A sneak peek into Iran’s blocking of Global Voices

Frederic Jacobs
Apr 8, 2015

This article is a technical note to an article posted on Global Voices Advocacy.

The Global Voices website has recently been blocked in Iran. The goal of this blog post is to document the process of understanding internet censorship events. Here’s what we know so far.

Is it DNS-based blocking?

A very common way of blocking websites has been to spoof DNS entries so that they return the address of a block page or simply an incorrect IP address. This technique has been used in a broad range of countries, from blocking The Pirate Bay in Belgium to blocking Twitter and Facebook in Turkey. However, multiple measurements using the RIPE Atlas network show that Iranian DNS servers are consistently returning the correct IP address for the Global Voices website.

globalvoicesonline.org has address
globalvoicesonline.org mail is handled by 10 mail.globalvoicesonline.org.

Is it IP-based blocking?

We know that it’s not DNS-based blocking, so what else could it be? IP-based blocking has been a fairly common way to prevent connections to a specific website that has static IP addresses and doesn’t own wide IP ranges.

There are multiple techniques that show that the Global Voices IP address is not blocked. One example of this is that the Global Voices website is still accessible over HTTPS in Iran, but the HTTP version is showing a block page.

Screenshot by Mahsa Alimardani

In addition, after performing a full port scan, we were able to open Telnet and SSH connections to the server. So the block does appear to affect only HTTP traffic on port 80.

Is it IP/Port-based blocking?

So we know that there is some way of reaching the Global Voices server from Iran, but it seems that it’s not possible to browse http://www.globalvoicesonline.org from our web browser. Maybe they block the combination of IP address and port number? That’s what any other firewall allows us to configure, so it’s something to consider. We were however able to determine that this is not the case. Indeed, we are perfectly able to make an HTTP request on port 80 to the Global Voices server! What’s the trick? We have to remove the HTTP header “Host: www.globalvoicesonline.org”! Then the request suddenly goes through without trouble.

On the left, this is the simplified equivalent of the HTTP connection that would be done in your web browser if you were to visit www.globalvoicesonline.org. This returns an iframe (embedded version) of the block page.

On the right, the same request, but with the “Host” header dropped. That header is what determines that the website being visited is globalvoicesonline.org. If you notice that the Global Voices website says “server error”, it’s because it expects the “Host” header to be defined. Since they have multiple sub-domains (including https://advocacy.globalvoicesonline.org), the server needs to know which sub-domain was requested.

Just as a sanity check, let’s verify that any other “Host” value works and that merely specifying the header wasn’t causing the issue.

Indeed, it seems we can add anything as the value of the “Host” field and it seems to work!

But what if we change the “Host” header field to a website known to be blocked like Facebook?

Interestingly, the request is returning the iframe of the block page! That’s a pretty interesting result. If you want to build a list of websites blocked in Iran, you don’t even have to bother resolving their domain using the DNS, you can just always test the same IP address with different “Host” fields.
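The test described above, written out as an added example (not code from the original article): the same address is contacted every time and only the “Host” value changes. The filter list, the `blockpage.invalid` URL and the loopback simulation of filter plus origin server are constructed for illustration, and recognising the block page by its iframe is an assumption taken from the article's description.

```python
import socket, threading

FILTERED = {"www.globalvoicesonline.org", "www.facebook.com"}  # constructed filter list

def build_request(host=None):
    """Raw GET request; host=None leaves the Host header out entirely."""
    lines = ["GET / HTTP/1.1"] + ([f"Host: {host}"] if host is not None else [])
    return "\r\n".join(lines + ["Connection: close", "", ""]).encode("ascii")

def probe(addr, host):
    """Send one request to a fixed (ip, port) and classify the reply."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(build_request(host))
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    body = reply.partition(b"\r\n\r\n")[2]
    # Assumption: the block response is recognisable by its iframe, as in the article.
    return "blocked" if b"<iframe" in body.lower() else "passed"

def survey(addr, hosts):
    """Same address every time; only the Host value changes."""
    return {h: probe(addr, h) for h in hosts}

def _handle(conn):
    """Constructed stand-in for filter plus origin server, deciding on Host only."""
    with conn:
        req = b""
        while b"\r\n\r\n" not in req and (chunk := conn.recv(4096)):
            req += chunk
        host = None
        for line in req.decode("ascii", "replace").split("\r\n")[1:]:
            if line.lower().startswith("host:"):
                host = line.split(":", 1)[1].strip().lower()
        body = ('<iframe src="http://blockpage.invalid/"></iframe>' if host in FILTERED
                else "server error" if host is None else "origin content")
        conn.sendall(f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n{body}".encode())

def start_simulation():
    """Listen on a loopback port and return its (ip, port)."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            _handle(srv.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    print(survey(start_simulation(), [None, "example.invalid", "www.facebook.com"]))
```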

Is it Deep Packet Inspection?

Deep packet inspection (often abbreviated DPI) is one of those cyber buzzwords that I hate. But if deep packet inspection means that they are actually filtering internet traffic based on packet content, this is indeed the case. We know that Iran purchased equipment (including US BlueCoat devices) that makes this kind of filtering possible at the entire country’s scale. The fact that they filter based on the “Host” HTTP header explains why the website was still accessible over HTTPS where the headers are encrypted.

Don’t underestimate Iran internet censorship

This kind of censorship stays really simple and easy to circumvent. Iran has however been deploying more advanced rules to block OpenVPN, Tor and other circumvention software. It’s a matter of economics, really. They probably won’t put more resources into blocking a specific website unless a lot of people start using circumvention techniques to access it.

If you have the privilege to live in a country where Global Voices isn’t blocked, visit their website; there are tons of interesting articles over there. If you live in Iran, I would strongly recommend using Tor with ScrambleSuit; you can learn more about that on https://bridges.torproject.org.

Stay tuned about Internet Censorship in Iran on Advox

If you have any additional information about this block, feel free to reach out to me on Twitter or by email.
