Russian DPI check supported_groups extension in ServerHello payload (byte 0x5a in udp packet).
It looks for DTLS packet header “magic” “16 FE FD” and then looks for “1D 00 17 00 18” at 0x5a offset.
But in this case, the offset of the byte pattern appears to be targeting the Snowflake Client Hello, not the Server Hello. Presence of supported_groups in Client Hello is not a bug, but the offset of the extension is still a fingerprinting feature.
At this point there is no information about which ISPs may be affected (whether it’s one ISP, all TSPU, etc.).
The filter is applied for both DTLS v1.0 in record (16 fe ff), which is used by both Chrome and Firefox in ClientHello, and DTLS v1.2 in record (16 fe fd), which is used at least by Jitsi Meet, all at offset 0. Then, 1D 00 17 00 18 at 0x6f offset is checked. This is indeed different than the previous offset 0x5a (which is also blocked).
I have tested filtering only by sending the packets from Russia, not to Russia.
So, in the end, as for 19 May 2022, the filter is applied to: