
Hurricane Ida and Louisiana Infrastructure

By Derek Abdine and Mark Ellzey

Introduction

On August 29, a category four hurricane named Ida made landfall in Louisiana, where several news organizations reported winds of more than 150 miles per hour (241 km/h).  Hurricanes can do tremendous damage to utility infrastructures, such as power, cable, DSL/telephony, and fiber networking, creating catastrophic failures that can take significant amounts of time and money to address. Some news outlets are reporting that it may take anywhere from a few days to weeks to address damage to power infrastructure alone. Because of this physical damage, we can track Ida’s impact on the availability of hosts in Louisiana Internet IP space to better understand the issues that residents are facing.

In a nutshell, by analyzing Louisiana IP space, we were able to observe:

  • Multiple ISPs had significant losses in coverage for two days, including AT&T, Cox, Comcast, and Suddenlink. These outages are likely related to news reports of power transmission and utility pole damage throughout the state.
  • AS397793, which hosts the Sewerage and Water Board of New Orleans (swbno.org) website, was completely offline for more than 48 hours.
  • AS16913, which hosts Loyola University Louisiana (loyno.edu) and other network infrastructure, was knocked offline but partially recovered over the following days.
  • A regional medical hospital had its Internet-connected footprint disappear, though its website was still online thanks to cloud services.
  • Multiple autonomous systems (AS) were not reporting any hosts in Louisiana IP address space.

We’ll analyze these key discoveries a bit further using BigQuery SQL queries against our Enterprise Universal Internet Dataset.

A Perspective on Global Activity

As a refresher–or for those unfamiliar with Censys–we scan the entire IPv4 address space of the internet, minus some reserved and blocklisted ranges. That is, we track over 200 million hosts (those which respond with some open port) across the globe, even in highly remote locations. 

For each host we discover, we track all open ports (we scan more than 3,500, and that number increases with every new feature) and maintain the history of those hosts over time. Think of us as the Wayback machine, but for Internet-connected devices. This activity is useful to help both individuals and organizations identify malicious infrastructure to combat cybersecurity crime from bad actors, criminal rings, and state-aligned actors, to name a few. It is also helpful for organizations to better understand their assets since the explosive adoption of IT in the past two decades, which has caused a massive inventory issue for security teams worldwide.

However, as it would turn out, Internet scanning can also help us better quantify the impact of natural disasters such as Hurricane Ida by observing changes in host availability through our Internet scans.

The Nominal Shape of Louisiana IP Space

On average, the daily count of hosts whose IP addresses geolocate to the state of Louisiana is 236,000. As of August 28, 2021, the day before Ida made landfall, 192 known ASes reported active hosts within Louisiana. The top 10 ASes below make up the bulk of the hosts within the state:

| AS Number (ASN) | AS Description | # Hosts/IPs |
|---|---|---|
| 20115 | CHARTER-20115 | 51155 |
| 22773 | ASN-CXA-ALL-CCI-22773-RDC | 43929 |
| 7018 | ATT-INTERNET4 | 32000 |
| 5009 | EATEL | 21437 |
| 209 | CENTURYLINK-US-LEGACY-QWEST | 14590 |
| 6389 | BELLSOUTH-NET-BLK | 10654 |
| 19108 | SUDDENLINK-COMMUNICATIONS | 6455 |
| 7922 | COMCAST-7922 | 5814 |
| 13760 | UNITI-FIBER | 3935 |
| 25921 | LUS-FIBER-LCG | 3885 |

The top 10 autonomous systems (ASes) on August 28th, 2021 — before landfall

Louisiana IP address space is composed of mainly residential and commercial broadband ISPs, including:

  • Charter
  • Cox (ASN-CXA-ALL-CCI-22773-RDC)
  • AT&T (which includes Bellsouth)
  • EATEL
  • Centurylink
  • Suddenlink
  • Comcast
  • Uniti Fiber
  • LUS Fiber

Uniti Fiber stands out a bit further. According to their Wikipedia page, they are the “leading provider of infrastructure solutions, including cell site backhaul and small cell for wireless operators, and Ethernet, Wavelengths and Dark Fiber for telecom carriers and enterprises.” Given Uniti Fiber’s roles in cellular connectivity and emergency response, paying close attention to outages within their network is crucial.

Measuring Ida’s Impact on Internet-Facing Hosts

Louisiana IP address space typically has around 237,000 hosts available over the public Internet on any given day. These hosts come from various networks within that IP space, but the overwhelming majority of them are from residential/commercial ISPs, such as Comcast, Cox, AT&T, and Suddenlink. In total, Censys observed a drop of over 50% of Internet-facing hosts for all of Louisiana between August 29 and September 1:

[Figure: Internet-facing hosts for Louisiana, 2021-08-15 through 2021-09-09]

Given a majority of Louisiana IP space consists of Internet Service Providers (ISPs), we can further delve into this data to better understand the impact per ISP. The following sections include graphs that display the number of active hosts over time.

AS22773 – Cox Communications

[Figure: Active IPs in Cox AS, an ISP in Louisiana]

Over five days, AS22773 (ASN-CXA-ALL-CCI) went from more than 43,000 IPv4 hosts down to just 16,670 by September 1. The most significant drop was recorded on August 30, when there were more than 9,432 fewer hosts than the previous day. As of September 7, this number had slowly increased back to about half of what it was before the storm began.

AS20115 – Charter Communications

[Figure: Active IPs in Charter's AS, an ISP in Louisiana]

AS20115 (CHARTER COMMUNICATIONS) saw a massive shift from 51,150 active IPv4 addresses down to a measly 8,185 hosts on September 1. Thousands of hosts have been reappearing in our scans as time goes on, and as of September 7, only 19,947 hosts are online compared to the original number reported before the storm.

AS7018 – AT&T Internet

[Figure: Active IPs in ATT's AS, an ISP in Louisiana]

ATT-INTERNET – a popular residential ISP in Louisiana – saw a massive drop from 31,984 hosts on August 28 to only 11,526 on September 1. This decrease in the number of active hosts gives us insight into the number of homes without power during this time.

AS5009 – EATEL

[Figure: Active IPs in EATEL, an ISP in Louisiana]

Eatel is another residential internet provider that went from an active host count of 21,451 on August 28 to 10,994 on September 1. The most significant shift was on August 30, with a drop of 4,464 hosts.

Determining Entire Network Outages

Because the Censys platform tags identified IP addresses with geolocation and autonomous system information, we can use those tags to filter the Louisiana IP address space and identify which networks did not appear in our latest scan snapshot, as compared to the day the storm made landfall. Censys stores our data in a way that makes it queryable by BigQuery, which is available for use for any Enterprise or Government customer. We can obtain this list using an SQL query:

SELECT A.asn, A.description
FROM (
        SELECT DISTINCT autonomous_system.asn, autonomous_system.description
        FROM `censys-io.universal_internet_dataset.universal_internet_dataset`
        WHERE DATE(snapshot_date) = "2021-08-27" 
        AND location.province = "Louisiana"
) A
FULL OUTER JOIN (
        SELECT DISTINCT autonomous_system.asn, autonomous_system.description
        FROM `censys-io.universal_internet_dataset.universal_internet_dataset`
        WHERE DATE(snapshot_date) = "2021-08-31"
        AND location.province = "Louisiana"
) B
ON (A.asn = B.asn)
WHERE B.asn is null

This query yields the following results, indicating which networks are no longer available:

| AS Number (ASN) | AS Description | Analysis |
|---|---|---|
| 16913 | LOYNO-EDU | www.loyno.edu, which was completely offline and has now recovered, as well as related IT infrastructure. |
| 40877 | XULA | Unknown; only a single host running SNMP was observed in this AS within Louisiana. |
| 35869 | PETERAMAYER | peteramayer.com, an advertising agency |
| 54311 | DCC-615-DELGADO-COMMUNITY-COLLEGE | dcc.edu, a community college in Louisiana, has had its network operations impacted for one of the longest periods of time so far |
| 55028 | KIEWIT- | |
| 1648 | JEFFERSON-PARISH-SCHOOL-BOARD | jpschools.org, which has a banner on their homepage indicating they are closed until further notice. We can see that their network had gone offline for quite a bit. |
| 397793 | ASN-SWBNO-01 | swbno.org, the sewage and water board of New Orleans, which had its network presence disappear from the internet entirely for a period of time |
| 22218 | ITC-GLOBAL | |

The above autonomous systems (AS) are no longer available per Censys scans.

In the following visualization, a reader can easily see when and where outages began to occur. On the vertical axis are the dates ranging from August 27, 2021, to September 6, 2021, and the horizontal axis shows the number of IPv4 addresses up for each ASN. The dark-blue columns are IP counts, while the cyan columns represent the delta between each row.

[Figure: Active IPs per AS depicting Hurricane Ida's damage.]

To create the above visualization of the outages in Louisiana, we constructed a query that counts every unique IPv4 address in the state of Louisiana between a range of two dates, grouped by the ASN and the last scan date, along with the delta of each row.

WITH
  as_active_ips AS (
  SELECT
    DATE(snapshot_date) AS day,
    autonomous_system.asn,
    autonomous_system.name,
    APPROX_COUNT_DISTINCT(host_identifier.ipv4) AS ipcount
  FROM
    `censys-io.universal_internet_dataset.universal_internet_dataset`
  WHERE
    location.province = "Louisiana"
    AND location.country_code = "US"
    AND DATE(snapshot_date) BETWEEN '2021-08-27'
    AND '2021-09-07'
  GROUP BY
    day,
    autonomous_system.asn,
    autonomous_system.name
  ORDER BY
    day,
    autonomous_system.asn,
    autonomous_system.name )
SELECT
  day,
  asn,
  name,
  ipcount,
  ipcount - LAG(ipcount) OVER (PARTITION BY asn ORDER BY day ASC) AS delta
FROM
  as_active_ips
GROUP BY
  day,
  asn,
  name,
  ipcount
ORDER BY
  asn,
  name,
  day
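The grouped query only emits a row for a day on which an AS had at least one responsive host, so LAG() compares each row with the previous day that had a row and skips fully dark days. The following added example (not Censys code) post-processes rows in the query's output shape, fills the missing days with zero, and extracts each AS's outage window; the ASNs and counts are constructed placeholders.

```python
from collections import defaultdict
from datetime import date, timedelta

START, END = date(2021, 8, 27), date(2021, 9, 2)

# Constructed sample rows shaped like the query output: (day, asn, ipcount).
# ASNs 64500/64501 are documentation-reserved placeholders, not real networks.
ROWS = [
    (date(2021, 8, 27), 64500, 120), (date(2021, 8, 28), 64500, 118),
    (date(2021, 8, 29), 64500, 40),   # no rows at all for Aug 30 and 31
    (date(2021, 9, 1), 64500, 35), (date(2021, 9, 2), 64500, 90),
    (date(2021, 8, 27), 64501, 10), (date(2021, 8, 28), 64501, 10),
]

def fill_gaps(rows, start, end):
    """Return {asn: [(day, ipcount), ...]} with a 0 entry for every missing day."""
    seen = defaultdict(dict)
    for day, asn, ipcount in rows:
        seen[asn][day] = ipcount
    days = [start + timedelta(n) for n in range((end - start).days + 1)]
    return {asn: [(d, c.get(d, 0)) for d in days] for asn, c in seen.items()}

def deltas(series):
    """Day-over-day change over the filled series (None for the first day)."""
    return [None] + [b[1] - a[1] for a, b in zip(series, series[1:])]

def outage_windows(series):
    """Return [(first_dark_day, last_dark_day)] for each run of zero-host days."""
    windows, run_start = [], None
    for day, count in series:
        if count == 0 and run_start is None:
            run_start = day
        elif count > 0 and run_start is not None:
            windows.append((run_start, day - timedelta(1)))
            run_start = None
    if run_start is not None:  # still dark at the end of the queried range
        windows.append((run_start, series[-1][0]))
    return windows

if __name__ == "__main__":
    for asn, series in sorted(fill_gaps(ROWS, START, END).items()):
        print(asn, deltas(series), outage_windows(series))
```

On the raw rows, LAG() would report the September 1 delta for the first sample AS as -5 (35 minus 40), hiding the two dark days that the filled series exposes.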

Using a lightweight SNMP sweep, Censys determined that out of 1,797 devices with publicly accessible SNMP system OIDs, only 58 devices had an uptime lower than 15 days. Cox Communications had the highest number of hosts, with 26 hosts reporting a low uptime of between 5 and 8 days, followed by AT&T’s eight hosts, which reported 6- to 7-day uptimes. This data can give us insight into whether a data center went completely offline or just lost connectivity.
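The uptime reasoning above can be made concrete: subtracting sysUpTime from the time of the sweep gives the device's last boot time, and a boot after landfall points to lost power rather than lost connectivity alone. This is an added example, not Censys tooling; the sweep time, the Net-SNMP style output lines and the ASNs are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LANDFALL = datetime(2021, 8, 29, tzinfo=timezone.utc)           # date from the article
SWEEP_TIME = datetime(2021, 9, 5, 12, 0, tzinfo=timezone.utc)   # assumed sweep time

# Constructed samples: (asn, sysUpTime line as printed by Net-SNMP tools).
# ASNs are documentation-reserved placeholders.
SAMPLES = [
    (64500, "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (51840000) 6 days, 0:00:00.00"),
    (64500, "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (60480000) 7 days, 0:00:00.00"),
    (64500, "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (259200000) 30 days, 0:00:00.00"),
    (64501, "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (259200000) 30 days, 0:00:00.00"),
]

TICKS_RE = re.compile(r"Timeticks: \((\d+)\)")

def boot_time(line, observed):
    """Last boot = observation time minus sysUpTime (TimeTicks are 1/100 s)."""
    match = TICKS_RE.search(line)
    if match is None:
        raise ValueError(f"no TimeTicks value in: {line!r}")
    return observed - timedelta(seconds=int(match.group(1)) / 100)

def classify(samples, observed, event):
    """Count devices per (asn, state): 'rebooted' if the boot is at or after the event.

    Caveat: sysUpTime is a 32-bit counter that wraps after about 497 days, so a
    long-running device can report a small uptime; one sample cannot rule that out.
    """
    counts = Counter()
    for asn, line in samples:
        state = "rebooted" if boot_time(line, observed) >= event else "stayed_up"
        counts[(asn, state)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(classify(SAMPLES, SWEEP_TIME, LANDFALL).items()):
        print(key, n)
```

A device that was unreachable during the storm but classifies as stayed_up kept power and only lost its upstream path.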

Where do we go from here?

The destruction from Hurricane Ida made a powerful and significant impact on infrastructure within Louisiana. So much so that a great deal of the network infrastructure that was available just a few weeks ago is still recovering. A majority of these inactive hosts are users who still may be without power, while others are hosts that suffered network outages in a data center with a generator.

Organizations in areas with a higher frequency or likelihood of adverse weather impacting operations should consider disaster recovery plans that include locations outside of the impacted area. However, this isn’t always a viable option for some organizations, such as hospitals or school systems. Multi-provider redundancy for internet connectivity and power may be essential for those organizations, but there is still no guarantee of uptime in a critical event. For mission-critical data-only systems, using an origin-based CDN may be beneficial for both reliability and performance.

Lastly, an interesting outcome of this investigation shows how interconnected infrastructure and disaster events are. The cybersecurity landscape is intricately connected to the national security landscape at multiple levels. Information sharing between the cybersecurity community and emergency agencies can be useful outside of cybersecurity incidents.
