A view into the network shutdown in Iran, June 2025

2025-08-08
David Fifield <david@bamsoftware.com>

https://www.bamsoftware.com/talks/crysp-2025-iran/

Two IP addresses
that remained accessible:
140.82.121.6	api.github.com
216.239.38.120	google.com

Internet Connectivity for Iran (Islamic Republic Of) — https://ioda.inetintel.cc.gatech.edu/country/IR?from=1750132839&until=1750896039

Near-total shutdown June 18 to June 21 (60 hours)
Reduced connectivity June 21 to June 26

GitHub and Microsoft are willing collaborators in dictatorship.

Look for alternatives to GitHub.

https://www.theverge.com/2025/1/9/24340039/google-microsoft-trump-inauguration-donation

During the shutdown, people in Iran unexpectedly found themselves able to comment on the discussion thread using the GitHub app.

I'm in iran and just got access to outside network using github app on android.

Idk how is this working but i need to replicate it on real vpn connection — #issuecomment-2985672840

We have Internet black out in Iran right now. No news from outside. Just somehow Github app works. Any one has any solution to Circumvent this blockage? I'm using RighTel right now. — #issuecomment-2986195907

The reason was that the GitHub app uses the GitHub REST API (api.github.com at 140.82.121.6).

Turns out api.github.com's ip (140.82.121.6) is open for connections

We got public whitelisted ip in iran before GTA 6 — #issuecomment-2987484989

No access to web version of GitHub
No access to software downloads
Just API access (commenting on issues using the GitHub app)

Partway into the shutdown, Google search (google.com at 216.239.38.120) suddenly became accessible. (See IODA graph.)

No other Google services: no maps, drive, youtube, etc.

Let's try domain fronting:

> How about:
> curl --ssl-revoke-best-effort -H "Host: www.youtube.com" https://google.com

NO
SHOT

mg/logos/favicon_144x144.png" sizes="144x144"title>YouTube</title><link rel="alternate" media="handheld

WHAT TF IS HAPPENING?
is it because google.com and youtube.com have the same ip? — #issuecomment-2988927420

But actually, domain fronting was not required.
(Only an IP filter, no SNI filter.)

Pointing Google domains to 216.239.38.120 in /etc/hosts would make them accessible.

Downloading files from Google Drive through the single accessible IP address:

curl --connect-to ::216.239.38.120 --ssl-revoke-best-effort \
  -L -o champa-client-darwin-amd64 \
  "https://drive.usercontent.google.com/download?
  id=1ROCBSIsnat8uDQSlOFajuW2XAbeqNNZh&export=download&confirm=t"

https://github.com/net4people/bbs/issues/485#issuecomment-2992413851

After the shutdown (ntc.party/t/17068/2):

Gradually increasing levels of access, different in different ASes.
Some things were briefly more open than usual for Iran: ICMP echo was permitted to all IP addresses, and many Tor relays were accessible (but needed a patch to disguise Tor's protocol fingerprint).
A second shutdown on July 5, lasting 3 hours. No google.com access this time (which was also the case at the beginning of the first shutdown).

The June 2025 shutdown was qualitatively different than past shutdowns in Iran. More information: Project Ainita presentation at IETF 123:

Video: https://www.youtube.com/watch?v=b9-I-zrlG-s&t=2462s (timestamp 41:02).
Slides.

November 16–23, 2019

Notable drops in BGP signals
OONI report
Wikipedia

September 19–27, 2022

Intermittent and localized shutdowns during the Mahsa Amini protests, primarily affecting mobile ISPs
Reduction in BGP
OONI report
BBS thread
Wikipedia

The big difference in June 2025: less reliance on BGP-based blocking (routing); instead using selective middleboxes.

Summary

Some channels of network access remained open, even during a "shutdown".

Different events called "shutdowns" work differently, even in the same country at different times.

Some forms of fairly traditional censorship circumvention worked in this case, though it is not known whether they would have continued to. (The situation did not persist long enough to reach an equilibrium.)