More on the unintended consequences of DDoS attacks on pro-Ahmadinejad web-sites

As we keep getting condradicting reports about the role of DDoS attacks in slowing down the Iranian Internet (as well as the means employed to slow it down), I decided to check in with Jim Cowie, CTO of Renesys, which is one of the leading Internet intellegence companies (their excellent blog is here).

I asked Jim a) whether DDoS attacks on pro-government Web sites are likely to slow down the Internet for everyone else b) whether it's likely that the Iranian government might be encouraging those attacks in order to slow down the Internet and thwart the distribution of images/videos from the protests. Below is Jim's response, which I decided to reproduce in full, since it's very interesting: 

Yes, as I implied in the blog, attacks cause congestion. Simple attacks, like the automatic reloaders, mimic heightened levels of real user interest. You send a small HTTP request, and the page contents are streamed to you.   Each page they serve consumes domestic bandwidth. From the sound of things, the regime may have deliberately created artificial domestic bandwidth scarcity, in an attempt to reduce the number of people who can use the Internet without taking it down entirely. Because of the diversity of the domestic transit market (there are dozens of ISPs big and small), the regime is almost certainly imposing these bandwidth restrictions at the central chokepoints through which data must flow -- that is, near the core of the domestic Internet, represented by Data Communications Iran, not out near the edge (individual providers). The struggle for transit capacity becomes a zero-sum game, because of the requirement that domestic providers come to a central place (DCI) for their international bandwidth and to exchange traffic with each other. In other words, if you attack a pro-government site, you are almost certainly also stealing bandwidth from pro-opposition sites.


From what I've gleaned from local providers, it sounds as if the bandwidth restrictions are being handed down from bigger providers to smaller providers; if you were previously able to send and receive 100 megabits of traffic, suddenly you're scraping up against a 10 megabit ceiling. If you had 10 megabits, perhaps you find your upstream connection topping out at 2 megabits. In other words, a traffic engineering change has been made centrally by the government, applied at the common points where domestic providers are required to exchange traffic. That's exacerbated by whatever "flash crowd" effect is resulting from hundreds of millions of foreigners trying to read Iranian blogs, and consuming still more of the scarce resources.


As interesting as the "government encouraging DDOS" hypothesis would be, I don't buy it.  The Iranian internet infrastructure is still centralized enough that if the government wants to make the Internet unusable domestically, or turn it off entirely, they have the tools to make it happen; they don't have to recruit you and me to do it for them. Even more compellingly, remember that Iran pays cold hard currency for all the Internet traffic they have to ship to the wider world on one of their six international carrier connections. Every megabit of internationally-sourced DDOS traffic costs them money. There are cheaper ways to break the Internet.