Large scale blocking of Reality and (relayed) WS + TLS protocols in Iran (MCCI; AS43358) #277
Comments
I am not sure if it still applies, but I managed with this scheme last week:
also, plain tcp+vmess continues to work for as long as you can afford to switch IP regularly. i want to try ipv6-only proxies next |
|
MCI is blocking REALITY servers in Iran #2451 Just wanted to shed some more light on this situation. No big traffic spikes here, just a handful of small video files being sent back and forth for a legit speed test. And to keep things interesting, I've got the VPN running on a couple of devices as well. Rest assured, all the devices are locked down tight. Our client apps and software are up-to-date and set up perfectly. Out of the three VPS instances, one got the Blocked within just 4 hours, while the other two managed to hold on for about a day before they were also blocked. The second and third VPS instances started acting up with erratic and unusually high ping, causing a significant slowdown in speed. After a few hours of this instability, they eventually ended up completely blocked. It's starting to look like a potential DDoS attack on the servers. I hope the information above sheds some light on the subject. |
|
Problems:
Solutions and Suggestions:
|
Regarding the solutions and suggestions:
However, One possible solution could be choosing an SNI that's hosted on your VPS provider. So if you have a VPS from Google Cloud, you must choose an SNI from the whitelisted websites hosted on GCP. (e.g., |
|
Just an Update These serverless methods continue to function with MCI. |
If they were arbitrarily limiting the speed to IPs that see high-traffic, it should have severely impacted non-VPN servers (i.e., normal websites) too. My observation (and inspection with Netreach) shows that normal websites are almost unaffected by MCCI. |
|
Update - Thu 17 Aug - 13:50 Multiple reports from various locations across Iran indicate a common issue: encountering notable throttling, severe disruption, and substantial fluctuations on different ISPs. This scenario strongly suggests the possibility of a coordinated attack, potentially orchestrated by MCI. We speculate that the recent events and peculiar behavior exhibited by ISPs in Iran could be indicative of some form of preparation or demonstration of power, potentially in anticipation of the upcoming commemoration of Mahsa Amini and other brave individuals who tragically killed and murdered during last year's uprising against the dictatorial regime. As a wise man once said: "We can never forget that no matter how much it hurts, how dark it gets, or how far we fall, we are never out of the fight." ✌🏾 |
|
Recent reports have surfaced, indicating that specific individuals have received warning messages from domestic VPS providers. These notifications inform them that their VPS IP addresses have been blocked due to the detection of VPN or proxy services on their servers. Additionally, they are advised not to generate any traffic for the next 72 hours. Here some an example of warning messages
Has anyone else encountered the same problem? |
I'm working to establish a connection between these incidents and coincidences to ascertain whether they are linked to the coordinated attack by MCI. This is prompted by the fact that numerous individuals have reported receiving the same kind of messages over the last 2 to 3 days. OR it's a valid point that we might be experiencing heightened paranoia and caution as a result of the simultaneous occurrence of multiple events!!! |
I would like to see this test behind cloudflare CDN. in order for this censorship method to be effective with cloudflare, one would have to implement bandwidth limits both per destination IP and SNI. or is cloudflare currently just collateral damage? asked another way: is bandwidth limiting done individually per-IP and per-SNI, or per tuple of same question about the whitelist. do we think the whitelist is about IPs, SNI or the combination of both |
I believe this has stopped working on exactly interesting: a proxy of mine where the outbound bandwidth is throttled to 7 MiB/s (intentionally, to control cost) in total continues to work fine at the same bandwidth usage. I think this corroborates @hawshemi's statements |
This is super interesting. However there are still some questions:
|
It could fit if the bandwidth throttling happens on a tuple/combination of |
I won't rule this out, but it's highly unlikely imo. I've been experimenting with reality, with around 10 clients over a few weeks. Around the same time that there were power outages in Tehran, I noticed the IP of the server was suddenly blocked across all providers. I switched a few of them to a new server, and that IP was also blocked within a few hours. I migrated one user to another server on a very little-known VPS provider and that was blocked after about 2 hours. The user didn't even pull over 800KB/s, and didn't transfer more than a few hundred MB in that time window. I didn't change the keys or SNI during that 24 hour window of all these events. There are a few possible methods of filtering that I can think of with this, but I'm not sure yet. Could it be that they are monitoring all SNIs that seem to have a high amount of traffic, collecting the destination IPs, then batch resolving those SNIs to find real IPs, then blocking the non-real ones? The fact that blocking or throttling doesn't happen immediately tells me there's a window where data is collected, and batch operations or waves of blocking/throttling occurs. When throttling is happening, it's likely they observe connection counts for the IP+SNI tuple, then take that IP and throw it in a general block/throttle list. It's very unlikely to be actively done in realtime, as that kind of detection would be CPU expensive. Keep in mind that this new mechanism that's being observed applies simultaneously on all downstream civilian internet providers. Which means that the system was either deployed and enabled at all operator exchanges or datacenters at the same time, or that the new system is operating at a higher aggregation point in the national network. I personally haven't seen it like this before, except for the basic things like the DNS manipulation system. An idea that may both prevent the IP+SNI tuple from being detected in the first place, and also to put a lot of load on the filtering systems, is to perhaps fragment the TLS header of REALITY??? Because a filtering system would have to actively store a 4tuple (src+dest IP+port) and wait a really long time before it can build the full SNI in memory. The filtering system would have to forget the 4tuple and partial SNI after a small time, or run the risk of running out of memory. (if the number of connections doing this is high) |
the idea that ISPs maintain table of SNI to allowed IPs for the top N sites has been widely discussed in a lot of older threads from around this year (in this BBS but also in xray-core issuetracker). we can assume it exists, and it would still allow for the possibility that switching SNI from it doesn't explain though why you can switch IPs and have a time window where the proxy works. assuming you do not switch SNI, and your old proxy has been banned via the above mechanism (ie. SNI-based) and not something else, the new IP should never work therefore it seems more likely to me that the new mechanism you are interacting with is not SNI-based at all |
At the end of my summary of methods, I listed some "last resort" methods. You might try some of those. But there's a general principle here. If a method ever becomes too popular, it gets blocked. You have to be continually looking for something new and different. |
|
Discussion: XTLS/Xray-core#2450 |
Thanks for your reply. Regarding GCP, you're unfortunately right. It's a shame for Google honestly. For Cloudflare there are dozens of websites that are on Cloudflare and you can access them fine with MCI (e.g., What I'm looking for is to use Cloudflare as a reverse proxy for a Reality VPN server. You would use |
|
An interesting observation: If you find "clean" IPs for Cloudflare, WS + TLS configs work somewhat decently for MCCI. However, WS + TLS behind a domestic CDN (e.g., Since they are not catching VPN connections to some clean CF IPs, it tells me that it's not about traffic characteristics, and it's all about IPs. However, Why doesn't it work with Arvan then? I really can't make sense of what's happening here. |
|
cloudflare does not allow for domain fronting so it won't happen. you can use arbitrary cloudflare IP to connect to any website, but stealing somebody else's SNI and connecting to your own server won't work |
Combination of XTLS and Fragment does not work I also tested on a working VLESS + TCP + Reality instance, When I activate the fragments for Reality outbound on the client, It fails to finish SSL handshake. I also tried setting |
Meanwhile someone reported that tunnelling 30G data per day through SSH does not result in a block. XTLS/Xray-core#2451 (comment). Does this incident mainly affect TLS stuff? |
|
Okay. Did some more experiments and here are the results: 1- You need a "clean" IP for your WS + TLS config to work even behind Arvan CDN for MCI. For some IPs, you could perfectly use Arvan CDN and MCI but for some others, it just doesn't work at all. Additionally, A lot of those IPs that don't work for MCI, work perfectly with MTN. I have no idea how this could happen other than Arvan collaborating with the filtering system, which seems unlikely honestly. So this means that Arvan's edge servers would decline to fulfill a proxy request if it's coming from MCI AND the IP is grey-listed but would serve MTN requests regardless? Moreover, one of my IPs that doesn't work with MCI + Arvan CDN is working perfectly with MCI + Cloudflare CDN. I'd love to know what you guys think about this. 2- For those IPs that MCI + Arvan CDN work, you could have perfect direct WS + TLS connections too. (Vless, Vmess, Trojan). But for the IPs that MCI + Arvan CDN didn't work, direct WS + TLS connections don't work either. 3- I also toyed with using Reality with some SNIs that were in the same ASN as my VPN server but they didn't work. There still doesn't seem to be a systematic "method" to choose an SNI that makes it indistinguishable from the "real" traffic. A couple of SNIs work nicely for MCI, but nobody knows why they work and how detectable they are. |
|
I have similar experiences, I would go further and say a truly clean ip unlocks basically every protocol (reality, ws and TCP+vmess) at the moment. what is less clear to me is whether it is a particular traffic pattern or a particular protocol that gets the IP banned
|
Fragment only works in VLESS_WS_TLS setup. |
|
Sure, here's the provided text with the requested formatting: Markdown this: 感谢你们的讨论,请做一个测试,步骤如下: 1: 使用 dokodemo-door 转发服务端的 80 和 443 端口至 www.speedtest.net Testing Results: |
Any Cloudflare IP as a WARP endpoint works? Even 1.1.1.1? |
|
I'm thinking out loud here. Let's say they can't detect Reality's traffic characteristics. Then they get suspicious of a connection and put it into a "further analysis" bucket. Let's say they have a list of whitelisted non-Iranian domains? Then they'd like to do some form of reverse lookup to check if that IP indeed belongs to the SNI that was sent with it. How do they do this? Do they check the DNS Understanding this would be the key to making Reality almost undetectable for now. |
I'd like to know what you think since my comment was inspired by your comment. @markpash |
You can get the IP and SNI to match using the "steal oneself" technique invented by @chika0801. To implement this, you'll need to own a domain name that is either whitelisted or graylisted. |
|
I think this is it really, with REALITY there's no solid proof yet that the way the stream looks on the wire has been identified by DPI systems. For now, our best guess is that they simply look at the pattern of traffic or the destination for these TLS connections and have some form of heuristic. So when doing normal REALITY, when you pick a If your hosting provider does reverse dns records, delete those. If you do The stealoneself method is a good move, assuming you can be sure that your fake site or whatever you choose to host, won't get blocked. On the other hand, rotating domains is more expensive than SNI, depending on how the filters behave with subdomains. |
Maybe existing tools don't allow it, but in theory REALITY is just TLS, what's stopping you from fragmenting the SNI in the REALITY ClientHello? |
I couldn't find this |
Here are the configuration JSON files: https://github.com/chika0801/Xray-examples/tree/main/VLESS-XTLS-uTLS-REALITY/steal_oneself Here are my implementation notes: https://computerscot.github.io/vless-xtls-utls-reality-steal-oneself.html |
|
I read your post and have a question. As this nginx configuration uses the code 80 jump to port 443. You need to tell someone in your article that if they are using acme/cerbot's standalone mode to apply for SSL certificates, please ask them to remove this piece of code or add #'s to comment out the code. Otherwise, acme/cerbot's automatic renewal of SSL certificates every 3 months will fail. (Because port 80 is occupied by nginx) You can tell people that the 80 to 443 code is not a problem even if it is not used. auto_update_acme.sh File permissions are 0755 I am using crontab to design a timed task to handle them all at the same time. It's not technical, but it's simple and works well. crontab -e tips:
With this parameter, I tested using the tool https://github.com/XTLS/RealiTLScanner on my own VPS, and it protects my domain well (from being used as a URL in REALITY DEST) |
|
In China with steal their own form, the main thing is that we will occasionally encounter when not use steal their own form, connect our own VPS, may be for no reason the speed of the time fast and slow, or not connected after a while and then recover themselves. From my personal use of VPS, I have used the form of stealing their own, did not appear above some unknown reasons for the phenomenon. If you need to try this way, you can try in your country (region) how the effect. Of course, if your country (region) has SNI whitelist, only demand you to visit SNI whitelisted sites, your own domain name is obviously not on the SNI whitelist, which is also a problem. |
|
https://computerscot.github.io/vless-xtls-utls-reality-steal-oneself.html https://github.com/XTLS/Xray-core#usage I recommend you to go to Xray's project and send a PR request to add this article request of yours to the Installation Guide project, it can help more people. |
|
PR created. XTLS/Xray-core#2470 Thanks for your help! |
|
Update: It seems like the affected IPs are now working again. Both for Reality and WS + TLS behind Arvan CDN. I still can't wrap my head around that Arvan CDN was working for MTN but not for MCI in these couple of days when these IPs were throttled/banned by MCI. We can only speculate, but maybe they have been just testing the new system for broader deployment or deployment when the times are tough for the government. |
|
Update: It appears that the previously affected Domain/Subdomains that were Filtered & Blocked are now up and running again, and they've been unblocked! We're a bit puzzled about the reasons behind these behavior, and We suspect that this might be in preparation for the anniversary of MAHSA AMINI and the people's uprising against the dictator regime from last year, but as of now, it's all speculation. It's possible that The Iranian regime are conducting tests on the new system for a wider rollout. While we can't definitively pinpoint the cause, this turn of events is undoubtedly positive. It would be greatly appreciated if someone could confirm these changes. |
|
I've come across a new and rather strange issue that I wanted to share with you all. Just in case anyone else is experiencing the same phenomenon or perhaps has a reasonable explanation for it. I've created a new VPS server using a Everything appeared to be in order until I conducted tests across various ISPs and in different cities to ensure that everything is functioning correctly as it should. The client app and software are identical and up-to-date with the latest version. Interestingly, the same configuration that was functioning flawlessly in cities like Tabriz, Isfahan, and Shiraz is no longer operational in Tehran, the capital city. This issue is observed across multiple ISPs in Tehran. I've attempted various whitelisted SNI options, but the outcome remains the same, BUT when I’ve changed the port number from 433 to any 4 or 5 digit number the same config with the same SNI working in Tehran as well as other cities with consistent and decent upload and download speeds. Has anyone else encountered a similar issue? |
|
Our speculation is that the Iranian regime has uses various types of psychological techniques and mind games on numerous occasions in the past same as we are witnessing now. They intentionally downplay restrictions and limitations, while saturating the dissemination of false news through national TV channels and all government websites. This is aimed at creating a false sense of hope and positivity, ultimately leading the general public to believe that things are returning to normal. If you're wondering why they are implementing these measures at this particular time when about 2 weeks ago we witness the Large scale blocking of Reality! We believe that this could be linked to the upcoming anniversary of MAHSA AMINI's death and many others and the events surrounding the people's uprising against the dictatorial regime, which resulted in bloodshed last year. The regime might be aiming to prevent any potential gatherings, online discussions, or movements that could gain momentum during this sensitive time. Exactly, it appears that the Iranian regime is taking preemptive measures to prevent people from organizing and developing new methods to bypass internet filtering and censorship ahead of the anniversary. By implementing these measures now, they aim to disrupt any potential plans or strategies that could emerge closer to the anniversary date. This way, they hope to maintain control over the flow of information and prevent the spread of news or discussions that could challenge their authority. We must remain vigilant and prepared. A storm is approaching, and we need to have alternative options in place in case of a complete blackout of free internet. |
|
As I mentioned in my previous comments
|
|
@Phoenix-999 Your speculations are absolutely correct :/ |
|
And struggle continues Netblocks Confirmed: Live metrics show a significant disruption to internet connectivity in Zahedan, #Iran; the incident continues the weekly pattern of regional internet shutdowns targeting anti-government protests, and comes on the eve of the anniversary of Mahsa Amini's death
|
|
This has been routine since last year. It's because the prayers on Fridays every week in Zahedan. |
|
2023-11-18-Saturday Yes
restriction has begun to a next level. You may look at this if you did not already |
Starting a few days ago, there have been widespread reports that MCCI is blocking Reality-based VPNs in a matter of hours and with low traffic. Additionally, WS + TLS VPNs that take advantage of CDNs (e.g., Cloudflare) are barely working. Even if you use a domestic (Iranian) CDN (e.g., Arvan Cloud), which generally has access to a less censored Internet, they almost don't work anymore.
Here are some of my observations:
speedtest.net,is not working well anymore. However, some start working well again by changing to new SNIs.So, what are the next steps now? When this new system gets used on all the main providers in Iran, I don't think there will be much more options left. Using a domestic relay (whether a CDN or server) was always deemed the last resort to escape censorship.
The text was updated successfully, but these errors were encountered: