Iran Blocks VPN Ports

First time accepted submitter Parham90 writes "After the Iranian post-election events that led to massive riots and break-outs through the world, the Iranian government started blocking all social websites, including Facebook, Youtube, Orkut, MySpace and Twitter. The Iranians, however, started using VPN (virtual private network) connections to bypass censorship. Since Thursday, September 30, 2011, all VPN ports have however been blocked, in the first attempt to start what the Iranian government calls the 'National Internet.'"

This is why...

[GameboyRMH]

I run my VPN server on port 80.

Re:This is why...

[GameboyRMH]

You're absolutely right - in theory. In practice, not so much. I addressed this point below:

http://yro.slashdot.org/comments.pl?sid=2463106&cid=37625236

Re:This is why...

[scubamage]

Unless I'm completely misunderstanding your comment, it doesn't matter what port its running on at all. Unless Iran is doing some seriously deep packet inspection, its not going to look "suspiscious." If you set your VPN peer to use port 80, its no longer an unencrypted HTTP port, its a VPN port. 80 being http is just a standard, but like everything, standards can be bent when necessary. As for doing DPI on every single IP device generating IP traffic into/out of the country, good farking luck. It'll basically wreck their international telecomm systems since most of those should be IP based by this point. DPI + UDP = crap audio.

Re:This is why...

[GameboyRMH]

He's assuming that Iran is doing seriously deep packet inspection on everything. Which in theory is a good assumption, but in practice rarely happens.

Re:This is why...

[scubamage]

Agreed - the amount of hardware they'd require to be able to do that without incurring significant delay EVERYWHERE would be incredible. If they're going on a port by port approach, that's not going to stop anyone who seriously has any interest in communicating.

Re:This is why...

[smash]

You're assuming iran has a decently fast internet backbone. I suspect it doesn't, and that a half-decent major ISP level deep packet inspection device would be sufficient for the country.

Re:This is why...

[Alarash]

Some people do this in hardware now with no performance impact (DPI is traditionally very processor intensive). They don't look at things in term of TCP anymore, but by application. You can block, say, Facebook and Twitter but allow RMTPT (Flash video streaming over HTTP). And you can easily block any traffic on port 80 that you don't recognize as HTTP. This exists because people used to do protocol tunneling to circumvent traditional firewalls (HTTP in DNS over UDP for example). Modern DPI devices are designed to detect those creative methods with no performance (and therefore delay) impact.

You do need a lot of hardware, but not as much as 3 years ago. And when you have a government-sized budget for this, nothing is impossible.

I hate mentioning only Palo Alto, but in my knowledge (I'm a network test equipment vendor employee - I test the performance of these devices for a living) they are the only ones to do that in hardware. Checkpoint does the exact same thing but as far as I know it's not done in hardware - they do claim it has no performance impact but I haven't had a chance to test this myself.

Gartner published a report (here hosted by PA, reg. unfortunately required) that goes over all these challenges. I'm fairly sure somebody in Iran read this report and implemented it.

Re:This is why...

[scubamage]

It would still be pretty intensive to fully de-encapsulate all the way up to layer 6/7 to see the type of traffic though. Although I had seen some routers demo'd a few months ago which only look at the first packet or two in a dialog, determine the type of payload, and then let the rest of the stream pass unmolested. That might be possible? Not sure if they had intended to do something like this with them. (source)

Re:This is why...

[scubamage]

I think you may be wrong - I highly doubt all of their cell phone carriers are operating their backbones over TDM, it'd be a massive waste of bandwidth. That means an IP network - that means big pipes carrying lots of UDP and RTP data. Given the huge Persian diaspora and (pardon if I offend) the typical closeness of Persian families, I think they'd be sending a fairly significant amount of data both in and out of the country.

Re:This is why...

[Dunbal]

It might be suspicious, but I dare you to block it at the ISP level.

Re:This is why...

[spazdor]

Let the stegano/cryptography arms race commence. Sorry, Iran, but the Church-Turing thesis guarantees you're not going to win this one.

All 65k+ of them?

[siddesu]

It is impressive they still manage to run Internet services then.

Re:All 65k+ of them?

[GameboyRMH]

They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

Re:All 65k+ of them?

[ledow]

Hell, I once saw a VPN that rewrote its traffic to use ICMP messages and other nefarious means of communication in order to transmit packets.

It'd probably look odd if you KNEW to look at that individual's connection but the chances of finding *every* way that encrypted data can be slipped into another datastream are incredibly minimal.

Hell, VPN-over-HTTP-proxy is very common.

Re:All 65k+ of them?

[GameboyRMH]

Um...how is this any different? The only real difference between encrypted and unencrypted connections as far as an intercepting party is concerned is that one makes sense while the other looks like garbage. If you wrote an AJAX app that used PKI to do encryption at the application layer there would only be slight technical differences in the traffic going through that firewalls could easily be modified to pick up on.

Re:All 65k+ of them?

[Hatta]

You don't just need to circumvent the block. You need to circumvent a block in a way that the authorities can't detect.

Re:All 65k+ of them?

[scubamage]

I don't envy the guy hired to look at every ICMP packet for an entire country. About the only way he could remain sane is if he was autistic since they tend to be really good at tasks like that.

Re:All 65k+ of them?

[jrbrtsn]

Thank goodness for ipv6. Now you can run all services on port 80 and just assign a different ip address for each one!

Re:All 65k+ of them?

[sosume]

They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

How about putting the entire nation's network behind a giant proxy, configured to disallow streams? that would effectively block everything but http..

Re:All 65k+ of them?

[GameboyRMH]

I don't see how that would help, there are VPNs that can mimic HTTP/HTTPS...I've even run one like that over a GPRS connection which doesn't allow streams by its very nature.

Re:All 65k+ of them?

[GameboyRMH]

True, depends how many data centers the government is willing to build...

Re:All 65k+ of them?

[scubamage]

You may want to look into the research, AC.

Re:All 65k+ of them?

[wmac1]

You do not need to check 65k things. You just check every single packet to see what port it is and whether the content matches that port. That's in fact what they currently do (and have done since 2007). One of their sites which I visited in 2006 contained 30 racks of filtering equipments.

Re:All 65k+ of them?

[tlhIngan]

Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

A number of VPNs these days use HTTPS (443). It's called SSL VPN and you can get access points from the usual vendors (Cisco, Sonicwall, etc). They're all the rage these days as they start up as normal HTTPS connections (and you can use it with a web browser at the very minimum - no client required).

Reason for this is many corporate networks have started blocking everything but 80/443. When you're visiting a customer with their network set up that way, being able to VPN over HTTPS is extremely valuable. Especially since it goes through NAT easily as well.

Re:All 65k+ of them?

[Parham90]

Yes. I hear SSTP works very nicely. However, I haven't been able to figure out a way to test it yet.

Re:All 65k+ of them?

[Lehk228]

counter with a VPN tunnel that formats it's messages as HTTP GET commands, with the GET URI being the send and the reply as the receive

if paranoid such exchanges could be coded in the form of words rather than hex data, it would be slower to process but almost impossible for a network monitor to find or filter without breaking all internet access

Re:All 65k+ of them?

[Geminii]

He doesn't even see the code any more. He just sees blonde, brunette, Goatse...

Good luck with that...

[afxgrin]

I wonder how far the censorship has to go before we see months of endless street protests again? If they ever expect anything like this to work, they should never have allowed their citizens to be in possession of the technology to begin with. They have an entire generation of people that grew up with cell phones, computers and the internet. There is no hope in hell of this working in the long term.

Re:Good luck with that...

[MightyMartian]

I don't think Egypt swapped anything, to be honest with you. The Army always ran the show. They were content to let Mubarak be the frontman, but ultimately it wasn't street protests that knocked Mubarak down, it was the Army saying "Well, you're of no use to us anymore."

The subject is the article I'm responding to

[jidar]

"The Net interprets censorship as damage and routes around it." -- John Gilmore

They will just move to using other ports.

Re:The subject is the article I'm responding to

Censorship interprets the net as damage and routes around it.

Re:The subject is the article I'm responding to

[fph+il+quozientatore]

You forgot the "in soviet Russia" part.

Re:The subject is the article I'm responding to

Changing ports does nothing if they use deep packet inspection.

Re:The subject is the article I'm responding to

[gandhi_2]

In Soviet China, The censors interpret internets as damage and wall around it. -- me

All ports?

[kju]

This sounds like nonsense. There are VPN providers on non-standard ports. If you have your own server and a spare IP, you can even use some netfilter rewrite magic to allow connection on ANY port of that IP which is helpful in a lot of situations.

Use OpenVPN

[kandresen]

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

Re:Use OpenVPN

[malraid]

+1 for OpenVPN

Re:Use OpenVPN

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

OpenVPN has not functioned properly in Iran for a while now, on any port. The same goes for Syria.

Re:Use OpenVPN

[NevarMore]

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

How is OpenVPN not detected as regular VPN communication?
Does it have its own signatures and patterns which are detectable?

Re:Use OpenVPN

[cdp0]

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

OpenVPN was blocked even in 2010. No protocol (UDP or TCP) and port combination worked. Both normal and static key configuration were detected and blocked.

tcpdump showed a short packet exchange between the client and the server, and after that the connection completely died. Subsequent tries on the same protocol and port were completely blocked too (probably blacklisted).

Even so, I find it weird that OpenVPN was blocked while PPTP was allowed. Maybe they had/have a way of attacking PPTP ?

What worked back then and might still work is SSH (including tunneling). With access to a server outside Iran and a bit of imagination many things can be done with SSH tunneling.

Re:Use OpenVPN

[scubamage]

I'm trying to find out more of what they're blocking... TLS? L2TP? PPTP? IPSEC? These are all styles of VPN, and even more exist. I highly doubt they're blocking them all.

Re:Use OpenVPN

[GameboyRMH]

OpenVPN has a mode that can mimic HTTPS, but even then it isn't foolproof.

Re:Use OpenVPN

[Parham90]

Yes, SSH tunneling is what I'm using right now. Still, VPNs would be much easier to use when you have multiple application needing to be proxified (yes, you can use Proxifier too, but VPN is as easy as plug-and-play).

Re:Use OpenVPN

[Myuu]

L2TP, PPTP, IPSEC.

Re:Use OpenVPN

[Anthony+Mouse]

I would have thought this would work pretty well:

1) Install squid on the server in a non-oppressive country
2) ssh user@server -L 3128:localhost:3128
3) Configure the system proxy settings to use localhost on port 3128

Also, there is a (relatively new) VPN feature in OpenSSH. Look at the -w option.

Re:Use OpenVPN

[gad_zuki!]

This isn't about ports. I'm not sure how it suddenly became about ports (poor writeup?).

Iran uses packet inspection. They're getting good at it. They took down Tor for a little while before those guys found a work around. A lot VPNs don't work in Iran. Lots of things don't work. Simple work arounds like port numbers don't work.

In other words, when your country is a theocratic dictatorship, bad things happen. Considering how Iran is also a police state, there's little to no chance of anything stopping this anytime soon.

Ah religion. Your evil knows no bounds.

Re:Use OpenVPN

[WhiteDragon]

you can also use ssh to provide a generic SOCKS proxy:

ssh -D 1234 some.host.example.com

then just tell your apps to use a SOCKS proxy of localhost, port 1234

There are plenty of SOCKS wrappers for apps that don't have SOCKS code built in.

Re:Use OpenVPN

[blop]

You can actually run a proper VPN with ssh and not just tunnel individual ports:

https://help.ubuntu.com/community/SSH_VPN

This creates a point-to-point layer 2 or 3 tunnel between 2 hosts. This is great for proxying TCP, UDP, ethernet frames...

Re:Use OpenVPN

[OdinOdin_]

With OpenVPN permutate the data with a random IV and CBC XOR derived from a secret key you agree with website (via an independant channel). This will remove markers easily identifiable from the observable stream during the connection/handshake process before payload data is conveyed.

Put an agreed about of fixed or variable length random data on the front of the TCP connection data (just after connect) send in random chunk sizes with random time delays, if using variable length random data this can be encoded in a bit pattern that acts as a premable to indicate the start of the real data. Think like layer 1 signal encoding where it is possible to recover data delimeters ouot of essentially white noise and maintain a 50/50 random zero-bit to one-bit dispersion in the data regardless of what the plaintext data is. Do this in both directions (random length variable data).

So does random data survive the DPI ? or does it detect the protocol from well-known constructs the decide to block ?

Information can't be blocked

[captainpanic]

Governments have tried that since the 15th-16th century, and failed every time.

Re:Information can't be blocked

Except for North Korea, of course.

Re:Information can't be blocked

[shutdown+-p+now]

Define "failed". USSR, for example, was quite successful at it for most of its existence. Oh sure, there was a leak here and there, but it had to run against a massive government propaganda campaign. End result is that most citizens were quite convinced that things are much better for them than they were in practice.

It's somehow done

[Parham90]

Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)

Re:It's somehow done

[L4t3r4lu5]

Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)

Probably shouldn't post this kind of thing over an unencrypted connection.

>_>
<_<
>_>

Re:It's somehow done

[Parham90]

I do have my connection encrypted now, but not through VPN. *smile*

Re:It's somehow done

[scubamage]

If you won't endanger yourself by poking it too much, I'm curious what exactly they blocked. IPSEC, L2TP, PPTP, TLS... there are a ton of possibilities. Heck, you can even proxy everything via SSH if you want.

Re:It's somehow done

More power to the people of Iran. You make the Internets proud.

But, still, please be careful.

Re:It's somehow done

[Parham90]

I have tried SSH tunneling. Right now, that's how I am encrypting my connection. I've tried OpenVPN and PPTP and IpSec, and also L2TP. These are blocked (as far as I can gather). Haven't tried connecting to non-standard ports, however.

Re:It's time to invade.

[orphiuchus]

The problem is its actually the minority that wants freedom. Seriously.

Iran's rural population is huge, and its made up of what basically amount to Muslim rednecks. They're the morons who keep assholes in power, and they probably all support this idea.

As Mr. Universe would say...

[Moheeheeko]

Can't stop the signal.

Re:As Mr. Universe would say...

[Geminii]

Sword-o-gram!

change to port 80 and 443

[lechiffre5555]

Run your VPN over port 80 and 443 let them block those as well. They may as well just switch it all off at the mains and be done with it.

Re:change to port 80 and 443

[WhiteDragon]

Run your VPN over port 80 and 443 let them block those as well. They may as well just switch it all off at the mains and be done with it.

Well, as other posters have pointed out, Iran is using Deep Packet Inspection, so they don't care about port numbers, just about the type of data that's being sent. I'm kind of surprised that according to some posters, they aren't blocking ssh.

Re:It's time to invade.

[Hatta]

The problem is its actually the minority that wants freedom. Seriously.

America and Iran have more in common than they'd like to admit.

Re:It's time to invade.

[Lunix+Nutcase]

And you're going to enlist to help fight as well, no? Oh wait it's just another basement armchair general blustering about starting wars but too chickenshit to actually do any of the fighting.

Re:It's time to invade.

[microbox]

Then kill them all. Fuck them. It's the 21st century. Time for them to fuck off. The world has bigger problems to deal with. Time these fucktards were stopped from holding the rest of us up.

I almost split my spleen laughing at this. You, my friend, are a parody of yourself.

Wrong Info

[I'm+Not+There+(1956)]

The summary says Iran started internet censorship after the election and people started using VPN from then. No, it's not like that. First, internet censorship goes back to at 7 or 8 years, IIRC. Long before the election. Second, anti-censorship tools have always been changing in all these years. VPN is just the main tool of most of people now, but even two years ago (right after election) few people knew VPN and used other tools. So, things look tough, but it's not that we are going to lose our connection with the world. We always find a solution. Even right now I'm using a PPTP VPN and if you see this comment it works well. The only solution to prevent people from accessing sites the government doesn't like would be to shut down internet connection with the outside world completely. And I hope they won't do that, at least not for long.

Re:Wrong Info

[Parham90]

Ah. If that is the message that came across, I'm quite sorry. That was meant to say, "there was censorship, but these social websites were censored since then." Facebook and Youtube weren't censored prior to the elections. The VPN connections, also, gained a wider use after the iTunes store and such were blocked, which happened after the elections. I didn't want to give a long history of what has happened in Iran, so I'm, again, sorry if I came across as incorrect.

Re:Wrong Info

[Parham90]

Also, I'm curious to know how your PPTP still works. Have you changed the port?

Re:Wrong Info

[I'm+Not+There+(1956)]

Talking in public about these is not a good idea (specially that you're name in the story links directly to your Gmail address), but no, I didn't have to change the port. It stopped working last week, but that was for a few days only. Anyway, I suggest that you never rely on only one anti-censorship solution. Have a handful of them at your disposal, and switch to another when one of them doesn't work.

Definition of "freedom"

[Quila]

To many, it means the freedom to worship Allah without being offended by anybody.

For example, that Mohammed cartoon violated their freedom. Seeking to have it suppressed did not violate the author's freedom, since freedom of speech is defined within the framework of what is acceptable to Allah.

Re:It's time to invade.

[Securityemo]

It's not fundamentally a problem of freedom, but of good and evil. Sharia law must be wiped from the planet; it is IMHO abhorrently evil. On the other hand, killing everyone living in such societies sort of misses the point, doesn't it?

Blocked all vpn ports?

[Lando]

Ummm, so does that mean they shut down their internet entirely? Port 80 is simple enough to use or even daresay a little perl script using email, yeah the latency sucks, but still works. Getting past port blocking is pretty simple.

Hmmm, sending traffic through stenography via email attachments would be interesting. Wonder how long it would take to code that up.

Re:Blocked all vpn ports?

[smash]

read up on deep packet inspection

Re:Blocked all vpn ports?

[Misanthropy]

Not sure how translating everything into shorthand would help much, I'm sure the Iranians have a few people around who can read it.

Steganography might be fun to try, though ;)

Re:Blocked all vpn ports?

[Lando]

All that deep packet inspection means is that you have to create another protocol to transfer information that they are either unfamiliar with or that they classify as something else.

censorship

[Oswald+McWeany]

Gosh... wouldn't it be simpler if they just cut off everyone's fingers so they couldn't type... and cut out their tongues so the couldn't talk. Oh and poke out their eyes so they can't see sign languate... oh and rip off their ears so they can't hear... and... ... or how about they realise that talk and speech is inevitable and trying to censor it only makes yourself unpopular and your demise as ruler more likely.

Re:censorship

[gtall]

Now, now. Sharia law does not condone any of those...unless the sentence dutifully made by a registered mullah, imam, or any other anal retentive neurotic nostalgic for the good old days of medieval torture.

Re:censorship

[Parham90]

LOL! Guys, you might want to start ducking when you start a religious argument. As for myself, *slides safely under his desk*

Re:censorship

[Oswald+McWeany]

Even if they had no fingers you'd still need to poke their eyes out so that they can't read what others in other countries have written/typed.

Admittedly it would be hard to navigate the web or turn pages in a book without any fingers.

Amazing that '1984' arrived in unexpected places

[Cragen]

When I was in high school, in the 70's, we "studied" the book "1984". We all assumed, I assume, that "1984" would happen in Russia or in a bizarro America. I do not remember anyone suggesting that religion would be the driver. ( I don't include the Chinese government in this particular assumption as China, to me, seems to have simply re-introduced the feudal system for the masses with a "ruling committee" replacing the emperor at the top.) What a mess.

https tunnels?

[smash]

Or they're going to block internet banking now?

Re:https tunnels?

[cpghost]

How many of them are doing online banking with foreign banks anyway? If they blocked encrypted traffic at the international peering point(s), it wouldn't break their internal internet banking system at all.

Re:https tunnels?

[Parham90]

This seems to have happened, in fact. I can access HTTPS inside of Iran, but accessing Google AdWords, for example, over https is impossible.

Re:https tunnels?

[Geminii]

Or just insist that all internet banking go through bank sites hosted on country-internal servers.

From a NOC perspective

[cpghost]

I'm working at the Network Operation Center (NOC) of a major Tier-1 backbone operator, and I'm somewhat familiar with the Nokia-Siemens DPI software used in some places of the world, including Iran. And guess what? I'm NOT surprised that they were able to block VPN traffic, even encrypted one at this point.

Unencrypted VPN traffic is incredibly easy to flag anyway, and even the handshake of popular encrypted VPN tunnels has a pattern that's predictable enough to be quite effective. I don't need to point out that ALL ports are affected. Switching to another port is basically useless in this context.

All this DPI doesn't require huge CPU processing power, as one would naively expect; since it (currently) happens only at the beginning of a session (yes, including UDP). And that is currently the Achilles' heel of this filter: if you initiate a "harmless" (as in allowed-by-policy) connection, and switch to encryption a couple of 10k packets later, you slip right through the firewall. Try it. If it doesn't work, they've upgraded to a new release and had to invest heavily in additional routers.

Re:From a NOC perspective

[djradon]

mod parent up. i guess, as an earlier poster mentioned, we need steganographic vpns. openVPN feature request? Thought these were interesting:

STEGAN0GRAPHY APPLIED 0N NETW0RK SESSi0NS AND NEiGHB0URH00D
http://www.s0ftpj.org/bfi/dev/en/BFi12-dev-10-en

what about iodine

[WhiteDragon]

Iodine is IP over DNS. Since it is actually the DNS protocol (and not just using the DNS ports), it might not be susceptible to Deep Packet Inspection. However, it could presumably still be detected.

Steganography?

[LocalH]

Looks like it's time for a VPN that uses stego. Sure, it might slow the connection down quite a bit, but if it's the difference between no access and (ideally almost undetectable) access, it'll have to do.

Do they inspect pigeons?

[Ghakan]

Just use IP over Avian Carriers. Sure, latency is a bitch, but otherwise it's probably safer.

Shooting themselves in the foot, they do.

[Fusselwurm]

Question is, to what extent does a "national internet" affect the economy? I know my productivity at least would drop seriously w/o global communication channels. But then, I'm not Iranian.

Tunnel over Skype Chat?

[mla_anderson]

I know Skype isn't open source, but I also know that Skype is good at getting through all sorts of blocks, and I know that Skype works in Iran. Since Skype text chats can be automated with their development API couldn't you Base 64 encode packets and send them via Skype to an endpoint outside the country?

I guess this would work with pretty much any text based chat application that is successful at getting out of , even SMS.

Re:It's time to invade.

[shutdown+-p+now]

Sharia law must be wiped from the planet

How do you kill an idea?

change the port !

[Jimpqfly]

Simple solution : change the port to 80 or 443 server side...