9.7 Analysis of the network in Ethiopia

Out of curiosity, and because I wanted to see the usage of open source operating systems and web servers on Ethiopian hosts, I have done some investigation of hosts in the et DNS domain and of IP addresses owned by ETC. I will first describe how I searched for the hosts and what programs I used to do this, then I will present the results.

When I started this search I had no clue as to which IP addresses belonged to Ethiopia. IP addresses are not organised according to geography, but are more or less randomly distributed by Internet registrars associated with the Internet Assigned Numbers Authority (IANA). IANA assigns available IP addresses to Regional Internet Registries (RIRs). An RIR assigns IP addresses to a Local Internet Registry (LIR) or National Internet Registry (NIR), which in turn assigns IP addresses to Internet service providers.

To find the IP range owned by ETC I decided to search for all the hosts registered in the et DNS domain. ETC is the only ISP in Ethiopia, so if I could find the IP range owned by ETC I would find all IP addresses in Ethiopia. The DNS domain et is also owned by ETC. Not all the hosts in the et domain are necessarily located in Ethiopia, but I am more likely to find hosts located in Ethiopia in this domain. My first thought was to query the DNS server for the et domain. I found the DNS servers for this domain by querying the WHOIS database. The different RIRs have WHOIS servers with a database of assigned domain names, IP addresses and various other information. I used the program whois, which searches a number of WHOIS servers. By using this I found the following DNS servers for the et domain.

  Nameserver Information:
      Nameserver: ns1.gip.net.
      IP Address:
      Nameserver: ns1.telecom.net.et.
      IP Address:
      Nameserver: ns2.gip.net.
      IP Address:
      Nameserver: ns2.telecom.net.et.
      IP Address:
      Nameserver: ns3.gip.net.
      IP Address:

DNS uses port 53 for communication, and by searching these nameservers I found that all the nameservers in the gip.net domain were up and running. The nameservers in the telecom.net.et domain had a firewall that filtered out port 53. When I at a later time checked the telecom.net.et servers they were not even running. I concluded that the servers in the gip.net domain were the ones in use, with ns1.gip.net as the primary server.

Now that I had the primary DNS server for Ethiopia, I tried to find all the sub-domains registered on this server. This can be done with something called a zone transfer. The purpose of zone transfers is to copy the content of a DNS server's database for use by a secondary server. Zone transfers are often only allowed for hosts within a specified IP address range. This was the case for the aforementioned servers. Because I couldn't find any other way to get all the records of a DNS server, I dropped this strategy.

The next strategy I thought of was to search Google for all et domains. Google offers domain-specific searches. This way I could find most of the hosts in the et domain running a web server. To automate this I made a script that made a search query to Google and parsed the result. The parsing captured all sub-domains of et in the links found in the search result. Because many host names can be served by the same physical host, I looked up the IP address for each host name.
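The parsing and grouping step described above, as an added example that is not the author's script: it extracts et host names from the links of a result page and groups them by resolved address. The HTML fragment, the host names and the name-to-address table are constructed so the example runs offline.

```python
import socket
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed search-result fragment; every name in it is hypothetical.
SAMPLE_HTML = """
<a href="http://www.example.et/index.html">A</a>
<a href="https://mail.example.et:8443/login">B</a>
<a href="http://WWW.Example.ET./about">C</a>
<a href="http://shop.example.com.et/">D</a>
<a href="http://old.example.et/">E</a>
<a href="http://example.net/?u=http://x.et/">F</a>
<a href="http://internet.example.org/">G</a>
<a href="/search?q=site:et&amp;start=10">next</a>
"""
# Constructed name-to-address table (RFC 5737 documentation addresses).
SAMPLE_DNS = {"www.example.et": "192.0.2.10", "mail.example.et": "192.0.2.10",
              "shop.example.com.et": "198.51.100.7"}

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def et_hostnames(html, tld="et"):
    """Return the set of link host names that fall under the given TLD."""
    collector = LinkCollector()
    collector.feed(html)
    # Parse each URL so only the host part is tested: "x.et" inside a query
    # string and "internet.example.org" must not count as et names.
    hosts = ((urlsplit(h).hostname or "").rstrip(".") for h in collector.hrefs)
    return {h for h in hosts if h.endswith("." + tld)}

def sample_resolve(name):
    """Offline stand-in for socket.gethostbyname, backed by SAMPLE_DNS."""
    if name not in SAMPLE_DNS:
        raise socket.gaierror("no constructed record for " + name)
    return SAMPLE_DNS[name]

def group_by_address(names, resolve=sample_resolve):
    """Map each IP address to the host names served from it."""
    by_ip, unresolved = defaultdict(set), set()
    for name in names:
        try:
            by_ip[resolve(name)].add(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            unresolved.add(name)
    return dict(by_ip), unresolved
```

Passing `socket.gethostbyname` as `resolve` performs live lookups instead of using the constructed table; names that no longer resolve are reported separately rather than dropped.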

When I first did this on the 13th of September I found 89 host names on 11 physical hosts. When I did this the day after I found 157 host names on 21 physical hosts. Many of these hosts were not located in Ethiopia. I searched the WHOIS database for the different IP addresses in the result and found that the range - belonged to ETC. There are over 8000 IP addresses in this range, which is a small number for a whole country. Using a ping sweep on this address range on the 13th of September I found 895 hosts to be up. A ping sweep sends a small message to every IP address in the range and checks for replies. I used a program called nmap for this. Normally an ICMP Echo message is used for pinging, but firewalls often filter these messages out. nmap uses various techniques to circumvent firewalls. Most of the previously mentioned hosts are probably only clients with no server software running on them.

I repeated the ping sweep on the 15th of September. This time I also checked whether port 80 was open on the running hosts I found. Port 80 is the standard HTTP port used by web servers. I wanted to know how many of the hosts I found were running a web server. Of the 1162 hosts I found, 42 had an open port 80. I combined this with the hosts in the ETC IP address range which I found through the Google search. I got a total of 46 web hosts. Then I did an operating system scan and a version scan on these 46 addresses. An operating system scan tries to guess the operating system running on the host, and a version scan tries to guess the version of the server software running on the host. With this data I can get an estimate of the usage of FLOSS for web servers.

Of the 46 IP addresses I decided to scan for operating system and web server version, 39 were up. These 39 hosts will form the basis of my study of the usage of FLOSS programs in the Ethiopian web server market. Of the 39 hosts that were found to be up I found information about 37 of them (see Table 9.1). The Cisco IOS and MS ISA web servers are not web servers meant to present content to the Internet, but are used to configure the other services running on the same host. The other services can be firewalling, routing, VPN or other kinds of infrastructure-related services.

Operating System

Web Server Windows GNU/Linux Solaris Cisco IOS Unknown

Apache 1
SunONE 3
Netscape 1
Cisco IOS 11
Unknown 2 1

Table 9.1: Operating systems and web servers used in Ethiopia