Cloudflare Data Reveals Which Iranian Companies Stayed Online During the Blackout

While most Iranian users spent the past days in total digital darkness, technical reports indicate that internet traffic was not completely cut off. New data published by Cloudflare explains why: at the peak of the disruptions, a group of users remained connected to the global network through five main internet service providers (ISPs).
Five Open Gateways Amidst High Filtering Walls
According to Cloudflare’s analytical report, details of which were provided to the media by a hosting company, user traffic over the most recent seven-day period was concentrated on five operators and internet service providers.
This data shows that the largest shares of user connections to the internet belonged to Mobile Telecommunication Company of Iran (MCI), Irancell, Telecommunication Company of Iran (TCI), Fanava, and Negin Ertebaat Ava (Negin Tel).
Company Shares of DNS Requests; Infrastructure at the Top
Another notable point in this report concerns DNS requests sent abroad. Following the nationwide disconnection, the ability to send these requests was gradually restored. Statistics show which providers handled the most traffic in this category:
Ranked first is the Telecommunication Infrastructure Company (TIC), which manages the country’s main internet gateway, accounting for 47.9% of all requests. It is followed by Irancell with 20.8%, TCI with 13.8%, MCI with 8.3%, and RighTel with 5.1%.
Through Which Routes Did Internet Traffic Pass?
Examining the list of Autonomous Systems (AS) in the Cloudflare data reveals that half of the internet traffic carried in recent days passed through the Telecommunication Infrastructure Company network. After TIC, the networks of companies such as Afranet and Respina held the highest shares of traffic. In the following tiers, names such as Asiatech, Afaq, Fanava Group, Amin Data Processing Institution, and Padiz Dadeh Rasan can be seen.
A network expert explained this issue to Zoomit:
“The presence of these names does not necessarily imply the whitelisting of the entire company; rather, it is probable that specific IPs of companies or organizations sourcing their internet from these providers were placed on the whitelist and had access to the internet.”
Surge in VPN Usage Since Saturday
Another section of Cloudflare’s charts compares normal user traffic with bot traffic. In this chart, a sudden growth in bot activity is observed starting Saturday, which in Iranian network-engineering usage largely indicates an increase in traffic from VPN and circumvention-tool ("filter-breaker") clients. Since the chart is presented in a normalized format, the overall drop in traffic is not apparent, but the change in network behavior is clearly visible.
Official Confirmation of Outage Cause: Governance System Orders
According to the last reports accessible before the total cut, starting Thursday, January 8 (18th of Dey), the rate of IPv6 addressing in Iran dropped by 98.5%. Now, after one week, Cloudflare’s final report explicitly lists the cause of this widespread blackout as “Government Directed.”





