Syria disappears from the Internet

December 5th, 2012 by Alistair King and Alberto Dainotti

On the 29th of November, shortly after 10am UTC (12pm Damascus time), the Syrian state telecom (AS29386) withdrew the majority of BGP routes to Syrian networks (see reports from Renesys, Arbor, CloudFlare, BGPmon). Five prefixes allocated to Syrian organizations remained reachable for another several hours, served by Tata Communications. By midnight UTC on the 29th, as reported by BGPmon, these five prefixes had also been withdrawn from the global routing table, completing the disconnection of Syria from the rest of the Internet.

Several organizations with access to different sources of data that illuminate aspects of the blackout have released their data analyses. Renesys and BGPmon used BGP routing data to monitor the systematic withdrawal of routes to networks in Syria. Arbor Networks used traffic flow data collected from their globally distributed ATLAS infrastructure, which serves hundreds of customers. Akamai has traffic data from their own content distribution network infrastructure, and released a graph showing an abrupt drop in the volume of (HTTP) traffic Akamai servers sent to Syrian hosts. The RIPE NCC, meanwhile, allowed users to follow the BGP update activity for Syrian prefixes in near-realtime.

We provide another lens through which the blackout could be observed: a drop in unsolicited traffic generated by malware-infected Syrian PCs. Malware (worms, viruses, etc) often spreads to other vulnerable computers over the Internet by way of random scanning by infected hosts. A signal-producing side effect of a country-level Internet blackout is that Internet access is also denied to malware attempting to infect other hosts. This drop in unsolicited traffic can be observed in data captured from a darknet such as the UCSD Network Telescope. A darknet is a block of globally reachable but unassigned IP addresses; all traffic destined to such addresses is unsolicited, most of it from malware-infected PCs. We have previously used this technique to analyze the Internet blackouts in Egypt and Libya during the Arab Spring uprisings of last year and the impact of the earthquakes in Japan and New Zealand in early 2011.

The Syrian Internet Blackout in Nov 2012 as seen at the UCSD Network Telescope

This graph shows the number of unique Syrian source IP addresses per hour sending traffic that reaches the UCSD Network Telescope. Our data confirms the findings of other groups, showing an abrupt decrease in the number of transmitting Syrian hosts between 10 and 11am UTC on the 29th. For the following 48 hours we received almost no traffic from Syrian hosts. To determine that an IP address belongs to a Syrian host, we constructed a list of prefixes officially delegated by RIPE NCC to Syrian organizations, augmented with the 5 prefixes advertised by Tata Communications (as reported by BGPmon), which were the last to be withdrawn. We then validated the addresses found in the telescope data against the Maxmind GeoLite Country database and through manual traceroutes.
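The counting method described above, sketched as an added example (not CAIDA's own code): match each packet's source address against a prefix list, then count unique sources per hour, keeping silent hours as zeros so an outage is visible in the series. The prefixes are RFC 5737 documentation ranges standing in for the real list, the packets are constructed, and the `quiet_hours` thresholds are assumptions that go beyond what the article states.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Placeholder prefixes (RFC 5737 documentation ranges). They stand in for the
# RIPE NCC delegations plus the five Tata-advertised prefixes; not real data.
PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

def in_prefixes(addr, prefixes=PREFIXES):
    """True if addr falls inside any prefix on the country list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)

def unique_sources_per_hour(packets, start, end, prefixes=PREFIXES):
    """packets: iterable of (unix_ts, src_ip); start/end: unix seconds (UTC).
    Returns [(hour_start, unique_source_count)] with silent hours kept as 0."""
    start -= start % 3600
    seen = defaultdict(set)
    for ts, src in packets:
        if start <= ts < end and in_prefixes(src, prefixes):
            seen[ts - ts % 3600].add(src)  # a set dedupes repeat senders
    return [(h, len(seen[h])) for h in range(start, end, 3600)]

def quiet_hours(series, baseline_hours=3, fraction=0.1):
    """Hours whose count is below `fraction` of the median of the first
    `baseline_hours` hours (assumed thresholds, not from the article)."""
    base = median(c for _, c in series[:baseline_hours])
    return [h for h, c in series[baseline_hours:] if c < fraction * base]

T0 = 1354172400  # 2012-11-29T07:00:00Z, start of the constructed sample

def sample_packets():
    """Constructed telescope records: three normal hours, then silence."""
    pkts = []
    for h in range(3):  # 07:00-09:59 UTC, normal background scanning
        for host in (10, 11, 12, 13):
            pkts.append((T0 + h * 3600 + host, f"192.0.2.{host}"))
        pkts.append((T0 + h * 3600 + 50, "192.0.2.10"))   # repeat sender
        pkts.append((T0 + h * 3600 + 60, "203.0.113.7"))  # not on the list
    pkts.append((T0 + 3 * 3600 + 5, "198.51.100.20"))     # last sender, 10:00 hour
    pkts.append((T0 + 5 * 3600 + 9, "203.0.113.7"))       # unrelated host only
    return pkts

if __name__ == "__main__":
    series = unique_sources_per_hour(sample_packets(), T0, T0 + 6 * 3600)
    print(series, quiet_hours(series))
```

Source addresses seen at a darknet can be spoofed, so a nonzero count in an otherwise silent hour needs the kind of follow-up validation the authors describe rather than being read as restored connectivity.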

During the period of the blackout we received a total of 6 packets from 3 sources inside Syrian address space. These packets had source IP addresses within the networks advertised by Tata Communications; the addresses could be spoofed, and we are still investigating. We observed this traffic after these routes had been withdrawn (according to BGPmon), so it is possible that some Syrian networks were still able to send traffic by way of default routes, as was the case for some hosts during the Egyptian blackout (see our IMC2011 paper). Traffic began returning to pre-blackout levels just after 2pm UTC on December 1st.

This activity is part of our NSF SATC-funded project on Internet outages (NSF CNS-1228994), and is also supported by measurement and data curation made possible by DHS S&T’s PREDICT and Cybersecurity programs (Cooperative Agreement FA8750-12-2-0326 and Contract N66001-12-C-0130).

Team: Alistair King, Karyn Benson, Brad Huffaker, Marina Fomenkov, Emile Aben, Alberto Dainotti, KC Claffy