[tor-bugs] #7141 [Censorship analysis]: How is Iran blocking Tor? (was: How is Pars Online blocking Tor?)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 29 23:14:21 UTC 2012


#7141: How is Iran blocking Tor?
------------------------------------------+---------------------------------
 Reporter:  phw                           |          Owner:  phw
     Type:  task                          |         Status:  new
 Priority:  normal                        |      Milestone:     
Component:  Censorship analysis           |        Version:     
 Keywords:  dpi, censorship, block, iran  |         Parent:     
   Points:                                |   Actualpoints:     
------------------------------------------+---------------------------------
Description changed by phw:

Old description:

> Some users reported that the Iranian ISP
> "[https://en.wikipedia.org/wiki/Pars_Online Pars Online]" is (partially?)
> blocking Tor.
>
> One user looked into it and believes that Tor is identified based on the
> server_name extension in the TLS client hello. It looks like DPI boxes
> extract the domain and do a DNS lookup for it. If the domain resolves and
> the relay/bridge is listening on port 443, the connection passes.
> Apparently, an omitted server_name or a server_name rewritten to
> `www.google.com` passed the filter.
>
> Obfsproxy seems to work.
>
> Some open questions:
>
>  * Can we reproduce and verify the existing hypothesis?
>  * Is this an attempt to only allow HTTPS and no other SSL/TLS-based
> protocols? Or is it targeting only Tor?
>  * Can we modify [https://gitweb.torproject.org/brdgrd.git brdgrd] to
> evade the server_name extraction?
>  * Is this type of block limited to Pars Online?

New description:

 Note that currently it looks like there might be more than just one
 filtering technique in place. The following was the initial report
 describing one possible filtering technique and
 [https://trac.torproject.org/projects/tor/ticket/7141#comment:7 this
 comment] describes another technique.

 ----
 Some users reported that the Iranian ISP
 "[https://en.wikipedia.org/wiki/Pars_Online Pars Online]" is (partially?)
 blocking Tor.

 One user looked into it and believes that Tor is identified based on the
 server_name extension in the TLS client hello. It looks like DPI boxes
 extract the domain and do a DNS lookup for it. If the domain resolves and
 the relay/bridge is listening on port 443, the connection passes.
 Apparently, an omitted server_name or a server_name rewritten to
 `www.google.com` passed the filter.

 Obfsproxy seems to work.

 Some open questions:

  * Can we reproduce and verify the existing hypothesis?
  * Is this an attempt to only allow HTTPS and no other SSL/TLS-based
 protocols? Or is it targeting only Tor?
  * Can we modify [https://gitweb.torproject.org/brdgrd.git brdgrd] to
 evade the server_name extraction?
  * Is this type of block limited to Pars Online?

--

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7141#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online