February 2008
Underwater Fiber Cuts in the Middle East (4 February 2008)
Abandoned Ship Anchor Found Near Cable Cut (7 February 2008)
Teach a Man to Phish (13 February 2008)
A Technical Mistake (16 February 2008)
A Pakistani ISP "Hijacks" Youtube (24 February 2008)

Underwater Fiber Cuts in the Middle East

4 February 2008

Within the last week, there have been outages affecting four underwater cables. Millions of users are off the net in India, Pakistan, Egypt, Saudi Arabia, UAE, Kuwait, Qatar, and Bahrain.

It isn’t clear yet exactly what happened. Two cables in the Mediterranean, SEA-ME-WE 4 and Flag Telecom’s FLAG cable were cut. The latter cut was 8.3 km from Alexandria; the former was reported to be cut near Marseille, though other reports have that cut near Egypt, too. After that, there were problems with two cables in the Persian Gulf. Flag’s Falcon cable was cut; a cable between the UAE and Oman has suffered some sort of power failure.

Four failures in less than a week. Coincidence? Or enemy action? If so, who’s the enemy, and what are the enemy’s goals?

You can’t have that many failures in one place — especially such a politically sensitive place — without people getting suspicious. Naturally, most of the fingers have pointed at the US and Israel, with Iran seen as the likely target. There’s just one problem: Iran doesn’t seem to have been affected much. In fact, one study shows better throughput to Iran after the incident.

Now — the US certainly has the ability to tap undersea cables. After all, they did just that to the Soviets several decades ago. That said, I don’t think it’s an NSA or Mossad operation, as some have speculated, because I don’t think they’re that stupid. Four failures at once will raise suspicions, and that’s the last thing you want when you’re eavesdropping on people.

If if wasn’t a direct attempt at eavesdropping, perhaps it was indirect. Several years ago, a colleague and I wrote about link-cutting attacks. In these, you cut some cables, to force traffic past a link you’re monitoring. Link-cutting for such purposes isn’t new; at the start of World War I, the British cut Germany’s overseas telegraph cable to force them to use easily-monitored links. One of the messages they intercepted — and cryptanalyzed — was the Zimmerman telegram, which asked Mexico to join Germany in attacking the US, in exchange for financial support and recovery of Texas, New Mexico, and Arizona. Instead, public outrage in the US contributed to the decision to enter the war against Germany.

The problem with this scenario is that the benefit is short-lived: the cables will be repaired in a few weeks.

One can construct other scenarios. Some I’ve seen involve stock market manipulation, al Qaeda trying to block access to nasty Internet content, clueless terrorists launching a denial of service attack, etc. Any of these are possible, but are they plausible? Who gains, and by how much?

Cables do fail, for all sorts of reasons, including ship anchors, storms (and there was bad weather in the area), earthquakes, even sharks. To be sure, a common failure cause seems improbable, given the geographic and temporal extent of the failures. Besides, Egypt says there were no ships in the area. (Cables fail even more on land, as Neal Stephenson explained in a wonderful article some years ago.)

So — I don’t know what happened. As a security guy, I’m paranoid, but I don’t understand the threat model here. On the other hand, four accidental failures in a week is a bit hard to swallow, too. Let’s hope there will be close, open examination of the failed parts of the cables.


Update: there’s a good summary article here. It also states definitively that both cuts in the Mediterranean were near Alexandria, which increases the odds that there was a common cause for the failure. Presumably, the confusion about the location of the SEA-ME-WE 4 break arose because the other end of the cable is in Marseille.
Update: Contrary to some rumors and reports, Iran has not been knocked off the net. See the Renesys analysis for details.
https://www.cs.columbia.edu/~smb/blog/2008-02/2008-02-04.html