Unsolicited background radiation traffic to the UCSD network telescope—particularly Conficker worm scanning (TCP SYN, port 445, 48-byte packets)—dropped nearly simultaneously with Egyptian BGP route withdrawals on January 27, corroborating control-plane analysis with data-plane evidence. Crucially, some worm-infected hosts continued to generate outbound scanning traffic even after their prefixes were BGP-withdrawn, because packet filtering was absent; this asymmetry between inbound unreachability and outbound connectivity can distinguish pure BGP-based blocking from combined BGP-plus-filtering approaches.

Both Egypt and Libya demonstrate that concentration of Internet infrastructure under state ownership—in Egypt, all submarine fiber backhaul terminated at a single facility, the Ramses Exchange, controlled by the state telecommunications provider—makes country-wide BGP-based shutdowns technically straightforward. The authors conclude that the small number of state-controlled parties involved in international connectivity was the critical enabling factor, not any novel technical capability.

§5.1.1 policy

Egypt's Internet shutdown on January 27, 2011 was accomplished via BGP route withdrawals: approximately 2,500 IPv4 prefixes (out of 2,928 visible) disappeared within a 20-minute window beginning at 22:12:26 GMT, leaving only 176 prefixes visible by 23:30:00 GMT. The shutdown lasted more than five days, with BGP connectivity beginning to return at 09:29:31 GMT on February 2, and more than 2,500 Egyptian prefixes back in global BGP tables by 09:56:11 GMT.

§5.1.1, §5.1.2 evaluation

During Egypt's 5.5-day Internet blackout, active CAIDA Ark measurements found that only 1% of probes to Egyptian IPv4 prefixes received responses, compared to 16–17% on normal days. The minority of addresses that retained bidirectional connectivity all mapped to BGP prefixes that had not been withdrawn—including prefixes serving the Egyptian stock exchange and two national banks, whose 83 prefixes were kept live until January 31 at 20:46:48 GMT before being simultaneously withdrawn.

§5.1.2 evaluation

Libya implemented escalating Internet disruptions before executing a sustained blackout: a 6.8-hour curfew on February 18 and an 8.3-hour curfew on February 19, followed by a 3.7-day near-total blackout beginning March 3. The authors detected what they believe were Libya's attempts to test firewall-based packet filtering before transitioning to more aggressive BGP-based disconnection, demonstrating a two-phase escalation pattern.

§1, §5.2 evaluation

On March 28, 2022, Russian ISP RTComm (AS8342) hijacked Twitter's IPv4 prefix 104.244.42.0/24 for approximately 45 minutes (12:05–12:50 UTC) and announced it to the global Internet as a blocking measure. The hijack was blunted because Twitter had preemptively registered RPKI route origin authorizations (ROAs) for its prefixes, causing RPKI-validating ASes worldwide to reject the hijacked route.

2023-ramesh-network §4.3 bgp-hijackasn-blackholing

In the August 2012 Bell-Dery BGP route leak, TTL analysis at per-prefix granularity revealed that two IP addresses within AS577 maintained constant TTLs and unaffected packet rates throughout the disruption, while 37 of 38 other active /16 prefixes experienced significant volume drops and TTL changes indicating rerouting through longer paths. This demonstrates that BGP route leaks can affect subnets within a single AS asymmetrically, and that TTL inspection can identify unaffected sub-AS paths.

2013-benson-gaining §IV-B bgp-hijackmeasurement-platform

During the February 2012 Dodo-Telstra BGP route leak, AS1221 (Telstra) exhibited a 20-minute congestion phase in which γC and γ3 both dropped while η rose from approximately 3 to 5 seconds, followed by a complete outage during which zero darknet sources were observed from the AS. The congestion phase produced measurable packet loss before the full blackout, providing an early-warning window of roughly 20 minutes.

2013-benson-gaining §IV-A bgp-hijackmeasurement-platform

IBR-derived metrics γ (average SYN retransmits per flow) and η (inter-packet time between retransmits) can distinguish packet-loss-induced outages from packet-filtering censorship: during Libya's 2011 packet-filtering phase γC remained near pre-censorship values despite reduced source counts, whereas BGP route leaks caused measurable γ decreases and η increases. This difference exists because filtering reduces the host population but preserves per-flow OS retransmit behavior, while congestion causes routers to drop individual packets mid-flow.

2013-benson-gaining §IV-C, §IV-D measurement-platformip-blockingbgp-hijack

Iran and Libya each have a single point of control (1 AS), making complete national internet shutdown achievable with a single administrative action. Egypt's 2011 shutdown left one AS (Noor Group, 4.9% of connected IPs) operational for four days, apparently due to its role serving the Egyptian stock exchange and other core financial institutions.

2011-roberts-mapping §VI, Figure 7 asn-blackholingbgp-hijackthrottling

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling