Download PDF
Accessibility
Text Size
100%

Network Monitor: Iran Attacks Circumvention Tools, Encryption and Hijacked DNS in Favor of Children’s Internet

In June, authorities set their sights on sabotaging internationally provided circumvention tools while starting  to introduce their own government sanctioned VPNs and internet censorship measures for children. In this context, Iranians experienced less intense, more sporadic, and shorter internet disruptions than they did in May.

Circumvention Tools Disruptions

Starting in mid-June, the Filterwatch team observed disruptions targeting circumvention tools. Specifically, from June 16-25, the Telecommunication Infrastructure Company (TIC) aggressively targeted the encryption protocols used by circumvention tools such as Psiphon and Google Outline.

Screenshot of Psiphon Post on Twitter That Announced Disruptions on Its Traffic and Secure Protocols
Screenshot of Psiphon Post on Twitter That Announced Disruptions on Its Traffic and Secure Protocols

On June 29, the head of the Information and Public Relations Center of the Information and Communications Technology (ICT) Ministry announced that their intention was not to disrupt internet access but to prevent the “illegal sale of VPNs.”

“We’ve observed a significant portion of the protests [against internet disruption]. A group of companies that sell illegal VPNs believe that the internet has been intentionally disrupted. We are not required to cover illegal group work and let them do illegal work,” said Mehdi Salem, head of the Information and Public Relations Center of the ICT ministry in a June 29 interview.

Curiously, these disruptions come as the government tries to launch a legal VPN project. For years, authorities have been promising to roll out state-sanctioned VPNs that could enable “qualified individuals” access to otherwise blocked content. These VPNs would basically give different users varying levels of access to online content based on factors such as their  profession, gender, and age. Moreover, these VPNs are very likely to bolster the state’s information control and surveillance capabilities.

Authorities could be disrupting circumvention tools in a bid to promote legal VPNs. It is unclear, however, if the aim was to deliberately target the encryption protocols of these circumvention tools or if authorities are cracking down on encryption protocols more broadly and targeting multiple platforms.For example, the recent disruptions impacted Whatsapp, making it temporarily inaccessible in Iran.

Screenshot of Whatsapp error message that shows disruptions.
Screenshot of Whatsapp error message that shows disruptions

Disruption on Encrypted Internet Traffic

At the same time Iranian authorities are preparing to roll out the legal VPN project, they are also getting set to introduce an internet for children. The plan, introduced by a resolution of the Supreme Council of Cyberspace (SCC), aims to create SIM cards that provide curated access to content based on age and gender.

“Creating a restricted, safe, healthy and useful dedicated network for children and teenagers and increasing the traffic of useful content, specific to the age groups of children and teenagers, to fifteen percent of the traffic of the whole country.” -Article 2-2-3-6 of The Master Plan And Architecture Of The National Information Network.

In May, Filterwatch had access to a sample of children’s internet on MCI network, one of Iran’s largest mobile operators. In this sample, if you try to go to google.com, you would automatically be redirected to https://boomino.ir which is a platform full of local services, including a search engine, developed by MCI.

This example provides us with  an alternate explanation on why Iran is trying to disturb encrypted internet traffic, such as those traveling through Pisphone and Google Outline. In order to implement a scenario like redirecting google.com authorities need to interfere with encrypted internet traffic. In other words, a request made to a website with a SSL/TLS  certificate, which proves an encrypted connection and makes traffic encrypted cannot, as a technical matter, be redirected unless the encryption is interfered with. As long as encryption is working, you cannot redirect from https://google.com to https://boomino.ir.

It is, however, not clear to FilterWatch whether the end goal has been to attack circumvention tools or encrypted communication more broadly. A source under condition of anonymity has told FilterWatch that the long-term plan in Iran is to redirect all Google requests to something similar to https://boomino.ir.

DNS Hijacking

As Filterwatch was writing this June Network Monitor, we predicted that in the coming days and months, as Iran approaches the launch of the children’s internet, we will see more disruptions on encryption protocols and probably DNS.

On July 12, as we were finalizing this report, Iran’s Telecommunication Infrastructure Company (TIC) started to implement DNS hijacking to force Iranian users to use Google SafeSearch instead of the regular Google search engine. Google SafeSearch is a feature designed, in part, for children that excludes explicit content from search results. SafeSearch was on for almost the entire internet users base in Iran with the exception of users of the Rightel service provider. It’s not clear why Rightel is an exception.

Screenshot of a from a user who was forces to use https://www.google.com/safesearch instead of Https://google.com
Screenshot of a from a user who was forces to use httpswwwgooglecomsafesearch instead of httpsgooglecom

Network Outages

After at least 26 days of nationwide throttling and mobile data shutdowns across Iran in May, during the month of June Iranians experienced less intense, sporadic, and short-term internet disruptions as street protests died down.

The bulk of internet disruptions impacted Kerman, Ardabil, Qazvin, Fars, and Zanjan provinces. Users in Kerman, Ardabil, Fars, and Zanjan provinces faced prolonged outages lasting several days as the graphs below demonstrate. Qazvin users experienced several short-term outages in the middle of June. No outages were reported for Chahar Mahall and Bakhtiari, Lorestan, Kermanshah, or Markazi provinces.

Outages in the Kerman province that began in late June are ongoing, leaving Iranians cut-off from the global internet since the end of June; users of certain internet service providers have similarly been cut off from the global internet for much of June. In one case, the Internet Service Provider Dadehgostar experienced an outage which impacted their network of users since June 3rd.

Regional Disruptions

NOTE:  In some cases the available data allows FilterWatch to determine if the disruption is a type of shutdown of access or throttling (i.e., a dramatic slowing of connection speeds). In other cases we can just observe a disruption or outage of some kind without more specificity. Overall we  still existing tools are not able to always accurately identify and fully examine the nature and scale of disruptions to Iran’s domestic internet connection. 

Timeline of internet shutdowns, throttling, and disruptions based on regions and cites.

  • June 1: A brief outage occurred in the provinces of Ardabil, West Azerbaijan, and Kurdistan.
West Azarbaijan
West Azarbaijan

  • June 4: A brief outage occurred in Fars province.
Fars
Fars
  • June 4- 10: An outage occurred in Ardabil, lasting the entirety of this time frame.
  • June 5: A brief outage occurred in the provinces of North Khorasan, Yazd, Hormozgan,  Bushehr, Kohgiluyeh and Boyer-Ahmad, and Ilam.
Bushehr
Bushehr
  • June 6: A brief outage occurred in the provinces of North Khorasan, Yazd, Golestan,  Hormozgan, Bushehr, Kohgiluyeh and Boyer-Ahmad, andIlam.
Golestan
Golestan
  • June 7: A brief outage occurred in the provinces of Zanjan, Razavi Khorasan, Qom, and West Azerbaijan. A prolonged outage occurred in Fars and Kurdistan provinces.
  • June 7-8: A prolonged outage occurred in Khuzestan province.
Razavi Khorasan
Razavi Khorasan
Zanjan
Zanjan
  • June 8: A brief outage occurred in the provinces of Zanjan, Razavi Khorasan, Fars, Qom, West Azerbaijan, Semnan, Khuzestan, Kurdistan provinces.
Khuzestan
Khuzestan
  • June 8: A brief outage occurred in Zanjan, Razavi Korasan, Semnan, Fars, Khuzestan, Qom, West Azerbaijan, Kordestan provinces.
Qom
Qom
  • June 9: Brief Internet outage in Kerman, Bushehr and Hamadan provinces.
Hamadan
Hamadan

  • June 10: A brief outage occurred in the province of Kohgiluyeh & Buyer Ahmad. A brief outage occurred in West Azerbaijan. A brief outage occurred in Kordestan.
Kohgiluyeh and Boyer-Ahmad province
Kohgiluyeh and Boyer Ahmad province
  • June 9-June 10: A brief outage occurred in East Azerbaijan, lasting from late night June 9th to early morning June 10th.

  • June 11: Two brief outages occurred in Ardabil and Ilam provinces.
Ilam
Ilam
  • June 11-14: A prolonged outage occurred in Fars province.
  • June 12-14: A prolonged outage occurred in Kohgiluyeh & Buyer Ahmad province.
  • June 13-June 20: An outage in Zanjan province occurred, lasting for the entirety of this timeframe.
  • June 14: A brief outage occurred in Qom and Kordestan provinces.
Kordestan
Kordestan
  • June 15: A brief outage occurred in Qazvin, Fars, Khuzestan, Hamadan, Mazandaran, East Azerbaijan provinces.

  • June 16:  A brief outage occurred in Qazvin and Mazandaran provinces.
Mazandaran
Mazandaran
  • June 18: A brief outage occurred in Fars, Qom, Kordestan provinces.
  • June 19: A brief outage occurred in South Khorasan, Fars, Hormozgan and Tehran provinces.
Hormozgan
Hormozgan
  • June 19-23: Internet outage in Kerman lasting from the morning of Sunday, June 9th until the evening of Thursday, June 23
  • June 20: A brief outage occurred in Qazvin, Ardabil, North Khorasan, Sistan & Baluchestan, Golestan and Esfahan provinces.
Esfahan
Esfahan
North Khorasan
North Khorasan
  • June 21: An outage occurred in Qazvin, Fars, Bushehr, Kohgiluyeh & Buyer Ahmad, Ilam, Tehran and Mazandaran provinces.
Tehran
Tehran
  • June 21-23: A prolonged outage occurred in Fars and Kohgiluyeh & Buyer Ahmad provinces.
  • June 22: A brief outage occurred in Golestan province.
  • June 23: A brief outage occurred in Esfahan, Khuzestan and Gilan provinces.
  • June 24-26: Brief, sporadic outages in Kerman experiences each day during this timeframe
  • June 26: Two brief outages occurred in Yazd, Hormozgan and Bushehr provinces.
Yazd
Yazd
  • June 27: A brief outage occurred in Kordestan province.
  • June 28-June 30: Ongoing outage in Kerman province.
  • June 30: A brief outage occurred in Fars and Kordestan provinces.

Provider Outages

  • AS44208 of Farahoosh Dena PLC which is a Shiraz-based internet provider. This outage affected users in the provinces of Tehran, Kohkeluye Boyer-Ahmad, Fars, and Bushehr.

  • AS197343 of Toloe Rayaneh Loghman Educational and Cultural Co. which is an educational center. This outage affected users in Tehran and Khuzestan provinces.

  • AS59441 of Hostiran Network which is a hosting company. This outage affected users in  Fars, Bushehr, and Tehran provinces.

  • AS31549 of Aria Shatel Company Ltd which is a telecommunication company. This outage affected users in Fars, Tehran, Semnan, and Razavi Khorasan provinces.

  • AS44400 of Ertebatat Sabet Parsian Co. PJS which is a private sector consortium consisting of a total of 140 shareholders, who are among the leading individuals and companies providing communication and telecommunication services nationwide. This outage affected users in the provinces of Fars, Khuzestan, Ilam, Esfahan, and Tehran.

  • AS50530 of Shabdiz Telecom Network PJSC which is an internet provider and according to their website, Shabdiz Telecom has more than 60,000 users. This outage affected users in Alborz and Tehran provinces.

  • AS57218 of RighTel which is the third biggest mobile network in Iran. This outage affected users in Tehran province.

  • AS51469 of Petiak System Co JSC which is a local internet service provider company in Tehran. This outage affected users in Tehran province.

  • AS39308 of ANDISHE SABZ KHAZAR CO which is a local ISP in the city of Rasht. This outage affected users in East Azerbaijan province.

author avatar
Amir Rashidi
Filterwatch
Tags
Text Size
100%