This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Investigation on Blocking of Reality in IRAN - Test Results #2778
Comments
|
Nice job |
|
👍 |
The problem is that we couldn't know if that's correct! Did you have that IP address you stated Before we buy a VPS IP address, maybe someone had Shadowsocks set up on the server! That would just put that IP address on the graylist.(or any other ancient and not safe proxies.) And this is not solely just on Reality. if you set up a simple TLS proxy like vless-tcp-tls with flow=vision, it will be blocked if your IP address is on the graylist. IRGFW has zoomed on TLS proxies now. all kinds of them. AND have a very large list of IP addresses (Gray List). For example, we had many IP addresses that didn't have any traffic for 3 months on them but got blocked last week! and by traffic I mean the VPS server had no xray-core or panel or any VPN services... By the way, the CPU usage report: It's interesting and others reported this! they are probably or likely Active-probes as we are investigating it. Did you check what was using the CPU? or strange IP addresses with many requests to the server? |
ghost
mentioned this issue
|
I think they are targeting the tls in tls features of the proxy flow (according to this paper) In the paper mentioned above if the GFW allows for more false positives they could detect more xtls-vision traffic and my theory is that IPs from hetzner are set to have a very high false positives and servers from GCP or azure are set to have very low false positives. So hetzner proxies are more likely to be detected and blocked rather than GCP or azure. |
|
In fact, it is easy to easily block all connections of reality. Reality manifests as port forwarding (a relatively common service) to the outside. As long as GFW is willing to block all port forwarding, no reality connection can survive |
|
Hi @Phoenix-999 and @irgfw, Your report and findings fascinating to us. We'd be happy to help with this concerning situation. We are a group of researchers that have experiences on revealing the censorship mechanisms, such as real-time traffic analysis and active probing by the GFW of China, in the past few years. If you think it's a good idea, we'd be happy to help investigate this situation, together with Xray developers and other anti-censorship researchers. We'd like to establish a more private communication channel to exchange information, but we couldn't find your email addresses. Can you drop us an email? Our email address can be found on our Github profile page. We can still use this thread for public communication for transparency and to let more people aware of the situation in Iran and our latest progress. |
Hi @irgfw , we agreed with you that we could not conclude that both servers have "clean" IP addresses without holding the IP addresses for a long long time; and there may be one thing to test: Our understanding is that while @Phoenix-999's high-traffic volume server has been blocked, the low traffic-volumne server has not. @Phoenix-999 can now assign the low-traffic volume servers to more people to use. And if this server that hasn't been blocked for a while suddenly got blocked after getting high traffic volume, it shows evidence that traffic volume may indeed affect censors' blocking decisions. We'd be happy to discuss more in detail and even help setup more controlled experiments. |
But how do you detect port forwarding? One server forwarding (reverse proxying) another would look exactly like the original with no way for a third party to tell, or am I missing something? |
It's very easy |
Reality on MCI is getting blocked on a large scale (having tested more than 10 reality servers with different configurations and SNIs) so GFW is advanced enough to block the Reality at least.
www.speedtest.net is a website and anyone wanting to use it has to connect to cloudflare IPs outside of Iran, it doesn't matter if you test your speed with a server in Iran because you first connect to www.speedtest.net to get the server information and then connect to a different server with a different domain (most likely ending in ooklaserver.net) to test the speed. |
I used different SNIs (nixos.org, www.speedtest.net, my own domain etc..) all got blocked on MCI network |
me too ! |
I used www.speedtest.net only for the server with www.speedtest.net SNI and used other servers with other dests relating to their respective SNIs. I have not used www.speedtest.net as an SNI or dest for other servers. |
Hi @gfw-report. great to hear from you. We are actively investigating new Iran's firewall behavior, especially in one of the operators named MCI (mci.ir) Hope we hear from you soon... |
|
Please do ask questions on this thread for configuration, etc Guys do not zoom in to just X-Ray or Reality! The targeted zone by MCI is not realty, it is any kind of SSL-VPN including
which they have two key features in common
Here are what we know so far (TESTED)
how a server is detected (best guess)
Clients (TESTED - Android)Xray OpenConnect Client Pro OpenVPN + obfs SSTP affected area (TESTED)Those provinces protected more
The Kurdistan MIC Phone numbers start with 0918--* and Ardabil starts with 0914-- . At the moment of this witting 0918- cannot access a server that is blocked while 0914 can access . So the issue/throttle differs from City to City. |
It may be obvious to you in your specific example, but this requires someone to manually maintain a database of what IPs a domain should and shouldn't use for every single domain, and make sure it's always up to date no less. I seriously doubt this is the case. Am I right in assuming that there isn't really an SNI whitelist in Iran, and the reason you guys use common domains like apple.com is just to look less suspicious? If random, niche domains (which certainly aren't in the database mentioned above, if it exists at all) are still allowed, has anyone tested the chances of getting blocked vs. using common domains like Apple & Microsoft? |
no , never |
|
Does anyone know about rprx? There is no news of him for several days! I wish him health and well. |
|
"every time the traffic reached a certain point within a specific period, GFW detected and blocked it" why is this a secret? why can't you just tell the number? |
|
MCI is working perfectly fine in my area, so I can't test it myself. Can someone run a Reality server according to below and report results :
|
|
They are more stupid than this The second theory involves a simple test. For example, your server might use SNI like apple.com. Initially, irgfw checks your server's SNI and IP via a client hello. Then, it performs a basic ICMP ping or a DNS request to a reputable DNS server like Cloudflare or Google to see the IP behind that SNI. If irgfw can detect a discrepancy between the actual IP of the site you SNI and your server's IP through a simple ping or DNS request, it might be able to block it. (Note: They are confident that a reality behind a CDN can't stay hidden because even with a CDN, two simultaneous users might get two different IPs.) However, considering the expanding number of websites, it's unlikely they can restrict all sites to specific IP ranges. Yet, it's a possibility. In summary, I believe irgfw employs a simple mechanism for relative identification: checking the real IP behind your SNI and blocking if the SNI IP doesn't match your server's IP. Providers like Hetzner, DigitalOcean, Linode, and others may have a higher chance of being blocked. |
According to this post this is exactly what happened with MCI right now. Iran GFW resolve SNI in tls client hello and forward Reality handshake to real SNI IP. |
I clearly remember that this happened last year too. RPRX was not active from September to the end of December. |
|
The problem we are currently dealing with might not have much to do with Reality or cryptography in general anyways. Back when MCI was still throttling upload speeds a few months ago I tried creating a new VPS and I loaded a speed test script on it. From my browser when I used that script to test my download and upload speeds everything was fine, the upload speed was not limited. But when I created any sort of v2ray inbound (same IP, same/different SNI, TLS/no TLS, tested many protocols) and did a speed test through that VPN, the upload speeds would be limited. It is almost as if they could identify which connections were made through xray-core and they could effectively throttle the upload speeds to near inexistence. MTN started throttling upload speeds after MCI but the difference was if you used a "whitelisted" SNI like speedtest.net or fast.com you wouldn't face the upload speed bottleneck. A little while ago there was this news about gas station networks getting hacked and after that the blocking of VPN servers by MTN and other operators rose to the same levels as MCI. Similar things had happened before with MCI as well. These same limitations never existed for relay servers hosted inside Iran, only the servers situated outside of Iran ever got blocked by these operators; and looking at the price of internet traffic set by Iranian VPS providers, the financial incentive here is pretty clear. It seems though as of today, the upload speed limitations are mostly lifted now (by landline ADSL/fiber providers like TCI, Shatel, etc. . There was no throttling on MTN and MCI anyways - More testing still needed) It would seem as though they are now confident that they can more reliably identify and block proxy servers and they don't need to impose speed limits anymore. I'm not sure if this has to do with uTLS fingerprints, or perhaps the way xray-core establishes connections, or maybe the traffic behavior in general but it appears that Iran's GFW is not targeting the cryptographic features of the connections, rather the traffic behavior. Do you think there is any way to verify? @RPRX |
|
@AmirReza2012 I agree with you. Today all my sing-box reality and x-ray reality were detected by GFW. They were detected exactly at the same time (9 am) and I checked with many internet providers in different locations. That wasn't an ongoing process, It was offline batch process. My hypothesis:
After one day the background machine learning will start and find outlier of IP address. What is the problem: |
|
I had considered some other possibilities as well. I thought maybe they were using Iranian applications like Snapp, Bazar, MyMCI, Digikala, etc. to figure out the IP address of your server and flag it as a VPN server. They could run a server in say Finland for example, use these Iranian apps to send to request to that server and then see if the IP address of the request going out from your phone belongs to a VPS server. This seems like a pretty efficient tactic to me. So to test this out I started using a different outgoing IP address in my servers for a few days. The IP address which I used to connect to the VPN was different than the IP address that my server used to connect to everything else. This didn't seem to make any difference though and I got well over 10 different IP addresses from different ranges blocked after doing that. Also I tried the following: I thought maybe if each IP address transmitted less traffic then it wouldn't be flagged and blocked by the GFW. But even IP addresses that I used for a very short time got blocked the morning after, This might mean they don't necessarily need you to transmit a lot of traffic to/from your server. |
|
We talk all about IP and it gets blocked. So why hasn't the Warp application been blocked? How does it work then? Wouldn't it be better to focus on Warp instead? |
|
@farhadsaberi I suspect that is because CloudFlare has servers situated inside Iran.
And last time I checked you could make WireGuard, OpenVPN, AnyConnect, etc. connections to Iranian servers just fine. So either WARP can successfully connect out of pure coincidence or they are intentionally not blocking it. Either way I doubt this will be helpful for us, since they are currently not blocking CloudFlare WSS CDN connections but as we remember they have shown they are willing to go far enough as to block every single CF IP address possible. |
|
Report: Thesis: White list, Black List, Gray list: How can find Gray List: Do not use a direct method to connect gray list IPs, and use CDN to solve this problem. |
|
MCI is sensitive to derivative on bandwidth Today I executed my code on white IP, I used Vmess method and change UUID, header and response and ports every 4 hours. My bandwidth received to 100 MB per second. and Server send 60 GB data to clients in one day. MCI has detected the server and it is block. Other internet provider can access to the server. I have another server and I used 6GB per day and it still working. Future work: If you want share a config in public channel, Block the MCI connection. My another server didn't detect by the MCI: |
|
In simple terms, the GFW seems to follow specific patterns that may not make much sense to us individually. However, when these patterns are combined, they form a basis for filtering robots to determine whether a server should be blocked or not. Whatever triggers the GFW to detect a server happens well before the proxy protocol is activated. Whether a VPS server has a new IP address or is an old server reactivated or previously deleted, the activation process initiates. The GFW starts inspecting right at that moment, as soon as the first SSH connection is established. Upon this initial connection, information about the targeted VPS is collected and stored temporarily. This data is later used by the GFW to check if the VPS IP server is on the It's crucial to note that the Iranian GFW has been gathering information about proxy VPS servers detected and blocked in the past 15 to 17 months. They likely have a comprehensive list of whitelisted, grey-listed, and blacklisted IPs, along with SNI domain lists from the mass server blockages. Another factor to consider is the presence of informers blending with the general public, collecting information on platforms like GitHub and Telegram. They share experiences and discuss solutions, contributing to the GFW's adaptive behavior in tweaking its filtering strategy. Now armed with this information, the GFW can effectively use The second stage involves checking newly activated VPS by IP addresses. ⚫ If an IP is 🔘 For ⚪ New IPs without a history of the past 12 months undergo a review after Based on my tests using personal VPS servers from the past and new servers from different providers, it seems this could be the strategy behind the GFW's recent upgrade. While we might have heard bits and pieces of this information, putting it together forms a more comprehensive understanding of the GFW's filtering mechanism. However, these are all personal hypotheses regarding my test environments and have nothing to do with the group test we are conducting. |
|
Report: Server number one: 196.20 GB and 19.51 Mbit/s used in one day Conclusion : |
|
After One month of investigation I have found a solution for the IRGFW problem:
Solution:
|
Really? So I can delete my account? :))
False. we have tested over 20 IP addresses that were blocked WITHOUT any traffic on them for the past 3 months.
Machine learning algorithm? come on! we know many insiders in the firewall to TIC. they use simple hardware and firewalls like
What is an abnormal situation?
Please first read this article: https://t.me/irgfw/13 .
What defines
There are some patterns right now. we are testing it. 3or4 Hours / 3or4 Days / 2 Weeks.
Fragmentation is a good solution but it's not the final one. as discussed here: #2504
Good solution but be aware, for example, we are saying our server is an innocent webserver. a web server can be accessed from all around the world. so you should not just Iran-Access-Only the server but rather just block specific countries like China and Russia. |
|
i guess it's better to read this article that is from @uoosef (https://github.com/uoosef) twitter post : How does the new filtering system of Hamrah Aval (a mobile operator) work? It's worth noting that the active part's operators differ from each other, each having their own bugs, indicating that the system is not entirely consistent. 2- The passive part: The solution: The effectiveness of filtering relies on the absence of an easy way to modify existing protocols and share the results of modifications among users. The purpose of the Bypass SDK is to simplify this process. A final note regarding VPS: translated by chat gpt 3.5 |
|
i invite @uoosef to this article about irgfw and if he decide to help xray community with his idea it would be very appreciated |
|
@realartin @uoosef 感谢你们,其实我们正计划在中国春节期间发布 Xray-core v1.9.0,为 Vision 加上 Seed 支持,它允许用户自定义 Vision 的一些 padding 参数等,并支持与其它传输方式比如 H2、gRPC、WS 等结合使用,到时你们可以测试一下 |
tnx for your great work sir , you save a lot of people from censorships ❤️🙏 |
|
Dears I had two tests with a domain.
My hypothesis:
|
|
@RPRX Good. That "may" help for this situation in Iran. as any combination of VLESS/VMESS/Trojan is blocked within 4 hours or 4 days or 2 weeks in Iran. There is something in these combinations that they could "possibly" fingerprint or DPI the packets of them. |
Yes. we can confirm this. many normal websites are blocked without any reason we tested this (downloading and refreshing from a normal webserver) and they were blocked after 4 days of constant traffic and downloading. (the VPSs were located at Hetzner/Linode/DigitalOcean/Vultr)
Correct. |
我有个邮箱, |
|
I had a rather interesting observation lately that I would like to share. I had a trojan and TUIC config running with a tunneled configuration and it has been running on the same IP for almost 9 10 months now. |
|
Thanks for your information. It certainly will help. For everyone who has some test results and technical information about Iran's GFW, please email me at [email protected] |
|
Hi, Don't you think that identifying the IP address where X-Ray is running or which is the actual public server (www.microsoft.com and etc) - can be easily determined by reverse IP address resolving? That is, the GFW monitors TLS traffic. It checks first of all addresses with high traffic volume, and then does rozolving (PTR record, in Linux you can use Here we can see the pattern that for IP addresses of real microsoft.com at least there is a pattern - SOA record has email ( So, if your VPS responds only to port 443, pretending to be a public server www.microsoft.com, then if somebody set a simple task for GFW - find out if this IP really belongs to a pool of Microsoft servers, it will be easy to do it by reverse resolving, just by analyzing SOA and PTR records for the IP or reverse zone of the address block. To this method you can also add a whois query to the same address block. UPDATE: example about www.speedtest.net: Here I got real IP addresses of SpeedTest. Let's see resolved IP addresses: Same pattern here: although IP addresses are not resolved back to any domain names, the reverse zones themselves have a SOA that clearly has a pattern: email & primary DNS from the It says which immediate upper zone is responsible for return addresses. Let's find the authoritative DNS for this zone: Now let's imagine that, for example, the address 8.8.8.8 (I took the public Google DNS example just as an example - you can use your own IP) is pretending to be a www.speedtest.net server, and GFW has a simple task - can the IP address 8.8.8.8 be a www.speedtest.net address (let's hypothetically imagine that Google has prescribed SOA or PTR records for 8.8.8.8 that also point to the cloudflare.com server to be similar to it as much as possible). A simple query to cloudlfare DNS on behalf of GFW will get a response: Now compare that to requesting an IP address from his responsibility: Conclusion: no matter how X-Ray server pretends to be any server via SNI, there is a simple way to check its IP address via reverse resolving, and if it is not there - then through analyzing SOA records and queries to DNS responsible for the reverse zone. If you look at the first post - it may very well be that the increased traffic triggers a check that was performed in a similar manner. This is just as an idea. |
|
Guys |
|
@neo2enigma Yes. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
and others
Before delving into the issue concerning the reality protocol, I would like to make a couple of notes.
• As we are aware, the Great Firewall (GFW) employs various techniques to detect and block proxy servers. This discussion specifically addresses recent events involving the blocking of the reality protocol in Iran, primarily by MCI ISP.
• The information provided below is our speculation and arises from several users experiencing similar test results, raising suspicions about GFW's techniques and methods for identifying the reality protocol.
• Additionally, this issue is a continuation of the previous conversation regarding the blocking of reality. If you are new to this topic, I recommend reading the previous issues, which can be found at the following links:
Link 1
Link 2
Link 3
Link 4
Now, let’s delve into the matter.
Over the last five months, most Iranian users have encountered challenging situations, given that the reality protocol was the only one functioning seamlessly in Iran. Most other protocols were easily detected by the Great Firewall (GFW). It's a challenging task but still a viable choice.
Now, in the last 10 to 15 days, we are experiencing new waves of blocking Reality, which seem a bit different and more aggressive compared to the blocking waves of the past couple of months. We recently observed something that has been discussed before and rejected by many. Still, we believe that GFW, operating under MCI command, might have found a way to block reality by analyzing heavy traffic. We are not 100% sure, but our test results strongly suggest that these new waves of blocking are due to traffic monitoring by GFW. This is how we think GFW might find reality.
Test Conducted:
• We created two fresh VPS servers, correctly set up with all security measures in place.
• Both servers had clean IP addresses in the same range, and SSH was done through VPN proxy to provide extra security.
• In both servers, the reality protocol was created using the same port (443) and the same whitelisted SNI.
•The only difference was that VPS number one was shared with only 5 to 7 people with low to medium traffic, while VPS number 2 was shared by more than 200 people, and heavy traffic was directed to it in a short period.
After about 2 hours, VPS number 2 was suddenly disconnected, and the CPU usage spiked to 100%, causing the server to temporarily disconnect. It then returned to normal percentage, but the IP was subsequently blocked by GFW.
The screenshot below illustrates exactly what we experienced while using the reality protocol with heavy traffic. Of course, we considered the possibility of it being accidental, so we tried it multiple times with different users, and the same thing happened consistently.
Although VPS number one survived for about two days, after reaching a certain traffic point, we realized it was also blocked by GFW. Additionally, we had VPS number 03, which we subjected to very low traffic with one to two users. After a week, it was still running and had avoided detection by GFW.
It's essential to mention that we took careful measures to implement security, blocking all domestic IPs and domains on the servers and bypassing them through VPN client applications. We used IP protection, random DNS switching, fragmentation, and many other techniques in our X-ray configuration to see if we could escape detection. However, every time the traffic reached a certain point within a specific period, GFW detected and blocked it.
After IPs are blocked by GFW, we can still conduct the SSH connection, as evidenced in the screenshots below. Additionally, even after MCI blocks reality, Shatel ISP follows suit; however, reality continues to function in some other ISPs. Once again, the above is our speculation, based on the same test results conducted by different users in various regions of the country.
While not certain, we offer some suggestions that might help reality withstand the GFW's new measures. Please forgive us in advance, as we might not be as technically proficient as many of the great people here. Consider utilizing advanced obfuscation techniques such as:
⚪ Decoy Traffic Ratio
⚪ Dummy Traffic Ratio
⚪ Traffic Padding
⚪ Adaptive Behavior
⚪ Dynamic Switching
⚪ Dynamic Switching Interval
⚪ Fingerprint Spoofing
We would be immensely grateful for any help, guidance, and suggestions from any of you.
🇮🇷 To all my fellow Iranians, we would greatly appreciate it if anyone could conduct the same test and share their results with us here for more clarity
@RPRX, we are eagerly and patiently awaiting your thoughts on this matter.
"Everything that has a beginning has an end. I see the end coming. I see the darkness spreading. I see death. And you are all that stands in his way."
The text was updated successfully, but these errors were encountered: