Failures in a Hybrid Content Blocking System

  • Richard Clayton
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3856)


Three main methods of content blocking are used on the Internet: blocking routes to particular IP addresses, blocking specific URLs in a proxy cache or firewall, and providing invalid data for DNS lookups. The mechanisms have different accuracy / cost trade-offs. This paper examines a hybrid, two-stage system that redirects traffic that might need to be blocked to a proxy cache, which then takes the final decision. This promises an accurate system at a relatively low cost. A British ISP has deployed such a system to prevent access to child pornography. However, circumvention techniques can now be employed at both system stages to reduce effectiveness; there are risks from relying on DNS data supplied by the blocked sites; and unhappily, the system can be used as an oracle to determine what is being blocked. Experimental results show that it is straightforward to use the system to compile a list of illegal websites.


Content Provider, Child Pornography, Proxy Cache, Content Blocking, Illegal Content
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Richard Clayton (Computer Laboratory, University of Cambridge, Cambridge, United Kingdom)
