The Pulse: Iran

Live Regional Intelligence Unit // Conflict Monitoring

Public Access Link: Active Monitoring Node

Iran Geopolitical Telemetry & Infrastructure Report

This specialized dashboard provides high-fidelity, real-time visibility into the Iranian internet infrastructure during the current wartime period. By monitoring network connectivity load, BGP routing stability, and WAF/DDoS mitigation patterns, Streamnode offers a clinical view of regional digital health. Public access is granted to ensure global transparency regarding infrastructure manipulation and censorship attempts. For historical wartime forensic data and global monitoring of other conflict zones, establish a PRO uplink.

Sentinel Infrastructure Status // IR

P50 Latency: 120.422385ms
Updated: 00:00:42

STRATEGIC INTELLIGENCE REPORT

Subject: Regional Telemetry Analysis – IR (Iran)
Analyst: Sentinel, Senior Network Intelligence Analyst, Streamnode Platform
Timestamp: 2026-03-20T00:00:08.941Z


1. EXECUTIVE SUMMARY (The Bottom Line)

The internet infrastructure in the IR region is currently operating in a severely ⚠️ Throttled and Anomalous state. While there are no total regional blackouts, the network is experiencing extreme routing instability, evidenced by over 21 million BGP updates, strongly suggesting state-level traffic engineering or severe infrastructure degradation. End-user experience is heavily degraded, with P75 latency spiking to nearly 420 milliseconds, pointing to intentional bandwidth throttling or inline Deep Packet Inspection (DPI) bottlenecks. Concurrently, the threat landscape is highly active, with a significant 10.1% of all email traffic containing malicious payloads and persistent application-layer attacks targeting the edge. Bottom line: The network is functional but highly hostile, heavily monitored, and structurally volatile.

2. INFRASTRUCTURE PULSE

Connectivity & Volume ⚠️ Anomalous

Overall traffic volume remains suppressed (Netflow: 0.119), and latency metrics reveal a highly degraded user experience. The median latency (P50) sits at a sluggish 120.4ms, but the 75th percentile (P75) skyrockets to 419.4ms.

  • The "So What?": This massive gap between median and tail latency is a classic signature of state-sponsored interference. It indicates that while some traffic flows normally, a large portion is being caught in artificial bottlenecks—likely caused by inline Deep Packet Inspection (DPI) hardware analyzing packets in real time. Traffic is split between Desktop (55.8%) and Mobile (44.2%), indicating users may be relying slightly more on fixed-line connections, which are sometimes subject to different filtering rules than mobile networks.

Routing Stability 🚨 Critical

We recorded an astronomical 21,123,583 Border Gateway Protocol (BGP) updates during this window. BGP acts as the "digital roadmap" of the internet, telling data how to travel from point A to point B. A healthy, stable network sees a fraction of this activity.

  • The "So What?": Over 21 million updates indicate severe "route flapping"—where network paths are rapidly advertised and withdrawn. In this specific region, this is almost certainly the result of intentional state-level traffic engineering, dynamic censorship routing, or failing domestic infrastructure struggling to maintain localized intranets. The digital roads are constantly shifting, making stable connections nearly impossible.

3. SECURITY LANDSCAPE

Edge Defense ⚠️ Anomalous

Our edge defenses show a 100% mitigation rate for Web Application Firewall (WAF) triggers, alongside a 37.5% mitigation rate for Distributed Denial of Service (DDoS) traffic. Bot mitigation currently sits at 0%.

  • The "So What?": Adversaries are heavily favoring precision application-layer attacks (such as SQL injections or cross-site scripting) over brute-force volumetric DDoS campaigns. The 100% WAF mitigation indicates that attackers are actively probing web applications for vulnerabilities, but edge defenses are successfully neutralizing these sophisticated, targeted strikes. The lower DDoS mitigation percentage suggests that volumetric attacks are either highly fragmented or secondary to application-layer exploitation.

Email Threats 🚨 Critical

Approximately 10.12% of all processed email traffic was flagged as malicious.

  • The "So What?": In network intelligence, a 1-in-10 malicious email ratio is exceptionally high. This volume suggests a coordinated, automated campaign rather than opportunistic spam. Given the regional context, these are highly likely to be targeted phishing attempts, credential-harvesting links, or malware-laden attachments designed to compromise endpoints and bypass perimeter security through human error.

4. FORENSIC INSIGHTS

  • Top Domains & Censorship Evasion (⚠️ Anomalous): Despite heavy regional filtering, the top requested domains are heavily Western-centric: googleapis.com, google.com, facebook.com, instagram.com, and apple.com. Because platforms like Facebook and Instagram are historically blocked in this region, their presence at the top of the traffic requests strongly implies widespread, persistent use of VPNs and proxy networks by the civilian populace to tunnel out of the national intranet.
  • DNS Anomalies (⚠️ Anomalous): The DNS response time (P50) is registering at exactly 0ms. While this can indicate highly efficient local caching, in a heavily monitored region like IR, it frequently points to DNS hijacking or redirection—where local ISPs instantly sinkhole requests to restricted domains before they ever leave the

[Charts: Telemetry Volume (Traffic); Perimeter Defense (L7); Internet Quality (Latency); Routing Instability (BGP)]

Domain Distribution

  • Information Technology: 3.0%
  • Content Servers: 3.0%
  • Social Networks: 2.0%
  • Technology: 2.0%
  • Search Engines: 1.0%

[Chart: Access Vectors (Device): Desktop, Mobile]

Malicious Email Data

  • MALICIOUS: 10.12%
  • NOT_MALICIOUS: 89.88%

Intelligence Archives

  • Mar 19 23:00: DECRYPTED
  • Mar 19 22:00: DECRYPTED
  • Mar 19 21:00: DECRYPTED
  • Mar 19 20:01: DECRYPTED
  • Mar 19 19:00: DECRYPTED

Iranian Infrastructure Monitoring FAQ

Standard Operating Procedures & Public Awareness

Why is Iran network data provided for free by Streamnode?

Streamnode provides baseline regional monitoring for free during periods of significant geopolitical instability or conflict. Our goal is to ensure global visibility into potential infrastructure manipulation, internet shutdowns, or state-sponsored censorship in Iran.

How often is the Iran Sentinel AI analysis updated?

The Streamnode ingestion engine heartbeats every 15 minutes, processing 9 concurrent telemetry streams (including BGP updates, Netflow volume, and Latency spikes) via our Sentinel AI core to produce a new objective intelligence analysis.

Can I monitor internet stability in other regions like Ukraine, Taiwan, or the USA?

Yes. While the Iran dashboard is a public teaser, PRO and Enterprise operators can utilize the parameterized Global Pulse engine to monitor over 90 different countries with high-fidelity charts and full historical forensic archives.

How do I access historical Iranian wartime intelligence reports?

Every 15-minute snapshot is archived in the Intelligence Archives section. These encrypted reports require a PRO Tier clearance to decrypt. This forensic data is critical for researchers and SOC teams tracking long-term infrastructure shifts.