Iran Blocks VPN Ports

First time accepted submitter Parham90 writes "After the Iranian post-election events that led to massive riots and break-outs through the world, the Iranian government started blocking all social websites, including Facebook, Youtube, Orkut, MySpace and Twitter. The Iranians, however, started using VPN (virtual private network) connections to bypass censorship. Since Thursday, September 30, 2011, all VPN ports have however been blocked, in the first attempt to start what the Iranian government calls the 'National Internet.'"

This is why...

[GameboyRMH]

I run my VPN server on port 80.

Re:This is why...

Yeah, encrypted traffic over the unencrypted http port. That's not suspicious at all. Better to use 443 where at least they're expecting encryption, and if you use OpenVPN, it won't look dissimilar from https.

Re:This is why...

[GameboyRMH]

You're absolutely right - in theory. In practice, not so much. I addressed this point below:

http://yro.slashdot.org/comments.pl?sid=2463106&cid=37625236

Re:This is why...

[scubamage]

Unless I'm completely misunderstanding your comment, it doesn't matter what port its running on at all. Unless Iran is doing some seriously deep packet inspection, its not going to look "suspiscious." If you set your VPN peer to use port 80, its no longer an unencrypted HTTP port, its a VPN port. 80 being http is just a standard, but like everything, standards can be bent when necessary. As for doing DPI on every single IP device generating IP traffic into/out of the country, good farking luck. It'll basically wreck their international telecomm systems since most of those should be IP based by this point. DPI + UDP = crap audio.

Re:This is why...

[GameboyRMH]

He's assuming that Iran is doing seriously deep packet inspection on everything. Which in theory is a good assumption, but in practice rarely happens.

Re:This is why...

[scubamage]

Agreed - the amount of hardware they'd require to be able to do that without incurring significant delay EVERYWHERE would be incredible. If they're going on a port by port approach, that's not going to stop anyone who seriously has any interest in communicating.

Re:This is why...

[smash]

You're assuming iran has a decently fast internet backbone. I suspect it doesn't, and that a half-decent major ISP level deep packet inspection device would be sufficient for the country.

Re:This is why...

[Alarash]

Some people do this in hardware now with no performance impact (DPI is traditionally very processor intensive). They don't look at things in term of TCP anymore, but by application. You can block, say, Facebook and Twitter but allow RMTPT (Flash video streaming over HTTP). And you can easily block any traffic on port 80 that you don't recognize as HTTP. This exists because people used to do protocol tunneling to circumvent traditional firewalls (HTTP in DNS over UDP for example). Modern DPI devices are designed to detect those creative methods with no performance (and therefore delay) impact.

You do need a lot of hardware, but not as much as 3 years ago. And when you have a government-sized budget for this, nothing is impossible.

I hate mentioning only Palo Alto, but in my knowledge (I'm a network test equipment vendor employee - I test the performance of these devices for a living) they are the only ones to do that in hardware. Checkpoint does the exact same thing but as far as I know it's not done in hardware - they do claim it has no performance impact but I haven't had a chance to test this myself.

Gartner published a report (here hosted by PA, reg. unfortunately required) that goes over all these challenges. I'm fairly sure somebody in Iran read this report and implemented it.

Re:This is why...

Iran is in FACT doing deep packet inspection since 2007. They can detect traffic type and block it on any port. When I was in Iran I tested other ports and it would immediately block the traffic.

I visited one of the filtering sites in 2006 and they had around 30 Racks of filtering devices there. The deep packet inspection slows down the traffic and adds considerable lag and delay.

I suspect that in addition to deep packet inspection they also run some type of data analysis on some of the protocols (like smtp etc.). This is in addition to intelligent web filtering of course.

Re:This is why...

[scubamage]

It would still be pretty intensive to fully de-encapsulate all the way up to layer 6/7 to see the type of traffic though. Although I had seen some routers demo'd a few months ago which only look at the first packet or two in a dialog, determine the type of payload, and then let the rest of the stream pass unmolested. That might be possible? Not sure if they had intended to do something like this with them. (source)

Re:This is why...

[scubamage]

I think you may be wrong - I highly doubt all of their cell phone carriers are operating their backbones over TDM, it'd be a massive waste of bandwidth. That means an IP network - that means big pipes carrying lots of UDP and RTP data. Given the huge Persian diaspora and (pardon if I offend) the typical closeness of Persian families, I think they'd be sending a fairly significant amount of data both in and out of the country.

Re:This is why...

[Dunbal]

It might be suspicious, but I dare you to block it at the ISP level.

Re:This is why...

[spazdor]

Let the stegano/cryptography arms race commence. Sorry, Iran, but the Church-Turing thesis guarantees you're not going to win this one.

All 65k+ of them?

[siddesu]

It is impressive they still manage to run Internet services then.

Re:All 65k+ of them?

[GameboyRMH]

They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

Re:All 65k+ of them?

Doesn't matter. Run it as an unencrypted connection over port 80 and just encrypt the traffic prior to transmission. Easy-peasy. It's basically impossible to block an encrypted channel so long as ANY form of communication is allowed.

Re:All 65k+ of them?

[ledow]

Hell, I once saw a VPN that rewrote its traffic to use ICMP messages and other nefarious means of communication in order to transmit packets.

It'd probably look odd if you KNEW to look at that individual's connection but the chances of finding *every* way that encrypted data can be slipped into another datastream are incredibly minimal.

Hell, VPN-over-HTTP-proxy is very common.

Re:All 65k+ of them?

[GameboyRMH]

Um...how is this any different? The only real difference between encrypted and unencrypted connections as far as an intercepting party is concerned is that one makes sense while the other looks like garbage. If you wrote an AJAX app that used PKI to do encryption at the application layer there would only be slight technical differences in the traffic going through that firewalls could easily be modified to pick up on.

Re:All 65k+ of them?

[Hatta]

You don't just need to circumvent the block. You need to circumvent a block in a way that the authorities can't detect.

Re:All 65k+ of them?

[scubamage]

I don't envy the guy hired to look at every ICMP packet for an entire country. About the only way he could remain sane is if he was autistic since they tend to be really good at tasks like that.

Re:All 65k+ of them?

[jrbrtsn]

Thank goodness for ipv6. Now you can run all services on port 80 and just assign a different ip address for each one!

Re:All 65k+ of them?

Devils advocate:

If a country took a stance where any non-conforming packet sent by someone was grounds for arrest and jail (which isn't that far-fetched), their censors may not find all the packets (especially with newer VPN mechanisms that use "spread-spectrum" transmission techniques where stuff is sent over DNS, ICMP, etc.) However, if a lot of packets that can't be decoded come from an individual, the local police are notified to pay the person a visit and relieve them of their computer, their freedom, and possibly their life.

Re:All 65k+ of them?

[sosume]

They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

How about putting the entire nation's network behind a giant proxy, configured to disallow streams? that would effectively block everything but http..

Re:All 65k+ of them?

[GameboyRMH]

I don't see how that would help, there are VPNs that can mimic HTTP/HTTPS...I've even run one like that over a GPRS connection which doesn't allow streams by its very nature.

Re:All 65k+ of them?

even if you automated this, wouldn't a DoS attack against... anything you wish, make this system slow down to a halt or just drop?

I mean, inspecting a huge number of packets is hard, even if we only scan fishy ones, you could just dos with those.

Re:All 65k+ of them?

I would agree if everything I knew about autism had been learned from Rainman.

Re:All 65k+ of them?

[GameboyRMH]

True, depends how many data centers the government is willing to build...

Re:All 65k+ of them?

[scubamage]

You may want to look into the research, AC.

Re:All 65k+ of them?

[wmac1]

You do not need to check 65k things. You just check every single packet to see what port it is and whether the content matches that port. That's in fact what they currently do (and have done since 2007). One of their sites which I visited in 2006 contained 30 racks of filtering equipments.

Re:All 65k+ of them?

[tlhIngan]

Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

A number of VPNs these days use HTTPS (443). It's called SSL VPN and you can get access points from the usual vendors (Cisco, Sonicwall, etc). They're all the rage these days as they start up as normal HTTPS connections (and you can use it with a web browser at the very minimum - no client required).

Reason for this is many corporate networks have started blocking everything but 80/443. When you're visiting a customer with their network set up that way, being able to VPN over HTTPS is extremely valuable. Especially since it goes through NAT easily as well.

Re:All 65k+ of them?

So? We'd simply send each packet with a HTTP header stating that itâ(TM)s a picture, and add a JPEG header too, if we have to. Or as base-64-encoded plain text. Or even steganography inside images.

Hell, if we have to, we can generate sentences that are grammatically correct, could make sense, and still encode data is their (e.g. first) letters, then post them via Twitter.

Sorry, this will not ever work. Ever.
The only way that would work is to block *everything* by default, and then only open connections to trustworthy systems. (But don't tell them that.) (Also, in practice that's really the same thing as shutting down all of the Internet. So it *will* cause riots!

Re:All 65k+ of them?

[Parham90]

Yes. I hear SSTP works very nicely. However, I haven't been able to figure out a way to test it yet.

Re:All 65k+ of them?

NSTX uses Dns requests to a domain you control. This utilizes the DNS infrastructure already designed to support DNS requests. Use with SSH and you can say a big fuck you to the controlling entity of your choice. It has pretty much the same requirements as ICMPTX for the terminating side excepting a nameserver record for a domain under your control.

Re:All 65k+ of them?

In other news, Iranian authorities saw a sudden resurgence of interest in people playing Quake III Arena online ;)

http://caia.swin.edu.au/cv/szander/publications/lcn08covertgames.pdf

Re:All 65k+ of them?

But but but the headline says they "block the ports". All of them.

Re:All 65k+ of them?

[Lehk228]

counter with a VPN tunnel that formats it's messages as HTTP GET commands, with the GET URI being the send and the reply as the receive

if paranoid such exchanges could be coded in the form of words rather than hex data, it would be slower to process but almost impossible for a network monitor to find or filter without breaking all internet access

Re:All 65k+ of them?

I don't envy the guy hired to look at every ICMP packet for an entire country. About the only way he could remain sane is if he was autistic since they tend to be really good at tasks like that.

Sending a very large amount of ping flood, on a very large scale, would probably cripple that too... Either they must hire more autistics than the country has, or the people they do hire will probably explode.

Re:All 65k+ of them?

[Geminii]

He doesn't even see the code any more. He just sees blonde, brunette, Goatse...

Just switch it off completely

See how well that worked for Egypt?

Good luck with that...

[afxgrin]

I wonder how far the censorship has to go before we see months of endless street protests again? If they ever expect anything like this to work, they should never have allowed their citizens to be in possession of the technology to begin with. They have an entire generation of people that grew up with cell phones, computers and the internet. There is no hope in hell of this working in the long term.

Re:Good luck with that...

If you think street protests matter much, think again. All it takes is one helicopter with a couple hellfire missiles and a high RPM cannon, and what was a street protest is a mass grave.

In reality, revolution is pretty much impossible. Egypt appears to have just swapped one tyrannical master for another. It doesn't take much for another Kent State to happen if protests happen at a college, and protesters know that -- the whole 60s era of protesting completely ground to a halt when people realized they may be used as target practice with live rounds.

Re:Good luck with that...

[MightyMartian]

I don't think Egypt swapped anything, to be honest with you. The Army always ran the show. They were content to let Mubarak be the frontman, but ultimately it wasn't street protests that knocked Mubarak down, it was the Army saying "Well, you're of no use to us anymore."

Re:Good luck with that...

All it takes is one helicopter with a couple hellfire missiles and a high RPM cannon, and what was a street protest is a mass grave.

That'd require Iran to have soldiers willing to mass murder their own citizens, including women in the crowd. There's a reason this doesn't happen very often in real life; most militaries are extremely unwilling to mass murder their own countrymen, to the extent that if such an order is given, it outright triggers an armed revolution, complete with large chunks of the military defecting. That's essentially what happened in Egypt; the military refused to fire, then backed the protesters.

In the last round of protests, Iran had to import outsiders to do most of the beating. That should serve as a pretty strong indicator that the military wouldn't do it. (If I recall correctly, the only local group that was part of the beatings were the religious police, but they have only small arms, not attack helicopters). Iran isn't Afghanistan; they aren't a bunch of sharply divided tribes willing to shoot their own neighbors.

The subject is the article I'm responding to

[jidar]

"The Net interprets censorship as damage and routes around it." -- John Gilmore

They will just move to using other ports.

Re:The subject is the article I'm responding to

Censorship interprets the net as damage and routes around it.

Re:The subject is the article I'm responding to

[fph+il+quozientatore]

You forgot the "in soviet Russia" part.

Re:The subject is the article I'm responding to

Changing ports does nothing if they use deep packet inspection.

Re:The subject is the article I'm responding to

[gandhi_2]

In Soviet China, The censors interpret internets as damage and wall around it. -- me

Re:The subject is the article I'm responding to

I'll give you a deep packet injection

Re:The subject is the article I'm responding to

You can't use DPI on encrypted streams. You could potentially build a heuristic to find patterns (or the lack thereof) inherent in encrypted streams, but you would get a ton of false positives, and it would be expensive as fuck.

Re:The subject is the article I'm responding to

That's because I wasn't trying to be funny.

All ports?

[kju]

This sounds like nonsense. There are VPN providers on non-standard ports. If you have your own server and a spare IP, you can even use some netfilter rewrite magic to allow connection on ANY port of that IP which is helpful in a lot of situations.

Place is full of muslims

Who gives a fuck

Use OpenVPN

[kandresen]

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

Re:Use OpenVPN

[malraid]

+1 for OpenVPN

Re:Use OpenVPN

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

OpenVPN has not functioned properly in Iran for a while now, on any port. The same goes for Syria.

Re:Use OpenVPN

[NevarMore]

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

How is OpenVPN not detected as regular VPN communication?
Does it have its own signatures and patterns which are detectable?

Re:Use OpenVPN

[cdp0]

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

OpenVPN was blocked even in 2010. No protocol (UDP or TCP) and port combination worked. Both normal and static key configuration were detected and blocked.

tcpdump showed a short packet exchange between the client and the server, and after that the connection completely died. Subsequent tries on the same protocol and port were completely blocked too (probably blacklisted).

Even so, I find it weird that OpenVPN was blocked while PPTP was allowed. Maybe they had/have a way of attacking PPTP ?

What worked back then and might still work is SSH (including tunneling). With access to a server outside Iran and a bit of imagination many things can be done with SSH tunneling.

Re:Use OpenVPN

[scubamage]

I'm trying to find out more of what they're blocking... TLS? L2TP? PPTP? IPSEC? These are all styles of VPN, and even more exist. I highly doubt they're blocking them all.

Re:Use OpenVPN

[GameboyRMH]

OpenVPN has a mode that can mimic HTTPS, but even then it isn't foolproof.

Re:Use OpenVPN

[Parham90]

Yes, SSH tunneling is what I'm using right now. Still, VPNs would be much easier to use when you have multiple application needing to be proxified (yes, you can use Proxifier too, but VPN is as easy as plug-and-play).

Re:Use OpenVPN

[Myuu]

L2TP, PPTP, IPSEC.

Re:Use OpenVPN

[Anthony+Mouse]

I would have thought this would work pretty well:

1) Install squid on the server in a non-oppressive country
2) ssh user@server -L 3128:localhost:3128
3) Configure the system proxy settings to use localhost on port 3128

Also, there is a (relatively new) VPN feature in OpenSSH. Look at the -w option.

Re:Use OpenVPN

PPTP uses GRE so that is trivial to block.

Re:Use OpenVPN

[gad_zuki!]

This isn't about ports. I'm not sure how it suddenly became about ports (poor writeup?).

Iran uses packet inspection. They're getting good at it. They took down Tor for a little while before those guys found a work around. A lot VPNs don't work in Iran. Lots of things don't work. Simple work arounds like port numbers don't work.

In other words, when your country is a theocratic dictatorship, bad things happen. Considering how Iran is also a police state, there's little to no chance of anything stopping this anytime soon.

Ah religion. Your evil knows no bounds.

Re:Use OpenVPN

[WhiteDragon]

you can also use ssh to provide a generic SOCKS proxy:

ssh -D 1234 some.host.example.com

then just tell your apps to use a SOCKS proxy of localhost, port 1234

There are plenty of SOCKS wrappers for apps that don't have SOCKS code built in.

Re:Use OpenVPN

[blop]

You can actually run a proper VPN with ssh and not just tunnel individual ports:

https://help.ubuntu.com/community/SSH_VPN

This creates a point-to-point layer 2 or 3 tunnel between 2 hosts. This is great for proxying TCP, UDP, ethernet frames...

Re:Use OpenVPN

[OdinOdin_]

With OpenVPN permutate the data with a random IV and CBC XOR derived from a secret key you agree with website (via an independant channel). This will remove markers easily identifiable from the observable stream during the connection/handshake process before payload data is conveyed.

Put an agreed about of fixed or variable length random data on the front of the TCP connection data (just after connect) send in random chunk sizes with random time delays, if using variable length random data this can be encoded in a bit pattern that acts as a premable to indicate the start of the real data. Think like layer 1 signal encoding where it is possible to recover data delimeters ouot of essentially white noise and maintain a 50/50 random zero-bit to one-bit dispersion in the data regardless of what the plaintext data is. Do this in both directions (random length variable data).

So does random data survive the DPI ? or does it detect the protocol from well-known constructs the decide to block ?

Information can't be blocked

[captainpanic]

Governments have tried that since the 15th-16th century, and failed every time.

Re:Information can't be blocked

Except for North Korea, of course.

Re:Information can't be blocked

[shutdown+-p+now]

Define "failed". USSR, for example, was quite successful at it for most of its existence. Oh sure, there was a leak here and there, but it had to run against a massive government propaganda campaign. End result is that most citizens were quite convinced that things are much better for them than they were in practice.

It's somehow done

[Parham90]

Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)

Re:It's somehow done

[L4t3r4lu5]

Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)

Probably shouldn't post this kind of thing over an unencrypted connection.

>_>
<_<
>_>

Re:It's somehow done

[Parham90]

I do have my connection encrypted now, but not through VPN. *smile*

Re:It's somehow done

[scubamage]

If you won't endanger yourself by poking it too much, I'm curious what exactly they blocked. IPSEC, L2TP, PPTP, TLS... there are a ton of possibilities. Heck, you can even proxy everything via SSH if you want.

Re:It's somehow done

On the typical westernized firewalls--corporate included, you often have better luck using 53/DNS for tunneling traffic through. I should caution you though...using a VPN through DNS would pretty much be...immediately obvious...to anyone doing any kind of traffic analysis.

Even if you had a friend set up something like nstx (which would produce valid DNS traffic)--you can 'spot it' fairly routinely if for some reason you had a need to break out wireshark and look at your connection.

Re:It's somehow done

More power to the people of Iran. You make the Internets proud.

But, still, please be careful.

Re:It's somehow done

[Parham90]

I have tried SSH tunneling. Right now, that's how I am encrypting my connection. I've tried OpenVPN and PPTP and IpSec, and also L2TP. These are blocked (as far as I can gather). Haven't tried connecting to non-standard ports, however.

It's time to invade.

Yes. Invade.
Take the side of the people who want freedom. The religious zealots, fascists and other authoritarian types be damned. It's time to liberate Iran.

Re:It's time to invade.

[orphiuchus]

The problem is its actually the minority that wants freedom. Seriously.

Iran's rural population is huge, and its made up of what basically amount to Muslim rednecks. They're the morons who keep assholes in power, and they probably all support this idea.

Re:It's time to invade.

The problem is its actually the minority that wants freedom. Seriously.

Iran's rural population is huge, and its made up of what basically amount to Muslim rednecks. They're the morons who keep assholes in power, and they probably all support this idea.

Then kill them all. Fuck them. It's the 21st century. Time for them to fuck off. The world has bigger problems to deal with. Time these fucktards were stopped from holding the rest of us up.

Seriously. fuck them.

Re:It's time to invade.

[Hatta]

The problem is its actually the minority that wants freedom. Seriously.

America and Iran have more in common than they'd like to admit.

Re:It's time to invade.

[Lunix+Nutcase]

And you're going to enlist to help fight as well, no? Oh wait it's just another basement armchair general blustering about starting wars but too chickenshit to actually do any of the fighting.

Re:It's time to invade.

Kill everybody who wants to stop freedom, you say? What about the Patriotic Act, doesn't it stop freedoms? Should we kill all rednecks because they want to restrict the freedom of Latin Americans to live in the US of A? If we do invade Iran over this, shouldn't we also kill all American soldiers because they want to restrict the freedom of Iranians to choose their leaders?

Seriously. Fuck you.

Re:It's time to invade.

[microbox]

Then kill them all. Fuck them. It's the 21st century. Time for them to fuck off. The world has bigger problems to deal with. Time these fucktards were stopped from holding the rest of us up.

I almost split my spleen laughing at this. You, my friend, are a parody of yourself.

Re:It's time to invade.

with fight with soldiers, vitrify them with some H bombs, the fanatic will respect us after that.

Re:It's time to invade.

First of all, it's a theocracy. Any semblance of democracy is just a dog and pony show. How they got there in the first place was because of the original Iranian revolution. Second. I don't want our soldiers in Iran. But I have no problem waxing them when they cause problems for us outside their nation. For all I care, their entire navy can rest at the bottom of the ocean. Probably for the best anyways.

Re:It's time to invade.

[Securityemo]

It's not fundamentally a problem of freedom, but of good and evil. Sharia law must be wiped from the planet; it is IMHO abhorrently evil. On the other hand, killing everyone living in such societies sort of misses the point, doesn't it?

Re:It's time to invade.

Then kill them all. Fuck them. It's the 21st century. Time for them to fuck off. The world has bigger problems to deal with. Time these fucktards were stopped from holding the rest of us up.
Seriously. fuck them.

(Posting anon because I feed the trolls less that way.)

Democracy is based on the collective freedom of the people to not have decisions imposed upon them by unaccountable parties. By electing their rulers, in theory, the people of democratic societies can always hold the rulers responsible.

And now you advocate the use of force (pretty much the strongest form of imposition) to make a nation free? To impose a system whose characteristic is the relative absence of imposition? If you think a little longer, I'm sure you'll see the contradiction.

Re:It's time to invade.

He/she/it won't. In many people's minds, "$REGIME" (meaning "what we have over here in $MYCOUNTRY") is the only possible way to live. Therefore, if people are living under a different regime, they must have been forced to live like that; they must be freed by force.

If $REGIME=theocracy and $MYCOUNTRY=Iran, you have the extremist muslims. If $REGIME=democracy and $MYCOUNTRY=USA, you have extreme right-wing Americans. They are one and the same in their shortsightedness and lack of perspective.

Re:It's time to invade.

All those damn minorities stealing, not working... yup.

Re:It's time to invade.

[shutdown+-p+now]

Sharia law must be wiped from the planet

How do you kill an idea?

As Mr. Universe would say...

[Moheeheeko]

Can't stop the signal.

Re:As Mr. Universe would say...

[Geminii]

Sword-o-gram!

change to port 80 and 443

[lechiffre5555]

Run your VPN over port 80 and 443 let them block those as well. They may as well just switch it all off at the mains and be done with it.

Re:change to port 80 and 443

[WhiteDragon]

Run your VPN over port 80 and 443 let them block those as well. They may as well just switch it all off at the mains and be done with it.

Well, as other posters have pointed out, Iran is using Deep Packet Inspection, so they don't care about port numbers, just about the type of data that's being sent. I'm kind of surprised that according to some posters, they aren't blocking ssh.

How long before...

...They block off good old Port 80?

Wrong Info

[I'm+Not+There+(1956)]

The summary says Iran started internet censorship after the election and people started using VPN from then. No, it's not like that. First, internet censorship goes back to at 7 or 8 years, IIRC. Long before the election. Second, anti-censorship tools have always been changing in all these years. VPN is just the main tool of most of people now, but even two years ago (right after election) few people knew VPN and used other tools. So, things look tough, but it's not that we are going to lose our connection with the world. We always find a solution. Even right now I'm using a PPTP VPN and if you see this comment it works well. The only solution to prevent people from accessing sites the government doesn't like would be to shut down internet connection with the outside world completely. And I hope they won't do that, at least not for long.

Re:Wrong Info

[Parham90]

Ah. If that is the message that came across, I'm quite sorry. That was meant to say, "there was censorship, but these social websites were censored since then." Facebook and Youtube weren't censored prior to the elections. The VPN connections, also, gained a wider use after the iTunes store and such were blocked, which happened after the elections. I didn't want to give a long history of what has happened in Iran, so I'm, again, sorry if I came across as incorrect.

Re:Wrong Info

[Parham90]

Also, I'm curious to know how your PPTP still works. Have you changed the port?

Re:Wrong Info

[I'm+Not+There+(1956)]

Talking in public about these is not a good idea (specially that you're name in the story links directly to your Gmail address), but no, I didn't have to change the port. It stopped working last week, but that was for a few days only. Anyway, I suggest that you never rely on only one anti-censorship solution. Have a handful of them at your disposal, and switch to another when one of them doesn't work.

Definition of "freedom"

[Quila]

To many, it means the freedom to worship Allah without being offended by anybody.

For example, that Mohammed cartoon violated their freedom. Seeking to have it suppressed did not violate the author's freedom, since freedom of speech is defined within the framework of what is acceptable to Allah.

Blocked all vpn ports?

[Lando]

Ummm, so does that mean they shut down their internet entirely? Port 80 is simple enough to use or even daresay a little perl script using email, yeah the latency sucks, but still works. Getting past port blocking is pretty simple.

Hmmm, sending traffic through stenography via email attachments would be interesting. Wonder how long it would take to code that up.

Re:Blocked all vpn ports?

[smash]

read up on deep packet inspection

Re:Blocked all vpn ports?

[Misanthropy]

Not sure how translating everything into shorthand would help much, I'm sure the Iranians have a few people around who can read it.

Steganography might be fun to try, though ;)

Re:Blocked all vpn ports?

[Lando]

All that deep packet inspection means is that you have to create another protocol to transfer information that they are either unfamiliar with or that they classify as something else.

Just block these people on the ITAR list

[zoomshorts]

Have done with idiots who dismiss human rights. Cut them off totally from the internet. Why allow opressive regiems to exist at all? It CAN be done by sanctions etc. Do business with these people and get blocked too.
Want to whine about human rights? Wait until these countries give a shit and THEN allow them into the human race, not before!

censorship

[Oswald+McWeany]

Gosh... wouldn't it be simpler if they just cut off everyone's fingers so they couldn't type... and cut out their tongues so the couldn't talk. Oh and poke out their eyes so they can't see sign languate... oh and rip off their ears so they can't hear... and... ... or how about they realise that talk and speech is inevitable and trying to censor it only makes yourself unpopular and your demise as ruler more likely.

Re:censorship

cut off everyone's fingers so they couldn't type

and poke out their eyes so they can't see sign languate

Why poke out their eyes if their fingers are already cut off? So they can't see palm stubs waiving around?

Re:censorship

[gtall]

Now, now. Sharia law does not condone any of those...unless the sentence dutifully made by a registered mullah, imam, or any other anal retentive neurotic nostalgic for the good old days of medieval torture.

Re:censorship

[Parham90]

LOL! Guys, you might want to start ducking when you start a religious argument. As for myself, *slides safely under his desk*

Re:censorship

[Oswald+McWeany]

Even if they had no fingers you'd still need to poke their eyes out so that they can't read what others in other countries have written/typed.

Admittedly it would be hard to navigate the web or turn pages in a book without any fingers.

Amazing that '1984' arrived in unexpected places

[Cragen]

When I was in high school, in the 70's, we "studied" the book "1984". We all assumed, I assume, that "1984" would happen in Russia or in a bizarro America. I do not remember anyone suggesting that religion would be the driver. ( I don't include the Chinese government in this particular assumption as China, to me, seems to have simply re-introduced the feudal system for the masses with a "ruling committee" replacing the emperor at the top.) What a mess.

OpenVPN does NOT work in Iran

Just so this is absolutely clear: OpenVPN does NOT work in Iran. It does not work on any port, both tcp and udp mode, I've tested this extensively with multiple individuals in the country, the connection is cut off almost immediately upon establishment. Syria suffers from the same problem. OpenVPN isn't a magic protocol, it's being blocked just like all the rest.

https tunnels?

[smash]

Or they're going to block internet banking now?

Re:https tunnels?

[cpghost]

How many of them are doing online banking with foreign banks anyway? If they blocked encrypted traffic at the international peering point(s), it wouldn't break their internal internet banking system at all.

Re:https tunnels?

[Parham90]

This seems to have happened, in fact. I can access HTTPS inside of Iran, but accessing Google AdWords, for example, over https is impossible.

Re:https tunnels?

[Geminii]

Or just insist that all internet banking go through bank sites hosted on country-internal servers.

From a NOC perspective

[cpghost]

I'm working at the Network Operation Center (NOC) of a major Tier-1 backbone operator, and I'm somewhat familiar with the Nokia-Siemens DPI software used in some places of the world, including Iran. And guess what? I'm NOT surprised that they were able to block VPN traffic, even encrypted one at this point.

Unencrypted VPN traffic is incredibly easy to flag anyway, and even the handshake of popular encrypted VPN tunnels has a pattern that's predictable enough to be quite effective. I don't need to point out that ALL ports are affected. Switching to another port is basically useless in this context.

All this DPI doesn't require huge CPU processing power, as one would naively expect; since it (currently) happens only at the beginning of a session (yes, including UDP). And that is currently the Achilles' heel of this filter: if you initiate a "harmless" (as in allowed-by-policy) connection, and switch to encryption a couple of 10k packets later, you slip right through the firewall. Try it. If it doesn't work, they've upgraded to a new release and had to invest heavily in additional routers.

Re:From a NOC perspective

[djradon]

mod parent up. i guess, as an earlier poster mentioned, we need steganographic vpns. openVPN feature request? Thought these were interesting:

STEGAN0GRAPHY APPLIED 0N NETW0RK SESSi0NS AND NEiGHB0URH00D
http://www.s0ftpj.org/bfi/dev/en/BFi12-dev-10-en

what about iodine

[WhiteDragon]

Iodine is IP over DNS. Since it is actually the DNS protocol (and not just using the DNS ports), it might not be susceptible to Deep Packet Inspection. However, it could presumably still be detected.

Steganography?

[LocalH]

Looks like it's time for a VPN that uses stego. Sure, it might slow the connection down quite a bit, but if it's the difference between no access and (ideally almost undetectable) access, it'll have to do.

Do they inspect pigeons?

[Ghakan]

Just use IP over Avian Carriers. Sure, latency is a bitch, but otherwise it's probably safer.

Shooting themselves in the foot, they do.

[Fusselwurm]

Question is, to what extent does a "national internet" affect the economy? I know my productivity at least would drop seriously w/o global communication channels. But then, I'm not Iranian.

Socks with multiple listeners

My Socks proxy listens on multiple ports, including DNS, SMTP, POP, POPS, IMAP, IMAPS, HTTP, HTTPS and a few other ports where it would not be expected, precisely to avoid these kind of blockades. So I can travel pretty much anywhere in the world and always find my way onto the public net.

National Internet?

"National Internet" = Intranet

Bizarro america?

It's happening in real america.

just

step 1. make VPN only site that glorifies Allah and Islam

step 2. make sure its ONLY accessible via these blocked ports

step 3. condemn those doing the blocking as enemies of Islam and Allah

Step 4. sharpen the beheading axe and wait for things to kick off

Tunnel over Skype Chat?

[mla_anderson]

I know Skype isn't open source, but I also know that Skype is good at getting through all sorts of blocks, and I know that Skype works in Iran. Since Skype text chats can be automated with their development API couldn't you Base 64 encode packets and send them via Skype to an endpoint outside the country?

I guess this would work with pretty much any text based chat application that is successful at getting out of , even SMS.

What is more democratic?

[luk3Z]

What is more democratic: Block VPN Ports [Iran] or seizure domain [USA] ?

Iran dosn't mean what it says.

[EricTheO]

I don't think they meant "National Internet", what they meant to say was "National Intranet".

SSH too?

I wonder if port 22 is blocked too. That would block a lot of legitimate traffic. In 2010 I was in Iran and back then it was possible to evade all censorship by creating a socks5 proxy over ssh to my server in my home country. I needed to update my linkedin profile, which was blocked.

change the port !

[Jimpqfly]

Simple solution : change the port to 80 or 443 server side...

when the national internet is established

i guess ahmadinejad will mud wrestle gore for the title of "inventor of the internet"?