Iran's Internet Shutdowns: Technical Methods and Documented Patterns

Iran has conducted at least 14 major internet shutdowns or significant throttling events since 2017, according to Access Now's KeepItOn project. These incidents follow identifiable patterns tied to political events—elections, protests, sensitive exams—and reveal a technical infrastructure capable of nationwide connectivity disruption within hours.

The 2017 New Year protests marked the first well-documented nationwide shutdown of the modern era. Starting December 30, 2016, Iranian authorities implemented a multi-layered blocking strategy that persisted for several weeks. Access Now documented this as among the most severe cases on record. The shutdown targeted both mobile and fixed-line infrastructure, though mobile networks experienced more aggressive throttling.

The 2019 fuel-price protests produced sharper, more complete disruption. Beginning November 15, 2019, Iran implemented what international observers characterized as a near-total shutdown lasting approximately one week. This incident was significant because authorities appeared to execute connectivity loss at the BGP (Border Gateway Protocol) and AS (Autonomous System) level, effectively isolating large portions of Iran's internet from global routing. OONI's measurement infrastructure captured the moment of disconnect and subsequent restoration, providing technical confirmation of nation-wide blocking rather than localized filtering.

The 2020 Soleimani killing protests and subsequent January unrest saw regional throttling and DNS-level filtering rather than full shutdown. The 2021 water-shortage protests in Khuzestan Province demonstrated selective geographic blocking—authorities restricted connectivity in affected regions while maintaining national service. This reflects technical capability for granular, province-level or city-level control rather than requiring all-or-nothing shutdown decisions.

Iran's blocking architecture relies on multiple redundant techniques. DNS filtering, implemented at state-controlled ISP level, blocks resolution of restricted domains and is the most persistent form of content filtering. Deep Packet Inspection (DPI) systems operated by the Telecommunications Infrastructure Company (TCI) examine traffic content, enabling SNI (Server Name Indication) filtering to block encrypted HTTPS connections by hostname without decrypting them. IP blacklisting blocks traffic to foreign servers by address. During escalation events, authorities implement bandwidth throttling—restricting per-user or per-IP data rates—before progressing to complete disconnection. OONI's network measurement probes have documented DNS blocking, TCP/IP blocking, and DPI interference on Iranian networks across multiple carrier ASNs.

Measurable data on shutdown scope comes primarily from OONI and Access Now. OONI's Probe network in Iran (active when connectivity permits) logs blocking events; their reports show consistent DNS tampering on major ISPs including Hamrah-e Aval (AS12880), RighTel (AS39798), and others. During 2019 and 2021 shutdowns, OONI infrastructure went offline entirely, indicating ISP-level connectivity loss rather than targeted filtering. Access Now's KeepItOn project documents duration: the 2019 shutdown lasted approximately 7-10 days; the 2017 shutdown exceeded 4 weeks; the 2021 Khuzestan throttling lasted 3-5 days regionally.

Not all internet restriction events in Iran constitute "shutdowns" as technically defined. Throttling—intentional reduction of bandwidth—is a routine tool deployed during exam periods (university entrance exams in summer months historically trigger bandwidth restrictions to prevent cheating via messaging apps) and during low-level protest activity. Throttling is harder to measure than binary blocking but produces observable signatures in OONI latency and throughput tests. Speed degradation to 10-20% of normal bandwidth effectively disables video, real-time chat, and secure tunneling—functionally destructive without complete disconnection.

Technical circumvention against Iran's filtering requires understanding these specific threats. DNS filtering can be bypassed using DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to recursive resolvers outside Iran's control, though recent OONI reports suggest some DoH endpoints are being blocked at DPI level. SNI filtering requires use of ECH (Encrypted Client Hello) to hide the requested hostname, or protocols that don't expose SNI in plaintext. IP blocking requires tunneling through addresses not yet enumerated; this is where open-source tunnel protocols like WireGuard, OpenVPN, and Shadowsocks remain effective against static IP lists, though DPI capable of detecting VPN protocols (via traffic fingerprinting rather than content inspection) may still interfere. V2Ray and Xray with REALITY protocol mode, or obfuscation layers like obfs4, add protocol camouflage to resist fingerprinting. Tor with pluggable transports like Snowflake or WebTunnel can work where simpler VPN methods fail, though bandwidth limitations inherent to bridge systems make Tor unsuitable for video or general browsing.

For users facing potential shutdowns or throttling, no single technique is universally effective. Resilience requires redundancy: multiple tunnel protocols, bridge diversification, and awareness that techniques effective during throttling may fail during escalated blocking. No measurement or academic publication has demonstrated that any commercial VPN product achieves guaranteed access during Iran's coordinated multi-layer blocking events.

Iran's documented shutdowns represent the most mature technical and operational internet control infrastructure outside mainland China. The pattern is clear: capability exists for nationwide shutdown execution, deployment follows political calendars, and technical methods are layered specifically to defeat single-method circumvention.