net4people / bbs

Forum for discussing Internet censorship circumvention

It seems that Iran's GFW has updated! #241

Open SaintShit opened 1 year ago

SaintShit commented 1 year ago

In recent days, we've been dealing with MCI (& TCI)'s filtering system, which seems to have gotten smarter. But now it seems that this system is coming to other ISPs like Shatel, which yesterday sent a message to its users about a temporary outage, and now the changes can be felt in Shatel too. What I have got so far is that they are very sensitive to the SNI of the requests (that are going to Cloudflare servers maybe) and filter them quickly. It used to take a long time, but now it is upgraded; for example, in MCI, the domain gets filtered instantly. An interesting thing I noticed is that domains may be filtered temporarily, and after a few hours of being filtered, they might get released. However, they'll be filtered again, this time faster. The more interesting thing is that the domains are filtered according to the IP to which we send the request! For instance, a request with my domain to one of the Cloudflare servers has been redirected to 10.10.34.34:

➜  ~ curl 172.66.47.92 -m 3 -v -H "Host: example.com"
*   Trying 172.66.47.92:80...
* Connected to 172.66.47.92 (172.66.47.92) port 80 (#0)
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/8.0.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Location: http://10.10.34.34                 <<---- check this
< Content-Type: text/html
< Content-Length: 156
< 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Moved</title>
</head>
<body>
<h1>Redirected</h1>
</body>
</html>
* Connection #0 to host 172.66.47.92 left intact

But for another server, it works properly:

➜  ~ curl 162.159.2.51 -m 3 -v -H "Host: example.com"
*   Trying 162.159.2.51:80...
* Connected to 162.159.2.51 (162.159.2.51) port 80 (#0)
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/8.0.1
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Date: Mon, 10 Apr 2023 09:25:24 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: same-origin
< Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Expires: Thu, 01 Jan 1970 00:00:01 GMT
< CF-RAY: 7b59f13adbc18fc5-FRA
< Server: cloudflare
< 
<!DOCTYPE html>
...

They may have only focused on Cloudflare! Anyway, it is likely that we'll see this system on Irancell and other operators soon.
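Added example (not part of the original post or thread): a small Python classifier that separates the two kinds of response shown in the curl output above. The rules it uses (a redirect whose `Location` is a literal private address means an injected block page, while `Server: cloudflare` or `CF-RAY` means the request reached Cloudflare) are assumptions drawn only from those two responses, and the label strings are made up for this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Header blocks copied from the two curl responses in the post above.
INJECTED = ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: http://10.10.34.34\r\n"
            "Content-Type: text/html\r\n"
            "Content-Length: 156\r\n\r\n")
GENUINE = ("HTTP/1.1 403 Forbidden\r\n"
           "Date: Mon, 10 Apr 2023 09:25:24 GMT\r\n"
           "Content-Type: text/html; charset=UTF-8\r\n"
           "CF-RAY: 7b59f13adbc18fc5-FRA\r\n"
           "Server: cloudflare\r\n\r\n")

def parse_head(raw):
    """Return (status_code, headers) with lower-cased header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_is_private(headers):
    """True if Location points at a literal private (RFC 1918) address."""
    host = urlsplit(headers.get("location", "")).hostname
    try:
        return host is not None and ipaddress.ip_address(host).is_private
    except ValueError:  # Location names a host, not an IP literal
        return False

def classify(raw):
    status, headers = parse_head(raw)
    # A public CDN edge has no reason to send clients to a 10.x address,
    # so this check runs first and wins over any Cloudflare-looking header.
    if status in (301, 302, 307) and redirect_is_private(headers):
        return "injected-block-redirect"
    if headers.get("server", "").lower() == "cloudflare" or "cf-ray" in headers:
        return "reached-cloudflare"
    return "unknown"

if __name__ == "__main__":
    for label, raw in (("172.66.47.92", INJECTED), ("162.159.2.51", GENUINE)):
        print(label, classify(raw))
```

Header values can be forged by a middlebox, so treat the "reached-cloudflare" label as a hint rather than proof.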

IMIEEET commented 1 year ago

Can you tell me what this domain is? Or, if it's your domain, what caused it to be blocked? I'm asking this because, based on the different 10.10.X.X IPs, there is a different reason for censoring that domain. It is also different depending on the ISP you resolve the IP from.

ftfws commented 1 year ago

First of all, this is not the GFW. At least not the censorship system deployed in China known as the GFW. And you are right. This is a new firewall system that seems to be somewhat separate from the old ones. This new censorship system is currently implemented completely in some ISPs (like MCCI, ParsOnline or Shatel) and partially in others (like TCI or Pishgaman). They seem to be trying to replace the old system with this. You can also see #226 for more info.

m0ckinGuY commented 1 year ago

It seems that it got a major upgrade. And @fftws is right, it's not the GFW: based on reports, ShadowTLS is working in China flawlessly, but recently its servers get blocked in Iran.

oxer-0 commented 10 months ago

Why do you expect a plain HTTP request to work?

The command you must use is curl https://example.com --resolve example.com:443:$CLOUDFLARE_IP -v

aaomidi commented 10 months ago

> Why do you expect a plain HTTP request to work?

This is using SNI based filtering, https ain't going to solve the problem.

oxer-0 commented 10 months ago

> > Why do you expect a plain HTTP request to work?
>
> This is using SNI based filtering, https ain't going to solve the problem.

SNI is an extension of TLS, FFS. We have HTTP "Smart" censorship since Dragon ages :|

Why do you even set message verbosity if you're going to ignore it?

From the author's original post:

* Connected to 172.66.47.92 (172.66.47.92) port 80 (#0)

Since when is port 80 considered secure?

MJamshidnejad commented 10 months ago

> Since when is port 80 considered secure?

Since NEVER. Not even 443. Ports are just numbers. Security is about protocols.