Summary of the current situation
When the block started in May 2012, the DPI boxes were only looking for Tor TLS server hellos sent by relays or bridges to Tor clients. If such a packet was found, it was simply dropped and the TCP connection eventually timed out. Since the middle of July, the DPI boxes have also been looking for TLS client hellos as sent by Tor clients < version 0.2.3.17-beta and dropping them as well when found. The dropping of client and server hellos seems to happen independently of each other. The DPI boxes seem to operate in-band and stateless.
The usage statistics seem to have recovered since the beginning of October 2012, so the block might have been lifted. At the moment it is unclear whether the block is still ongoing.
Type of Tor censorship
Deep packet inspection: #6045
- Fingerprint: Multiple strings in the Tor TLS ServerHello/Certificate/ServerKeyExchange/ServerHelloDone records were matched in the beginning (#6045). If a packet matched, it was simply dropped. After several weeks, at least the cipher list in the TLS client hello (in versions < 0.2.3.17-beta) leads to the client hello being dropped as well.
Types of non-Tor censorship
Ways to bypass censorship
- Bridges were patched to pick the cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA. This used to be sufficient to evade the DPI boxes. Three patched bridges were published in a blog post. However, since the DPI boxes started filtering for the client hello as well, a client with an updated cipher list (>= version 0.2.3.17-beta) is also necessary.
- A bridge which selects TLS_DHE_RSA_WITH_AES_128_CBC_SHA as cipher and splits its cipher list (e.g. using brdgrd) can work for Ethiopian users.
- Obfsproxy probably evades the DPI boxes too.
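To make the fingerprint bullet above and the "split cipher list" bypass concrete, here is an added example (not code from this page, Tor, or brdgrd) that builds minimal TLS 1.0 ClientHello/ServerHello records, parses the cipher-suite list out of them, and compares a per-packet (stateless) matcher with a stream-reassembling one. The fingerprint list is a constructed placeholder, not the real pre-0.2.3.17 Tor cipher list, which this page does not reproduce; the point it shows is why a stateless in-band matcher can be defeated by splitting one TLS record across two TCP segments, and what a detection engineer would have to add to close that gap.

```python
import struct

# IANA cipher suite ids for the suites named on this page (plus a few neighbours).
CIPHER_NAMES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed placeholder standing in for the "old client" cipher order the DPI
# boxes matched on. The real list is not on this page; any fixed order works here.
FINGERPRINT_SUITES = [0x0039, 0x0033, 0x0035, 0x002F]
# Constructed "updated client" list that does not match the fingerprint.
UPDATED_SUITES = [0xC014, 0xC013, 0x0039, 0x0033, 0x0035, 0x002F]


def _handshake_record(hs_type, body):
    """Wrap a handshake body in a handshake header and a TLS 1.0 record header."""
    hs = bytes([hs_type]) + struct.pack("!I", len(body))[1:]   # 3-byte length
    hs += body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(cipher_suites):
    """Minimal ClientHello: version, zero random, empty session id, suites, null compression."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    return _handshake_record(1, body)


def build_server_hello(cipher_suite):
    """Minimal ServerHello: version, zero random, empty session id, chosen suite, null compression."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    return _handshake_record(2, body)


def parse_hello(data):
    """Return ("client", [suites]) or ("server", suite), or None if data is not one
    complete handshake record. A truncated record yields None, which is exactly
    what a per-packet matcher sees when the hello is split across segments."""
    if len(data) < 9 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    if len(body) < hs_len or len(body) < 35:
        return None
    pos = 2 + 32                      # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    if hs_type == 1:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
        return ("client", suites)
    if hs_type == 2:
        return ("server", struct.unpack("!H", body[pos:pos + 2])[0])
    return None


def stateless_match(segment):
    """What an in-band, stateless DPI box does: judge each TCP segment on its own."""
    parsed = parse_hello(segment)
    return parsed is not None and parsed[0] == "client" and parsed[1] == FINGERPRINT_SUITES


def stateful_match(segments):
    """What a reassembling matcher does: rebuild the byte stream, then judge it."""
    return stateless_match(b"".join(segments))


def split_record(record, at):
    """Emulate a bridge-side splitter (the brdgrd idea): two segments, one record."""
    return [record[:at], record[at:]]


def chosen_cipher_name(server_hello):
    parsed = parse_hello(server_hello)
    return CIPHER_NAMES.get(parsed[1], "unknown") if parsed and parsed[0] == "server" else None


if __name__ == "__main__":
    old = build_client_hello(FINGERPRINT_SUITES)
    print("old client, one segment :", stateless_match(old))
    print("updated client          :", stateless_match(build_client_hello(UPDATED_SUITES)))
    parts = split_record(old, 30)
    print("old client, split, per-packet:", [stateless_match(p) for p in parts])
    print("old client, split, reassembled:", stateful_match(parts))
    print("patched bridge picks    :", chosen_cipher_name(build_server_hello(0x0039)))
```

The stateless matcher catches the unsplit old-client hello and ignores the updated list, but both halves of a split record fail to parse on their own, so only a matcher that reassembles the stream still fires; that reassembly (and its state budget) is the cost a defender pays for not being bypassed by segmentation.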
Type of firewall
- Manufacturer: No hard facts, but perhaps something from ZTE Corp. It is hard to narrow down the DPI boxes because traceroutes are dropped somewhere in the network backbone.
Reproducing the blocking
- Binaries, patches etc. can be found in censorship-timeline.git
- Because the firewall is stateless and in-band, it is easy to trigger and analyze the blocking, even from outside the country. The tool hping3 can be used to send data to an arbitrary machine in Ethiopia. If the machine answers with a RST segment, the data passed. If it does not answer, the data was probably dropped by the DPI boxes:
hping3 -p <RANDOM-HIGHPORT> -E <FILE> -d <FILE-LENGTH> -A <ETHIOPIAN-MACHINE>
- A vanilla Tor (v0.2.2.37) TLS server hello can be used to trigger dropping: http://files.7c0.org/tor/Ethiopia-Tor-TLS-Server-Hello.bin
- Live Ethiopian machines for the test can be found by iterating over the address blocks announced by bgp.he.net. Alternatively, blockfinder can be used.