
Iran Blocks VPN Ports

timothy posted more than 2 years ago | from the why-do-you-hate-freedom dept.

Censorship 134

First time accepted submitter Parham90 writes "After the Iranian post-election events that led to massive riots and break-outs through the world, the Iranian government started blocking all social websites, including Facebook, Youtube, Orkut, MySpace and Twitter. The Iranians, however, started using VPN (virtual private network) connections to bypass censorship. Since Thursday, September 30, 2011, all VPN ports have however been blocked, in the first attempt to start what the Iranian government calls the 'National Internet.'"


134 comments

This is why... (1)

GameboyRMH (1153867) | more than 2 years ago | (#37625164)

I run my VPN server on port 80.

Re:This is why... (0)

Anonymous Coward | more than 2 years ago | (#37625230)

Yeah, encrypted traffic over the unencrypted http port. That's not suspicious at all. Better to use 443 where at least they're expecting encryption, and if you use OpenVPN, it won't look dissimilar from https.

Re:This is why... (3, Informative)

scubamage (727538) | more than 2 years ago | (#37625658)

Unless I'm completely misunderstanding your comment, it doesn't matter what port it's running on at all. Unless Iran is doing some seriously deep packet inspection, it's not going to look "suspicious." If you set your VPN peer to use port 80, it's no longer an unencrypted HTTP port, it's a VPN port. 80 being http is just a standard, but like everything, standards can be bent when necessary. As for doing DPI on every single IP device generating IP traffic into/out of the country, good farking luck. It'll basically wreck their international telecom systems since most of those should be IP based by this point. DPI + UDP = crap audio.

Re:This is why... (1)

GameboyRMH (1153867) | more than 2 years ago | (#37626054)

He's assuming that Iran is doing seriously deep packet inspection on everything. Which in theory is a good assumption, but in practice rarely happens.

Re:This is why... (1)

scubamage (727538) | more than 2 years ago | (#37626250)

Agreed - the amount of hardware they'd require to be able to do that without incurring significant delay EVERYWHERE would be incredible. If they're going on a port by port approach, that's not going to stop anyone who seriously has any interest in communicating.

Re:This is why... (1)

smash (1351) | more than 2 years ago | (#37626802)

You're assuming Iran has a decently fast internet backbone. I suspect it doesn't, and that a half-decent major ISP level deep packet inspection device would be sufficient for the country.

Re:This is why... (1)

scubamage (727538) | more than 2 years ago | (#37627826)

I think you may be wrong - I highly doubt all of their cell phone carriers are operating their backbones over TDM, it'd be a massive waste of bandwidth. That means an IP network - that means big pipes carrying lots of UDP and RTP data. Given the huge Persian diaspora and (pardon if I offend) the typical closeness of Persian families, I think they'd be sending a fairly significant amount of data both in and out of the country.

Re:This is why... (1)

Alarash (746254) | more than 2 years ago | (#37626844)

Some people do this in hardware now with no performance impact (DPI is traditionally very processor intensive). They don't look at things in terms of TCP anymore, but by application. You can block, say, Facebook and Twitter but allow RTMPT (Flash video streaming over HTTP). And you can easily block any traffic on port 80 that you don't recognize as HTTP. This exists because people used to do protocol tunneling to circumvent traditional firewalls (HTTP in DNS over UDP for example). Modern DPI devices are designed to detect those creative methods with no performance (and therefore delay) impact.

You do need a lot of hardware, but not as much as 3 years ago. And when you have a government-sized budget for this, nothing is impossible.

I hate mentioning only Palo Alto [paloaltonetworks.com] , but in my knowledge (I'm a network test equipment vendor employee - I test the performance of these devices for a living) they are the only ones to do that in hardware. Checkpoint [checkpoint.com] does the exact same thing but as far as I know it's not done in hardware - they do claim it has no performance impact but I haven't had a chance to test this myself.

Gartner published a report (here hosted by PA [paloaltonetworks.com] , reg. unfortunately required) that goes over all these challenges. I'm fairly sure somebody in Iran read this report and implemented it.

Re:This is why... (1)

scubamage (727538) | more than 2 years ago | (#37627750)

It would still be pretty intensive to fully de-encapsulate all the way up to layer 6/7 to see the type of traffic though. Although I had seen some routers demo'd a few months ago which only look at the first packet or two in a dialog, determine the type of payload, and then let the rest of the stream pass unmolested. That might be possible? Not sure if they had intended to do something like this with them. (source [engadget.com] )

Re:This is why... (0)

Anonymous Coward | more than 2 years ago | (#37626856)

Iran has in FACT been doing deep packet inspection since 2007. They can detect traffic type and block it on any port. When I was in Iran I tested other ports and it would immediately block the traffic.

I visited one of the filtering sites in 2006 and they had around 30 Racks of filtering devices there. The deep packet inspection slows down the traffic and adds considerable lag and delay.

I suspect that in addition to deep packet inspection they also run some type of data analysis on some of the protocols (like smtp etc.). This is in addition to intelligent web filtering of course.

Re:This is why... (1)

Dunbal (464142) | more than 2 years ago | (#37627906)

It might be suspicious, but I dare you to block it at the ISP level.

All 65k+ of them? (1)

siddesu (698447) | more than 2 years ago | (#37625200)

It is impressive they still manage to run Internet services then.

Re:All 65k+ of them? (3, Informative)

GameboyRMH (1153867) | more than 2 years ago | (#37625236)

They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

Re:All 65k+ of them? (0)

Anonymous Coward | more than 2 years ago | (#37625380)

Doesn't matter. Run it as an unencrypted connection over port 80 and just encrypt the traffic prior to transmission. Easy-peasy. It's basically impossible to block an encrypted channel so long as ANY form of communication is allowed.

Re:All 65k+ of them? (1)

GameboyRMH (1153867) | more than 2 years ago | (#37625480)

Um...how is this any different? The only real difference between encrypted and unencrypted connections as far as an intercepting party is concerned is that one makes sense while the other looks like garbage. If you wrote an AJAX app that used PKI to do encryption at the application layer there would only be slight technical differences in the traffic going through that firewalls could easily be modified to pick up on.

Re:All 65k+ of them? (2, Insightful)

Hatta (162192) | more than 2 years ago | (#37625540)

You don't just need to circumvent the block. You need to circumvent a block in a way that the authorities can't detect.

Re:All 65k+ of them? (4, Informative)

ledow (319597) | more than 2 years ago | (#37625436)

Hell, I once saw a VPN that rewrote its traffic to use ICMP messages and other nefarious means of communication in order to transmit packets.

It'd probably look odd if you KNEW to look at that individual's connection but the chances of finding *every* way that encrypted data can be slipped into another datastream are incredibly minimal.

Hell, VPN-over-HTTP-proxy is very common.

Re:All 65k+ of them? (2)

scubamage (727538) | more than 2 years ago | (#37625680)

I don't envy the guy hired to look at every ICMP packet for an entire country. About the only way he could remain sane is if he was autistic since they tend to be really good at tasks like that.

Re:All 65k+ of them? (0)

Anonymous Coward | more than 2 years ago | (#37626348)

I would agree if everything I knew about autism had been learned from Rainman.

Re:All 65k+ of them? (1)

scubamage (727538) | more than 2 years ago | (#37626706)

You may want to look into the research, AC [slashdot.org] .

Re:All 65k+ of them? (0)

Anonymous Coward | more than 2 years ago | (#37625966)

Devils advocate:

If a country took a stance where any non-conforming packet sent by someone was grounds for arrest and jail (which isn't that far-fetched), their censors may not find all the packets (especially with newer VPN mechanisms that use "spread-spectrum" transmission techniques where stuff is sent over DNS, ICMP, etc.) However, if a lot of packets that can't be decoded come from an individual, the local police are notified to pay the person a visit and relieve them of their computer, their freedom, and possibly their life.

Re:All 65k+ of them? (1)

jrbrtsn (103896) | more than 2 years ago | (#37625822)

Thank goodness for ipv6. Now you can run all services on port 80 and just assign a different ip address for each one!

Re:All 65k+ of them? (1)

sosume (680416) | more than 2 years ago | (#37626064)

They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

How about putting the entire nation's network behind a giant proxy, configured to disallow streams? That would effectively block everything but HTTP.

Re:All 65k+ of them? (1)

GameboyRMH (1153867) | more than 2 years ago | (#37626218)

I don't see how that would help, there are VPNs that can mimic HTTP/HTTPS...I've even run one like that over a GPRS connection which doesn't allow streams by its very nature.

Re:All 65k+ of them? (0)

Anonymous Coward | more than 2 years ago | (#37626246)

Even if you automated this, wouldn't a DoS attack against... anything you wish, make this system slow down to a halt or just drop?

I mean, inspecting a huge number of packets is hard; even if we only scan fishy ones, you could just DoS with those.

Re:All 65k+ of them? (1)

GameboyRMH (1153867) | more than 2 years ago | (#37626424)

True, depends how many data centers the government is willing to build...

Re:All 65k+ of them? (1)

tlhIngan (30335) | more than 2 years ago | (#37627886)

Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

A number of VPNs these days use HTTPS (443). It's called SSL VPN and you can get access points from the usual vendors (Cisco, Sonicwall, etc). They're all the rage these days as they start up as normal HTTPS connections (and you can use it with a web browser at the very minimum - no client required).

Reason for this is many corporate networks have started blocking everything but 80/443. When you're visiting a customer with their network set up that way, being able to VPN over HTTPS is extremely valuable. Especially since it goes through NAT easily as well.

Re:All 65k+ of them? (0)

Anonymous Coward | more than 2 years ago | (#37627934)

So? We'd simply send each packet with a HTTP header stating that it's a picture, and add a JPEG header too, if we have to. Or as base-64-encoded plain text. Or even steganography inside images.

Hell, if we have to, we can generate sentences that are grammatically correct, could make sense, and still encode data in their (e.g. first) letters, then post them via Twitter.

Sorry, this will not ever work. Ever.
The only way that would work is to block *everything* by default, and then only open connections to trustworthy systems. (But don't tell them that.) (Also, in practice that's really the same thing as shutting down all of the Internet. So it *will* cause riots!)

Re:All 65k+ of them? (1)

wmac1 (2478314) | more than 2 years ago | (#37627138)

You do not need to check 65k things. You just check every single packet to see what port it is and whether the content matches that port. That's in fact what they currently do (and have done since 2007). One of their sites which I visited in 2006 contained 30 racks of filtering equipment.
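What "check whether the content matches that port" looks like in code, as an added example that is not from any poster, vendor or the Gartner report mentioned above: the first-packet consistency check that Alarash's and wmac1's posts describe, in the same spirit as the routers scubamage mentions that classify a flow from its first packet or two. The protocol-to-port table, the sample flows and the classification rules are constructed for this example; a real DPI box carries far richer signatures.

```python
"""Port-versus-payload consistency check of the kind a DPI box applies to the
first packet of a flow. Added example; the sample flows below are constructed,
not captured from any real network."""
import re

# Which application protocol we expect on a given destination port (assumption).
EXPECTED = {80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def classify_payload(first_bytes: bytes) -> str:
    """Return 'http', 'tls' or 'unknown' from the first bytes a client sends."""
    # HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
    if first_bytes.startswith(HTTP_METHODS):
        line = first_bytes.split(b"\r\n", 1)[0]
        if re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", line):
            return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03
            and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def flow_verdict(dst_port: int, first_bytes: bytes) -> str:
    """'ok' when the payload matches the port's expected protocol, 'mismatch'
    when it does not, 'unclassified' for ports with no rule."""
    expected = EXPECTED.get(dst_port)
    if expected is None:
        return "unclassified"
    return "ok" if classify_payload(first_bytes) == expected else "mismatch"


# Constructed sample flows: (label, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("web", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("https", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
                          0xc4, 0x03, 0x03]) + b"\x00" * 32),
    # Opaque bytes on the HTTP port: what a tunnel moved to port 80 looks like.
    ("tunnel-on-80", 80, bytes([0x38, 0xd2, 0x91, 0x7f, 0xaa, 0x03, 0x11, 0xe0])),
    # A TLS handshake on port 80: well-formed, but not what the port rule expects.
    ("tls-on-80", 80, bytes([0x16, 0x03, 0x03, 0x00, 0x40, 0x01]) + b"\x00" * 8),
    ("ssh", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def run_samples() -> dict:
    """Verdict per sample flow."""
    return {name: flow_verdict(port, data) for name, port, data in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} {verdict}")
```

The same check is what an enterprise egress monitor uses to notice tunnels, and it is why moving a VPN to port 80 buys nothing against a classifier: the verdict depends on the bytes, not the port. It also shows where the false positives come from on the defender's side: HTTP/2 with prior knowledge, gRPC, or any legitimate non-browser protocol parked on 443 or 80 will read as "mismatch" under a rule this crude, so production deployments pair the check with a whitelist and with rates rather than blocking on a single flow.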

Just switch it off completely (0)

Anonymous Coward | more than 2 years ago | (#37625208)

See how well that worked for Egypt?

Good luck with that... (2)

afxgrin (208686) | more than 2 years ago | (#37625214)

I wonder how far the censorship has to go before we see months of endless street protests again? If they ever expect anything like this to work, they should never have allowed their citizens to be in possession of the technology to begin with. They have an entire generation of people that grew up with cell phones, computers and the internet. There is no hope in hell of this working in the long term.

Re:Good luck with that... (0)

Anonymous Coward | more than 2 years ago | (#37626018)

If you think street protests matter much, think again. All it takes is one helicopter with a couple hellfire missiles and a high RPM cannon, and what was a street protest is a mass grave.

In reality, revolution is pretty much impossible. Egypt appears to have just swapped one tyrannical master for another. It doesn't take much for another Kent State to happen if protests happen at a college, and protesters know that -- the whole 60s era of protesting completely ground to a halt when people realized they may be used as target practice with live rounds.

Re:Good luck with that... (1)

MightyMartian (840721) | more than 2 years ago | (#37626180)

I don't think Egypt swapped anything, to be honest with you. The Army always ran the show. They were content to let Mubarak be the frontman, but ultimately it wasn't street protests that knocked Mubarak down, it was the Army saying "Well, you're of no use to us anymore."

The subject is the article I'm responding to (2)

jidar (83795) | more than 2 years ago | (#37625216)

"The Net interprets censorship as damage and routes around it." -- John Gilmore

They will just move to using other ports.

Re:The subject is the article I'm responding to (1)

Anonymous Coward | more than 2 years ago | (#37625356)

Censorship interprets the net as damage and routes around it.

Re:The subject is the article I'm responding to (1)

fph il quozientatore (971015) | more than 2 years ago | (#37625682)

You forgot the "in soviet Russia" part.

Re:The subject is the article I'm responding to (1)

Anonymous Coward | more than 2 years ago | (#37625738)

Changing ports does nothing if they use deep packet inspection.

Re:The subject is the article I'm responding to (0)

Anonymous Coward | more than 2 years ago | (#37626256)

I'll give you a deep packet injection

Re:The subject is the article I'm responding to (0)

Anonymous Coward | more than 2 years ago | (#37627634)

You can't use DPI on encrypted streams. You could potentially build a heuristic to find patterns (or the lack thereof) inherent in encrypted streams, but you would get a ton of false positives, and it would be expensive as fuck.

Re:The subject is the article I'm responding to (1)

gandhi_2 (1108023) | more than 2 years ago | (#37625864)

In Soviet China, The censors interpret internets as damage and wall around it. -- me

All ports? (1)

kju (327) | more than 2 years ago | (#37625224)

This sounds like nonsense. There are VPN providers on non-standard ports. If you have your own server and a spare IP, you can even use some netfilter rewrite magic to allow connection on ANY port of that IP which is helpful in a lot of situations.

Place is full of muslims (-1)

Anonymous Coward | more than 2 years ago | (#37625258)

Who gives a fuck

Use OpenVPN (4, Interesting)

kandresen (712861) | more than 2 years ago | (#37625334)

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that block VPN communication.

Re:Use OpenVPN (1)

malraid (592373) | more than 2 years ago | (#37625396)

+1 for OpenVPN

Re:Use OpenVPN (2, Informative)

Anonymous Coward | more than 2 years ago | (#37625622)

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that block VPN communication.

OpenVPN has not functioned properly in Iran for a while now, on any port. The same goes for Syria.

Re:Use OpenVPN (1)

NevarMore (248971) | more than 2 years ago | (#37625652)

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that block VPN communication.

How is OpenVPN not detected as regular VPN communication?
Does it have its own signatures and patterns which are detectable?

Re:Use OpenVPN (1)

GameboyRMH (1153867) | more than 2 years ago | (#37626074)

OpenVPN has a mode that can mimic HTTPS, but even then it isn't foolproof.

Re:Use OpenVPN (5, Informative)

cdp0 (1979036) | more than 2 years ago | (#37625662)

OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that block VPN communication.

OpenVPN was blocked even in 2010. No protocol (UDP or TCP) and port combination worked. Both normal and static key configurations were detected and blocked.

tcpdump showed a short packet exchange between the client and the server, and after that the connection completely died. Subsequent tries on the same protocol and port were completely blocked too (probably blacklisted).

Even so, I find it weird that OpenVPN was blocked while PPTP was allowed. Maybe they had/have a way of attacking PPTP?

What worked back then and might still work is SSH (including tunneling). With access to a server outside Iran and a bit of imagination many things can be done with SSH tunneling.

Re:Use OpenVPN (1)

Parham90 (2478210) | more than 2 years ago | (#37626768)

Yes, SSH tunneling is what I'm using right now. Still, VPNs would be much easier to use when you have multiple applications needing to be proxified (yes, you can use Proxifier too, but VPN is as easy as plug-and-play).

Re:Use OpenVPN (1)

Anthony Mouse (1927662) | more than 2 years ago | (#37627190)

I would have thought this would work pretty well:

1) Install squid on the server in a non-oppressive country
2) ssh user@server -L 3128:localhost:3128
3) Configure the system proxy settings to use localhost on port 3128

Also, there is a (relatively new) VPN feature in OpenSSH. Look at the -w option.

Re:Use OpenVPN (1)

WhiteDragon (4556) | more than 2 years ago | (#37627928)

you can also use ssh to provide a generic SOCKS proxy:

ssh -D 1234 some.host.example.com

then just tell your apps to use a SOCKS proxy of localhost, port 1234

There are plenty of SOCKS wrappers for apps that don't have SOCKS code built in.
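What "tell your apps to use a SOCKS proxy of localhost" means on the wire, as an added example that is not OpenSSH code or any poster's: the SOCKS5 (RFC 1928) greeting, method selection, CONNECT request and reply that an application exchanges with the local `ssh -D` listener. The proxy replies in the walkthrough are constructed, not captured from a real session, and the destination names are placeholders.

```python
"""SOCKS5 (RFC 1928) handshake messages as an application exchanges them with a
local 'ssh -D' listener. Added example, not OpenSSH code; the proxy replies in
demo_exchange() are constructed, not captured."""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def client_greeting() -> bytes:
    """VER | NMETHODS | METHODS: offer only 'no authentication', which is all a
    loopback-only listener needs."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_selection(data: bytes) -> int:
    """VER | METHOD chosen by the proxy; 0xFF means none of ours was acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ValueError("proxy rejected all offered methods")
    return data[1]


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. A hostname is sent as
    ATYP=0x03 so the proxy (the far end of the SSH session) resolves it;
    resolving it locally first would hand the destination name to the local
    resolver, which is exactly what the tunnel was meant to hide."""
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not a dotted quad: send the name for remote resolution
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return head + addr + struct.pack("!H", port)


def parse_reply(data: bytes):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (status, bound addr, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        bnd = socket.inet_ntoa(data[4:8])
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        bnd = data[5:5 + n].decode("idna")
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    return REPLY_TEXT.get(rep, "unknown reply %#x" % rep), bnd, port


def demo_exchange() -> dict:
    """One CONNECT walkthrough with constructed proxy replies."""
    steps = {"greeting": client_greeting()}
    steps["method"] = parse_method_selection(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
    steps["request"] = connect_request("example.com", 443)
    # Constructed success reply with an all-zero bound address and port.
    steps["reply"] = parse_reply(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4])
                                 + b"\x00" * 4 + b"\x00\x00")
    return steps


if __name__ == "__main__":
    for step, value in demo_exchange().items():
        print(f"{step:9s} {value!r}")
```

None of these bytes ever leave the machine: they travel over loopback to `ssh -D`, and what the network sees is only the SSH session, which is why posters report SSH still working where OpenVPN does not. The defender-relevant consequence is that the observable signal is the SSH session's volume and timing, plus any destination names that leak through local resolution when an application sends an IP address instead of a hostname in the CONNECT request.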

Re:Use OpenVPN (0)

Anonymous Coward | more than 2 years ago | (#37627436)

PPTP uses GRE so that is trivial to block.

Re:Use OpenVPN (1)

scubamage (727538) | more than 2 years ago | (#37625712)

I'm trying to find out more of what they're blocking... TLS? L2TP? PPTP? IPSEC? These are all styles of VPN, and even more exist. I highly doubt they're blocking them all.

Re:Use OpenVPN (1)

Myuu (529245) | more than 2 years ago | (#37626854)

L2TP, PPTP, IPSEC.

Re:Use OpenVPN (1)

gad_zuki! (70830) | more than 2 years ago | (#37627568)

This isn't about ports. I'm not sure how it suddenly became about ports (poor writeup?).

Iran uses packet inspection. They're getting good at it. They took down Tor for a little while before those guys found a workaround. A lot of VPNs don't work in Iran. Lots of things don't work. Simple workarounds like port numbers don't work.

In other words, when your country is a theocratic dictatorship, bad things happen. Considering how Iran is also a police state, there's little to no chance of anything stopping this anytime soon.

Ah religion. Your evil knows no bounds.

Information can't be blocked (2)

captainpanic (1173915) | more than 2 years ago | (#37625336)

Governments have tried that since the 15th-16th century, and failed every time.

It's somehow done (4, Interesting)

Parham90 (2478210) | more than 2 years ago | (#37625358)

Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)

Re:It's somehow done (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#37625508)

Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)

Probably shouldn't post this kind of thing over an unencrypted connection.

>_>
<_<
>_>

Re:It's somehow done (3, Insightful)

Parham90 (2478210) | more than 2 years ago | (#37625546)

I do have my connection encrypted now, but not through VPN. *smile*

Re:It's somehow done (1)

scubamage (727538) | more than 2 years ago | (#37625736)

If you won't endanger yourself by poking it too much, I'm curious what exactly they blocked. IPSEC, L2TP, PPTP, TLS... there are a ton of possibilities. Heck, you can even proxy everything via SSH if you want.

Re:It's somehow done (3, Informative)

Parham90 (2478210) | more than 2 years ago | (#37626624)

I have tried SSH tunneling. Right now, that's how I am encrypting my connection. I've tried OpenVPN and PPTP and IPsec, and also L2TP. These are blocked (as far as I can gather). Haven't tried connecting to non-standard ports, however.

Re:It's somehow done (2, Insightful)

Anonymous Coward | more than 2 years ago | (#37625814)

More power to the people of Iran. You make the Internets proud.

But, still, please be careful.

Re:It's somehow done (0)

Anonymous Coward | more than 2 years ago | (#37625752)

On the typical westernized firewalls--corporate included, you often have better luck using 53/DNS for tunneling traffic through. I should caution you though...using a VPN through DNS would pretty much be...immediately obvious...to anyone doing any kind of traffic analysis.

Even if you had a friend set up something like nstx (which would produce valid DNS traffic)--you can 'spot it' fairly routinely if for some reason you had a need to break out wireshark and look at your connection.
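The "you can spot it fairly routinely" point in code, as an added example that is not nstx's or any poster's: a heuristic over resolver query logs that scores each registered domain on how long its subdomain labels are, how random they look (Shannon entropy), and how rarely the same subdomain is ever queried twice. The log lines, the domain names and the thresholds are constructed for this example; real tunnel detectors add query rate, record types and response sizes to the same idea.

```python
"""Heuristic spotting of DNS-tunnel traffic in resolver query logs.
Added example; the log lines and thresholds below are constructed, not taken
from any real resolver or product."""
import math
from collections import defaultdict

# Constructed resolver log: timestamp, client, query type, queried name.
# The tunnel-example.net lines mimic a tunnel: long, high-entropy, never-repeated labels.
SAMPLE_LOG = """\
2011-10-06T12:00:01 10.0.0.5 A www.example.com
2011-10-06T12:00:02 10.0.0.5 A mail.example.com
2011-10-06T12:00:02 10.0.0.9 A www.example.com
2011-10-06T12:00:03 10.0.0.5 A example.com
2011-10-06T12:00:03 10.0.0.7 TXT 5a7f3c9b1e2d4a6c8f0b3e5d7a9c1f2e4b6d8a0c.t.tunnel-example.net
2011-10-06T12:00:03 10.0.0.7 TXT c0a8d6b4e2f1c9a7d5e3b0f8c6a4d2e1b9c3f7a5.t.tunnel-example.net
2011-10-06T12:00:04 10.0.0.7 TXT 1e2d4a6c8f0b3e5d7a9c1f2e4b6d8a0c5a7f3c9b.t.tunnel-example.net
2011-10-06T12:00:04 10.0.0.7 TXT 3e5d7a9c1f2e4b6d8a0c5a7f3c9b1e2d4a6c8f0b.t.tunnel-example.net
2011-10-06T12:00:05 10.0.0.7 TXT 7a9c1f2e4b6d8a0c5a7f3c9b1e2d4a6c8f0b3e5d.t.tunnel-example.net
2011-10-06T12:00:06 10.0.0.5 A a1b2c3d4e5f6.cdn-example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """(registered_domain, subdomain_labels). The registered domain is
    approximated as the last two labels; a public-suffix list does better."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze(log_text: str, min_queries: int = 4, min_label: int = 30,
            min_entropy: float = 3.0, min_unique_ratio: float = 0.9) -> dict:
    """Return {registered_domain: stats} for domains whose queries look like a tunnel."""
    per_domain = defaultdict(lambda: {"n": 0, "subs": set(), "label": [], "ent": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, _qtype, name = line.split()
        domain, subs = split_name(name)
        st = per_domain[domain]
        st["n"] += 1
        st["subs"].add(".".join(subs))
        st["label"].append(max((len(l) for l in subs), default=0))
        st["ent"].append(shannon_entropy("".join(subs)))

    flagged = {}
    for domain, st in per_domain.items():
        n = st["n"]
        if n < min_queries:          # too little volume to judge
            continue
        mean_label = sum(st["label"]) / n
        mean_ent = sum(st["ent"]) / n
        unique_ratio = len(st["subs"]) / n
        if (mean_label >= min_label and mean_ent >= min_entropy
                and unique_ratio >= min_unique_ratio):
            flagged[domain] = {"queries": n, "unique_ratio": round(unique_ratio, 2),
                               "mean_label_len": round(mean_label, 1),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG).items():
        print(domain, stats)
```

The single `a1b2c3d4e5f6.cdn-example.org` query is deliberately left unflagged: CDN hostnames, anti-spam lookups and similar services produce high-entropy labels too, so entropy on its own is a false-positive generator and the volume and uniqueness conditions are what make the verdict usable. Conversely, a tunnel that pads its queries with short low-entropy labels evades this rule, which is why byte volume per client-domain pair is the next signal a detection engineer adds.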

It's time to invade. (-1, Troll)

Anonymous Coward | more than 2 years ago | (#37625384)

Yes. Invade.
Take the side of the people who want freedom. The religious zealots, fascists and other authoritarian types be damned. It's time to liberate Iran.

Re:It's time to invade. (3, Insightful)

orphiuchus (1146483) | more than 2 years ago | (#37625424)

The problem is it's actually the minority that wants freedom. Seriously.

Iran's rural population is huge, and it's made up of what basically amount to Muslim rednecks. They're the morons who keep assholes in power, and they probably all support this idea.

Re:It's time to invade. (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#37625524)

The problem is it's actually the minority that wants freedom. Seriously.

Iran's rural population is huge, and it's made up of what basically amount to Muslim rednecks. They're the morons who keep assholes in power, and they probably all support this idea.

Then kill them all. Fuck them. It's the 21st century. Time for them to fuck off. The world has bigger problems to deal with. Time these fucktards were stopped from holding the rest of us up.

Seriously. fuck them.

Re:It's time to invade. (0)

Anonymous Coward | more than 2 years ago | (#37625626)

Kill everybody who wants to stop freedom, you say? What about the Patriotic Act, doesn't it stop freedoms? Should we kill all rednecks because they want to restrict the freedom of Latin Americans to live in the US of A? If we do invade Iran over this, shouldn't we also kill all American soldiers because they want to restrict the freedom of Iranians to choose their leaders?

Seriously. Fuck you.

Re:It's time to invade. (0)

Anonymous Coward | more than 2 years ago | (#37625690)

First of all, it's a theocracy. Any semblance of democracy is just a dog and pony show. How they got there in the first place was because of the original Iranian revolution. Second. I don't want our soldiers in Iran. But I have no problem waxing them when they cause problems for us outside their nation. For all I care, their entire navy can rest at the bottom of the ocean. Probably for the best anyways.

Re:It's time to invade. (2, Insightful)

Securityemo (1407943) | more than 2 years ago | (#37625840)

It's not fundamentally a problem of freedom, but of good and evil. Sharia law must be wiped from the planet; it is IMHO abhorrently evil. On the other hand, killing everyone living in such societies sort of misses the point, doesn't it?

Re:It's time to invade. (1)

microbox (704317) | more than 2 years ago | (#37625664)

Then kill them all. Fuck them. It's the 21st century. Time for them to fuck off. The world has bigger problems to deal with. Time these fucktards were stopped from holding the rest of us up.

I almost split my spleen laughing at this. You, my friend, are a parody of yourself.

Re:It's time to invade. (0)

Anonymous Coward | more than 2 years ago | (#37626554)

Then kill them all. Fuck them. It's the 21st century. Time for them to fuck off. The world has bigger problems to deal with. Time these fucktards were stopped from holding the rest of us up.
Seriously. fuck them.

(Posting anon because I feed the trolls less that way.)

Democracy is based on the collective freedom of the people to not have decisions imposed upon them by unaccountable parties. By electing their rulers, in theory, the people of democratic societies can always hold the rulers responsible.

And now you advocate the use of force (pretty much the strongest form of imposition) to make a nation free? To impose a system whose characteristic is the relative absence of imposition? If you think a little longer, I'm sure you'll see the contradiction.

Re:It's time to invade. (0)

Anonymous Coward | more than 2 years ago | (#37626968)

He/she/it won't. In many people's minds, "$REGIME" (meaning "what we have over here in $MYCOUNTRY") is the only possible way to live. Therefore, if people are living under a different regime, they must have been forced to live like that; they must be freed by force.

If $REGIME=theocracy and $MYCOUNTRY=Iran, you have the extremist muslims. If $REGIME=democracy and $MYCOUNTRY=USA, you have extreme right-wing Americans. They are one and the same in their shortsightedness and lack of perspective.

Re:It's time to invade. (2)

Hatta (162192) | more than 2 years ago | (#37625564)

The problem is it's actually the minority that wants freedom. Seriously.

America and Iran have more in common than they'd like to admit.

Definition of "freedom" (2, Insightful)

Quila (201335) | more than 2 years ago | (#37625776)

To many, it means the freedom to worship Allah without being offended by anybody.

For example, that Mohammed cartoon violated their freedom. Seeking to have it suppressed did not violate the author's freedom, since freedom of speech is defined within the framework of what is acceptable to Allah.

Re:It's time to invade. (1)

Lunix Nutcase (1092239) | more than 2 years ago | (#37625584)

And you're going to enlist to help fight as well, no? Oh wait it's just another basement armchair general blustering about starting wars but too chickenshit to actually do any of the fighting.

Re:It's time to invade. (0)

Anonymous Coward | more than 2 years ago | (#37625670)

with fight with soldiers, vitrify them with some H bombs, the fanatic will respect us after that.

As Mr. Universe would say... (2)

Moheeheeko (1682914) | more than 2 years ago | (#37625466)

Can't stop the signal.

change to port 80 and 443 (1)

lechiffre5555 (1939278) | more than 2 years ago | (#37625472)

Run your VPN over ports 80 and 443 and let them block those as well. They may as well just switch it all off at the mains and be done with it.

Re:change to port 80 and 443 (1)

WhiteDragon (4556) | more than 2 years ago | (#37627980)

Run your VPN over ports 80 and 443 and let them block those as well. They may as well just switch it all off at the mains and be done with it.

Well, as other posters have pointed out, Iran is using Deep Packet Inspection, so they don't care about port numbers, just about the type of data that's being sent. I'm kind of surprised that according to some posters, they aren't blocking ssh.

How long before... (0)

Anonymous Coward | more than 2 years ago | (#37625596)

...They block off good old Port 80?

Wrong Info (4, Informative)

I'm Not There (1956) (1823304) | more than 2 years ago | (#37625694)

The summary says Iran started internet censorship after the election and people started using VPN from then. No, it's not like that. First, internet censorship goes back 7 or 8 years, IIRC. Long before the election. Second, anti-censorship tools have always been changing in all these years. VPN is just the main tool of most people now, but even two years ago (right after election) few people knew VPN and used other tools. So, things look tough, but it's not that we are going to lose our connection with the world. We always find a solution. Even right now I'm using a PPTP VPN and if you see this comment it works well. The only solution to prevent people from accessing sites the government doesn't like would be to shut down internet connection with the outside world completely. And I hope they won't do that, at least not for long.

Re:Wrong Info (1)

Parham90 (2478210) | more than 2 years ago | (#37626666)

Ah. If that is the message that came across, I'm quite sorry. That was meant to say, "there was censorship, but these social websites were censored since then." Facebook and Youtube weren't censored prior to the elections. The VPN connections, also, gained a wider use after the iTunes store and such were blocked, which happened after the elections. I didn't want to give a long history of what has happened in Iran, so I'm, again, sorry if I came across as incorrect.

Re:Wrong Info (1)

Parham90 (2478210) | more than 2 years ago | (#37626796)

Also, I'm curious to know how your PPTP still works. Have you changed the port?

Re:Wrong Info (1)

I'm Not There (1956) (1823304) | more than 2 years ago | (#37627132)

Talking in public about these is not a good idea (especially since your name in the story links directly to your Gmail address), but no, I didn't have to change the port. It stopped working last week, but that was for a few days only. Anyway, I suggest that you never rely on only one anti-censorship solution. Have a handful of them at your disposal, and switch to another when one of them doesn't work.

Blocked all vpn ports? (1)

Lando (9348) | more than 2 years ago | (#37626004)

Ummm, so does that mean they shut down their internet entirely? Port 80 is simple enough to use, or even, dare I say, a little Perl script using email; yeah, the latency sucks, but it still works. Getting past port blocking is pretty simple.

Hmmm, sending traffic through steganography via email attachments would be interesting. Wonder how long it would take to code that up.

Re:Blocked all vpn ports? (1)

smash (1351) | more than 2 years ago | (#37626910)

read up on deep packet inspection

Just block these people on the ITAR list (1)

zoomshorts (137587) | more than 2 years ago | (#37626160)

Have done with idiots who dismiss human rights. Cut them off totally from the internet. Why allow oppressive regimes to exist at all? It CAN be done by sanctions etc. Do business with these people and get blocked too.
Want to whine about human rights? Wait until these countries give a shit and THEN allow them into the human race, not before!

censorship (1)

Oswald McWeany (2428506) | more than 2 years ago | (#37626210)

Gosh... wouldn't it be simpler if they just cut off everyone's fingers so they couldn't type... and cut out their tongues so they couldn't talk. Oh, and poke out their eyes so they can't see sign language... oh, and rip off their ears so they can't hear... and... ... or how about they realise that talk and speech is inevitable and trying to censor it only makes yourself unpopular and your demise as ruler more likely.

Re:censorship (0)

Anonymous Coward | more than 2 years ago | (#37626484)

cut off everyone's fingers so they couldn't type

and poke out their eyes so they can't see sign language

Why poke out their eyes if their fingers are already cut off? So they can't see palm stubs waving around?

Re:censorship (1)

Oswald McWeany (2428506) | more than 2 years ago | (#37627346)

Even if they had no fingers you'd still need to poke their eyes out so that they can't read what others in other countries have written/typed.

Admittedly it would be hard to navigate the web or turn pages in a book without any fingers.

Re:censorship (1)

gtall (79522) | more than 2 years ago | (#37626552)

Now, now. Sharia law does not condone any of those... unless the sentence is dutifully made by a registered mullah, imam, or any other anal retentive neurotic nostalgic for the good old days of medieval torture.

Re:censorship (1)

Parham90 (2478210) | more than 2 years ago | (#37626714)

LOL! Guys, you might want to start ducking when you start a religious argument. As for myself, *slides safely under his desk*

Amazing that '1984' arrived in unexpected places (1)

Cragen (697038) | more than 2 years ago | (#37626670)

When I was in high school, in the 70's, we "studied" the book "1984". We all assumed, I assume, that "1984" would happen in Russia or in a bizarro America. I do not remember anyone suggesting that religion would be the driver. ( I don't include the Chinese government in this particular assumption as China, to me, seems to have simply re-introduced the feudal system for the masses with a "ruling committee" replacing the emperor at the top.) What a mess.

OpenVPN does NOT work in Iran (0)

Anonymous Coward | more than 2 years ago | (#37626722)

Just so this is absolutely clear: OpenVPN does NOT work in Iran. It does not work on any port, in both TCP and UDP mode; I've tested this extensively with multiple individuals in the country, and the connection is cut off almost immediately upon establishment. Syria suffers from the same problem. OpenVPN isn't a magic protocol; it's being blocked just like all the rest.

https tunnels? (1)

smash (1351) | more than 2 years ago | (#37626778)

Or they're going to block internet banking now?

Re:https tunnels? (1)

cpghost (719344) | more than 2 years ago | (#37627038)

How many of them are doing online banking with foreign banks anyway? If they blocked encrypted traffic at the international peering point(s), it wouldn't break their internal internet banking system at all.

Re:https tunnels? (1)

Parham90 (2478210) | more than 2 years ago | (#37627070)

This seems to have happened, in fact. I can access HTTPS inside of Iran, but accessing Google AdWords, for example, over https is impossible.

From a NOC perspective (5, Informative)

cpghost (719344) | more than 2 years ago | (#37626962)

I'm working at the Network Operation Center (NOC) of a major Tier-1 backbone operator, and I'm somewhat familiar with the Nokia-Siemens DPI software used in some places of the world, including Iran. And guess what? I'm NOT surprised that they were able to block VPN traffic, even encrypted traffic, at this point.

Unencrypted VPN traffic is incredibly easy to flag anyway, and even the handshake of popular encrypted VPN tunnels has a pattern that's predictable enough to be quite effective. I don't need to point out that ALL ports are affected. Switching to another port is basically useless in this context.

All this DPI doesn't require huge CPU processing power, as one would naively expect, since it (currently) happens only at the beginning of a session (yes, including UDP). And that is currently the Achilles' heel of this filter: if you initiate a "harmless" (as in allowed-by-policy) connection, and switch to encryption a couple of 10k packets later, you slip right through the firewall. Try it. If it doesn't work, they've upgraded to a new release and had to invest heavily in additional routers.

what about iodine (2)

WhiteDragon (4556) | more than 2 years ago | (#37628182)

Iodine [code.kryo.se] is IP over DNS. Since it is actually the DNS protocol (and not just using the DNS ports), it might not be susceptible to Deep Packet Inspection. However, it could presumably still be detected.
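One way a network defender might surface iodine-style IP-over-DNS traffic, as an added example that is not from the post or the iodine project: it scores the payload labels of constructed query names (not real captures) by label length and character entropy, the two features that encoded-payload subdomains tend to share.

```python
import math
from collections import Counter

# Constructed sample query names: three ordinary lookups and three tunnel-style
# names whose leftmost label carries encoded payload under the zone t.example.com.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "cdn.static.example.net",
    "0baxa5m7e2kqpzvd8n3fyt1hjw6lc9gsou4ri.t.example.com",
    "zq82mlhv3e7tyjc1kd9abfw5ps0nxor4ui6g.t.example.com",
    "7k2hdf9w3qmzxpc5rlv0bjt8nsy1eagu46oi.t.example.com",
]

def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical character distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_query(name: str, zone_labels: int = 2) -> dict:
    """Features of the payload part of a name: all labels left of the last
    zone_labels (the registered domain), which is where a tunnel hides data."""
    labels = name.rstrip(".").split(".")
    payload = labels[:-zone_labels] if len(labels) > zone_labels else []
    joined = "".join(payload)
    return {
        "name": name,
        "longest_label": max((len(l) for l in payload), default=0),
        "payload_len": len(joined),
        "entropy": shannon_entropy(joined),
    }

def is_tunnel_like(name: str, max_label: int = 30, min_entropy: float = 4.0) -> bool:
    """Flag names with an unusually long label AND near-random characters.
    Thresholds are assumptions for this example; hashed CDN hostnames can trip
    them, so a production check would also weigh query rate per client and
    the share of TXT/NULL record types, not a single name in isolation."""
    f = score_query(name)
    return f["longest_label"] > max_label and f["entropy"] >= min_entropy

def flag_tunnel_queries(names):
    """Return the subset of names that look like encoded tunnel payload."""
    return [n for n in names if is_tunnel_like(n)]

if __name__ == "__main__":
    for n in flag_tunnel_queries(SAMPLE_QUERIES):
        print("tunnel-like:", n, score_query(n))
```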
