If you put 65 million people in a locked room, they're going to find all the exits pretty quickly, and maybe make a few of their own. In the case of Iran's crippled-but-still-connected Internet, that means finding a continuous supply of proxy servers that allow continued access to unfiltered international web content like Twitter, Gmail, and the BBC.
A proxy server is a simple bit of software that you run on your computer. It effectively lets you share your computer with anonymous strangers as a "repeater" for content that they aren't allowed to fetch themselves. For example, an Iranian web browser might be manually configured to use your computer (identified by an IP address and a port number) as a Web proxy. When your anonymous friend reads twitter.com, or posts a tweet, the request goes via your computer, instead of to Twitter's web server directly. Except for a little delay, and the fact that your friend gets to see what the uncensored Internet looks like from New York or London or São Paolo instead of Tabriz or Qom, surfing through a proxy is pretty much like surfing without one.
As you might imagine, open web proxies are valuable commodities in places where it's forbidden, possibly dangerous, to surf the Internet. Iran's opposition movement has been vigorously trading lists of open proxies over the past week. And as you might further imagine, the Iranian government censors have worked overtime to identify these proxies and add them to the daily blacklists.
As an experiment, we geolocated a list of about 2,000 web proxies (unique IP addresses and port numbers) that were shared on Twitter and other web sites over the course of the last week, to see if we could discern patterns in the places that are hosting them. Most of these are no longer reachable from inside Iran, of course, precisely because they were made public. The following map shows the distribution of those proxies worldwide.
The USA and Western Europe were well-represented, but so were China, India, Russia, Romania, Bulgaria, Vietnam, ... 87 countries in all, a pretty impressive breadth of representation, considering the relatively small size of this sample. (You can also see about a dozen Iranian IP addresses represented in the set. Not surprisingly, all but one of these belong to networks originated by DCI, the government-run service provider who operates the modern-day Internet equivalent of the Alamūt Castle.)
Here's a geographic visualization of the proxies, drawn in Google Earth. In the first one, we've drawn Iran in green, with some of their domestic network sketched in white, and their major international connections drawn in red. Each of the colored arcs represents a single open web proxy; they are "fountaining" out of a cable landing or Internet traffic exchange point that makes approximate sense for their Iranian Internet routing. For example, all of the web proxies in Europe are drawn from the Marseilles termination of the Sea-Me-We-4 cable. The web proxies in Turkey are drawn in light blue, radiating from Ankara, where the Iran-Turkey gas pipeline passes through on its way from Bazargan. Those unusual Iranian proxies emerge from Tehran, and so forth.
If we rotate the globe, you can see how the countries of Asia are doing their part to keep the bits flowing in Iran. India, China, South Korea, Taiwan, Vietnam, and Japan are all visible sources of web proxy activity.
I'd like to be able to say that these maps are a measure of the strength of the democratic impulse and volunteer spirit in all the countries of the world. But that might be a stretch. You see, looked at another way, an open proxy is a security hole, something you might find in a machine that's been compromised, or at the very least, badly administered. Security purists think of them as the "unlocked gun cabinet" of the Internet — a resource for anyone who wants to abuse a website, commit fraud, cover their tracks.
Some of the proxies in this dataset are undoubtedly fresh, created by people who want to keep the Internet alive for the Iranian people. But many of these proxies have probably been around for months or years, mapped out by those that map out such things.
We did see a few organizers try to explain the concept of an ACL (Access Control List) to all the new proud parents of open proxies. If you are diligent, it is possible to restrict the anonymous users of your new proxy to just the Iranians, or even just the Iranian non-government networks, if you have a good enough list of the IP address blocks (network prefixes) in question. But I expect that the complexity of configuring anything tighter than an "open access" proxy is going to prove too high a barrier to entry for most people who might volunteer to run one.
For one thing, we know how hard this is. Renesys has pretty good lists of per-country networks and their transit patterns, based on our analysis of the global routing tables, and trust me, they take some work to maintain. And even given good maps of Iran's address space to work from, ACLs are notoriously hard to test, if you don't have Iranian friends who can try your server from inside the protest zone and report back to you with problems. Most people aren't going to bother, and that's probably okay. Freedom is messy. There'll be time for security later.
Perhaps the strangest thing of all, given how diverse and active and vocal the proxy server farmers have been, is that by and large, it isn't working. The rate with which new proxies are being created has slumped over the last few days. It's getting harder and harder to propagate new proxies to the people who need them, as the government consolidates its hold on the filtering mechanisms. Any new proxy addresses that are posted to Twitter, or emailed, will be blocked very quickly.
People we talk to inside Iran say that almost no proxies are usable any more. Freegate, a Chinese anti-censorship application that makes use of networks of open proxies, has proven popular in Iran. But this week, it, too, has been experiencing problems. Many popular applications, like Yahoo! Messenger, have stopped working. The authorities are said to be using power interruptions as a cyberweapon, causing brief outages during rallies that cause computers to reboot, just as people are trying to upload images and video. The net result, as Arbor's excellent analysis shows, has been a drastic reduction in inbound traffic on filtered ports since the election.
If there's a lesson here for the rest of the world, perhaps it's this: Install a few proxy instances on machines you control. Learn how to lock them down properly. Swap them with your friends overseas who live in places where the Internet is fragile. Set up your tunnels and test them. And don't wait until the tanks are in the streets to figure this out, because by that point, you may have already lost the proxy war.
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»