Japanese survivors desperate for information

Cyber-criminals target quake-hit network

Japan's Internet infrastructure withstood quake and tsunami, but was also left working for cyber-criminals to exploit the anguish of survivors desperate for information

The primary disasters of earthquake, tsunami and nuclear plant problems that struck Japan on and after 11 March have been much reported, but the consequences for Japan's digital world have attracted less coverage. Despite cellular and landline circuits being knocked for six in Northern Japan as a direct result of the quake and resultant tsunami, the Internet stood firm.

However, although this resilience was a tribute to Japanese IT engineers and a boon to information exchange, cyber-criminals responded to the shift in trending topics on Twitter by focusing their attentions on leveraging the Japanese disaster for purposes of scamming and phishing.

If anything, the 'dense mesh' that the designers of Japan's Internet infrastructure designed in the 1980s – and then built upon for the last two-and-a-half decades – meant that users were able to turn to the Internet, and in particular Twitter and Mixi, the Japanese social media site, for their information and communications.

Protecting the Web

The people to thank for this technology miracle in the face of massive human suffering are the US Department of Defense, whose DARPA project started the Internet bandwagon rolling in the 1960s and designed the network using a protocol called TCP/IP. TCP/IP was a simple concept – break data into small packets, and find a route for the destination of each packet according to what is available at any given time. In Japan last month, this meant that the Internet did what it was designed to do: find a way to route data around damaged elements of the network. Reports suggest that there was a lot of damage – some saying that more than half of Japan's undersea cables were knocked out by the quake and its aftershocks.

But what really saved the day was the Japanese government's masterplan for the Internet when a 'dense mesh' was created, centering on four Internet peering points, BBIX, JPIX, JPNAP, and NSPIXP-6, all dotted in and around Tokyo.

Landlinks being downed by the disasters you can understand; but what were the problems with the cellular network?

NTT DoCoMo, Japan's largest mobile network provider, has now revealed that two-thirds of its 10,000-plus basestations in northern Japan were knocked out as the 8.9-magnitude quake unfolded. By 24 March, the company reported that around 800 basestations were still out of service, and these are likely to be offline for several more months owing to outstanding network infrastructure problems. Quake-borne issues have to be fixed on top of any other network repairs and maintenance that was pending prior to 11 March.

NTT DoCoMo also reports that it was only 'gapping' mobile calls – that is, deliberately failing calls at the basestation/switch end – for about 24 hours after the quake. Nonetheless, with a 90 per cent gapping rate (only 1 in 10 calls allowed), the effects were widely noticed.

NTT East, the fixed-line carrier for Northern Japan, meanwhile, says it lost one and a half million voice, ISDN and fibre-optic Internet circuits after the quake; but, as of two weeks later, it had brought almost 90 per cent of these circuits back up – an admirable recovery achievement. Again, the remaining circuits will take months to fix, owing to the fact that their switches were very badly damaged.

Resilience of the Internet

So where have the initial earthquake, tsunami, and aftershocks left Japan's Internet infrastructure? Due to the self-healing aspect of the country's quad peering point-based dense mesh, the Internet infrastructure coped with the 200 per cent increase in IP traffic in the 24 hours following the disaster without any strain. Again, this demonstrates redoubtable resilience, although users' reports indicated that performance was somewhat below par.

Renesys, the Internet research firm that came to prominence when tracking Egypt's disconnection from the global Internet in February, says that even it has been surprised at how little the quakes have affected the efficiency of the undersea cables that connect Japan with the rest of the world. Renesys reports that the Japanese Internet situation is quite different to that seen in the Taiwan earthquake in 2006, the shock from which broke several undersea cables and knocked several carriers – and many millions of users – offline, for months in some cases.

There has been some damage, with two segments of Pacnet's EAC cable system having broken, and the Pacific Crossing main cable system having also gone down as a result of the submarine seismic waves.

According to Renesys CTO James Cowie, out of around 6,000 Japanese network routing prefixes in the global Internet routing table, only about 100 were temporarily withdrawn from service in the hours after the force of the quake was felt: 'Still, it's clear that Internet connectivity has survived this event better than anyone would have expected,' he adds. 'The engineers who built Japan's Internet created domestic and international connectivity that is among the richest and most diverse on Earth, as befits a critical gateway for global connectivity in and out of east Asia.'

The darker side of the Internet, infested by cyber-criminals intent on maximising their profits from other people's anguish, was operating within minutes of the quake. Spammers started to exploit interest in Japan's tragedy by masquerading as charitable institutions and governmental organisations sending helpful emails to concerned Internet users. Within the first few hours of the earthquake and tsunami, researchers at security firm Symantec observed more than 50 domains with names featuring either 'Japan tsunami' or 'Japan earthquake'.

Search engine optimisation

According to Japan-headquartered Trend Micro, cyber-criminals started 'poisoning' search engine results within hours of the disaster, pushing search engine users to infected legitimate sites as well as freshly registered new ones. Norman Ingal, threat response engineer with the IT security vendor, says his team 'saw blackhat SEO [search engine optimisation] attacks almost immediately after an 8.9 magnitude earthquake affected Japan...'

Ingal adds: 'We immediately monitored for any active attack as soon as news broke out. True enough, we saw Web pages that have been inserted with keywords related to the earthquake.' Ingal notes that one of the active sites that his team saw used the keywords 'most recent earthquake in Japan', which then link-led to fake antivirus programs.

Symantec security researcher Samir Pati says his team saw a spike of malicious spam activity in the early morning of 16 March. 'These spam samples use subject lines related to the recent natural disaster in Japan, and to political unrest in the Middle East,' he says, adding that clicking on some of the URLs in the spammed emails took users to a website hosting the Blackhole exploit kit, so loading users' computers with rafts of malware.

The situation is probably being exacerbated by the fact that many Internet novices are going online with the intention of making donations to aid agencies as soon as possible, and they may not be savvy to the extent of the scams already waiting to ensnare them.

While it is unlikely that the authorities can do anything to stop the spread of Japanese-related search engine poisoning and malware-laden spam, the problem facing the stakeholders of the Internet – that's us – is that around 90 per cent of the 650-odd infected websites that IT security vendor Sophos sees every single day are legitimate.

Back in the digital world, it is certain that IP networking experts will be looking at what has happened – or rather, what has not happened – in Japan vis-à-vis the Internet, and refreshing their organisation's disaster recovery plans as a result.

Many companies have migrated much of their data storage and allied IT systems onto a Cloud Computing platform in the last year or so, and it is likely the lessons learned from the Japanese disaster – in particular the resilience and self-healing aspect of the IP grid – will accelerate this process.
