CONCEPT Cited by 2 sources
Filtering-based Internet shutdown¶
A filtering-based Internet shutdown is a government-directed shutdown implemented at the packet level rather than at the routing layer. BGP prefixes remain announced, IP address space stays largely consistent in the global routing table, and the country still looks "online" from a control-plane perspective — but the state-controlled or state-coerced ISPs drop, reset, or selectively permit traffic at their edge, typically via deep packet inspection (DPI).
Observational signature¶
The filtering-based shape produces a distinctive pattern on external observatories like systems/cloudflare-radar:
- IPv4 / IPv6 announced space unchanged (or only nominally shifted).
- Traffic collapses to near-zero, often to <1% of baseline — but never exactly zero, because some paths evade the filter (VPNs, out-of-country satellite, specific whitelisted endpoints).
- Small residual Web + DNS traffic continues to egress.
- No coordinated BGP events at shutdown onset — unlike a BGP withdrawal shutdown, there is no routing-table churn to point to.
Combined, these signals let observers disambiguate filtering from route-withdrawal: "No significant shifts in announced IP address space were observed around the onset of this shutdown. IPv4 space remained fairly consistent, and IPv6 space remained consistently volatile, suggesting that route withdrawals were not the cause of this second shutdown." "The continued announcement of IP address space, and the presence of traffic from the country, even if just a small amount, supports reports that the shutdown was effectively achieved through aggressive filtering."
Why it's harder to circumvent than route withdrawal¶
Route-withdrawal shutdowns fail when operators refuse to withdraw or when backup transit paths remain. Filtering shutdowns are more surgical:
- The state can permit selected traffic (see concepts/whitelist-internet-access) — some users, some sites, some protocols — while blocking everything else.
- They can operate for months without starving the country's own government / military / financial transit.
- They produce less collateral economic damage than a full blackout, making them politically sustainable longer.
This is the mechanism behind the longest-running modern shutdowns. Iran's February 28, 2026 shutdown implemented via filtering lasted 87 days before its first partial restoration on May 26 2026, "making it one of the longest sustained Internet disruptions observed in recent years."
Restoration is also mechanism-diagnostic¶
The same observability disambiguation that identifies a shutdown as filtering vs route-withdrawal works in reverse for the recovery direction:
- Route-withdrawal restoration propagates uniformly: re-advertising prefixes brings them back globally within minutes, with no primitive available to "re-advertise this prefix only for users in the capital." Per-region or per-cohort recovery is not technically expressible at the routing layer.
- Filtering-based restoration can be selectively walked back — by region, by carrier edge, by SIM cohort, by service / domain, by hour of day. The state retains flexibility to relax the filter incrementally and roll back cheaply if the relaxation causes problems.
When a recovery shows asymmetric geographic or carrier characteristics — most notably >80% of recovered traffic originating from the capital city (see concepts/capital-localized-internet-restoration) — filtering is the only mechanism consistent with the shape. This is the recovery-direction analogue of the "routes stay up, traffic drops" shutdown-direction signature.
Distinguishing features vs. route-withdrawal shutdown¶
| Property | Filtering shutdown | BGP-withdrawal shutdown |
|---|---|---|
| BGP routes still announced | Yes | No |
| Residual traffic | ~<1%, nonzero | ~0% (DNS only via VPN) |
| Evadable via satellite | Partial | Partial |
| Selective permission | Easy (whitelist) | All-or-nothing per prefix |
| Selective recovery | Easy (per-region/cohort) | Uniform, all-or-nothing |
| Duration envelope | Weeks to months | Hours to days |
| External observability | Traffic drop, routes steady | Route withdrawal visible |
Seen in¶
- sources/2026-04-28-cloudflare-q1-2026-internet-disruption-summary — canonical wiki instance. Iran's February 28, 2026 shutdown dropped traffic "well under 1% of previous levels" while IPv4 announcements stayed consistent and IPv6 remained "consistently volatile". Combined with reports of whitelisted SIM cards, the observability signature is unambiguous: filtering, not route withdrawal. Still active at quarter-end — the longest sustained Internet disruption observed in recent years per Cloudflare Radar's historical corpus.
- sources/2026-05-27-cloudflare-irans-internet-is-partially-restored-cloudflare-radar-data-shows — recovery-direction confirmation of the filtering mechanism. Iran's first partial restoration on May 26 2026 (87 days into the shutdown) was 91.6% Tehran-localised — a geographic selectivity that is only producible by a filtering-based architecture since BGP-withdrawal recovery is uniform. "The fact that IPv4 addresses were not removed from global routing tables, combined with the complete loss of actual traffic, suggests that Iran's shutdown was achieved through other technical means such as application filtering or whitelisting." Reaffirms the diagnosis from the Q1 review and adds the recovery-direction evidence. Diurnal pattern returned within hours of the restoration onset, confirming organic user activity. Surge magnitude ~15× prior-week levels; peak still only ~40% of 2026 maximum. Recovery flagged as potentially temporary (January precedent of reversed restorations).