Network Monitor: From Internet Shutdowns To A Pilot Version of a Legal VPN

Iranians went almost the entire month of May without reliable internet access. For at least 26 days, nationwide throttling and periods of near-total internet (mobile data) shutdowns impacted users in localities across the country. Disruptions began on May 6 in the southwestern province of Khuzestan; major disruptions occurred nationwide as well. Shutdowns and throttling coincided at times with protests and social unrest sparked by potential increases in food prices and the fatal collapse of a ten-story tower, the Metropol Building, which was under construction in the city of Abadan.

Authorities employed various internet disruption methods that shifted day-to-day and locality-to-locality, which potentially reflects provincial-level decision-making. The majority of disruptions included shutting down access to international sites and services on mobile data or throttling international bandwidth on mobile and (home/office) broadband networks. On occasion, Iran-based sites and services were all throttled.

During these disruption episodes, Iranian authorities also appeared to test new, more sophisticated strategies for using Iran’s local network, the National Information Network (NIN), to limit internet access:

  1. Scheduling disruptions based on the time-of-day;
  2. Coordinating the shutdown of access to international internet sites and services with throttling access to Iran-based sites and services;
  3. Piloting a local VPN that tunnels through the throttling.

The lack of available, nuanced data and of official admission by authorities or Internet Service Providers, however, makes it difficult to determine all the details of each disruption episode over the month. This report provides Filterwatch’s best assessment given what is known. The findings and data presented here are based on:

  • Data provided by network monitoring tools such as IODA or private tech companies such as Cloudflare and Kentik.
  • Running our own network measurement tests.
  • Trusted sources in Iran.

 

Emerging Strategies

Iranian Officials’ Reactions

In the past, Iranian officials have issued statements and comments in response to internet shutdowns and tried to provide reasons or justifications. This time, however, officials were mostly silent, with the exception of Eisa Zarepour, Minister of Information and Communications Technology, who denied bandwidth throttling in a statement on May 18.

“I deny that we have reduced the country’s bandwidth,” he said. However, he did not make any comments about the internet shutdown.

On May 24, ISNA News Agency reported an internet shutdown in the city of Abadan and confirmed it.

Scheduling Disruption

In a novel approach that lasted four days, nationwide authorities seemed to schedule their disruptions based on the time of day. Effectively, they shut down mobile data starting at midday. From May 17 to 20, however, users across Khuzestan, and in particular in the cities of Ahvaz, Andimeshk and Dezful, could generally connect to the mobile internet until around noon.

Screenshot of a user’s experience in Khuzestan showing that MCI was connected to the internet

 

In the afternoons, 4G and 3G networks would be completely cut off as this image demonstrates.

Screenshot of a user’s experience in Khuzestan showing that MCI was not connected to the internet

 

After several hours of a complete shutdown, around dusk, mobile data was restored, but only the national intranet was connected, and it remained that way until around noon the next day.

Screenshot of a user’s experience in Khuzestan showing that MCI was connected to the local network

 

The reasoning for scheduling such disruptions throughout the day is unclear. It is possible that authorities believe that people are more likely to organize or protest during certain hours. In contrast, later in May, shutdowns and throttling appeared to be less planned and more reactive based on the sensitivities and analysis of security forces at the neighborhood, city, or provincial level.

Cutting international Internet access while throttling the local network

Another new strategy shows that the Iranian government is now using the NIN in a more sophisticated way.

Previously, we were dealing with two main strategies: either a total internet shutdown or only an international internet shutdown, meaning (1) the entire network(s) was cut off or (2) only the international internet connection was cut and local services on the NIN remained accessible.

Since November 2019, the second type of shutdown has been the norm when authorities seek to limit or suppress protests. On May 19th, Filterwatch received a video from a trusted source in Khuzestan that showed just how real users could access the Iran-based network but were blocked from the outside world. This video demonstrates that local websites and services, such as Digikala (similar to Amazon) and Aparat (similar to YouTube), are accessible while Google is not.

Filterwatch argues that this method of shutdown minimizes the economic and social effects of shutdowns, because most day-to-day services continue (e.g., local banking, ridesharing apps, e-commerce).

Filterwatch observed a change in the disruption pattern, however, after a new wave of protests spread and quickly grew following the collapse of the Metropol building. Iranian authorities appeared to react by maintaining their shutdown of the international network and throttling the NIN. As you can see in this video, not only was the international internet inaccessible, but, because of localized bandwidth throttling, local services and sites were also so slow that they were effectively inaccessible. Moreover, the authorities worked with such surgical precision that they were able to fully exclude their preferred sites and many government websites from throttling. As shown in the video, the Supreme Leader’s website was unaffected by the disruptions.
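
The disruption modes described in this section can be told apart from probe results alone. The following sketch is an added example, not Filterwatch's tooling or methodology: it classifies reachability probes per hour into those modes, including the case where exempted sites stay fast while the rest of the NIN is throttled. The target classes, thresholds, state names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

SLOW_MS = 4000  # assumed: median latency above this counts as throttled
MIN_OK = 0.5    # assumed: below this success ratio a class is unreachable

def _health(samples):
    """Return 'down', 'slow' or 'ok' for a list of (ok, latency_ms) samples."""
    good = [ms for ok, ms in samples if ok]
    if not samples or len(good) / len(samples) < MIN_OK:
        return "down"
    return "slow" if median(good) > SLOW_MS else "ok"

def classify_window(probes):
    """probes: iterable of (target_class, ok, latency_ms), where target_class
    is 'international', 'domestic' or 'exempt' (e.g. government sites)."""
    by_class = defaultdict(list)
    for cls, ok, ms in probes:
        by_class[cls].append((ok, ms))
    intl, dom, exempt = (_health(by_class[c])
                         for c in ("international", "domestic", "exempt"))
    if intl == "ok":
        return "full_access"
    if intl == "slow":
        return "international_throttled"
    if dom == "ok":  # international is down from here on
        return "nin_only"
    if exempt == "ok":  # ordinary NIN sites degraded, exempted sites fast
        return "nin_throttled_with_exemptions"
    return "nin_throttled" if dom == "slow" else "total_shutdown"

def classify_by_hour(records):
    """records: iterable of (hour, target_class, ok, latency_ms)."""
    windows = defaultdict(list)
    for hour, cls, ok, ms in records:
        windows[hour].append((cls, ok, ms))
    return {h: classify_window(p) for h, p in sorted(windows.items())}

def _w(hour, intl, dom, exempt):
    """Build three identical constructed probes per target class for one hour."""
    classes = (("international", intl), ("domestic", dom), ("exempt", exempt))
    return [(hour, c, ok, ms) for c, (ok, ms) in classes for _ in range(3)]

# Constructed sample data (not real measurements): morning access, afternoon
# cut-off, evening NIN-only, then a NIN-throttled window with exempt sites.
SAMPLE = (_w(9, (True, 300), (True, 80), (True, 70))
          + _w(14, (False, 0), (False, 0), (False, 0))
          + _w(20, (False, 0), (True, 90), (True, 70))
          + _w(22, (False, 0), (True, 9000), (True, 75)))

if __name__ == "__main__":
    print(classify_by_hour(SAMPLE))
```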

Potential Pilot Version of Legal VPN

Sometime in the second week of May, a source informed Filterwatch that “the Iranian government might distribute some proxies of VPNs among people who are protesting.” “This might be a pilot test for a legal VPN to show users how good this idea is,” added the informed source, who talked to Filterwatch on condition of anonymity.

In the midst of shutdowns on international networks and throttling the local network, unknown vendors began promoting multiple “solutions” to the internet shutdown.

On several Telegram channels, these unknown vendors promoted VPNs to locals in Abadan and other cities of Khuzestan, where the shutdown was most intense.

Screenshot of a Telegram channel selling circumvention tools that can bypass an Internet shutdown for half price

 

They sold VPSs and other types of circumvention tools that were used with Google Outline, Proton VPN, Shadowsocks or other apps and technologies to reach local servers that could channel the entire traffic to another server outside of Iran. These tools were promised to (1) bypass the shutdown of the internal internet and (2) offer a half-price data cost to surf the NIN. Testing showed that these circumvention tools did as promised.

These tools might be a pilot version of the Legal VPN project. For years, authorities have been promising to roll out state-sanctioned VPNs that could give “qualified individuals” access to otherwise blocked content and servers.

We have identified at least five Telegram channels with the same business, all of them created in March. Because of the similar language, admin names, tools, training videos, GIF animations and other material in those channels, it looks like all of them are run by the same group.

Screenshot of a Telegram channel selling circumvention tools that can bypass an Internet shutdown for half price

 

While it is unclear who was selling these circumvention tools, it seems somewhat unlikely anyone could do so without some level of official approval, as in one channel they confirmed these tools are “legal”.

Timeline of Regional Disruptions

Timeline of internet shutdowns, throttling, and disruptions based on regions and cities.

NOTE: In some cases, the available data allows Filterwatch to determine if the disruption is a type of shutdown of access or throttling (i.e., a dramatic slowing of connection speeds). In other cases, we are only able to observe a disruption or outage without more specificity.

  • May 6 until May 8: Total internet shutdown in Khuzestan, as well as disruptions in Kerman and Golestan.
  • May 9: Nationwide throttling as well as near total shutdown in Kohgiluyeh and Boyer-Ahmad and Hamadan, and disruptions in Gilan, Golestan, Kurdistan, Tehran, Lorestan, Ilam, Isfahan, Khuzestan, Bushehr, Fars, and Hormozgan.
  • May 10: Near total shutdown in Qazvin, and disruptions in Kerman, West Azerbaijan, East Azerbaijan, Gilan, Mazandaran, and Golestan.
  • May 11: Disruptions in Kurdistan, Yazd, Chaharmahal and Bakhtiari, and Kerman.
    1240 UTC: Unique source IPs dropped dramatically.
  • May 12: Disruptions in Yazd, Tehran, Kurdistan, Isfahan, Hamadan, and Kerman.
    820 UTC: Unique source IPs dropped dramatically.
  • May 13: Near total shutdown in Ardabil and Behbahan, as well as disruptions in Khuzestan, East Azerbaijan, West Azerbaijan, Fars, Zanjan, and Kerman.
  • May 14: Near total shutdown in Bushehr and disruptions in Ardabil, Ilam, Hormozgan, Fars, Bushehr, Khuzestan, Hamadan, Kurdistan, Zanjan, East and West Azerbaijan, and Tehran.
    Nationwide disruptions at midnight.
  • May 15: MobinNet announced an outage resulting from a cyber-attack.
  • May 16: Disruptions in Bushehr, Golestan, Yazd, Hormozgan, Ilam, and Kohgiluyeh and Boyer-Ahmad.
  • May 17: Disruptions in Golestan, Yazd, Kohgiluyeh and Boyer-Ahmad, Ilam, Chaharmahal and Bakhtiari, Bushehr, Hormozgan, and Qazvin.
  • May 18: Mobile data in the city of Rasht was shut down, and disruptions in Tehran and Isfahan.
    Nationwide disruptions.
  • May 19: Near total shutdown in Ilam.
  • May 20 until May 22: Near total shutdown in Ilam, disruptions in South Khorasan.
  • May 22: Near total shutdown in Yazd, Hormozgan, and Fars, disruptions in Tehran, Ilam, Kohgiluyeh and Boyer-Ahmad, and South Khorasan.
  • May 23: TCI shows outages with near total shutdowns in North Khorasan, Zanjan, and Lorestan, and disruptions in Ardabil, Isfahan, Tehran, and Sistan and Baluchestan.
  • May 24: ISNA News Agency reported an internet shutdown in the city of Abadan. Near total shutdown in Kerman.
  • May 25: Near total shutdown in Hormozgan.
  • May 26: Near total shutdown in Qom, disruptions in Khuzestan, Isfahan, Sistan and Baluchestan, Ilam, Bushehr, Fars, Kerman, Hormozgan, and Kohgiluyeh and Boyer-Ahmad.
  • May 28: Disruptions in Ardabil, South Khorasan, and Qazvin, and near total shutdown in Fars, Kerman, Kohgiluyeh and Boyer-Ahmad, and Hormozgan.

Provider Outages

  • AS202391, Afra Rasa is a network operator. The disruptions on their network affected users in Fars, Tehran, Golestan, and Razavi-Khorasan provinces for 14 days.

  • AS25124, Datak Internet Engineering Inc. went completely offline beginning May 11th. The service has yet to resume and has affected users in Tehran province.