Internet shutdown in Iran following reported cyber-attack

Network data from the NetBlocks internet observatory confirm extensive disruption to telecommunication networks in Iran on the morning of Saturday, 8 February 2020 lasting several hours. Authorities have issued a preliminary statement that the internet shutdown is being implemented to repel a cyber-attack on the country’s infrastructure.

Network data show a distinct fall in connectivity with several of Iran’s leading network operators from approximately 11:45 a.m. local time (08:15 UTC) affecting cellular and fixed-line operators. Partial recovery was observed one hour after the initial shutdown but other networks returned some seven hours after the incident onset. National connectivity fell to a low point of 75% of ordinary levels for a period during the morning.

The outage had partial impact and was ongoing with some network operators at the time of initial reporting. ICT ministry officials state that a Distributed Denial of Service (DDoS) attack was repelled by Iran’s Digital Fortress (Persian: Dejfa), and technical data confirm that networks were disabled during the same time window.

Little is known about the mechanism although similar patterns have been observed by NetBlocks during previous reported cyber-attacks.

Observations are consistent with a targeted disruption and no technical faults are evident at the present time.

Background: Outages and shutdowns

Iran has faced a series of network disruptions through recent months, with some attributed to external factors and others to information controls imposed by the state to control public protests.

On December 19, Iran was one of several countries to be affected by an international network failure that also caused widespread disruption to Google services and sparked concerns about intentional blocking.

In November, Iran deliberately shut down internet access amid widespread public protests.

The November disruptions were introduced over a period of 24 hours culminating in a disconnection of all mobile networks followed by a near-total national internet blackout and partial shutdown of telephony services lasting several days.

During that period, access to limited national services became available for some users as part of the country’s national intranet, or National Information Network. Partial connectivity was restored a week after the first outages but mobile networks remained cut for longer and certain regions only regained connectivity weeks later.


Methodology

NetBlocks diffscans, which map the IP address space of a country in real time, show internet connectivity levels and corresponding outages. Purposeful internet outages generally have a distinct network pattern used by NetBlocks to determine and attribute the root cause of an outage, a process known as attribution which follows detection and classification stages.

A summary of data visualizations used in this report:

  • Network Connectivity (National): Internet providers and networks serving the affected region are visualized in a stacked time-series histogram to identify the start and end times of an internet shutdown event. Scales on the y-axis are adjusted to match localized maxima while minima indicate periods when networks became unreachable. The x-axis represents Coordinated Universal Time (UTC, GMT+0).
    • Standard: Connectivity levels on the y-axis correspond directly to the observed number of reachable connections, as with National Connectivity charts.
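
An added illustration, not NetBlocks code and not its diffscan method: a sketch of how shutdown start and end times and the national connectivity level can be read from per-operator reachability time series like those charted in this report. Operator names, counts, the 15-minute step and the 90% threshold are constructed assumptions, chosen so that the national low point mirrors the 75% figure reported above.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: reachable-host counts per operator, one sample
# every 15 minutes from 07:00 UTC. Names and counts are invented.
START, STEP = datetime(2020, 2, 8, 7, 0), timedelta(minutes=15)
SERIES = {
    "operator-a": [400] * 5 + [250] * 4 + [400] * 31,   # dips for 1 hour
    "operator-b": [200] * 5 + [100] * 28 + [200] * 7,   # dips for 7 hours
    "operator-c": [400] * 40,                           # unaffected
}

def baseline(samples, n=4):
    """Ordinary level: median of the first n samples (assumed pre-incident)."""
    return median(samples[:n])

def outage_windows(samples, threshold=0.9, n=4):
    """Return (onset, recovery) pairs where the level is below threshold * baseline.
    recovery is None when the series ends while still below threshold."""
    limit = threshold * baseline(samples, n)
    windows, onset = [], None
    for i, value in enumerate(samples):
        if value < limit and onset is None:
            onset = i
        elif value >= limit and onset is not None:
            windows.append((START + onset * STEP, START + i * STEP))
            onset = None
    if onset is not None:
        windows.append((START + onset * STEP, None))
    return windows

def national_connectivity(series, n=4):
    """Summed reachability at each step, as a percentage of the summed baseline."""
    totals = [sum(step) for step in zip(*series.values())]
    base = baseline(totals, n)
    return [100.0 * t / base for t in totals]

if __name__ == "__main__":
    for name, samples in SERIES.items():
        print(name, outage_windows(samples))
    print("national low point: %.0f%%" % min(national_connectivity(SERIES)))
```

A window with no recovery time corresponds to an outage still ongoing at the end of the data, as was the case for some operators at the time of initial reporting.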

NetBlocks is a civil society group working at the intersection of digital rights, cyber-security and internet governance. Independent and non-partisan, NetBlocks strives for an open and inclusive digital future for all.

Graphics and visualizations provided under a free and open license for reuse with clear attribution.