A Deeper Look at The Iranian Firewall

In the previous blog post about the Iranian firewall, we explored macro-level Iranian traffic engineering changes (showing that Iran cut all communication after the election and then slowly added back Internet connectivity over the course of several days). Like many other news reports and bloggers, we also speculated on Iran’s intent — how was the government manipulating Internet traffic and why?

Thanks to the cooperation of several ISPs in the region and Internet Observatory data, we can now do a bit better than speculate — we have pieced together a rough picture of what the Iranian government’s Internet firewall appears to be doing. The data shows that DCI, the Iranian state-run telecommunications agency, has selectively blocked or rate-limited targeted Internet applications (either by payload inspection or by port).

I’ll step through several of these applications.

On average, Internet traffic is dominated by web pages (roughly 40-50% of all Internet traffic). And the vast majority of this web traffic (unless you happen to be Google or Facebook) goes into ISPs and the millions of associated end users (as opposed to traffic going out of a country or ISP). Iran is no exception.

The graph below shows web traffic (TCP port 80) into Iran over the days before and immediately after the election. Though the graph clearly shows a brief post-election outage followed by a decrease in web traffic, Iranian web traffic was comparatively unaffected by Iran’s filter changes. Based on reports of Iran’s pre-existing Internet filtering capabilities, I’d speculate DCI did not require significant additional web filtering infrastructure.

In contrast, the next graph shows streaming video traffic (Adobe Flash) going into and out of Iran. Note the significant increase of video traffic immediately preceding the election (presumably reflecting high levels of Iranian interest in outside news sources). All video traffic immediately stops on the Saturday following the election (June 13th at 6:00pm Tehran / IRDT) and, unlike the web, never returns to pre-election levels.

The next graph on Iranian application filters shows email into and out of the country. Again, note the run-up in email traffic immediately preceding the election (especially outbound mail). And then? The data suggests DCI began blocking some outgoing email even before the election completed. Following the election, email returned at reduced levels (again, presumably because DCI had filtering infrastructure in place).

Finally, a look at the top applications now blocked by the DCI firewall(s). The chart shows average percentage decrease in application traffic in the days before and after the election. As discussed earlier, the Iranian firewalls appear to be selectively impacting application traffic. I’ll note that ssh (a secure communication protocol) tops the list followed by video streaming and file sharing.

While the rapidly evolving Iranian firewall has blocked web, video and most forms of interactive communication, not all Internet applications appear impacted. Interestingly, game protocols like Xbox and World of Warcraft show little evidence of government manipulation.

Perhaps games provide a possible source of covert channels (e.g. “Bring your elves to the castle on the island of Azeroth and we’ll plan the next Ahmadinejad protest rally?”)
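The before/after comparison behind the chart described above can be reproduced from per-application traffic totals. The following is an added example, not code or data from the original post; the traffic figures, the 20-point margin and the function names are constructed for illustration.

```python
from statistics import mean

# Constructed daily average traffic in Mbps per application (three days
# before and three days after the event). Illustrative values only; these
# are NOT the measurements behind the article's graphs.
SAMPLES = {
    "web (tcp/80)": {"before": [4000, 4200, 4100], "after": [3000, 3150, 3075]},
    "flash video":  {"before": [18, 20, 22],       "after": [2, 2, 2]},
    "email":        {"before": [60, 64, 68],       "after": [30, 32, 34]},
    "ssh":          {"before": [20, 20, 20],       "after": [1, 1, 1]},
    "games":        {"before": [50, 50, 50],       "after": [49, 49, 49]},
}


def pct_decrease(before, after):
    """Average percentage decrease between two windows of daily samples."""
    base = mean(before)
    if base == 0:
        return None  # no baseline traffic, so a decrease is undefined
    return round(100.0 * (base - mean(after)) / base, 1)


def rank_decreases(samples):
    """Applications sorted by percentage decrease, largest first."""
    rows = []
    for app, window in samples.items():
        drop = pct_decrease(window["before"], window["after"])
        if drop is not None:
            rows.append((app, drop))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def selectively_affected(samples, margin=20.0):
    """Separate a general drop from application-specific filtering.

    The aggregate decrease across all applications is the baseline; an
    application is flagged only when its own decrease exceeds that baseline
    by at least `margin` percentage points (an assumed threshold).
    """
    total_before = [sum(day) for day in zip(*(w["before"] for w in samples.values()))]
    total_after = [sum(day) for day in zip(*(w["after"] for w in samples.values()))]
    overall = pct_decrease(total_before, total_after)
    flagged = [app for app, drop in rank_decreases(samples) if drop - overall >= margin]
    return overall, flagged


if __name__ == "__main__":
    overall, flagged = selectively_affected(SAMPLES)
    print(f"aggregate decrease: {overall}%")
    for app, drop in rank_decreases(SAMPLES):
        mark = "  <- exceeds aggregate by margin" if app in flagged else ""
        print(f"{app:14s} {drop:5.1f}%{mark}")
```

Because web traffic dominates the aggregate, its decrease sits close to the baseline by construction, which is why small-volume protocols need to be compared individually rather than read off the total.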

66 Responses to “A Deeper Look at The Iranian Firewall”

June 19, 2009 at 12:08 pm, Iran’s Firewall and Election Protests « Weaponized Culture said:

[…] 19, 2009 by Erich Simmers Craig Labovitz from Security to the Core has some interesting observations on the Iranian firewall. I was most interested in what traffic […]

June 20, 2009 at 12:49 am, Analysis confirms Internet clampdown in Iran « Get 2 Vote said:

[…] and routing data gathered by over 100 of Internet service provider (ISP) customers in 17 countries. What it shows is that in the one week or so since the contentious elections, Web and video traffic and most forms […]

June 20, 2009 at 10:11 am, Use videogames to evade Iran’s censors-WSJ « FACT – Freedom Against Censorship Thailand said:

[…] the report, Craig Labovitz includes a graph showing a big uptick in Web video traffic prior to the election […]

June 20, 2009 at 4:37 pm, Zensur-Infrastruktur: Fallbeispiel Iran « Verlorene Generation said:

[…] clear: because it does not stay that way even in normal circumstances. Certainly not in an emergency, as a study of Internet censorship in Iran […]

June 21, 2009 at 8:03 pm, WoW as a channel for news from Iran? | Wow Strategy Guide said:

[…] does World of Warcraft fit in to all of this? Andrew Lavallee of the WSJ’s Digits blog points to this report by Craig Labovitz, which talks about how Internet traffic has been filtered out of the country around the election. […]

June 21, 2009 at 6:20 pm, WoW as a channel for news from Iran? | The Frozen Gnome said:

[…] World of Warcraft fit in to all of this? Andrew Lavallee of the WSJ’s Digits blog points to this report by Craig Labovitz, which talks about how Internet traffic has been filtered out of the country around the election. […]

June 22, 2009 at 5:54 am, Satar said:

Down with Islamic republic government of Iran

June 22, 2009 at 2:25 am, MARGIE NELSEN said:

I am not as computer savvy as most and I take my hat off to you guys. I thank god for you and all your hi tech help for the cause. You are heroes.

June 22, 2009 at 7:03 am, Iran’s Blocking their Backbone, WWW - Techlog said:

[…] 1 AND […]

June 22, 2009 at 8:29 am, w797 – The Collection of Game Post » Blog Archive » WoW as a channel for news from Iran? said:

[…] World of Warcraft fit in to all of this? Andrew Lavallee of the WSJ’s Digits blog points to this report by Craig Labovitz, which talks about how Internet traffic has been filtered out of the country around the election. […]

June 22, 2009 at 7:50 am, Iran’s Cyber War said:

[…] that again. Iran is blocking a lot of traffic, but not gaming traffic. In fact, researchers have confirmed that WoW and Xbox traffic is not being blocked at […]

June 22, 2009 at 9:07 am, Smithwill said:

The nature of the Internet is similar to a river. Whenever attempts are made to block or control the flow such as with dams or locks, invariably there will be conditions that overwhelm the man-made systems.

If the Iranian government blocks one protocol or port the citizens will merely find another path. Government controls are the catalysts of innovation. Actually, any roadblock or challenge can be the spark for innovation and creativity. This is how problems are solved. I’m sure there are lots and lots of people in Iran and elsewhere who thirst for more freedom. If the Internet is their communications medium of choice, all the government can do is sit back and watch.

Of course, if the govt wanted to thwart all efforts to communicate and cut all Internet access it might bring about a tipping point they don’t want…

June 22, 2009 at 10:57 am, The Iran Elections « Theatre of Consciousness said:

[…] people and countries via many social networking sites, and though there is strong evidence for governmental censorship of the internet in Iran, the plea of Iran’s citizens has most certainly reached the eyes and ears of the rest of the […]

June 22, 2009 at 6:30 pm, Iraniers mogen nog wel World of Warcraften | GamerzOnly • Game Nieuws said:

[…] that monitor all of the country’s Internet traffic. Several network engineers produced a good technical analysis of what exactly Iran is keeping an eye on: web traffic, Twitter and more things of that kind. But […]

June 22, 2009 at 7:42 pm, hamed said:

What do you suggest now to counter this firewall? Might other secure channel communications on different ports work? Is it port-based or content-based? Is it possible to make an upload stream look like normal browsing?

June 22, 2009 at 7:44 pm, hamed said:

What is DCI?

June 23, 2009 at 7:37 am, Erik said:

“…the Iranian web traffic was comparatively unaffected by Iran filter changes….” I don’t get it. Average normal peak (June 7-9) is approx 4200 Mbps and after June 13, 13:30 GMT this is 2000 Mbps. The same reduction of 50% as video (20 Mbps -> 10 Mbps) and POP (65 Mbps -> 32 Mbps) show. The reduction on port 80 is even slightly more pronounced than the others.

June 23, 2009 at 8:14 am, Thomas Themel's Wannabe Everything - Blocking SSH? said:

[…] censorship seems to be more serious in that they actually responded to this by (at least partially) blocking SSH traffic. This, now, annoys me. I need SSH to read my mail (and have unfetterd access to whatever parts of […]

June 23, 2009 at 9:36 am, YJ said:

I’m going to write about this article and I wonder if I can use your graphics in my Spanish post. Of course, all credits will be given to you and this website.

Thanks !

June 23, 2009 at 10:35 am, Gamedibs.com Dibcast, a podcast for gamers by gamers! » Blog Archive » Xbox allows Iranians to Smuggle News said:

[…] story here /blog/asert/2009/06/a-deeper-look-at-the-iranian-firewall/ Post a […]

June 23, 2009 at 2:54 pm, jak said:

Could there be a natural explanation? Could it be just like a terminate-router which is failing down because of heavy (peak) load? Just speculating, but the total cut-off right after election seems to be quite short anyway. I mean, they could have taken it down even for a longer time.

June 23, 2009 at 6:35 pm, Keine Eisenfaust « Thorstens Blog said:

[…] Craig Labovitz documents the Tehran regime’s attempt at that “Iron Fist” to suppress such Internet activity in two articles on the Arbor Networks Security Blog. […]

June 24, 2009 at 6:00 am, Tuneup Talk » Blog Archive » Iranian Firewalls vs. Plugged-In Culture said:

[…] elections. These appear to have gotten even more strict once demonstrations began. In fact, they actually cut off communications completely for a period of time (see the graphic near the top of the […]

June 24, 2009 at 2:54 am, On Looking Deeper, Or, Things About Iran You Might Not Know « advice from a fake consultant said:

[…] are suggesting that this is exactly what is happening today in Iran, with more than 80% of traffic bound for ports […]

June 24, 2009 at 3:08 am, Online gaming, una soluzione in più per aggirare la censura iraniana? | Geek Files - Infiltrati nella Rete said:

[…] Labovitz published on the Arbor Networks blog (a company that deals with network security) an interesting report on the effects of the Iranian government firewalls, comparing the results prior to the […]

June 24, 2009 at 9:40 am, Online gaming, una soluzione in più per aggirare la censura iraniana? | Fabrizio Savella said:

[…] Labovitz published on the Arbor Networks blog (a company that deals with network security) an interesting report on the effects of the Iranian government firewalls, comparing the results prior to the […]

June 24, 2009 at 11:20 am, Iraniërs mogen nog wel World of Warcraften | Vanallesenzo.nl said:

[…] that monitor all of the country’s Internet traffic. Several network engineers produced a good technical analysis of what exactly Iran is keeping an eye on: web traffic, Twitter and more things of that kind. But […]

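June 25, 2009 at 1:45 am, Geridip.net » イランのファイアウォール、ネットワークゲーム系のプロトコルについては検閲だ said:

[…] The turmoil over the results of the Iranian presidential election has recently become a matter of worldwide interest. To contain the reformist forces that keep sending information to the world using Twitter and the rest of the Internet, the Iranian government has been taking various measures to tighten information control, and communication inside and outside Iran is gradually becoming difficult; however, according to research by security expert Craig Labovitz, there still appear to be loopholes in the censorship filtering (A Deeper Look at The Iranian Firewall). […]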

June 25, 2009 at 10:18 am, Robust McManlyPants on Average Display » The Iranian Firewall said:

[…] colleague sent me a link to a fascinating discussion of Iranian internet traffic patterns surrounding the election and what they say about what methods of access to and distribution of media the Iranian regime cut […]

June 25, 2009 at 10:41 am, Il firewall iraniano | FABblog said:

[…] days before and immediately after the elections: after a first analysis, another, more in-depth one followed, which I report in […]

June 26, 2009 at 12:12 am, Iran Not Blocking Online Games [World Of Warcraft] | Tech-monkey.info Blogs said:

[…] around for those in Iran trying to communicate with the world as the regime crackdown continues. A Deeper Look at The Iranian Firewall [Arbor via […]

June 26, 2009 at 12:59 am, Iran Not Blocking Online Games [World Of Warcraft]| Latest breaking News on Video Games Hardware and Software.| BadPower.com Blog said:

[…] A Deeper Look at The Iranian Firewall [Arbor via GamePolitics] […]

June 26, 2009 at 1:33 am, Iran Not Blocking Online Games [World Of Warcraft]| The Game Blog | Daily Fresh News of the Latest Games on Playstation, Xbox, Wii and PC| Coeds.cc said:

[…] A Deeper Look at The Iranian Firewall [Arbor via GamePolitics] […]

June 26, 2009 at 2:09 am, Iranian Firewall Not Blocking Online Video Game Services | UpOff.com said:

[…] to an analysis by Craig Labovitz of Security to the Core (via GamePolitics), “While the rapidly evolving Iranian firewall has blocked web, video and […]

June 26, 2009 at 2:34 am, Iranian Firewall Not Blocking Online Video Game Services « Wii Vidz said:

[…] to an analysis by Craig Labovitz of Security to the Core (via GamePolitics), “While the rapidly evolving Iranian firewall has blocked web, video and […]

June 26, 2009 at 3:01 am, www.halfoffds.com » Blog Archive » Iranian Firewall Not Blocking Online Video Game Services said:

[…] to an analysis by Craig Labovitz of Security to the Core (via GamePolitics), “While the rapidly evolving Iranian firewall has blocked web, video and […]

June 26, 2009 at 3:29 am, Iranian government blocking all online activity except gaming| The Game Blog | Daily Fresh News of the Latest Games on Playstation, Xbox, Wii and PC| Coeds.cc said:

[…] of protesters communicating via World of Warcraft to plan the next protest rally, as noted by Security to the Core and GamePolitics. Also, Ahmadinejad has not yet downloaded Prince of Persia’s Epilogue and is […]

June 26, 2009 at 12:02 am, Iran Not Blocking Online Games [World Of Warcraft] | TechDozer.Com said:

[…] A Deeper Look at The Iranian Firewall [Arbor via GamePolitics] […]

June 26, 2009 at 4:21 am, Iranian Government Overlooks Online Games in Censorship said:

[…] Arbor Networks took a look into the Iranian firewall to graph internet usage before and after the election, as well as firewall activity and what is being blocked. […]

June 26, 2009 at 4:40 am, Iranian government blocking all online activity except gaming | v1deogame.com said:

[…] of protesters communicating via World of Warcraft to plan the next protest rally, as noted by Security to the Core and GamePolitics. Also, Ahmadinejad has not yet downloaded Prince of Persia’s Epilogue and is […]

June 26, 2009 at 1:00 am, Iran Not Blocking Online Games | Kotaku Australia said:

[…] A Deeper Look at The Iranian Firewall [Arbor via GamePolitics] Tagged: iran pc world of warcraft […]

June 26, 2009 at 5:06 am, Iranian government blocking all online activity except gaming| Latest breaking News on Video Games Hardware and Software.| BadPower.com Blog said:

[…] of protesters communicating via World of Warcraft to plan the next protest rally, as noted by Security to the Core and GamePolitics. Also, Ahmadinejad has not yet downloaded Prince of Persia’s Epilogue and is […]

June 26, 2009 at 1:11 am, Iran Not Blocking Online Games [World Of Warcraft] | Amazonys - Wii Games said:

[…] A Deeper Look at The Iranian Firewall [Arbor via GamePolitics] […]

June 26, 2009 at 2:08 am, Iranian Firewall Not Blocking Online Video Game Services | Geek Land said:

[…] to an analysis by Craig Labovitz of Security to the Core (via GamePolitics), “While the rapidly evolving Iranian firewall has blocked web, video and […]

June 26, 2009 at 3:01 am, Iranian Firewall Not Blocking Online Video Game Services | VideoGames Previews said:

[…] to an analysis by Craig Labovitz of Security to the Core (via GamePolitics), “While the rapidly evolving Iranian firewall has blocked web, video and […]

June 26, 2009 at 8:47 am, Iran election and Internet traffic | Seynur - Security said:

[…] Interesting data on Internet activity right after the election. […]

June 26, 2009 at 5:24 am, » A Deeper Look at The Iranian Firewall « Quasi.dot said:

[…] » A Deeper Look at The Iranian Firewall · Security to the Core | Arbor Networks Securi… […]

June 26, 2009 at 6:31 am, Video Games Republic » Iran government blocks online activity, but not games said:

[…] [Security to the Core] Share and […]

June 26, 2009 at 1:45 pm, Iranian Firewall Not Blocking Online Video Game Services | Today's Top News said:

[…] to an analysis by Craig Labovitz of Security to the Core (via GamePolitics), “While the rapidly evolving Iranian firewall has blocked web, video and […]

June 26, 2009 at 5:33 pm, Irán no bloquea el tráfico de juegos online. . . por el momento | Elven Force Team said:

[…] ArboR Share and enjoy: […]

June 27, 2009 at 10:46 am, Iran: il governo censura internet ma si dimentica dei videogiochi online - Noantri said:

[…] But an opening has been left to the students and protesters: video games. According to Security To The Core, a blog specializing in network security, multiplayer games have not suffered the same […]

June 28, 2009 at 9:04 am, spam « Alternate Seat of TYR said:

[…] 28, 2009 in Internet, Iran, action, censorship, hacker Arbor Networks has a great post with data on Iranian Internet censorship. As well as the deliberate transit […]

June 28, 2009 at 9:27 pm, Noli Irritare Leones » Blog Archive » The weekend’s Iran Tweets: where to find demonstration footage, cyber warfare, and the fate of one Iranian blogger said:

[…] up on all this stuff later). Others interested in the technical side of things are referred to A Deeper Look at The Iranian Firewall (via Bruce […]

June 29, 2009 at 10:20 am, Verdecchia Blog » Blog Archive » Un’occhiata al firewall dell’Iran said:

[…] /blog/asert/2009/06/a-deeper-look-at-the-iranian-firewall/ […]

June 29, 2009 at 10:02 am, National Traffic Engineering « CIP VIGILANCE said:

[…] – Iranian Traffic Engineering – A Deeper Look at The Iranian Firewall […]

July 02, 2009 at 5:59 am, SMS Iran, supporto ai manifestanti | Consulente web (m4ss.net) said:

[…] these last few days we have learned that SMS has been blocked in Iran. In fact, after the censorship and blocks applied to the various Internet services, the protesters continued to send information via Twitter also through the […]

July 02, 2009 at 9:49 am, Twitter revolution in Iran | Consulente web (m4ss.net) said:

[…] right away Iranians found themselves facing a massive censorship operation against a large part of Internet services. Sites such as Facebook and YouTube were the first to be blocked. Twitter, on the other hand, enjoyed the […]

July 08, 2009 at 9:54 am, Threats versus capabilities « Equilibrium Networks said:

[…] In general, DoD offers a weak form of extended deterrence to US and even international network operators: for example, it’s not impossible to imagine the US positioning some forces in the Russian near abroad on behalf of NATO in response to a more dramatic reprise of the 2004 Estonian cyberattacks. If a state didn’t keep its citizens or proxies from waging large-scale cyberattacks on another state, that tacit or explicit sanction might be enough to justify conflict escalation. And the states who might provide that sanction are usually also states that have authoritarian governments capable of shutting down private access to networks in order to avoid conflict escalation. The actions of the Iranian government in June 2009 clearly illustrate this point. […]

July 09, 2009 at 12:20 am, Help protesters in Iran remain anonymous online and circumvent internet censorship systems. « Grievance Project said:

[…] of Iran attempting to block the use of Tor. However, Iran has recntly [sic] been practicing reactive and centralized blocking, which makes any effective block of Tor far more likely.) The Tor bridge configuration differs from […]

August 21, 2009 at 4:34 am, Networks « linknews said:

[…] arbornet – looking at firewalls and statistics during the election […]

September 10, 2009 at 5:52 pm, jms said:

I have some questions regarding Iran’s internet traffic that I don’t feel comfortable posting publicly. If you are willing to help, please contact me. Thank you so much.

May 14, 2010 at 2:31 pm, Thai Video Censorship Widening As Shots Are Fired said:

[…] fact, research from Arbor Networks shows that video traffic to and from Iran almost came to a complete standstill right after the election. […]

May 25, 2010 at 8:18 am, More Web video censorship-New TeeVee « FACT – Freedom Against Censorship Thailand said:

[…] fact, research from Arbor Networks shows that video traffic to and from Iran almost came to a complete standstill right after the election. […]

November 03, 2010 at 12:46 am, La censure « Fadi El Matni's Blog said:

[…] of A Deeper Look at The Iranian Firewall by Craig […]

March 07, 2011 at 11:55 am, Duimschroef » Blog Archive » Iraniërs mogen nog wel World of Warcraften said:

[…] that monitor all of the country’s Internet traffic. Several network engineers produced a good technical analysis of what exactly Iran is keeping an eye on: web traffic, Twitter and more things of that kind. But […]
