Network shutdown, all around Kazakhstan

FFR0G · January 9, 2022, 8:38pm

The IPv4 obfs4 bridge is working!

tango · January 9, 2022, 10:13pm

I did some port scans. It looks like some other ports to try are 179, 646, 3784, 3785, 4784, 5060.

First I did a scan to see if any hosts in the /24 neighborhood of gov.kz were reachable on port 3785. Only one of them was, 195.12.114.89 (whois), which is part of “National Information Technologies Joint-Stock Company”:

# nmap -PS3785 -sn -n gov.kz/24
Nmap scan report for 195.12.114.89
Host is up (0.21s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 15.57 seconds

Then, I scanned all the ports on that host. 6 ports were responsive, including 3785:

# nmap -n -PS3785 -p- --reason 195.12.114.89
Nmap scan report for 195.12.114.89
Host is up, received reset ttl 236 (0.21s latency).
Not shown: 65529 filtered ports
Reason: 65529 no-responses
PORT     STATE  SERVICE       REASON
179/tcp  closed bgp           reset ttl 233
646/tcp  closed ldp           reset ttl 236
3784/tcp closed bfd-control   reset ttl 234
3785/tcp closed bfd-echo      reset ttl 234
4784/tcp closed bfd-multi-ctl reset ttl 233
5060/tcp open   sip           syn-ack ttl 50

Nmap done: 1 IP address (1 host up) scanned in 344.21 seconds

A port scan could also be a way to discover what foreign ports are accessible from inside Kazakhstan. You need to target a host that responds to every port (with either a SYN/ACK or a RST), like scanme.nmap.org. Any port that has reason syn-ack or rst is making it through the shutdown. Any port that has no-response is blocked by the shutdown.

# nmap -v -n -Pn -p- -T4 --reason scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received user-set (0.23s latency).
Not shown: 65531 closed ports
Reason: 65531 resets
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 55
80/tcp    open  http       syn-ack ttl 55
9929/tcp  open  nping-echo syn-ack ttl 56
31337/tcp open  Elite      syn-ack ttl 56

Nmap done: 1 IP address (1 host up) scanned in 108.98 seconds

# nmap -v -n -Pn -p- -T4 --reason -6 scanme.nmap.org
Nmap scan report for scanme.nmap.org (2600:3c01::f03c:91ff:fe18:bb2f)
Host is up, received user-set (0.23s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack ttl 55
80/tcp    open  http    syn-ack ttl 56
31337/tcp open  Elite   syn-ack ttl 56

Nmap done: 1 IP address (1 host up) scanned in 146.68 seconds

zinoid · January 9, 2022, 11:28pm

I see you have already set up the bridge. But Softether VPN also allows to encapsulate VPN in DNS or ICMP. I don’t know if this is available for public VPNGate servers.

cypherpunks · January 10, 2022, 3:27am

Провайдер Казахтелеком.
Интернет отключили 17:00 05.01.2022
Дальше отключили полностью мобильную связь, не ловило в любых режимах(2G, 3G, 4G)
Через несколько дней включили мобильную связь, но звонки до сих пор отвратно работают.

Вывод traceroute:
traceroute to dns.google (8.8.4.4), 30 hops max, 60 byte packets
1 _gateway (192.168.100.1) 1.340 ms 2.627 ms 2.562 ms
2 82.200.242.218 (82.200.242.218) 6.005 ms 6.513 ms 7.061 ms
Дальше одни звездочки

С этим выводом я воодушёвленный пошёл проверять связь с другими клиентами сети казахтелекома. И пинг был(3 хопа)! И даже больше, кажется на них нету фильтра.
Мы спокойно прокидывали порты, HTTP, SSH, и прочие протоколы.
До других IP происходит полная фильтрация(даже icmp). Режим белый список.
В белом списке находится:
dns.google(8.8.8.8), akorda.kz, IP банков и государственых новостных агенств, а также мобильных операторов
Ставлю предположение, что фильтрующее обуродование на третьем/четвертом хопе стоит.
С этим уже кажется можно получить доступ в интернет, через dns туннель. Но к сожалению у меня нету сервера за рубежом. Также скорее фильтрация, крайне сильная с урезанием функционала до минимума, так я не смог icmp трафик сделать до всех хостов в whitelist. Кроме altel.kz
09.01.2022 дали доступ ко всем подсетям hoster.kz, neolabs.kz, ps.kz. Мне кажется или у хостингов есть интернет, так как судя по зеркалу репозиториев там они относительно свежие.
Сегодня, 10.01.2022 в 8:45 дали интернет.
В Астане давали интернет уже 3 дня назад. Но временно, с 8:00-13:00

Megum1n · January 10, 2022, 10:19am

I verified that shadowsocks+v2ray works just fine trough 3785 port.

sasha0552 · January 10, 2022, 1:51pm

Almaty, Kazakhtelecom

OpenVPN on port 3785 (udp) works.

Some information:

$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time ms

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=100 time= ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=100 time= ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=100 time= ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time ms

$ dig google.com @8.8.8.8
; <<>> DiG  <<>> google.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             272     IN      A       173.194.222.113
google.com.             272     IN      A       173.194.222.138
google.com.             272     IN      A       173.194.222.100
google.com.             272     IN      A       173.194.222.102
google.com.             272     IN      A       173.194.222.101
google.com.             272     IN      A       173.194.222.139

;; Query time:  msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 10 18:58:53 +06 2022
;; MSG SIZE  rcvd: 135

$ curl https://8.8.8.8
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://dns.google/">here</A>.
</BODY></HTML>

hoster.kz, neolabs.kz, ps.kz - timeout
altel.kz, akorda.kz - works

(If you want to investigate, you can contact me using Discord (invite: rTjTadmYvt))

anonymous13 · January 10, 2022, 3:59pm

TCP, UDP, ICMP трейсы (-T, -U, -I) до 8.8.8.8 нормально выглядят в Казахтелекоме?

ValdikSS · January 10, 2022, 5:18pm

Wrote you PM but it seems that Kazakhstan net is getting shut down again.

tango · January 10, 2022, 7:02pm

#Internet connectivity was shutdown in #Kazakhstan again at ~1300 UTC after 6th brief service restoration since shutdowns started on Jan. 5. @cloudflareradar shows that this one saw peak traffic 2x or more as compared to previous restorations.

That matches the IODA signals as well. The restoration of access of January 10 (starting 00:00 UTC) lasted 13 hours and seemed to include more networks than past ones.

https://ioda.caida.org/ioda/dashboard#lastView=overview&view=inspect&entity=country/KZ&from=1641236120&until=1641840860

adamfisk · January 10, 2022, 8:56pm

We’ve switched all Lantern (https://lantern.io) servers in the region to listen on 3785, 5060, as well as randomized high ports.

FFR0G · January 10, 2022, 8:58pm

I found that port 179 works fine on both ISPs (KazakhTelecom and Beeline).
Thanks @sasha0552 for help!

tango · January 10, 2022, 9:13pm

The Tor community team posted a guide on how to get working bridges. You will not be able to use BridgeDB or Moat; instead, email frontdesk@torproject.org with subject “bridge kz”.

Thank you for the information. I opened port 179 on the the bridge from earlier as a backup in case 3785 gets blocked.

Bridge obfs4 172.105.56.235:179 DD9769A0D6A9F18C24FCE731583597012E66273F cert=AEu2dF5cSjzQwA8kDx4R+38u10TReImk3ERjWFmzBGA0tPGyFxnsJRke5iSBef6+QDejew iat-mode=0

Bridge obfs4 [2400:8904::f03c:92ff:fe93:f42d]:179 DD9769A0D6A9F18C24FCE731583597012E66273F cert=AEu2dF5cSjzQwA8kDx4R+38u10TReImk3ERjWFmzBGA0tPGyFxnsJRke5iSBef6+QDejew iat-mode=0

I did it with port forwarding:

iptables -A PREROUTING -t nat -p tcp --dport 179 -j REDIRECT --to-ports 3785

cypherpunks · January 11, 2022, 3:45am

Репортирую, что вчера при включение интернета было ограничение скорости до 3Мбит /с примерно. На https видимо максимум по 20Кбит/с, не смог даже обновить репозитории.

gus · January 11, 2022, 12:37pm

Thanks! Today we heard from a user that Beeline is blocking 3785:

К сожалению, у Билайн Казахстан заблокирован порт 3785, есть ли другой способ обхода блокировки?

We will try your bridge.

FFR0G · January 11, 2022, 12:39pm

Фиксирую падение интернета до начала шатдауна:
ISP: Beeline KZ (“Интернет Дома”).
Время: 17:10 - 17:24 (GMT+6).
Таймаут до Google DNS.
Внутренние DNS провайдера остались доступны - dnstt работал.
Порты tcp/179 и tcp/3785 были заблокированы.

zinoid · January 11, 2022, 5:13pm

Tor used to have fteproxy bridge, which claimed to masquerade as unencrypted http. Although, I think it would be easy to block by fingerprint. Binary is still available, but no one is providing this type of bridge right now. However I would like to test it.
Binary is static with python embedded inside.

zinoid · January 11, 2022, 5:32pm

In networks with low bandwidth it would be useful to use HandyCache caching proxy.
It can also decrypt and cache https traffic, but this functionality in the trial mode only works for the first 30 minutes after each start of application (and then you need to restart HC). There is an English and Russian interface. Works in Wine.

tango · January 13, 2022, 7:09pm

IODA measurements say that access has been restored since about 2022-01-11 00:00 (06:00 Almaty time). Does that match people’s experience? I can access gov.kz now.

https://ioda.caida.org/ioda/dashboard#lastView=overview&view=inspect&entity=country/KZ&from=1641168000&until=1642032000

FFR0G · January 14, 2022, 8:41am

Yes, there were no more shutdowns.

tango · January 17, 2022, 5:02am

I have shut down this bridge now.

Here are graphs of its usage over the past few days:
https://metrics.torproject.org/rs.html#details/0E9783A73F029E0910FD72F1EC120CA818868DA0