Technology, Thoughts & Trinkets

Touring the digital through type

Is Iran Now Actually Using Deep Packet Inspection?

Photo by Hamed Saber

I’ve previously written about whether the Iranian government uses deep packet inspection systems to monitor and mediate data content. As a refresher, the spectre of DPI was initially raised by the Wall Street Journal in a seriously flawed article several years ago. In addition to critiquing that article, last year I spent a while pulling together various data sources to outline the nature of the Iranian network infrastructure and likely modes of detecting dissident traffic.

Since January 2010, the Iranian government may have significantly modified their network monitoring infrastructure. In short, the government seems to have moved from somewhat ham-fisted filtering systems (e.g. all encrypted traffic is throttled/blocked) to a granular system (where only certain applications’ encrypted traffic is blocked). In this post I’ll outline my past analyses of the Iranian Internet infrastructure and look at the new data on granular targeting of encrypted application traffic. I’ll conclude by raising some questions that need to be answered about the new surveillance system, and note potential dangers facing Iranian dissidents if DPI has actually been deployed.

The Iranian Telecommunications Infrastructure

As in most Western states, Iranian citizens can receive Internet service from a variety of Internet Service Providers (ISPs). Unlike many Western nations, however, all data traffic in and out of Iran must pass through state controlled infrastructure. As further evidence of the state’s influence over telecommunications in Iran, in 2006 the Ministry of Communications and Information Technology (MCIT) issued an order forbidding ISPs from providing Internet connectivity to homes and public access points that exceeded 128 kilobytes/second. Universities and private businesses can obtain high-speed access.

Limiting broadband deployment hinders access to rich-format media sources that are not controlled or influenced by the state. When it takes minutes to load a short YouTube video, or access a foreign nation’s news services, citizens who are not driven to access non-sanctioned material are likely to choose the ‘easy and fast’ options. The impact of delaying particular content transmissions (e.g. over-the-top Internet transmissions instead of broadcast transmissions) has been raised by O’Donnell in “Broadband Architectures, ISP Business Plans, and Open Access,” when writing that

…[t]he subtle manipulation of the technical performance of the network can condition users unconsciously to avoid certain “slower” web sites. A few extra milliseconds’ delay strategically inserted here and there, for example, can effectively shepherd users from one web site to another. (53)

O’Donnell is writing about what happens when ISPs in democratic nations delay content. Given that a few milliseconds can have significant effects on where people get their content from, several seconds or minutes’ delay, combined with an awareness that the state might be monitoring a user’s actions, presumably is even more effective in shepherding users away from over-the-top content and towards sanctioned broadcast-centric content. Of course, delaying data communications and the possibilities of surveillance will not convince all users to adopt state-sanctioned news sources, but not all individuals need to comply with a soft deployment of power for the deployment to be reasonably effective in influencing social order.

Iran and DPI 101

On June 22, 2009, the Wall Street Journal published an article arguing that the Iranian government was using DPI systems to monitor dissident communications. More specifically, the WSJ linked Nokia Siemens Networks’ sale of lawful access equipment for mobile services with the sale of equipment enabling whole-scale governmental monitoring and mediation of all wireline Internet transmissions. The authors of the WSJ article proposed that,

In Iran’s case, this is done for the entire country at a single choke point, according to networking engineers familiar with the country’s system.

In a previous post I analyzed the earliest reports of the Iranian government using DPI, and concluded by stating:

I worry that the WSJ is claiming that DPI is more effective in screening communications than it is in reality, much like we hear claims that CCTV is more effective than studies show. This isn’t discounting that DPI could, potentially, in an ideal world do what the WSJ is suggesting, but networking environments where admins are trying to regulate gigabytes of traffic each second are hardly these ideal environments for mass surveillance and content regulation using DPI appliances. Hopefully the pressure gets Nokia-Siemens or other network manufacturer to fess up about what they sold, but I’m not holding my breath.

On August 3, 2009, Arbor Networks released data suggesting that the slow Internet speeds experienced during the attempted Green Revolution were likely caused by the government limiting available bandwidth between Iranian networks and the global Internet. The government may also have ramped up the SmartFilter system that all Iranian ISPs are required to implement. Further, the government might have extended the ‘blocked sites’ list, closed particular ports, or increased keyword filtering as data moved through government proxy servers before getting to the web-at-large. The Iranian government is well known to have historically used these techniques to mediate Internet traffic. Indeed, these surveillance techniques were foreshadowed in 2006 by the Communication and Information Technology Ministry, when the Ministry announced that their surveillance apparatus would:

…would block access to unauthorized websites, identify Internet users, and keep a record of the sites they visit. The system administrator would have access to this information.

The ministry subsequently denied that the filtering facility could identify users and track their browsing habits, and it stressed that it only wants to block access to pornography. There also were acknowledgements that the previous methodology was imperfect, and a “filtering databank” would be more precise and make fewer mistakes.

Thus, building on independent reports, scholarly investigations, government statements, and technical analyses, it seemed unlikely that deep packet inspection was being used in Iran to mediate communications belonging to members of the Green Revolution in 2009 and early 2010. In the face of recent events, however, we may need to modify the position of ‘no DPI is used to monitor Internet access’ to ‘DPI or something with DPI-like functionality may be being discreetly tested by the Iranian government.’

Deep Packet Inspection in Iran Today

In an interview on October 5, 2010, the vice-president of the Communications Infrastructure Company in Iran said that changes to the Iranian filtering system were coming. Filtering would continue to operate at the gateway layer, the point between the Iranian network infrastructure and the world-at-large. As such, filtering would not be happening at the access layer, a point that is much, much closer to where end-users actually sit in the network infrastructure. Of note, however, was that in the same interview the vice-president suggested that analysis and filtering might shift from the gateway to access layer at some later date. This is significant, insofar as more discrete analysis of traffic could be performed while linking communications traffic with the IP address assigned to the modem-of-origin and billing information (e.g. real name, address) for that account. While such investigative work is possible when filtering at the gateway, moving analysis towards the access layer may provide faster correlations between ‘suspect’ traffic and the suspect in question. In effect, if the automated surveillance system is tightly integrated with the subscriber databases, access layer monitoring could let government agents quickly identify prospective dissidents who are trying to evade state filters in violation of the law. Given that such capabilities exist (though aren’t implemented!) within the Canadian ISP infrastructure (i.e. tying DPI information to subscriber information) it’s entirely possible that a similar framework exists in Iran.

It would seem that whatever the vice-president was alluding to in October has recently become active and is operating at the access layer. One of Iran’s ISPs has begun blocking censorship circumvention tools, including Tor, Freegate, Ultrasurf, and Hot Spot Shield. While the throttling of encrypted communications has previously been reported on, in this case the ISP is specifically targeting particular applications that are encrypting traffic; not all SSL traffic is being throttled. This is significant, as previously Iran’s innovative shift was to centralize all throttling and analysis at the gateway level. The capacity to identify encrypted traffic and take action on it is something many DPI appliances can do; many applications can effectively be ‘fingerprinted’ based on the ways they exchange data packets, and action can then be taken on the packet flows. DPI isn’t necessarily the only way to identify these exchanges and take action on them but it is certainly one of the more effective strategies. Such access layer analysis will likely supplement already existing gateway surveillance, enabling a better multilayered surveillance apparatus.

Key Issues, Today

If DPI appliances are being used to monitor and impact data traffic by an Iranian ISP today, the first thing to ask is who has sold the equipment to Iran. As van Schewick notes in Internet Architecture and Innovation,

…when choosing to exclude an application in order to manage bandwidth, network providers may consider whether the application is easy to detect, whether their preferred vendors’ products can detect the application, or whether blocking or throttling the application has a noticeable effect on traffic. (350)

Given van Schewick’s comment, if Iranian ISPs are using DPI, which company or companies provide the capacity to identify and filter data traffic for Tor, Freegate, Ultrasurf, and other censorship evasion tools at an ISP-level? If only a few Western systems can effectively detect this traffic then we might identify who, exactly, sold what to the Iranian government/ISPs. Knowing the vendor and product could help put legal pressure on the vendor, both to prevent future sales and to reveal any flaws in how they mediate censorship evasion traffic.

Next, how quickly and easily can such identification systems, regardless of the underlying technology used in the identification, match up uses of evasion tools and ISP subscriber information? This is important because correlating evasion traffic with individual users heightens the potential for direct state coercion towards Iranian citizens. Further, if other ISPs have deployed similar systems in a passive mode then dissidents might be being mapped right now. Admittedly, if my own aim was to suppress (or identify) technically savvy members of a revolutionary body I would collect intelligence passively for as long as possible. Should the ISP cease its current actions, if it stops impeding the traffic flows of censorship evasion software, I would assume that the government had adopted a passive intelligence strategy to map problematic citizens/Internet subscribers.

Finally, are the tools presently deployed by the Iranian government capable of modifying unencrypted packet streams in a reasonably automated fashion? If so, when subscribers are caught using evasion tools can packet streams be modified such that malware (e.g. key logging software) is installed by taking advantage of browser exploits?

Regardless of whether deep packet inspection or some other monitoring system is being used to limit access to censorship evasion tools, the deployment of such systems constitutes a massive evolution of Iranian surveillance and mediation efforts. The government attacker, partnered with ISPs, has become a greater threat to free speech and association advocates, to say nothing of the members of the Green Revolution, than ever before.


  1. Interesting. I wonder if there will ever be a direct link established between a Western DPI vendor and Iran. Selling such products to Iran is prohibited by US export law (anything with SSL capabilities basically).

    So for Iran to be using a modern SSL intercepting appliance, it would have to be from a company that does not do business in the US, or the products were obtained through 3rd parties, through shell corporations for example.

    I suspect the latter, as even if the vendor was “aware” of what was going on, selling to a legit customer (even if it is just a front) provides plausible deniability all around.

    • I’ve spoken with some vendors – as well as some security folk that are mostly concerned with nuclear arms – and shell companies along with significant intrigue is the most likely way that the country would get their hands on products either from the US or EU. I doubt any company would willingly admit to have sold such goods but maybe some clue is there for an enterprising sleuth to dig up…

  2. You have Deep Packet Inspection, for security and advertising reasons, in the US too, the only difference is that ISPs’ technology in the US is better, so you can access the web quicker.
    You’re spied on every day by Google VOLUNTARILY and don’t complain; why are you so concerned about Iran?

    • Not just for security and advertising, but the point is taken. I would dispute, however, that the technology is either much better or that it’s used to genuinely make things ‘faster’ for most consumers.

      As for Google: I’m critical of them in my various writings. DPI is my key focus, but writing on one topic more prominently than the other is no indication of my preference for one mode of surveillance over the other.
