CONCEPT Cited by 1 source
Filtering-based Internet shutdown¶
A filtering-based Internet shutdown is a government-directed shutdown implemented at the packet level rather than at the routing layer. BGP prefixes remain announced, IP address space stays largely consistent in the global routing table, and the country still looks "online" from a control-plane perspective — but the state-controlled or state-coerced ISPs drop, reset, or selectively permit traffic at their edge, typically via deep packet inspection (DPI).
Observational signature¶
The filtering-based shape produces a distinctive pattern on external observatories like systems/cloudflare-radar:
- IPv4 / IPv6 announced space unchanged (or only nominally shifted).
- Traffic collapses to near-zero, often to <1% of baseline — but never exactly zero, because some paths evade the filter (VPNs, out-of-country satellite, specific whitelisted endpoints).
- Small residual Web + DNS traffic continues to egress.
- No coordinated BGP events at shutdown onset — unlike a BGP withdrawal shutdown, there is no routing-table churn to point to.
Combined, these signals let observers disambiguate filtering from route-withdrawal: "No significant shifts in announced IP address space were observed around the onset of this shutdown. IPv4 space remained fairly consistent, and IPv6 space remained consistently volatile, suggesting that route withdrawals were not the cause of this second shutdown." "The continued announcement of IP address space, and the presence of traffic from the country, even if just a small amount, supports reports that the shutdown was effectively achieved through aggressive filtering."
Why it's harder to circumvent than route withdrawal¶
Route-withdrawal shutdowns fail when operators refuse to withdraw or when backup transit paths remain. Filtering shutdowns are more surgical:
- The state can permit selected traffic (see concepts/whitelist-internet-access) — some users, some sites, some protocols — while blocking everything else.
- They can operate for months without starving the country's own government / military / financial transit.
- They produce less collateral economic damage than a full blackout, making them politically sustainable longer.
This is the mechanism behind the longest-running modern shutdowns. Iran's February 28, 2026 shutdown implemented via filtering "remains largely in place" into late April, "making it one of the longest sustained Internet disruptions observed in recent years."
Distinguishing features vs. route-withdrawal shutdown¶
| Property | Filtering shutdown | BGP-withdrawal shutdown |
|---|---|---|
| BGP routes still announced | Yes | No |
| Residual traffic | ~<1%, nonzero | ~0% (DNS only via VPN) |
| Evadable via satellite | Partial | Partial |
| Selective permission | Easy (whitelist) | All-or-nothing per prefix |
| Duration envelope | Weeks to months | Hours to days |
| External observability | Traffic drop, routes steady | Route withdrawal visible |
Seen in¶
- sources/2026-04-28-cloudflare-q1-2026-internet-disruption-summary — canonical wiki instance. Iran's February 28, 2026 shutdown dropped traffic "well under 1% of previous levels" while IPv4 announcements stayed consistent and IPv6 remained "consistently volatile". Combined with reports of whitelisted SIM cards, the observability signature is unambiguous: filtering, not route withdrawal. Still active at quarter-end — the longest sustained Internet disruption observed in recent years per Cloudflare Radar's historical corpus.