How a Resilient Society Defends Cyberspace


Iran and the Internet: Uneasy Standoff

June 14, 2009 Comments (20) Views: 10429 Engineering, Internet, Politics

Strange Changes in Iranian Transit

Tweet about this on TwitterShare on FacebookShare on Google+Share on LinkedInShare on Reddit


Many media sources have reported outages in Iranian mobile networks and Internet services in the wake of Friday’s controversial elections. We took a look at the state of Iranian Internet transit, as seen in the aggregated global routing tables, and found that the story is not as clear-cut as has been reported.

There’s no question that something large happened in the Iranian telecom space, and that the timing aligns with the close of voting and the emerging controversy. Iran typically has a fairly high baseline level of sporadic route instability, due to the country’s highly centralized incumbent transit through DCI (Data Communications Iran, AS12880) and DCI’s somewhat peripheral connectivity to the main east-west conduits for data. Even so, we started seeing spikes of route instability (changes in the paths to Iranian IP space) starting around 08:05 UTC on Saturday (just after noon in Tehran) that were significantly larger than normally expected. These bursts affected as many as 400 prefixes (blocks of IP addresses) — the majority of Iran’s Internet presence.

At 17:48 UTC, instability turned into outage, as more than 180 Iranian networks were withdrawn from the global routing tables, indicating that there were no remaining paths into DCI for that portion of Iranian traffic. Contrary to media reports, however, the outages were fairly short-lived. Within a few minutes, half of the outaged population were restored to alternative transit; over the course of an hour, outage levels returned to their normal baseline. Route instability continued to be fairly high, and that pattern has continued through the night and into Sunday.

What can we say for sure? Not much, except that Iran remains well-connected to the Internet from a routing perspective. If I had to guess, I’d say that there are probably a lot more people around the world pulling local content from Iran’s providers right now, and that surge of demand is probably contributing to increased congestion and (perhaps) some of the route instability we see. It wouldn’t be unusual for there to be some inbound cyber-mischief as well, from supporters of one or the other side, but so far we only have rumors on that front.

It is interesting to note that the changes in routing that took place were very specific in their impact on DCI’s various transit providers, who keep the country connected to the world. There are six of them: Turk Telecom (TTNet, AS9121), FLAG (AS15412), Singapore Telecom (AS7473), PCCW (AS3491), Telia (AS1299), and Telecom Italia Sparkle (AS6762). As the following plot shows, five of them lost Iran’s transit, and one of them (Turkish Telecom) was a big gainer. (Red arrows indicate loss of transit preference from the outside world; green indicates a gain in transit via the given provider.)

A transit shift of this magnitude may indicate that something (administrative, or physical) has affected Iran’s connection to the submarine cables running east and west — not a total outage, but some kind of significant impairment. Turkey has their own, interesting arrangements with Iran for transit, and those are still in good shape (perhaps somewhat congested, having presumably doubled or tripled in transit volume). It wasn’t unusual to see 300ms traceroutes from North America and Europe in this timeframe to many Iranian sites.

Of course, you have to remember that globally visible routes are the signposts for inbound traffic to and through DCI to the local providers; from the outside, there’s no telling what the Internet experience of the average person inside Iran is like today. It sounds as if a lot of content is being blocked within the country. For now, it’s a good sign that information continues to flow, and Iran is still connected to the world at large. Let’s hope they stay connected.

Tags: , ,

Learn More About Dyn Internet IntelligenceLearn More

Not sure how your network is affected by events? Check out the tool our research team uses!

20 Responses to Strange Changes in Iranian Transit

  1. I have to wonder if someone pulled the plug on the Gulf landing and forgot that BGP would everything through Turkey.
    What I can add to this is that AmericaFree.TV lost its (small but steady) broadcast audience in Iran at some point on Friday, and regained it, at least in part, today.

  2. Thanks for the great info and analysis James!
    I can only add that those interested in following the developments real time as reported by people “on the streets” in Iran can find a good list of twitterer’s to follow here:

  3. Some Guy says:

    Is this what an attack on the Internet would look like?

  4. tudza says:

    So, if I understand, you are saying that Iran is well connected for incoming and outgoing traffic but that internal traffic is being blocked? Isn’t that exactly what Iranians are complaining about?

  5. Obliterous says:

    what this means, is that instead of multiple connections in/out of the Iranian portion of the internet, there is only ONE connection. Such a restriction allows for much simpler filtering, firewalling and content censoring. This basically allows whomever is in charge at DCI (or their political overlords) to decide what parts of the global internet are reachable from within the Iranian segment of the internet.
    If that person decides that Iranians shouldn’t be able to reach the CNN website, then they can’t reach the CNN website. If they decide that the rest of the world should not be able to view a website hosted within Iran, then it doesn’t happen.
    The only realistic reasons for this to have happened are either major widespread equipment failure, or political action for purposes of censorship. Five major links don’t suffer technical failure like that (at almost the same time) without MAJOR infrastructure problems, ie: the power goes out and stays out longer than the backup systems can handle.

  6. Anon says:

    Obliterous — Their government can effectively block content regardless of the number of outgoing international internet links should they wish to do so. Having traffic going through only one link doesn’t make content blocking simpler.
    I was in Iran a couple of years ago and website blocking was implemented at the ISP level. It was easy to get around and it appears it still is based on the number of people still using twitter there.

  7. Kaveh says:

    The report misses the main reason, this happened because DCI (who is the only legal bandwidth provider in the country, so all ISPs get their bandwidth from DCI, at least their legal bandwidth) decreased the bandwidth provided to ISPs by up to twenty times, so, if you had a contract for 200Mbps, you could end-up getting something close to 10Mbps, now the trick is ISPs BGP Connection to DCI is not out of band, they use the same link they use to get the bandwidth to initiate the BGP Session and there is no QoS on that network, BGP connection to DCI starts getting unstable and that’s what you get…

  8. Social Media Ignites in Iran

  9. Chris Rhoads says:

    Kaveh, i’m a reporter with the WSJ working on a story today on this, would you have a moment to chat? and others out there looking at this in detail—how the Iranian Internet performed around the Iranian elections—would be great if we could be in touch asap.

  10. When Communication Is Taken Away

    Internet and SMS traffic is greatly reduced in Iran after contested election

  11. Ben Ward says:

    @Marshall Eubanks – You might well have a point there. As of 2006 the only cable system that reached Telecom Iran was someone like Etisalat. FLAG Telecom’s FEA often carried the capacity West and East from UAE, and certainly provided one of no more than three IP transit services.
    At that point to take out Telecom Italia, Singtel, FLAG, PCCW and Telia Sonera could be done from a single cable landing station, but not a single transit router. It makes sense then that the prefixes to Turkey would take a different (overland) route if this were to happen.
    I know it’s 2009, but aside from press releases I don’t believe there’s been another completed CLS in Iran yet, not even from FLAG (Reliance) FALCON.
    It’s a big plug and all it would take is one loyal landing station engineer to yank it.

  12. Vic Winkler says:

    Iran is at the beginning of a play that will end up with fundamental change. The questions are how much blood will be involved and how long.

  13. evil daystar says:

    Iran: Notaus für das Internet?

    Der Iran wird insgesamt von sechs Providern, Türk Telekom, FLAG, Singapore Telecom, PCCW, Telia, and Telecom Italia Sparkle mit dem Internet verbunden. Zufällig genau dann wenn ein Großteil der Bevölkerung  sich über gefakte Wahlen beschwert und …

  14. Dark Typh says:

    Would it be possible to get a more current graph of the outages somewhere?

  15. Could the large effort to DDoS Iranian government website have a significant role in reducing the TTNet access and knocking out the others?

  16. A few more links — the best way to follow the twitter stream

  17. Alex says:

    Hi Ben,
    Iran internet infrastructure is different with Etisalat (used to be a monopoly) now there is DU.
    Iran has over 30 main ISPs and 1000 sub-ISPs conencted to main ones. There is no single pipe that feeds the country, however, all ISPs are forced to follow the filtering rules set by IRAN Telecom Company. The list is updated and given to ISPs on daily basis and there are heft fines if an ISP neglects to follow the rules.
    As per the past few days, there are huge DDOS attacks toward the government sponsored news agencies and ministries. On top of that they government has started to block virtually everything on the net, from facebook, twitter, IM, news, emails and so on.

  18. Michael says:

    Interesting comments on te IRAN Telecom Company’s filtering rules. You state that these are distributed to the ISP’s on a daily basis.
    Is anything more detailed known about this process? Is it automated? Could it be interrupted or spoofed? If the community could intervene in the direction the ISP’s are getting it could be helpful. One outcome would be a total interruption, likely forcing a status quo based on the last known update. Another would be conflicting (spoofed) credible versions, providing the ISP’s with enough leeway to claim belief of whichever they prefer.

  19. Marco says:

    I am a journalist from Germany’s leading newspaper FAZ and I find your article very interesting. Do you have more details about the the Iran internet infrastructure that you could send me?
    Thanks a lot for your help!

  20. Yedda: RE: Protests in Iran

    American Patriot answered: re: How Should We Help Iran? Suppose that President Obama decides to support the revolution in Iran. You may say it?s unlikely, but you?d have said that the revolution itself was pretty darned unlikely, wouldn?t you …

Leave a Reply

Your email address will not be published. Required fields are marked *