Arbor Networks graphic of Syria's cutoff from the Internet on Thursday
Sean Gallagher, writing for Ars Technica, describes how the regime shut down the Internet for more than 48 hours:
Just after noon Damascus time on Thursday, the government-owned Syrian Telecommunications Establishment essentially deleted the whole country from the Internet's routing tables, blocking all inbound and outbound network traffic. Rather than the result of terrorist attacks, as the government claimed on state television, the blackout was a well-rehearsed and deliberate act intended to deny connection to Syria's citizens and the opposition forces currently trying to topple the regime of President Bashar Al-Assad.
Five Syrian networks, identified by their IP address prefixes, were reachable over the network connections of Indian telecom provider Tata Communications until late Thursday. The Syrian government's previous network monitoring company, BGPMon, reported that the country was 100 percent offline by 1:45 AM Damascus time Friday morning, until 4:30 PM on December 1 when connections were restored. There were also reports of widespread landline and cellular phone service outages.
That didn't mean that there was no way for Syrian citizens to connect to the outside world. And the US State Department provided communications equipment to "dozens" of local councils in areas of Syria no longer under government control in order to bypass Syria's government-controlled networks.
But the Internet blackout in Syria was much more complete than the similar government-directed blocking of communications by former Egyptian president Hosni Mubarak's regime in January. That's probably because the Assad regime has been honing its network warfare skills for some time and preparing a plan for a complete network shutdown—staging two dress-rehearsals just in the last week.
Syria has been moving toward consolidating its network traffic since the summer of this year, increasingly shifting its network routes as sanctions from the US and European Union blocked western telecommunications companies from continuing to do business with Syria. Since August, the Syrian Telecommunications Establishment has also tried to reduce its reliance on Ankara-based Turk Telecom as tensions have risen between the Turkish and Syrian governments.
Turk Telecom has still handled a very small percentage of Syria's traffic over its terrestrial cable link, but the vast majority of Syria's network routes were being handled via undersea cable links from Tartous, Syria to Lebanon and by Hong Kong-based PCCW. "Almost all [of Syria's network traffic] was via PCCW delivered out of Europe," said Tom Paseka, a lead network engineer for CloudFlare, in an exchange of emails with Ars Technica. Tata Communications and Telecom Italia also continued to provide some small amount of network connectivity as well, though many of the IP addresses served by Tata were actually hosted outside of Syria.
That centralization of the nation's Internet traffic gave the Assad regime a much greater level of control over communications with the outside world. And it took place as the government—which already has used deep packet inspection technology to track citizens' use of the Internet—began to use its control over the national Internet infrastructure as a weapon. In May it was discovered that government agents were using servers in Damascus (hosted through Tata Communications) as part of an effort to install malware on dissidents' computers to monitor their Internet activities.
In July, the Syrian Telecommunications Establishment changed routing tables, causing (either accidentally or deliberately) a 40-minute-long nationwide Internet outage. But otherwise, Syria's Internet traffic remained relatively stable despite the violence and upheaval within the country — until this week, which began with two network blackouts lasting about 15 minutes each, according to traffic data from multiple content delivery networks and network monitoring companies.
On the first occasion — Sunday, November 25 — network traffic from Syria dropped to about 13 percent of its normal levels, according to CloudFlare CEO Matthew Prince. The second outage, on November 27, resulted in an even more significant drop, with traffic reduced to 0.2 percent of its usual levels. These now appear to have been test runs to prepare for a full-blown shutdown of the country's Internet presence.