Tor (dirauths and default bridges) blocked by certain Russian ISPs since 2021-12-01

[wkrp]

The Tor Project's community team noticed that OONI's Tor test, which tests access to Tor's directory authorities and Tor Browser's default obfs4 bridges, showed evidence of blocking in a small number of ASes in Russia since 2021-12-01. The same ASes, before that date, did not show signs of blocking. Further analysis shows that the blocking is mostly concentrated in Moscow.

• https://gitlab.torproject.org/tpo/community/support/-/issues/40050
• https://explorer.ooni.org/search?until=2021-12-03&since=2021-11-29&probe_cc=RU&test_name=tor
• A sample anomalous measurement (notice "Tor Browser Bridges: 0/15 OK, Tor Directory Authorities: 0/10 OK")
• A sample normal measurement (notice "Tor Browser Bridges: 13/15 OK, Tor Directory Authorities: 10/10 OK")

@ValdikSS did manual testing and found that it is not only plain Tor and default obfs4 bridges that are blocked, but all default pluggable transports present in Tor Browser:

• Plain Tor (no obfuscation) – connection timeout (no response to SYN).
• Default obfs4 bridges – connection timeout (no response to SYN).
• meek-azure – connection timeout (in some cases as if the IP addresses of ajax.aspnetcdn.com were blocked, in at least one other case looking like SNI filtering of ajax.aspnetcdn.com).
• Snowflake – connection breaks after several KB are transfered.
• obfs4 bridges from Moat – returns bridge IP addresses, but none of the three bridges worked.

However, obfs4 bridges from bridges.torproject.org, obfs4 bridges from bridges@torproject.org, and a private obfs4 bridge all worked.

@ValdikSS ran additional diagnostics for blocking of ajax.aspnetcdn.com specifically (used in meek-azure).

service	target	result
Ping-Admin.Ru 2021-12-03 11:10:06 (archive)	ajax.aspnetcdn.com	19/109 timeout
Ping-Admin.Ru 2021-12-03 13:58:54 (archive)	152.199.19.160	1/37 timeout
Ping-Admin.Ru 2021-12-03 14:01:21 (archive)	40.118.185.161	2/36 timeout
Ping-Admin.Ru 2021-12-03 14:03:23 (archive)	ajax.aspnetcdn.com	3/35 timeout
Ping-admin.Ru 2021-12-03 14:07:23 (archive)	ajax.aspnetcdn.com	5/123 timeout
Globalcheck.net	ajax.aspnetcdn.com	4/5 timeout
RIPE Atlas 2021-12-03 14:42:57	ajax.aspnetcdn.com	1 "no route to host", 16 timeout, 466 correct

From the RIPE Atlas measurement map page, we can see that the blocking of ajax.aspnetcdn.com correlates with geography. 16 of the failed probes are in Moscow, and 1 is in Saint Petersburg:

The 466 non-failed probes are located all over Russia, including in Moscow and Saint Petersburg:

[wkrp]

The Tor Project community team has posted a guide, in Russian, that explains how to get a private obfs4 bridge.

Tor blocked in Russia: how to circumvent censorship

Здравствуйте! Похоже, ваш Интернет-провайдер блокирует Tor. Подробнее об этом см. https://ntc.party/t/ooni-reports-of-tor-blocking-in-certain-isps-since-2021-12-01/1477.

Tor Browser включает инструменты обхода блокировок.
О том, как использовать мосты Tor, можно прочесть здесь (на русском языке):
МОСТЫ | Как стать переводчиком для Tor Project
TOR ДЛЯ МОБИЛЬНЫХ УСТРОЙСТВ | Как стать переводчиком для Tor Project

(НОВОСТИ НА 7 ДЕКАБРЯ) В настоящее время мосты, встроенные непосредственно в Tor Browser, в России заблокированы. Вам нужно получить работающий мост obfs4. Это можно сделать тремя способами:

1. отправить сообщение Telegram-боту Tor;
2. отправить email по адресу bridges@torproject.org;
3. посетить страницу https://bridges.torproject.org/.

[wkrp]

On 2021-12-07, www.torproject.org and its IPv4 and IPv6 addresses were added to the Unified Register of blocked sites in Russia, meaning that ISPs have an obligation to block access to it.

• https://gitlab.torproject.org/tpo/community/support/-/issues/40050#note_2765035

  torproject.org domain is officially blocked in Russia:

  https://github.com/zapret-info/z-i commit 2d81831c4ea5723d8896d2e6b9c3303ab8ba7470 Updated: 2021-12-07 16:54:00 +0000
  116.202.120.165 | 116.202.120.166 | 38.229.82.25 | 95.216.163.36 | 2604:8800:5000:82:466:38ff:fecb:d46e | 2a01:4f8:fff0:4f:266:37ff:fe2c:5d19 | 2a01:4f8:fff0:4f:266:37ff:feae:3bbc | 2a01:4f9:c010:19eb::1;*.www.torproject.org;;Саратовский районный суд - Саратовская область;2-1-1373/2017;2017-12-18
  

• Discussion on NTC

  gitlab.torproject.org works.

  For me not only torproject.org and www.torproject.org are blocked, but also *.torproject.org, including gitlab.torproject.org.

  Looks like there is no torproject.org in the list, only www.torproject.org and it’s subdomains like sub.www.torproject.org. But it’s ips are banned, so it will not be accessible.

• Blacklist record

• zapret-info commit (see dump-01.csv)

[wkrp]

It looks like the obfs4 bridges that are available through Moat, the convenient in-browser bridge discovery interface in Tor Browser, have already been enumerated and blocked. The Tor Project has updated the access guide to explain how to get bridges from other sources: Telegram, email, or HTTPS.

https://forum.torproject.net/t/tor-blocked-in-russia-how-to-circumvent-censorship/982

The Telegram option is new: contact the @GetBridgesBot account in Telegram and send the text /bridges. The same user account will receive the same bridges over a 24-hour period.

[wkrp]

There has been progress in understanding how Snowflake connections are being detected. In short, it looks like fingerprinting a feature in DTLS Server Hello messages. The discussion may interest you if you are into TLS fingerprinting—DTLS fingerprinting is comparatively under-researched.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40014#note_2765061

[wkrp]

The block of Tor relays and default bridges, meek, and Snowflake stopped for a while on 2021-12-08, but resumed on 2021-12-09, affecting more ISPs.

It appears that newly established bridges from Moat are not blocked. This suggests that the censor had somehow enumerated most of the available Moat bridges before effecting the block, but has not updated the list of bridges since then. Tor Browser 11.0.2, released 2021-12-08, contains a new default obfs4 bridge, which has not been blocked yet.

On 2021-12-08, the web server block was expanded, from *.www.torproject.org to *.torproject.org.

• zapret-info/z-i@7ef5c6a#diff-9e35c803ddf71fefd2643c4ef35e1b76a1c340b257b9c27784048602a42e89b1
• https://reestr.rublacklist.net/record/3845366/

There has been progress in understanding how Snowflake connections are being detected. In short, it looks like fingerprinting a feature in DTLS Server Hello messages.

@cohosh developed a mitigation for the snowflake-client DTLS fingerprint that will be in the next release of Tor Browser. If you want to test it manually, there are instructions here.

[wkrp]

OONI reports anomalies with Psiphon in Russia, as do human testers. @ValdikSS has posted pcaps of failed Psiphon connections and says that "automatic region selection" connects successfully.

I don't see any change yet in the Psiphon Data Engine graph, but it currently stops at 2021-12-08:
https://psix.ca/d/nyi8gE6Zk/regional-overview?orgId=2&var-region=RU

To be fair, you wouldn't know anything was happening with Tor either, if you were only looking at the graph of relay users. (The graph of bridge users shows an increase in obfs4 and Snowflake users.) This is a good reminder that Tor is blocked on only a few networks in Russia, not all of them.
https://metrics.torproject.org/userstats-relay-country.html?start=2021-09-01&end=2021-12-10&country=ru

[wkrp]

OONI has published a report on Tor blocking in Russia. The part of the report about the Tor network covers the time span 2021-12-01 to 2021-12-08.

https://ooni.org/post/2021-russia-blocks-tor/

OONI's Tor test tests for blocking of Tor directory authorities' dirport and OR port, and of Tor Browser's default obfs4 bridges. Between 2021-12-01 and 2021-12-08, the measurements showed evidence of Tor blocking in 15 out of 65 networks tested in Russia:

AS48092, AS3216, AS8334, AS8359, AS8402, AS12714, AS12958, AS15493, AS15582, AS15672, AS16345, AS24955, AS25159, AS31133, AS31208

[avirkud]

Censored Planet measurements from the past week also indicate likely IP blocking of default Tor bridges within some Russian ASes. We have Spooky Scan measurements for 255 ASes in Russia, belonging to 203 organizations. Spooky Scan uses infrastructure vantage points with a global IPID to measure reachability.

55 ASes had at least one vantage point with anomalous measurements for all tested IPv4 default bridges:

50509, 44158, 25227, 35810, 20764, 24811, 44881, 43176, 31499, 57209, 29076,
42861, 25408, 30733, 29470, 21127, 20485, 8985, 39125, 48858, 8641, 28917,
47694, 8359, 201776, 44020, 12714, 34123, 8732, 58002, 39289, 49342, 31133,
3216, 8402, 12722, 41829, 12389, 29456, 33934, 42610, 44237, 47379, 50037,
41794, 35807, 199860, 200044, 34995, 44622, 56724, 3267, 43567, 48670, 51892

Similar to OONI, we noted nonuniform results within a single AS (e.g., in AS20764, some vantage points indicated anomalies for a bridge while others indicated no blocking). Further, Spooky Scan can also determine the direction of packet drops - out of the 55 ASes mentioned, there were ASes with either predominantly bridge->vp dropped anomalies (2, e.g., AS34123) or vp->bridge dropped anomalies (15, e.g., AS31499), and some ASes with both types (38, e.g., AS31133). Individual ASes or more granular entities may implement varying blocking rules, consistent with Russia's decentralization.

[wkrp]

On 2021-12-07, www.torproject.org and its IPv4 and IPv6 addresses were added to the Unified Register of blocked sites in Russia, meaning that ISPs have an obligation to block access to it.

The Tor Project and Roskomsvoboda started a legal challenge of the blocking of the Tor web site. As a result of the challenge, an appellate court reversed the block (EN, RU) on procedural grounds.

There will be a new trial to decide whether the web site will be re-added to the blocking register, this time with the Tor Project present. However, the scope of the case has been expanded: it is no longer only about the blocking of the torproject.org domain, but also whether Tor Browser is prohibited and whether Tor Browser should be removed from the Google Play store. The government prosecutor has added Google to the case.

https://torrentfreak.com/tor-project-unblocked-but-russia-redemands-censorship-embroils-google-220527/ (archive)

After the main domain of privacy-focused anti-censorship tool Tor was blocked by Russian authorities last December, digital rights activists stepped in with a successful legal challenge. TorProject.org is now unblocked but as part of a new legal process, prosecutors are restating and broadening their case. Tor Browser must be banned and deleted from Google Play, they insist.

https://roskomsvoboda.org/post/google-v-dele-tor/ (archive)

Прокуратура привлекла Google к делу The Tor Project

Ведомство просит удалить из Google Play приложение Tor Browser.

Прокуратура Саратовского района привлекла Google к делу организации The Tor Project, интересы которой представляют юристы «Роскомсвободы». Ведомство просит у суда следующее:

• признать информацию, содержащуюся в в программном приложении Tor Browser, запрещённой в России;
• признать запрещённым приложение Tor Browser, размещённое в Google Play;
• ограничить доступ к приложению Tor Browser;
• обязать Google LLC удалить приложение Tor Browser из Google Play.

Напомним, на прошлой неделе юристам «Роскомсвободы» удалось отменить блокировку сайта The Tor Project. Апелляционный суд отправил дело на рассмотрение в суд первой инстанции, уже с участием владельца сайта, и это означает, что основанием для отмены стали процессуальные нарушения, на которые указали наши специалисты.

Первое заседание по существу по делу The Tor Project назначено на 26 мая. Пройдёт оно в Саратовском районном суде Саратовской области (пос. Дубки).

UPD 26.05.2022: Саратовский райсуд принял уточнение требований прокуратуры и решил привлечь Google LLC к делу в качестве заинтересованного лица. Об этом сообщила медиаюрист «Роскомсвободы», адвокат Екатерина Абашина.

Между тем в уточнении прокурора появились весьма интересные требования. По его мнению, российское законодательство нарушают браузер Tor (в качестве адреса снова указан https://torproject.org), а также приложение Tor Browser в Google Play. В связи с чем надзорное ведомство требует ограничить доступ к приложениею Tor Browser, а Google — обязать удалить одноимённое приложение из Google Play.

Prosecutor's Office has brought Google into the The Tor Project case

Office requests removal of Tor Browser app from Google Play.

The Saratov District Prosecutor's Office brought Google to the case of The Tor Project, whose interests are represented by Roskomsvoboda lawyers. The office asks the court for the following:

• To recognize the information contained in the Tor Browser software application as banned in Russia;
• Prohibit the Tor Browser app on Google Play;
• Restrict access to the Tor Browser app;
• oblige Google LLC to remove the Tor Browser app from Google Play.

Recall that last week Roskomsvoboda's lawyers managed to cancel the blocking of The Tor Project website. The court of appeals sent the case back to the court of first instance, already with the participation of the site owner, which means that the grounds for cancellation were procedural violations that our experts pointed out.

The first meeting on the merits of The Tor Project case is scheduled for May 26. It will take place in Saratov district court of Saratov region (Dubki settlement).

UPD 26.05.2022: Saratov district court accepted the clarification of the prosecutor's claims and decided to involve Google LLC in the case as an interested party. This was reported by the media lawyer of Roskomsvoboda, lawyer Ekaterina Abashina.

Meanwhile, in the clarification of the prosecutor there were very interesting requirements. In his opinion, the Tor browser (https://torproject.org is indicated again as the address), as well as the Tor Browser application on Google Play, violate the Russian law. In this regard, the supervisory authority demands to restrict access to the Tor Browser application, and Google - to oblige to remove the application of the same name from Google Play.

[wkrp]

The Tor Project and Roskomsvoboda started a legal challenge of the blocking of the Tor web site. As a result of the challenge, an appellate court reversed the block (EN, RU) on procedural grounds.

It looks like the unblocking actually happened on 2022-07-14 (one week ago). The Tor Project admins received an email from Roskomnadzor on that date stating that the torproject.org domain and various IP addresses would be unblocked.

Направляется уведомление об исключении записи из «Единый реестр доменных имен, указателей страниц сайтов в сети «Интернет» и сетевых адресов, позволяющих идентифицировать сайты в сети «Интернет», содержащие информацию, распространение которой в Российской Федерации запрещено» следующего(их) указателя (указателей) страницы (страниц) сайта в сети «Интернет»: https://torproject.org .

С уважением,
ФЕДЕРАЛЬНАЯ СЛУЖБА ПО НАДЗОРУ В СФЕРЕ СВЯЗИ, ИНФОРМАЦИОННЫХ ТЕХНОЛОГИЙ И МАССОВЫХ КОММУНИКАЦИЙ.

It is notice of excluding an entry from the "Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation” the Internet web-site page (s) link (s): https://torproject.org .

Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (ROSKOMNADZOR).

In this OONI MAT query, you can see connection attempts starting to succeed across Russia starting 2022-07-14:

https://explorer.ooni.org/chart/mat?probe_cc=RU&test_name=web_connectivity&domain=www.torproject.org&since=2022-06-22&until=2022-07-22&axis_x=measurement_start_day

The email had an attached RTF document (gzipped to attach here), and another attachment of type application/pgp-signature whose format I don't recognize, but which contains some email addresses:

• 1509981_notification_off.rtf.gz - possibly interesting, the Created and Modified dates in the RTF metadata are 2019-11-21 19:19.
• 1509981_notification_off.rtf.sig.gz - contains the apparent email addresses uc_fk@roskazna.ru, e.semykin@rkn.gov.ru, dit@minsvyaz.ru

Transcript of RTF attachment

Уведомление
об исключении информации из Единого реестра доменных имен, указателей страниц сайтов в сети "Интернет" и сетевых адресов, позволяющих идентифицировать сайты в сети "Интернет", содержащие информацию, распространение которой в Российской Федерации запрещено

В соответствии с пунктом 14 Правил создания, формирования и ведения единой автоматизированной информационной системы "Единый реестр доменных имен, указателей страниц сайтов в информационно-телекоммуникационной сети "Интернет" и сетевых адресов, позволяющих идентифицировать сайты в информационно-телекоммуникационной сети "Интернет", содержащие информацию, распространение которой в Российской Федерации запрещено", утвержденных постановлением Правительства Российской Федерации
от 26 октября 2012 г. № 1101 Федеральная служба по надзору в сфере связи, информационных технологий и массовых коммуникаций уведомляет, что на основании обращения владельца сайта в сети "Интернет", провайдера хостинга, оператора связи принято решение от 14.07.2022 № 296828-IP-off об исключении указателя (указателей) страницы (страниц) сайта в сети "Интернет" https://www.torproject.org, сетевого адреса (сетевых адресов) 95.216.163.36/32, 116.202.120.165/32, 116.202.120.166/32, 38.229.82.25/32, 2a01:04f9:c010:19eb:0000:0000:0000:0001/128, 2a01:04f8:fff0:004f:0266:37ff:fe2c:5d19/128, 2a01:04f8:fff0:004f:0266:37ff:feae:3bbc/128, 2604:8800:5000:0082:0466:38ff:fecb:d46e/128 из Единого реестра доменных имен, указателей страниц сайтов в сети "Интернет" и сетевых адресов, позволяющих идентифицировать сайты в сети "Интернет", содержащие информацию, распространение которой в Российской Федерации запрещено", номер реестровой записи 1509981-РИ.

Сведения о наличии указателей страниц сайтов, доменных имен сети «Интернет» и сетевых адресов в Едином реестре доступны круглосуточно в сети «Интернет» по адресу http://eais.rkn.gov.ru/.

Настоящее Уведомление подписано квалифицированной электронной подписью Федеральной службы по надзору в сфере связи, информационных технологий и массовых коммуникаций.

Notice
of information cancellation from the "Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation”.

In accordance with No. 14 of Rules of organization, function and maintenance of the unified automated information system "Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation” approved by the Resolution of the Government of the Russian Federation of 26.10.2012 No. 1101 the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications informs that based on the application of an Internet web-site owner, hosting provider or communications service provider a decision was adopted 14.07.2022 № 296828-IP-off on the withdrawal Internet web-site page (s) link (s) https://www.torproject.org, network address 95.216.163.36/32, 116.202.120.165/32, 116.202.120.166/32, 38.229.82.25/32, 2a01:04f9:c010:19eb:0000:0000:0000:0001/128, 2a01:04f8:fff0:004f:0266:37ff:fe2c:5d19/128, 2a01:04f8:fff0:004f:0266:37ff:feae:3bbc/128, 2604:8800:5000:0082:0466:38ff:fecb:d46e/128 from the "Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation". The register number of the decision is 1509981-РИ.

The information on the availability of Internet web-site page links, Internet domain names and network addresses in the Unified Register is accessible on a 24-hour basis at the following web address: http://eais.rkn.gov.ru/en/.

This Notice is duly signed electronically by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications.

[wkrp]

Roger Dingledine will give a talk about about Tor blocking in Russia next week at DEF CON 30.

How Russia is Trying to Block Tor
Friday 2022-08-12 15:30 PDT, Track 2

In December 2021, some ISPs in Russia started blocking Tor's website,
along with protocol-level (DPI) and network-level (IP address) blocking to
try to make it harder for people in Russia to reach the Tor network. Some
months later, we're now at a steady-state where they are trying to find
new IP addresses to block and we're rotating IP addresses to keep up.

In this talk I'll walk through what steps the Russian censors have taken,
and how we reverse engineered their attempts and changed our strategies
and our software. Then we'll discuss where the arms race goes from here,
what new techniques the anti-censorship world needs if we're going to
stay ahead of future attacks, and what it means for the world that more
and more countries are turning to network-level blocking as the solution
to their political problems.

[gfw-report]

The slides How Russia is Trying to Block Tor by Roger Dingledine are available here.