Fortinet


This page documents the presence of Fortinet devices in Syria, which are used to monitor and/or censor traffic on a country-wide scale using Deep Packet Inspection (implemented through their IPS system).

Devices

At least two FortiGate 51-B are running in Syria for country-wide Internet censorship and monitoring. These devices are in theory not designed for such a role but for medium-sized company networks, as the bandwidth they can handle (about 50 Mbps per device) is much smaller than what a country is expected to generate.

These devices can be configured to intercept virtually any packet by matching its headers and/or payload against customizable signatures. This document explains how to use IPS (the DPI system) featured by FortiOS, the operating system running on FortiGates, to use predefined signatures, insert new ones and tell the device what to do when packets match signatures. The devices can also perform traffic shaping.

These devices do not need an IP address on the network they are monitoring, which reduces the chances of detection.

Technical evidence elements

First mention

VPN blocking was mentioned on July 23rd, 2011:

13:58:24< zeitgeist> TOR IPs are blocked, can be used with bridges, not easy though. OpenVPN is blocked, not all protocols are blocked.
13:58:45<@KheOps> Is it a per-protocol blocking ?
13:58:54<@KheOps> I mean, not based on ports but on traffic inspection ?
13:59:11< zeitgeist> dont know. thats all the info i got this morning. time difference means my info is delayed

Fortinet devices were mentioned for the first time on Telecomix IRC by a Syrian insider, on July 27th, 2011:

01:15:29<@KheOps> Any VPN available for people ofSyria please ?
01:16:02< rain> the Gov is useing devices from fortinet..... they do a limitation on the band width.... so vpn will not work... don't bather yourself
01:16:37<@KheOps> rain: How do they limit bandwidth ? Based on the IP you are connecting to ?
01:17:14< rain> no..... they do it globaly.... for all ppl

And on September 25th:

13:09:45< hazrid> openVPN hasn't been working since may, we've talked about that a dozen times
13:09:49< hazrid> this isn't new information
13:10:58< hazrid> they're using fortinet equipment to block it

Symptoms from inside

Symptoms observed from inside the country indicate quite clearly the presence of DPI-capable devices, but no data has allowed more precise conclusions to be drawn.

Some TCP and UDP ports and IP protocols are blocked, which can be done without DPI. However, people in Damascus, Aleppo, Homs and Hassake have noticed that OpenVPN was unable to connect to hosts outside the country, over either TCP or UDP and regardless of the port used, unless it was used with a pre-shared static key. OpenVPN through Obfsproxy, however, connects very well. The OpenVPN protocol can easily be recognized by the first three bytes it sends upon connection, which are (in hexadecimal):

00 0E 38

Entering such a signature is easy on FortiOS, as is configuring the device to close a connection when such a packet is detected. In short, FortiGate 51-B devices can easily be used to block OpenVPN.
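To show why the three bytes above form a stable fingerprint of an OpenVPN TLS handshake, and why the pre-shared static-key mode mentioned above does not begin with them, here is an added example (not from the original page or from Fortinet): it builds constructed OpenVPN first packets and decodes their framing. The opcode table is OpenVPN's documented one; the packet builders, the classify function and the sample session id are assumptions of this example.

```python
import struct

# OpenVPN opcodes occupy the upper 5 bits of the first opcode byte; the
# lower 3 bits carry the key_id. 0x38 is therefore opcode 7 with key_id 0.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
}

PAGE_SIGNATURE = bytes.fromhex("000E38")  # the three bytes quoted on the page


def build_tls_client_hard_reset(session_id: bytes, packet_id: int = 0) -> bytes:
    """Constructed first packet of a TLS-mode OpenVPN client over TCP, without
    tls-auth: opcode byte, 8-byte session id, an empty ack array (length 0)
    and a 4-byte packet id. That is 14 bytes, so the TCP length prefix is
    00 0E and the opcode byte is 0x38."""
    assert len(session_id) == 8
    body = bytes([(7 << 3) | 0]) + session_id + b"\x00" + struct.pack(">I", packet_id)
    return struct.pack(">H", len(body)) + body


def build_static_key_data_packet(ciphertext: bytes) -> bytes:
    """Constructed first packet of OpenVPN in pre-shared static-key mode over
    TCP: there is no handshake, the stream opens directly with P_DATA_V1
    (opcode 6, key_id 0 -> 0x30), so it never starts with 00 0E 38."""
    body = bytes([(6 << 3) | 0]) + ciphertext
    return struct.pack(">H", len(body)) + body


def classify(payload: bytes, tcp: bool = True) -> dict:
    """Decode the leading OpenVPN framing of a TCP stream (2-byte length
    prefix) or a UDP datagram (no prefix) and report whether the bytes
    match the fixed signature quoted on the page."""
    if len(payload) < (3 if tcp else 1):
        raise ValueError("payload too short for an OpenVPN frame")
    if tcp:
        length = struct.unpack(">H", payload[:2])[0]
        opcode_byte = payload[2]
    else:
        length = len(payload)
        opcode_byte = payload[0]
    return {
        "length": length,
        "opcode": OPCODES.get(opcode_byte >> 3, "unknown"),
        "key_id": opcode_byte & 0x07,
        "matches_page_signature": tcp and payload[:3] == PAGE_SIGNATURE,
    }
```

Running `classify` on a UDP datagram shows the same 0x38 opcode but no 00 0E length prefix, which is why the page's three-byte form corresponds to the TCP framing.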

From the outside

On October 13th, 2011, a scan of the Syrian Telecommunications Establishment's PDN first DNS server (82.137.192.141) seemed to lead nmap to recognize the packet signature of a FortiGate device. It is unclear whether a conclusion can be drawn from this observation: nmap could be mistaken, or a Fortinet device could actually be in front of that DNS server.

On July 7th, 2012, a scan of 82.137.204.54 revealed a Fortinet Web administration console, but this IP address is assigned to a Syrian company (Karkour) which probably has no relation with the country's Internet backbone.

No other scan revealed more significant signs. The absence of IP addresses on the devices may explain this.

Additional reports

In a recent presentation, Syrian activist and creator of Virtus Linux Dshlad Othman has confirmed the OpenVPN blockade.

Several people reported to us that two FortiGate 51-Bs were connected to the international gateways and that their purpose was actually traffic shaping and traffic blocking. It was also reported that access to their administration interface was kept off any network, and that no more than 3 people were able to maintain them, for example by adding new signatures.

Shipping and installation of the Fortinets

Shipping into Syria

The date of arrival of the devices in Syria is uncertain; it is very probably between 2009 and 2011. Engineer Waseem Jawad took care of ordering the BlueCoat devices from an authorized United Arab Emirates company. It is not known whether he has any relation with the Fortinets.

It was reported that the Fortinets were shipped from the United Arab Emirates, and the shipping has probably been covered by the following UAE-based company:

Network Information Technology (NIT) LLC
P.O. Box 23043
Dubai
United Arab Emirates
Tel: +971 4 2822522
Fax: +971 4 2827080

owned by a Syrian citizen named Bassel Fakir. NIT has a public website listing Fortinet as a partner.

Bassel Fakir is also the founder and owner of the INET Internet Service Provider in Syria and owner of SCAN Syria, which is an affiliate of the Malaysian security company Scan Associates. SCAN is mentioned as a partner of INET (mirrored page), and INET announces that it is the only ISP in Syria to be certified by SCAN after passing penetration tests. Reports confirmed that the Fortinets were imported by "the owner of INET at that time", which points to Bassel Fakir.

A whois request on an INET IP range (109.238.144.0/21) gives the following output:

person:         Bassel Fakir
address:        INET Internet Service Provider (INET)
address:        Mohajreen - Damascus
address:        Syrian Arab Republic
mnt-by:         INETMNT-1
phone:          +963 11 99 14
fax-no:         +963 11 37 431 91

Bassel Fakir thus participated in shipping the devices into Syria, or in organizing their shipping. His name also appears in the INET IP range registrations for 212.11.208.0/21 and 109.238.144.0/21 as "Charif, Fakir & Co". His name appears as Billing Contact in the whois reply for scan.sy (in Arabic). He is listed as a dealer in the UAE (see letter N) for Scan Associates (Malaysia).

Bassel Fakir's SCAN company has both domains scan.sy and scansyria.com, the latter's whois data being anonymized by a Malaysian registrar:

Registrant Contact:
 Whoisprotection.cc 
 Domain Admin  (reg_452246@whoisprotection.cc)
 Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
 Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
 P: +603.89966788 F: +0.0

The ScanSyria Twitter account (screenshot) seems to report how they help the authorities, even though this may be a leak attempt. The name of one engineer is mentioned in recent tweets, and his full name, Iyad Al Houshi, appears on a network security conference website dating back to 2009. The domain scan.sy is managed by INET's servers. "Iyad" appears again in some DNS entries of scan.sy:

scan.sy.		86400	IN	MX	10 mail.scan.sy.
scan.sy.		86400	IN	TXT	"v=spf1 +a +mx -all"
scan.sy.		86400	IN	SOA	ns6.inet.sy. iyad\.random.gmail.com. 1341447218 10800 3600 604800 10800
scan.sy.		86400	IN	NS	ns6.inet.sy.
scan.sy.		86400	IN	NS	ns5.inet.sy.
scan.sy.		86400	IN	A	91.144.8.193
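The mailbox iyad.random@gmail.com is read out of the SOA record above because an SOA RNAME encodes a mailbox with the first unescaped dot standing for "@" and "\." for a literal dot (RFC 1035, section 3.3.13). As an added example that is not part of the original page, here is a small parser applying that rule to the zone lines copied from the listing above; the parser itself is an assumption of this example, not a tool the page describes.

```python
# Zone lines copied from the page's dig-style output (tabs as on the page).
SAMPLE_ZONE = (
    "scan.sy.\t\t86400\tIN\tMX\t10 mail.scan.sy.\n"
    "scan.sy.\t\t86400\tIN\tTXT\t\"v=spf1 +a +mx -all\"\n"
    "scan.sy.\t\t86400\tIN\tSOA\tns6.inet.sy. iyad\\.random.gmail.com. "
    "1341447218 10800 3600 604800 10800\n"
    "scan.sy.\t\t86400\tIN\tNS\tns6.inet.sy.\n"
)


def rname_to_mailbox(rname: str) -> str:
    """Convert an SOA RNAME into a mailbox. The first unescaped dot separates
    the local part from the domain; a backslash-escaped dot is a literal dot
    belonging to the local part."""
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
        elif ch == ".":
            break
        else:
            local.append(ch)
            i += 1
    if i >= len(rname):
        raise ValueError("RNAME has no domain part: %r" % rname)
    return "".join(local) + "@" + rname[i + 1:].rstrip(".")


def parse_soa(zone_text: str) -> list:
    """Pick SOA records out of dig-style zone text and decode their fields."""
    records = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 11 or f[3] != "SOA":
            continue  # not an SOA line (MX, TXT, NS, ...)
        serial, refresh, retry, expire, minimum = (int(x) for x in f[6:11])
        records.append({
            "owner": f[0].rstrip("."),
            "primary_ns": f[4].rstrip("."),
            "contact": rname_to_mailbox(f[5]),
            "serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum,
        })
    return records


if __name__ == "__main__":
    for rec in parse_soa(SAMPLE_ZONE):
        print(rec)
```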

The Fortinets were initially tested and configured inside the INET offices in Damascus, whose NOC is currently (July 7th, 2012) located in the Muhajreen area (see map). It was reported that they were configured by two engineers, one from INET and one from SCAN Syria.

Current location

Sources reported that they were then handed over to Security Branch 225 and installed in the Muhajreen telephone exchange center (see exact location). This place also houses the offices of the old 190.sy dial-up ISP as well as most (if not all) international interconnection points. Security Branch 225 is part of the Syrian intelligence services, is responsible for communications security in general, and has offices in the operations centers of several ISPs. Branch 225 thus oversees and monitors the activities of the Ministry of Telecommunications and Technology (MTCT). The national operator Syrian Telecommunications Establishment (STE) is a body of the MTCT, and every ISP apart from the Syrian Computer Society (SCS) is technically dependent on STE.

The devices are currently still in a Muhajreen building (reportedly, the same one). More precisely, the devices may be on the second floor, northern part of the building.

The BlueCoat devices have been reported to be in the exact same building as the Fortinets.

Some SCAN and INET engineers are working to improve the global surveillance performed in this building, and the INET Network Operations Center is less than 2 km away. Bassel Fakir owns the domain name fakir.me, whose registered address lies exactly between INET and the Branch 225 building (whois):

Registrant Name:Bassel Fakir
Registrant Organization:Inet
Registrant Address:Muhajereen, Shata, 3rd Block
Registrant City:Damascus
Registrant State/Province:Damascus

A report additionally indicates that Bassel Fakir obtained a direct fiber optic link between the Muhajreen Branch 225 building and the INET NOC. It would thus also be technically possible, and entirely consistent, for the BlueCoat and Fortinet devices to be in the INET NOC. This possibility should not be ruled out yet.

People involved in massive surveillance

INET/SCAN technical staff

Several people skilled in IT work at SCAN Syria and INET. One must keep in mind that INET and SCAN share several executives, making the boundary between the two entities fuzzy for an external observer.

Most of the people involved studied at the Higher Institute of Applied Science and Technology (HIAST), which is not easy to enter or to stay in (high skills are needed, and loyalty to the regime is often required to avoid being expelled). No more than 50 people graduate from HIAST every year, making it a very small and well-connected world. HIAST graduates are considered the best in the whole country in terms of technology skills.

Iyad Al Houshi

Iyad Al Houshi (Facebook page):

  • graduated from HIAST in December 2004;
  • was afterwards an assistant lecturer at the Higher Institute of Business Administration (HIBA) for approximately one semester;
  • started in early 2005 to work for the Platinum company, which was contracted to manage and administer the 190.sy ISP, and built up relations in STE and the security branches during that period -- Platinum is probably still involved in the maintenance of the 190 and Tarassul ISPs;
  • was granted the right by HIBA to go to the United Kingdom for a Master's in Network Security, probably at the University of Plymouth (Syrian students are extremely rarely granted this right given how expensive studies are in the UK, meaning he had the help of high-ranking people);
  • obtained his Master's probably in 2007; his Master's thesis can be seen on the University of Plymouth's website;
  • was in Syria in summer 2009, founded SCAN Syria with Bassel Fakir, and attended the 5th ICT Security Forum as Project Manager of SCAN, together with Bassel Fakir, CEO of the INET ISP;
  • has probably been with Bassel Fakir since then, working at SCAN and INET and teaching at HIBA, although he spent some time in Dubai (UAE) and maybe in the UK.

The domain name scansyria.com was registered on June 7th, 2009. Iyad's email address (iyad.random@gmail.com) appears in the SOA record of this domain. His PGP key associated with this address is signed by Bassel Fakir, and vice versa. He has an additional email address hosted by Bassel Fakir's UAE company (iyad@nit.ae, with another PGP key). Bassel Fakir's and Iyad Al Houshi's PGP keys were created at the same time, on December 13th and 14th, 2010: they probably needed to exchange confidential information with each other. While in the UK in 2007, he was already in contact with people from Scan Associates (Malaysia) through a collaboration with Platinum.

He also has an INET address (iyad.houshi@inet.sy). Using that address, on January 16th, 2012 at 2:50 PM, he sent an email to several people at the Turkish SSL Certification Authority TürkTrust, the issuer of the SSL certificate for webmail.inet.sy (information obtained from unprotected logfiles of INET's webmail).

He had an email address at Platinum (iyadh@platinum.sy), but most probably left Platinum to found SCAN.

His Facebook profile leaves no doubt that he supports the regime. It was reported that he never tried to hide his support for the regime, even when he was a student. Information from Twitter (here and here) shows that his work for SCAN notably consists of helping the regime spy on and identify opponents, mentioning in particular that he helped the government detain the blogger Anas Maarawi.

He is reported to have high-ranking relatives and contacts with army generals. Thanks to his relations, he probably participates in configuring the networking equipment managed by STE (and/or INET and/or SCAN) in accordance with the needs of Branch 225. His skills, study background, orientation and relations make him a key technical person in the global monitoring ongoing in Syria.

Loay Medani

Another person working at SCAN, who studied at SVU and obtained a Bachelor of Information Technology. He is reported to be a network administrator. He possibly worked at Platinum and moved afterwards to SCAN in order to work (or continue working) with Iyad Al Houshi, maybe to keep benefiting from the relations established during the 190 project.

He has an email address hosted by INET that appears in the logfiles from webmail.inet.sy (loay.medani@inet.sy).

It is unknown to what extent he helps the massive surveillance (if he does at all).

Fadi Almoussa

An acquaintance of Iyad (see his Facebook page, they are "friends"), he also studied at HIAST and graduated in 2002 in the field of "Electric Systems". It is not known whether he participates in the Fortinet maintenance, nor what his exact orientation towards the regime is.

He started working with Iyad Al Houshi at SCAN approximately in March 2011 (the beginning of the uprising), after his previous company had to move to Jordan as the situation in Syria deteriorated. He was offered a move to Jordan but preferred to stay in Syria.

He is not known to have networking skills; his background is rather in data mining and Web programming. No trace of him has been found in relation to INET.

Non-technical responsibilities

Bassel Fakir

He is a businessman of Syrian citizenship. He is founder and owner of SCAN (Syria), INET (Syria) and Network Information Technology (United Arab Emirates). He is reported to be a rich person, having many relations with the military and security branches. His situation technically allows him to bring the Fortinets into Syria. He has an email address at INET (bassel.fakir@inet.sy).

  • INET was founded in 2006 (domain inet.sy registered on November, 6th, 2006);
  • SCAN was founded in 2009 together with Iyad Al Houshi (domain scansyria.com registered on June, 7th, 2009 and scan.sy registered on June, 20th, 2012);
  • NIT was founded in 1994.

It has been reported that the goal of SCAN at its creation was to ease cooperation with the regime, as the government can only sign contracts with companies (as opposed to individuals). One of the main purposes of SCAN seems to be the importation of networking devices (such as the Fortinets) which are normally embargoed: Iyad Al Houshi and Bassel Fakir seem to be involved together in this activity. The importation activity may be part of contracts signed with the government, the next part of which may be the installation, configuration and maintenance of the devices. Only a few people (fewer than 10) are known to be working at SCAN.

SCAN Syria is a subsidiary of Scan Associates, a Malaysian company. According to some sources, being an affiliate of a foreign company adds value and allows more expensive contracts with the government. Moreover, Malaysia has apparently been rather supportive of Assad.

INET is probably much bigger, with several dozen employees (check the list of people logging onto INET's webmail from a LAN IP). Involvement in and awareness of the massive surveillance may vary a lot among employees, depending on their degree of proximity to the security branches. The executives are much more likely to be aware of the details of the massive monitoring than the others. INET's NOC location was reportedly chosen very carefully to be as close as possible, and as easy as possible to connect, to the Muhajreen telephone exchange center.

The domain name fakir.me is registered with an address that lies exactly midway between the INET NOC and the Muhajreen telephone exchange center, most probably on the path of the fiber optic link. Obtaining fiber optics in this area requires good relations, as the area is highly controlled and close to the Presidential house.

His relations allow him to transfer the will of the Branch 225 onto technically capable people at both SCAN and INET.

Maher Alaboud

Maher Alaboud is a regime supporter who currently works both at the Syrian Atomic Energy Commission (AEC) and at SCAN. His work at the AEC stems from the commitment to the Syrian government implied by his studies at HIAST.

His technical background in computer science is low, and he has a much more important role in establishing contracts with the government and taking care of administrative matters as well as preparing financial and technical offers. He is helped by his brother Muhannad Alaboud on legal issues.

Connection to national and international networks

The way connectivity is organized is still unclear, as it has to be done in such a way that the devices can intercept all the traffic. The Syrian Telecommunications Establishment Autonomous System view may give a first insight into the international connections.

It has been reported that the devices are connected in "special mode without an IP address".

The blocking of the OpenVPN protocol seems to have begun in May 2011, and the Internet has been reported to be slowed down since mid-2011.

The devices are very probably not capable of handling the whole country's output traffic at full-speed. The monitoring and blocking of the traffic is thus very probably shared between several device types. Several facts are known:

  • all port-80 traffic is redirected to the BlueCoats, which accept the connection, wait for a valid HTTP request, log the request and act as a proxy if the request is not to be blocked -- non-HTTP requests are not forwarded;
  • many TCP and UDP ports are blocked, which does not require DPI-capable devices but can help in decreasing the country's global traffic;
  • there is a global slowdown of the connection speeds reported by all the users, and even reported by STE in early summer 2011.

It is not certain whether these facts are enough to allow the Fortinets to cope with the whole remaining traffic. Published figures report that peer-to-peer traffic represents the major part of bandwidth usage in the world, followed by Web traffic. It is possible that the Fortinets are relieved of the port-80 traffic by the BlueCoats. The global slowdown can be achieved through traffic shaping to let the Fortinets cope with the remaining traffic.

Remaining questions/unclear points

  • When did the devices arrive in Syria?
  • When were they installed on the interconnection?
  • What path did they take between Fortinet themselves and NIT?
  • Who exactly is in charge of maintaining the Fortinets (are we missing INET engineers)?
  • Who is behind the ScanSyria Twitter account, and what is its purpose?