
arxiv: 2605.00187 · v1 · submitted 2026-04-30 · 💻 cs.NI

A Multi-Perspective Study of the Internet Shutdown in Iran

Pith reviewed 2026-05-09 20:03 UTC · model grok-4.3

classification 💻 cs.NI
keywords: internet shutdown, Iran, null-routing, BGP, network measurement, internet censorship, outage detection

The pith

Iran now enforces nationwide Internet shutdowns by null-routing packets at a central border while BGP announcements stay stable.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper analyzes Iran's January and March 2026 nationwide Internet shutdowns, along with the 2022 event, using passive Censys scans, active TCP probes from five vantage points, and BGP data from 33 RIPE RIS snapshots spanning 2019 to 2026. It establishes that the recent shutdowns rely on forwarding-plane null-routing at a centralized border point, unlike the partial BGP withdrawals used in 2019. This decoupling keeps BGP routes intact, so standard BGP-based monitors miss the outages entirely. The work also identifies uniform blocking across nearly all visible prefixes and notes that academic networks and one major CDN remain disproportionately visible during the events.

Core claim

Iran's 2022 and 2026 Internet shutdowns are enforced via forwarding-plane null-routing at a centralized border while BGP announcements remain stable, marking a shift from the partial BGP withdrawal used in 2019. This control- and forwarding-plane decoupling prevents BGP-based outage monitors from detecting shutdowns. Active probing of 4,571 BGP-visible Iranian prefixes shows that 96.5 to 97.4 percent are null-routed across all vantage points, indicating a centrally coordinated mechanism.

What carries the argument

Forwarding-plane null-routing at a centralized border, identified by comparing stable BGP announcements against uniform packet drops seen in active probes and passive scans.

If this is right

  • BGP-based outage monitors will continue to miss shutdowns that rely on this forwarding-plane method.
  • Iran maintains centralized control over the forwarding plane independent of routing announcements.
  • Certain networks such as academic institutions and ArvanCloud show structural exemptions during shutdowns.
  • Passive scan data can produce misleading increases in visible hosts due to measurement artifacts rather than actual recovery.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Other countries may adopt similar control-forwarding decoupling to conceal network disruptions from international monitoring systems.
  • Outage detection tools need to combine active probing and passive scanning with BGP data to remain effective against this technique.
  • This approach reveals limits in current global internet resilience metrics that depend primarily on control-plane signals.
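The cross-check described in the list above, as an added example that is not code from the paper or from Pith: it compares a BGP view with active TCP probe outcomes per prefix and flags the case where routes stay announced while probes time out from every vantage point. The vantage names, prefixes, labels and the 0.9 threshold are assumptions made for illustration, and both events are constructed data.

```python
from collections import Counter

VANTAGES = ["vp1", "vp2", "vp3", "vp4", "vp5"]            # hypothetical names
BASELINE = [f"198.51.100.{i * 16}/28" for i in range(10)]  # constructed prefixes

def classify_prefix(prefix, announced_now, probes):
    """probes maps vantage -> 'connect' | 'rst' | 'timeout' for one prefix."""
    if prefix not in announced_now:
        return "bgp_withdrawn"      # control-plane change: a BGP monitor sees it
    if not probes:
        return "unprobed"
    outcomes = set(probes.values())
    if outcomes == {"connect"}:
        return "reachable"
    if "connect" in outcomes:
        return "partial"            # varies by vantage point, so not uniform
    if outcomes == {"timeout"}:
        return "silent_drop"        # still announced, dropped from everywhere
    return "answered_rst"           # no connection, but a RST came back

def summarize(baseline, announced_now, probe_results, threshold=0.9):
    """Compare the BGP view with the probe view over the baseline prefixes."""
    labels = {p: classify_prefix(p, announced_now, probe_results.get(p, {}))
              for p in baseline}
    counts = Counter(labels.values())
    announced = len(baseline) - counts["bgp_withdrawn"]
    bgp_ratio = announced / len(baseline)
    drop_ratio = counts["silent_drop"] / announced if announced else 0.0
    return {
        "counts": dict(counts),
        "bgp_visible_ratio": bgp_ratio,
        "silent_drop_ratio": drop_ratio,
        # Routes look healthy while probes fail: invisible to BGP-only monitors.
        "decoupled": bgp_ratio >= threshold and drop_ratio >= threshold,
    }

def uniform(outcome):
    return {vp: outcome for vp in VANTAGES}

# Constructed event A: every route stays announced, 9 of 10 prefixes time out.
EVENT_A = summarize(
    BASELINE, set(BASELINE),
    {p: uniform("connect" if i == 0 else "timeout") for i, p in enumerate(BASELINE)})

# Constructed event B: 6 of 10 routes withdrawn, the rest still answer.
EVENT_B = summarize(
    BASELINE, set(BASELINE[:4]),
    {p: uniform("connect") for p in BASELINE[:4]})

if __name__ == "__main__":
    for name, result in (("A", EVENT_A), ("B", EVENT_B)):
        print(name, result)
```

A `silent_drop` label only says the prefix is announced and unanswered everywhere; locating where packets are dropped needs path data that this check does not use.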

Load-bearing premise

The combination of Censys passive data, active probes from five vantage points, and RIPE RIS BGP snapshots accurately captures the enforcement mechanism without significant measurement artifacts or incomplete coverage of Iranian networks.

What would settle it

A future shutdown in which BGP routes change substantially while traffic remains uniformly blocked from all external points, or in which active probes from different locations show inconsistent reachability patterns, would contradict the centralized null-routing claim.

Figures

Figures reproduced from arXiv: 2605.00187 by Ali Sadeghi Jahromi, Jason Jaskolka.

Figure 1: Censys-visible Iranian IPv4 hosts. Red bands: shutdown windows; Event 2 begins March 1. Purple band: anomalous inter-event peak of 3.48M hosts (February 26). Gray dashed bands indicate 2025 baseline. the true forwarding-plane onset at −96.8% from the validated baseline (∼935K). The March 2 count of ∼402K is 86.1% eviction-queue carry-over from March 1. Event 2 then deepens genuinely: active hosts decline …
Original abstract

Iran conducted two nationwide Internet shutdowns in January and March 2026, the latter ongoing at the time of writing and the longest documented Iranian disruption. Using a three-plane methodology combining passive Censys scan data, active TCP reachability probing from five vantage points, and BGP analysis across 33 RIPE RIS snapshots from 2019 to 2026, we show that the 2022 and 2026 shutdowns are enforced via forwarding-plane null-routing at a centralized border while BGP announcements remain stable, and that Iran shifted from partial BGP withdrawal in 2019 to pure null-routing by 2022. This control- and forwarding-plane decoupling prevents BGP-based outage monitors from detecting shutdowns. Active probing of 4,571 BGP-visible Iranian prefixes shows that 96.5 to 97.4% are null-routed across all vantage points, indicating a centrally coordinated mechanism. Passive scan analysis reveals a 3.7 times increase in visible hosts between shutdown events due to measurement artifacts rather than recovery, along with two structural exemptions: academic networks rise from 1.4 to 66.6% of visible hosts during partial recovery, and ArvanCloud CDN retains 99.7% visibility while other major operators drop by at least 77%.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript analyzes Iranian nationwide Internet shutdowns in January and March 2026 using passive data from Censys, active TCP reachability probes from five vantage points, and BGP snapshots from RIPE RIS spanning 2019-2026. It concludes that the 2022 and 2026 shutdowns are implemented through forwarding-plane null-routing at a centralized border with stable BGP announcements, unlike the 2019 event which involved partial BGP withdrawal. This decoupling means BGP-based monitors fail to detect the outages. Additional findings include a 3.7-fold increase in visible hosts between shutdowns attributed to measurement artifacts, and structural exemptions for academic networks and ArvanCloud.

Significance. This study is significant for the network measurement and Internet censorship research communities as it documents the evolution of shutdown techniques in Iran and demonstrates how forwarding-plane actions can evade control-plane monitoring. The reliance on multiple public data sources is a positive aspect, enabling potential reproducibility and extension of the analysis.

major comments (2)
  1. [Abstract] The central claim that the shutdowns are enforced via 'forwarding-plane null-routing at a centralized border' (Abstract) is not fully supported by the reported evidence. While 96.5–97.4% of 4,571 BGP-visible prefixes are unreachable via TCP from all vantage points, TCP reachability tests cannot distinguish null-routing from other mechanisms such as stateful firewalls or per-prefix ACLs, nor do they localize the drop to the border AS without additional data like traceroutes or ICMP responses.
  2. [Active probing results] The high consistency across vantage points supports coordinated enforcement but does not establish the specific null-routing mechanism or rule out distributed filtering; the paper would benefit from reporting response types (e.g., timeouts vs. RST) or any path tracing results to strengthen the forwarding-plane interpretation.
minor comments (2)
  1. Clarify in the abstract or methods whether the five vantage points include diverse geographic locations to rule out regional artifacts in the reachability data.
  2. The mention of '33 RIPE RIS snapshots' could be accompanied by a table summarizing the key BGP stability metrics across years for easier reference.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed comments. The feedback correctly identifies that our interpretation of the shutdown mechanism relies on inference from multiple data sources rather than direct observation. We address each point below, revise the manuscript to qualify our claims more precisely, report additional details from our existing probe data, and note limitations where new measurements are unavailable.

  1. Referee: [Abstract] The central claim that the shutdowns are enforced via 'forwarding-plane null-routing at a centralized border' (Abstract) is not fully supported by the reported evidence. While 96.5–97.4% of 4,571 BGP-visible prefixes are unreachable via TCP from all vantage points, TCP reachability tests cannot distinguish null-routing from other mechanisms such as stateful firewalls or per-prefix ACLs, nor do they localize the drop to the border AS without additional data like traceroutes or ICMP responses.

    Authors: We agree that TCP reachability tests by themselves cannot definitively distinguish null-routing from other drop mechanisms or localize the filtering point. Our conclusion draws on the joint evidence of (i) unchanged BGP announcements across 33 RIPE RIS snapshots, (ii) uniform unreachability of 96.5–97.4 % of prefixes from five geographically diverse vantage points, and (iii) the absence of partial or variable connectivity patterns that would be expected from distributed or stateful filtering. In the revised manuscript we will change the abstract wording to “implemented through a mechanism consistent with forwarding-plane null-routing at a centralized border” and add a dedicated paragraph in the discussion section that explicitly lists alternative mechanisms and explains why the observed uniformity favors centralized null-routing. We do not possess traceroute or ICMP data that would allow localization to the border AS. revision: partial

  2. Referee: [Active probing results] The high consistency across vantage points supports coordinated enforcement but does not establish the specific null-routing mechanism or rule out distributed filtering; the paper would benefit from reporting response types (e.g., timeouts vs. RST) or any path tracing results to strengthen the forwarding-plane interpretation.

    Authors: We accept this recommendation. Re-examination of our active TCP probe logs shows that 96.8 % of unreachable connections produced timeouts and only 3.2 % elicited RST packets. This distribution is more consistent with silent drops than with active firewall rejection. We will add a short subsection and a supplementary table reporting these response-type statistics in the revised version. Our study collected only TCP reachability probes; no traceroute or ICMP measurements were performed. We will therefore state this limitation explicitly and identify path tracing as valuable future work. revision: partial

Circularity Check

0 steps flagged

No circularity: claims rest on external public datasets


The paper's derivation consists of empirical analysis of Censys passive data, active TCP probes from five vantage points, and RIPE RIS BGP snapshots across 2019-2026. No equations, fitted parameters, or self-defined quantities are present. No self-citations by the authors are used to justify core premises. The central claim about null-routing versus BGP withdrawal is presented as an inference from reachability and announcement stability in the cited external sources, which remain independently verifiable and do not reduce to the paper's own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claims rest on the domain assumption that the selected measurement vantage points and public datasets provide a representative and unbiased view of Iranian border behavior during the events.

axioms (1)
  • domain assumption: The data sources (Censys, RIPE RIS snapshots, and active probes from five vantage points) accurately reflect the state of Iranian network reachability and BGP announcements.
    Invoked throughout the interpretation of visibility changes and null-routing conclusions.

pith-pipeline@v0.9.0 · 5525 in / 1288 out tokens · 47265 ms · 2026-05-09T20:03:37.328797+00:00 · methodology

