Investigation on Blocking of Reality in IRAN - Test Results #3269
Replies: 87 comments 3 replies
-
Nice job |
Beta Was this translation helpful? Give feedback.
-
👍 |
Beta Was this translation helpful? Give feedback.
-
The problem is that we couldn't know if that's correct! Did you have that IP address you stated Before we buy a VPS IP address, maybe someone had Shadowsocks set up on the server! That would just put that IP address on the graylist.(or any other ancient and not safe proxies.) And this is not solely just on Reality. if you set up a simple TLS proxy like vless-tcp-tls with flow=vision, it will be blocked if your IP address is on the graylist. IRGFW has zoomed on TLS proxies now. all kinds of them. AND have a very large list of IP addresses (Gray List). For example, we had many IP addresses that didn't have any traffic for 3 months on them but got blocked last week! and by traffic I mean the VPS server had no xray-core or panel or any VPN services... By the way, the CPU usage report: It's interesting and others reported this! they are probably or likely Active-probes as we are investigating it. Did you check what was using the CPU? or strange IP addresses with many requests to the server? |
Beta Was this translation helpful? Give feedback.
-
I think they are targeting the tls in tls features of the proxy flow (according to this paper) In the paper mentioned above if the GFW allows for more false positives they could detect more xtls-vision traffic and my theory is that IPs from hetzner are set to have a very high false positives and servers from GCP or azure are set to have very low false positives. So hetzner proxies are more likely to be detected and blocked rather than GCP or azure. |
Beta Was this translation helpful? Give feedback.
-
In fact, it is easy to easily block all connections of reality. Reality manifests as port forwarding (a relatively common service) to the outside. As long as GFW is willing to block all port forwarding, no reality connection can survive |
Beta Was this translation helpful? Give feedback.
-
Hi @Phoenix-999 and @irgfw, Your report and findings fascinating to us. We'd be happy to help with this concerning situation. We are a group of researchers that have experiences on revealing the censorship mechanisms, such as real-time traffic analysis and active probing by the GFW of China, in the past few years. If you think it's a good idea, we'd be happy to help investigate this situation, together with Xray developers and other anti-censorship researchers. We'd like to establish a more private communication channel to exchange information, but we couldn't find your email addresses. Can you drop us an email? Our email address can be found on our Github profile page. We can still use this thread for public communication for transparency and to let more people aware of the situation in Iran and our latest progress. |
Beta Was this translation helpful? Give feedback.
-
Hi @irgfw , we agreed with you that we could not conclude that both servers have "clean" IP addresses without holding the IP addresses for a long long time; and there may be one thing to test: Our understanding is that while @Phoenix-999's high-traffic volume server has been blocked, the low traffic-volumne server has not. @Phoenix-999 can now assign the low-traffic volume servers to more people to use. And if this server that hasn't been blocked for a while suddenly got blocked after getting high traffic volume, it shows evidence that traffic volume may indeed affect censors' blocking decisions. We'd be happy to discuss more in detail and even help setup more controlled experiments. |
Beta Was this translation helpful? Give feedback.
-
But how do you detect port forwarding? One server forwarding (reverse proxying) another would look exactly like the original with no way for a third party to tell, or am I missing something? |
Beta Was this translation helpful? Give feedback.
-
It's very easy |
Beta Was this translation helpful? Give feedback.
-
Reality on MCI is getting blocked on a large scale (having tested more than 10 reality servers with different configurations and SNIs) so GFW is advanced enough to block the Reality at least.
www.speedtest.net is a website and anyone wanting to use it has to connect to cloudflare IPs outside of Iran, it doesn't matter if you test your speed with a server in Iran because you first connect to www.speedtest.net to get the server information and then connect to a different server with a different domain (most likely ending in ooklaserver.net) to test the speed. |
Beta Was this translation helpful? Give feedback.
-
I used different SNIs (nixos.org, www.speedtest.net, my own domain etc..) all got blocked on MCI network |
Beta Was this translation helpful? Give feedback.
-
me too ! |
Beta Was this translation helpful? Give feedback.
-
I used www.speedtest.net only for the server with www.speedtest.net SNI and used other servers with other dests relating to their respective SNIs. I have not used www.speedtest.net as an SNI or dest for other servers. |
Beta Was this translation helpful? Give feedback.
-
Hi @gfw-report. great to hear from you. We are actively investigating new Iran's firewall behavior, especially in one of the operators named MCI (mci.ir) Hope we hear from you soon... |
Beta Was this translation helpful? Give feedback.
-
Please do ask questions on this thread for configuration, etc Guys do not zoom in to just X-Ray or Reality! The targeted zone by MCI is not realty, it is any kind of SSL-VPN including
which they have two key features in common
Here are what we know so far (TESTED)
how a server is detected (best guess)
Clients (TESTED - Android)affected area (TESTED)Those provinces protected more
The Kurdistan MIC Phone numbers start with 0918--* and Ardabil starts with 0914-- . At the moment of this witting 0918- cannot access a server that is blocked while 0914 can access . So the issue/throttle differs from City to City. |
Beta Was this translation helpful? Give feedback.
-
@RPRX Good. That "may" help for this situation in Iran. as any combination of VLESS/VMESS/Trojan is blocked within 4 hours or 4 days or 2 weeks in Iran. There is something in these combinations that they could "possibly" fingerprint or DPI the packets of them. |
Beta Was this translation helpful? Give feedback.
-
Yes. we can confirm this. many normal websites are blocked without any reason we tested this (downloading and refreshing from a normal webserver) and they were blocked after 4 days of constant traffic and downloading. (the VPSs were located at Hetzner/Linode/DigitalOcean/Vultr)
Correct. |
Beta Was this translation helpful? Give feedback.
-
我有个邮箱, |
Beta Was this translation helpful? Give feedback.
-
I had a rather interesting observation lately that I would like to share. I had a trojan and TUIC config running with a tunneled configuration and it has been running on the same IP for almost 9 10 months now. |
Beta Was this translation helpful? Give feedback.
-
Thanks for your information. It certainly will help. For everyone who has some test results and technical information about Iran's GFW, please email me at [email protected] |
Beta Was this translation helpful? Give feedback.
-
Hi, Don't you think that identifying the IP address where X-Ray is running or which is the actual public server (www.microsoft.com and etc) - can be easily determined by reverse IP address resolving? That is, the GFW monitors TLS traffic. It checks first of all addresses with high traffic volume, and then does rozolving (PTR record, in Linux you can use
Here we can see the pattern that for IP addresses of real microsoft.com at least there is a pattern - SOA record has email ( So, if your VPS responds only to port 443, pretending to be a public server www.microsoft.com, then if somebody set a simple task for GFW - find out if this IP really belongs to a pool of Microsoft servers, it will be easy to do it by reverse resolving, just by analyzing SOA and PTR records for the IP or reverse zone of the address block. To this method you can also add a whois query to the same address block. UPDATE: example about www.speedtest.net:
Here I got real IP addresses of SpeedTest. Let's see resolved IP addresses:
Same pattern here: although IP addresses are not resolved back to any domain names, the reverse zones themselves have a SOA that clearly has a pattern: email & primary DNS from the
It says which immediate upper zone is responsible for return addresses. Let's find the authoritative DNS for this zone:
Now let's imagine that, for example, the address 8.8.8.8 (I took the public Google DNS example just as an example - you can use your own IP) is pretending to be a www.speedtest.net server, and GFW has a simple task - can the IP address 8.8.8.8 be a www.speedtest.net address (let's hypothetically imagine that Google has prescribed SOA or PTR records for 8.8.8.8 that also point to the cloudflare.com server to be similar to it as much as possible). A simple query to cloudlfare DNS on behalf of GFW will get a response:
Now compare that to requesting an IP address from his responsibility:
Conclusion: no matter how X-Ray server pretends to be any server via SNI, there is a simple way to check its IP address via reverse resolving, and if it is not there - then through analyzing SOA records and queries to DNS responsible for the reverse zone. If you look at the first post - it may very well be that the increased traffic triggers a check that was performed in a similar manner. This is just as an idea. |
Beta Was this translation helpful? Give feedback.
-
Guys |
Beta Was this translation helpful? Give feedback.
-
@neo2enigma Yes. |
Beta Was this translation helpful? Give feedback.
-
@Perlover Test 0 Test 1 wisdom-mahsa Test 2 zolan-mahsa
Test 3 starandstripe configs In order, doc, cli, fiber, search. IP is banned by irancell now, and I wonder why it does not sync with the other operators. Test 4 my personal |
Beta Was this translation helpful? Give feedback.
-
look at this article https://irgfw.report/projects/project1/ |
Beta Was this translation helpful? Give feedback.
-
If anyone is interested, we can discuss it here:net4people/bbs#441 |
Beta Was this translation helpful? Give feedback.
-
Before delving into the issue concerning the reality protocol, I would like to make a couple of notes.
• As we are aware, the Great Firewall (GFW) employs various techniques to detect and block proxy servers. This discussion specifically addresses recent events involving the blocking of the reality protocol in Iran, primarily by MCI ISP.
• The information provided below is our speculation and arises from several users experiencing similar test results, raising suspicions about GFW's techniques and methods for identifying the reality protocol.
• Additionally, this issue is a continuation of the previous conversation regarding the blocking of reality. If you are new to this topic, I recommend reading the previous issues, which can be found at the following links:
Link 1
Link 2
Link 3
Link 4
Now, let’s delve into the matter.
Over the last five months, most Iranian users have encountered challenging situations, given that the reality protocol was the only one functioning seamlessly in Iran. Most other protocols were easily detected by the Great Firewall (GFW). It's a challenging task but still a viable choice.
Now, in the last 10 to 15 days, we are experiencing new waves of blocking Reality, which seem a bit different and more aggressive compared to the blocking waves of the past couple of months. We recently observed something that has been discussed before and rejected by many. Still, we believe that GFW, operating under MCI command, might have found a way to block reality by analyzing heavy traffic. We are not 100% sure, but our test results strongly suggest that these new waves of blocking are due to traffic monitoring by GFW. This is how we think GFW might find reality.
Test Conducted:
• We created two fresh VPS servers, correctly set up with all security measures in place.
• Both servers had clean IP addresses in the same range, and SSH was done through VPN proxy to provide extra security.
• In both servers, the reality protocol was created using the same port (443) and the same whitelisted SNI.
•The only difference was that VPS number one was shared with only 5 to 7 people with low to medium traffic, while VPS number 2 was shared by more than 200 people, and heavy traffic was directed to it in a short period.
After about 2 hours, VPS number 2 was suddenly disconnected, and the CPU usage spiked to 100%, causing the server to temporarily disconnect. It then returned to normal percentage, but the IP was subsequently blocked by GFW.
The screenshot below illustrates exactly what we experienced while using the reality protocol with heavy traffic. Of course, we considered the possibility of it being accidental, so we tried it multiple times with different users, and the same thing happened consistently.
Although VPS number one survived for about two days, after reaching a certain traffic point, we realized it was also blocked by GFW. Additionally, we had VPS number 03, which we subjected to very low traffic with one to two users. After a week, it was still running and had avoided detection by GFW.
It's essential to mention that we took careful measures to implement security, blocking all domestic IPs and domains on the servers and bypassing them through VPN client applications. We used IP protection, random DNS switching, fragmentation, and many other techniques in our X-ray configuration to see if we could escape detection. However, every time the traffic reached a certain point within a specific period, GFW detected and blocked it.
After IPs are blocked by GFW, we can still conduct the SSH connection, as evidenced in the screenshots below. Additionally, even after MCI blocks reality, Shatel ISP follows suit; however, reality continues to function in some other ISPs. Once again, the above is our speculation, based on the same test results conducted by different users in various regions of the country.
While not certain, we offer some suggestions that might help reality withstand the GFW's new measures. Please forgive us in advance, as we might not be as technically proficient as many of the great people here. Consider utilizing advanced obfuscation techniques such as:
⚪ Decoy Traffic Ratio
⚪ Dummy Traffic Ratio
⚪ Traffic Padding
⚪ Adaptive Behavior
⚪ Dynamic Switching
⚪ Dynamic Switching Interval
⚪ Fingerprint Spoofing
We would be immensely grateful for any help, guidance, and suggestions from any of you.
🇮🇷 To all my fellow Iranians, we would greatly appreciate it if anyone could conduct the same test and share their results with us here for more clarity
@RPRX, we are eagerly and patiently awaiting your thoughts on this matter.
Beta Was this translation helpful? Give feedback.
All reactions