How Egypt did (and how your government could) shut down the Internet30/01/2011 06:46
How hard is it, exactly, to kill the Internet? Egypt seems to have been able to do it. But Egypt's situation isn't exactly the same as that in the Western world. And even though Egypt only has four big ISPs, the fact that everything went down after midnight local time suggests that it took considerable effort to accomplish the 'Net shut-off. After all, it seems unlikely that President Hosni Mubarak ordered the Internet to be shut down as he went to bed; such a decision must have been made earlier in the day, and then taken hours to execute.
Also, the fact that such a drastic measure was deemed necessary may indicate that more targeted measures, such as blocking Twitter, didn't get the job done. This nuclear option—see below—was intended to make online coordination of anti-government action impossible; at the same time, the mushroom cloud may give protesters hope that their efforts are not in vain. As one blogger writes: "It's as if the regime has done the information aggregation for you and packaged it into a nice fat public signal."
Cables and routing
But back to the "how," and "would this also work in a Western democracy?"
The easiest way to disconnect a country from the Internet is to cut the cables that leave the country. Egypt has a bunch of sea cables that go across the Mediterranean to Italy, and a few others that visit other Mediterranean destinations. Other cables run through the Red Sea towards east Africa and in the direction of India and beyond.
I haven't seen any maps with cables that cross the border toward neighboring countries—it's much easier to pull fiber through the sea than through the desert. Interestingly, it doesn't look like the connections that run through Egypt have been affected. This traffic typically traverses the country without ever leaving the fiber, so it remains oblivious to the turmoil going on in Egypt. The fact that traffic between Europe and Asia is unaffected means the fiber optic cables themselves weren't cut.
The only thing we know for sure is that quite suddenly, almost all the Egyptian IP address ranges fell off the 'Net, as reported by Renesys. The Renesys post talks about BGP prefixes disappearing. That could be either cause or effect. A prefix is simply BGP-talk for a range of IP addresses. For instance, the range 192.0.2.0-192.0.2.255 is the prefix 192.0.2/24. The number after the slash indicates how many bits are part of the prefix. The remaining bits are to be filled in later. BGP, the Border Gateway Protocol, is a routing protocol that is used between the routers on either side of the border between two ISPs—"gateway" is an old-fashioned word for "router."
What BGP does is "advertise" the local address prefixes to neighboring networks. Wholesale ISPs propagate their customer's advertisements to their neighbors so that eventually all ISPs know all other ISPs' prefixes. This enables routers to know where to send packets with a given destination address. The 3,500 Egyptian prefixes are now no longer advertised, so they're missing from the routing tables of BGP routers around the world. This means that routers no longer know where to send packets addressed to IP addresses that fall within these prefixes—even if all the cables are still working fine.
However, it seems unlikely that the Egyptian ISPs removed 3,500 prefixes, if only because that means removing 3,500 lines from router configurations. Usually, two or three routers advertise a prefix—more is overkill, but less is dangerous because if the advertising routers go down, the addresses fall off of the 'Net. An easier way would be to make a filter that simply doesn't allow any outgoing BGP advertisements.
It could also be that the big "border" routers that the Egyptian ISPs use to connect to ISPs in Italy and elsewhere were disconnected or turned off. This works well in a relatively small country with only a few ISPs.
When the border routers are turned off or lose their connection to the outside world, an ISP's network becomes isolated from the rest of the world. However, that doesn't necessarily mean local connectivity is disrupted. Egypt has an Internet exchange, and many ISPs have direct interconnections. The connections between different ISPs are also governed by BGP, which requires extensive manual configuration. Disrupt the border routers, or the fibers that BGP knows about, and two ISPs can't exchange traffic anymore.
Breaking international connections wouldn't necessarily kill the connectivity between the four large Egyptian ISPs—that would require a separate action. But in a country like Egypt, with one very large city and a handful of ISPs, that number of connections between ISPs should be fairly small and therefore easy to disrupt. This is especially the case of an Internet exchange: just turn off the exchange's Ethernet switches.
Within an ISP's network, the routing protocols IS-IS and OSPF are used. Unlike BGP, IS-IS and OSPF don't require much, if any, configuration. They will simply make use of any connectivity that's available and automatically advertise address blocks within the local network. To really make it impossible for any two users of the same ISP to talk to each other, it's necessary to shut down—or at least disable the routing protocols—on every router.
Of course just being able to talk to people that are connected to the same ISP as you isn't that useful—especially if there's no DNS. Turns out that there are three DNS root servers in Egypt, so there is a possibility that they could keep internal connectivity going without relying on the outside world. The root servers are the first step in resolving domain names into IP addresses. The next step is talking to a top level domain server, and finally talking to the DNS server of the domain in question. So this only works for top level domains and domain names for which the nameservers are located within the country. The three nameservers for Egypt's .eg top level domain are located in Vienna, Seattle, and Cairo. For any content hosted within the country, it would make sense for the DNS servers to be located in Egypt, too.
But obviously, keeping local connectivity up and running would defeat the purpose. Unlike BGP and IS-IS/OSPF, the DNS in general, and root servers in particular, provides a nice central place where it's easy to disrupt the network. In the case of the US or Europe, that wouldn't be as easy, because both have dozens of root servers, and they're run by 13 different organizations.
If the DNS is still working to some degree, it's also necessary to get packets from one ISP to another. Egypt has an Internet exchange in Cairo. It's unclear whether the four big ISPs in Egypt connect with each other through that exchange, but generally ISPs don't like to use international connections for national traffic. So it's likely that they interconnect in or around Cairo.
Could this happen elsewhere?
Like in Egypt, in Europe almost all interconnection happens in the capitals of the countries involved. Not so in the US: because the country is so large, and traffic volumes are so high, large networks may interconnect in as many as 20 cities. Numerous intercontinental sea cables land in the Boston, New York, Washington DC, Miami, Los Angeles, and Seattle regions. So in Egypt or many medium-sized countries, killing the connections between ISPs wouldn't be too hard. In the US, this would be quite difficult.
Assuming someone in high places has an Internet kill switch, shutting down just the international connections would require a lot of manual work, or the preexistence of an infrastructure that can make this happen automatically through management protocols. Of course such a system would never be triggered by accident or by a disgruntled employee.
The old story that the Internet was built as a military network to withstand nuclear attacks is pretty much an urban legend, but despite that, it's surprisingly hard to kill. It can be done, however, if you're a government and you try really, really hard.