Slashdot Mirror


Iran Blocks VPN Ports

First time accepted submitter Parham90 writes "After the Iranian post-election events that led to massive riots and break-outs through the world, the Iranian government started blocking all social websites, including Facebook, YouTube, Orkut, MySpace and Twitter. The Iranians, however, started using VPN (virtual private network) connections to bypass censorship. Since Thursday, September 30, 2011, all VPN ports have however been blocked, in the first attempt to start what the Iranian government calls the 'National Internet.'"

25 of 134 comments

  1. Good luck with that... by afxgrin · · Score: 2

    I wonder how far the censorship has to go before we see months of endless street protests again? If they ever expect anything like this to work, they should never have allowed their citizens to be in possession of the technology to begin with. They have an entire generation of people that grew up with cell phones, computers and the internet. There is no hope in hell of this working in the long term.

  2. The subject is the article I'm responding to by jidar · · Score: 2

    "The Net interprets censorship as damage and routes around it." -- John Gilmore

    They will just move to using other ports.

    --
    Sigs are awesome huh?
  3. Re:All 65k+ of them? by GameboyRMH · · Score: 3, Informative

    They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

    Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  4. Re:This is why... by GameboyRMH · · Score: 2

    You're absolutely right - in theory. In practice, not so much. I addressed this point below:

    http://yro.slashdot.org/comments.pl?sid=2463106&cid=37625236

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  5. Use OpenVPN by kandresen · · Score: 4, Interesting

    OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that block VPN communication.

    1. Re:Use OpenVPN by Anonymous Coward · · Score: 2, Informative

      OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that block VPN communication.

      OpenVPN has not functioned properly in Iran for a while now, on any port. The same goes for Syria.

    2. Re:Use OpenVPN by cdp0 · · Score: 5, Informative

      OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that block VPN communication.

      OpenVPN was blocked even in 2010. No protocol (UDP or TCP) and port combination worked. Both normal and static key configuration were detected and blocked.

      tcpdump showed a short packet exchange between the client and the server, and after that the connection completely died. Subsequent tries on the same protocol and port were completely blocked too (probably blacklisted).

      Even so, I find it weird that OpenVPN was blocked while PPTP was allowed. Maybe they had/have a way of attacking PPTP?

      What worked back then and might still work is SSH (including tunneling). With access to a server outside Iran and a bit of imagination many things can be done with SSH tunneling.

  6. Information can't be blocked by captainpanic · · Score: 2

    Governments have tried that since the 15th-16th century, and failed every time.

    1. Re:Information can't be blocked by shutdown -p now · · Score: 2

      Define "failed". USSR, for example, was quite successful at it for most of its existence. Oh sure, there was a leak here and there, but it had to run against a massive government propaganda campaign. End result is that most citizens were quite convinced that things are much better for them than they were in practice.

  7. It's somehow done by Parham90 · · Score: 4, Interesting

    Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)

    1. Re:It's somehow done by Parham90 · · Score: 3, Insightful

      I do have my connection encrypted now, but not through VPN. *smile*

    2. Re:It's somehow done by Anonymous Coward · · Score: 2, Insightful

      More power to the people of Iran. You make the Internets proud.

      But, still, please be careful.

    3. Re:It's somehow done by Parham90 · · Score: 3, Informative

      I have tried SSH tunneling. Right now, that's how I am encrypting my connection. I've tried OpenVPN and PPTP and IPsec, and also L2TP. These are blocked (as far as I can gather). Haven't tried connecting to non-standard ports, however.

  8. Re:It's time to invade. by orphiuchus · · Score: 3, Insightful

    The problem is it's actually the minority that wants freedom. Seriously.

    Iran's rural population is huge, and it's made up of what basically amount to Muslim rednecks. They're the morons who keep assholes in power, and they probably all support this idea.

  9. Re:All 65k+ of them? by ledow · · Score: 4, Informative

    Hell, I once saw a VPN that rewrote its traffic to use ICMP messages and other nefarious means of communication in order to transmit packets.

    It'd probably look odd if you KNEW to look at that individual's connection but the chances of finding *every* way that encrypted data can be slipped into another datastream are incredibly minimal.

    Hell, VPN-over-HTTP-proxy is very common.

  10. As Mr. Universe would say... by Moheeheeko · · Score: 2

    Can't stop the signal.

  11. Re:All 65k+ of them? by Hatta · · Score: 2, Insightful

    You don't just need to circumvent the block. You need to circumvent a block in a way that the authorities can't detect.

    --
    Give me Classic Slashdot or give me death!
  12. Re:It's time to invade. by Hatta · · Score: 2

    The problem is it's actually the minority that wants freedom. Seriously.

    America and Iran have more in common than they'd like to admit.

    --
    Give me Classic Slashdot or give me death!
  13. Re:This is why... by scubamage · · Score: 3, Informative

    Unless I'm completely misunderstanding your comment, it doesn't matter what port it's running on at all. Unless Iran is doing some seriously deep packet inspection, it's not going to look "suspicious." If you set your VPN peer to use port 80, it's no longer an unencrypted HTTP port, it's a VPN port. 80 being HTTP is just a standard, but like everything, standards can be bent when necessary. As for doing DPI on every single IP device generating IP traffic into/out of the country, good farking luck. It'll basically wreck their international telecom systems since most of those should be IP based by this point. DPI + UDP = crap audio.

  14. Re:All 65k+ of them? by scubamage · · Score: 2

    I don't envy the guy hired to look at every ICMP packet for an entire country. About the only way he could remain sane is if he was autistic since they tend to be really good at tasks like that.

  15. Wrong Info by I'm Not There (1956) · · Score: 4, Informative

    The summary says Iran started internet censorship after the election and people started using VPN from then. No, it's not like that. First, internet censorship goes back at least 7 or 8 years, IIRC. Long before the election. Second, anti-censorship tools have always been changing in all these years. VPN is just the main tool of most people now, but even two years ago (right after the election) few people knew VPN and used other tools. So, things look tough, but it's not that we are going to lose our connection with the world. We always find a solution. Even right now I'm using a PPTP VPN and if you see this comment it works well. The only solution to prevent people from accessing sites the government doesn't like would be to shut down the internet connection with the outside world completely. And I hope they won't do that, at least not for long.

    --
    "If fifty million people say a foolish thing, it's still a foolish thing."
  16. Definition of "freedom" by Quila · · Score: 2, Insightful

    To many, it means the freedom to worship Allah without being offended by anybody.

    For example, that Mohammed cartoon violated their freedom. Seeking to have it suppressed did not violate the author's freedom, since freedom of speech is defined within the framework of what is acceptable to Allah.

  17. Re:It's time to invade. by Securityemo · · Score: 2, Insightful

    It's not fundamentally a problem of freedom, but of good and evil. Sharia law must be wiped from the planet; it is IMHO abhorrently evil. On the other hand, killing everyone living in such societies sort of misses the point, doesn't it?

    --
    Emotions! In your brain!
  18. From a NOC perspective by cpghost · · Score: 5, Informative

    I'm working at the Network Operation Center (NOC) of a major Tier-1 backbone operator, and I'm somewhat familiar with the Nokia-Siemens DPI software used in some places of the world, including Iran. And guess what? I'm NOT surprised that they were able to block VPN traffic, even encrypted one at this point.

    Unencrypted VPN traffic is incredibly easy to flag anyway, and even the handshake of popular encrypted VPN tunnels has a pattern that's predictable enough to be quite effective. I don't need to point out that ALL ports are affected. Switching to another port is basically useless in this context.

    All this DPI doesn't require huge CPU processing power, as one would naively expect; since it (currently) happens only at the beginning of a session (yes, including UDP). And that is currently the Achilles' heel of this filter: if you initiate a "harmless" (as in allowed-by-policy) connection, and switch to encryption a couple of 10k packets later, you slip right through the firewall. Try it. If it doesn't work, they've upgraded to a new release and had to invest heavily in additional routers.

    --
    cpghost at Cordula's Web.
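As an added illustration (not code from any commenter on this page), the check below shows why the port is irrelevant to the session-start DPI that cpghost describes and that cdp0 observed as a short exchange before the connection died: it recognises the OpenVPN control hard-reset exchange purely from packet structure, and correlates both directions to avoid single-byte false positives. It assumes the plain OpenVPN control-packet layout without tls-auth/tls-crypt; all packets are constructed samples, not captured traffic.

```python
"""Flow classifier for the OpenVPN hard-reset handshake (constructed samples, no tls-auth)."""
import struct

# OpenVPN wire format: first byte = (opcode << 3) | key_id.
HARD_RESET_CLIENT_V2 = 7   # 0x38 on the wire with key_id 0
HARD_RESET_SERVER_V2 = 8   # 0x40 on the wire with key_id 0


def parse_reset(payload: bytes):
    """Parse a control hard-reset: opcode/key byte, 8-byte session id, 1-byte ack count,
    4-byte ack ids, remote session id (only if acks > 0), 4-byte packet id. None if no match."""
    if len(payload) < 14:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    # A hard reset opens a fresh session, so key_id is 0; the opcode alone would
    # misfire on e.g. an HTTP "G" (0x47 -> opcode 8, key_id 7).
    if opcode not in (HARD_RESET_CLIENT_V2, HARD_RESET_SERVER_V2) or key_id != 0:
        return None
    acks = payload[9]
    off = 10 + 4 * acks
    remote = payload[off:off + 8] if acks else b""
    off += 8 if acks else 0
    if len(payload) < off + 4:
        return None
    return {"opcode": opcode, "session": payload[1:9], "remote": remote}


def strip_tcp_frame(data: bytes) -> bytes:
    """OpenVPN over TCP prefixes every packet with a 2-byte big-endian length."""
    (plen,) = struct.unpack("!H", data[:2])
    return data[2:2 + plen]


def classify_flow(client_first: bytes, server_first: bytes, tcp: bool = False) -> str:
    """Verdict from the first packet in each direction; the port is never consulted."""
    if tcp:
        client_first, server_first = strip_tcp_frame(client_first), strip_tcp_frame(server_first)
    c, s = parse_reset(client_first), parse_reset(server_first)
    if c and c["opcode"] == HARD_RESET_CLIENT_V2:
        # Strong match only when the server reset echoes the client's session id.
        if s and s["opcode"] == HARD_RESET_SERVER_V2 and s["remote"] == c["session"]:
            return "openvpn-handshake"
        return "openvpn-client-reset-only"   # weak: one-direction signatures can false-positive
    return "other"


# Constructed samples (session ids are arbitrary test values).
CSID, SSID = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
CLIENT_RESET = bytes([HARD_RESET_CLIENT_V2 << 3]) + CSID + b"\x00" + b"\x00" * 4
SERVER_RESET = bytes([HARD_RESET_SERVER_V2 << 3]) + SSID + b"\x01" + b"\x00" * 4 + CSID + b"\x00" * 4
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HTTP_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(classify_flow(CLIENT_RESET, SERVER_RESET))   # openvpn-handshake, on any UDP port
    print(classify_flow(struct.pack("!H", 14) + CLIENT_RESET, struct.pack("!H", 26) + SERVER_RESET, tcp=True))
    print(classify_flow(HTTP_GET, HTTP_200))            # other
```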
  19. what about iodine by WhiteDragon · · Score: 2

    Iodine is IP over DNS. Since it is actually the DNS protocol (and not just using the DNS ports), it might not be susceptible to Deep Packet Inspection. However, it could presumably still be detected.

    --
    Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?