2011-dainotti-analysis
findings extracted from this paper
-
Both Egypt and Libya demonstrate that concentration of Internet infrastructure under state ownership—in Egypt, all submarine fiber backhaul terminated at a single facility, the Ramses Exchange, controlled by the state telecommunications provider—makes country-wide BGP-based shutdowns technically straightforward. The authors conclude that the small number of state-controlled parties involved in international connectivity was the critical enabling factor, not any novel technical capability.
-
Unsolicited background radiation reaching the UCSD network telescope from Egyptian address space, in particular Conficker worm scanning (48-byte TCP SYN packets to port 445), dropped nearly simultaneously with the Egyptian BGP route withdrawals on January 27, corroborating the control-plane analysis with data-plane evidence. Crucially, some worm-infected hosts kept generating outbound scanning traffic after their prefixes had been withdrawn: a withdrawal only removes the path the rest of the Internet uses to reach a prefix, and with no packet filtering in place the hosts behind it could still send. This asymmetry between inbound unreachability and outbound connectivity is what lets a telescope distinguish pure BGP-based blocking from combined BGP-plus-filtering approaches.
-
Egypt's Internet shutdown on January 27, 2011 was accomplished via BGP route withdrawals: approximately 2,500 IPv4 prefixes (out of 2,928 visible) disappeared within a 20-minute window beginning at 22:12:26 GMT, leaving only 176 prefixes visible by 23:30:00 GMT. The shutdown lasted more than five days, with BGP connectivity beginning to return at 09:29:31 GMT on February 2, and more than 2,500 Egyptian prefixes back in global BGP tables by 09:56:11 GMT.
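The two measurements above (replaying a BGP feed to see which prefixes are still announced at a given instant, and checking whether Conficker-signature traffic from a withdrawn prefix keeps arriving at a telescope) fit in one small script. The following is an added example written for this page; it is not code from the paper or from CAIDA. The BGP update feed and the telescope packets are constructed inline, the prefixes are RFC 5737 documentation ranges rather than real Egyptian prefixes, and the timestamps only mimic the January 27 timeline.

```python
"""Correlate BGP withdrawals with darknet background radiation.
Added example, not from the paper; all input data below is constructed."""
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed single-collector BGP feed: (UTC timestamp, "A"nnounce | "W"ithdraw, prefix)
BGP_UPDATES = [
    ("2011-01-27 10:00:00", "A", "192.0.2.0/24"),
    ("2011-01-27 10:00:00", "A", "198.51.100.0/24"),
    ("2011-01-27 10:00:00", "A", "203.0.113.0/24"),
    ("2011-01-27 22:12:26", "W", "192.0.2.0/24"),
    ("2011-01-27 22:20:00", "W", "198.51.100.0/24"),
    # 203.0.113.0/24 is never withdrawn, like the exchange/bank prefixes
    ("2011-02-02 09:29:31", "A", "192.0.2.0/24"),
]

# Constructed telescope packets: (UTC timestamp, src, proto, dst port, IP length, TCP flags)
DARKNET_PACKETS = [
    ("2011-01-27 21:00:00", "192.0.2.10",   "tcp", 445, 48, "S"),
    ("2011-01-27 21:30:00", "198.51.100.7", "tcp", 445, 48, "S"),
    ("2011-01-27 21:45:00", "192.0.2.10",   "tcp",  80, 60, "S"),  # not Conficker
    ("2011-01-27 23:00:00", "192.0.2.10",   "tcp", 445, 48, "S"),  # after its prefix was withdrawn
    ("2011-01-28 01:00:00", "203.0.113.5",  "tcp", 445, 48, "S"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def is_conficker_probe(proto, dport, ip_len, flags):
    """Conficker scanning signature used in the paper: 48-byte TCP SYN to port 445."""
    return proto == "tcp" and dport == 445 and ip_len == 48 and flags == "S"


def visible_prefixes(updates, at):
    """Prefixes still announced at time `at`, replaying the feed in time order."""
    state = {}
    for ts, kind, prefix in sorted(updates, key=lambda u: parse_ts(u[0])):
        if parse_ts(ts) > at:
            break
        state[prefix] = kind == "A"
    return {p for p, up in state.items() if up}


def covering_prefix(src, prefixes):
    """Longest-prefix match of a source address against the monitored prefixes."""
    addr = ip_address(src)
    matches = [p for p in prefixes if addr in ip_network(p)]
    return max(matches, key=lambda p: ip_network(p).prefixlen) if matches else None


def conficker_probes_per_bin(packets, prefixes, bin_seconds=3600):
    """Conficker probes from the monitored prefixes per time bin: the data-plane
    curve that should fall in step with the control-plane withdrawals."""
    bins = Counter()
    for ts, src, proto, dport, ip_len, flags in packets:
        if not is_conficker_probe(proto, dport, ip_len, flags):
            continue
        if covering_prefix(src, prefixes) is None:
            continue
        epoch = int(parse_ts(ts).timestamp())
        start = datetime.fromtimestamp(epoch - epoch % bin_seconds, timezone.utc)
        bins[start.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(bins)


def post_withdrawal_scanners(packets, updates):
    """Prefixes that kept emitting Conficker probes after being withdrawn.
    A withdrawal only stops the rest of the Internet from reaching the prefix;
    without packet filtering, infected hosts behind it can still send."""
    prefixes = {u[2] for u in updates}
    hits = Counter()
    for ts, src, proto, dport, ip_len, flags in packets:
        if not is_conficker_probe(proto, dport, ip_len, flags):
            continue
        pfx = covering_prefix(src, prefixes)
        if pfx is not None and pfx not in visible_prefixes(updates, parse_ts(ts)):
            hits[pfx] += 1
    return dict(hits)


if __name__ == "__main__":
    monitored = {u[2] for u in BGP_UPDATES}
    for t in ("2011-01-27 22:00:00", "2011-01-27 23:30:00", "2011-02-02 10:00:00"):
        print(t, "visible:", sorted(visible_prefixes(BGP_UPDATES, parse_ts(t))))
    print("probes/hour:", conficker_probes_per_bin(DARKNET_PACKETS, monitored))
    print("still scanning after withdrawal:", post_withdrawal_scanners(DARKNET_PACKETS, BGP_UPDATES))
```

On real data the feed would come from a route collector and the packets from a telescope capture; the point of the last function is the asymmetry the findings describe: a non-empty result means withdrawn prefixes are still sourcing traffic, i.e. routes were pulled but nothing filtered the hosts' outbound packets, whereas an empty result alongside a traffic drop points to filtering as well.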
-
During Egypt's 5.5-day Internet blackout, active CAIDA Ark measurements found that only 1% of probes to Egyptian IPv4 prefixes received responses, compared with 16–17% on normal days. The minority of addresses that retained bidirectional connectivity all mapped to BGP prefixes that had not been withdrawn, including the 83 prefixes serving the Egyptian stock exchange and two national banks, which were kept live until 20:46:48 GMT on January 31 and then withdrawn simultaneously.
-
Libya implemented escalating Internet disruptions before executing a sustained blackout: a 6.8-hour curfew on February 18 and an 8.3-hour curfew on February 19, followed by a 3.7-day near-total blackout beginning March 3. The authors detected what they believe were Libya's attempts to test firewall-based packet filtering (traffic stops while the routes stay announced) before transitioning to the more aggressive BGP-based disconnection, a two-phase escalation pattern.