Thursday afternoon, something very unusual happened to superbigcocks.com. That site and 255 others — many of them porn sites — suddenly began dropping off the web. The servers showed no problems, but users from Russia to Hong Kong were typing the URLs into their browsers and getting blank pages. Something on the internet was getting in the way.

That obstacle, as it turns out, was the state telecom of Iran. The country has long maintained an extensive-but-scattershot web censorship system — but on Thursday, it began blocking not just the sites, but the basic mechanisms of the web itself.

Breaking the basic mechanism of the web

The national telecom had announced phony routes for each of the 256 sites, the internet equivalent of a fake street sign. For an internet service provider looking for the quickest way to a given IP, Iran’s new routes seemed like an easy shortcut — and when they arrived at the blank page, browsers simply assumed the page was down. The resulting outage didn’t affect the entire web, but anyone close enough to be tempted by the phony routes was drawn in. That list included India’s Bharti Airtel, Russia’s RETN, Indonesia’s Telekomunikasi and Hong Kong’s Hutchison — all major ISPs for their region.

Among network operators, this trick is known as BGP hijacking, although it’s usually seen at a smaller and less haphazard scale. The attack exploits a long-standing vulnerability in the architecture of the web. By the rules of networking, any network can announce a route to any IP address — essentially saying, if you want to get to the server for superbigcocks.com, head this way. Having a lot of those routes at once makes the internet efficient and robust, but it also makes it easy to spoof. If a network decides to announce a bad route, there’s very little in place to stop it.

The problem is that, while Iran’s national telecom has strict internal censorship rules, it’s also pivotal to the transit of data through the region, particularly for Oman’s central telecom, Omantel. “[Iran’s] TIC transits over 4000 routes and announces about a tenth of those to Omantel,” says Dyn’s Doug Madory, who’s been tracking the incident closely. “At that level, it isn't reasonable for someone at Omantel to check each new route.”

Roughly 28 hours after the blackouts began, networks finally began to block the routes, as can be seen on the readout above. However, the bad routes appear to still be circulating within Iran.

It’s still unclear what motivated the hijacking. Iran has typically used more reliable means to block content, whether using ISP-level blocks or nationwide packet inspection. The sudden move to bogus traffic routing has puzzled observers like Collin Anderson, who studies Iran’s web censorship system.

“BGP is typically not the mechanism that is used for domestic censorship, so it doesn't align with a routine motivation,” Anderson told The Verge. “It's difficult to tell whether this was an accident or not.”