by In the past month or so, Iran has used physical disconnection and firewalls to restrict Internet users from accessing the Internet. Physical disconnection is relatively rare, and there is basically no way to bypass it, but there are many ways to deal with firewalls. Observations of its firewalls can also inform its censorship policies. The Iranian government has deployed DPI (Deep Packet Inspection) at all inbound and outbound international peering points, and local telecom operators have their own firewalls, but most of them are static with configuration issues, and only a small number use DPI. The firewall resolves all blacklisted domains to the IP address 10.0.34.35; it continuously scans for services such as Socks5 proxies; it rarely blocks IP addresses completely, but keeps the TCP handshake from completing by dropping syn-acks. The Iranian government restricts access to the Internet from 4:00 pm to 12:00 pm, many proxy services such as Tor and Wireguard/OpenVpn are blocked, DPI will perform blocking based on TLS plaintext SNI, and all outbound traffic after transmitting 1k-4k will be blocked, Cloudflare, Google Play, and the App Store are blocked, Docker is partially blocked, and some ISPs use a whitelist system to block all other sites.
