Renesys, an Internet infrastructure research outfit, has released data today that illuminates a bit on how the government of Iran is restricting access to outside websites to their citizenry.

As they illustrated with graphs showing uptime and traffic levels, the pipes leading into the country of Iran are still active and showing quite a bit of traffic headed in and out of the borders from almost all major bandwidth providers.

James Cowie presented a few theories on what may be happening, given what we know about the Iranian Internet situation:

What happens inside Iran to those bits is anyone’s guess (censorship, site blocking, traffic interception, and harassment, from all accounts). But the pipes are open and the traffic is flowing. In a few cases (which I will not detail, for obvious reasons), there are actually direct paths to international carriers, in defiance of government monopoly, that are now getting good use.

Why is it different this time? There seem to be three basic theories.

– The cynics. Perhaps the government has left the Internet intact so that they can use it to surveil and round up dissidents. Perhaps they even put bandwidth constraints in place to make it easier to cope with the volumes of traffic that need to be captured and filtered.

– The optimists. Perhaps the government has realized that a modern economy relies on the Internet to such an extent that it cannot be turned off, for fear of disrupting financial transactions and business communications. Iran’s Internet ecosystem is relatively rich, and the impact on their economy of a sustained Internet shutdown would be significant. Why make it harder for companies to do business in Iran at a time when oil revenues are cratering and foreign investment is looking for reasons to take a walk?

– The realists. Perhaps the government is too busy with other things to worry about the Internet. Governments aren’t well-suited to run the Internet, and they don’t completely understand how it works. The Internet has never been "turned off" before, and it would take creativity and thoughtful action to figure out who to ask in order to get it done. So it simply hasn’t happened, and probably won’t. Good thing, too, because they might not be able to turn it on again.

I recognize that these are interesting and viable insights, but when I considered the different theories presented, none of them particularly gelled well with what I’ve been observing by monitoring the news coming out of Iran

So, then, what is the method Iran is using to block it’s citizens from accessing the Internet, and what does that suggest about their readiness for the uprising they’re currently experiencing?

I spoke to James Watters today, one of our resident IT and cloud computing expert contributors, for his thoughts on what his best theories are on what may be happening here.

“It seems like they have a fix that keeps the average Joe from using it,” said Watters. “It wouldn’t, though, stop anyone willing to hack their way around, which tells me they aren’t blocking whole IP domains.”

It seemed to be an apt description of what is currently going on. All major communications avenues are officially blocked, but are still seeing substantial contributions although they’re seeing traffic actually from Iran drop substantially.

James Watters and I discussed the details for a bit, and he pulled in a fellow he knew who specialized in border gateway protocol routing by the name of Craig Sirkin. I presented the details and circumstances as we know they exist currently, to get an expert confirmation of what we suspected: traffic was still flowing into Iran, but citizens were unable to reach the websites they were trying to get to and when they used anonymizing proxies, they were able to surf where they wanted to until they were discovered.

“It sounds like they’re just entering domains into a blacklist in a gateway at the country level,” said Sirkin. “They’re just blocking certain domains. It doesn’t sound like they are blocking all web traffic, or else web proxies still using the same port number wouldn’t help.”

In our discussion, Sirkin said something that seemed to fit more with the mindset of the Iranian government than any other theories I’d heard up to that point.

“It’s funny, because this is the cheap and dirty way to do it,” said Sirkin. He went on to explain: “If you were planning on doing this you’d use deep packet inspection to look into the payload of each packet for something that could be identified as a tweet, chat or whatever the traffic type might be. You’d need to have planned your hardware to do that on a national scale, something that would take significant preparation beforehand.”

Essentially, this confirmed the sense that I had started to form when I first started researching the story: that either the government of Iran isn’t that technically savvy, or that they had no idea at all that the citizens of Iran would react with the ingenuity and velocity with which they’ve pursued the ability to communicate their plight.

These Two Possibilities Seem More Likely to Fit the Narrative of the Ahmadinejad Administration
If you believe that the Ahmadinejad administration, or some part of the Iranian government, played a heavy hand in securing the election at all costs, then it was clearly not that very well thought out. Forging election results where the numbers are as high as 40% in the wrong direction is sure to raise hackles in the citizenry, and simply shutting down all media access isn’t going to quell the will of the people.

Conversely, if the working theory is that the Ministry of Information’s IT team is just not that technically savvy, it also plays well into the narrative. The modus operandi, as best as can be determined, is that the Ministry’s IT is playing a game of whack-a-mole against the communities of Fark and Anonymous. Anyone who’s spent any amount of time on a security discussion board or news site has to have at one point come across the exploits of these types of underground groups, and thus would know they’re fighting a losing battle.

Beyond that, in either case, we’re talking about a government, after all.  Governments in almost all their forms are laden down with bureaucracy. Executing a company wide Deep Packet Inspection regimen isn’t exactly the easiest thing to execute, let alone one that filters the packets of an entire nation.

Both my theories automatically assume that there was hanky panky in the election process, something that I feel to be a foregone conclusion.  There’s a third possibility: their lack of preparation indicates that they didn’t suspect any backlash because there wasn’t election impropriety. 

Which theory do you think best describes what may be going on? Given the analysis and the larger body of evidence, which operating theory do you suppose holds the most water?