The clinic and the edge router up to north had to be reset based
Well, that's some work
The Iran government is preparing itself for a complete cutoff in an emergency.
I've been told that they want to cut the chain of connection in the domestic internet so they don't let people share their tools to connect to the international internet.
They plan to:
- Block the free file-share services on mobile ISPs.
- Block sharing links and content in all domestic messengers vastly.
- Threaten people blindly by sending SMS messages.
- Gather info about remaining connected VPNs from VPN channels and groups, manually or using crawlers like sparta, to block them.
These are happening right now.
In this situation I suggest three things:
- Learn how to share your files from your computer for the whole internet (it is possible).
- Send the links in base64 or be creative. There are other ways of sending links and configs to people.
- For channels it's better to send their configs in base64 or other creative ways.
We are going to help publicly or anonymously too.
CIDRs can be calculated wrongly.
We shouldn't write such important things in Notepad though.
Someone will accidentally come and replace range 103 with 102.
Or just add an IP like 217.60... at the end of the 217.219 range.
Or maybe worse:
open a whole 195 range.
We should be careful!
Sample IPs for DNS are as below:
(There are other ranges that are open now, scan and find out)
We pulled gigabytes of data straight from Iran's regime censorship network.
Inside:
- Millions of IPs whitelisted during shutdowns (external ones locals use + the ones they allow)
- Their plans to hunt down Starlink terminals inside the country
- Ways they try to trace who's still online during blackouts
- and plenty more
We'll drop some parts that can actually help people get to the free internet.
all-range-dns-UDP.txt
380.7 KB
All DNS IPs whitelisted in Iran (some whitelisted by us! and others they use)
Until the data centers become inaccessible, why don't we just do the below?
We have tested the implementation and saw its benefits.
https://telegra.ph/The-Idea-of-dns-multiplexing-03-08
Telegraph
The Idea of dns multiplexing in other side
During my observation of DNS network traffic passing through a firewall, I noticed an interesting pattern: the firewall initially allows the first packet in DNS tunneling to pass, but eventually, the Deep Packet Inspection (DPI) system detects the unusual…
We are watching the traffic coming from Iran, and it's starting to look unusual.
Some techniques that previously worked are now widely used, and they have become visible at the firewall level.
Let me give you some advice.
When you play chess against an opponent who is more experienced, has studied your games, and already controls the center of the board, you don't rush your queen into the middle. The center is where the board is most contested. If your opponent already controls those squares, placing your most valuable piece there only makes it an easy target.
Instead, strong players develop quietly, protect their pieces, and look for indirect ways to challenge control of the board.
The Thirty-Eight Barrier is close to run!
New leak from Iran's regime censorship docs:
They've got ways to spot Starlink users and people on VPNs.
Some popular Iranian apps come bundled with hidden networking scripts that run in the background.
These scripts keep sending DNS queries and TCP requests outside your network, even when VPN is active (and in some apps, it doesn't even care if VPN is on).
They do it in 3 main ways:
- to public/blocked servers (just to check if they connect)
- to regime-controlled endpoints (to figure out how you're connecting)
- to special DNS resolvers (to detect your leaks/IP)
Then they collect all this data and either send you threatening messages or pinpoint if you're on Starlink.
Be careful what apps you run. Stay sharp.
We may publish a complete report later, but for now just learn to use app proxying or split tunneling.
We performed a controlled lab test on several messaging apps. Observations are based solely on network traffic; no payload decryption or app reverse engineering was done.
1. DNS behavior
Some apps (e.g., Bale) requested DNS from multiple sources outside the device's configured servers.
At least three DNS servers were contacted, all located outside the country.
2. Tunnel-flag behavior
When the tunnel flag was toggled on and off (no real network change), some apps behaved unusually.
Eita repeatedly closed otherwise successful server connections when the tunnel was on.
This behavior did not occur when the tunnel was off.
3. DNS resolution inconsistencies
Eita sometimes resolved a domain to an IP (e.g., a.b.c.d) but connected to a different IP (e.g., a.b.c.e), ignoring the resolved IP for extended periods.
4. Reconnection and traffic patterns
Eita repeatedly re-established connections after closing them.
We saw foreground network activity in the app that we first thought was for notifications.
A test with a chat message showed the app did not load the message or notifications.
But meanwhile, upload traffic volume was much higher than download, which is not typical for notification requests.
5. Comparison with other apps
Rubika: similar to Eita, opening multiple connections to different servers, sending data, and closing connections frequently.
Bale: maintained a single, persistent TCP connection to its server, behaving normally.
These apps exhibit unusual and potentially suspicious network behavior.
Some easy-to-understand info is in the zip below:
The firewall required a routing update, and several CDN service IPs were added to enable access for certain government-affiliated individuals and organizations.
We have successfully injected most of the IP ranges from the company's cloud-based NS (AWS, Akamai, etc.) into the routing table. The changes are currently propagating and are expected to be fully applied by 06:00 AM Iran local time. Connectivity should now be smoother, allowing most users to connect more easily.
For now, focus on the following ranges (eventually, the full subnets will be applied):
2.144.x.x/24
3.160.x.x/20
18.154.x.x/24
23.49.x.x/20
You can also scan the range under 50.x.x.x, which has now been fully applied.
Void Verge
The firewall required a routing update, and several CDN service IPs were added to enable access for certain government-affiliated individuals and organizations. We have successfully injected most of the IP ranges from the company's cloud-based NS (AWS, Akamai…
The change is now completely applied and many ranges are open.
Scan and find them out.