Iran partially blocks encrypted network traffic

by phobos | February 10, 2012

Over the past two days we've been hearing from, and working with, a number of Iranians having difficulty using Tor from inside Iran. It seems the Iranian government has ramped up censorship in three ways: deep packet inspection (dpi) of SSL traffic, selective blocking of IP Address and TCP port combinations, and some keyword filtering. For instance, they have partially blocked access to Tor's website, torproject.org, via IP address (such as 86.59.30.36) and port 443 (which is the HTTPS port). The third level of blocking is by keywords, such as searching for the word 'tor' via regular, non-encrypted search engine websites.

The blocks on SSL are not complete and not nationwide. Where blocking is in place, initial investigations show they are identifying the beginning of the SSL handshake and simply interrupting the handshake. We continue to research and investigate solutions with the assumption that SSL will eventually be blocked nationwide inside Iran. Our goal is to defeat their dpi signatures and allow tor to work by default.

The Iran Media Program has posted their thoughts on what is happening from a journalist's perspective.

So far, it seems the majority of Tor users are not affected by these blocks. Iran is still the #2 country based on direct usage, https://metrics.torproject.org/users.html?graph=direct-users&country=ir…. This number is on the decline, however.

More details to follow as we have them.

Update 2011-02-10 18:05 UTC: We are working on making our obfuscating proxy more stable and easier to deploy. If you can compile code, following these directions will help. We're also working on Amazon EC2 instances of obfsproxy for point and click deployment.

circumvention

Comments

Please note that the comment area below has been archived.

How can the random dude help

How can the random dude help out? Set-up a relay? Minimize our own client traffic? Let us know please!

sounds like a good question.

sounds like a good question. what about this option of helping censored users reach the Tor network? will this work properly?

parsa from iran! i just red

parsa from iran! i just red this.and what you guys are doing is a great help to millions of youngster who just want to fill free. every one pays a lot monthly just to use a VPN or SOCKS to enter the websites they have block

FALSE information Iran in

FALSE information
Iran in connection with the work site torproject.org

Controlled today by a friend who lives in iran!

It does not apply to the

It does not apply to the whole country.

It does not apply to any ISP.

Do you understand the

Do you understand the meaning of "partially blocked" and "the blocks on SSL are not complete and not nationwide"?!!

anything we can do?

I hope my country (Israel)

I hope my country (Israel) wont hate cuz im helping them...though i do whats moraly right, but strategy wrong.

You are helping the PEOPLE

You are helping the PEOPLE of Iran, never forget!

The Isreal/Iran disuputes are between governments.
The Iranian people are as much the enemies of the Iranian government as Israel and the US. That is why the Islamic Revolution government is filtering the Internet, because they can't control what people read and are afraid of people making their own decisions - possibly leading to a revolution against the Revolution.

If everyone in Iran could read, have a personal computer and have unfiltered Internet access, that country would enter the 21st century and become an equality, engineering and scientific based society in 10 years.

What you are doing is both ethically and strategically correct :)

Hi thank you for informing

thank you for informing us
i can't get tor to connect(from inside iran)

help us

Hello, im from Iran. Im

Hello, im from Iran.
Im currently using another method to bypass filtering, its fast. but not safe! not a bit of it.

What can I do now?

Everything is blocked here, SOCKS, SSL/TLS, PPTP, IPSec, etc everything encrypted will be blocked after 5 or 6 packets if you can escape from SSL Handshaking blockage. like using pre-shared key in OpenVPN instead of regular TLS key.

Self preservation of a

Self preservation of a regime.

Would it be possible to DDoS

Would it be possible to DDoS the deep-packet-inspecting routers with fake SSL handshake requests, or some partial part of it? Sort of like a TCP-SYN attack at the SSL level, and force them to give up DPI?

In other words, if we know that they are cutting off the handshake at the ServerKeyExchange phase, for example, couldn't we generate large amount fake SSL traffic that stops one step before that, cause the router to hang?

It would be not so easy,

It would be not so easy, moust of theese DPI boxes have a huge throughput rate and shaping techniques. For ex. PRX-10G. If they really use signature like inspection, then maybe people from Iran should try something like tunnelling Tor with httptunnel or udptunnel using compression(not zlib? most of DPI defeats it) not encryption methods.

DO NOT (D)DOS IN ANY

DO __NOT__ (D)DOS IN ANY FORM!
The censor-routers are mainly the ONLY exit route where the whole networkin inside the country get's routed to the internet.
So when they crash, the people won't have any access at all.

If you can identify the

If you can identify the routers that are sending the fraudulent packets.

I don't think it is a good

I don't think it is a good idea to ddos a country like iran. Do you really think you can create such a large number of handshake requests inside iran?

Interesting thought...

Yes and No. There's a good

Yes and No. There's a good chance that they won't stop the DPI, they'll just let the internet slow to a crawl. I believe that happened previously, but I don't recall the country.

Solution: sent tor data over

Solution: sent tor data over unencrypted connections with the usage of steganography. I dont know if someone did this before, but it should be totally possible to encrypt and hide tor packets inside of the normal (unencrypted) http traffic.

Hans (uclan hackers)

For those of us who want to

For those of us who want to setup proxies for Iran, it would help to know their IP address blocks. Is there a list somewhere?

I have setup a obfsproxy on

I have setup a obfsproxy on a VPS but I need tor with obfproxy for ms windows too. how can I get it from a trusted source?

hi.i am from iran.i had try

hi.i am from iran.i had try several time several version of tor bundles but it do not help me to bypass the hard block of ...!
i test ultrasurf,it can be connected but is is too slow via my 1.5mb line!
now i have use the jondo and now i am here with slow speed but enough to do my work!
i hope you release new fixes soon
thanks for support the freedom of speech!

Sorry I should post this in

Sorry I should post this in the ML, but since I currently don't have a [secure] access to my email I post it here:

this is the result of my first try with an apparently running obfs bridge which was mentioned in the ML (I was looking for one since yesterday, and yes, I'm from Iran.)

<br />
[<a href="mailto:me@myhost" rel="nofollow">me@myhost</a> tor-0.2.3.11-alpha]$ src/or/tor<br />
Feb 11 12:15:19.417 [notice] Tor v0.2.3.11-alpha running on Linux x86_64.<br />
Feb 11 12:15:19.417 [notice] Tor can't help you if you use it wrong! Learn how to be safe at <a href="https://www.torproject.org/download/download#warning
Feb" rel="nofollow">https://www.torproject.org/download/download#warning<br />
Feb</a> 11 12:15:19.417 [notice] This version is not a stable Tor release. Expect more bugs than usual.<br />
Feb 11 12:15:19.417 [notice] Read configuration file "/usr/local/etc/tor/torrc".<br />
Feb 11 12:15:19.420 [notice] Initialized libevent version 2.0.16-stable using method epoll (with changelist). Good.<br />
Feb 11 12:15:19.420 [notice] Opening Socks listener on 127.0.0.1:5000<br />
Feb 11 12:15:19.420 [notice] Opening Control listener on 127.0.0.1:9051<br />
Feb 11 12:15:19.000 [notice] No AES engine found; using AES_* functions.<br />
Feb 11 12:15:19.000 [notice] This OpenSSL has a good implementation of counter mode; using it.<br />
Feb 11 12:15:19.000 [notice] OpenSSL OpenSSL 1.0.0g 18 Jan 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation<br />
Feb 11 12:15:19.000 [notice] Reloaded microdescriptor cache.  Found 0 descriptors.<br />
Feb 11 12:15:19.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.<br />
Feb 11 12:15:20.000 [notice] Heartbeat: Tor's uptime is 0:00 hours, with 0 circuits open. I've sent 0 kB and received 0 kB.<br />
Feb 11 12:15:22.000 [notice] Bootstrapped 5%: Connecting to directory server.<br />
Feb 11 12:15:22.000 [notice] Bootstrapped 10%: Finishing handshake with directory server.<br />
Feb 11 12:15:23.000 [warn] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 1; recommendation warn)<br />
Feb 11 12:15:23.000 [warn] 1 connections have failed:<br />
Feb 11 12:15:23.000 [warn]  1 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE<br />
<b>^C</b>Feb 11 12:16:00.000 [notice] Interrupt: exiting cleanly.<br />

Disconnected after a SUCCESSFUL handshake?! I'm not sure if it was a successful one, but at least it was different from when I tried tor without obfs. Normally (without a bridge defined in torrc), it would result as:

<br />
[<a href="mailto:me@myhost" rel="nofollow">me@myhost</a> tor-0.2.3.11-alpha]$ src/or/tor<br />
Feb 11 12:25:35.058 [notice] Tor v0.2.3.11-alpha running on Linux x86_64.<br />
Feb 11 12:25:35.059 [notice] Tor can't help you if you use it wrong! Learn how to be safe at <a href="https://www.torproject.org/download/download#warning
Feb" rel="nofollow">https://www.torproject.org/download/download#warning<br />
Feb</a> 11 12:25:35.059 [notice] This version is not a stable Tor release. Expect more bugs than usual.<br />
Feb 11 12:25:35.059 [notice] Read configuration file "/usr/local/etc/tor/torrc".<br />
Feb 11 12:25:35.061 [notice] Initialized libevent version 2.0.16-stable using method epoll (with changelist). Good.<br />
Feb 11 12:25:35.061 [notice] Opening Socks listener on 127.0.0.1:5000<br />
Feb 11 12:25:35.061 [notice] Opening Control listener on 127.0.0.1:9051<br />
Feb 11 12:25:35.000 [notice] No AES engine found; using AES_* functions.<br />
Feb 11 12:25:35.000 [notice] This OpenSSL has a good implementation of counter mode; using it.<br />
Feb 11 12:25:35.000 [notice] OpenSSL OpenSSL 1.0.0g 18 Jan 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation<br />
Feb 11 12:25:35.000 [notice] Reloaded microdescriptor cache.  Found 0 descriptors.<br />
Feb 11 12:25:35.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.<br />
Feb 11 12:25:36.000 [notice] Bootstrapped 5%: Connecting to directory server.<br />
Feb 11 12:25:36.000 [notice] Heartbeat: Tor's uptime is 0:00 hours, with 1 circuits open. I've sent 0 kB and received 0 kB.<br />
Feb 11 12:25:36.000 [notice] Bootstrapped 10%: Finishing handshake with directory server.<br />
<b>^C</b>Feb 11 12:25:41.000 [notice] Interrupt: exiting cleanly.<br />

(It would stay on "Bootstrapped 10%: Finishing handshake with directory server." if I didn't CTRL+C)

[the same guy as the

[the same guy as the previous comment]

I'm sorry now I see that maybe the server isn't even up! I can't actually ping it!! sorry for the wrong report. I will be trying again and will let you know if it wored for me.

به فارسی بگبن

به فارسی بگبن باید چی کار کنیم

If anything encrypted was

If anything encrypted was really blocked steganography would be the only remaining option.

But I doubt Iran does that or will sustain the block if it currently does so. How do they plan to keep e-commerce and online banking? Haven't banks and corporations in Iran lobbying power just like in any other state?

Ha, for one these crooks could do something just and right (even if only by accident).

No Access to HTTPS.I live

No Access to HTTPS.I live In Tabriz-Iran.since 2/9/2011 We have no access to yahoo messenger-yahoo mail,gmail, hotmail .
As you now facebook is banned and we were connection face book using VPN on sstp or Https prixyservers.
But they are out of functioning too.

Hey, Its good to hear from

Hey,
Its good to hear from the people in Iran.

Also TOR is not working now.

از کجا می شود

از کجا می شود دانلود کرد ؟
خواهشا سریع تر لینک دانلود را قرار دهید

چگونه می شه

چگونه می شه دانلود کنیم ؟

Currently using UltraSurf

Currently using UltraSurf 10.17 from Iran to see this site. My connection is extremely slow. Help me out. I can't connect to my email...

"I hope my country (Israel)

"I hope my country (Israel) wont hate cuz im helping them...though i do whats moraly right, but strategy wrong."

Hi Israeli friend, I am Iranian and I can tell you that what you see on your TV is false. Iranians like Israel and Israeli people, our enemy is the Islamic regime in our country, it is a retrograde force against the culture and identity of Iran, it represents Arab barbarism and not Iranian glory.

Iran and Israel will hopefully be friends some day in the future.

Love from Mohsen, using VPN in Tehran University.

This is exactly, what

This is exactly, what governments are afraid of. I'm writing from Germany and have seen what happens, when the people decide, that they don't need their oppressive regime any more.

I really wish all you guys the freedom and peace that you've been denied far too long.

A government that is afraid

A government that is afraid of facebook , youtube and twitter should go rule a farm not a nation , it's funny when these islamists talk about freedom an Israel which respects its people and their freedom , these islamist guys have to know there will be no tolerance for their islamic intolerance since 1979 till now

An ex-muslim from Iran

i would be very very afraid

i would be very very afraid too of facebook, youtube, google and stuff, due to their privacy policy...(google new policy will be effective march 1...everyone should take a look)
islamist brothers, should understand their nations might be wrong for something, but capitalism and our so called "free nations" are collapsing and actually building up a scary cage for everyone manipulating the economy and controlling people's life while giving them the "illusion" of freedom.

i do not see any freedom around, left or right, black or white.... it is allways the same thing.

Peace.

bridge : 117.202.184.159:443

bridge : 117.202.184.159:443 ADE4272A5C808D78953C3166D1B2E804F50CDCF7

Only a matter of time my

Only a matter of time my friends.

Hi. Im from iran and i

Hi. Im from iran and i really appreciate your work.
Please keep it up.
As i tested various ways of bypassing this with current available tools i found out that the only way that works is https/socks tunneling through an uncommon port.
Hope this helps.

To the israelly guy: im so

To the israelly guy: im so glad hearing you are trying to help us, specially in these days which government is trying to make iranians hate you.
I hope oneday all this ends.

Dear community, I would like

Dear community,

I would like to take this opportunity to remind you that the people of Syria also need your support.

Evidence of the crimes against humanity occurring there, in the form of photos and videos, are the people's only weapon against the regimes in Iran and Syria (which, make no mistake, are one and the same).

On behalf of those without a voice, please take the time to set up relays.

Let the era of the humanist technologist begin.

Lol!For browsing

Lol!For browsing blog.torproject.org I must remove s from https://blog.torproject.org!
I have a question.
Tor is not working , I do run netstat command:
TCP 0.0.0.0: 135
...
TCP 0.0.0.0 :9050
....
[::] :9050

My lan ip is 192.168.1.1.what is this 0.0.0.0 that listening my 9050 port?
I get port 9050 Permission denied when I try running TOR
I must access my Emails.......
It is so funny !believe or not here we wish world powers bomb our country .It seem only way !!
:(

The iranian social networks

The iranian social networks R sharing a new tor and they say it works!
is it safe? I mean is it real?
they give these links : http://fa-blog.torproject.org/onion/73
https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-…

The best way to get free

The best way to get free internet is not to hang routers, but government.

thanks in advance for all

thanks in advance for all you do for the sake of our freedom. maybe it's time for hacktivists like Anonymous to wipe out dpi routers inside Iran if possible. that would be of far more greater help than going after such pointless stuff like attacking facebook like they said they would.

Nima from Iran.

thanks a lot for releasing

thanks a lot for releasing the tor-obfsproxy bundle. but unfortunately it doesn't work for me. here is what i get:

<br />
Feb 12 20:53:44.248 [Notice] Tor v0.2.3.11-alpha-dev (git-64523609c91d9207) running on Linux x86_64.<br />
Feb 12 20:53:44.248 [Notice] Tor can't help you if you use it wrong! Learn how to be safe at <a href="https://www.torproject.org/download/download#warning
Feb" rel="nofollow">https://www.torproject.org/download/download#warning<br />
Feb</a> 12 20:53:44.248 [Notice] This version is not a stable Tor release. Expect more bugs than usual.<br />
Feb 12 20:53:44.248 [Notice] Read configuration file "/home/me/apps/tor-browser_en-US/./Data/Tor/torrc".<br />
Feb 12 20:53:44.248 [Notice] We were compiled with headers from version 2.0.15-stable of Libevent, but we're using a Libevent library that says it's version 2.0.16-stable.<br />
Feb 12 20:53:44.248 [Notice] Initialized libevent version 2.0.16-stable using method epoll (with changelist). Good.<br />
Feb 12 20:53:44.248 [Notice] Opening Socks listener on 127.0.0.1:0<br />
Feb 12 20:53:44.248 [Notice] Socks listener listening on port 56697.<br />
Feb 12 20:53:44.249 [Notice] Opening Control listener on 127.0.0.1:0<br />
Feb 12 20:53:44.249 [Notice] Control listener listening on port 34952.<br />
Feb 12 20:53:44.249 [Notice] Parsing GEOIP file ./Data/Tor/geoip.<br />
Feb 12 20:53:45.374 [Notice] Heartbeat: Tor's uptime is 0:00 hours, with 0 circuits open. I've sent 0 kB and received 0 kB.<br />
Feb 12 20:53:47.375 [Notice] Bootstrapped 5%: Connecting to directory server.<br />
Feb 12 20:53:47.379 [Notice] Bootstrapped 10%: Finishing handshake with directory server.<br />
Feb 12 20:53:49.955 [Notice] Learned fingerprint 7C7DC083FFCFE383268B873D2CB046684B615648 for bridge [...]<br />
Feb 12 20:53:49.955 [Notice] Bootstrapped 15%: Establishing an encrypted directory connection.<br />
Feb 12 20:53:49.975 [Notice] Learned fingerprint 478208B87337CAC2E9391AD7B91D125193D5A641 for bridge [...]<br />
Feb 12 20:53:50.297 [Notice] Bootstrapped 20%: Asking for networkstatus consensus.<br />
Feb 12 20:53:50.412 [Notice] Learned fingerprint 5F88FDA345422B32E1A20F2761182C23CD49EA79 for bridge [...]<br />
Feb 12 20:53:50.618 [Notice] Bootstrapped 50%: Loading relay descriptors.<br />
Feb 12 20:53:50.678 [Notice] Learned fingerprint 9459581B2DA5458D19790C28918CB544B3854C8A for bridge [...]<br />
Feb 12 20:53:51.064 [Notice] new bridge descriptor 'Unnamed' (fresh): $7C7DC083FFCFE383268B873D2CB046684B615648~Unnamed at [...]<br />
Feb 12 20:53:51.065 [Notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.<br />
[snip]<br />
Feb 12 20:54:05.445 [Notice] new bridge descriptor 'Unnamed' (fresh): $478208B87337CAC2E9391AD7B91D125193D5A641~Unnamed at [...]<br />
Feb 12 20:54:05.445 [Notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.<br />

it gets stuck there :(

+some info:

the https has been generally restored (banking websites work, arch wiki works, gmail and yahoo mail don't) but tor still doesnt work. sometimes however (the old version, not the new bundle) it connects successfully (with or wothout bridges enabled) but practically just loads the title of the home page (in rare occasions it manages to laod the complete homepage (check.torproject.org which is a very light page).
Jondo shows a similar behavior recently. (connects but can't do much work)

I think it's worth to note that this morning (12/2) https was restored (perhaps completely) for a couple of hours (starting from about 6:15 AM). During this period, tor (the old (2.2.35) version) was working as before. The interesting bit is that the new tor (0.2.3.11-alpha) and obfsproxy that i had compiled both yesterday worked without the "obfs2" bridges but not when they were enabled. (maybe there was a problem with those two bridges and/or my setup. I'm not sure!). I was getting something like this (a lot of these lines) all of which were after "Tor has successfully opened a circuit. Looks like client functionality is working.":

<br />
Feb 12 06:27:50.000 [notice] We tried for 15 seconds to connect to '[scrubbed]' using exit $24B1F63F7DF9F85D711864811CC401BE5EB5FB9A~lumumba at 77.247.181.163. Retrying on a new circuit.<br />
Feb 12 06:27:50.000 [notice] We tried for 15 seconds to connect to '[scrubbed]' using exit $24B1F63F7DF9F85D711864811CC401BE5EB5FB9A~lumumba at 77.247.181.163. Retrying on a new circuit.<br />
Feb 12 06:28:05.000 [notice] We tried for 15 seconds to connect to '[scrubbed]' using exit $CA1CF70F4E6AF9172E6E743AC5F1E918FFE2B476~spfTOR3 at 62.220.135.129. Retrying on a new circuit.<br />

I hope these will help. keep up the good work ;)

Grab the newer Tor Obfsproxy

Grab the newer Tor Obfsproxy Browser Bundle -- it comes with Vidalia 0.2.17, Tor 0.2.3.12-alpha, and a newer obfsproxy build. Should be available from the same place you got the earlier one.

Get critical information

Get critical information from the NOC (network operations center) and we will oblige. Until then, they are just numbers that we don't know.

I am from Iran I use https

I am from Iran
I use https proxy server and i can connect easily to gmail or any https sites
I use this proxy for tor but tor connection was very slow sometimes

Anonymous has always said

Anonymous has always said that they will NOT attack Facebook, because it is nigh impenetrable, and because social networking infrastructures are a friend of free speech. Anyway, as others have said, attacking the DPI routers would probably only make matters worse.

Iran´s censoring of TOR

Iran´s censoring of TOR traffic seems to have ended. My TOR Server shows a "normal" number of users from Iran
--Salvo

For those who have read this

For those who have read this far in the thread: we have working Tor Obfsproxy Browser Bundles for Windows, OSX, and Linux that work with no config changes in Iran (and China for that matter).

https://www.torproject.org/projects/obfsproxy#download

Mirrors:

http://mit.edu/arma/Public/obfsprxy.exe
http://mit.edu/arma/Public/obfsprxy.exe.asc
http://mit.edu/arma/Public/obfsprxy.torrent

http://mit.edu/arma/Public/obfsprxy_osx.zip
http://mit.edu/arma/Public/obfsprxy_osx.zip.asc
http://mit.edu/arma/Public/obfsprxy_osx.torrent

http://mit.edu/arma/Public/obfsprxy_32bit_linux.tar.gz
http://mit.edu/arma/Public/obfsprxy_32bit_linux.tar.gz.asc
http://mit.edu/arma/Public/obfsprxy_32bit_linux.torrent

http://mit.edu/arma/Public/obfsprxy_64bit_linux.tar.gz
http://mit.edu/arma/Public/obfsprxy_64bit_linux.tar.gz.asc
http://mit.edu/arma/Public/obfsprxy_64bit_linux.torrent

50.19.186.98:443

50.19.186.98:443 5B08F60EDE1827479766C73DE63588B609CF25F4

Oh, This should be the same

Oh, This should be the same old issue... And we're going sick and tired of being in Iran these days. Look what's happening here, I'm using tor for a month and everything was working fine, from last 3 days it seems like something strange is happening that "I cannot post messages or push the LIKE buttons on facebook" do you think that this will be permanent or something ? should I upgrade my version of thor ? please share my any possible trick,
regards from Tehran, Iran.

If the version of Tor

If the version of Tor Browser Bundle you're using tells you to update, you should update it. It's probably because there are Firefox security bugs that you should get fixes for.

See https://blog.torproject.org/blog/obfsproxy-next-step-censorship-arms-ra… if you want to learn more about obfsproxy (which lets Tor work in Iran even when Iran is filtering SSL connections).

It sounds from the above like you're having trouble with some sort of application-level or website-level thing, though, which doesn't (or at least shouldn't) have anything to do with whether you can reach the Tor network from your country.