Internet Censorship in Iran: A First Look (FOCI 2013) #226
Comments
wkrp
added
the
reading group
|
We'll start the reading group for "Internet Censorship in Iran" at Sunday at 13:00 UTC, about 20 hours from now. https://meet.jit.si/moderated/2dc56baf31ed6b05581d4de75787544466acc45c4ac8230c35c4b3540e138c25 As before, I'll try to get the meeting running about 20 minutes early to give time to debug any connection issues. You can join using a pseudonym. I will set up the meeting so that participants' webcam and microphone are disabled when they join. I will make a video, but the video will not include the browser window that shows the meeting. To get an idea of how the video will look, see last month's reading group. |
|
Here's a summary of the paper in advance of the meeting. Internet Censorship in Iran: A First Look This is among the earliest efforts to formally document Internet censorship practices in Iran. The researchers used a single vantage point in Iran to make measurements of foreign destinations; in some experiments they connected to their own cooperating server outside Iran, in order to see both sides of the connection. The study covers a time span shortly before and after presidential elections in June 2013. It found evidence of HTTP Host header filtering, HTTP path keyword filtering, DNS interception, and bandwidth throttling. Traceroute tests suggest that censorship activity is centralized at a single chokepoint on paths that leave the country. The largest set of experiments consisted of HTTP GET requests to the top 500 sites in each of 18 Alexa categories. The most censored category was "Adult", at more than 95%; the next most censored was simply the top 500 by popularity, at around 50%. In a few cases the requests timed out, and some of these were certainly cases of geoblocking, where it was the destination server refusing to provide service, rather than interference by a middlebox. The form of blocking most commonly observed was triggered by the HTTP Host header: requesting a blocked domain name results in a false HTTP response with a "403 Forbidden" status code that redirects first to a censorship block page at http://10.10.34.34/ (only accessible from inside Iran) and then to http://peyvandha.ir/ (2013 archive here). The TCP handshake gets through the firewall to the true destination web server, but the packet containing the GET request and Host header is blocked (never reaches the destination), and instead the censorship node itself returns the false response, meanwhile also sending 5 RST packets to the destination with various sequence numbers and a spoofed source address. Besides the Host header, certain keywords in URL paths result in similar blocking: the researchers demonstrate by requesting "sex.htm". There were no packet-level changes that would indicate the use of a transparent HTTP proxy. False DNS responses were also observed, but only for a small set of domains: facebook.com, youtube.com, and plus.google.com. The IP address in fake DNS responses was the same as in the fake HTTP responses, 10.10.34.34. The DNS query is stopped at the censorship node and never makes it to the intended resolver; this is different from how DNS injection works in China, where the query gets to the resolver and the user gets two DNS responses, one injected and one genuine. Bizarrely, the censorship node sent TCP RST packets to the destination DNS resolver, as with the HTTP-based blocking, in spite of the fact that the DNS exchange used UDP. They tested TCP-based DNS as well, and found no interference with it. The researchers tested throttling by downloading a file over HTTP, HTTPS, and SSH. The HTTP and HTTPS transfers went about as fast as expected, but SSH transfers were throttled down to about 15% of available speed. The throttling was effected by dropping TCP packets. SSH obfuscated by xoring with a constant key was throttled almost to zero, as was obfs2. The authors' interpretation of these results is that throttling is based on a protocol whitelist: a few enumerated protocols are permitted, and all others are throttled. Tests after the election in June 2013 showed no evidence of throttling. There is evidence that network censorship is enforced at a centralized location. Traceroutes to IP addresses in various foreign countries all passed through a certain 10.10.*.* IP address. Traceroutes in the reverse direction did not see the 10.10.*.* address. TTL-limited HTTP GET requests in the manner of Xu et al. 2011 show that the node at this IP address is the same one responsible for HTTP interception. The address did not respond to port scans. |
|
(
Wow, you are so diligent.
We have stopped focus on newer technologies now.
Over the wall without knowing what to do following and just focus on stabilize over-walling technique is no sense.
And any techniques evading finally are just temporary. Seek the final answer is more effective.
)
Mar 26, 2023 00:56:05 wkrp ***@***.***>:
… Here's a summary of the paper in advance of the meeting. I have written to the authors to see if they think the summary I have written is accurate, but they have not yet replied. I don't want to post a permanent summary when there's a chance the authors might disagree with its characterization, so here's a temporary link. When I hear back, I'll edit this comment to contain the summary.
https://share.riseup.net/#3yQSMnwTlL4y_0US0WCkJQ
https://share.riseup.net/#3yQSMnwTlL4y_0US0WCkJQ
—
Reply to this email directly, view it on GitHub[#226 (comment)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AKGBAYEY3XUKSKCMEDRKLTTW54PSLANCNFSM6AAAAAAVX3GK44].
You are receiving this because you are subscribed to this thread.[Tracking image][https://github.com/notifications/beacon/AKGBAYFMZJZWLWLTZQAKDVLW54PSLA5CNFSM6AAAAAAVX3GK46WGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTSYOIGMM.gif]
|
|
@wkrp Followup about DNS: I did not observe any RSTs when trying to reproduce what you said in the meeting (doing normal DNS over UDP requests with clients behind the old and also new DPI). I did however see one TCP RST+ACK on the remote server when testing DNS over TCP with a client behind the new(?) DPI. The client just received an ACK followed by the malformed response and nothing else. both forged responses had random IP IDs and no TCP option fields (header was exactly 20 bytes). When the client tried to close the flow with a FIN+ACK it surprisingly arrived at its destination and the remote server replied with RST as it should since the connection was already torn down (I'm not still sure about if they're just allowing FIN packets or the flow is not blocked. This needs more testing.). The old DPI still allows DNS over TCP and does not alter the response. Example of the I also have PCAPs of both the client and server. I can share it via a private communication channel if possible. I should also note that what I'm referring to as the "new" DPI might not be that new but I've never seen such behavior (random IP ID and RST after forbidden SNI) before and I am seeing it deployed on more networks slowly. |
|
Here is the video of the discussion. Thanks to all who participated. Some quite interesting points came up in the discussion, comparing the current censorship situation with what this paper described ten years ago:
We talked about ways to reproduce the paper's Figure 2, which shows the blocking rate of different website categories, using contemporary censorship measurement systems. This is Figure 2 from the paper:
You can get a similar chart straight from OONI MAT. Go to https://explorer.ooni.org/chart/mat, enter Country: Iran and Columns: Website Categories, then click Show Chart. The columns aren't all the same size, and the result categories are stacked rather than side by side, but you can still see that, e.g., the PORN category is proportionally almost completely blocked: I could not figure out how to get such a chart directly from the Censored Planet dashboard. But the data is there: you can export a CSV and visualize it yourself. Select Country: Iran, then clear the Network, Subnetwork, Site Category, and Domain fields. Click the ✚ icon next to "Top 50 – Domain" to expose the site categories, then click ⋮ and Export as CSV.
The R/Tidyverse script to produce the above Censored Planet graph is: Censored Planet Dashboard_HTTPS Analysis_Pivot table.csv library("tidyverse")
ggplot(read_csv("Censored Planet Dashboard_HTTPS Analysis_Pivot table.csv") %>%
filter(Domain != "CONTROL" & `Site Category` != "Uncategorized") %>%
mutate(
OK = `Probe Count` * (1 - `Unexpected Rate`),
Unexpected = `Probe Count` - OK
) %>%
group_by(`Site Category`) %>%
summarize(`Probe Count` = sum(`Probe Count`), OK = sum(OK), Unexpected = sum(Unexpected)) %>%
mutate(`Site Category` = fct_reorder(`Site Category`, OK / `Probe Count`)) %>%
pivot_longer(cols = c(OK, Unexpected), names_to = "result", values_to = "count")
) +
geom_bar(
aes(x = `Site Category`, y = count / `Probe Count`, fill = result),
width = 0.7,
stat = "identity",
position = "dodge"
) +
scale_fill_manual(values = c(OK = "lightgreen", Unexpected = "red")) +
theme_minimal() +
theme(axis.text.x = element_text(angle = 60, hjust = 1)) +
labs(x = NULL, y = NULL)
ggsave("censoredplanet-categories.png", width = 8, height = 5)Links to references that came up during the discussion:
|
wkrp
changed the title
|
@ftfws: thanks so much for the tests and the information. You said that the responses injected by DNS-over-TCP censorship are malformed. In what way are they malformed? |
|
@wkrp Here is an example for google.com. I have redacted the transaction ID but it did match the question's transaction ID. I don't know much about DNS over TCP's wire protocol but it looks like it's missing the question class (0x0001 in this case for IN) before starting the answer section and the pointer (0xc00c). |
|
And about HTTP blocking, the new(?) DPI still injects iframes too but the injected response differs slightly (there are more headers now). The packets still show signs that they're injected from the new DPI (random IP ID for example). I have no idea why they do both. Example of iframe injection (the title is redacted as I thought it might contain identifiable information): Notice that there are now 2 lines (and the line ends at You also can trigger the |
Yes, your analysis is correct. The response is missing the QCLASS field of the Question section. The NAME field of the Answer section is being interpreted as the QCLASS, and then parsing gets desynchronized. The response is malformed in another way: it says ARCOUNT=1 but the Additional section is empty. But the IP address in the response seems to be a valid one for google.com, 216.239.38.120. Here is a manual dissection: It is strange, if this interference is intended for censorship, that it returns what appears to be a good IP address, rather than a 10.10.34.X one. Does google.com get interference with UDP-based DNS? Are all domain names interfered with when using DNS over TCP, or only some of them? It may be that this ISP's DNS-over-TCP resolver just doesn't work properly. ARCOUNT=1 may be something that is (wrongly) copied from the query. It is a little reminiscent of the faulty response construction that used to happen in Turkmenistan. ARCOUNT=1 is characteristic of EDNS, which uses the Additional section to store extension information. I suggest trying a query which does not used EDNS, and seeing if ARCOUNT=0 in the response when you do that. E.g. |
This is
The censor has the ability to inject any IP address and not just
This kind of interference, like all kinds of DNS censorship, happens on all ISPs over UDP (and TCP if the ISP has the new DPI).
Not all domains of course. I am also using a DNS server outside of Iran to avoid the ISP's DNS and focus on the firewall itself.
The command used was a simple |
Wow, TIL. Thanks for the information. https://support.google.com/websearch/answer/186669
This would make a good small research project. Process past OONI and Censored Planet measurements, looking for ones where DNS queries for google.com get a forcesafesearch.google.com IP address, as well as looking for empty or NXDOMAIN responses to queries for use-application-dns.net, which is a canary domain that DNS operators can use to disable DNS over HTTPS in browsers. |
The previous live reading group was good fun and I'd like to schedule another session to talk about a noteworthy paper from the past. This time I want to do a paper about censorship in Iran from 2013.
"Internet Censorship in Iran: A First Look"
PDF, slides and video
The time:
Sunday, 2023-03-26 13:00–14:00 UTC
If you want to participate, just read the paper in advance and show up to the gathering, location TBA. As before, I'll make a video for those who cannot attend live.
The paper is an early effort to document censorship mechanisms in Iran, such as DNS injection, HTTP filtering, and bandwidth throttling, using the classic methodology of a controlled vantage point inside the censor's network. There is a noteworthy analysis based on traceroute to understand the network topology of the censorship system.
It will be ideal if we can have participation from someone who is familiar with current censorship conditions in Iran, so we can talk about what has changed and what has not since 2013.
The text was updated successfully, but these errors were encountered: