With Rafsanjani's speech supporting the resistance in Iran, it seems likely that a new phase of dissent over the fraudulent election will shortly emerge. That prospect may have the IT departments in the Iranian government beefing up their chops. Along those lines, NedaNet, an organization of "computer hackers and computer users from all over the planet doing what we can to help the Iranian people in their struggle for freedom," has issued a paper identifying five key technologies for Internet censorship that Iran is or may be using.
- IP Blocking is used to ban the BBC's Persian news services and take down specific websites, but it can't stop users who set up a proxy ring via multi-hop circuits that use multiple servers.
- Traffic classification is the ability to ban specific protocols by blocking the usual port. Like Comcast, they simply throttle traffic on that port. It's quite a common method since "it is not too resource intensive and is fairly easy to set up," Sennhauser says.
- Shallow packet inspection is like deep packet inspection (DPI) but it only looks at the packet header to make "broad generalities" about content. While it doesn't provide the information that DPI does, "it's a less refined tool, but it can also deal with a lot more traffic than true DPI can," he explains. "If a packet says that it's SSL (Secure Sockets Layer) in the header, then a shallow packet inspector takes it at face value."
- Packet fingerprinting provides some more detail. It looks not just at the packet header but also length, frequency of transmission and other characteristics to make a guesstimate of content.
"A lot of things don't explicitly say what they are. For example, a lot of VPN traffic is indistinguishable from SSH traffic, which means that it would be throttled if SSH was," he says. "But what if businesses relied on VPN connections? You'd move the system to fingerprinting, where the two are easily distinguishable."
- In deep packet inspection, a message's content is actually examined.
"Viewing a packet's contents doesn't tell you much on its own, especially if it's encrypted," he says. "But combining it with the knowledge gained from fingerprinting and shallow packet inspection, it is usually more than enough to figure out what sort of traffic you're looking at."
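
As an added illustration (not taken from NedaNet's paper or this article), the Python example below runs port-based classification, shallow inspection and fingerprinting over constructed flow records to show where header-based labels stop being informative and where length and frequency start to separate traffic. The flow fields, thresholds and sample values are assumptions, and a VPN-style tunnel is modelled here as SSH-looking traffic that carries bulk data.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Flow:
    dst_port: int        # TCP destination port
    first_bytes: bytes   # leading bytes of the first payload (the protocol's own header)
    sizes: list          # payload size of each packet, in bytes
    gaps: list           # seconds between consecutive packets

PORT_MAP = {22: "ssh", 80: "http", 443: "tls"}

def classify_by_port(flow):
    """Traffic classification: the usual port decides the label."""
    return PORT_MAP.get(flow.dst_port, "unknown")

def classify_shallow(flow):
    """Shallow inspection: believe what the leading header bytes claim."""
    b = flow.first_bytes
    if b.startswith(b"SSH-"):
        return "ssh"
    if len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03:  # TLS handshake record header
        return "tls"
    return "unknown"

def classify_fingerprint(flow, big=1200, bulk_share=0.5, fast_gap=0.05):
    """Fingerprinting: guess from packet length and frequency only.
    The thresholds are illustrative assumptions, not measured values."""
    share_big = sum(s >= big for s in flow.sizes) / len(flow.sizes)
    if share_big >= bulk_share and mean(flow.gaps) <= fast_gap:
        return "bulk-tunnel"      # steady stream of near-full packets
    if mean(flow.sizes) < 200:
        return "interactive"      # small, keystroke-like packets
    return "unknown"

# Constructed sample flows: both open with an SSH banner on port 22.
SHELL = Flow(22, b"SSH-2.0-example\r\n", [48, 64, 48, 80, 48, 96], [0.4, 1.2, 0.2, 0.9, 0.6])
TUNNEL = Flow(22, b"SSH-2.0-example\r\n", [1400, 1400, 96, 1400, 1380, 1400], [0.01, 0.01, 0.02, 0.01, 0.01])
# Constructed flow that only claims to be TLS: a record header followed by filler.
CLAIMED_TLS = Flow(443, b"\x16\x03\x01\x00\x05hello", [900, 900, 900], [0.1, 0.1])

def report(flow):
    """Return the (port, shallow, fingerprint) labels for one flow."""
    return classify_by_port(flow), classify_shallow(flow), classify_fingerprint(flow)

if __name__ == "__main__":
    for name, flow in [("shell", SHELL), ("tunnel", TUNNEL), ("claimed-tls", CLAIMED_TLS)]:
        print(name, report(flow))
```

The two port-22 flows get identical labels from the first two classifiers and differ only under fingerprinting, while the flow that merely claims to be TLS is accepted as TLS by both header-based methods.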