Infrastructure Analysis

Jan 7 → Jan 13

BaselineJan 7, 2026, 12:00 AM UTC

ScannedJan 13, 2026, 06:00 PM UTC

FORENSIC INFRASTRUCTURE ANALYSIS

THE DIGITAL
AUTOPSY

We scanned 16.7 million IP addresses across Iran's surviving network prefixes. This is what we found beneath the surface of the shutdown.

6,095

live IPs discovered

DPI surveillance nodes

3,082

BGP ports exposed

open resolvers

2,377

routes withdrawn

38.4%

ArvanCloud HTTP

2,074

blocked responses

336

TLS certificates

Polish CA certs

expired certs

Scroll to begin the investigation

PROLOGUE — THE BASELINE

What Iran Had Before January 8th

In December 2025, Iran's internet was a sprawling network of 9,072 routes across hundreds of organizations. This is what connectivity looked like before the shutdown...

9,072

Pre-Shutdown Routes

December 2025 baseline

2,377

Routes Withdrawn

26.2% of addressing gone

6,695

Routes Survived

Infrastructure still reachable

987

New Routes

Network reconfiguration

December 2025

9,072

routes connected

SURVIVED

6,695

73.8%

WITHDRAWN

2,377

26.2%

NEW

987

reconfigured

January 2026

7,682

routes remaining

26.2% of Iran's internet addressing space was deliberately withdrawn on January 8th, 2026

December 2025

9,072

routes connected

SURVIVED

6,695

73.8%

WITHDRAWN

2,377

26.2%

NEW

987

reconfigured

January 2026

7,682

routes remaining

26.2% of Iran's internet addressing space was deliberately withdrawn on January 8th, 2026

ACT I — THE SEVERANCE

January 8th, 2026

2,377 routes vanished. 26% of Iran's addressing space simply... stopped existing.

This wasn't a gradual degradation. It was a deliberate, coordinated severance of network connectivity.

The Backbone Bleeds

TCI, the national backbone, lost — 34% of ALL withdrawals came from the spine of Iran's internet.

The backbone was targeted. This wasn't random — this was surgical.

Who Survived?

Mobile carriers held on. MCI: . Irancell: .

The regime needed mobile control more than they needed the internet dead.

The New Routes

appeared — not recovery, but reconfiguration.

The National Information Network being rewired. New routes aren't restoration — they're control infrastructure.

ACT I — THE SEVERANCE

January 8th, 2026

2,377 routes vanished. 26% of Iran's addressing space simply... stopped existing.

The Backbone Bleeds

TCI, the national backbone, lost — 34% of ALL withdrawals came from the spine of Iran's internet.

The backbone was targeted. This wasn't random — this was surgical.

Who Survived?

Mobile carriers held on. MCI: . Irancell: .

The regime needed mobile control more than they needed the internet dead.

The New Routes

appeared — not recovery, but reconfiguration.

The National Information Network being rewired. New routes aren't restoration — they're control infrastructure.

HTTPS

:443

3,345(55%)

HTTP

:80

3,068(50%)

SSH

:22

1,474(24%)

HTTP-Alt

:8080

1,462(24%)

HTTPS-Alt

:8443

1,434(24%)

Port 179

:179

1,401(23%)

HTTPS

HTTP

SSH

High Risk

ACT II — THE GHOST TOWN

We Went Looking

We probed 16.7 million IP addresses. 500,000 packets per second. This is what answered...

6,095 Live IPs

37.49% response rate. Iran's internet is now a ghost town.

What Shouldn't Be Exposed

We found 117 database and high-risk services exposed to the public internet.

HTTPS

:443

3,345(55%)

HTTP

:80

3,068(50%)

SSH

:22

1,474(24%)

HTTP-Alt

:8080

1,462(24%)

HTTPS-Alt

:8443

1,434(24%)

Port 179

:179

1,401(23%)

HTTPS

HTTP

SSH

High Risk

ACT II — THE GHOST TOWN

We Went Looking

We probed 16.7 million IP addresses. 500,000 packets per second. This is what answered...

6,095 Live IPs

37.49% response rate. Iran's internet is now a ghost town.

For every million IPs we scanned, only 365 answered.

What Shouldn't Be Exposed

We found 117 database and high-risk services exposed to the public internet.

Someone left the doors open. Critical infrastructure accessible to anyone.

ACT II.5 — THE SURVEILLANCE APPARATUS

WHAT THE SCAN
REVEALED

Beyond the ghost town lies infrastructure designed not to serve, but to surveil. Here's the evidence of Iran's digital panopticon.

The Servers That Listen On Everything

Deep Packet Inspection Infrastructure Exposed

Normal Web Server

443

3306

4 ports open — SSH, HTTP, HTTPS, database

This is normal. Servers only listen on ports they need.

ArvanCloud DPI Node

SANCTIONED

...

65,523 ports open — 99.98% of ALL TCP ports

This is NOT normal. This is surveillance infrastructure.

Why Does This Matter?

We discovered 20 IP addresses in ArvanCloud's network that respond on virtually every TCP port.

A CDN server needs a handful of ports. A web server needs even fewer. Nothing legitimate needs 65,000 ports.

This is the fingerprint of transparent proxy infrastructure. Traffic on any port can be intercepted, inspected, logged, and blocked. These aren't CDN nodes — they're checkpoints.

DPI NODES

65,523

MAX PORTS

99.98%

PORT COVERAGE

ArvanCloud

OFAC SANCTIONED

All 20 DPI Nodes Discovered

185.220.226.0/24 subnet

185.220.226.240

65,523 ports

99.98% coverage

185.220.226.92

65,523 ports

99.98% coverage

185.220.226.166

65,522 ports

99.98% coverage

185.220.226.1

65,522 ports

99.98% coverage

185.220.226.52

65,521 ports

99.98% coverage

185.220.226.51

65,521 ports

99.98% coverage

185.220.226.53

65,521 ports

99.98% coverage

185.220.226.228

65,521 ports

99.98% coverage

185.220.226.77

65,520 ports

99.98% coverage

185.220.226.205

65,520 ports

99.98% coverage

185.220.226.16

65,520 ports

99.98% coverage

185.220.226.13

65,520 ports

99.98% coverage

185.220.226.204

65,520 ports

99.98% coverage

185.220.226.78

65,520 ports

99.98% coverage

185.220.226.89

65,520 ports

99.98% coverage

185.220.226.14

65,519 ports

99.98% coverage

185.220.226.192

65,519 ports

99.98% coverage

185.220.226.219

65,519 ports

99.98% coverage

185.220.226.120

65,519 ports

99.98% coverage

185.220.226.247

65,519 ports

99.98% coverage

BGP Exposure

Routing Infrastructure at Risk

3,082

Hosts with BGP Port 179 Exposed

These are doors to Iran's routing tables - left wide open.

Click for details →

What is BGP?

Border Gateway Protocol (BGP) is the internet's GPS system. It controls how data packets find their way across the global network. When BGP ports are exposed to the public internet, attackers can potentially:

BGP Hijacking - Redirect traffic through malicious servers
Route Injection - Insert fake routes into the network
Traffic Interception - Monitor data flows in transit

Security Implications

3,082 exposed BGP endpoints represent a massive attack surface. A single successful BGP hijack could redirect traffic for entire network blocks through attacker-controlled infrastructure.

Learn about BGP hijacking

The 412 Protocol

ArvanCloud Content Filtering Fingerprint

What is HTTP 412?

HTTP 412 "Precondition Failed" is supposed to mean a client's conditional request couldn't be fulfilled. ArvanCloud uses it as their blocking response.

Every blocked request returns the same response. Same server header. Same content-length. This is the fingerprint of censorship infrastructure.

Block Page Fingerprints

Identical content-length values indicate standardized block pages from centralized filtering:

10,920 bytes1,257 responses

BLOCK PAGE

Sample IPs:

10,915 bytes719 responses

BLOCK PAGE

Sample IPs:

10,910 bytes80 responses

BLOCK PAGE

Sample IPs:

13,574 bytes18 responses

BLOCK PAGE

Sample IPs:

HTTP Status Code Distribution

400

2,094

39.2%

412

2,074

38.8%

200

529

9.9%

404

229

4.3%

301

191

3.6%

302

1.3%

403

1.1%

503

0.7%

401

0.3%

500

0.2%

Evidence of centralized filtering: 38.8% of all HTTP responses are 412 errors from ArvanCloud. Identical response sizes indicate standardized block pages served from a unified censorship infrastructure.

The CDN Duopoly

Who Controls Iran's Internet?

47.9%

of Iran's web infrastructure controlled by two companies

ArvanCloudSANCTIONED

Sotoon CDN

One company (ArvanCloud) is US Treasury sanctioned for building Iran's censorship infrastructure. Together, these two companies control nearly half of all responsive HTTP services in Iran.

HTTP Server Distribution

ArvanCloudSANCTIONED

2,05638.4%

Sotoon CDN

5109.5%

nginx

1272.4%

gws

1112.1%

nginx/1.18.0 (Ubuntu)

551%

nginx/1.24.0 (Ubuntu)

310.6%

Apache/2.4.58 (Ubuntu)

290.5%

Microsoft-IIS/10.0

270.5%

DERAK.CLOUD

260.5%

Microsoft-HTTPAPI/2.0

250.5%

5,348

Total Services

ArvanCloudSANCTIONED

38.4%

Sotoon CDN

9.5%

nginx

2.4%

gws

2.1%

nginx/1.18.0 (Ubuntu)

ArvanCloud - OFAC Sanctioned

US Treasury designated ArvanCloud on June 2, 2023 for constructing Iran's National Information Network - the censorship backbone.

Founders Pouya Pirhosseinloo and Farhad Fatemi personally sanctioned
Dubai shell company created for sanctions evasion
Controls 38.4% of Iran's HTTP infrastructure

US Treasury Press Release

The Polish Connection

Foreign Certificate Authority Dependency

336

TOTAL CERTS

GOV ON POLISH

Iranian Government on Polish Certificate AuthorityCRITICAL FINDING

Iran's government trusts a Polish company (Unizeto/Asseco) to issue certificates for its official domains. If Poland revokes these certificates, Iranian government services would show security errors to all visitors.

piu.gov.ir

178.252.135.86:443

.gov.ir

Certificate Issuers by Country

184

54.8%

Unknown

22.9%

7.4%

5.4%

3.0%

1.2%

0.9%

Polish CA Certificates (25)

Click for details

piu.gov.ir

178.252.135.86:443

GOVPL

fidibo.com

185.143.233.217:8443

aparat.style

185.147.179.20:443

dnswebhost.com

185.159.155.2:2083

aparatmusic.com

185.147.179.29:443

pars.host

185.159.155.3:443

csguard.ir

185.231.114.218:443

saba-e.com

185.80.199.1:443

EXPIREDPL

cdn.asset.aparat.com

188.209.117.0:443

asset.aparat.com

188.209.117.105:443

cdn.asset.filimo.school

188.209.117.103:443

asset.filimo.school

188.209.117.110:443

asset2.aparat.com

188.209.118.104:443

EXPIREDPL

tccim.ir

188.75.86.26:443

sso.haj.ir

193.56.59.168:443

exportgaz.com

217.144.106.205:443

bale.ai

2.189.68.126:443

mail.naftiran.ch

217.172.123.34:443

yarangroup.com

195.211.71.23:443

pgpicc.com

46.209.156.180:443

Geopolitical Risk: 7.4% of Iran's TLS certificates depend on Polish Certificate Authorities. Certificate revocation is a potential sanctions enforcement tool that could instantly disable HTTPS for a significant portion of Iranian websites.

DPI NODES

3,082

BGP EXPOSED

2,074

BLOCKED (412)

38.4%

ARVANCLOUD

POLISH CA

Certificate Health Status

336 CERTIFICATES ANALYZED ACROSS IRANIAN INFRASTRUCTURE

297 Valid (88%)

39 Expired (12%)

297

Valid Certs

Expired

Self-Signed

TLSv1.3 (82%)

Primary Protocol

ACT III — THE BROKEN LOCKS

Certificate Chaos

39 of 336 certificates have expired. Security has collapsed from within.

Certificate Authority Dependency

IRAN'S INFRASTRUCTURE DEPENDS ON FOREIGN CAs

of certificates from Let's Encrypt (USA)

Nearly half of Iranian infrastructure relies on Let's Encrypt, a US-based certificate authority. While 0% use self-signed certificates for internal services, external-facing services depend heavily on foreign CAs.

US Certificate AuthoritiesUSA

184 (54.8%)

Let's Encrypt, Google Trust Services

Self-signed/Unknown

77 (22.9%)

Internal/shadow infrastructure

Polish Certificate AuthoritiesPoland

25 (7.4%)

Used by Aparat/Filimo CDN

UK Certificate AuthoritiesUK

18 (5.4%)

Comodo/Sectigo

GlobalSignBelgium

10 (3.0%)

Enterprise certificates

TW CATW

4 (1.2%)

Other certificate authority

IR CAIR

3 (0.9%)

Other certificate authority

Domestic Infrastructure

IRAN'S HOMEGROWN SERVICES AND THEIR CERTIFICATE SOURCES

Aparat

Iranian YouTube

nodes

*.asset2.aparat.com

*.asset.aparat.com

Filimo

Streaming platform

nodes

*.asset.filimo.school

Derak Cloud

CDN provider

nodes

derak.cloud

Digikala

E-commerce

nodes

digikala.com

KEY FINDINGS

82% use TLSv1.3

Modern protocol adoption is high

27% self-signed certificates

Internal infrastructure lacks trusted CAs

12% of certificates are expired

Some services need certificate renewal

45% rely on US-based Let's Encrypt

Heavy dependency on foreign certificate authorities

Explore Certificate Data

Click to Explore Certificate Details

Certificates by Issuer

Download Certificate Data

TLS certificates with IP addresses and threat indicators

336

rows

Data by Whisper Security

Certificate Health Status

336 CERTIFICATES ANALYZED ACROSS IRANIAN INFRASTRUCTURE

297 Valid (88%)

39 Expired (12%)

297

Valid Certs

Expired

Self-Signed

TLSv1.3 (82%)

Primary Protocol

ACT III — THE BROKEN LOCKS

Certificate Chaos

We examined 336 TLS certificates across Iran's internet infrastructure.

What we found tells a story of neglect, foreign dependency, and active surveillance.

82% TLS 1.3

297 certificates are using modern protocols. The infrastructure has largely adopted current security standards.

However, 91 certificates are self-signed, indicating internal infrastructure without trusted CA validation.

Foreign CA Dependency

45% of certificates come from US-based Let's Encrypt. Iran's infrastructure depends heavily on foreign certificate authorities for trust.

If certificate authorities were weaponized, significant portions of Iran's web presence could be disrupted through trust chain attacks.

Certificate Authority Dependency

IRAN'S INFRASTRUCTURE DEPENDS ON FOREIGN CAs

of certificates from Let's Encrypt (USA)

US Certificate AuthoritiesUSA

184 (54.8%)

Let's Encrypt, Google Trust Services

Self-signed/Unknown

77 (22.9%)

Internal/shadow infrastructure

Polish Certificate AuthoritiesPoland

25 (7.4%)

Used by Aparat/Filimo CDN

UK Certificate AuthoritiesUK

18 (5.4%)

Comodo/Sectigo

GlobalSignBelgium

10 (3.0%)

Enterprise certificates

TW CATW

4 (1.2%)

Other certificate authority

IR CAIR

3 (0.9%)

Other certificate authority

Domestic Infrastructure

IRAN'S HOMEGROWN SERVICES AND THEIR CERTIFICATE SOURCES

Aparat

Iranian YouTube

nodes

*.asset2.aparat.com

*.asset.aparat.com

Filimo

Streaming platform

nodes

*.asset.filimo.school

Derak Cloud

CDN provider

nodes

derak.cloud

Digikala

E-commerce

nodes

digikala.com

KEY FINDINGS

82% use TLSv1.3

Modern protocol adoption is high

27% self-signed certificates

Internal infrastructure lacks trusted CAs

12% of certificates are expired

Some services need certificate renewal

45% rely on US-based Let's Encrypt

Heavy dependency on foreign certificate authorities

Deep Dive: Certificate Data

CLICK ANY CATEGORY TO SEE IP ADDRESSES AND DOMAIN DETAILS

Click to Explore Certificate Details

Certificates by Issuer

Download Certificate Data

TLS certificates with issuers, domains, IP addresses, and threat indicators

336

rows

Data by Whisper Security

Damage by Network

Click on any network to see its affected prefixes.

AS58224TCI - Iran Telecommunication Company PJS

1,401 totalClick to expand →

547 survived810 withdrawn44 new

AS197207MCCI-AS - Mobile Communication Company of Iran PLC

961 totalClick to expand →

689 survived116 withdrawn156 new

AS42337RESPINA-AS - Respina Networks & Beyond PJSC

776 totalClick to expand →

631 survived66 withdrawn79 new

AS44244IRANCELL-AS - Iran Cell Service and Communication Company

451 totalClick to expand →

368 survived60 withdrawn23 new

AS43754ASIATECH - Asiatech Data Transmission company

327 totalClick to expand →

273 survived24 withdrawn30 new

AS31549RASANA - Aria Shatel PJSC

267 totalClick to expand →

126 survived98 withdrawn43 new

AS25184AFRANET - Afranet

238 totalClick to expand →

221 survived15 withdrawn2 new

AS24631FANAPTELECOM-FCP - Tose'h Fanavari Ertebabat Pasargad Arian Co. PJS

221 totalClick to expand →

187 survived20 withdrawn14 new

AS57218RIGHTEL - "Rightel Communication Service Company PJS"

190 totalClick to expand →

45 survived109 withdrawn36 new

AS50810MOBINNET-AS - Mobin Net Communication Company (Private Joint Stock)

178 totalClick to expand →

102 survived23 withdrawn53 new

Download Prefix Data

Complete prefix comparison with status for each route

10,059

rows

Data by Whisper Security

The New Routes: Control Infrastructure

987 new prefixes appeared after the shutdown. These aren't recovery — they're reconfiguration of the National Information Network.

987 New Routes Appeared

Network reconfiguration after the shutdown - click any network to explore

AS197207MCCI-AS - Mobile Communication Company of Iran PLC

156 new→

109.108.160.0/24109.203.128.0/20109.203.128.0/24109.203.144.0/20109.225.128.0/19

AS42337RESPINA-AS - Respina Networks & Beyond PJSC

79 new→

176.101.32.0/24176.101.33.0/24185.110.28.0/22185.14.163.0/24185.215.228.0/24

AS50810MOBINNET-AS - Mobin Net Communication Company (Private Joint Stock)

53 new→

103.111.69.0/24103.132.228.0/24103.217.124.0/22176.126.223.0/24178.131.112.0/21

AS58224TCI - Iran Telecommunication Company PJS

44 new→

151.234.162.0/24151.234.164.0/24151.234.167.0/24151.234.168.0/24151.234.202.0/23

AS31549RASANA - Aria Shatel PJSC

43 new→

151.238.100.0/22151.238.104.0/22151.238.108.0/22151.238.112.0/22151.238.116.0/22

AS57218RIGHTEL - "Rightel Communication Service Company PJS"

36 new→

185.24.228.0/22188.208.156.0/24188.208.157.0/24188.208.158.0/23188.208.224.0/19

AS43754ASIATECH - Asiatech Data Transmission company

30 new→

128.65.176.0/22176.65.252.0/22185.112.39.0/24185.132.80.0/23185.141.168.0/22

AS206065FDI - Tose'h Fanavari Ertebabat Pasargad Arian Co. PJS

24 new→

185.222.120.0/24188.121.128.0/24188.121.156.0/24188.136.175.0/24188.136.185.0/24

AS44244IRANCELL-AS - Iran Cell Service and Communication Company

23 new→

2.144.20.0/222.146.64.0/242.147.5.0/245.113.83.0/245.115.43.0/24

AS49556WEBDADE - Web Dadeh Paydar Co (Ltd)

23 new→

109.70.76.0/24109.70.77.0/24109.70.78.0/24185.227.78.0/24185.227.79.0/24

Download New Routes

All prefixes that appeared after the shutdown

987

rows

Data by Whisper Security

Exposed High-Risk Services

These services should never be directly accessible from the internet. Click on any service to see the full list of exposed IPs.

218 High-Risk Services Exposed

These services should never be directly accessible from the internet

Microsoft SQL Server

Database exposed to internet - potential data breach

77.237.122.226

ArvanCloud CDN185.220.226.14

ArvanCloud CDN185.220.226.174

ArvanCloud CDN185.220.226.216

ArvanCloud CDN185.220.226.155

ArvanCloud CDN185.220.226.94

ArvanCloud CDN185.220.226.243

ArvanCloud CDN185.220.226.192

ArvanCloud CDN185.220.226.223

ArvanCloud CDN185.220.226.228

PostgreSQL Database

Database exposed to internet - potential data breach

95.81.76.6

ArvanCloud CDN185.220.226.205

ArvanCloud CDN185.220.226.114

ArvanCloud CDN185.220.226.231

ArvanCloud CDN185.220.226.230

ArvanCloud CDN185.220.226.244

ArvanCloud CDN185.220.226.8

ArvanCloud CDN185.220.226.203

ArvanCloud CDN185.220.226.180

ArvanCloud CDN185.220.226.194

MySQL Database

Database exposed to internet - potential data breach

ArvanCloud CDN185.220.226.184

ArvanCloud CDN185.220.226.233

ArvanCloud CDN185.220.226.82

ArvanCloud CDN185.220.226.28

ArvanCloud CDN185.220.226.34

ArvanCloud CDN185.220.226.90

ArvanCloud CDN185.220.226.116

ArvanCloud CDN185.220.226.134

ArvanCloud CDN185.220.226.77

ArvanCloud CDN185.220.226.21

MongoDB Database

Often misconfigured without authentication

ArvanCloud CDN185.220.226.244

ArvanCloud CDN185.220.226.112

ArvanCloud CDN185.220.226.194

ArvanCloud CDN185.220.226.13

ArvanCloud CDN185.220.226.208

ArvanCloud CDN185.220.226.109

ArvanCloud CDN185.220.226.74

ArvanCloud CDN185.220.226.32

ArvanCloud CDN185.220.226.134

ArvanCloud CDN185.220.226.101

Elasticsearch

Can expose indexed data without auth

ArvanCloud CDN185.220.226.90

ArvanCloud CDN185.220.226.94

ArvanCloud CDN185.220.226.81

ArvanCloud CDN185.220.226.109

ArvanCloud CDN185.220.226.147

ArvanCloud CDN185.220.226.181

ArvanCloud CDN185.220.226.180

ArvanCloud CDN185.220.226.240

ArvanCloud CDN185.220.226.218

ArvanCloud CDN185.220.226.30

Redis Cache/Database

Default config has no authentication

ArvanCloud CDN185.220.226.206

ArvanCloud CDN185.220.226.24

ArvanCloud CDN185.220.226.83

ArvanCloud CDN185.220.226.44

ArvanCloud CDN185.220.226.211

ArvanCloud CDN185.220.226.104

ArvanCloud CDN185.220.226.11

ArvanCloud CDN185.220.226.233

ArvanCloud CDN185.220.226.153

ArvanCloud CDN185.220.226.6

Telnet (Insecure)

Transmits credentials in plaintext

ArvanCloud CDN185.220.226.33

ArvanCloud CDN185.220.226.115

ArvanCloud CDN185.220.226.70

77.237.122.94

ArvanCloud CDN185.220.226.16

77.237.122.83

ArvanCloud CDN185.220.226.88

ArvanCloud CDN185.220.226.165

ArvanCloud CDN185.220.226.131

ArvanCloud CDN185.220.226.58

RDP (Remote Desktop)

Common attack target for ransomware

ArvanCloud CDN185.220.226.67

Pars Online195.211.71.193

ArvanCloud CDN185.220.226.148

ArvanCloud CDN185.220.226.91

ArvanCloud CDN185.220.226.45

ArvanCloud CDN185.220.226.159

ArvanCloud CDN185.220.226.255

ArvanCloud CDN185.220.226.46

Pars Online195.211.71.187

ArvanCloud CDN185.220.226.185

FTP (File Transfer)

Credentials transmitted in plaintext

ArvanCloud CDN185.220.226.89

85.185.45.52

Pars Online195.211.71.114

95.38.174.166

Afranet62.60.178.84

Afranet62.60.178.211

ArvanCloud CDN185.220.226.209

ArvanCloud CDN185.220.226.82

ArvanCloud CDN185.220.226.69

ArvanCloud CDN185.220.226.42

VNC (Remote Display)

Often has weak authentication

ArvanCloud CDN185.220.226.125

ArvanCloud CDN185.220.226.111

ArvanCloud CDN185.220.226.176

ArvanCloud CDN185.220.226.88

ArvanCloud CDN185.220.226.67

ArvanCloud CDN185.220.226.116

ArvanCloud CDN185.220.226.232

ArvanCloud CDN185.220.226.84

ArvanCloud CDN185.220.226.141

ArvanCloud CDN185.220.226.27

Kubernetes API

Cluster management - potential full system access

ArvanCloud CDN185.220.226.195

ArvanCloud CDN185.220.226.44

ArvanCloud CDN185.220.226.76

ArvanCloud CDN185.220.226.93

ArvanCloud CDN185.220.226.198

ArvanCloud CDN185.220.226.177

ArvanCloud CDN185.220.226.77

ArvanCloud CDN185.220.226.11

ArvanCloud CDN185.220.226.158

ArvanCloud CDN185.220.226.112

Download Exposed Services

High-risk services exposed to the internet

117

rows

Data by Whisper Security

THE GATEKEEPER

ArvanCloud Controls 61% of Everything

One network block — 185.220.x.x — hosts 41% of everything responsive. Iran doesn't have a distributed internet anymore. It has a gatekeeper.

ArvanCloud Dominance(185.220.x.x + 185.143.x.x)

14.6%of all responsive services

ArvanCloud Networks

Other Networks

Download Service Data

All responsive services by IP, port, and network

6,095

rows

Data by Whisper Security

ACT III — THE DNS LANDSCAPE

314 DNS Servers. Only 0 Answered.

27 Open Resolvers Detected

These DNS servers allow recursive queries from any source. This can be exploited for DNS amplification attacks or used as surveillance infrastructure to monitor DNS queries.

314

DNS Servers

Responsive (0.0%)

Open Resolvers

Software Fingerprints

9.18.39-0ubuntu0.24.04.2-Ubuntu5 servers

PowerDNS Authoritative Server 4.9.5 (built Aug 26 2025 11:35:14 by root@bh-centos-8.dev.cpanel.net)4 servers

PowerDNS Authoritative Server 4.9.5 (built Aug 26 2025 00:00:00 by root@bh-centos-9.dev.cpanel.net)2 servers

9.18.39-0ubuntu0.22.04.2-Ubuntu2 servers

unbound 1.23.02 servers

109.201.19.246

No Response

Shatel178.252.135.86

No ResponseOpen Resolver

ArvanCloud CDN185.143.232.253

No Response

ArvanCloud CDN185.143.234.253

No Response

ArvanCloud CDN185.159.155.2

No Response

PowerDNS Authoritative Server 4.9.5 (built Aug 26 2025 11:35:14 by root@bh-centos-8.dev.cpanel.net)

ArvanCloud CDN185.159.155.3

No Response

PowerDNS Authoritative Server 4.9.5 (built Aug 26 2025 11:35:14 by root@bh-centos-8.dev.cpanel.net)

185.188.104.10

No Response

185.188.104.11

No Response

185.188.104.12

No Response

185.188.105.10

No Response

185.188.105.11

No Response

185.188.105.12

No Response

ArvanCloud CDN185.220.226.0

No Response

ArvanCloud CDN185.220.226.1

No Response

ArvanCloud CDN185.220.226.10

No Response

ArvanCloud CDN185.220.226.100

No Response

ArvanCloud CDN185.220.226.101

No Response

ArvanCloud CDN185.220.226.105

No Response

ArvanCloud CDN185.220.226.108

No Response

ArvanCloud CDN185.220.226.109

No Response

+294 more resolvers

Download DNS Data

All DNS servers with version fingerprints and resolver status

314

rows

Active Filters

filter: open_resolvers

Data by Whisper Security

ACT IV — THE WEB FINGERPRINT

The 412 Wall

143 responses returned HTTP 412 "Precondition Failed" - every single one from ArvanCloud. The WAF is blocking foreign probes, revealing the centralized control point of Iran's filtered internet.

143

blocked requests

41.9%

of all responses

WAF Blocked (HTTP 412)

ArvanCloud rejecting foreign probes

143(41.9% of responses)

686

Probed

341

Responded

Valid Certs

Domains

Response Status Distribution

Server Fingerprints

Unknown486

ArvanCloud139

Sotoon CDN14

gws9

nginx7

DigiCDN Edge4

Download HTTP Data

All HTTP endpoints with status codes, certificates, and domains

686

rows

Data by Whisper Security

EPILOGUE — THE EVIDENCE

This Is Your Data

Download it. Analyze it. Share it. The world needs to see what's happening in Iran.

Download Complete Dataset

Get all raw data files for your own analysis

10,059

Network prefixes

1,424

Responsive services

314

DNS servers

686

HTTP endpoints

Includes: prefix comparison, service scans, DNS enumeration, HTTP fingerprints

Data collected January 12, 2026 | Scan methodology: TCP SYN on 34 ports

Return to main report Whisper Security

THE DIGITALAUTOPSY

PROLOGUE — THE BASELINE

What Iran Had Before January 8th

ACT I — THE SEVERANCE

January 8th, 2026

The Backbone Bleeds

Who Survived?

The New Routes

ACT I — THE SEVERANCE

January 8th, 2026

The Backbone Bleeds

Who Survived?

The New Routes

ACT II — THE GHOST TOWN

We Went Looking

6,095 Live IPs

What Shouldn't Be Exposed

ACT II — THE GHOST TOWN

We Went Looking

6,095 Live IPs

What Shouldn't Be Exposed

WHAT THE SCANREVEALED

The Servers That Listen On Everything

Normal Web Server

ArvanCloud DPI Node

Why Does This Matter?

All 20 DPI Nodes Discovered

BGP Exposure

What is BGP?

Security Implications

The 412 Protocol

What is HTTP 412?

Block Page Fingerprints

HTTP Status Code Distribution

The CDN Duopoly

HTTP Server Distribution

ArvanCloud - OFAC Sanctioned

The Polish Connection

Iranian Government on Polish Certificate AuthorityCRITICAL FINDING

Certificate Issuers by Country

Polish CA Certificates (25)

Certificate Health Status

ACT III — THE BROKEN LOCKS

Certificate Chaos

Certificate Authority Dependency

Domestic Infrastructure

Aparat

Filimo

Derak Cloud

Digikala

KEY FINDINGS

Explore Certificate Data

Click to Explore Certificate Details

Certificates by Issuer

Download Certificate Data

Certificate Health Status

ACT III — THE BROKEN LOCKS

Certificate Chaos

82% TLS 1.3

Foreign CA Dependency

Certificate Authority Dependency

Domestic Infrastructure

Aparat

Filimo

Derak Cloud

Digikala

KEY FINDINGS

Deep Dive: Certificate Data

Click to Explore Certificate Details

Certificates by Issuer

Download Certificate Data

Damage by Network

Download Prefix Data

The New Routes: Control Infrastructure

987 New Routes Appeared

Download New Routes

Exposed High-Risk Services

218 High-Risk Services Exposed

Download Exposed Services

THE GATEKEEPER

THE DIGITAL
AUTOPSY

WHAT THE SCAN
REVEALED