A Multi-Perspective Study of the Internet Shutdown in Iran

TL;DR

This study analyzes Iran's two nationwide Internet shutdowns in 2026, revealing they are enforced via centralized null-routing at borders, with BGP announcements remaining stable, and highlights the impact on network visibility and monitoring.

Contribution

It introduces a multi-plane methodology combining passive, active, and BGP analysis to uncover the mechanisms behind Iran's Internet shutdowns and their effects on network observability.

Findings

Shutdowns are enforced via centralized null-routing with stable BGP announcements.

96.5-97.4% of Iranian prefixes are null-routed during shutdowns.

Measurement artifacts cause apparent increases in visible hosts during shutdowns.

Abstract

Iran conducted two nationwide Internet shutdowns in January and March 2026, the latter ongoing at the time of writing and the longest documented Iranian disruption. Using a three-plane methodology combining passive Censys scan data, active TCP reachability probing from five vantage points, and BGP analysis across 33 RIPE RIS snapshots from 2019 to 2026, we show that the 2022 and 2026 shutdowns are enforced via forwarding-plane null-routing at a centralized border while BGP announcements remain stable, and that Iran shifted from partial BGP withdrawal in 2019 to pure null-routing by 2022. This control- and forwarding-plane decoupling prevents BGP-based outage monitors from detecting shutdowns. Active probing of 4,571 BGP-visible Iranian prefixes shows that 96.5 to 97.4% are null-routed across all vantage points, indicating a centrally coordinated mechanism. Passive scan analysis reveals a 3.7 times increase in visible hosts between shutdown events due to measurement artifacts rather than recovery, along with two structural exemptions: academic networks rise from 1.4 to 66.6% of visible hosts during partial recovery, and ArvanCloud CDN retains 99.7% visibility while other major operators drop by at least 77%.