What happened during Iran’s January 2026 internet shutdown — a public-data study
This paper studies the nationwide internet shutdown that took place in Iran in January 2026 during large protests. The authors set out to describe what parts of the network were cut, how the disruption unfolded over time, how it was observed by monitoring initiatives, and which tools people used to try to get around the blocks. Their goal is a single, evidence-based view built from many partial reports.
To do this, the researchers collected and compared many public sources of network measurements. Much of their material comes from “grey literature”: technical reports and analyses produced by monitoring groups during and after the event. They also used additional private measurements from a transit provider. The paper answers six research questions about the timeline of the shutdown, the signs that preceded it, which measurement projects contributed useful data, which technical methods were used to block traffic, and how effective circumvention tools were.
The study places the shutdown in the context of Iran’s network structure. Iran’s connections to the global internet are mainly carried by two international gateways: the Telecommunication Infrastructure Company (TIC, listed as AS49666) and the Institute for Research in Fundamental Sciences (IPM, AS6736). Reports indicate most major telecom operators are controlled by the government. Iran’s National Information Network (NIN) — a centrally managed national system — is presented in official terms as a cybersecurity and sovereignty project. The paper notes this same infrastructure has been used to steer users onto domestic services and to manage unrest.
The authors summarize the censorship techniques that have been observed in Iran and that were relevant to the 2026 outage. They describe a layered filtering system sometimes called the Great Firewall of Iran (GFI). This system can interfere with DNS (the system that translates names like example.com into addresses), with ordinary web traffic (HTTP), and with encrypted web traffic (HTTPS) by inspecting a handshake field called SNI (Server Name Indication). The GFI has been reported to inject TCP reset packets to kill connections and to selectively filter UDP traffic (used by some newer web protocols and many VPNs). To counter these blocks, people use Virtual Private Networks (VPNs), the Tor network (The Onion Router) with special “pluggable transports” that try to hide Tor traffic, Snowflake (many short-lived WebRTC-based proxies), and Psiphon (a managed proxy and tunneling service). Earlier studies cited in the paper found that VPNs were widely used and that Psiphon had been effective in past Iranian disruptions, but the paper does not claim that any single tool always worked during the January 2026 event.