
Technical Analysis of the IRGFW: Understanding The Iranian Great Firewall #441

irgfw opened this issue Dec 31, 2024 · 2 comments

irgfw commented Dec 31, 2024

Understanding The Iranian Great Firewall

Report 1 - December 2024

The first technical report on IRGFW, titled Technical Analysis of IRGFW: Understanding Iran’s Great Firewall, is now available. This report comprehensively examines the infrastructure and operations of Iran’s Great Firewall.

Key topics covered in this report include the status of DNS, UDP, and QUIC, the state of IPs, active probes, DPI systems, and an overview of various protocols.

This report serves as a thorough and precise resource for those interested in analyzing internet filtering methods in Iran. By sharing and distributing this report, you can raise awareness and foster a deeper understanding of internet censorship in Iran.

Access the full report below for detailed analysis.

@gfw-report (Contributor) commented

Hi irgfw,

What a fascinating report! It offers us an updated view of the censorship situation in Iran.

Below are some comments and/or questions:

On page 9:

> we observe the client sending the ClientHello. However, ... the client is not receiving a response from the server.... when testing with a non-blocked domain, the blockage consists.

It sounds like a typical blocking based on the TLS fingerprint (see: #54 and https://censorbib.nymity.ch/#Frolov2019a) of the DoH client (YogaDNS). Could you still reproduce it now?

On page 25:

> September 2023... The server, utilizing VLess-TCP-Reality protocol (Port 2053), operated for 24 hours, transferring ~2TB of data before being blocked. ... probing activity—likely from the IRGFW

We remember this incident, but we are still not sure what the content of the probe was. Do you have more details about the payload of the probe and the intentions of the censor?

On page 30:

> When we tested with uTLS (both official and fragmentation modes), the handshake was completed, indicating that the IRGFW had fingerprinted the DNS client. This issue also affects major VPN clients: despite having a whitelisted server IP and SNI domain, the TLS handshake times out.[32] However, when using a less common or non-standard client with different fingerprinting characteristics, the handshake succeeds, and the VPN tunnel is established without issues.

This is very interesting. Is the DNS client the YogaDNS you mentioned? What other clients were blocked?

On page 36:

> This is in contrast to China, where ECH and ESNI continue to be actively blocked by the Great Firewall (GFW).[31]

Our understanding and observations were that while ESNI has been blocked (see: #43), ECH has not been blocked by the GFW in China (see: #393, #292, and #280).

On page 38:

> This reduced control intensity may allow for increased data flow and somewhat more open access to previously restricted internet services. However, this shift may be reversible depending on future policy decisions and technological adjustments.

We've heard reports about reduced censorship in Iran, including the unblocking of WhatsApp. Based on your experience, understanding, and expertise, what reasons might the Iranian government have for making such changes?


Finally, great job on this detailed and informative report! We are looking forward to seeing more and more reports from you!

@irgfw (Author) commented Dec 31, 2024

@gfw-report Hi, thanks.

On page 9:

> > we observe the client sending the ClientHello. However, ... the client is not receiving a response from the server.... when testing with a non-blocked domain, the blockage consists.
>
> It sounds like a typical blocking based on the TLS fingerprint (see: #54 and https://censorbib.nymity.ch/#Frolov2019a) of the DoH client (YogaDNS). Could you still reproduce it now?

Yes, it can be reproduced now on major Iranian ISPs. The default ClientHello of YogaDNS is fingerprinted and blocked.

On page 25:

> > September 2023... The server, utilizing VLess-TCP-Reality protocol (Port 2053), operated for 24 hours, transferring ~2TB of data before being blocked. ... probing activity—likely from the IRGFW
>
> We remember this incident, but we are still not sure what the content of the probe was. Do you have more details about the payload of the probe and the intentions of the censor?

We did not include more details about active probes in the report because they have been deprecated and abandoned in the IRGFW system.

But:

  • Most of them were malformed HTTP requests.
  • Some of them were the initial data packets of VLess connections, without a UUID (obviously). They wanted to mimic a regular VLess request to observe the response.
  • For REALITY it was different: it sent malformed TLS handshakes (versions 1.0, 1.1, 1.2), but when the server and client were set to TLS min_ver: 1.3, the probes were gone. At first we thought they were using some weakness in the code (like XTLS/REALITY#7, XTLS/Xray-core#3502), but after testing heavily, we concluded the IRGFW was/is blocking REALITY based on a Reverse DNS Mapping system.

Note: as stated in the report, from January 2024 there are no signs of active probes at all. That part of the report was included only to show how the IRGFW is evolving and changing over time.

On page 30:

> > When we tested with uTLS (both official and fragmentation modes), the handshake was completed, indicating that the IRGFW had fingerprinted the DNS client. This issue also affects major VPN clients: despite having a whitelisted server IP and SNI domain, the TLS handshake times out.[32] However, when using a less common or non-standard client with different fingerprinting characteristics, the handshake succeeds, and the VPN tunnel is established without issues.
>
> This is very interesting. Is the DNS client the YogaDNS you mentioned? What other clients were blocked?

YogaDNS, AdguardDNS, DNSCrypt, Unbound, NextDNS, Technitium, Xray-core (as DNS client), singbox-core (as DNS client) and hysteria2 (as DNS client).

On page 36:

> > This is in contrast to China, where ECH and ESNI continue to be actively blocked by the Great Firewall (GFW).[31]
>
> Our understanding and observations were that while ESNI has been blocked (see: #43), ECH has not been blocked by the GFW in China (see: #393, #292, and #280).

The links are about Cloudflare enabling ECH, but as of December 2024 ECH is unstable in major Chinese provinces, as it was in Iran when Iran once followed this policy in the past; now they are separated. If you do have more insights about ECH in China, contact me via email.

On page 38:

> > This reduced control intensity may allow for increased data flow and somewhat more open access to previously restricted internet services. However, this shift may be reversible depending on future policy decisions and technological adjustments.
>
> We've heard reports about reduced censorship in Iran, including the unblocking of WhatsApp. Based on your experience, understanding, and expertise, what reasons might the Iranian government have for making such changes?

  • Public Pressure and Civil Unrest
    Prolonged internet restrictions have historically led to increased public dissent and unrest. By unblocking popular platforms, the regime may aim to placate the populace, reducing the likelihood of protests that could threaten its oppressive control. (e.g., strategically buys time to consolidate authoritarian control and strengthen alliances with other oppressive regimes)

  • Surveillance and Information Control
    Allowing access to widely used platforms can facilitate state surveillance. The regime may exploit this to monitor communications, identify dissenters, and disseminate propaganda, thereby strengthening its authoritarian rule.

  • International Image and Diplomatic Strategy
    Facing international scrutiny, the regime might ease internet restrictions to project a facade of reform. This could be a tactical move to alleviate external pressures without enacting genuine change, preserving its repressive policies.

  • Technological Limitations and Resource Allocation
    Maintaining comprehensive internet censorship is resource-intensive. The widespread use of circumvention tools like VPNs can render such efforts less effective, leading the regime to selectively lift bans as a cost-saving measure while continuing to oppress through other means.

  • Strategic Deception
    The unblocking of certain platforms may be a calculated move to create an illusion of liberalization, thereby pacifying both domestic and international critics. This deceptive tactic allows the regime to continue its oppressive practices under the guise of reform.

While the unblocking of platforms like WhatsApp and Google Play may appear as steps toward liberalization, they are likely strategic maneuvers by the Iranian regime to maintain its oppressive control over the populace. These actions should be scrutinized within the broader context of the regime's history of using internet censorship as a tool of repression.

An interesting note: After unblocking WhatsApp IP addresses, some of the Instagram/Meta IPs were unblocked too. But because the SNI of Instagram is blocked, if you use Fragmentation on geosite:meta you can simply bypass the blocking on all Meta products like Facebook and Instagram. (https://github.com/GFW-knocker/gfw_resist_HTTPS_proxy)
