Analysis of Country-wide Internet Outages Caused by Censorship


CAIDA Workshop on BGP and Traceroute data August 22nd, 2011- San Diego (CA), USA Analysis of Country-wide Internet Outages Caused by Censorship Alberto Dainotti - alberto@unina.it University of Napoli Federico II These slides are based on


SLIDE 1

Alberto Dainotti - alberto@unina.it University of Napoli “Federico II”

Analysis of Country-wide Internet Outages Caused by Censorship

CAIDA Workshop on BGP and Traceroute data August 22nd, 2011- San Diego (CA), USA

These slides are based on the following paper to be presented at ACM IMC 2011:

  • A. Dainotti, C. Squarcella, E. Aben, K. C. Claffy, M. Chiesa, M. Russo, A. Pescapé, “Analysis of Country-wide Internet Outages Caused by Censorship”

SLIDE 2

THE EVENTS

  • Egypt
      • Protests in the country start around January 25th, 2011
      • The government orders service providers to “shutdown” the Internet
      • On January 27th, around 22:34 GMT, several sources report the withdrawal in the Internet’s global routing table of almost all routes to Egyptian networks
      • The disruption lasts 5.5 days
  • Libya
      • Protests in the country start around 17th February 2011
      • The government controls most of the country’s communication infrastructure
      • Three different connectivity disruptions: February 18th (6.8 hrs), 19th (8.3 hrs), March 3rd (3.7 days)
  • Similar events in other countries but we did not analyze them

Internet Disruptions in North Africa

COMICS Research Group University of Napoli “Federico II” - Italy

SLIDE 3

SOME FACTS

Egypt

  • 3165 IPv4 and 6 IPv6 prefixes are delegated to Egypt by AfriNIC
  • They are managed by 51 Autonomous Systems
  • Filtering type: BGP only
  • Filtering dynamic: synchronized; progressive

Libya

  • 13 IPv4 prefixes, no IPv6 prefixes
  • 2 (+ 1) Autonomous Systems operate in the country
  • Filtering type: mix of BGP, packet filtering, satellite signal jamming

  • Filtering dynamic: testing different techniques; somehow synchronized

Prefixes, ASes, Filtering

SLIDE 4

WHAT WE DID

  • BGP
      • BGP updates from route collectors of RIPE-NCC RIS and RouteViews
      • We combined information from both databases
      • Graphical Tools: REX, BGPlay, BGPviz
  • Active Traceroute Probing
      • Archipelago Measurement Infrastructure (ARK)
      • We underutilized it.
  • Internet Background Radiation (IBR)
      • Traffic reaching the UCSD network telescope
      • Capable of revealing different kinds of blocking

Combined different measurement sources

SLIDE 5

THE DATA

  • IP ranges associated with the country of interest
      • Delegations from Regional Internet Registries (RIR)
      • Commercial geolocation database
  • Gather prefixes to be monitored. For each IP range:
      • We look up the address space in the BGP database of announced prefixes, to find an exactly matching BGP prefix
      • We find all the more specific (strict subset, longer) prefixes of this prefix
      • If the two previous steps yielded no prefix, we retrieve the longest BGP prefix entirely containing the address space
  • Every time we refer to an AS we actually refer to the IPs of that AS that are associated to the country of interest

Geolocation + announced prefixes

                          Egypt        Libya
AfriNIC delegated IPs     5,762,816    299,008
MaxMind GeoLite IPs       5,710,240    307,225
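
The three-step prefix selection on this slide, written out as an added example (not code from the slides or the paper). It assumes each delegated IP range is a single CIDR block; the function name and the documentation-range prefixes are constructed for illustration.

```python
import ipaddress


def prefixes_to_monitor(ip_range, announced):
    """Return the announced BGP prefixes to monitor for one delegated range."""
    rng = ipaddress.ip_network(ip_range)
    # Compare only within one address family (subnet_of rejects mixed versions).
    table = [n for n in map(ipaddress.ip_network, announced)
             if n.version == rng.version]

    # Step 1: an announced prefix that matches the range exactly.
    exact = [n for n in table if n == rng]
    # Step 2: every more specific (strictly longer) prefix inside the range.
    more_specific = sorted(n for n in table if n != rng and n.subnet_of(rng))
    selected = exact + more_specific

    # Step 3: only if steps 1 and 2 found nothing, fall back to the
    # longest announced prefix that entirely contains the range.
    if not selected:
        covering = [n for n in table if rng.subnet_of(n)]
        if covering:
            selected = [max(covering, key=lambda n: n.prefixlen)]
    return [str(n) for n in selected]


# Constructed routing table (documentation address space, not real routes).
ANNOUNCED = [
    "198.51.100.0/24",    # exact match for the first delegated range
    "198.51.100.0/25",    # more specific
    "198.51.100.128/26",  # more specific
    "203.0.113.0/24",     # covers the second delegated range
    "203.0.113.0/25",     # longer covering prefix, preferred in step 3
    "2001:db8::/32",      # IPv6 entry, ignored for IPv4 ranges
]

if __name__ == "__main__":
    for delegated in ("198.51.100.0/24", "203.0.113.64/26", "192.0.2.0/24"):
        print(delegated, "->", prefixes_to_monitor(delegated, ANNOUNCED))
```

A delegated range with no exact, more specific or covering announcement yields an empty list, meaning it was never visible in BGP and cannot be monitored this way.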

SLIDE 6

BGP

  • We reconstruct prefixes losing and regaining reachability
      • we build the routing history of a collector’s peer for each collector
      • using both RIBs and UPDATES
      • we mark a prefix as disappeared if it is withdrawn in each routing history

prefix reachability

[Plots: number of visible IPv4 prefixes (20:00 to 23:00); number of re-announced IPv4 prefixes (09:00 to 12:00)]

Egyptian disconnection and reconnection [NOTE: IPv6 routes stayed up!]
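
An added example (not the authors' code) of the reachability rule on this slide: a prefix counts as disappeared only once every peer's routing history has withdrawn it. The tuple layout, peer names and prefixes are constructed; real input would come from collector RIB dumps and UPDATE messages.

```python
from collections import defaultdict


def visibility_timeline(rib, updates):
    """Replay updates on top of a RIB snapshot and report visibility changes.

    rib:     {peer: set of prefixes} taken from the initial RIB dump
    updates: iterable of (timestamp, peer, "A" or "W", prefix)
    Returns [(timestamp, prefix, "disappeared" | "reappeared", visible_count)].
    """
    holders = defaultdict(set)  # prefix -> peers that currently have a route
    for peer, prefixes in rib.items():
        for prefix in prefixes:
            holders[prefix].add(peer)
    visible = {p for p, peers in holders.items() if peers}

    timeline = []
    for ts, peer, kind, prefix in sorted(updates):
        if kind == "A":
            holders[prefix].add(peer)
        elif kind == "W":
            holders[prefix].discard(peer)
        # Visible while at least one peer still holds a route to the prefix.
        now_visible = bool(holders[prefix])
        if now_visible and prefix not in visible:
            visible.add(prefix)
            timeline.append((ts, prefix, "reappeared", len(visible)))
        elif not now_visible and prefix in visible:
            visible.remove(prefix)
            timeline.append((ts, prefix, "disappeared", len(visible)))
    return timeline


# Constructed sample: two collector peers, two prefixes.
SAMPLE_RIB = {
    "peer-a": {"198.51.100.0/24", "203.0.113.0/24"},
    "peer-b": {"198.51.100.0/24", "203.0.113.0/24"},
}
SAMPLE_UPDATES = [
    (1, "peer-a", "W", "198.51.100.0/24"),   # still visible via peer-b
    (2, "peer-b", "W", "198.51.100.0/24"),   # withdrawn everywhere
    (3, "peer-a", "W", "203.0.113.0/24"),
    (4, "peer-b", "W", "203.0.113.0/24"),
    (10, "peer-a", "A", "198.51.100.0/24"),  # re-announced
]

if __name__ == "__main__":
    for event in visibility_timeline(SAMPLE_RIB, SAMPLE_UPDATES):
        print(event)
```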

SLIDE 7

BGP

  • A detailed analysis shows there is synchronization among ASes

per-AS analysis

[Plot: number of re-announced IPv4 prefixes (09:00 to 12:00), per AS: EgAS1, EgAS2, EgAS3, EgAS4, EgAS5, EgStateAS]

SLIDE 8

ROUTE CHANGES

BGPlay

  • The massive disconnection caused some path changes too

SLIDE 9

UCSD TELESCOPE

  • Unsolicited traffic (e.g. scanning from Conficker-infected hosts) from the observed country and reaching a (mostly) unused /8 network at UCSD

when malware helps..

[Plot: packets per second over time; series: Egypt, Libya]

SLIDE 10

UCSD TELESCOPE

  • We classified traffic to the telescope into
      • Conficker-like
      • Backscatter (e.g. SYN-ACKs to randomly spoofed SYNs of DoS attacks)
      • Other

need to dissect traffic

[Plot: packets per second, 01-27 to 02-04; series: other, conficker-like, backscatter]

Egypt: telescope traffic

SLIDE 11

TELESCOPE VS BGP

Consistency

[Plot: packet rate of unsolicited traffic (packets per second) and visibility of BGP prefixes (number of IPv4 prefixes in BGP), 01-27 to 02-04]

  • The sample case of EgAS7 shows the consistency between telescope traffic and BGP measurements

Egypt: disconnection of EgAS7

SLIDE 12

TELESCOPE VS BGP

Complementarity

  • Contrasting telescope traffic with BGP measurements revealed a mix of blocking techniques that was not publicized by others
  • The second Libyan outage involved overlapping of BGP withdrawals and packet filtering

Libya

[Plots: packets per second and number of visible prefixes, 02-18 12:00 to 02-21 00:00]

SLIDE 13

TELESCOPE VS BGP

  • BGP-unreachability doesn’t, in general, prevent outbound traffic
  • We found networks that were BGP-unreachable sending traffic to the telescope
  • and networks BGP-reachable that were not
  • Topology analysis may help to better understand this behavior

Confusion?

Telescope traffic from two Egyptian ASes

[Plot: packets per second, 01-27 to 02-04; series: EgAS4, EgStateAS]

SLIDE 14

ARK

  • ARK active measurements are consistent with other sources
  • limitation due to frequency of probes and because they target random addresses
  • the first two Libyan outages are not visible
  • we used them only to test reachability, not to analyze topology

active measurements

[Plots: Ark traceroutes to Libya terminating in Libya (1% to 5% scale, Feb 12 to Mar 14); Ark traceroutes to Egypt terminating in Egypt (5% to 15% scale, Jan 21 to Feb 6); panels: Egypt, Libya]

SLIDE 15

ARK

confirming telescope’s findings

[Plots: Ark traceroutes to Libya terminating in Libya (Feb 12 to Mar 14); telescope traffic in packets per second (03-01 to 03-08)]

Libya: ARK (left), Telescope (right)

  • Third Libyan outage: while BGP reachability was up, most of Libya was disconnected
  • ARK measurements confirmed the finding from the telescope, plus identified some reachable hosts, suggesting the use of packet filtering by the censors

SLIDE 16

SATELLITE CONNECTIVITY

probable signal jamming

Libya: Telescope traffic from national operator and satellite-based ISP

  • Third Libyan outage
      • a Libyan IPv4 prefix managed by SatAS1 was BGP-reachable
      • a small amount of traffic from that prefix reaches the telescope

[Plot: packets per second over time; series: LyStateAS, SatAS1]

SLIDE 17

CONSIDERATIONS

  • Telescopes can be used for studying macroscopic connectivity problems and they complement BGP-based measurements
  • BGP-unreachable networks sometimes still *send* unsolicited packets
  • Ark measurements
  • Probing frequency + destination sampling = (too) small resolution
  • Better/more detailed measurements should be triggered by other measurements when interesting events occur
  • Detection would need both telescope & BGP measurements
  • IPv6 was neglected by the censors
  • We depend on geolocation
  • Time resolution of BGP measurements: can we improve it?
  • We would like to look at AS-level topology
  • We couldn’t study, e.g., Syria because of very selective filtering and low volume of unsolicited traffic
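
An added example (not from the slides or the paper) of why detection needs both sources: it labels each time bin by comparing visible BGP prefixes and telescope packet rate against a baseline, then merges adjacent bins into episodes. The 20% threshold, the label names and the sample values are assumptions made for illustration, not measurements.

```python
def label_bin(prefixes, pps, base_prefixes, base_pps, drop=0.2):
    """Classify one time bin from the two independent signals."""
    bgp_down = prefixes <= drop * base_prefixes   # routes mostly withdrawn
    ibr_down = pps <= drop * base_pps             # telescope traffic mostly gone
    if bgp_down and ibr_down:
        return "bgp-withdrawal"            # both sources agree
    if ibr_down:
        return "filtering-suspected"       # routes up, traffic gone
    if bgp_down:
        return "unreachable-but-sending"   # routes gone, outbound still flows
    return "normal"


def episodes(bins, base_prefixes, base_pps, drop=0.2):
    """Merge consecutive bins with the same label into (start, end, label)."""
    merged = []
    for ts, prefixes, pps in bins:
        label = label_bin(prefixes, pps, base_prefixes, base_pps, drop)
        if merged and merged[-1][2] == label:
            merged[-1] = (merged[-1][0], ts, label)
        else:
            merged.append((ts, ts, label))
    return [e for e in merged if e[2] != "normal"]


# Constructed sample: (bin, visible prefixes, telescope packets per second).
SAMPLE_BINS = [
    ("03-01", 13, 5.0),
    ("03-02", 13, 4.8),
    ("03-03", 13, 0.4),   # routes announced, traffic collapses
    ("03-04", 13, 0.3),
    ("03-05", 2, 0.2),    # routes withdrawn as well
    ("03-06", 2, 3.9),    # routes still withdrawn, traffic returns
    ("03-07", 13, 5.1),
]

if __name__ == "__main__":
    for episode in episodes(SAMPLE_BINS, base_prefixes=13, base_pps=5.0):
        print(episode)
```

A BGP-only monitor would miss the first episode and a telescope-only monitor could not tell the first two apart, which is the complementarity the slides describe.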

SLIDE 18

THANKS