What we saw on Iranian networks in February 2026
Two new Iranian DPI patterns and how hardened mode closes both.
Context
On February 7 Iran started another round of tightened filtering. The state traditionally cuts parts of the internet against the backdrop of internal events. For us the sanity check is simple: a sharp drop in successful connections from our IR cohort.
Pattern #1: UDP drop, wholesale
First we saw QUIC-based sessions simply stop establishing. A lab capture confirmed it: nothing passes, and UDP to our port doesn't reach the edge node. TCP works.
Fix: auto-fallback to TCP-based transports (TLS, WebSocket, HTTP/2) after three consecutive failed QUIC attempts. The client switches in ~6 seconds; the user sees "picking a strategy".
Pattern #2: TLS SNI sniff + blacklist
The TCP handshake completes, the TLS ClientHello leaves, the ServerHello comes back, then — RST exactly 1.2 seconds later. Why 1.2? Likely a Python/Go script on a middlebox that parses the ClientHello, extracts the SNI, and checks it against a blacklist.
Fix: domain fronting with SNI swapped for Cloudflare/Akamai-owned domains. We already had the capability; we just turned it on by default for the IR cohort.
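The two fixes above can be read as one decision over recent connection attempts. The sketch below is an added example, not our client's code: the Attempt record, the strategy names, and the MIN_RST_SAMPLES and RST_JITTER_S thresholds are assumptions; only the three-failure limit and the 1.2-second delay come from this post.

```python
from statistics import pstdev
from typing import NamedTuple, Optional

QUIC_FAIL_LIMIT = 3    # from the post: three consecutive failed QUIC attempts
MIN_RST_SAMPLES = 3    # assumption: resets needed before calling it a pattern
RST_JITTER_S = 0.05    # assumption: spread that still counts as a fixed timer

class Attempt(NamedTuple):
    """One connection attempt (hypothetical telemetry record)."""
    transport: str                       # "quic", "tls", "websocket" or "h2"
    ok: bool
    rst_delay_s: Optional[float] = None  # ServerHello -> RST gap, if reset

def next_strategy(attempts):
    """Return "quic", "tcp" or "tcp+fronting" for the next attempt."""
    quic_streak = 0
    rst_delays = []
    for a in attempts:
        if a.transport == "quic":
            # Pattern #1: only *consecutive* failures count; a success resets.
            quic_streak = 0 if a.ok else quic_streak + 1
        elif not a.ok and a.rst_delay_s is not None:
            # Pattern #2 evidence: handshake reached ServerHello, then RST.
            rst_delays.append(a.rst_delay_s)
    # Ordinary resets arrive at scattered times; a middlebox on a timer
    # produces near-identical delays (1.2 s in the post).
    fixed_timer = (len(rst_delays) >= MIN_RST_SAMPLES
                   and pstdev(rst_delays) <= RST_JITTER_S)
    if fixed_timer:
        return "tcp+fronting"
    if quic_streak >= QUIC_FAIL_LIMIT:
        return "tcp"
    return "quic"

# Constructed sample: QUIC blackholed, then TLS reset ~1.2 s after ServerHello.
SAMPLE = ([Attempt("quic", False)] * 3 +
          [Attempt("tls", False, d) for d in (1.20, 1.21, 1.19)])

if __name__ == "__main__":
    print(next_strategy(SAMPLE[:2]))   # still trying QUIC
    print(next_strategy(SAMPLE[:3]))   # fall back to TCP
    print(next_strategy(SAMPLE))       # TCP with fronting
```

Checking the spread of the reset delays, rather than just counting resets, keeps ordinary network resets from switching a user to fronting unnecessarily.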
Outcome
By February 11 the p95 connection-success rate in Iran was back to 96%. Hardened mode covers both patterns. Interesting observation — GFW and Iran's DPI look more alike architecturally each year, but the lags and rollout patterns differ. We're baking that into the next adaptive-strategy iteration.