Democratic Republic of Congo shuts down the Internet after Elections


Update 1st January 2018 22:00 UTC

Still no Internet traffic from RDC.

Update 2nd January 2018 8:00 AM UTC

Still no Internet traffic from RDC. Radio France International (RFI), broadcasting on 105 MHz, is down. Jamming or power cut?

Update 3rd January 2018 8:00 AM UTC

Still no Internet traffic from RDC. Oracle Internet Intelligence has released a live map showing the status of the Internet in the country.

Update 4th January 2018 8:00 AM UTC

Small increase in Internet traffic from RDC. Only a few IPs that monitor the media online seem to have access. Oracle/DYN DNS server infrastructure has detected an increase in DNS queries coming from inside the country, suggesting that some networks are now open.

Update 5th January 2018 8:00 AM UTC

Small increase in Internet traffic from RDC.

Update 6th January 2018 8:00 AM UTC

Small increase in Internet traffic from RDC. Management IPs from ISPs in Goma and Kinshasa are accessing media articles to keep informed.

Update 12th January 2018 8:00 AM UTC

This is what traffic from CD looks like in our load balancer. The shutdown is still global, and some access seems to arrive via Airtel CG.

Elections and Internet Shutdown

General elections were held in the Democratic Republic of the Congo on 30th December 2018, to determine a successor to incumbent President Joseph Kabila.

Starting at 18:50 (UTC) on the 31st of December, we no longer received any Internet traffic from providers inside the country.

Our monitoring of web traffic shows the number of visits coming from readers inside the country and a sudden drop in traffic around 19:00.

The next graph shows a wide view of all upstream providers of the country and which international carriers they exchange traffic with.

At 19:00, traffic from AS37453 VODACOM-CONGO disappeared, and very few hits came from AS37447 OASIS-SPRL and AS327879 AJYWA-TELECOM, starting in the morning (9 AM) of the 1st of January 2019.

It is interesting to compare our data with the data of IODA, the Internet Outage Detection and Analysis project from CAIDA. IODA infers outage information by three means: (1) scanning each prefix inside the country, (2) monitoring the status of the Internet routing table (BGP) and (3) recording traffic coming from infected machines scanning the Internet.

Their prefix monitoring (1) already detected outages starting on the morning of the 31st. It also measured that 8 BGP /24 prefixes (2) disappeared from the routing table.

What do all these graphs mean?

They mean that the shutdown did not take place in a centralized manner and that each operator blocked the Internet at a different point during the day. For example, from our data we can see that the last connection from AS37483 Congo-Chine before its shutdown came at 11:05 AM, the last from AS327707 AIRTEL at 09:47 AM and the last from AS327879 AJYWA-TELECOM at 14:56.

During the 1st of January, a few networks, 169.255.190.0/24 and 169.239.159.0/24, were unblocked in AS327879 AJYWA-TELECOM and AS37447 OASIS-SPRL, probably to allow key people to reach the news sites.

Government confirms shutdown

Initially, telecoms minister Emery Okundji (@emeryokundji) said he was unaware of the situation. Barnabé Kikaya bin Karubi, a senior adviser to President Joseph Kabila, later said that internet and SMS services were cut to preserve public order after “fictitious results” began circulating on social media.

Legal background

This is the law, JO.25.01.2003.PT, that gives the Government the power to shut down the Internet for national security.

“Article 46 of the Telecommunications Framework Law No.013/2002 provides that the State may prohibit the use of telecommunication facilities (such as Vodacom’s network), in full or in part, for any period of time, as it deems fit, in the interests of public security or national defence, the public telecommunications service, or for any other reason.”

See: http://www.telecomindustrydialogue.org/resources/drcongo/

FORENSICS APPENDIX

  • What routers run in the country? How is the blocking taking place?

Hilarious to see some of the network information of Vodacom that reveals the router they use “NE40E-X8” 🙂

inetnum: 41.78.192.0 - 41.78.192.255
netname: VODACOMCONGO13
descr: WILL BE USED FOR PPPOE CUSTOMERS AT GOMA AS NAT FUNCTION NOT WORKING IN OUR NE40E-X8.
country: CD
admin-c: PM3-AFRINIC
tech-c: PM3-AFRINIC
status: ASSIGNED PA
remarks: CUSTOMERS INCREASING MORE FAST
mnt-by: VODACOMCONGO-MNT
source: AFRINIC # Filtered
parent: 41.78.192.0 - 41.78.195.255



Using IODA, Qurium Load Balancer and BGP routing tables to track the shutdown 

This is the magic formula we use in the IODA Dashboard:

removeEmpty(
  group(
    alias(
      normalize(
        bgp.prefix-visibility.geo.netacuity.AF.CD.v4.visibility_threshold.min_50%_ff_peer_asns.visible_slash24_cnt
      ),
      "BGP (# Visible /24s)"
    ),
    alias(
      normalize(
        darknet.ucsd-nt.non-erratic.geo.netacuity.AF.CD.uniq_src_ip
      ),
      "Darknet (# Unique Source IPs)"
    ),
    alias(
      normalize(
        sumSeries(
          keepLastValue(
            active.ping-slash24.geo.netacuity.AF.CD.probers.team-1.caida-sdsc.*.up_slash24_cnt,
            1
          )
        )
      ),
      "Active Probing (# /24s Up)"
    )
  )
)

Summary

Three findings are interesting in this case:

  1. The blocking is not centralized, and each ISP implemented the presidential order at a different time. As a few ASNs represent the majority of the mobile traffic (Vodacom), we only detected the outage on our servers when Vodacom stopped routing from their Huawei NE40E-X8.
  2. Most of the blocking is not done by withdrawing the BGP prefixes. The networks are still up and running, but traffic is blocked. This suggests that filtering is done by other means and that some key networks can still browse the Internet.
  3. One provider decided to withdraw all networks from the Internet. The AS32842 (iBurst) was not seen originating any address space in BGP by any of the RIS RIPE peers since 2018-12-31 08:00:00 UTC.
  4. There are two spikes in Darknet traffic data on the morning of the 31st of December. One possible explanation of this data is that RDC has two different time zones, and the spikes can be explained by infected computers booting in the morning and malware performing network scans.
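
The reasoning behind findings 1 to 3, as an added Python example that is not part of the original post or of Qurium's tooling: it takes the last hit per ASN from load-balancer records and compares it with the number of prefixes each ASN still originates in BGP, separating withdrawn networks from filtered ones. The log format, the prefix counts and the six-hour silence threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timezone

# Constructed load-balancer records "<UTC timestamp> <origin ASN>"; the format
# is an assumption and the times only loosely follow those quoted in the text.
SAMPLE_HITS = """\
2018-12-31T07:40:00Z AS32842
2018-12-31T09:47:00Z AS327707
2018-12-31T11:05:00Z AS37483
2018-12-31T14:56:00Z AS327879
2018-12-31T18:50:00Z AS37453
2019-01-01T09:00:00Z AS327879
"""
# Constructed BGP snapshot: prefixes each ASN still originates at check time.
SAMPLE_VISIBLE = {"AS32842": 0, "AS327707": 12, "AS37483": 4,
                  "AS327879": 3, "AS37453": 40}

def utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_hits(text):
    """Return {asn: [hit times]} from the log text, skipping malformed lines."""
    hits = {}
    for line in text.splitlines():
        try:
            stamp, asn = line.split()
            ts = utc(stamp)
        except ValueError:
            continue  # blank or malformed line
        hits.setdefault(asn, []).append(ts)
    return hits

def shutdown_order(hits, cutoff):
    """ASNs ordered by their last hit before `cutoff` (staggered blocking)."""
    last = {a: max(t for t in ts if t < cutoff)
            for a, ts in hits.items() if any(t < cutoff for t in ts)}
    return sorted(last, key=last.get)

def classify(hits, visible, now, quiet_hours=6):
    """withdrawn: no routes; filtered: routes but no traffic; else reachable."""
    report = {}
    for asn, prefixes in visible.items():
        last = max(hits.get(asn, []), default=None)
        silent = last is None or (now - last).total_seconds() > quiet_hours * 3600
        report[asn] = ("withdrawn" if prefixes == 0
                       else "filtered" if silent else "reachable")
    return report

if __name__ == "__main__":
    print(classify(parse_hits(SAMPLE_HITS), SAMPLE_VISIBLE, utc("2019-01-01T12:00:00Z")))
```

An ASN labelled "filtered" is the case described in finding 2: its routes are still announced, so a BGP-only monitor would report it as up.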