Open Collections

Abstract

The Great Firewall of Iran (GFI) has evolved significantly over the past decade, constantly adding sophisticated blocking techniques. Prior research into Iran's Internet censorship, however, has primarily been one-off studies, leaving significant gaps in understanding the GFI. Exploiting the bidirectional blocking behaviors of the GFI and its own injection mechanisms as a side-channel to determine traffic disruption, we developed IRBlock, a novel large-scale, multi-protocol measurement system designed to measure DNS, HTTP, HTTPS, and UDP-based censorship across Iran, enabling continuous monitoring of the GFI's blocking behavior. Over a period of 4 months, IRBlock has periodically measured the entirety of Iran's IP address space and tested the blocking status of over 500M apex domains, uncovering new insights into the GFI's censorship of core network protocols. Notably, IRBlock identified 6.8M IPs subjected to DNS poisoning and HTTP blockpage injection, 3.2M IPs subjected to HTTPS connection tear-down, and 6.6M IPs subjected to UDP-based traffic disruption. Overall, IRBlock discovered over 8.4M censored fully-qualified domain names and 3.9M apex domains. We found that many domains are inadvertently overblocked due to blanket blocking policies of entire top-level domains (e.g., .il). We also find that the GFI's blocking strategies show many similarities to those observed for the Great Firewall of China. Our study represents the most comprehensive view of Iran's Internet censorship to date. IRBlock's data sheds light on the GFI's evolving filtering strategies and the challenges faced by circumvention tools. We discuss the implications of our work on existing censorship measurement and circumvention efforts. We hope that our insights can inform the research community, as well as policymakers and activists working to promote digital freedom in Iran and beyond.