Drop in Snowflake users from Russia and evidence of blocking starting 2024-11

We’ve noticed a significant drop in Snowflake users from Russia, starting earlier this month, along with some vantage point testing that suggests a different kind of block than what we’ve seen before.

At first we thought this was due to several recent certificate renewals of Fastly front domains that were used for Snowflake, but we’ve since ruled out blocking of the rendezvous channel. The timing of the drop in users also doesn’t quite match up with the domain renewals.

From our vantage point tests, it does not look like the DTLS fingerprinting of Snowflake that happened in Russia in 2021. The DTLS handshake completes and several bytes of application data are received from the proxy before the client suddenly stops receiving data. This doesn’t rule out fingerprinting. There are a few proxies that do not appear to be blocked and Tor can be fully bootstrapped through these proxies, but we haven’t noticed any difference in the DTLS fingerprint between working proxies and proxies that go stale. It’s also possible that our vantage point tests aren’t offering an accurate view of why there is a drop in users.

To me it looks similar to WireGuard blocking: there is a handshake, but it drops systematically after 20 seconds have passed. Luckily, due to the decentralized design of Snowflake, it will eventually hop to life through many peers, even if it takes hours.

I suspect they will sooner block the broker (along with all the CDNs), if you read the recent news. They don’t care about collateral damage anymore, look at the Hetzner thread, so I’m not sure why they are bothering with… blocking the snowflakes in the first place?

It works for me on Yota. But the ISP is blocking Hetzner.

Nov 14 01:00:04.999 [notice] Tor 0.4.8.6 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.2, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.35 as libc.
Nov 14 01:00:04.999 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Nov 14 01:00:05.000 [notice] Read configuration file "/etc/tor/torrc".
Nov 14 01:00:05.016 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 14 01:00:05.017 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Nov 14 01:00:05.000 [warn] Your log may contain sensitive information - you disabled SafeLogging. Don't log unless it serves an important reason. Overwrite the log afterwards.
Nov 14 01:00:05.000 [notice] Bootstrapped 0% (starting): Starting
Nov 14 01:00:05.000 [notice] Starting with guard context "bridges"
Nov 14 01:00:05.000 [notice] Delaying directory fetches: No running bridges
Nov 14 01:00:06.000 [notice] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
Nov 14 01:00:06.000 [notice] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
Nov 14 01:00:06.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Nov 14 01:00:06.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:07.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:00:08.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": connected
Nov 14 01:00:08.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Nov 14 01:00:11.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:12.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:00:14.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": connected
Nov 14 01:00:29.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: no messages received, closing stale connection
Nov 14 01:00:34.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: no messages received, closing stale connection
Nov 14 01:00:36.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:41.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:41.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker failure Unexpected error, no answer.
Nov 14 01:00:41.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:00:46.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:51.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker failure Unexpected error, no answer.
Nov 14 01:00:51.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: timeout waiting for DataChannel.OnOpen
Nov 14 01:00:56.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:56.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:57.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:01:00.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": connected
Nov 14 01:01:02.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker failure Unexpected error, no answer.
Nov 14 01:01:07.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:01:07.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:01:09.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": connected
Nov 14 01:01:21.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: no messages received, closing stale connection
Nov 14 01:01:26.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:01:27.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:01:28.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": connected
Nov 14 01:01:29.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: no messages received, closing stale connection
Nov 14 01:01:30.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Nov 14 01:01:30.000 [notice] Bootstrapped 20% (onehop_create): Establishing an encrypted directory connection
Nov 14 01:01:33.000 [notice] Bootstrapped 25% (requesting_status): Asking for networkstatus consensus
Nov 14 01:01:35.000 [notice] new bridge descriptor 'flakey6' (fresh): $2B280B23E1107BB62ABFC40DDCC8824814F80A72~flakey6 [1zOHpg+FxqQfi/6jDLtCpHHqBTH8gjYmCKXkus1D5Ko] at 192.0.2.3
Nov 14 01:01:37.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:01:37.000 [notice] Bootstrapped 30% (loading_status): Loading networkstatus consensus
Nov 14 01:01:42.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker failure Unexpected error, no answer.
Nov 14 01:01:47.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:01:52.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker failure Unexpected error, no answer.
Nov 14 01:01:53.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Nov 14 01:01:55.000 [notice] Bootstrapped 40% (loading_keys): Loading authority key certs
Nov 14 01:01:57.000 [notice] The current consensus has no exit nodes. Tor can only build internal paths, such as paths to onion services.
Nov 14 01:01:57.000 [notice] Bootstrapped 45% (requesting_descriptors): Asking for relay descriptors
Nov 14 01:01:57.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7994, and can only build 0% of likely paths. (We have 100% of guards bw, 0% of midpoint bw, and 0% of end bw (no exits in consensus, using mid) = 0% of path bw.)
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:57.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:01:58.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:02:00.000 [notice] Bootstrapped 50% (loading_descriptors): Loading relay descriptors
Nov 14 01:02:03.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker failure Unexpected error, no answer.
Nov 14 01:02:04.000 [notice] The current consensus contains exit nodes. Tor can build exit and internal paths.
Nov 14 01:02:04.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:04.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:04.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:04.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:04.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:04.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:04.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:05.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:05.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:05.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:06.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:06.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Nov 14 01:02:08.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:02:08.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:02:10.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": connected
Nov 14 01:02:21.000 [notice] Bootstrapped 55% (loading_descriptors): Loading relay descriptors
Nov 14 01:02:23.000 [notice] Bootstrapped 62% (loading_descriptors): Loading relay descriptors
Nov 14 01:02:23.000 [notice] Bootstrapped 69% (loading_descriptors): Loading relay descriptors
Nov 14 01:02:23.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Nov 14 01:02:23.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Nov 14 01:02:23.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Nov 14 01:02:23.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit.
Nov 14 01:02:23.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit.
Nov 14 01:02:23.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit.
Nov 14 01:02:23.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit.
Nov 14 01:02:23.000 [notice] Our circuit 0 (id: 7) died due to an invalid selected path, purpose Unlinked conflux circuit. This may be a torrc configuration issue, or a bug.
Nov 14 01:02:23.000 [notice] Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for 1/3 of our primary entry guards (total microdescriptors: 6830/7994). That's ok. We will try to fetch missing descriptors soon.
Nov 14 01:02:24.000 [notice] Bootstrapped 100% (done): Done
Nov 14 01:02:30.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: no messages received, closing stale connection
Nov 14 01:02:38.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:02:38.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:02:48.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: timeout waiting for DataChannel.OnOpen
Nov 14 01:02:53.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:02:59.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker failure Unexpected error, no answer.
Nov 14 01:03:04.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
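
Added example (not part of any post in this thread, and not Tor Project code): a Python summary of the snowflake-client events in a Tor notice log like the one above. It counts broker failures and DataChannel timeouts and measures how long each connection lasted before it was closed as stale. The sample lines are constructed, the year 2024 is assumed from the thread title, and the oldest-first pairing of connections with stale closes is an assumption, because the log carries no connection identifier.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Constructed sample in the format of the Tor notice log above (not the poster's lines).
SAMPLE_LOG = '''\
Nov 14 01:00:06.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:07.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:00:08.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": connected
Nov 14 01:00:28.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: no messages received, closing stale connection
Nov 14 01:00:33.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:38.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker failure Unexpected error, no answer.
Nov 14 01:00:43.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": offer created
Nov 14 01:00:44.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": broker rendezvous peer received
Nov 14 01:00:54.000 [notice] Managed proxy "/usr/local/bin/snowflake-client": trying a new proxy: timeout waiting for DataChannel.OnOpen
'''

LINE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+ \[notice\] Managed proxy "[^"]*snowflake-client": (.*)$')
EVENTS = [  # (message prefix, event name), checked in order
    ("offer created", "offer"),
    ("broker rendezvous peer received", "rendezvous_ok"),
    ("broker failure", "broker_failure"),
    ("connected", "connected"),
    ("trying a new proxy: no messages received", "stale"),
    ("trying a new proxy: timeout waiting for DataChannel.OnOpen", "open_timeout"),
]

def summarize(log_text, year="2024"):
    """Return (event counts, seconds from 'connected' to each stale close)."""
    counts, open_conns, lifetimes = Counter(), deque(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # Tor's own bootstrap lines and anything else are ignored
        # The log has no year; one is supplied so the timestamp parses fully.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        event = next((n for p, n in EVENTS if m.group(2).startswith(p)), None)
        if event is None:
            continue
        counts[event] += 1
        if event == "connected":
            open_conns.append(ts)
        elif event == "stale" and open_conns:
            # Assumption: no connection id in the log, so pair oldest-first.
            lifetimes.append((ts - open_conns.popleft()).total_seconds())
    return counts, lifetimes
```

Lifetimes that cluster around one value across many connections point to a timer-driven close rather than random loss; comparing the same summary from a vantage point behind a VPN gives a baseline.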

Is Snowflake a browser extension?

Snowflake consists of many parts. The extension is for countries where there is direct access to Tor, so that people can help by proxying traffic through themselves. There is a bridge (pluggable transport), which is configured in torrc. And there are supporting parts, such as the server and the broker.

The idea was that anyone could become a proxy. They even had a page, with no extensions needed, with plain JavaScript code that turned the user into a ready-made server, or, to put it correctly, a peer.

However, if I use a VPN, there are almost no warnings.

snowflake-64.exe --version
snowflake-client 2.9.2 (028ff826*)

2024-11-14T10:55:36Z WARN tor_guardmgr::guard: Could not connect to guard [192.0.2.3:80 via snowflake $2b280b23e1107bb62abfc40ddcc8824814f80a72]. We’ll retry later, and let you know if it succeeds.

2024-11-14T10:55:45Z INFO tor_guardmgr::guard: We have found that guard [192.0.2.4:80 via snowflake ed25519:tO9nYvNCAdAh9lPoEEv2pZ9BJq+YzmPAMY6pxoFrLuk $8838024498816a039fcbbab14e6f40a0843051fa] is usable.

Spoiler

snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.azureedge.net/ fronts=ajax.aspnetcdn.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn

snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://1098762253.rsc.cdn77.org/ fronts=docs.plesk.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn

snowflake-64.exe --version
snowflake-client 2.10.1 (23935750*)

2024-11-14T11:16:02Z INFO tor_guardmgr::guard: We have found that guard [192.0.2.4:80 via snowflake ed25519:tO9nYvNCAdAh9lPoEEv2pZ9BJq+YzmPAMY6pxoFrLuk $8838024498816a039fcbbab14e6f40a0843051fa] is usable.

2024-11-14T11:16:26Z INFO tor_guardmgr::guard: We have found that guard [192.0.2.3:80 via snowflake ed25519:1zOHpg+FxqQfi/6jDLtCpHHqBTH8gjYmCKXkus1D5Ko $2b280b23e1107bb62abfc40ddcc8824814f80a72] is usable.

Well, what was in the neighboring thread?

Russian authorities may take action against hosting providers Akamai and CDN77

All the brokers will die soon.

They are constantly being added/changed.

fastfly doesn't seem to work.

And here there is usually only 1 “current” one.

There are also quite a few lists of alternative front ends.