The pattern of internet disruption observed during the recent protests marks a strategic departure from the "nationwide shutdowns" of the past. Instead, it resembles the approach used during the Rouhani administration: localized, phased, and controlled restrictions designed to suffocate connectivity without fully severing it.
Field reports and technical evidence indicate that internet cuts and disruptions follow a clear logic: the implementation of localized restrictions rather than a complete network shutdown. This pattern suggests an “operational order” aimed at degrading network capacity and destabilizing the user experience. Notably, this continuity in policy is consistent with the current ICT Ministry’s alignment with the managerial circle of former Minister Mohammad Javad Azari Jahromi.
The following analysis provides an overview of internet connectivity issues from the onset of protests on December 28 through January 4.
1. The Strategy: Regional Disruptions Instead of a Nationwide Shutdown
Unlike the 12-day war in June 2025, Iran’s internet has not experienced a nationwide shutdown. Instead, it has entered a phase of chronic instability. While physically connected, stable communication—whether for circumvention tools, web browsing, or messaging applications—has become difficult to maintain.
From the outset, disruptions have been hyper-localized. The pattern indicates a deliberate tightening of control over communication infrastructure in sensitive areas and protest locations rather than a blanket national kill-switch.
1.1. Field Evidence: Mobile Internet Cuts and Severe Degradation
Beginning on Monday, December 29, field reports highlighted a targeted suppression campaign targeting specific areas:
- Tehran’s Commercial & Central Hubs: In neighborhoods surrounding the Grand Bazaar, mobile internet services provided by MCI (Hamrah-e Aval), Irancell, and Rightel were either completely cut off or effectively unusable. In the Baharestan and Amirkabir areas—key administrative and commercial zones—fixed-line services also faced early-morning disruptions.
- The "Weak but Connected" Zones: User accounts from Sadeghieh (west) and Haft-Tir (central) reported connections that were technically active but extremely weak across MCI, Irancell, and Shatel networks.
- High-Friction Areas: In contrast, routes through Amirabad, Enghelab, Valiasr Square, and Fatemi—areas often associated with student movements and public gatherings—were described as "practically unusable for several hours," particularly on the Irancell network.
- West Tehran: A report from Boulevard Ferdows described severe slowdowns and intermittent "on-and-off" connectivity. Users noted that VPNs failed persistently, requiring frequent configuration changes. Notably, there was no performance difference between domestic and international websites; both loaded slowly.
- The "Zombie" Connection: Across these areas, users reported that while VPNs might appear to connect, traffic would not pass through. WhatsApp failed to function, and speeds dropped to a "very, very low" level.
1.2 Disruptions Outside Tehran
Outside the capital, the pattern of phased and regional disruptions continued:
Isfahan Province: Severe speed degradation affected MCI and TCI fiber connections in the city of Isfahan. In the industrial and satellite towns of Fooladshahr and Falavarjan, users experienced complete outages for several hours.
Southern & Western Iran: In Bushehr, disruptions in protest-affected areas were described as "close to a full outage." In cities experiencing intense protest activity—including Sanandaj, Ilam, Shiraz, Marvdasht, and Fasa, as well as Mashhad in the northeast—users reported severe slowdowns and a total loss of international connectivity, limiting access strictly to domestic services.
2. Why Are Disruptions Regional?
User reports note, “It works a few kilometers away,” or “It gets worse during specific time windows,” or “it’s more severe on a particular operator or in a specific neighborhood.”
From a network perspective, this heterogeneity results from enforcement at granular levels: the ISP Point of Presence ( PoP), provincial or city level, or even specific cell towers. Policy enforcement at the network edge varies by operator and by province.
Regional and phased disruptions allow authorities to calibrate pressure and disrupt coordination and effective communication among protesters without triggering the media shock associated with a full shutdown. This internet remains ostensibly online, rendering the network fragile and unreliable but not off.
3. The Blind Spots of Technical Charts
Why do macro-level data from Internet monitoring platforms like IODA show no nationwide flatline? Analysis of AS197207 (MCCI – Hamrah-e Aval) and AS44244 (IranCell) does not reveal a broad or significant traffic drop. However, this does not tell the full story.
Localized Tactics: Experts explain that mobile disruptions are now "tactical"—involving cell tower interference or centralized shutdowns limited to specific neighborhoods.
Measurement Limitations: Due to CGNAT (Carrier-Grade NAT) architecture, measurement tools based on IODA or Cloudflare models cannot easily detect regional throttling or jamming. In short, mobile outages affecting a single neighborhood or a few streets are invisible in aggregate nationwide datasets.
4. Impact on Circumvention Tools
Technical reports shared by circumvention tool developers with Filterwatch indicate a sophisticated escalation in anti-censorship tactics since late December.
Infrastructure Attacks: There has been a mass blocking of IP addresses and foreign servers used for tunneling. Even long-standing, stable servers have been flagged and blocked.
The "No-Ping" Phenomenon: According to user reports, during peak traffic hours (approx. 4:00 PM to 10:00 PM), VPNs may show a "connected" status but suffer such severe latency and packet loss that they effectively have "no ping."
Inconsistency: Users reported to Filterwatch that access to blocked apps is erratic. For example, at certain times, Instagram may be inaccessible while Telegram functions on the same VPN.
5. Traffic Analysis: "Traffic Reduction" vs. User Demand
Since December 31, Cloudflare data shows an approximate 35% reduction in internet traffic compared to the baseline.
Notably, this drop does not indicate a decline in user demand. During periods of protest, demand generally increases. The traffic decline is a direct result of network interference - users attempt to connect, but timeouts, resets, and severe slowdowns block successful communication.
As a result, the observed traffic decline in recent days reflects the impact of network disruption rather than a decrease in user activity.
6. Protocol-Level Interference
On Saturday, January 2, the OONI Observatory reported “protocol-level anomalies” affecting QUIC on MCI (Hamrah-e Aval) and IranCell networks. OONI noted a delay of several days in these effects appearing across operators suggesting a phased deployment.
A large portion of the modern internet relies on a communication protocol known as QUIC for sending and receiving data—whether when loading websites in a browser, sending messages within apps, or streaming video.
The Impact: Disruption of this protocol degrades the performance of modern apps and renders many VPNs (which mimic web traffic for obfuscation) unstable.
The Result: The network is technically "connected" at the IP layer, but disruption is shifted to higher layers. The user experience is: "The internet appears connected, but nothing actually loads."
Calculated Network Interference to Suppress Ongoing Protests
Taken together, these observations indicate that the prevailing strategy for digitally suppressing the ongoing protests is to reduce the internet’s effective capacity and undermine the user experience.
What has been observed since the start of the protests is not a “nationwide internet shutdown,” but a pattern of regional disruptions, severe speed degradation, complete outages in some areas or a shift to “domestic-only” connectivity, targeted blocking of VPNs, and intensified control over circumvention tools. This approach allows authorities to suppress information flows in key locations and protest areas without incurring the political cost of a full blackout.