WWW2026
Characterizing Iran's Phased National Internet Shutdown in 2025: A Progressive and Distributed Action
Shibo Cui, Mingxuan Liu, Baojun Liu, Haixin Duan, Ruixuan Li, Chaoyi Lu, Jin Zhang, Zhicheng Wang, Jinghua Bai
Abstract
In June 2025, the Iranian government executed a nationwide shutdown. This shutdown did not employ traditional large-scale BGP route withdrawals; instead, it relied on service-level restrictions. This shift in shutdown strategy renders existing passive-traffic-based monitoring and network-level active probing systems ill-equipped to capture the event's fine-grained characteristics. To address this gap, we develop a service-level shutdown monitoring framework. Leveraging continuous, large-scale active port scanning data of Iran's entire IPv4 space, we treat the collected 8.65 million results as a statistically representative sample of the nation's network state. Then, we identify shutdowns by detecting significant drops in service activity against a dynamic baseline computed via an adaptive sliding window. Based on our monitoring results, we reveal that this shutdown was not a monolithic event, but a sophisticated operation with three core properties: phased, progressive, and distributed. Specifically, the operation unfolded in four distinct phases: it began with two complementary localized drills that shifted focus from infrastructure control to information obstruction, escalated into a near-total nationwide blockade, and concluded with a tiered, censorship-oriented recovery. This escalation was progressive, with the blockade's scope expanding to impact 98 of the top 100 ASes and 49 of the top 50 network services. Furthermore, we find significant heterogeneity in the shutdown's impact and recovery across different ASes, indicating a distributed enforcement architecture. Beyond these primary characteristics, our analysis reveals deeper consequences. This nationwide shutdown action also caused collateral impacts, such as unexpected

* Corresponding author.
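The drop-against-baseline detection the abstract describes can be sketched as follows. This is an added example, not the authors' implementation: the window size, the 50% drop threshold, the median baseline and the choice to keep flagged samples out of the baseline are all assumptions, and the counts are constructed.

```python
from statistics import median

# Constructed sample: daily count of hosts answering on one port in one
# hypothetical AS. Shape: short drill (day 5), blockade (days 9-11),
# then a tiered recovery (days 12-15).
COUNTS = [1000, 1010, 990, 1005, 995, 400, 1000, 998, 1002,
          30, 20, 25, 300, 600, 950, 1000]

def detect_drops(counts, window=5, drop_ratio=0.5, min_history=3, freeze=True):
    """Flag samples that fall more than drop_ratio below a sliding baseline.

    The baseline is the median of the last `window` accepted samples. With
    freeze=True (an assumption of this sketch), flagged samples are kept out
    of the baseline so a long outage cannot become the new normal.
    """
    history, flags = [], []
    for c in counts:
        if len(history) < min_history:      # warm-up: too little data to judge
            history.append(c)
            flags.append(False)
            continue
        baseline = median(history[-window:])
        flagged = c < baseline * (1 - drop_ratio)
        if not (flagged and freeze):        # rolling mode accepts every sample
            history.append(c)
        flags.append(flagged)
    return flags

def episodes(flags):
    """Collapse per-sample flags into (start, end) index ranges."""
    runs, start = [], None
    for i, f in enumerate(flags):
        if f and start is None:
            start = i
        elif not f and start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, len(flags) - 1))
    return runs

if __name__ == "__main__":
    print("frozen baseline :", episodes(detect_drops(COUNTS)))
    print("rolling baseline:", episodes(detect_drops(COUNTS, freeze=False)))
```

With the rolling baseline, three days of near-zero counts pull the median down to the outage level, so day 12 (300 hosts, still far below normal) is reported as recovered; the frozen baseline keeps it inside the episode.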