Iran's Election As Seen Through the ISPs

The protests in Iran that have come in the wake of the country’s June 13 election results, which returned President Mahmoud Ahmadinejad to power, have showcased the rise of social media like Twitter, Facebook and even cell phone video taken in the streets and uploaded onto YouTube. Arbor Networks, a company that provides security and deep packet inspection equipment to ISPs, has taken a look at the implications of the conflict — not at the social media level, but at the packet level — and found that Iran’s web censorship differs from that of other regimes.

While some governments block certain web sites with a heavy hand or cut off web access entirely, Iran has taken a far more subtle approach. The state-owned Data Communication Company of Iran (or DCI), which acts as the gateway for all Internet traffic entering or leaving the country, has slowed web access down to a crawl. The assumption is that DCI dialed back the bandwidth in order to better inspect which content and packets needed to be censored. Instead of viewing the packets through a fire hose, they turned the pipe into a garden hose so that equipment can sift through the packets and let legitimate traffic through. In a blog post today, Arbor Chief Scientist Craig Labovitz writes:

I can only speculate. But DCI’s Internet changes suggest piecemeal migration of traffic flows. Typically off the shelf / inexpensive Internet proxy and filtering appliances can support 1 Gbps or lower. If DCI needed to support higher throughput (say, all Iranian Internet traffic), then redirecting subsets of traffic as the filtering infrastructure comes online would make sense.

Indeed, web traffic was stopped following the election, then reopened, but at much lower levels. But this may prove to be a partial victory for web censorship, and an opportunity for some unscrupulous equipment vendor who wants to interest the Iranian government in better deep packet inspection equipment.


10 Responses to “Iran's Election As Seen Through the ISPs”

  1. I don’t see this as a partial victory for censorship, more like a total failure. The Iranian government is trying its best to keep the information from leaving the country, yet it still flows. The proxy network is getting even more complex, Tor nodes are rapidly coming online. If they were using DPI then they could easily stop proxy servers allowing people to get to Twitter, but they haven’t stopped that yet.

  2. I think Fazal is on the money with the caveat that in a regime such as this, the human chain of command lag on such critical information contributes to the remaining crawl. I have to imagine numerous sets of eyes and ears have to determine how to respond to inspection results as the event unfolds.

  3. I would assume US and EU-based networking vendors can’t sell DPI equipment to Iran because of sanctions. Perhaps they are getting gear from Huawei (often straight rip-offs of Cisco gear), which would be a generation or more behind what Juniper et al. can do.

  4. Hi Stacey, “The assumption is that DCI dialed back the bandwidth in order to better inspect which content and packets needed to be censored.” is probably close but perhaps a little bit off and may be better expressed as “The assumption is that DCI has turned on deep packet inspection and/or various filters and this is slowing network performance”. The reason I say this is that DPI, deep packet inspection, is hard to pull off at true wire speed. The more you want to look into the packet, the more processing power you need. Many pieces of equipment, even those which claim wirespeed throughput, are (or at least used to be) wirespeed with established flows but still take a bit of a hit with each new flow established.

    • Stacey Higginbotham

      Thanks, Jason. So you’re saying the slowdown is a result of the filtering rather than caused by the DCI to aid in filtering? Anyone else out there care to weigh in on this?