Many media sources have reported outages in Iranian mobile networks and Internet services in the wake of Friday's controversial elections. We took a look at the state of Iranian Internet transit, as seen in the aggregated global routing tables, and found that the story is not as clear-cut as has been reported.
There's no question that something large happened in the Iranian telecom space, and that the timing aligns with the close of voting and the emerging controversy. Iran typically has a fairly high baseline level of sporadic route instability, due to the country's highly centralized incumbent transit through DCI (Data Communications Iran, AS12880) and DCI's somewhat peripheral connectivity to the main east-west conduits for data. Even so, we started seeing spikes of route instability (changes in the paths to Iranian IP space) starting around 08:05 UTC on Saturday (just after noon in Tehran) that were significantly larger than normally expected. These bursts affected as many as 400 prefixes (blocks of IP addresses) — the majority of Iran's Internet presence.
At 17:48 UTC, instability turned into outage, as more than 180 Iranian networks were withdrawn from the global routing tables, indicating that there were no remaining paths into DCI for that portion of Iranian traffic. Contrary to media reports, however, the outages were fairly short-lived. Within a few minutes, half of the outaged population were restored to alternative transit; over the course of an hour, outage levels returned to their normal baseline. Route instability continued to be fairly high, and that pattern has continued through the night and into Sunday.
What can we say for sure? Not much, except that Iran remains well-connected to the Internet from a routing perspective. If I had to guess, I'd say that there are probably a lot more people around the world pulling local content from Iran's providers right now, and that surge of demand is probably contributing to increased congestion and (perhaps) some of the route instability we see. It wouldn't be unusual for there to be some inbound cyber-mischief as well, from supporters of one or the other side, but so far we only have rumors on that front.
It is interesting to note that the changes in routing that took place were very specific in their impact on DCI's various transit providers, who keep the country connected to the world. There are six of them: Turk Telecom (TTNet, AS9121), FLAG (AS15412), Singapore Telecom (AS7473), PCCW (AS3491), Telia (AS1299), and Telecom Italia Sparkle (AS6762). As the following plot shows, five of them lost Iran's transit, and one of them (Turkish Telecom) was a big gainer. (Red arrows indicate loss of transit preference from the outside world; green indicates a gain in transit via the given provider.)
A transit shift of this magnitude may indicate that something (administrative, or physical) has affected Iran's connection to the submarine cables running east and west — not a total outage, but some kind of significant impairment. Turkey has their own, interesting arrangements with Iran for transit, and those are still in good shape (perhaps somewhat congested, having presumably doubled or tripled in transit volume). It wasn't unusual to see 300ms traceroutes from North America and Europe in this timeframe to many Iranian sites.
Of course, you have to remember that globally visible routes are the signposts for inbound traffic to and through DCI to the local providers; from the outside, there's no telling what the Internet experience of the average person inside Iran is like today. It sounds as if a lot of content is being blocked within the country. For now, it's a good sign that information continues to flow, and Iran is still connected to the world at large. Let's hope they stay connected.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines
Neustar DNS Services
Neustar DDoS Protection