Note that Rostelecom appears in both lists, under different ASes (12389 is common to both lists). AS 16345 also appears in both lists, but it had only a single normal measurement.
@championquizzer I created a new article on RT to support Russian users. It seems vanilla Tor connections, built-in obfs4, Snowflake, and meek-azure aren't working. So, we should give them some HTTPS bridges (https://bridges.torproject.org). Follow @dcflink and you will find the ongoing analysis.
@emmapeel could you translate the RT article to Russian?
According to ValdikSS's tests, yes, it looks like in most cases it is IP address blocking: no response to the client's TCP SYN. This applies even to the IP addresses of ajax.aspnetcdn.com, 152.199.19.160 and 40.118.185.161.
However, in one case, ajax.aspnetcdn.com looks like it's blocked by SNI in the ClientHello, because SNI-less TLS to the IP address works. The measurement site that showed that behavior is located in Yuzhno-Sakhalinsk, in the far east of Russia, far from Moscow, so it may be an unrelated phenomenon.
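The two behaviours described in this comment (no answer to the TCP SYN versus a failure only when the ClientHello names the host) can be told apart with three probes. This is an added example, not code from the thread; the function names and the four result labels are assumptions made for illustration.

```python
import socket
import ssl

def tcp_connects(ip, port=443, timeout=5.0):
    """True if the TCP handshake completes, False on timeout or any socket error."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_handshakes(ip, sni, port=443, timeout=5.0):
    """True if a TLS handshake completes; sni=None sends no server_name extension."""
    ctx = ssl.create_default_context()
    # Diagnostic probe only: certificate checks are off so an SNI-less
    # handshake is judged on reachability, not on the certificate returned.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni):
                return True
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        return False

def classify(tcp_ok, tls_with_sni_ok, tls_without_sni_ok):
    """Map the three probe outcomes to the blocking type they are consistent with."""
    if not tcp_ok:
        return "ip-block"      # TCP never completes: address-level blocking
    if tls_with_sni_ok:
        return "reachable"
    if tls_without_sni_ok:
        return "sni-block"     # only the handshake that names the host fails
    return "tls-failure"       # fails either way: cannot be attributed to SNI

def diagnose(ip, hostname):
    """Run the probes against one address and classify the result."""
    tcp_ok = tcp_connects(ip)
    return classify(tcp_ok,
                    tcp_ok and tls_handshakes(ip, hostname),
                    tcp_ok and tls_handshakes(ip, None))

if __name__ == "__main__":
    # Hostname and address are the ones quoted in the comment above.
    print(diagnose("152.199.19.160", "ajax.aspnetcdn.com"))
```

A single vantage point only describes that network; the Yuzhno-Sakhalinsk result shows the classification can differ between sites.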
Today, TPA has received a notice of abuse because the message below was flagged as spam/undesirable and contains a URL of ours.
Reproducing here in case it provides any additional info.
Notification is hereby given of the entry into the "Unified register of domain names, website page pointers on the Internet, and network addresses that make it possible to identify websites on the Internet containing information whose distribution is prohibited in the Russian Federation" of the following website page pointer(s) on the Internet: https://www.torproject.org .
If the hosting provider and (or) the website owner fail to take measures to remove the prohibited information and (or) restrict access to the website on the Internet, a decision will be made to enter into the unified register the network address that makes it possible to identify the website on the Internet containing information whose distribution is prohibited in the Russian Federation, and access to it will be restricted.
Information on the inclusion of domain names, website page pointers on the Internet and network addresses is available around the clock on the Internet at http://eais.rkn.gov.ru .
Respectfully,
FEDERAL SERVICE FOR SUPERVISION OF COMMUNICATIONS, INFORMATION TECHNOLOGY AND MASS MEDIA.
The official mobile application of ROSKOMNADZOR has been launched.
The mobile application makes it possible to:
Submit a complaint to the "Unified register of prohibited information" about prohibited content found on the Internet;
Check restrictions on access to Internet resources;
It is notice of making an entry into the "Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation" the Internet web-site page (s) link (s): https://www.torproject.org .
In case the hosting provider and (or) the Internet web-site owner fail to take these measures, the network address enabling to identify Internet web-sites containing the information prohibited for distribution in the Russian Federation will be decided to be entered into the Register and access will be limited.
The information about entering the domain names, Internet web-site page links and network addresses into the Register shall be available on a 24-hour basis at the following Internet address: http://eais.rkn.gov.ru/en/ .
Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (ROSKOMNADZOR).
The official mobile application of ROSKOMNADZOR has been launched.
Through the mobile application, it is possible to:
Submit a complaint to the "Unified Register of Prohibited Information" about the prohibited content revealed on the Internet;
Check the restriction of access to Internet resources;
@lavamind - you received the message forwarded in an abuse notice? In other words, some third party received an email from Roskomnadzor regarding torproject.org, did not understand what it was about, and reported it as abuse?
What's confusing me is why some random third party is getting notices for torproject.org, rather than the notices going to the whois contact or whatever. Is this the "notification on inclusion of an Internet resource ... if you are its owner or hosting provider" feature of the RKN app that's mentioned? Did someone sign up for notices for torproject.org?
The mentioned «Единый Реестр» "Unified Register" is queryable at https://eais.rkn.gov.ru/en/. A query for "www.torproject.org" returns a response that I don't know how to interpret: one part says "blacklisted" but another says "not restricted".
The requested address is blacklisted

| Blacklisting authorization number and date | Blacklisting decision maker | Access restriction |
| --- | --- | --- |
| 2-1-1373/2017 от [of] 18.12.2017 | Саратовский районный суд - Саратовская область [Saratov District Court - Saratov oblast] | доступ не ограничивается [access is not restricted] |

https://github.com/zapret-info/z-i is an independent archive of the Unified Register, I believe. I checked it at commit c7cf9b08c7dd49d40ba439a134c11793ecd20e28 (2021-12-06 18:16:45) and did not find "torproject.org", nor the IP addresses "38.229.82.25", "116.202.120.165", "95.216.163.36", "116.202.120.166" listed anywhere.
We are automatically forwarding this complaint on to you, for your information. You do not need to respond, but we do expect you to check the complaint and to resolve any potential issues.
Please note again that this is a notification email only, you do not need to respond.
Metrics are reporting a massive spike in Moat requests (100k). I believe that bridges distributed by Moat aren't working (maybe it was enumerated), and users are trying again and again to get a new bridge line.
But it seems that we're limiting how many bridges you can get via Moat per IP/day. See ValdikSS's comment: "obfs4 bridges requested from Tor Browser: no successful connection with 176.170.168.5, 213.135.244.242, 82.65.171.173. This is the only bridge set which Torproject returned, I’ve tried to request multiple times and also disconnected and connected again to the cellular network to change my IP."
ajax.aspnetcdn.com is filtered on even fewer networks than Tor is (still only in Moscow and Saint Petersburg, apparently). For some people for whom Tor is censored, meek-azure may still work.
It's also possible that while torproject.org is universally blocked in Russia, the Tor network is only blocked for a few users.
On the "censored" network, did you try connecting to Tor directly? If it failed, the network is "censored". It could be possible you tested moat on an "uncensored" network, or a network where Tor was "unblocked" (unlikely), since I put my Moat bridge IP address into https://blocklist.rkn.gov.ru/ and it didn't show anything.
I connected a Tor browser via a Russian proxy server on Rostelecom (Russian ISP) and could still get on.
I did some investigations on the meek-azure blocking today. We first thought that they blocked ajax.aspnetcdn.com by SNI (which would have been bad enough for collateral damage), but it turns out they blocked the whole IP address 152.199.19.160, which is what domains like ajax.aspnetcdn.com, clientlogin.cdn.skype.com, and many many others resolve to in that region of the world.
I set a line in /etc/hosts to resolve ajax.aspnetcdn.com to a different azure IP address (not really practical as a suggestion for users, but good for doing the test), and meek-azure connected successfully from behind the censorship.
Then @anadahz suggested I try www.santorini-view.com as a front, since it resolves to a different address, and it works as a front out-of-the-box with meek-azure.
Conclusion 1, Russia was happy to sign up for significant collateral damage here. Wonder if they thought that through. Maybe they did (see previous run-ins with Russia and domain fronting).
Conclusion 2, I now believe it makes sense to load up the meek-azure line with a variety of front domains to round-robin among -- and ideally we should pick ones that don't resolve to the same IP address.
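Conclusion 2 can be checked mechanically: resolve each candidate front and keep only fronts whose addresses do not overlap, so that one blocked IP address cannot remove every front at once. This is an added example, not code from the post or from Tor; the function names are hypothetical, and the sample snapshot is constructed (the address for www.santorini-view.com is a documentation-range placeholder, not its real address).

```python
import itertools
import socket

def resolve(host):
    """Return the set of IPv4 addresses a front domain resolves to from this network."""
    infos = socket.getaddrinfo(host, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def pick_disjoint_fronts(front_ips):
    """Greedily keep fronts that share no address with a front already kept.

    front_ips maps front domain -> set of IP addresses, in preference order.
    """
    chosen, used = [], set()
    for front, ips in front_ips.items():
        if ips and used.isdisjoint(ips):
            chosen.append(front)
            used |= ips
    return chosen

def survivors(front_ips, fronts, blocked_ips):
    """Fronts that still have at least one address outside the blocked set."""
    blocked = set(blocked_ips)
    return [f for f in fronts if front_ips[f] - blocked]

def rotation(fronts):
    """Endless round-robin iterator over the chosen fronts."""
    return itertools.cycle(fronts)

# Constructed snapshot modelled on the post: two fronts share the blocked
# address, the third resolves elsewhere (placeholder address).
SAMPLE = {
    "ajax.aspnetcdn.com": {"152.199.19.160"},
    "clientlogin.cdn.skype.com": {"152.199.19.160"},
    "www.santorini-view.com": {"203.0.113.20"},
}

if __name__ == "__main__":
    live = {front: resolve(front) for front in SAMPLE}  # needs network access
    print(pick_disjoint_fronts(live))
```

Resolution results depend on the vantage point, so the selection is only meaningful when run from the region where the fronts will be used.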
> but it turns out they blocked the whole IP address 152.199.19.160, which is what domains like ajax.aspnetcdn.com, clientlogin.cdn.skype.com, and many many others resolve to in that region of the world.
Looks like clientlogin.cdn.skype.com now resolves to a different (reachable, working) IP address. But ajax.aspnetcdn.com remains on the same (blocked, not working) IP address.
Update from Dec 13: ajax.aspnetcdn.com still resolves to 152.199.19.160 from a censored location, but now that IP address is reachable from that censored location.
I just did a test launch of Tor using Tor Browser's default meek_lite bridge, and it bootstrapped (albeit super super slowly).
Snowflake is blocked with DPI by recognizing the supported_groups extension in ServerHello that is sent by the pion WebRTC library. This extension is not present in the browser's WebRTC implementation's packet. We have prepared a workaround for this with help from ValdikSS.
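A regression check for the distinguisher named above: parse a captured DTLS 1.2 ServerHello (WebRTC runs over DTLS) and list its extension types, so a build can be tested for whether it still sends supported_groups. This is an added example, not Snowflake's or pion's code; it assumes one unfragmented ServerHello per record, and both sample messages are constructed here rather than captured.

```python
import struct

SUPPORTED_GROUPS = 10  # IANA TLS ExtensionType number for supported_groups

def server_hello_extensions(record):
    """Return the extension type numbers of one unfragmented DTLS 1.2 ServerHello."""
    if len(record) < 13:
        raise ValueError("shorter than a DTLS record header")
    ctype, _ver, _epoch, _seq, rlen = struct.unpack("!BHH6sH", record[:13])
    hs = record[13:13 + rlen]
    if ctype != 22 or len(hs) < 12 + 35 or hs[0] != 2:
        raise ValueError("not a handshake record carrying a ServerHello")
    body = hs[12:]                 # skip the 12-byte DTLS handshake header
    pos = 2 + 32                   # server_version + random
    pos += 1 + body[pos]           # session_id length byte + session_id
    pos += 2 + 1                   # cipher_suite + compression_method
    if pos + 2 > len(body):
        return []                  # ServerHello without an extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    types = []
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        types.append(etype)
        pos += 4 + elen
    return types

def has_supported_groups(record):
    """True if the ServerHello carries the extension the DPI rule keys on."""
    return SUPPORTED_GROUPS in server_hello_extensions(record)

def build_server_hello(extensions):
    """Constructed test input: minimal ServerHello with (type, data) extensions."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\xfe\xfd" + bytes(32) + b"\x00" + b"\xc0\x2b" + b"\x00"
            + struct.pack("!H", len(ext)) + ext)
    n = len(body).to_bytes(3, "big")
    hs = b"\x02" + n + b"\x00\x00" + b"\x00\x00\x00" + n + body
    return struct.pack("!BHH6sH", 22, 0xFEFD, 0, bytes(6), len(hs)) + hs

# Constructed samples: one with supported_groups (x25519), one without.
WITH_GROUPS = build_server_hello([(0xFF01, b"\x00"), (10, b"\x00\x02\x00\x1d")])
WITHOUT_GROUPS = build_server_hello([(0xFF01, b"\x00")])
```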
Apologies if this is already answered somewhere on the metrics.tpo page, but what is the distributor of the blocked relay? (Default/moat/https/gmail/telegram/riseup)
I believe it is a public relay, i.e. not a bridge, so the distribution mechanism is "the IP address is listed in the public Tor consensus".
So, it does seem like they are refreshing some of their IP-based blocks, which we knew was inevitable in the arms race but it's still sad to see it happen.