By: ThreatLabz

Egypt ... Now Just Gyped

Analysis

There are a number of good references discussing the recent events in Egypt and the subsequent Internet shutdown ordered by the Egyptian government (ISPs in Egypt have withdrawn their routes via BGP - timeline). This shutdown includes cellphone SMS/MMS/data networks. The premise for the government-ordered shutdown was to avoid what recently happened in Tunisia, where social networks (Facebook in particular) and blogs helped to strengthen and organize protests (reference). In Egypt, a video was recorded of a protester being shot in the head, point-blank, by police. In an effort to prevent this and other information from going viral and escalating protests, the Egyptian government (allegedly) ordered this Internet shutdown.

In a recent report, it was shown that over 50% of Egypt's Internet users are the youth of the nation (18-34 years old) and that the "social media scene has quickly gained ground" among its users. Zscaler was servicing a number of web transactions for customers from Egypt before the routes went dark. I wanted to share some stats on what we were seeing in terms of web usage up until the plug was pulled on January 27 at 22:34 UTC.

The following chart shows the daily percentage of the week's web transactions from/to Egypt clients/servers that traversed our cloud from January 24th - 28th. The y-axis is each day's percentage of all the Egypt transactions we observed from Jan. 24 - 28.

Egypt's Web Transactions Preceding Shutdown
 
Our data showed a 68% increase in transactions to Egypt web servers on January 26th - the spike was most noticeable in the News/Media category of web servers, from people using Egyptian news sources to obtain information on the protests. Then we see the decline and eventual drop to (near) zero on January 28th for Egyptian web transactions (client and server). A look at the web server transactions for the 28th showed www.egyptse.com, the Egyptian Stock Exchange (217.139.183.2 - NOOR network), remaining live and visited by customers - as others have noted, this remains the only live Egypt network.

The Egyptian websites that were visited on the 27th and are no longer accessible include:
  • *.masrawy.com (41.178.51.93)
  • *.ahram.org.eg
  • *.arabia.msn.com (41.178.51.12)
  • www.egynews.net -> productnews.link.net (41.178.51.29)
  • egypt.usaid.gov (196.219.223.215)
  • algomhuria.net.eg
  • ahram.org.eg
  • *.gov.eg sites
The .eg domains no longer resolve because the Egyptian nameservers are inaccessible as a result of the Internet outage. There are stories that discuss this DNS outage (here).

On January 27th, prior to the shutdown, this is the breakdown in web surfing activity that was being seen from client traffic originating in Egypt.
The above chart illustrates Egyptian Internet usage during the protests and leading up to the Internet shutdown. Social media and news-related web pages accounted for roughly 65% of the web browsing that was done from Egyptian client IPs through our cloud.

The top sites visited by Egypt web clients on the 27th include:
  • Facebook related (42.02% total)
    • *.facebook.com (25.36%)
    • *.fbcdn.net (16.66%)
  • *.aljazeera.net (6.63%)
  • Google (6.96%)
The Internet remains dark for nearly all of Egypt to (allegedly) stop what these stats show - the ability to stay up to date with news/events and communicate and share ideas with friends ... after all, information is power. I leave it to the reader to decide whether the end justifies the means, whether this is an acceptable form of "censorship" and whether these measures should ever be permissible. In any case, the world is watching and learning from these historical events.
