Slashdot Mirror

← Back to Stories (view on slashdot.org)

Iran Blocks VPN Ports

Posted by timothy on from the why-do-you-hate-freedom dept.

First time accepted submitter Parham90 writes "After the Iranian post-election events that led to massive riots and break-outs through the world, the Iranian government started blocking all social websites, including Facebook, Youtube, Orkut, MySpace and Twitter. The Iranians, however, started using VPN (virtual private network) connections to bypass censorship. Since Thursday, September 30, 2011, all VPN ports have however been blocked, in the first attempt to start what the Iranian government calls the 'National Internet.'"

2 of 134 comments (clear)

  1. Re:Use OpenVPN by cdp0 · · Score: 5, Informative

    OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

    OpenVPN was blocked even in 2010. No protocol (UDP or TCP) and port combination worked. Both normal and static key configuration were detected and blocked.

    tcpdump showed a short packet exchange between the client and the server, and after that the connection completely died. Subsequent tries on the same protocol and port were completely blocked too (probably blacklisted).

    Even so, I find it weird that OpenVPN was blocked while PPTP was allowed. Maybe they had/have a way of attacking PPTP ?

    What worked back then and might still work is SSH (including tunneling). With access to a server outside Iran and a bit of imagination many things can be done with SSH tunneling.

  2. From a NOC perspective by cpghost · · Score: 5, Informative
    I'm working at the Network Operation Center (NOC) of a major Tier-1 backbone operator, and I'm somewhat familiar with the Nokia-Siemens DPI software used in some places of the world, including Iran. And guess what? I'm NOT surprised that they were able to block VPN traffic, even encrypted one at this point.

    Unencrypted VPN traffic is incredibly easy to flag anyway, and even the handshake of popular encrypted VPN tunnels has a pattern that's predictable enough to be quite effective. I don't need to point out that ALL ports are affected. Switching to another port is basically useless in this context.

    All this DPI doesn't require huge CPU processing power, as one would naively expect; since it (currently) happens only at the beginning of a session (yes, including UDP). And that is currently the Achilles' heel of this filter: if you initiate a "harmless" (as in allowed-by-policy) connection, and switch to encryption a couple of 10k packets later, you slip right through the firewall. Try it. If it doesn't work, they've upgraded to a new release and had to invest heavily in additional routers.

    --
    cpghost at Cordula's Web.