
THE STATE OF IRANIAN NETWORKING

Morgan Sennhauser

Project Coordinator, NedaNet

July 09, 2009


THE STATE OF IRANIAN NETWORKING
PURPOSE
HISTORY
TRAFFIC MANIPULATION
    Overview
    IP Blocking
    Traffic Classification
    Deep Packet Inspection
    What Else is Possible
    Where Manipulation Occurs
RESPONSE
    Normal Usage
    Special Usage
CONCLUSION

PURPOSE

This document is an examination of the current state of the Internet infrastructure in Iran.
The intended audience is non-technical people who have interest in knowing how, in a general
sense, the government is doing what they are doing, and which methods will work best for
circumvention.

HISTORY

After the election in Iran on June 13th, the Iranian government began to limit civilians' basic
freedoms in strict and unjustifiable ways as allegations of election fraud spread. They prevented
people from protesting peacefully, using batons, teargas, and eventually, automatic weapons. They
cut off land-line and cellular phones, preventing people from contacting their friends and family
in and out of Iran. They also began limiting the Iranian people's access to the Internet.

However, they did not block several sites which proved to be key in helping the Iranian
people get out photographs, video, and their thoughts on the crackdown against protesters. The
most notable site for the torrent of information coming out of Iran was Twitter, where content tags
like #iranelection and #gr88 (Green Revolution 1388, the current year on the Islamic calendar)
took control of the most used tags for over two weeks.

During the early days after the election, as people watched the footage of protesters being
beaten, and became far too familiar with the concept of the Basij militia, they wondered what they
could do.

Initially, it was easy to help. You simply set up a proxy[1], following easily accessible
instructions for doing so, and sent the IP and port of the proxy to one of several volunteers who had
promised to spread the proxies into Iran. Unfortunately, most proxies were quickly blocked,
meaning that it took a constant rush of people setting up proxies on thousands of computers to
keep the lines of communications even partially open.

Obviously, this pace could not be continued indefinitely, and it was becoming clear that this
was going to be a long struggle for the Iranian people. To make matters worse, rumors were
circulating that the Iranians were enabling previously unused hardware, meant to make the
majority of proxies (HTTP proxies specifically) obsolete.

[1] Proxy: a network connection which allows a client to connect to a server by means of an intermediary
connection.
Some examination by networking experts quickly proved these rumors to be true. Put
simply, the Iranian government was now using deep packet inspection (DPI), in addition to
manually blocking IPs and traffic shaping by port and protocol. This left a great number of people
confused as networking gurus struggled to find what solutions might be employed against this
quickly adapting entity.

This document is intended to help explain what methods the Iranian government is
employing to manipulate the traffic of the country, and what could be done to circumvent it.

(A note to the technical: This document is meant to be fairly straightforward, so there may be
things worded in ways which are technically incorrect, but get the point across much more clearly
than a lengthy technical explanation would. However, if there is something explained in a way which
is blatantly incorrect, please inform me.)

TRAFFIC MANIPULATION

Traffic manipulation, in terms of computer networking, is any tampering done to the
information as it is in transit from its origin to its destination.

OVERVIEW

It has been impressive how fast the Iranian government has adapted their filtration and
manipulation of the information coming from and to Iran. They have been able to expand their
efforts in information tampering immensely since the first days after the election, and are
continuing to do so.

While logic would say that there must be some end to the resources they can expend on
limiting communication, it is better to approach the situation with a belief that they have unlimited
resources, so any solution must withstand any technologically feasible reaction.

The following is a brief and nontechnical overview of the methods that the Iranians have
been using to manipulate what communication is possible. It will also share some thoughts about
what will come next.

IP BLOCKING

The first method with which the Iranian government limited communication was simple.
They dropped any packets[2] going to or coming from a given IP address[3]. For example,
www.bbcpersian.com (IP 212.58.253.68) was blocked fairly early on. Any traffic going to or from
that IP would simply be ignored; it would appear to both sides as if the other did not exist. This is
useful for blocking entire servers, for example websites that go against what the Iranian
government says, or computers acting as proxies.

[2] Packet: a packet is the base unit with which information is transmitted.
[3] IP address: this is a computer's address on the Internet; it is how the computer is usually referred to by other machines.
TRAFFIC CLASSIFICATION

Traffic classification, also referred to as Quality of Service (QoS), is the manipulation of
traffic based on protocol and port, and is far more advanced than IP blocking. For example, FTP[4]
occurs via the TCP[5] protocol, typically on port 21. Therefore, if the Iranian government wanted to
throttle all FTP traffic, they could simply limit the bandwidth available across TCP port 21.
Additionally, they can monitor all the traffic on that port, since the majority of it will be file
transfers, so they would be able to detect, for example, if a person is uploading video or images
from a protest. It is also possible to filter by QoS: if they were to monitor port 21, they could
choose to simply drop any traffic that contained the word 'protest'. This form of traffic control is,
as of today, the most widely used, since it is not too resource intensive and is fairly easy to set up.

It would also appear that the degree to which they shape the traffic in this way varies based
on time of day and day of the week. This is most likely to prevent there from being too heavy of
restrictions on normal business operations. However, I have been told that most Iranian
businesses, even those which are branches of international corporations, do not rely heavily on the
Internet for communication, so there may be other reasons that are currently unknown.

DEEP PACKET INSPECTION

Deep Packet Inspection[6], or DPI, is the most thorough kind of traffic manipulation that can
be used. While traffic classification gives a cursory examination of the packet to see where it
originated and where it is going, DPI examines the packet to see what type of content it has. Almost
all digital traffic carries some identifying information that says whether it is HTTP, SSL, FTP, or
another type of traffic. This can be done regardless of port or protocol, meaning that simply setting
up an FTP server to use port 9328 instead of 21 will not protect you from traffic manipulation.

This is the type of filtering which allows the Iranian government to quickly detect and block
proxies, as well as throttle other types of connection. For example, there have been several
attempts to gain functional access into the Iranian Internet infrastructure; however, because of their
thorough packet inspection, we gain only short access before being disconnected.

This is the most resource intensive type of traffic manipulation; however, since the Iranian
government employs the previous two methods in addition, they are not hampered by that.

Additionally, this is the most difficult type of traffic manipulation to circumvent, though
that does not mean it is impossible.

[4] FTP: file transfer protocol, a common way of transferring files with little overhead.
[5] TCP: TCP is one of the main protocols used on the Internet.
[6] Deep packet inspection: The scanning of a packet's header information to determine its contents.
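To make the three stages concrete, the following Python model, added here and not part of the original paper or of NedaNet's work, runs constructed packets through an IP block list, a port-based classifier and a simplified payload fingerprinter. The BBC Persian address is the one cited above; the other addresses, the rule set and the protocol signatures are assumptions for the example. It shows the paper's point directly: moving FTP from port 21 to 9328 escapes the port rule but not the fingerprint, while an encrypted (TLS) payload is recognised as TLS yet yields nothing for a keyword match.

```python
"""Toy model of the three filtering stages described above: IP blocking,
port-based traffic classification, and deep packet inspection (DPI).
Added illustration, not NedaNet's code or any real filtering product; all
packets, addresses (except the cited BBC Persian IP) and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed rule set. 212.58.253.68 is the address the paper gives for
# www.bbcpersian.com; the port and keyword rules follow the paper's FTP example.
BLOCKED_IPS = {"212.58.253.68"}
THROTTLED_PORTS = {21}
DROP_KEYWORDS = (b"protest",)

SEVERITY = {"allow": 0, "throttle": 1, "drop": 2}


def ip_stage(pkt):
    """Stage 1, IP blocking: drop if either endpoint is on the block list."""
    if pkt.src in BLOCKED_IPS or pkt.dst in BLOCKED_IPS:
        return "drop"
    return None


def port_stage(pkt):
    """Stage 2, traffic classification: decide from the port number alone."""
    return "throttle" if pkt.dst_port in THROTTLED_PORTS else None


def protocol_fingerprint(payload):
    """Identify the protocol from the first bytes of the payload, ignoring the port.
    Simplified signatures (assumption); a real DPI engine parses much more carefully."""
    if payload.startswith((b"220 ", b"USER ", b"PASS ", b"STOR ", b"RETR ")):
        return "ftp"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
        return "http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"  # TLS record header: handshake content type, version 3.x
    return "unknown"


def dpi_stage(pkt):
    """Stage 3, DPI: act on content and protocol. A keyword match drops the
    packet; recognised FTP is throttled whatever port it uses; an encrypted
    payload is identified as TLS but its contents cannot be matched."""
    if any(kw in pkt.payload.lower() for kw in DROP_KEYWORDS):
        return "drop"
    if protocol_fingerprint(pkt.payload) == "ftp":
        return "throttle"
    return None


def filter_chain(pkt, stages=(ip_stage, port_stage, dpi_stage)):
    """Run every stage; return the most severe verdict and the stages that raised it."""
    verdict, raised_by = "allow", []
    for stage in stages:
        result = stage(pkt)
        if result is None:
            continue
        if SEVERITY[result] > SEVERITY[verdict]:
            verdict, raised_by = result, [stage.__name__]
        elif result == verdict:
            raised_by.append(stage.__name__)
    return verdict, raised_by


# Constructed sample traffic from a client inside the filtered network.
SAMPLE_PACKETS = {
    "bbc_persian": Packet("10.0.0.5", "212.58.253.68", 80,
                          b"GET / HTTP/1.1\r\nHost: www.bbcpersian.com\r\n\r\n"),
    "ftp_port_21": Packet("10.0.0.5", "198.51.100.7", 21, b"STOR holiday.avi\r\n"),
    "ftp_port_9328": Packet("10.0.0.5", "198.51.100.7", 9328, b"STOR holiday.avi\r\n"),
    "http_keyword": Packet("10.0.0.5", "198.51.100.8", 80,
                           b"POST /upload HTTP/1.1\r\n\r\nphotos from the protest"),
    "tls_443": Packet("10.0.0.5", "198.51.100.9", 443,
                      bytes([0x16, 0x03, 0x01, 0x00, 0x40]) + b"\x01" * 64),
}


def demo_filter():
    """Verdict and responsible stages for each sample packet."""
    return {name: filter_chain(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (verdict, stages) in demo_filter().items():
        print(f"{name:14s} {verdict:9s} {', '.join(stages) or '-'}")
```

`demo_filter()` returns each sample packet's verdict together with the stages that produced it. The prefix checks stand in for real protocol parsers, but the structure is what matters here: the DPI stage reaches its verdict without consulting the port, which is why the paper's port-9328 FTP server gains nothing.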

WHAT ELSE IS POSSIBLE

It is hard to predict what other tricks the Iranian Government will come up with, though it is
almost certainly going to revolve around three concepts:

AUTOMATION
They are going to continue to work on improving ways to automatically block content and
detect when these blocks are circumvented.

EXPANSION
As the traffic manipulation becomes a more permanent feature on the Iranian
communication infrastructure, it will become imperative that the methods become redundant, so
that even if one method of filtration is beaten, there may be another capable of detecting it. This
will also decrease the workload on the central servers, meaning that they will be able to reopen
some of the bandwidth, reducing the pressure from businesses to stop traffic manipulation.

INVISIBILITY
For any manipulation to be successful, long term, it has to be undetectable. While those of
us outside Iran are looking to make our traffic invisible to them, they are working to make their
efforts invisible to us. You can't go around a wall you don't know is there. However, traffic
manipulation on a massive scale with noticeable results is tough to keep secret, so it is unknown
how feasible this goal is.

WHERE MANIPULATION OCCURS

There are two main points at which traffic manipulation occurs:

• National. This is where the majority of traffic manipulation is occurring. This is most
likely due to the fact that there is only one physical link leaving Iran, and only around 30
satellite uplinks, making the management of them fairly simple.

• ISP[7] level. While there is some manipulation of traffic at the provider level, it appears to be
fairly limited, such as dropping traffic based on keywords. This is similar to the type of
traffic manipulation you commonly see at schools or workplaces, to prevent people from
accessing materials they probably shouldn't be accessing while there. The benefit of doing
this type of manipulation at this level, as opposed to nationally, is that the cost to the
government is lower. However, there is a risk that an ISP might have something
misconfigured, meaning that there may be easier ways to circumvent the base filtering, at
least for a while. Unfortunately, it would seem that this is one of the first systems they
made redundant, so even if one were somehow able to circumvent the ISP filters, it would
only be beneficial for connections within the borders.

[7] ISP: Internet Service Provider, a company which provides access to the Internet.
RESPONSE

Due to the complex and adaptive way in which the Iranian government has responded, coming
up with an appropriate response to restore open communications is much more difficult than with
a relatively static blocking system, such as that used by China. As the system has evolved, many
people have suggested many ways that may work to circumvent the traffic manipulation. The
following are a few questions I ask of any method before serious consideration (I use HTTP proxies
as an example since they are now known to fail.)

• How resilient is it to countermeasures? Any method that can be seriously considered as
a long term method of defeating traffic manipulation must be resistant to the methods used
to do so. For example, HTTP proxies were not a good response due to the fact that they can
be detected in several ways and blocked quickly, requiring constant server rotation to stay
operational.

• How secure is it? Under close scrutiny, how secure is the data being transmitted?
Unencrypted (plain) text is horribly insecure. Anyone in the transmission path, and that
includes the government, can view what you are transmitting. All HTTP proxies are entirely
plaintext, making them incredibly risky for those who use them. (At the time this was not
true, since traffic was not being inspected closely enough for encrypted transmission to
matter.)

• How expensive is it to run? A sad truth is that servers tend to be expensive to run. The
monetary cost involved in any operation is something to be considered, as it could quickly
reach to tens of thousands of dollars a month. HTTP proxies were actually good on this,
because they could be crowdsourced. If everyone set one up, the cost to any one individual
was near zero. However, with solutions that require dedicated servers, the costs can
quickly become prohibitive, especially when you have an entire country relying on you.

• Is it traceable? One important thing to consider is whether or not the information can be
tracked to the person who used it. The government should not be able to view the traffic
and have proof that a particular Iranian was viewing photographs of the protests in Shiraz.
Additionally, they shouldn't be able to see whether that Iranian was uploading photographs from a
protest near his home.

• How easily can it be deployed? Most solutions are fairly difficult to deploy. For example,
HTTP proxy deployment had quite a few steps:

  o Donor sets up proxy
  o Donor gives the IP and port to Facilitator
  o Iranian asks Facilitator for a proxy
  o Facilitator gives Iranian a proxy

As you can see, there is a lot of work involved in distributing a proxy. This requires a
lot of cooperation and communication between Donor and Facilitator, and between Facilitator and
Iranian. This costs time and effort, and above all, the system of communication, already
incredibly fragile, now relies solely on the Facilitator being there to fulfill his assumed role.

• How easy is it to use? While many of us trying to formulate solutions are skilled with
computers, those that we are helping may not be. Any method of connection has to be fairly
simple to set up.

NORMAL USAGE

There are generally two types of solutions that we focus on: those which allow for normal
Internet usage (browsing the web, chatting with family, checking e-mail) and those which are
catered to special usage. The special usage methods are, unfortunately, kept fairly quiet, and
therefore are not discussed too thoroughly in this document.

SINGLE-HOP PROXIES
This includes all methods of single client-server[8] connections. HTTP proxies, FreeGate,
UltraSurf, and Psiphon all fall under this. There are both good sides and bad sides to single-hop[9]
proxies. While they are an excellent way to get around temporary Internet restrictions, they are
themselves a temporary measure, and therefore generally not recommended for deployment
except in emergency cases.

Generally, the main issue with single hop proxies is that they are too easy to block,
especially with the advanced filtration used by the Iranian government. This means that in order to
be successful long term, there will either be a need for large sums of money or continually growing
public support to ensure that there can be enough servers kept operational.

As of today, there is no single-hop proxy which cannot be blocked easily. However, if you
absolutely must use a single-hop system, it is recommended to use it during the week, between noon
and 5pm, as that is when the least traffic manipulation is being done.

[8] Client-server: this is the most prominent type of connection, where one side is receiving the information,
and the other is serving it.
[9] Single-hop: a connection which has only one intermediate connection between the client and the
destination.

The Good
• Fast
• Easy to set up
• Usually don't require a client application

The Bad
• Insecure
• Easily blockable
• Expensive (either financially or in terms of effort) to run
• Easily detectable
• Difficult to deploy
• Traceable
• Requires trusting your proxy
• If the server fails the client is disconnected
• No deniability to server provider
• Tend to have obvious fingerprints
• Dependent on outside connections

MULTI-HOP CIRCUITS
Multiple-hop[10] circuits are generally much more secure than single hop proxies; however,
they have their own list of downsides. The most commonly recommended multiple hop
client/server package is Tor, short for The Onion Router. While it is in some ways peer-to-peer, due
to the hidden services, it still follows the traditional client-to-server model; more specifically, client-
to-server-to-server-to-final-server.

Generally they tend to be much more secure and much more feasible to run as a long term
solution, as even if a server is blocked, it can still be used as a link in the overall circuit. However, this
durability comes at a significant speed cost, which, added to the already limited bandwidth in Iran, can
be highly prohibitive. Luckily, the network can be greatly sped up if there are more people running
relays, especially in geographically close locations.

[10] Multiple-hop: A connection which has more than one intermediate point between the client and
destination. This type of connection is commonly referred to as a circuit.

Another added benefit of multi-hop circuit methods is that they can be almost entirely
crowd-sourced. Due to the nature of the network, there is usually only one link on the circuit which
requires a high-bandwidth server, and that is the link through which the traffic exits. There
has been some work in attempting to get universities to lend their bandwidth to this purpose,
which again helps to reduce the cost to any one person to near zero.

The Good
• Difficult to block
• Once a server is blocked, it can still be used as part of the circuit
• Usually easy to deploy
• Untraceable
• Difficult to detect the information being transmitted
• Easy to crowdsource

The Bad
• Slow
• Can be more difficult to set up
• Risk
• Requires special client
• Dependent on outside connections
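As an added illustration (not Tor's protocol and not NedaNet's code), the following Python sketch wraps a request in one layer per relay and then has each relay peel its own layer, recording what it could observe. It also picks a path in which a relay blocked at the border still serves as the middle hop, the situation the list above describes. Relay names, keys, the destination and the request are constructed; the cipher is a toy XOR keystream derived from SHA-256 with no integrity protection, used only to make the layering visible.

```python
"""Toy model of a multi-hop (onion) circuit: the client wraps a request once
per relay; each relay strips one layer and learns only its neighbours.
Added illustration, not Tor's circuit protocol or NedaNet's code. Relay
names, keys and the request are constructed; the cipher is a teaching toy."""
import hashlib
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || block counter). Symmetric, so the
    same call encrypts and decrypts. No integrity check: toy only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(inner: bytes, next_hop: str, key: bytes) -> bytes:
    """Add one layer: only the holder of `key` learns next_hop and the inner cell."""
    nonce = os.urandom(12)
    body = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
    return nonce + keystream_xor(key, nonce, body)


def unwrap(cell: bytes, key: bytes):
    """Strip one layer; returns (next_hop, inner_cell)."""
    nonce, ciphertext = cell[:12], cell[12:]
    body = json.loads(keystream_xor(key, nonce, ciphertext))
    return body["next"], bytes.fromhex(body["inner"])


def build_circuit(relays, destination: str, request: bytes) -> bytes:
    """Client side: wrap the innermost (exit) layer first and the outermost
    (entry) layer last. `relays` is an ordered list of (name, shared_key)."""
    cell, next_hop = request, destination
    for name, key in reversed(relays):
        cell = wrap(cell, next_hop, key)
        next_hop = name
    return cell


def run_circuit(relays, cell: bytes, client: str = "client"):
    """Simulate each relay peeling its layer. Returns (per-relay views,
    destination, plaintext request as the exit relay forwards it)."""
    views, prev = [], client
    for name, key in relays:
        next_hop, cell = unwrap(cell, key)
        views.append({"relay": name, "from": prev, "to": next_hop})
        prev = name
    return views, next_hop, cell


def pick_path(relay_names, blocked, length: int = 3):
    """The entry relay must be reachable from inside the filtered network, but
    a relay blocked at the border can still serve as middle or exit hop."""
    reachable = [r for r in relay_names if r not in blocked]
    if not reachable:
        raise ValueError("no reachable entry relay")
    entry = reachable[0]
    rest = [r for r in relay_names if r != entry][: length - 1]
    return [entry] + rest


def demo_circuit():
    # Constructed relays and shared keys; a real circuit negotiates keys per hop.
    keys = {"A": b"k" * 32, "B": b"m" * 32, "C": b"x" * 32}
    path = pick_path(["A", "B", "C"], blocked={"A"})  # A is blocked at the border
    relays = [(name, keys[name]) for name in path]
    dest = "www.example.org"
    request = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
    cell = build_circuit(relays, dest, request)
    views, seen_dest, plaintext = run_circuit(relays, cell)
    return {"path": path, "views": views, "dest": seen_dest, "plaintext": plaintext}


if __name__ == "__main__":
    result = demo_circuit()
    print("path:", " -> ".join(result["path"]), "->", result["dest"])
    for view in result["views"]:
        print(f"relay {view['relay']} sees {view['from']} -> {view['to']}")
```

`demo_circuit()` returns the chosen path and each relay's view: the entry sees the client and the next relay, the exit sees the previous relay and the destination, and no relay sees both ends, which is the sense in which the list above calls the method untraceable. The blocked relay A is unusable as the entry (the client inside the country cannot reach it) but still carries traffic as the middle hop. Tor's real circuit construction authenticates each layer and derives keys with a handshake; this sketch shows only the layering.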

PEER-TO-PEER
Peer-to-peer[11] networking solutions are radically different from the previously suggested
networking solutions, and are intended to be used as a supplement to them. The goal of peer-to-
peer solutions is to enable the Iranian people to stay connected and share information with each
other, even if they are completely cut off from the outside connections.

While the above two models use the concept of tunneling through the block, peer-to-peer
solutions ignore the block entirely, instead circulating information within the country, although
there is no reason why there could not be external peers. However, if those external peers are
blocked, the peers inside the country aren’t cut off from information, as they have shared it with
themselves, and can access it that way.

Unfortunately we are struggling to find a solution that is ready for deployment on a massive
scale, so there has been a somewhat limited examination into peer-to-peer networking; however
several members of NedaNet agree that it is the next step forward in ensuring the Iranian people
can continue to communicate freely.

[11] Peer-to-peer: A connection which does not rely on a central server, but one that pulls information from
other peers. The most common type of peer-to-peer connection is BitTorrent file-sharing.

The Good
• Almost impossible to block
• Highly secure
• Doesn't even show on the radar of most inspection
• Doesn't require outside connections
• Can accept only trusted connections

The Bad
• Slow
• Limited features
• Limited content
• Can be difficult to use
• Eliminates plausible deniability
• No service is ready for deployment

SUMMARY
Now that the benefits and detriments of the various connection methods have been
examined, it is easier to see what is feasible to use to fight censorship. Generally, the use of
multiple-hop proxy circuits is recommended due to their high level of security and anonymity,
despite their slow connection speeds. Additionally, they are not a temporary measure. While a
server may be blocked, it is not then rendered useless as it would be for a single-hop proxy.

Additionally, despite the lack of a working solution, the use of peer-to-peer is still highly
recommended, if only as a redundancy plan should the Internet be completely disabled within Iran.

Any method which relies on a single intermediate connection is most likely not a good
solution, since there are so many apparent flaws with the technique.

In moving forward, I think the focus needs to be put on improving the ease of use of
multiple-hop relays, and working to improve their speeds. Thankfully, the speed issues can largely
be remedied by increasing the number of relays available, which can be done by volunteers,
meaning the need for donations is minimal.

SPECIAL USAGE

There are several solutions which have been devised for specific applications, which
function in ways entirely different than the above listed methods. However, due to their limited
deployment, they are still confidential, to ensure that they stay operational for as long as possible.
Hopefully soon we’ll be able to declassify some, as they are replaced by more stable and secure
methods.

CONCLUSION

There has been a lot learned by all involved about what techniques work to circumvent
manipulation, however there is still a lot more to do. There are many new ways we’re testing and
developing now to try to reduce the threat that any entity’s actions pose to the security and stability
of communication, and hopefully will prevent such a strong offensive from ever forming in the first
place. While it is difficult to predict what will and won’t work without real world usage, I believe
the methods outlined above should help to promote open communication.
