A Multidimensional Network Forensics Investigation of a State-Sanctioned Internet Outage

Title: A Multidimensional Network Forensics Investigation of a State-Sanctioned Internet Outage
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Mangino, Antonio; Bou-Harb, Elias
Conference Name: 2021 International Wireless Communications and Mobile Computing (IWCMC)
Date Published: June
Keywords: Collaboration, composability, compositionality, Fingerprint recognition, Forensics, Geology, Government, Human Behavior, human factors, Internet background radiation, Internet Outage Detection, Internet-of-Things, Internet-scale Computing Security, Measurement, Metrics, network forensics, policy-based governance, pubcrawl, resilience, Resiliency, Scalability, telecommunication traffic, Wireless communication
Abstract: In November 2019, the government of Iran enforced a week-long total Internet blackout that prevented the majority of Internet connectivity into and within the nation. This work elaborates upon the Iranian Internet blackout by characterizing the event through Internet-scale, near real-time network traffic measurements. Beginning with an investigation of compromised machines scanning the Internet, nearly 50 TB of network traffic data was analyzed. This work discovers 856,625 compromised IP addresses, with 17,182 attributed to the Iranian Internet space. By the second day of the Internet shutdown, these numbers dropped by 18.46% and 92.81%, respectively. Empirical analysis of the Internet-of-Things (IoT) paradigm revealed that over 90% of compromised Iranian hosts were fingerprinted as IoT devices, which saw a significant drop throughout the shutdown (96.17% decrease by the blackout's second day). Further examination correlates BGP reachability metrics and related data with geolocation databases to statistically evaluate the number of reachable Iranian ASNs (dropping from approximately 1100 to under 200 reachable networks). In-depth investigation reveals the top affected ASNs, providing network forensic evidence of the longitudinal unplugging of such key networks. Lastly, the impact's interruption of the Bitcoin cryptomining market is highlighted, disclosing a massive spike in unsuccessful (i.e., pending) transactions. When combined, these network traffic measurements provide a multidimensional perspective of the Iranian Internet shutdown.
DOI: 10.1109/IWCMC51323.2021.9498743
Citation Key: mangino_multidimensional_2021