Technical writing

Voidly's ASN-Level Blocking Analysis: How Censorship Propagates Across Autonomous Systems

July 17, 2025· 9 min read· AI Analytics

CensorshipVoidlyBGPISP

The Voidly country censorship index aggregates measurements from all probe vantages within a country into a single composite score. That score is useful for cross-country comparisons, but it obscures one of the most policy-relevant dimensions of censorship: which ISPs are blocking, and which are not. In Russia, Rostelecom (AS8359) enforces the Roskomnadzor block list via DPI with near-complete compliance; smaller regional ISPs apply the same list inconsistently, and some commercial telcos have historically lagged behind by days or weeks. A country score alone cannot distinguish a nationwide order from an ISP that is selectively complying with it.

This post describes how Voidly uses per-ASN probe vantages and differential blocking detection to reveal that structure.

Why ASN matters for censorship measurement

Censorship infrastructure is deployed per-carrier. A government order to blockexample.com is typically issued to ISPs as a legal obligation, but implementation varies: one ISP may use DNS injection (fast, cheap, easily bypassed), another may use DPI at the peering edge (expensive but hard to circumvent), a third may use BGP null-routing for entire IP prefixes (blunt instrument that creates collateral damage). The same domain observed from three ASNs in the same country can show three completely different blocking signatures — or be unblocked on one of them entirely.

Knowing which ASN enforces which blocking method is actionable for:

Journalists: selective enforcement on state-owned carriers vs. private telcos is evidence of discriminatory application of censorship rules
Researchers: the propagation speed of new blocking orders across ASNs reveals the enforcement mechanism (legal notice to ISPs vs. automatic RIR/BGP update)
Circumvention tool operators: knowing that blocking on AS15169 (Google transit) differs from AS8359 (Rostelecom residential) allows routing optimization

ASN diversity in Voidly probe vantages

Every Voidly probe reports its vantage ASN, determined at registration time by querying the RIPE Routing Information Service (RIS) for the probe's external IP. Probe deployment targets ensure that major ASNs in high-interest countries have at least one vantage — ideally three, to distinguish per-probe anomalies from ASN-wide blocking.

ASN tiers are derived from the CAIDA AS-Rank dataset, imported weekly:

-- asn_metadata table: populated from CAIDA AS-Rank weekly snapshot
CREATE TABLE asn_metadata (
    asn            INTEGER PRIMARY KEY,
    asn_name       TEXT,
    country        CHAR(2),
    -- CAIDA AS-Rank classification
    rank_tier      SMALLINT,   -- 1=Tier-1 (transit-free), 2=Tier-2, 3=Tier-3/stub
    customer_cone  INTEGER,    -- number of ASNs in this AS's customer cone
    -- Operator category (manual annotation + heuristics from PeeringDB)
    operator_type  TEXT,       -- 'residential_isp', 'mobile_carrier', 'business_isp',
                               --  'cdn', 'transit', 'university', 'government', 'hosting'
    is_state_owned BOOL,       -- true for government/SOE telcos
    updated_at     TIMESTAMPTZ
);

-- For Russia as an example
SELECT asn, asn_name, rank_tier, operator_type, is_state_owned
FROM asn_metadata
WHERE country = 'RU'
ORDER BY customer_cone DESC
LIMIT 8;

-- asn    | asn_name               | rank_tier | operator_type     | is_state_owned
-- -------+------------------------+-----------+-------------------+----------------
-- 12389  | Rostelecom             | 2         | residential_isp   | true
-- 8359   | MTS PJSC               | 2         | mobile_carrier    | false
-- 8402   | VEON (Beeline)         | 2         | mobile_carrier    | false
-- 25478  | Enforta / ER-Telecom   | 2         | residential_isp   | false
-- 31133  | MegaFon                | 2         | mobile_carrier    | false
-- 47764  | Mail.Ru                | 3         | hosting           | false
-- 196695 | RU-CENTER              | 3         | hosting           | false
-- 2683   | RUNNet (state research)| 2         | university        | true

Per-ASN blocking rates

The measurement schema records vantage_asn on every row. This lets us compute blocking rate as a three-dimensional aggregate: domain × country × ASN. The country_daily_summary continuous aggregate in TimescaleDB includes ASN-level breakdowns:

-- Per-ASN blocking rate for a domain over the last 30 days
SELECT
    m.vantage_asn,
    a.asn_name,
    a.operator_type,
    a.is_state_owned,
    COUNT(*)                                              AS total_measurements,
    SUM(CASE WHEN m.confidence_tier >= 2 THEN 1 ELSE 0 END)
                                                          AS anomalous_count,
    ROUND(
        100.0 * SUM(CASE WHEN m.confidence_tier >= 2 THEN 1 ELSE 0 END)
              / NULLIF(COUNT(*), 0), 1
    )                                                     AS blocking_rate_pct
FROM   measurements m
JOIN   asn_metadata a USING (vantage_asn)
WHERE  m.test_url  = 'https://signal.org'
AND    m.vantage_country = 'RU'
AND    m.measurement_start_time >= NOW() - INTERVAL '30 days'
GROUP  BY m.vantage_asn, a.asn_name, a.operator_type, a.is_state_owned
ORDER  BY blocking_rate_pct DESC;

A representative result for signal.org in Russia shows:

ASN	Name	Type	State	Block %
12389	Rostelecom	residential	✓	97.2
31133	MegaFon	mobile	✗	89.4
8402	VEON	mobile	✗	84.1
8359	MTS	mobile	✗	76.3
25478	ER-Telecom	residential	✗	61.8

The state-owned Rostelecom is near-total compliance (97.2%). Private carriers comply less fully — ER-Telecom at 61.8% indicates meaningful non-compliance, which is reportable: users on that ISP have substantially better access to Signal than users on Rostelecom, despite the same legal block order applying to both.

Interference type fingerprinting per ASN

Different ISPs use different technical mechanisms. The blocking fingerprint for an ASN is the distribution of interference_type values observed from its vantages:

SELECT
    vantage_asn,
    interference_type,
    COUNT(*) AS count,
    ROUND(100.0 * COUNT(*) / SUM(COUNT(*)) OVER (PARTITION BY vantage_asn), 1) AS pct
FROM   measurements
WHERE  vantage_country = 'RU'
AND    confidence_tier >= 2
AND    measurement_start_time >= NOW() - INTERVAL '90 days'
GROUP  BY vantage_asn, interference_type
ORDER  BY vantage_asn, count DESC;

The result reveals that Rostelecom (AS12389) blocks almost exclusively viatls_interference (certificate substitution — they return a self-signed cert for any blocked domain's SNI, intercepting HTTPS at the edge). MTS (AS8359) uses primarily dns_injection (returning 0.0.0.0 or a local IP for blocked domains). ER-Telecom (AS25478) uses a mix of tcp_reset andhttp_redirect (RST injection and block page redirect respectively).

This diversity of mechanisms matters for circumvention: a DNS-over-HTTPS workaround defeats MTS's dns_injection blocking but has no effect on Rostelecom's TLS-layer interception.

Differential blocking detection

Differential blocking — where a domain is blocked on some ASNs but not others in the same country — is a strong signal of selective enforcement, as opposed to a nationwide block order that all ISPs comply with uniformly. We compute it as:

from dataclasses import dataclass

@dataclass
class AsnBlockingProfile:
    asn: int
    asn_name: str
    is_state_owned: bool
    blocking_rate: float    # 0.0 – 1.0
    measurement_count: int

def classify_blocking_pattern(
    profiles: list[AsnBlockingProfile],
    threshold: float = 0.15,   # 15pp difference = noteworthy
) -> str:
    """
    Classify the cross-ASN blocking pattern for a domain × country.

    Returns one of:
      'nationwide'   — all monitored ASNs block at >70%
      'selective'    — state-owned ASNs block, private don't (or vice versa)
      'mixed'        — high variance, no clear state/private split
      'unblocked'    — all monitored ASNs block at <10%
    """
    if not profiles:
        return 'unknown'

    rates = [p.blocking_rate for p in profiles]
    if all(r > 0.70 for r in rates):
        return 'nationwide'
    if all(r < 0.10 for r in rates):
        return 'unblocked'

    state_rates   = [p.blocking_rate for p in profiles if p.is_state_owned]
    private_rates = [p.blocking_rate for p in profiles if not p.is_state_owned]

    if state_rates and private_rates:
        state_mean   = sum(state_rates)   / len(state_rates)
        private_mean = sum(private_rates) / len(private_rates)
        if abs(state_mean - private_mean) >= threshold:
            return 'selective'

    return 'mixed'

“Selective” patterns are particularly newsworthy. When a domain is blocked at 95%+ on state-owned ASNs and below 30% on private carriers, it suggests the block order is being enforced as a political directive rather than a uniform legal obligation. We surface these in the MCP tool get_asn_measurements and in the country summary dashboard.

Propagation speed analysis

When a new domain is added to a national block list, it rarely appears across all ISPs simultaneously. The propagation speed — how many hours or days it takes for a block to reach all major ISPs — reveals the enforcement mechanism:

Same hour (<1h): Automated technical enforcement — BGP null route pushed via RPKI, or DNS response policy zone (RPZ) update propagated to all ISP resolvers simultaneously by a central authority (TSPU in Russia, for example).
Same day (1–24h): Legal notice sent to ISPs, each implementing on their own schedule after receipt. Consistent with administrative block list updates in Iran, Turkey, and Egypt.
Multi-day (1–7 days): Informal pressure or ISP-discretionary blocking. Observed in countries with weak enforcement mechanisms or where ISPs have some leverage to delay compliance.

-- Propagation timeline: when did each ASN start blocking this domain?
SELECT
    vantage_asn,
    asn_name,
    MIN(measurement_start_time) AS first_block_detected,
    MIN(measurement_start_time) - LAG(MIN(measurement_start_time))
        OVER (ORDER BY MIN(measurement_start_time))  AS lag_from_previous_asn
FROM measurements
JOIN asn_metadata USING (vantage_asn)
WHERE test_url         = 'https://instagram.com'
AND   vantage_country  = 'TR'
AND   confidence_tier  >= 2
GROUP BY vantage_asn, asn_name
ORDER BY first_block_detected;

ASN coverage targets and gap filling

For countries with active censorship incidents, we target coverage of at least the top-10 ASNs by customer cone size. Coverage gaps are filled by recruiting probe operators — the vantage selection system scores candidate probes partly on ASN novelty: a probe on an under-represented ASN scores ~2× higher than one on an ASN with three existing probes.

Current ASN coverage for the top-20 censorship countries:

Country	Major ASNs	ASNs with ≥1 probe	Coverage
CN	18	16	89%
IR	14	11	79%
RU	22	18	82%
TR	12	10	83%
EG	8	6	75%

Countries with coverage below 70% on major ASNs are flagged in the probe recruitment queue. Iran and Egypt are current priorities — both have politically active blocking regimes but under-represented residential ISP coverage, meaning our country scores may be biased toward ASNs we happen to have probes on.

For how country-level censorship scores are computed from all ASN measurements: Voidly's country-level censorship score: aggregating 2.2B probe measurements into the global index →

For the BGP routing signals used alongside ASN-level blocking data to detect shutdowns: BGP routing signals and internet shutdown detection: how Voidly uses IODA data →

For how BGP AS path topology data is used to classify censorship choke points as IXP-level, transit AS, or edge ISP: Voidly AS path analysis: using BGP topology to locate censorship enforcement points →

For the vantage selection process that ensures ASN diversity in probe recruitment: Voidly probe vantage selection: ASN diversity, operator safety, and reaching hard-to-measure countries →

For per-domain censorship history — how the DomainMeasurementSummary continuous aggregate tracks first-seen blocking and rolling blocking rates per country: Domain censorship history in Voidly: continuous aggregates, first-seen tracking, and the /v1/domains/{domain}/history API →