Network data from Cloudflare shows a marked increase in HTTP requests from Turkmenistan beginning in mid-June 2024, corroborating media reports of the nation unblocking billions of IP addresses. The analysis also reveals significant shifts in network connection patterns, which are consistent with the potential testing of a large-scale firewall system.
The changes follow a turkmen.news report claiming an “unprecedented easing in blocking” that made over 3 billion previously inaccessible IP addresses reachable. Cloudflare’s historical data provides an independent, technical view of these events, showing a clear surge in traffic from the country alongside distinct changes in how TCP connections were terminated.
TCP Connection Anomalies Signal Potential Interference
TCP, the protocol underpinning most web traffic, has graceful conventions for ending connections. Abrupt terminations, known as resets and timeouts, can sometimes be artifacts of user behavior but can also indicate interference from a third party, such as a state-level filtering system. According to Cloudflare, its systems detected a notable increase in these ungraceful connection endings from Turkmenistan starting on June 13, 2024.
The patterns of these connection anomalies continued to evolve in the following weeks. Further changes included an increase in “Post-PSH” anomalies around July 4 and a reduction in “Post-ACK” anomalies around July 13. While not definitive proof, Cloudflare notes that “the scale of the data would need a great number of browsers or users doing the same thing to show up,” suggesting a systemic cause. An internal link to another Cyberwarzone article about botnets could provide context on large-scale network behavior.
Network-Specific Data Reveals Clearer Patterns
Analysis of traffic from individual networks within the country showed more pronounced trends. Data from AS20661 (TurkmenTelecom), which accounts for a large portion of the nation’s traffic, largely mirrored the general trends. Other networks showed distinct patterns. For example, AS51495 (Ashgabat City Telephone Network) saw Post-ACK anomalies nearly disappear on July 12, corresponding with an increase in anomalies at a later connection stage.
A clear spike in Post-ACK anomalies was observed on July 22 for AS59974 (Altyn Asyr). This anomaly occurs at the stage where a firewall could inspect the Server Name Indication (SNI) to identify the requested domain name before dropping the connection. On the same day, HTTP request levels for that specific network saw a pronounced drop.
The data provides a unique window into the network behavior of a country with well-documented internet controls, offering empirical data to analyze changes in its filtering infrastructure. This situation is similar to other instances where governments refine their cyber tactics amid evolving geopolitical landscapes.