Whisper

THE
BLACKOUT

An autopsy of the January 8th internet collapse.

Infrastructure collapse: TCI routing updates spiked 368% to 5.6 million in 24 hours
Centralized command evidence: Three distinct network types (Fixed, Mobile, Hosting) failed simultaneously
Messaging censorship: Session Messenger was specifically targeted with DNS spoofing
Surveillance depth: Middleboxes were detected rewriting HTTP headers on the national backbone
Intranet isolation attempt: The event coincided with a 400% instability surge in domestic hosting providers

BGP Routing Activity

Telecommunication Company of Iran (AS58224)

Route Instability (Flapping)

BGP UPDATE MESSAGES • HIGH VOLUME = ROUTERS LOSING & RE-LEARNING PATHS


00:00 - THE BASELINE

The Steady Pulse

For weeks, the nation's digital heartbeat was stable. TCI (Telecommunication Company of Iran) broadcast a predictable rhythm of roughly 1.2 million routing updates daily.

STATUS: STABLE

03:00 - THE ANOMALY

The Scream

Suddenly, the routers began to convulse. Not a silence, but a scream. BGP announcements skyrocketed to 5.6 million.

"The routers, overwhelmed by conflicting filtering rules, began to flap, tearing the fabric of connectivity."

System-Wide Instability

BGP UPDATE VOLUME (% CHANGE FROM BASELINE) • 10 NETWORKS MONITORED


NETWORK FORENSICS

Total Ecosystem Failure

It wasn't just TCI. Our analysis of 10 major ASNs reveals a perfect storm. Mobile operators (Irancell, Rightel), ISPs (Shatel, Pars Online), and Hosting providers (Afranet) all spiked in exact unison.

Evidence A: Synchronization

The charts don't lie. 10 out of 10 monitored networks, covering Mobile (MCI, Irancell, Rightel), Fixed (TCI, Asiatech), and Hosting types, destabilized within the exact same 3-hour window. This is not organic congestion. This is a command.

Evidence B: The Intranet Isolation

Afranet hosts the majority of Iran's domestic services (banks, taxis, food delivery). Its 341% spike proves the shutdown wasn't just about blocking "the outside world" (International Internet). It was a reconfiguration of the "National Information Network" itself, likely forcing all domestic traffic through new, choke-pointed deep packet inspection boxes.
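To make the synchronization argument in Evidence A and B checkable, here is an added example (not code from this page or from RIPE RIS) that scores hourly BGP UPDATE counts against a baseline and reports the hours in which the monitored ASNs spike together. The hourly counts, and the MOBILE_A and HOSTING_B labels, are constructed stand-ins; only AS58224 is named on the page.

```python
import math
from typing import Dict, List, Set

# Constructed sample, not RIPE RIS output: hourly BGP UPDATE counts for one day.
# AS58224 (TCI) is named on the page; MOBILE_A and HOSTING_B are placeholder
# labels standing in for a mobile operator and a hosting provider.
BASELINE_PER_HOUR: Dict[str, int] = {"AS58224": 50_000, "MOBILE_A": 12_000, "HOSTING_B": 6_000}

def constructed_day(baseline: int, spike_hours: range, factor: float) -> List[int]:
    """Flat baseline for 24 hours, multiplied by `factor` inside `spike_hours`."""
    return [round(baseline * (factor if h in spike_hours else 1.0)) for h in range(24)]

OBSERVED: Dict[str, List[int]] = {
    "AS58224": constructed_day(50_000, range(3, 6), 4.68),   # 03:00-05:59, +368%
    "MOBILE_A": constructed_day(12_000, range(3, 6), 3.90),  # +290%
    "HOSTING_B": constructed_day(6_000, range(3, 6), 4.41),  # +341%, the Afranet-style figure
}

def pct_change(observed: float, baseline: float) -> float:
    """Percentage change from baseline; negative for a loss (e.g. peer visibility)."""
    return (observed - baseline) / baseline * 100.0

def spike_hours(counts: List[int], baseline: int, threshold_pct: float) -> Set[int]:
    """Hours whose update volume exceeds baseline by at least threshold_pct."""
    return {h for h, c in enumerate(counts) if pct_change(c, baseline) >= threshold_pct}

def synchronized_windows(observed: Dict[str, List[int]], baselines: Dict[str, int],
                         threshold_pct: float = 200.0, min_fraction: float = 1.0) -> List[int]:
    """Hours in which at least min_fraction of the monitored ASNs spike together.
    Congestion on one network spikes one ASN; unrelated network types flapping in
    the same hours is the synchronization signal the page calls Evidence A."""
    per_asn = {asn: spike_hours(observed[asn], baselines[asn], threshold_pct) for asn in observed}
    needed = max(1, math.ceil(min_fraction * len(per_asn)))
    return [h for h in range(24) if sum(h in hours for hours in per_asn.values()) >= needed]

if __name__ == "__main__":
    print("synchronized hours:", synchronized_windows(OBSERVED, BASELINE_PER_HOUR))
    # the same helper reproduces the page's IPv4 peer-visibility figure (313 -> 56 peers)
    print("IPv4 peer visibility change: %.0f%%" % pct_change(56, 313))
```

Lowering `min_fraction` lets the check tolerate a minority of networks whose baseline is too noisy to cross the threshold while still flagging a coordinated window.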

FORENSIC CONCLUSION

The event on Jan 8th was a stress-test for a disconnected national network. The high volume of BGP withdrawals indicates route leaks caused by a "Filter-First, Route-Second" policy being applied to the core gateways.

Structural Damage: The Protocol Gravesite

NORMALIZED REACHABILITY (BASELINE = 100) • REAL RIPE RIS DATA • Note: Rapid jumps indicate route flapping/instability.

DIGITAL REGRESSION

The Protocol Gravesite

They didn't just slow us down; they sent us back a decade.

Our forensic reconstruction reveals a chilling detail: IPv6 collapsed completely. While the legacy IPv4 network struggled (cyan), the modern internet infrastructure (purple) was effectively wiped out. This suggests the filtering boxes aren't sophisticated enough to handle IPv6, so the state simply pulls the plug on the future.

DIGITAL KILL CHAIN

ANATOMY OF A SHUTDOWN

Step 1: Inspection
EVIDENCE: HTTP HEADER MANIPULATION

Middleboxes scan for specific footprints. OONI detected 'Malformed ctrl_headers' for Psiphon traffic.

Step 2: Injection
EVIDENCE: DNS SPOOFING

The gateway injects fake responses. Session Messenger's 'getsession.org' resolved to incorrect IPs.

Step 3: Silence
EVIDENCE: PACKET DROPPING

When inspection fails or specific protocols are used, traffic is blackholed. Signal reported 'generic_timeout_error'.
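The three steps above map onto three distinct measurement signatures. As an added example (not code from this page or from OONI, and not the real OONI schema), the classifier below sorts simplified probe records into the kill-chain stage they evidence: resolver answers disjoint from a control resolver (injection), an echo server seeing different headers than the probe sent (inspection), or a bare timeout (silence). All probe records and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Probe:
    """One simplified measurement record. Field names are assumptions loosely
    modelled on OONI-style results, not the real OONI schema."""
    target: str
    resolved_ips: List[str]                   # answers from the probe's resolver
    control_ips: List[str]                    # answers from an uncensored control vantage
    sent_headers: Dict[str, str]              # headers the probe sent, with odd capitalization
    echoed_headers: Optional[Dict[str, str]]  # headers an echo server reports; None if no reply
    failure: Optional[str]                    # failure string, e.g. generic_timeout_error

def dns_injected(p: Probe) -> bool:
    """Step 2: resolver answers share no address with the control answers."""
    return bool(p.resolved_ips) and not (set(p.resolved_ips) & set(p.control_ips))

def headers_rewritten(p: Probe) -> bool:
    """Step 1: a middlebox that parses HTTP tends to normalize header names or
    values, so the echoed headers no longer match what was sent byte for byte."""
    return p.echoed_headers is not None and p.echoed_headers != p.sent_headers

def packets_dropped(p: Probe) -> bool:
    """Step 3: no answer at all, reported as a timeout."""
    return p.failure is not None and "timeout" in p.failure

def classify(p: Probe) -> str:
    if dns_injected(p):
        return "injection"
    if headers_rewritten(p):
        return "inspection"
    if packets_dropped(p):
        return "silence"
    return "clear"

# Constructed probes; addresses come from documentation ranges, not real resolutions.
SAMPLES = [
    Probe("getsession.org", ["192.0.2.1"], ["203.0.113.7"],
          {"aCcEpT-lAnGuAgE": "en"}, {"aCcEpT-lAnGuAgE": "en"}, None),
    Probe("psiphon-probe.example", ["203.0.113.9"], ["203.0.113.9"],
          {"aCcEpT-lAnGuAgE": "en"}, {"Accept-Language": "en"}, None),
    Probe("signal-probe.example", ["203.0.113.11"], ["203.0.113.11"],
          {"aCcEpT-lAnGuAgE": "en"}, None, "generic_timeout_error"),
    Probe("control.example", ["203.0.113.13"], ["203.0.113.13"],
          {"aCcEpT-lAnGuAgE": "en"}, {"aCcEpT-lAnGuAgE": "en"}, None),
]

def kill_chain_report(probes: List[Probe]) -> Dict[str, str]:
    """Map each target to the kill-chain stage its measurement evidences."""
    return {p.target: classify(p) for p in probes}
```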

16:39 - THE MECHANISM

Anatomy of a Block

The shutdown wasn't a simple switch. It was a complex, layered operation. Our probe data (OONI) reveals a three-layered "Kill Chain" deployed to hunt down specific encrypted traffic.

CONFIRMED TARGETS

Session & Psiphon Blocked

OONI probes confirmed DNS Injection targeting Session Messenger and Middlebox Interference against Psiphon VPN.

  • > GET session.org -> [DNS SPOOF LOGGED]
  • > CONNECT psiphon -> [HTTP HEADER MANIPULATED]

Protocol-Level Degradation

BGP peer visibility during the blackout period (Jan 7-12, 2026)

82% IPv4 Peer Drop: 313 → 56 peers
100% IPv6 Blackout: No visibility after Jan 9
3,278 Pre-Blackout Prefixes: IPv4 baseline
93 IPv6 Prefixes Lost: Complete withdrawal

BGP Peer Visibility (Higher = More Global Visibility)

Active Prefix Announcements

Key Finding: IPv6 connectivity was completely severed after January 9th, while IPv4 experienced severe degradation with peer visibility dropping from 313 to as low as 56 peers (82% reduction). This indicates a targeted, protocol-aware shutdown strategy.

PROTOCOL ANALYSIS

IPv6: Complete Erasure

The modern internet runs on two protocols: IPv4 (legacy) and IPv6 (future). During the blackout, IPv6 was completely severed.

After January 9th, zero IPv6 prefixes were visible to global BGP peers. This wasn't degradation—it was digital amputation.

IPv4: SEVERE DEGRADATION

82% Visibility Loss

IPv4 peer visibility crashed from 313 peers to just 56 peers—an 82% reduction.

This explains why some connectivity remained: the state couldn't completely kill IPv4 without severing its own access. IPv6, with no such dependencies, was simply switched off.