Network Monitor

DDoS Attacks During Nowruz Holidays

Severe Internet Disruptions Impact the National Network

During the Nowruz holidays in Iran, which began on March 26, a DDoS cyberattack disrupted internet access, leading to widespread disturbances. Reports indicated short-term mobile internet outages, and these disruptions persisted even after the Nowruz holidays.
According to Cloudflare data, the attack affected over 80% of Iran’s network, and according to local network experts, network packet loss increased by 40% during this period.

The DDoS attacks that began on March 26 targeted layers 3 and 4 of the network, namely the routing and transport layers. Cloudflare’s charts show that the Iranian providers Irancell (AS44244), Hamrah-e-Avval (AS197207), and the Telecommunication Company of Iran (AS58224) absorbed approximately 70% of these attacks, with 68% of mobile internet impacted during the incident.

This incident resulted in significant disruptions to citizens’ connectivity, affecting both access to the global internet and Iran’s national information network. Additionally, once Iran-access was activated, external access to domestic news websites and government services was cut off.

Technical analyses conducted by Filterwatch on various prominent news websites and local applications, including Rubika, revealed a substantial increase in packet loss from March 26 into April, coinciding with the final week of the Nowruz holidays.
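As an added illustration (not part of this report or of Filterwatch’s own tooling) of the kind of comparison such an analysis relies on, the script below aggregates constructed daily probe summaries per target, computes packet loss for a pre-holiday baseline window and for the incident window, and flags targets whose loss rose by at least a chosen number of percentage points. The hostnames, dates and the 0.40 threshold are constructed assumptions, not values from the report.

```python
from collections import defaultdict

# Constructed sample data (not real measurements): one line per day and target,
# in the form "<date> <target> <probes sent> <probes received>".
PROBE_LOG = """\
2024-03-20 news.example.ir 100 99
2024-03-21 news.example.ir 100 98
2024-03-20 app.example.ir 100 100
2024-03-21 app.example.ir 100 97
2024-03-26 news.example.ir 100 55
2024-03-27 news.example.ir 100 48
2024-03-26 app.example.ir 100 90
2024-03-27 app.example.ir 100 88
"""


def parse_probes(text):
    """Parse the summary log into (date, target, sent, received) tuples."""
    rows = []
    for line in text.strip().splitlines():
        day, target, sent, recv = line.split()
        rows.append((day, target, int(sent), int(recv)))
    return rows


def loss_by_target(rows, start, end):
    """Packet loss fraction per target over an inclusive ISO-date window."""
    sent = defaultdict(int)
    recv = defaultdict(int)
    for day, target, s, r in rows:
        if start <= day <= end:  # ISO dates compare correctly as strings
            sent[target] += s
            recv[target] += r
    return {t: 1 - recv[t] / sent[t] for t in sent}


def flag_degraded(baseline, incident, min_increase=0.40):
    """Return targets whose loss grew by at least min_increase (fraction)."""
    flagged = {}
    for target, loss in incident.items():
        base = baseline.get(target, 0.0)
        if loss - base >= min_increase:
            flagged[target] = (round(base, 3), round(loss, 3))
    return flagged


if __name__ == "__main__":
    rows = parse_probes(PROBE_LOG)
    before = loss_by_target(rows, "2024-03-20", "2024-03-25")
    during = loss_by_target(rows, "2024-03-26", "2024-03-31")
    for target, (b, d) in flag_degraded(before, during).items():
        print(f"{target}: loss {b:.1%} -> {d:.1%}")
```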

Discussions between Filterwatch and technical experts within Iran have identified the Communications Infrastructure Company as the origin of the network disruptions. Because this company is the sole gateway for internet services to Iranian operators, those operators currently have no precise resolution to the problem.

In response to the DDoS attacks, authorities initially denied the incidents. Subsequently, they implemented Iran-access on the network, which prolonged the disruption for international users attempting to access content within Iran.

Internet service providers are trying to maintain service quality by employing scrubbing methods to distinguish malicious from legitimate traffic. However, the limited capacity of these services means that parts of the network remain vulnerable. The deployment of these scrubbing services has also increased latency in delivering network services. Moreover, the presence of bots within the network significantly hinders the effective differentiation of traffic types.