Russia may have found a new way to censor the internet


Russia has implemented a new method of censorship in an ongoing effort to silence Twitter. Instead of outright blocking the social media site, the country is using new techniques to slow down traffic and make the site virtually unusable for people inside the country.

A study released Tuesday indicates that the throttling slows traffic between Twitter and Russia-based end users to 128 kbps. While older internet censorship techniques used by Russia and other nation states have relied on simply blocking, slowing traffic to and from a widely used internet service is a relatively new technique that offers benefits to the censoring party.

“Unlike blocking, where access to content is blocked, throttling aims to degrade the quality of service, making it almost impossible for users to distinguish the imposed / intentional throttling from nuanced reasons such as high server load or network congestion,” Censored Planet, a censorship measurement platform that collects data in more than 200 countries, wrote in a report. “With the prevalence of ‘dual-use’ technologies such as deep packet inspection (DPI) devices, the limitation is simple for authorities to implement, but difficult for users to assign or circumvent.”

The throttling started on March 10, as reported in tweets by Doug Madory, director of Internet analytics at Internet measurement firm Kentik.

Madory discovered that, in an attempt to slow traffic to or from Twitter, Russian regulators had targeted t.co, the domain used to host all content shared on the site. In the process, all domains containing the string “t.co” (for example, Microsoft.com or reddit.com) were also throttled.
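The over-matching described above, as an added example that is not from the report or the article: a substring rule for "t.co" compared with a label-aware domain match. The function names and the host list are constructed for illustration.

```python
# Constructed illustration: substring matching on a hostname versus
# matching on DNS label boundaries.

def substring_match(host: str, pattern: str) -> bool:
    """The behaviour the article describes: any hostname containing the string matches."""
    return pattern.lower() in host.lower()

def label_match(host: str, domain: str) -> bool:
    """Match only the domain itself or a true subdomain of it."""
    host = host.lower().rstrip(".")      # normalise the fully qualified form "t.co."
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def collateral(hosts, pattern):
    """Hostnames caught by the substring rule that are not the target domain."""
    return [h for h in hosts
            if substring_match(h, pattern) and not label_match(h, pattern)]

# Constructed sample; the first three names appear in the article.
SAMPLE_HOSTS = ["t.co", "microsoft.com", "reddit.com", "twitter.com", "example.org"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:15} substring={substring_match(h, 't.co')!s:5} "
              f"label={label_match(h, 't.co')}")
    print("collateral:", collateral(SAMPLE_HOSTS, "t.co"))
```

Anyone writing hostname-based filtering or detection rules faces the same choice: anchor the pattern on label boundaries, or accept unrelated domains in the match set.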

This decision led to widespread internet problems, as it rendered the affected domains unusable. The throttling also consumed the memory and CPU resources of the affected servers, causing them to maintain connections for much longer than normal.

Roskomnadzor – the Russian executive body that regulates mass communications in the country – said last month it was throttling Twitter for failing to remove content involving child pornography, drugs and suicide. It went on to say that the slowdown affected the delivery of audio, video and graphics, but not Twitter itself. Critics of government censorship, however, say Russia is distorting the reasons for limiting the availability of Twitter. Twitter declined to comment for this post.

Tuesday’s report says the throttling is being carried out by a large fleet of “middleboxes” that Russian ISPs are installing as close as possible to the customer. This hardware, Censored Planet researcher Leonid Evdokimov told me, is usually a server with a 10 Gbps network interface card and custom software. A central Russian authority provides the boxes with instructions on which domains to throttle.

Middleboxes inspect both the requests sent by Russian end users and the responses returned by Twitter. This means that the new technique may have capabilities not found in older internet censorship regimes, such as filtering of connections that use VPNs, Tor, and censorship-circumvention apps. Ars has previously written about the servers.

Middleboxes use deep packet inspection to extract information, including the SNI. Short for “Server Name Indication,” the SNI is the domain name of the HTTPS website, which is sent in plaintext during a normal Internet transaction. Russian censors use this plaintext for more granular blocking and throttling of websites. Blocking by IP address, on the other hand, can have unintended consequences because it often blocks content that the censor wants to keep in place.

A countermeasure to get around the throttling is the use of ECH, or Encrypted ClientHello. An update to the Transport Layer Security protocol, ECH prevents blocking or throttling by domain, so censors must resort to blocking at the IP level. Anti-censorship activists say this leads to what they call “collateral freedom,” because the risk of blocking essential services often leaves the censor reluctant to accept the collateral damage resulting from blunt blocking by IP address.

In total, Tuesday’s report lists seven countermeasures:

  • TLS ClientHello segmentation / fragmentation (implemented in GoodbyeDPI and zapret)
  • TLS ClientHello inflation with a padding extension to make it larger than one packet (over 1500 bytes)
  • Prepending real packets with a scrambled fake packet of at least 101 bytes
  • Prepending ClientHello records with other TLS records, such as change cipher spec
  • Keeping the connection idle and waiting for the throttler to drop the state
  • Adding a trailing dot to the SNI
  • Any encrypted tunnel / proxy / VPN

It is possible that some of the countermeasures can be enabled by anti-censorship software such as GoodbyeDPI, Psiphon or Lantern. The catch, however, is that the countermeasures exploit bugs in Russia’s current throttling implementation. This means that the ongoing standoff between censors and anti-censorship supporters may prove to be prolonged.

This story originally appeared on Ars Technica.

