What is happening to the Internet in Ukraine and Russia?
Internet status report from 31st of March 2022, by PhD student Jan Marius Evang.
The current events happening in Ukraine have caused interruptions to the internet connectivity. In this blog post we take a look at some things we can learn about the events from looking at internet monitoring, and what the consequences of political actions may be.
The following timeline shows the most important events that happened to the Russian and Ukrainian Internet following the invasion of Ukraine on the 24th of February until the 11th of March, 2022.
28. February: Ukraine officials sent letters to urge The Internet Corporation for assigned Names and Numbers (ICANN) and RIPE Network Coordination Centre to shut down the Russian internet
1. March: The Coordination Center for TLD RU (ccTLD.RU) got suspended from CENTR (Council of European National TLD Registries). ccTLD.RU is the national registry and administrator of the .RU and .РФ domains (Russian Federation).
2. March: ICANN give their answer to Ukraine, that they will not shut down the Russian Internet.
3. March: Cogent, one of the worlds largest Internet Service Providers (ISP), sent a note to their customers in Russia about termination on the 4th of March.
7. March: Lumen (formerly Level3/Centurylink) published a statement that they cease operation in Russia.
10. March: RIPE give their answer to Ukraine, and will not shut down the Russian Internet. An additional decision was announced: no Ukrainian or Russian ISPs unable to pay membership fees will be suspended.
11. March: London Internet Exchange (LINX) shuts down Russian Internet Service Providers.
The Russian invasion and network connectivity
The following graphs have been collected from other research institutions, showcasing how the Russian invasion can be tracked through Internet activity.
The Network data from NetBlocks (netblocks.com) reported on twitter, on March 29th, that Internet connectivity is being restored on Ukraine's national provider Ukrtelecom some 15 hours after users started falling offline amid a DDoS attack. The company's engineers say they have successfully mitigated the attack.
A DDoS attack, short for distributed denial-of-service, is a “malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.” (cloudfare.com).
Many small-scale DDoS attacks in all directions have been reported since the 24th of February 2022. To this date, there have been no large-scale directed attacks that have permanently destroyed intranet infrastructure or other services.
This connectivity index from Data Monsah IP Observatory (ip-observatory.org) and SoDa Laboratory (sodalabs.io) shows how the progress of the Russian invasion can be tracked by looking at the timing of connectivity problems across cities in Ukraine.
The Network data from NetBlocks (netblocks.com) reports a power blackout in the Chernobyl nuclear power plant in the morning of March 9th, 2022. This resulted in major disruption to telecommunications services.
In this graph from cloudfare (cloudfare.com) you can clearly see how the Internet traffic in Lviv, Ukraine changed as a large number of refugees arrived in the city from February 27th.
This graph from Cloudfare (cloudfare.com) shows the increased use of the Starlink broadband Internet system in Ukraine. Starlink is the satellite Internet kits provided by SpaceX to Ukraine, as traditional Internet got disrupted (washingtonpost.com).
This graph from Cloudfare (cloudfare.com) shows the DNS traffic for Signal in Ukraine. Signal is an encrypted messaging app, and this observation shows a major increase in the use of the application from just after midnight on February the 24th.
The larger implications
There are various conflicting arguments for what to do about the Russian internet now. Some actors go to the extreme point of attempting to completely cut off services in Russia and to Russia. For example LINX, Lumen and Cogent. Their argument being that a complete boycott of Russia is the best path to force a change of action from the Russian government.
Other actors go to the opposite extreme and try to keep the Russian internet running as much as possible, for example ICANN, RIPE and Cloudfare, arguing that the internet is one of the few possible ways that Russian people can have contact with the rest of the world and receive news that is not filtered by the Russian state.
The Russian government has prepared for both of these scenarios, and has proposed laws that enable a completely separate Russian National network, as well as a network with strong censorship mechanisms at the border.
The Russian government already in 2016 implemented a local copy of the RIPE NCC/IRR database of IP addresses and AS numbers. This database is being kept up to date with the international database, but can at any time take over as authoritative for the Russian part of the internet in case of technical or administrative problems with reaching the IRR.
They have likewise created a separate DNS service that can take over for the international root-DNS service. With the added benefit of being able to filter DNS and effectively censor unwanted information at the DNS level.
The regulations also cover a ban on using techniques to circumvent this, like for instance DNS-over-HTTPS and DNS-over-TLS. Russia has not yet implemented all aspects of this censorship but the regulations and technical implementations are on the way to be able to do so, and it is already difficult to get outside news.
In addition to the direct implications to Russian citizens, these actions also carry a risk of a fragmentation of the entire internet. The internet during the past decades has been more or less open, enabling a service in any country to reach users all over the globe, and where all users can expect to be able to reach all services.
There have been some restrictions, like countries blocking access to illegal content (according to their own definition), or to limit data transfer (like GDPR or crypto export rules). So far, all parties have shown to be in agreement that there is an advantage to having one fully connected underlying IP network. An outside decision to cut off Russia from the internet would create a precedence in using the internet as a tool in conflicts, both armed and political. And would subsequently require all countries to implement counter-measures in making sure their own national network can survive independently of the internet and that all critical and popular services can be delivered from that national network.
This might break the global idea of the open internet, and create a “splinternet” with very little central control and where a user can not expect to be able to reach all services.