2020-bock-detecting

Detecting and Evading Censorship-in-Depth: A Case Study of Iran's Protocol Filter

Kevin Bock, Yair Fax, Kyle Reese, Jasraj Singh, Dave Levin · Free and Open Communications on the Internet · 2020

canonical link →

Tags

censors: ir
techniques: dpi active-probing fully-encrypted-detect
defenses: geneva protocol-versioning

findings extracted from this paper

Using Geneva's genetic algorithm trained against Iran's live protocol filter, four evasion strategies achieving 100% success were discovered in under two hours: (1) injecting a fingerprint-matching PSH/ACK with a corrupt checksum before the real data; (2) sending two FIN packets before the SYN; (3) sending nine non-data-carrying packets (any flags, any seq/ack) during the handshake to exhaust the filter's per-flow packet limit; (4) a server-side variant that sends nine corrupted SYN+ACKs, inducing nine client RSTs before the real ACK, enabling fully unmodified clients to benefit.

§5.2–§5.3 defense dpimiddlebox-interference ir
The protocol filter's HTTPS fingerprint requires only that the first 5 bytes match a TLS header (type 0x16, version 0x03 0x01–0x03, correct length field); all subsequent bytes of the Client Hello are unchecked. Any TLS-based circumvention tool naturally satisfies this fingerprint and will bypass the filter by default. Furthermore, any one of the three permitted fingerprints (DNS, HTTP, HTTPS) can be used on any of the three monitored ports to whitelist an entire flow.

§4.3 defense dpitls-fingerprint ir
Testing the Alexa top-20,000 websites from within Iran, 3,595 IP addresses (17.9%) triggered the protocol filter at least 8 out of 10 times, and 3,499 (17.4%) were affected all 10 times. IP address provider is not correlated with filtering; instead, specific IP prefixes are targeted—for Cloudflare, only two prefixes (104.18.0.0/16 and 104.31.82.0/24) were fully affected while all others were unaffected.

§4.2 evaluation ip-blockingdpi ir
Iran's protocol filter monitors only the first two data-carrying packets of a TCP connection on ports 53, 80, and 443, permitting only DNS, HTTP, and HTTPS. Once tripped, it drops all subsequent client-side packets for 60 seconds, with the timer resetting on each TCP retransmit. The filter is unidirectional (client-inside-Iran only), cannot reassemble TCP segments, and does not verify checksums.

§4.1 detection dpiport-blocking ir
Existing segmentation strategies effective against Iran's standard HTTP DPI can be counterproductive when the protocol filter is also active: if the first segment is fewer than 8 bytes, it fails the HTTP fingerprint check and trips the filter. However, segmenting such that the first segment is a valid HTTP fingerprint (≥8 bytes, well-formed verb + space) while splitting the Host: header into the second segment defeats both the protocol filter and the standard DPI censor simultaneously.

§5.1 defense dpimiddlebox-interference ir