How ISPs Can Enforce Temporary Internet Shutdowns During Elections Using BGP Controls
Objective
As violence and misinformation spread during elections, particularly on social media, governments have sometimes ordered temporary internet bans to keep the peace. That is not to say that platforms like Facebook, X (Twitter), and WhatsApp aren't important for communication and engagement (they are), but they can also be used to foment fake news, hate, and organized violent protests.
To mitigate these risks to public safety, the government proposes a temporary suspension of internet access at the ISP level. Extreme, yes, but this is how democratic integrity is protected and violence avoided.
Scenario Overview
Scenario 1:
In the French Presidential Elections, the ISP Orange has been ordered by the national authority to implement a 4-day disconnect of Internet connectivity in France, which is deemed under threat from separatist groups.
This post gives a basic idea of how such an "internet shutdown" can be achieved at the ISP (BGP) layer through route manipulation and policy filtering.
BGP Overview
Internet connectivity relies on the BGP protocol, an AS-by-AS routing protocol. Each ISP has at least one peering connection towards an upstream provider, and this peering plays a significant role in achieving internet reachability.
How is the internet connected at a user's end?
Tier-3 to Tier-1 ISP connections for Internet access:
What is peering?
It may be obvious if you have been in the business for a while, but one of the fundamental elements of making the internet work together around the world is interconnection at some point. Tier-3 ISPs are regional providers that serve small businesses and consumer end users, with the underlying connectivity usually provided by a larger Tier-2 ISP.
These Tier-2 ISPs then connect to transit providers, or further up to Tier-1 ISPs, which form the backbone of the internet and operate the largest networks with global span.
Tier-1 ISPs peer with each other, exchanging traffic at no cost; together they are known as the internet backbone. This hierarchical interconnection allows a user in a small city (Tier-3) to reach servers or other users around the world (Tier-1), providing robust, scalable and reliable internet access.
Most of the time a default route is used for upload traffic, and different policies are defined in BGP for upload and download traffic.
Import-policy: Download the data-traffic
In networking and ISP terms, an import policy generally relates to traffic being downloaded. It covers the policies an ISP or network admin implements to regulate and restrict data coming from other networks.
Download Traffic: The data downloaded towards the network is mainly controlled by import policies. This filtering may consist of prioritizing one type of traffic over another, or even blocking traffic.
Routing Decisions: Import policies play a role in determining how data is received, in other words which routes are accepted into the routing table from the external world.
Security: Such policies may consist of security policies that safeguard a network from harmful traffic (e.g., DDoS attacks, spam, and unauthorized access attempts).
An ISP could also use an import policy to ensure that only valid and required routes are accepted through peering agreements with other ISPs. This in turn helps keep the network stable and secure, with data flowing exactly as it should for its customers.
So, in a networking context, "import policy" usually refers to how received or downloaded data traffic is processed and controlled.
Export-policy: Upload the data-traffic
In a network/ISP context, the term "export policy" refers to the rules and configurations that apply to outgoing data traffic (i.e., uploading data). It covers the policies an ISP or network admin implements to manage and control the transport of their own data to other networks.
Upload Traffic: The data being uploaded (sent out) from the network is mainly controlled by export policies. This extends to what data or routes the network shares with other networks.
Routing Decisions: The export policies can also determine which routes will be sent to other networks. This may influence where data "leaks" from, and how the network is viewed by peers/upstream providers.
Traffic management: These policies let you control traffic flow, prioritize different classes of data, and optimize the way bandwidth is allocated when sending information to other networks.
Security: Security measures can be established for exports to prevent the network from emitting hostile traffic, making sure that it is not a disseminator of attacks or illicit data.
An ISP could apply an export policy to advertise only the routes it wants, needs, or has optimized towards its peers or upstreams. This helps preserve network efficiency and security and keeps good relationships with other networks.
As a result, in networking jargon, "export" and "export policy" typically have to do with what happens to data traffic that you upload or send out. You use them to manage how data is made available to external networks and, in general, to maintain the quality and efficiency of the network.
Now back to our scenario.
Orange ISP has two upstream providers.
[Figure: AS-by-AS route propagation]
User prefix blocks, for the sake of example:
| u*>i 172.26.8.0/24 |
| u*>i 172.26.14.76/30 |
| u*>i 172.26.14.80/30 |
| u*>i 172.26.22.0/28 |
| u*>i 172.26.22.16/28 |
| u*>i 172.26.22.24/29 |
| u*>i 172.26.22.32/27 |
| u*>i 172.26.22.64/27 |
| u*>i 172.26.22.96/27 |
| u*>i 172.26.22.160/27 |
| u*>i 172.26.22.176/28 |
| u*>i 172.26.22.192/27 |
| u*>i 172.26.27.0/25 |
| u*>i 172.26.39.32/27 |
| u*>i 172.26.44.0/29 |
| u*>i 172.26.50.128/26 |
| u*>i 192.168.243.0/25 |
| ------------------------------------------------------------------------------- |
Here u*>i denotes the best routes received in the BGP route table.
To block Gi traffic (internet traffic), the routes advertised towards the MPBN need to be blocked.
Under normal conditions, the 17 prefix blocks above are advertised towards both upstream providers to achieve reachability for internet access. Local-preference and AS-path prepending can be adjusted as per user request to get a seamless response for download and upload traffic respectively.
Step-1: Drop the default route towards the MPBN end.
1. Check the MPBN peer IP in the BGP neighbor list first.
Before
*B:France-router-1>config>router>policy-options# policy-statement "policy-default"
*B:France-router-1>config>router>policy-options>policy-statement# info
----------------------------------------------
entry 10
from
prefix-list "prefix-default"
exit
action accept
exit
exit
default-action drop
exit
----------------------------------------------
After
*B:France-router-1>config>router>policy-options>policy-statement "policy-default"
----------------------------------------------
entry 10
from
prefix-list "prefix-default"
exit
action drop    # need to drop
exit
default-action drop
exit
----------------------------------------------
Step-2: Remove the import policy so that the advertised prefix blocks automatically deny traffic at the peer.
Before
*B:France-router-1>config>router>bgp
group "to_FR-Internet-Primary"
next-hop-self
type external
multihop 5
remove-private
export "deny-all"
local-as 60410
peer-as 4755
neighbor 154.0.176.252
description "to_FR-Internet-Primary"
authentication-key "5ywEP73dR5vNoAYbu/H27FRIOxsFF4GVV7yb" hash2
exit
exit
After
*B:France-router-1>config>router>bgp
group "to_FR-Internet-Primary"
next-hop-self
type external
multihop 5
remove-private
import "deny-all"    # need to remove import policy
export "deny-all"
local-as 60410
peer-as 4755
neighbor 154.0.176.252
description "to_FR-Internet-Primary"
authentication-key "5ywEP73dR5vNoAYbu/H27FRIOxsFF4GVV7yb" hash2
exit
exit
Note: The authentication key is used to authenticate the BGP session, the neighbor IP is the address used to form the BGP peering with the far-end site, and peer-as indicates the far-end AS. Usually each ISP deploys two routers, primary and secondary, so the same steps are applied on router-2 as well to achieve the defined objective. To restore internet connectivity, change the action back to "accept" instead of "drop" in the default policy, and in the same way set the import policy to accept-all instead of deny-all.
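A configuration audit for the policy state described in Step-1 and Step-2, useful for confirming after the ban is lifted that the accept policies were restored on both routers, or for catching an unexpected blackhole policy during change review. This is an added example, not code from the original post; the function names `parse` and `audit`, the treatment of "reject" like "drop", and the assumption that a policy named "deny-all" drops every route are assumptions of this example, and the sample config is constructed from the listings above.

```python
import re

DENY_POLICIES = {"deny-all"}       # assumption: a policy with this name drops every route
DROP_ACTIONS = {"drop", "reject"}  # the page uses "drop"; "reject" is treated the same

def parse(config):
    """Collect policy-statement actions and per-group import/export policy names."""
    policies, groups, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        # A header may follow a CLI prompt such as *B:router>config>...#
        if m := re.search(r'\b(policy-statement|group)\s+"([^"]+)"', line):
            store = policies if m.group(1) == "policy-statement" else groups
            cur = store.setdefault(m.group(2), {"entries": {}, "entry": None})
        elif cur is None:
            continue
        elif m := re.match(r'entry\s+(\d+)', line):
            cur["entry"] = int(m.group(1))
        elif m := re.match(r'action\s+([a-z]+)', line):   # ignores trailing annotations
            cur["entries"][cur["entry"]] = m.group(1)
        elif m := re.match(r'default-action\s+([a-z]+)', line):
            cur["default"] = m.group(1)
        elif m := re.match(r'(import|export)\s+"([^"]+)"', line):
            cur[m.group(1)] = m.group(2)
    return policies, groups

def audit(config):
    """Return findings that indicate routes are being dropped wholesale."""
    policies, groups = parse(config)
    findings = []
    for name, p in policies.items():
        actions = set(p["entries"].values()) | {p.get("default")}
        if actions <= DROP_ACTIONS:   # every entry and the default action drop
            findings.append(f'policy "{name}" accepts no routes')
    for name, g in groups.items():
        for direction in ("import", "export"):
            if g.get(direction) in DENY_POLICIES:
                findings.append(f'group "{name}" {direction} policy is "{g[direction]}"')
    return findings

# Constructed sample mirroring the "After" listings, inline annotations included.
SHUTDOWN = '''*B:France-router-1>config>router>policy-options# policy-statement "policy-default"
entry 10
action drop-----need to drop
default-action drop
group "to_FR-Internet-Primary"
import "deny-all"-----need to remove import policy
export "deny-all"'''

print("\n".join(audit(SHUTDOWN)))
```

Run it against the saved configuration of both routers; when the default-route and import findings are gone, the Step-1 and Step-2 changes have been reverted.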
Conclusion
A short-term internet shutdown at the ISP level can be technically achieved by using BGP route control techniques, such as dropping the default route and manipulating import/export policies.
As unsettling as it may be for society and the economy, these are security and last-resort measures implemented to maintain peace during a period of unrest or national sensitivity, in order to preserve democratic processes.
Core Insights
Technically, internet blackouts are implemented by manipulating route advertisements in BGP.
Import/export policies are crucial to traffic direction and reachability.
Service providers can easily restore or blackhole services by changing a few routing policies.
Reversible policies ensure easy recovery of services after the ban is lifted.
