Internet Disruption Report: February 2020

A year ago, in my “Last Month in Internet Intelligence: February 2019” post for Oracle’s Internet Intelligence blog, I noted that “February was a surprisingly quiet month for Internet disruptions.” Interestingly, that appeared to hold true a year later, with fewer major disruptions observed than in prior months. In addition, the disruptions covered this month had a more limited set of causes — a DDoS attack, network maintenance, and cable/fiber issues — no power outages in Venezuela or wide-scale Internet shutdowns in the Middle East as have been seen in prior months.

DDoS Attack

On February 8, network operators in Iran were reportedly targeted by a distributed denial-of-service (DDoS) attack that disrupted connectivity for several hours across the country. According to a Tweet from @sadjadb, a member of the Board of Directors at infrastructure provider TIC, a DDoS attack at 09:30 local time “hampered” Internet connectivity for some fixed and mobile providers within the country. He noted that connectivity was “normalized with the intervention of the Dzhafa Shield and the efforts of its communications infrastructure partners”. Also known as the “Digital Fortress”, the Shield was announced in May 2019, and is intended to “protect citizens’ privacy, deter cyberattacks on infrastructure, help sustain digital services, combat data breaches and online fraud, as well as detect malware in the network and stop its spread”.

The figures below from show the impact of the DDoS attack on Iran at a country level, as well as on leading fixed and mobile network providers. The CAIDA IODA graphs show a disruption to the Active Probing metric starting at around 08:00 GMT, with recovery taking four to six hours. Slight perturbations are evident in the BGP metric, and it is interesting to see a slight increase in the Darknet metric at a country level and for AS44244, although it is not clear if this increase is directly associated with the attack.

CAIDA IODA graph for Iran, February 8
CAIDA IODA graph for AS48159 (TIC), February 8
CAIDA IODA graph for AS44244 (Iran Cell), February 8

Network Maintenance

At the end of January, MTN Ghana alerted customers that it would be undertaking maintenance work on its network between 00:00-01:00 local time on February 1, and that this work would result in intermittent disruptions to Internet connectivity.

The figures below illustrate the impact of MTN Ghana’s maintenance work on Internet connectivity for Ghana at a country level, as well as on MTN Ghana’s network. The disruption is visible within the Oracle Internet Intelligence graphs as minor brief disruptions to the active probing and BGP metrics. Within the CAIDA IODA graphs, the impact to the BGP metric is more significant than to the active probing metric at a country level. However, at a network level, the maintenance resulted in both the BGP and active probing metrics dropping to near zero for approximately 15 minutes.

Cable/Fiber Issues

February 7 was an active day for Internet disruptions apparently caused by problems with submarine or terrestrial cables.

Just after noon (GMT), an Internet disruption was observed for Vanuatu, with declines in all three metrics seen in the Oracle Internet Intelligence graph, and declines seen in the active probing and BGP metrics on the CAIDA IODA graph. The disruption appears to have lasted for approximately three hours.

Drilling down to a network level and looking at AS9249 (Telecom Vanuatu), the disruption is clearly evident in both the Oracle and CAIDA graphs below. The Oracle graph shows that Telecom Vanuatu primarily gets upstream connectivity from AS38442 (Vodafone Fiji), and in looking at Telegeography’s Submarine Cable Map, we can see that the Interchange Cable Network 1 (ICN1) connects the two island nations.

However, the Oracle Internet Intelligence graph below for AS38442 (Vodafone Fiji) shows that the network gets most of its upstream connectivity from AS4637 (Telstra Global), and that there is a concurrent disruption clearly evident in that connection as well. Given that the Southern Cross Cable Network connects to Fiji, and that Telstra Global is part owner and a purchaser of substantial capacity on the SCCN, it is more likely that the disruption occurred on this submarine cable, and then became evident for Vanuatu because of its limited international Internet connectivity.

Oracle Internet Intelligence Traffic Shifts graph for AS38442 (Vodafone Fiji)

In Botswana, Internet disruptions were observed mid-morning and late evening GMT on February 7. The Oracle Internet Intelligence graphs in the figure below show significant drops in the active probing and BGP metrics for both disruptions, with mixed decreases in the DNS Query Rate metric. The CAIDA IODA graph shows significant losses across all three metrics for both periods of disruption.

At a network level, the disruption is also clearly evident in the Oracle and CAIDA graphs below for AS14988 (Botswana Telecommunications Corporation) and AS37678 (Botswana Fibre Networks) – the latter is the former’s primary upstream connectivity provider.

Botswana Telecommunications Corporation posted, but then subsequently deleted, information about the disruption to its Facebook page. Botswana Fibre Networks also posted an explanation, shown below. Given that the Oracle graph above for AS37678 shows the problem with measurements transiting AS37662 (West Indian Ocean Cable Company), it is likely that a failure in their infrastructure connecting Botswana and South Africa caused the observed disruption.

In the third significant Internet disruption observed on February 7, U.S. cable provider Spectrum suffered a fiber cut that impacted connectivity for customers in the New England area. As shown in the graphs below, the service disruption caused by the fiber cut began just before 20:30 GMT (15:30 local time) and lasted for nearly six hours before metrics returned to normal levels.

Spectrum Tweeted just after midnight (local time) on February 8 that the fiber break had been repaired. According to a company spokesperson, “the company’s fiber-optic network was damaged in two separate locations. The first location was damaged by severe weather in the area… The second damaged fiber affected Spectrum’s network redundancy, which led to the loss of services.”

On February 11 & 12, several Internet disruptions occurred in Papua New Guinea, clearly visible in the figures below. The disruption on February 11 appeared to impact all three metrics in both the Oracle and CAIDA graphs, while the disruption on February 12 appeared to primarily impact active probing.

However, these disruptions may not have come as a surprise. On February 3, PNG Dataco, a state-owned telecommunications service provider, posted a Public Notice on its Facebook page stating “Dataco wishes to advise its clients that we will be working to activate the link on Coral Sea Submarine Cable (CS2) system this week with migration of traffic from PPC-I and APNG-2 to CS2 so there will be network outages and glitches happening that may affect your link.” The Coral Sea Submarine Cable connects Papua New Guinea to Australia through a landing point in Sydney.

In three separate posts (1, 2, 3) to its Facebook page, Telikom PNG referenced issues in Sydney, and noted that PNG Dataco was involved in working to address the issue. The Oracle Internet Intelligence graphs below show AS17828 as the upstream provider for both AS38009 (Telikom PNG) and AS55792 (Datec-PNG). According to BGPview, AS17828 is owned by PNG Dataco. As such, it is likely that the disruptions observed at a country level and within these two networks was related to activation work being done on the submarine cable by PNG Dataco.

On February 20, concurrent Internet disruptions were detected in six Caribbean territories, including Anguilla, Antigua and Barbuda, Dominica, Grenada, Montserrat, and Saint Kitts and Nevis. As shown in the Oracle Internet Intelligence graphs below, the disruption occurred between 12:00 and 14:00 GMT. In looking at Telegeography’s Submarine Cable Map, it appears that only the Eastern Caribbean Fiber System (ECFS) lands on all of the affected islands. Given this commonality, it is likely that an issue with this cable led to the observed service disruption.

At approximately 22:30 GMT on February 26, an Internet disruption started in Somalia, and lasted for about two and a half hours, until 01:00 on February 27. As shown in the figure below, the disruption was visible in the active probing and BGP metrics within both the Oracle and CAIDA graphs.

The disruption was also visible across a number of Somalian network providers. The common thread across these providers is that they all either have AS37662 (West Indian Ocean Cable Company) as a direct upstream provider, or have an upstream provider that is downstream of WIOCC. WIOCC is listed as an owner of the Eastern Africa Submarine System (EASSy) submarine cable, so it is likely that observed disruption was caused by an issue with this cable.

Finally, also on February 27, an incident on the Africa Coast to Europe (ACE) submarine cable disrupted Internet connectivity to Mauritania for several days. According to a published report, the incident started around 08:40 GMT, and at a country level, disrupted connectivity for nearly two days, as seen in the Oracle Internet Intelligence graph below.

Oracle Internet Intelligence Country Statistics graph for Mauritania, February 27-29

According to a published report, the damage to the ACE cable led to a complete Internet outage for local network provider MATTEL, while Mauritel was able to maintain connectivity. This claim is reflected in the Oracle graphs below, which shows connectivity to AS37508 (MATTEL) essentially disappearing for nearly 32 hours, while AS29544 (Mauritel) was able to fail over to an alternate upstream connectivity provider almost immediately.

Conclusion

A number of the disruptions covered above were classified under a suspected cause based on ‘circumstantial’ evidence, in part because the telecommunications providers involved did not publish any information or updates regarding the incidents observed on their networks. In addition to these disruptions, measurements from Oracle Internet Intelligence and CAIDA IODA also surfaced other Internet disruptions in Mayotte, Yemen, Sudan, Palau, South Africa, Angola, Cape Verde, Malawi, and Kiribati. Unfortunately, no information was available about these disruptions either from the impacted providers.

As the Internet plays an increasingly critical role for connection and communication during the COVID-19 pandemic amidst the lockdowns and shelter-in-place orders being implemented around the world, communicating quickly and openly about Internet disruptions when they do occur is more important than ever. Once again, we implore network providers and submarine cable operators to leverage their Web sites and/or social media presence to provide information and status updates about problems that disrupt connectivity for a set of customers or a whole country.

2 Comments

Leave a comment