[HN Gopher] A technical look at Iran's internet shutdowns
___________________________________________________________________
A technical look at Iran's internet shutdowns
Author : znano
Score : 86 points
Date : 2025-07-13 16:45 UTC (6 hours ago)
(HTM) web link (zola.ink)
(TXT) w3m dump (zola.ink)
| naryJane wrote:
| I appreciate the final paragraphs which suggest a solid method
| for those inside the country and under this oppressive regime to
| remain connected without surveillance. I wonder how many are up
| to this, and what active resistance or movements inside the
| country look like these days.
| justusthane wrote:
| Does it, though? It doesn't mention whether or not hosting your
| own encrypted messaging platform is illegal, what the
| repercussions are, or how to hide that you are doing so.
|
| I found the whole article to be unfortunately light on both
| technical details and practical details, and certainly wouldn't
| suggest that anyone use it as a guide.
| Vulturus wrote:
| I was wondering myself, isn't it very dangerous to host
| those kinds of services in an oppressive state such as Iran?
| Hosting a site on Iranian IPs certainly sounds easy to track
| and I'm sure a Starlink receiver also makes substantial RF
| noise. Does anyone have any information about how likely the
| Iranian government is to shut down such a site/service? Also,
| doesn't encrypted traffic in general (like Matrix servers)
| fall into this category?
| immibis wrote:
| > whether or not hosting your own encrypted messaging
| platform is illegal
|
| Matrix isn't meaningfully encrypted, so it's mostly
| irrelevant, hooray!
| joecool1029 wrote:
| Synapse sucks to run and it doesn't minimize metadata
| collection. It's not a great choice unless you're running it
| outside the country where they can't seize the server (but then
| you have all the problems of not being able to access it when
| the country is cut off from the rest of the world). It's a pig
| on resources which means it has to be run on hardware that can
| handle it, barely runs on SBCs.
|
| Other stuff is weird in their post and suggests they are
| speaking for Iranians without actually knowing any online. I
| know a few from the Cellmapper community and SMS is very much
| not expensive. 1000 SMS costs around 0.03USD worst case:
| https://irancell.ir/en/p/3771/tariffs-and-voice-packages-en
|
| Finally it's not really that Starlink uses proprietary
| encryption that's special. They can use any sort of common
| encryption standard and there's not much Iran can do but locate
| and seize the terminal since they don't have the keys to it. I
| imagine at some point they will start looking for signal
| emissions in known Starlink bands and use that to locate
| terminals. Allegedly Russia has a detection system 'Kalinka'
| already built: https://www.space.com/space-
| exploration/tech/russia-and-chin...
| RiverCrochet wrote:
| I wish this article went into more details on what the "National
| Information Network" is. I would guess it's at least a set of
| nationally managed DNS servers that will always resolve national
| IPs even if upstream global DNS is cut off.
|
| Looking at a bigger picture though, honestly I think we're seeing
| the end of the raw global Internet for the masses. 20 years ago,
| it seemed impossible, but here we are.
|
| It's simply not going to be possible to meaningfully use the
| Internet unauthenticated and unapproved in a few years. Costs to
| reach mass audiences online will increase until only the big
| players can do it, and it'll be their platforms or nothing.
| There's going to be no room for anything that those with millions
| and billions of dollars don't want or can't make money off of in
| some way.
|
| Overall, this makes me want to reduce the role of the Internet
| and tech in my life. I don't need the fastest data plan, latest
| PC, newest phone, or whatever AI trend is hot to use the apps I
| need for daily life or to line up events and meetings with others
| that I actually know.
| alephnerd wrote:
| > more details on what the "National Information Network" is
|
| Some sources [0][1]
|
| > I would guess it's at least a set of nationally managed DNS
| servers that will always resolve national IPs even if upstream
| global DNS is cut off.
|
| Yep. Along with an entire ecosystem of domestically created and
| regulated search engines, DPI, centrally managed certs, AV,
| networking backbone, etc.
|
| It's similar in intention to the Great Firewall in China,
| except much more restrictive.
|
| Imagine corporate IT restrictions and posture being deployed
| nationwide on all endpoints, that's how these kind of
| initiatives tend to be architected.
|
| SSE/Zero Trust, DPI, Cert Mgmt, etc are all dual-use, and it's
| essentially a logistics and organization problem.
|
| [0] - https://apps.dtic.mil/sti/pdfs/AD1107324.pdf
|
| [1] -
| https://www.article19.org/data/files/medialibrary/38316/The-...
| hexomancer wrote:
| I wrote a blog post which hopefully clears up the "National
| Network": https://ahrm.github.io/jekyll/update/2025/06/20/iran-
| interne...
|
| It is way more than just DNS.
| alephnerd wrote:
| Is Google's AI Mode working? That might solve the problem you
| mentioned.
| hexomancer wrote:
| Well, the internet is not national anymore (for now!), but
| isn't Google AI Mode US only? Anyway, the only Google
| service that did work at that time was Google Search; as far
| as I know nothing else worked (no Gmail, Maps, etc.).
| alephnerd wrote:
| Ah - I didn't realize Google AI Mode is US Only!
|
| > the only google service that did work at that time was
| google search as far as I know nothing else worked (no
| gmail, maps, etc.)
|
| Yea, sounds like they resorted to a hard whitelist. How
| were other Internet services impacted in Iran? My
| understanding is payment is increasingly tap-to-pay or
| via digital wallets within Iran? How was that impacted
| during the shutdown?
| hexomancer wrote:
| Well, Iran is sanctioned as fuck, so no global payment
| system works in Iran anyway. All the payment systems used
| by Iranians are local so they work even in national
| internet.
| alephnerd wrote:
| Yep! What I meant was during the recent conflict, was the
| domestic payment system working? How brittle or robust
| was it during that, especially given that my
| understanding is that Iran has transitioned to a cashless
| society?
| hexomancer wrote:
| Yes, it was working at least in my experience.
| joecool1029 wrote:
| > Looking at a bigger picture though, honestly I think we're
| seeing the end of the raw global Internet for the masses. 20
| years ago, it seemed impossible, but here we are.
|
| This is defeatist. You're probably right 'for the masses' but
| there will always be those networking and collaborating and
| bypassing whatever restrictions get put in place. I have online
| contacts in 'firewalled' regimes that use v2ray/shadowsocks or
| whatever the thing of the now is to get around the
| restrictions.
|
| There's a ton of cheap tools now that can be used for running
| local or citywide networks, hams have their own packet radio
| stuff. There's now all those new LoRa networks that only really
| popped up in the past few years.
|
| What I'm trying to say is the stuff is there and it's
| accessible, but it's only going to be a minority of people that
| use it just as it's a small minority that comments on posts
| like this (people like us) and even smaller yet again that
| write content on how to do it and create those tools to begin
| with. But it has always been this way....
| ZoomZoomZoom wrote:
| > What I'm trying to say is the stuff is there and it's
| accessible, but it's only going to be a minority of people
| that use it
|
| Exactly. This is why the tech has to be made resistant to
| surveillance and censorship by default. Until usage of
| alternative connectivity and circumvention methods sticks out
| as a sore thumb (turns out, for most tools it does), it
| applies a constant pressure on anyone under oppression to
| stop, increasing the risks for those who continue to use
| them.
| mschuster91 wrote:
| > hams have their own packet radio stuff
|
| We got basically three different things. First we got APRS,
| mostly used for position reports (go on aprs.fi for a map).
| That is pretty nice but unusable for anything more than an SMS
| worth of things, and you need repeaters and not just internet
| gateway collectors to actually have something that's
| resilient.
|
| Next thing is AX25, the technical foundation behind APRS. Yes
| you can use it to create actual data links, but it's about
| modem speeds so virtually useless outside of toying around.
|
| And finally there is HamNet but it's line of sight based and
| not cross routed to the internet, and identically to all
| things ham radio, encryption is banned by law.
|
| And on top of that, you can expect regulatory agencies to
| crack down on ham radio fast and hard, should it be used for
| political dissent motives at scale. It's already against ham
| practice to talk politics, especially with people in
| repressive countries - we don't want _more_ countries other
| than Yemen and North Korea to just blanket ban ham radio.
| swores wrote:
| Am I right to assume that it's easy to locate the source of
| ham radio signals?
|
| i.e. if there's a blanket ban, can you use your radio
| hidden in your house or can the government easily find out
| that the user they've noticed on the airwaves is located
| there and knock down your door?
| ridgeguy wrote:
| It's very easy, has been for a long time. See the story
| of Israeli Eli Cohen, an operative in Syria.
|
| https://en.wikipedia.org/wiki/Eli_Cohen
| Ray20 wrote:
| >there will always be those networking and collaborating and
| bypassing whatever restrictions get put in place.
|
| I don't think so. It's just a question of the severity of the
| punishment for violating regulations. A couple of small fines
| for an unlicensed networking and collaborating - and there
| will be no one left.
|
| >There's a ton of cheap tools now that can be used for
| running local or citywide networks, hams have their own
| packet radio stuff.
|
| The issue has never been in the technical plane. The
| equipment for building and operating networks has become
| dozens of times more accessible over the past couple of
| decades. The problem is in the increasing number of
| regulations that purposefully lock all clients into a few
| select controlled service providers. They have a goal and
| they have the tools to achieve it, so it's only a matter of
| time before they reach the minority of network-enthusiasts.
| rs186 wrote:
| Live in China/Iran for a few years and see if you would still
| post this same comment.
| one-note wrote:
| The only way to have global uncensored sharing of information
| is shortwave radio. Always has been, always will be.
| LocalH wrote:
| Triangulation exists to locate such stations
| one-note wrote:
| Did I say untraceable?
|
| You'll be found on the internet too btw. But far more
| easily.
| mensetmanusman wrote:
| Maybe, or Starlink and software destabilize the authoritarians.
| immibis wrote:
| The current global Internet is an anomaly in space and time,
| and it's held together by spit, prayers, and the hope the
| reliability gains from multiple redundant paths outweigh the
| reliability losses from so many distinct actors being involved.
| It would be quite easy for any major government to cause major
| problems in global connectivity. So far, they mostly seem
| content to only cut themselves off, and the ones with the power
| to mess up the global net don't seem to want to. But the NSA
| was diverting a whole lot of intra-Europe traffic via the USA
| at one time so they could snoop it.
| ZoomZoomZoom wrote:
| > WireGuard uses UDP and a small handshake footprint, making
| detection and blocking via DPI harder.
|
| Not quite true. Wireguard is already actively detected and
| suppressed if necessary. There's already a fork that employs
| basic changes to improve the protocol in this regard. AmneziaWG
| was shown to be more robust to detection for now.
|
| https://docs.amnezia.org/documentation/amnezia-wg/
|
| Too bad managing WG is such a pain and Tailscale/Netbird don't
| support this protocol yet. The following two issues need
| attention:
|
| https://github.com/tailscale/tailscale/issues/10696
|
| https://github.com/netbirdio/netbird/issues/1096
| dongcarl wrote:
| At Obscura we just tunnel WireGuard over QUIC's unreliable
| datagram mechanism to make it look like HTTP/3 (for DPI):
| https://github.com/Sovereign-Engineering/obscuravpn-client/b...
|
| We just upstreamed our patch to quinn-rs that pads Datagrams to
| MTU: https://github.com/quinn-rs/quinn/pull/2274
| antonkochubey wrote:
| Some DPIs just flat out block HTTP/3 already.
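Added example for the WireGuard/DPI subthread above (ZoomZoomZoom's point that plain WireGuard is detectable, dongcarl's padding trick). This is not code from the linked article, AmneziaWG, Obscura, or any commenter; it is a sketch of the two cheap signals a DPI box gets from WireGuard's fixed on-wire format (the type/reserved header word and the per-message lengths from the WireGuard protocol description) and of how header randomisation and padding each remove one of them. Every packet is constructed with a random body; there is no real Noise handshake, and the `randomise_header` and `pad_to_mtu` helpers are stand-ins for the idea, not either project's wire format.

```python
"""
Added example for this thread (not code from the linked article,
AmneziaWG, or Obscura): a minimal DPI-style WireGuard fingerprinter.

WireGuard's four message types have a fixed on-wire shape: a 1-byte type,
three reserved zero bytes, then fixed-size fields. A DPI box therefore
gets two cheap signals per datagram: the first four bytes and the payload
length. The helpers at the bottom show how header randomisation (the
AmneziaWG approach, in spirit) and padding to the MTU (the Obscura
approach, in spirit) each remove one of those signals.
"""
import os

# type byte -> (name, exact payload length, or None for variable length)
WG_TYPES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),  # 16-byte header + ciphertext + 16-byte tag
}


def classify(payload: bytes):
    """Return the WireGuard message name if the datagram matches the
    on-wire shape, else None. This is the whole 'rule' a simple DPI
    signature needs."""
    if len(payload) < 4:
        return None
    msg_type, reserved = payload[0], payload[1:4]
    if reserved != b"\x00\x00\x00" or msg_type not in WG_TYPES:
        return None
    name, fixed_len = WG_TYPES[msg_type]
    if fixed_len is not None:
        return name if len(payload) == fixed_len else None
    # Transport data: plaintext is padded to a multiple of 16 before the
    # AEAD, so the payload is 32 + 16k bytes (exactly 32 is a keepalive).
    if len(payload) < 32 or (len(payload) - 32) % 16 != 0:
        return None
    return name


def flow_looks_like_wireguard(datagrams):
    """Flow-level heuristic: a 148-byte initiation, then a 92-byte response,
    then nothing but transport data. Real DPI adds timing and direction;
    this keeps only the shape."""
    if len(datagrams) < 2:
        return False
    if classify(datagrams[0]) != "handshake_initiation":
        return False
    if classify(datagrams[1]) != "handshake_response":
        return False
    return all(classify(d) == "transport_data" for d in datagrams[2:])


# --- constructed packets (random bodies, no real Noise handshake) ---

def fake_initiation() -> bytes:
    return bytes([1, 0, 0, 0]) + os.urandom(144)


def fake_response() -> bytes:
    return bytes([2, 0, 0, 0]) + os.urandom(88)


def fake_data(plaintext_len: int) -> bytes:
    padded = (plaintext_len + 15) // 16 * 16
    return bytes([4, 0, 0, 0]) + os.urandom(12 + padded + 16)


# --- two obfuscation ideas, each killing one signal ---

def randomise_header(payload: bytes, header: int) -> bytes:
    """Replace the type/reserved word with an agreed 32-bit value
    (AmneziaWG's H1..H4 settings do this; its exact format is not
    reproduced here). The peer must be configured with the same value."""
    return header.to_bytes(4, "big") + payload[4:]


def pad_to_mtu(payload: bytes, mtu: int = 1280) -> bytes:
    """Pad every datagram to a constant size so length carries no
    information. Only makes sense inside an outer tunnel that strips the
    padding, as Obscura's QUIC wrapper does."""
    return payload + os.urandom(mtu - len(payload))


def demo():
    plain = [fake_initiation(), fake_response(), fake_data(0), fake_data(100)]
    return {
        "plain_flow_detected": flow_looks_like_wireguard(plain),
        "header_randomised": classify(randomise_header(plain[0], 0xDEADBEEF)),
        "padded": classify(pad_to_mtu(plain[0])),
    }
```

Note that each trick defeats only its own signal: a padded datagram still carries the `01 00 00 00` header, and a header-randomised one still arrives as 148, 92 and 32+16k bytes, which is why real-world obfuscators (and the HTTP/3 wrapping dongcarl describes) change both, and why a DPI that simply blocks the carrier protocol, as antonkochubey notes, sidesteps the whole game.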
| xkcd1963 wrote:
| How do people do this in China?
| mohas wrote:
| This is much more severe than in China. I've never been
| completely shut off from the Internet before. Each time, one of my
| servers had access to the global Internet. This time, no connection
| whatsoever. I hope people realise that encryption needs
| transmission; with no wire to transfer data, encryption won't
| help you.
| heraldgeezer wrote:
| Just
|
|   enable
|   configure terminal
|   router bgp <your-AS-number>
|   ! administratively shut down the session to the upstream peer
|   neighbor <neighbor-IP-address> shutdown
|   end
|
| Easy
| heraldgeezer wrote:
| >SMS in Iran is unencrypted.
|
| SMS everywhere is unencrypted
| bawolff wrote:
| Yes, although many people probably don't know the difference
| between SMS and RCS and use SMS to refer to both.
| bawolff wrote:
| > IPv4 addresses are limited and constantly reallocated. Most are
| rented and passed between hosting providers, resold between
| datacenters, or migrated across regions. The Iranian filtering
| system uses GeoIP databases and BGP information to decide which
| IP ranges to trust and which to block. But those records lag
| behind the changes.
|
| This is surprising to me. Surely Iranian ISPs would have directly
| allocated IP space?
|
| Or alternatively, surely Iran's gov would be in the routers and
| be able to blackhole any routes leaving the country?
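Added example for the quoted paragraph and bawolff's question, not code from the linked article and not the Iranian filtering system's actual logic (which is not public). It sketches the decision the article describes: look an address up in a GeoIP snapshot and in current BGP origin data, trust it only when both say "domestic", and see what happens when a prefix has changed hands and one of the two records lags. All prefixes are documentation ranges and all ASNs are private-use numbers, chosen for the example; nothing here reflects real Iranian allocations.

```python
"""
Added example for this thread: a toy prefix-trust classifier, not the
Iranian filter's logic and not code from the linked article.

Decision: an address is "domestic" if the GeoIP snapshot says IR *and*
the prefix currently covering it is originated by a domestic AS. When the
two sources disagree, one of them is stale, which is the lag the quoted
paragraph describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All tables are constructed for the example. Private-use ASNs stand in
# for domestic ISPs; documentation prefixes stand in for real allocations.
DOMESTIC_ASNS = {64500, 64501}

# "GeoIP" snapshot as of its last refresh: prefix -> country code
GEOIP_SNAPSHOT = {
    "203.0.113.0/24": "IR",
    "198.51.100.0/24": "DE",
    "192.0.2.0/24": "IR",
}

# Current BGP origin per prefix, as a route collector would see it.
# 192.0.2.0/26 was sold on and is now announced as a more-specific by a
# foreign AS, while the old covering /24 is still in the table and the
# GeoIP snapshot above has not caught up.
BGP_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64512,
    "192.0.2.0/26": 64513,
    "192.0.2.0/24": 64501,
}


@dataclass(frozen=True)
class Verdict:
    geoip_country: Optional[str]
    origin_asn: Optional[int]
    action: str  # "allow", "block" or "review"


def longest_match(ip, table):
    """Longest-prefix match over a dict keyed by CIDR strings; returns the
    value for the most specific covering prefix, or None."""
    best_net, best_val = None, None
    for cidr, value in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_val = net, value
    return best_val


def decide(ip_str: str) -> Verdict:
    ip = ipaddress.ip_address(ip_str)
    country = longest_match(ip, GEOIP_SNAPSHOT)
    asn = longest_match(ip, BGP_ORIGINS)
    geo_domestic = country == "IR"
    bgp_domestic = asn in DOMESTIC_ASNS
    if geo_domestic and bgp_domestic:
        action = "allow"
    elif not geo_domestic and not bgp_domestic:
        action = "block"
    else:
        action = "review"  # the two sources disagree: a stale record somewhere
    return Verdict(country, asn, action)


def demo():
    # Two addresses in the same "IR" /24 get different verdicts because BGP
    # now carries a foreign more-specific for the low half of it.
    return {addr: decide(addr).action
            for addr in ("203.0.113.10", "198.51.100.10", "192.0.2.5", "192.0.2.200")}
```

The point of the `192.0.2.0/24` case is the one the article makes: a filter keyed on stale records both lets through traffic it meant to block and blocks traffic it meant to allow, and the failure is per-prefix, not per-country, which is exactly the kind of gap a reassigned or re-announced block opens until the tables are refreshed.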
| immibis wrote:
| Are they sanctioned away from RIPE? Russia is. Russia isn't
| allowed to be allocated any IP addresses they don't already
| have. They're Russia, so they already have a bunch, but if they
| didn't, they'd have to keep borrowing them on grey markets,
| possibly different ones each time.
|
| (Fun fact about sanctions: the International Criminal Court is
| sanctioned away from Microsoft, so they can't legally get
| access to Windows or Office. This is because they prosecuted a
| war criminal the USA likes.)
| elternal_love wrote:
| If you are ever thinking of writing something like this: please
| be aware that people could be executed based upon the validity of
| your assumptions and the advice offered.
___________________________________________________________________
(page generated 2025-07-13 23:00 UTC)