Iran Internet Shutdown: Why 98.5% of IPv6 Vanished

At 11:50 UTC on January 8, Iranian networks withdrew 98.5% of IPv6 address space. The lights went out. This wasn't a curfew; it was a surgical amputation of global connectivity. The regime has graduated from blunt force to a mature architecture of selective isolation, executing precise BGP withdrawal strategies that dismantle external access while keeping internal infrastructure limping along.

Traffic volumes plummeted nearly 90% within hours as heavyweights like MCCI and IranCell severed peering sessions. Forget the mobile-only restrictions of 2022. This 2026 operation marks a calculated shift toward protocol suppression, crushing IPv6 human-generated traffic from 12% to virtually zero before turning the screw on IPv4. Filterwatch spotted anomalies days earlier with QUIC-protocol issues. This wasn't panic; it was a phased rollout.

We need to trace the lineage of these connectivity drops, from the blunt instruments of the 2019 fuel protests to this current network anomaly. More importantly, we must define how to detect these traffic shifts in real-time. If you are monitoring state-level censorship, waiting for total silence is too late.

The Evolution of State-Sponsored Internet Blackouts in Iran

Defining the Modern Internet Shutdown via BGP Withdrawals

Stop calling it throttling. A modern internet shutdown is the intentional withdrawal of BGP announcements that scrub IP blocks from the global routing table. Throttling makes things slow; DNS filtering makes things annoying. BGP withdrawal eliminates the next hop entirely. The address becomes unreachable. Period.

Field reports from Filterwatch flagged initial anomalies on December 29, 2025, but the hammer dropped on January 8, 2026. The regime cut off 92 million citizens by dropping announced IPv6 address space by 98.5%, crashing from over 48 million /48s to just over 737,000 /48s. When networks stop telling the world how to reach those addresses, the path vanishes. Clients and servers stare into the void. Traffic volumes fell nearly 90% between 16:30 and 17:00 UTC. MCCI, IranCell, and others pulled the plug.

| Feature | Throttling | DNS Filtering | BGP Withdrawal |
| --- | --- | --- | --- |
| Path Status | Active | Active | Removed |
| Packet Flow | Delayed | Blocked at Resolver | Dropped at Edge |
| Recovery Time | Minutes | Seconds | Hours |

Partial restrictions leave cracks. This approach severs the AS path completely. No external peering sessions can establish. Internal services lose contact with global CDNs and cloud providers instantly. Re-announcement is the only fix. The mechanism relies on deep packet inspection to strip QUIC packets, forcing clients onto legacy TCP stacks that are easier to filter or reset. Post-shutdown monitoring shows residual traffic at 0.01% of normal levels. Only hardened, whitelisted connections survive this infrastructure of silence.

The 2019 event pulled the plug immediately. This phased degradation let the regime test filtering efficacy in real-time. Network engineers must treat sudden drops in HTTP/3 ratios as a definitive indicator of impending total blackout. Ignore this signal at your peril.

State-sponsored blackouts have mutated. We went from blunt five-day cuts in 2019 to precise mobile-only curfews by 2027. Infrastructure maturity now enables total isolation rather than temporary suppression. November 2019 fuel protests triggered a precedent for near-total nationwide shutdowns when systems could finally sever users from global networks completely. That approach lacked surgical precision.

September 2022 demonstrations following Mahsa Amini's death utilized nightly shutdowns affecting only mobile networks while keeping fixed lines active. This was cost-saving: suppress mobilization without incinerating the economy. The regime refined these mobile networks.

| Era | Trigger Event | Scope | Target Layer |
| --- | --- | --- | --- |
| 2019 | Fuel price hikes | Total (5+ days) | All IP traffic |
| 2022 | Custody death | Nightly mobile only | Cellular data |
| 2026 | Regime demands | Total isolation | BGP + HTTP/3 |

The strategy is clear: minimize economic blowback while maximizing political control. Earlier methods caused immediate, massive financial loss. Newer tactics apply selective pressure. Partial connectivity often precedes total withdrawal. The architectural evolution suggests future blackouts will target specific protocol stacks before collapsing entirely. Watch the stack, not just the uptime.

BGP route withdrawal at 11:50 UTC erased next hop reachability for Iranian IPv6 blocks. This mechanism functions by sending BGP UPDATE messages that strip specific prefixes from the global routing table. It tells peer routers that a destination no longer exists. Unlike accidental outages where routes flap or degrade, this withdrawal of IPv6 routes represents a deliberate administrative action.

The technical distinction lies in persistence. Traffic vanished, yet route announcements for remaining blocks stayed broadly stable. This points to internal filtering, not physical cable cuts or hardware failures. Operators must distinguish between a loss of signal and a loss of route advertisement.

| Feature | Accidental Outage | Intentional Withdrawal |
| --- | --- | --- |
| BGP State | Flapping or unstable | Clean, final withdrawal |
| Scope | Random or localized | Systematic across ASN |
| Recovery | Automatic retry | Requires manual re-announcement |

Monitoring BGP UPDATE messages provides earlier warning than traffic volume metrics. Once a prefix is withdrawn, packets destined for those addresses are dropped at the edge of the global internet. Standard redundancy protocols cannot bypass this hard boundary without alternative peering arrangements outside the affected jurisdiction.
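The flap-versus-withdrawal distinction above can be checked mechanically from an update feed. The following is an added example, not code from the original article: the record layout, the thresholds, and the documentation-range ASNs and prefixes are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed BGP update records: (minute, origin_asn, prefix, kind),
# kind "A" = announce, "W" = withdraw. ASNs and prefixes are documentation values.
UPDATES = (
    [(0, 64500, f"2001:db8:{i:x}::/48", "A") for i in range(1, 5)]
    + [(710, 64500, f"2001:db8:{i:x}::/48", "W") for i in range(1, 5)]
    + [(t, 64501, "2001:db8:a0::/48", k) for t, k in
       [(0, "A"), (700, "W"), (702, "A"), (705, "W"), (709, "A")]]
    + [(0, 64501, "2001:db8:a1::/48", "A"), (0, 64502, "2001:db8:b0::/48", "A")]
)

def classify_prefix(events, flap_transitions=3):
    """Label one prefix from its time-ordered (minute, kind) history."""
    kinds = [kind for _, kind in sorted(events)]
    transitions = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    if transitions >= flap_transitions:
        return "flapping"            # repeated announce/withdraw churn
    if kinds[-1] == "W":
        return "clean-withdrawal"    # withdrawn once and never re-announced
    return "stable"

def summarize_by_asn(updates, systematic_share=0.9):
    """Return {asn: verdict} using the share of prefixes cleanly withdrawn."""
    history = defaultdict(list)
    for minute, asn, prefix, kind in updates:
        history[(asn, prefix)].append((minute, kind))
    counts = defaultdict(lambda: defaultdict(int))
    for (asn, _prefix), events in history.items():
        counts[asn][classify_prefix(events)] += 1
    verdicts = {}
    for asn, c in counts.items():
        total = sum(c.values())
        if c["clean-withdrawal"] / total >= systematic_share:
            verdicts[asn] = "systematic withdrawal"   # matches the "Intentional" column
        elif c["flapping"]:
            verdicts[asn] = "instability"             # matches the "Accidental" column
        else:
            verdicts[asn] = "no event"
    return verdicts

if __name__ == "__main__":
    for asn, verdict in sorted(summarize_by_asn(UPDATES).items()):
        print(f"AS{asn}: {verdict}")
```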

IranCell (AS44244) saw HTTP/3 usage collapse from a peak to single digits at 20:00 UTC on December 31. Active packet dropping was underway. This decline is a precise indicator because QUIC relies on UDP port 443, distinct from legacy TCP stacks that censors often allow initially. Operators tracking these shifts can identify QUIC-protocol anomalies. The mechanism involves deep packet inspection systems stripping UDP payloads, forcing clients to fall back to slower, more easily filtered TCP connections.

| Protocol | Transport Layer | Censorship Signal | Detection Latency |
| --- | --- | --- | --- |
| HTTP/3 | UDP | Sudden drop to baseline | Minutes |
| HTTP/2 | TCP | Gradual degradation | Hours |
| IPv6 Routes | BGP | Prefix withdrawal | Immediate |

Correlate application-layer metrics with routing data. Distinguish congestion from intentional suppression. Researchers noted similar patterns on TCI (AS58224), where usage fell below threshold levels by January 3, confirming a coordinated filtering strategy. Sophisticated censors may mimic natural packet loss, requiring operators to verify findings against circumvention detection. A sharp drop in modern protocol usage without corresponding physical link failures confirms layered whitelisting is active.
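One way to correlate the application-layer and routing signals described above, as an added example rather than anything from the original article: each hourly sample is labelled by comparing HTTP/3 share, request volume and announced-prefix count against a short baseline. The sample data is constructed and every threshold is an assumption.

```python
# Constructed hourly samples for one network:
# (hour, total_requests, http3_requests, announced_prefixes)
SAMPLES = [
    (0, 1000, 300, 40), (1, 1000, 310, 40), (2, 1000, 290, 40),  # baseline hours
    (3, 980, 290, 40),
    (4, 900, 40, 40),
    (5, 100, 2, 40),
    (6, 5, 0, 1),
]

def label_intervals(samples, baseline_n=3, h3_drop=0.5,
                    route_drop=0.5, volume_floor=0.5):
    """Label each post-baseline sample; all thresholds are illustrative assumptions."""
    base = samples[:baseline_n]
    base_share = sum(s[2] for s in base) / sum(s[1] for s in base)
    base_volume = sum(s[1] for s in base) / len(base)
    base_routes = sum(s[3] for s in base) / len(base)
    labels = []
    for hour, total, h3, routes in samples[baseline_n:]:
        share = h3 / total if total else 0.0
        if routes < base_routes * route_drop:
            label = "route-withdrawal"          # prefixes left the routing table
        elif total < base_volume * volume_floor:
            label = "filtering-routes-intact"   # traffic gone, announcements stable
        elif share < base_share * h3_drop:
            label = "http3-suppression"         # QUIC share collapsed, TCP still flows
        else:
            label = "normal"
        labels.append((hour, label))
    return labels

if __name__ == "__main__":
    for hour, label in label_intervals(SAMPLES):
        print(f"hour {hour}: {label}")
```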

Peak traffic levels recovered by January 5. Do not be fooled. This surge preceded the most severe nationwide internet shutdown in the country's history. Operators analyzing traffic anomalies during this window risk misclassifying temporary stabilization as network durability. The brief recovery masked active preparation for total isolation.

| Signal Phase | Observable Metric | Operational Reality |
| --- | --- | --- |
| Pre-Shutdown | Traffic exceeds expected levels | Filtering infrastructure finalizes rulesets |
| Transition | IPv6 share drops from 12% to 2% | Route withdrawals target modern transport |
| Event | Volume falls to near-zero | Complete BGP path suppression active |

State-controlled network mechanics are volatile. High visibility often precedes total blackout. Researchers detected these QUIC-protocol anomalies. A temporary rise in request counts can indicate clients retrying failed handshakes against increasingly restrictive firewalls. This behavior creates a false positive for stability in standard monitoring dashboards. Ignoring this pattern delays incident response when the final cut occurs.

Defining Brief Connectivity Windows and Traffic Spikes

Access to 1.1.1.1 briefly returned at 10:00 UTC on January 9. Request traffic spiked above expected ranges, then vanished. This defines a brief connectivity window: a temporary restoration where internal data shows sharp spikes followed by a return to near-zero levels. These events signal filter testing, not genuine recovery. Only a small amount of request traffic remained visible after the initial surge.

Operators must distinguish between accidental route flaps and intentional, short-lived access grants designed to trap circumvention tools. Stateful firewalls allow UDP bursts to identify active V2Ray or Shadowsocks endpoints before re-imposing total blocks.

| Phase | Traffic Behavior | Operator Action |
| --- | --- | --- |
| Spike | Requests exceed baseline | Log source IPs immediately |
| Collapse | Volume drops to minimal | Verify BGP withdrawal status |
| Silence | No visible packets | Assume deep packet inspection active |

False positives remain a risk. Interpreting these rebounds as successful circumvention detection is dangerous. Misinterpreting a trap as a restoration exposes user identities to state actors. Even during alleged recovery periods, connectivity often fails to reach pre-shutdown capacity. Recall the partial restoration failure observed in May 2026 where service remained spotty.

University of Tehran Informatics Center (AS29068) briefly announced routes at 11:30 UTC. This marked a specific partial restoration window. Analysts tracking BGP changes during protests must isolate these academic Autonomous System Numbers to detect patchy connectivity before national providers recover. On January 28, 2026, authorities relaxed restrictions. Traffic returned in a patchwork and heavily filtered form, not full access. Verification steps require correlating DNS resolver accessibility with AS path re-appearance, as seen when 1.1.1.1 requests spiked then vanished. Cloudflare Radar provides country and network level insights to distinguish regional retention from total blackouts.

| ASN Entity | Restoration Time | Duration |
| --- | --- | --- |
| AS29068 | 11:30 UTC | 3.5 hours |
| AS12660 | 11:30 UTC | 3.5 hours |
| AS43965 | 11:30 UTC | 3.5 hours |
| AS57745 | 11:30 UTC | 3.5 hours |

Activity often remains depressed even after restoration orders. The partial nature of the restoration is undeniable. University windows may be intentional traps to identify active circumvention tools rather than genuine service returns. Operators interpreting these signals risk false positives if they assume route announcements equal usable bandwidth.

Declaring an outage over based on uneven data ignores reality. Traffic volumes remain at a fraction of a percent despite apparent access returns. Analysts observing the partial and uneven restoration on January 28 risk false positives when connectivity returns in a patchwork form. Traffic metrics validate this deception; while DNS queries rose during restoration attempts, actual network activity remained significantly depressed. This gap between resolver availability and usable throughput defines the restoration failure mode. Wait for sustained volume increases rather than isolated DNS resolver spikes before easing escalation protocols. Even after May 26, users reported slow, spotty service where activity reached only a portion of pre-shutdown levels. Reporting practices must distinguish between filter testing and genuine recovery. Premature declaration leaves networks vulnerable to renewed political and wartime tool deployment strategies.
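The rule of waiting for sustained volume rather than isolated resolver spikes can be expressed as a simple gate. This is an added example, not code from the original article: the interval layout, the 50% fraction and the four-interval sustain window are assumptions, and the samples are constructed.

```python
# Constructed per-interval samples: (routes_announced, traffic_volume, dns_queries)
PATCHWORK = [
    (False, 1, 0),
    (True, 1100, 1200),   # brief window: spike above baseline...
    (True, 900, 1000),
    (False, 2, 0),        # ...then collapse
    (True, 80, 700),      # resolver reachable, throughput still depressed
    (True, 90, 800),
]
SUSTAINED = PATCHWORK + [(True, 600, 900)] * 4

def assess_restoration(samples, base_volume, base_dns,
                       min_fraction=0.5, sustain=4):
    """Declare restoration only after `sustain` consecutive usable intervals."""
    run = 0             # current streak of intervals with usable throughput
    brief_windows = 0   # streaks that ended before reaching `sustain`
    dns_only = 0        # intervals where DNS recovered but volume did not
    for routes_up, volume, dns in samples:
        usable = routes_up and volume >= min_fraction * base_volume
        if usable:
            run += 1
            continue
        if 0 < run < sustain:
            brief_windows += 1
        run = 0
        if dns >= min_fraction * base_dns:
            dns_only += 1
    return {
        "restored": run >= sustain,
        "brief_windows": brief_windows,
        "dns_only_intervals": dns_only,
    }

if __name__ == "__main__":
    print(assess_restoration(PATCHWORK, base_volume=1000, base_dns=1000))
    print(assess_restoration(SUSTAINED, base_volume=1000, base_dns=1000))
```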

Critical Risks of Digital Isolation and Mitigation Limitations

Defining Layered Whitelisting Risks in Patchwork Restorations

Dashboard showing $3B cumulative loss, 87-day blackout duration, 3% Starlink access, and sector risk levels where export logistics face 100% disruption while actual traffic remains at 10% of pre-crisis levels.

Layered whitelisting restores connectivity only after deep packet inspection validates specific application signatures. It creates a false perception of recovery. This mechanism filters traffic at the protocol level rather than blocking IP ranges. State actors permit necessary banking data while suppressing protest coordination tools. The cost is measurable: small merchants face bankruptcy risks due to the cutoff, as these groups played a central role in recent unrest. Operators observing brief DNS resolver availability often misinterpret these signals as full network restoration.

Hidden operational costs emerge during these patchwork restorations:

  • Stateful firewall tables exhaust memory tracking allowed flows.

The cumulative financial loss from the second blackout phase exceeds $3 billion due to sustained isolation. This wartime blackout targeted trade protocols rather than just social media, crippling export logistics. Critics argue partial filtering preserves revenue better than total disconnection, yet the regime prioritized absolute control over economic continuity. The mechanism relied on suppressing BGP announcements to sever cross-border payment gateways instantly.

Hidden costs accumulated silently across specific sectors during the 87-day window:

  • Freelance developers lost access to global Git repositories permanently.
  • Import verification systems failed without real-time DNS resolution.
  • Digital banking settlements stalled due to missing TLS handshakes.
  • Remote medical diagnostics collapsed when HTTP/3 streams vanished.

Recovery remained incomplete even after restrictions lifted, with traffic returning to only a fraction of pre-crisis levels. The partial restoration ordered in late May failed to restore full AS path visibility for international peers. Operators attempting to fix missing internet access during national outage face degraded root zone trust chains that persist long after connectivity returns.

Critics argue that satellite constellations offer a strong fix for missing internet access. They are wrong. This ignores the physical dependency on ground stations within national borders. Without local points of presence, latency spikes and throughput collapses render HTTP/3 sessions unusable. Hardware alone cannot bypass a sovereign network provider outage when the upstream path ceases to exist.

Hidden costs of relying on satellite alternatives include:

  • Regulatory criminalization of possession
  • Inability to reach local banking systems
  • Lack of redundancy for DNS resolution
  • High latency breaking real-time applications

Cloudflare Radar uses data from its global presence to observe these routing changes directly, whereas external observers rely on measurement techniques. InterLIR recommends operators treat satellite links as secondary paths only, never as primary rescue infrastructure during geopolitical instability.

About

Alexei Krylov serves as the Head of Sales at InterLIR, a Berlin-based marketplace specializing in IPv4 address redistribution. While his daily work focuses on optimizing network availability through efficient IP resource allocation, this expertise provides a critical lens for analyzing the Iran internet shutdown. As a specialist in BGP routing and global connectivity infrastructure, Krylov understands that the sudden drop to zero traffic reported by Cloudflare Radar represents more than just political suppression; it is a catastrophic failure of network integrity. His background in managing Regional Internet Registries and ensuring clean route objects allows him to technically dissect how state-mandated disconnections alter the fundamental layers of the internet. By connecting InterLIR's mission of maintaining open network access to this crisis, Krylov highlights the severe impact of cutting off 92 million citizens from necessary digital resources and the broader implications for global IP stability.

Conclusion

The collapse of IPv6 reachability proves a hard truth: modern internet durability fails when state actors target routing tables rather than physical cables. Relying on non-terrestrial networks as a primary failover creates a false sense of security while incurring massive operational debt in hardware procurement and legal risk. Organizations operating in volatile regions must stop treating LEO constellations as silver bullets for sovereignty-level outages.

Leaders should mandate a hybrid architecture where critical data replicates to edge nodes in neutral jurisdictions before any crisis escalates. This shift requires moving beyond reactive hardware purchases to proactive data sovereignty planning within the next six months. Start by auditing your application's dependency on local DNS resolution this week. Configure fallback resolvers hosted outside the affected geopolitical zone. Maintain basic connectivity when domestic roots vanish.

Frequently Asked Questions

Iranian networks withdrew 98.5% of their announced IPv6 address space to sever global connectivity. This massive drop reduced available blocks from over 48 million down to just over 737,000 /48s.

Traffic volumes fell nearly 90% between 16:30 and 17:00 UTC as major providers disconnected. This rapid decline signaled the transition from partial restriction to a near-total state-sponsored internet shutdown.

The share of human-generated IPv6 traffic dropped significantly from 12% to just 2% during the initial phase. This reduction preceded the final disappearance of IPv6 traffic from the country entirely.

Post-shutdown monitoring showed residual traffic at only 0.01% of normal levels during the blackout. This tiny fraction indicates that only hardened, whitelisted connections survived the infrastructure of silence.

The January 2026 event successfully cut off 92 million citizens by removing IP blocks from routing tables. This action eliminated the next hop path, rendering addresses unreachable for the vast majority.