Iranian Traffic Engineering

The outcome of the Iranian elections now hangs in the balance, and perhaps also on the availability of the Internet (or at least Twitter and Facebook, according to the US State Department).

Based on significant Internet engineering changes over the last week, the Iranian government seems to agree…

While other countries (e.g. Burma in 2007) completely unplugged the country during political unrest, Iran has taken a decidedly different tack.

Before going further, I should note that we have no direct insight into Iranian political machinations nor telecommunications policy. But the 100 ISPs participating in the Internet Observatory provide some interesting hints on how the Iranian government may hope to control Internet access.

The state-owned Data communication Company of Iran (or DCI) acts as the gateway for all Internet traffic entering or leaving the country. Historically, Iranian Internet access has enjoyed some level of freedom despite government filtering and monitoring of web sites.

In normal times, DCI carries roughly 5 Gbps of traffic (with a reported capacity of 12 Gbps) through 6 upstream regional and global Internet providers. For the region, this represents an average level of Internet infrastructure (for purposes of perspective, a mid-size ISP in Michigan carries roughly the same level of traffic).

Then the Iranian Internet stopped.

On the day after the elections on June 13th at 1:30pm GMT (9:30am EDT and 6:00pm Tehran / IRDT), Iran dropped off the Internet. All six regional and global providers connecting Iran to the rest of the world saw a near complete loss of traffic.

The graph below shows Iranian Internet traffic through Iran’s six upstream providers.


Note: All data comes from analysis of Internet Observatory anonymous ASPath traffic statistics, from which we infer upstream ISP traffic. A few caveats also apply: Iranian traffic is such a small part of global Internet traffic that the Observatory data is fairly noisy. We used a number of standard statistical approaches to normalize the sampled dataset.
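The inference described in the note, sketched as an added example that is not Arbor's or the Observatory's code: each sampled AS path is attributed to the network sitting directly in front of the national gateway, and an hour is flagged when every upstream falls far below its own baseline. The ASNs are documentation-range placeholders, the samples are constructed, and the median baseline and 20% threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

GATEWAY_AS = 64500  # placeholder ASN (documentation range) standing in for the national gateway

# Constructed sample: (hour, AS path from observer toward origin, sampled bytes).
SAMPLES = [
    (0, [64510, 64496, 64500], 900), (0, [64511, 64497, 64500, 64505], 600),
    (1, [64510, 64496, 64500], 950), (1, [64511, 64497, 64500, 64505], 580),
    (2, [64510, 64496, 64496, 64500], 920), (2, [64511, 64497, 64500], 610),
    (3, [64510, 64496, 64500], 40), (3, [64511, 64497, 64500], 0),
    (4, [64510, 64496, 64500], 300), (4, [64511, 64498], 700),  # never reaches the gateway
]

def upstream_of(path, gateway=GATEWAY_AS):
    """Return the AS directly before the gateway in the path, or None."""
    # Collapse AS-path prepending (the same ASN repeated back to back).
    dedup = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
    if gateway not in dedup:
        return None
    idx = dedup.index(gateway)
    return dedup[idx - 1] if idx > 0 else None

def traffic_by_upstream(samples):
    """Sum sampled bytes per upstream and hour, ignoring paths that miss the gateway."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, path, nbytes in samples:
        up = upstream_of(path)
        if up is not None:
            totals[up][hour] += nbytes
    return totals

def outage_hours(samples, baseline_hours, threshold=0.2):
    """Hours in which every upstream carries less than threshold * its baseline median."""
    totals = traffic_by_upstream(samples)
    base = {up: median(series.get(h, 0) for h in baseline_hours)
            for up, series in totals.items()}
    hours = sorted({h for h, _, _ in samples} - set(baseline_hours))
    return [h for h in hours
            if all(totals[up].get(h, 0) < threshold * base[up] for up in totals)]

if __name__ == "__main__":
    print(outage_hours(SAMPLES, baseline_hours=[0, 1, 2]))
```

Requiring all upstreams to drop together separates a country-wide cut from a single provider's fault; hour 4 in the sample is not flagged because one upstream has partly recovered.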

As noted earlier, Iran normally sees around 5 Gbps of traffic with typical diurnal and weekly curves (though Iran sees dips both on the Iranian weekend of Thursday / Friday and during the Western Saturday / Sunday weekend). From the view of the Observatory, most Internet traffic to Iran goes through Reliance (formerly Flag) Telecom, the major Asia Pacific region undersea cable operator. Singtel, a major pan-Asian provider, and Türk Telekom also provide significant transit.

Initially, DCI severed most of the major transit connections into Iran. Within a few hours, a trickle of traffic returned across TeliaSonera, Reliance and Singtel, all well under 1 Gbps.

The graph below shows a zoomed-in view of the outage in the earlier graph.

As of 6:30am GMT June 16, traffic levels returned to roughly 70% of normal with Reliance traffic climbing by more than a Gigabit.

So what is happening to Iranian traffic?

I can only speculate. But DCI’s Internet changes suggest piecemeal migration of traffic flows. Typically, off-the-shelf / inexpensive Internet proxy and filtering appliances can support 1 Gbps or lower. If DCI needed to support higher throughput (say, all Iranian Internet traffic), then redirecting subsets of traffic as the filtering infrastructure comes online would make sense.

Unlike Burma, Iran has significant commercial and technological relationships with the rest of the world. In other words, the government cannot turn off the Internet without impacting business and perhaps generating further social unrest. In all, this represents a delicate balance for the Iranian government and a test case for the Internet to impact democratic change.

Events are still unfolding in Iran, but some reports are saying the Internet has already won.
 

 

43 Responses to “Iranian Traffic Engineering”

June 18, 2009 at 10:33 am, Iran’s Election As Seen Through the ISPs said:

[…] garden hose so that equipment can sift through the packets and let legitimate traffic through. In a blog post today, Arbor Chief Scientist Craig Labovitz writes: I can only speculate. But DCI’s Internet changes […]

June 18, 2009 at 12:05 pm, Eiman Zolfaghari said:

God Bless you for this fascinating information!

June 18, 2009 at 12:18 pm, Irán, hoy de nuevo (work in progress) said:

[…] of Internet traffic offer evidence that one day after the elections the Iranian regime “took down” the […]

June 18, 2009 at 3:57 pm, Mehdi said:

Nice article!
In some hours of the day, there is no network coverage in Iran, and also, since the election SMS service is completely disabled. So, God bless the Internet! Nowadays, Facebook and Twitter are the most important communication methods in Iran.

June 18, 2009 at 9:24 pm, Aburjubur.com » Iran Election Live-Blogging (Thursday June 18) said:

[…] Internet stopped.” Via reader Chas, on the Arbor Network Security blog, Craig Labovitz writes: In normal times, DCI carries roughly 5 Gbps of traffic (with a reported capacity of 12 Gbps) […]

June 18, 2009 at 6:10 pm, Why “Twitter” Became So Important In Iran | QandO said:

[…] fascinating stuff here: The state owned Data communication Company of Iran (or DCI) acts as the gateway for all […]

June 19, 2009 at 3:44 am, Internet: Keep up the good work for the Iranian people | bareablog.com said:

[…] Very good analysis of Iranian government efforts to silence Iranian protesters: […]

June 19, 2009 at 4:14 am, Carpe Diem » مهندسی ترافیک اینترنت در ایران said:

[…] Here you can see what calamity has, since Saturday of last week, befallen […]

June 19, 2009 at 4:31 am, Internet Traffic In Iran | North Vancouver I AM said:

[…] Look how the censorship affects the traffic of Internet in Iran. If you are interested more about that, please read more here. […]

June 19, 2009 at 3:04 am, The Musings of Chris Samuel » Blog Archive » Iranian Internet Controls – Targeting Flash and Email ? said:

[…] and filtering from the time of the Iranian presidential election onwards. They have both a preliminary investigation showing a dramatic fall in traffic at the time of the election and a follow up deeper look […]

June 19, 2009 at 5:06 am, Best Kept Anonymous said:

You are actually completely incorrect about “While other countries (e.g. Burma in 2007) completely unplugged the country during political unrest”. It was never completely disconnected. Internet activities continued for longer than was expected – no disconnection to phone lines either.

Public access (cybercafes) were offline for 8 days, and not the 6 weeks quoted in the bbc article that linked me to here.

June 19, 2009 at 5:10 am, My Blog Site!.. » Iran’s internet dilemma said:

[…] social media sources, despite the efforts of the authorities to block web access. But this image – in a blog by the security firm Arbor Networks – really tells the story of the Iranian regime’s […]

June 19, 2009 at 10:19 am, Iran Again « I Think ^(Link)…… said:

[…] take note of what happened with technology following the election on the 13th. In normal times, DCI carries roughly 5 Gbps of traffic (with a […]

June 19, 2009 at 11:55 am, More Details Emerge on Iran’s Internet Censorship « The SiliconANGLE said:

[…] analysis on the Iranian IT situation, picking their pet theories we presented late last night. – Arbor Networks thinks that the networks were taken offline and migrated to low-capacity proxy […]

June 19, 2009 at 4:44 pm, BT said:

Telecom Italia seems to have been completely cut off. All other streams are diminished, with the exception of TeliaSonera, which is showing greater than normal traffic. I have no idea what this means, but it’s interesting.

June 19, 2009 at 5:13 pm, alfonsofuggetta.org » Blog Archive » Isenberg: Iran e Net Neutrality, è solo un problema loro? said:

[…] [source] [h/t EthanZ] […]

June 20, 2009 at 3:01 am, links for 2009-06-20 | sbdc said:

[…] Iranian Traffic Engineering Security to the Core | Arbor Networks Security (tags: internet censorship iran filtering) […]

June 20, 2009 at 5:02 am, No name said:

Please keep us updated……

June 21, 2009 at 1:26 pm, Updates on Iran « Tim Unwin’s Blog said:

[…] Labovitz on Iranian traffic engineering from the Arbor Networks security blog – contains a great graph showing the flow of Internet […]

June 22, 2009 at 3:50 pm, Cry for help said:

Right now, everything is almost blocked since today 23 June 2009. Only game sites etc. are open, almost nothing serious is accessible anymore.

This is kind of cry for help. Till now, the only last choice to pass the proxies was using FreeGate6.80 and now it seems Freegate has totally closed its network to Iranians, even the 2 minute chance it gave doesn’t work anymore, maybe they have bought them, or something alike.

I am not sure if I can even access this site after this, but somebody please provide a freegate like network, or all of us might be doomed, they are already executing and then asking for 3000 to 7000 USDs to give back the corpses to families.

June 23, 2009 at 1:45 pm, DPI in Iran -- Gianluca Lini said:

[…] real thing one can reason about is the Iranian Internet traffic toward the six upstreams measured by Arbor. Tags: DPI « Locanda […]

June 23, 2009 at 3:52 pm, Stralau-Blog — Schöner sterben am Wasser » Blog Archive » Ein paar Links zur Sicherheit said:

[…] June 23: statistics on when blocking took place and […]

June 23, 2009 at 6:26 pm, Keine Eisenfaust « Thorstens Blog said:

[…] Fist” by the regime in Tehran to suppress such Internet activity is documented by Craig Labovitz in two articles on the Arbor Networks Security […]

June 24, 2009 at 2:54 am, On Looking Deeper, Or, Things About Iran You Might Not Know « advice from a fake consultant said:

[…] they aren’t doing is employing the simplest method possible: cutting off all access. This is presumably because […]

June 24, 2009 at 11:12 am, Подробности за филтрирането на Интернет в Иран | Често задавани въпр… said:

[…] filtering of the Internet after the elections in Iran – here and here, thanks to B. Schneier. According to the leaked […]

June 25, 2009 at 4:26 am, Computerspil m.m. » Blog Archive » Kommunikation gennem spil er ikke censureret i Iran said:

[…] Already the day after the election, Internet traffic stopped dramatically: /blog/asert/2009/06/iranian-traffic-engineering/ […]

June 25, 2009 at 9:29 am, Bits und so #153 (Langfristig) | Bits und so said:

[…] WSJ: Nokia/Siemens supplied censorship infrastructure in Iran. It is only “Lawful Interception”, after all. Traffic Stats […]

June 25, 2009 at 9:37 am, Un’Ira(n) di Dio - Lastknight.com di Matteo Flora said:

[…] couple of posts extremely […]

June 25, 2009 at 9:46 am, Il firewall iraniano | FABblog said:

[…] Internet traffic in Iran in the days before and immediately after the elections: after a first analysis, another, more in-depth one followed, which I reproduce in […]

June 26, 2009 at 3:39 pm, One More Time: Iran Isn’t Using Deep Packet Inspection « The SiliconANGLE said:

[…] analysis on the Iranian IT situation, picking their pet theories we presented late last night. – Arbor Networks thinks that the networks were taken offline and migrated to low-capacity proxy servers. – GigaOm’s […]

June 28, 2009 at 5:13 pm, OpenVPN - Page 2 - Why We Protest - IRAN said:

[…] […]

June 29, 2009 at 10:20 am, Verdecchia Blog » Blog Archive » Un’occhiata al firewall dell’Iran said:

[…] /blog/asert/2009/06/iranian-traffic-engineering/ […]

June 29, 2009 at 10:05 am, National Traffic Engineering « CIP VIGILANCE said:

[…] Iranian Traffic Engineering – A Deeper Look at The Iranian […]

June 30, 2009 at 12:17 pm, Traffic und Twitter im Iran | Webregard - Watch the Web said:

[…] gain. This is due to the current events in Iran. But for a few weeks now these services have been suppressed and can only be reached through systems such as Tor. Code of conduct for social […]

July 01, 2009 at 4:42 am, petro said:

[…] analysis on the Iranian IT situation, picking their pet theories we presented late last night. – Arbor Networks thinks that the networks were taken offline and migrated to low-capacity proxy servers. – GigaOm’s […]
Interest idea. I agreed.

July 05, 2009 at 1:06 am, روش هاي ارتباطي از اين پس « تارتنک- آي‌تي‌2ميم‌ت said:

[…] that in this post and its chart, it is shown that due to technical limitations […]

July 24, 2009 at 1:17 am, Annotated Bibliography: Twitter and the Iranian Election Protests « OPEN ANTHROPOLOGY said:

[…] Iranian Traffic Engineering Arbor Networks, Craig Labovitz, 17 June 2009 /blog/asert/2009/06/iranian-traffic-engineering/ How could anyone in Iran have been tweeting on the days following the election when physical Internet traffic had been shut down? – Extract: “In normal times, DCI carries roughly 5 Gbps of traffic (with a reported capacity of 12 Gbps) through 6 upstream regional and global Internet providers. For the region, this represents an average level of Internet infrastructure (for purposes of perspective, a mid size ISP in Michigan carries roughly the same level of traffic). Then the Iranian Internet stopped. One the day after the elections on June 13th at 1:30pm GMT (9:30am EDT and 6:00pm Tehran / IRDT), Iran dropped off the Internet. All six regional and global providers connecting Iran to the rest of the world saw a near complete loss of traffic.” […]

July 30, 2009 at 1:47 pm, Iran Election Live-Blogging (Thursday June 18) | linkthe.com said:

[…] Internet stopped.” Via reader Chas, on the Arbor Network Security blog, Craig Labovitz writes: In normal times, DCI carries roughly 5 Gbps of traffic (with a reported capacity of 12 Gbps) […]

August 08, 2009 at 9:35 pm, Jonathan Stone said:

What kind of appliances would they be buying to do this IP traffic filtering? I have heard of the Nokia-Siemens monitoring that everyone is making a stink about, but you suggest here that there is something far less powerful being used. Would you feel comfortable giving some examples?

March 05, 2010 at 7:39 pm, How Nokia helped Iran “persecute and arrest” dissidents | Planet-Iran.com said:

[…] organizing tools in the days after the disputed election (the Iranian Internet was essentially cut off completely from the world right after the election, and only restored piecemeal as new blocking capabilities were brought […]

August 10, 2010 at 12:04 pm, A nation of bloggers… | Helen's Blog said:

[…] /blog/asert/2009/06/iranian-traffic-engineering/ […]

January 28, 2011 at 6:15 pm, Egypt Loses the Internet | Security to the Core | Arbor Networks Security said:

[…] outage is unknown though many press reports have drawn parallels to the Internet outages following Iranian political protests during the summer of 2009. Further, the simultaneous failure of Internet across multiple different […]

May 17, 2011 at 7:14 pm, Iran inadvertantly wages cyber war — on itself | The Last Watchdog said:

[…] Posted on | June 18, 2009 | 1 comment Iran has become the first nation-state to wage cyber war — on itself. At least that’s the notion posited by Computerworld reporter Patrick Thibodeau in this story, and reinforced by Arbor Networks researcher Craig Labovitz in this blog post. […]
