SSH through the AS12880 / DCI Iranian government-run firewall?
June 22, 2009 8:54 PM
Iranian firewallfilter: How to make SSH traffic not resemble SSH traffic, when examined by a deep packet inspection device (Ellacoya, Narus, etc)? Other advice on specific types of VPN from within Iran also welcome.
posted by thewalrus to computers & internet (18 answers total) 5 users marked this as a favorite
I've been following the news about Iranian Internet censorship for a few years now, but obviously started paying more attention in the last couple of weeks. There are two interesting papers examining AS12880 (DCI)'s Internet transit from Arbor Networks:
Iranian Traffic Engineering
Deeper Look at the Iranian Firewall
Robtex page examining AS12880's uplinks to the world
Rense page, strange changes in Iranian Internet transit
What I'm wondering specifically is methods which can be taken to make SSH traffic look -less- like SSH traffic. Assume that a person inside Iran has root on a European-colocated FreeBSD or Linux system (or root on a VPS/Virtual Machine) running the latest OpenSSH. The sshd would of course be listening for incoming connections on a nonstandard port; it could be any port, or multiple different ports. If I remember right, OpenSSH now defaults to SSH2/AES but can also use Blowfish. Are there any methods that can be used to disguise the initial SSH handshake and packet headers? Any special tricks from the client software end, assuming that the client (OSX or Linux) can run any ssh client that will compile on it?
Is VPN traffic (Cisco, or Juniper-Netscreen SSL-VPN) less likely to trigger flags or get blocked than SSH?
Does anyone have firsthand or secondhand experience of Windows Remote Desktop / RDP 5.1 being blocked from within Iran?