OONI reports of Tor blocking in certain ISPs since 2021-12-01

libneko · December 9, 2021, 12:38pm

For some reason, Psiphon on Domru is now fine, while TOR on Megafon is even more degraded:

Now: Tor censorship test result in Russia
Was: Tor censorship test result in Russia

ValdikSS · December 9, 2021, 2:33pm

The filtering towards IP addresses of Tor relays is in effect in Moscow, Tomsk (Zelenaya Tochka TOMSK LLC), Penza (ER-Telecom), Perm (ER-Telecom), Medvedevo (ER-Telecom), Khabarovsk (Transtelecom), Kemerovo (Regional Information Technologies Ltd.), UFA (JSC Ufanet), Ulyanovsk (MTS), Kazan (two unnamed ISP), Novosibirsk (Sibirskie Seti, Truenetwork), Armavir (CityTelekom), Chita (Chitatehenergy), Omsk (RusHost), Voronezh (Transtelecom), Volzhskiy.

ValdikSS · December 9, 2021, 2:35pm

Latest RIPE Atlas measurements (sort by “majority” and watch for timeouts)

https://atlas.ripe.net/measurements/34389285/#probes

tango · December 9, 2021, 2:46pm

Is the block on ajax.aspnetcdn.com still present? In the OONI web connectivity test, I see anomalies between 2021-12-01 and 2021-12-08, but the most recent anomaly is 2021-12-08 13:07, and there are many “accessible” measurements since then.

ValdikSS · December 9, 2021, 2:50pm

Yes, it is still getting blocked, but only on some ISP. Not accessible in Moscow from Beeline, Tele2, Yota, but people report from other cities that ajax.aspnetcdn.com works but Tor relays do not.

https://atlas.ripe.net/measurements/34389508/#probes

tango · December 9, 2021, 3:52pm

Patched snowflake-client builds for testing

@cohosh from the Tor anti-censorship team has made updated Snowflake packages to remove the DTLS fingerprint distinguisher found by @ValdikSS. The change is already merged into Tor Browser and will be available in the next release. But you can test the modified snowflake-client now. If any problems are discovered, there is still a short time to make changes for the next Tor Browser release.

The tests require a moderate level of technical ability—you need to replace a file in the Tor Browser folder, or run a command from the command line. Less technical users, it is better to wait for the next release.

Testing with Tor Browser

Download the .tar.gz file for your platform and extract it. Open your Tor Browser directory and find the snowflake-client binary:

platform	location
linux	TorBrowser/Tor/PluggableTransports/snowflake-client
osx	Contents/MacOS/Tor/PluggableTransports/snowflake-client
windows	TorBrowser/Tor/PluggableTransports/snowflake-client.exe

Rename the existing binary to snowflake-client.backup, and copy the binary from the .tar.gz file into its old location.

Start Tor Browser and choose Snowflake from Tor Network Settings.

Testing from the command line

Download the .tar.gz file for your platform and extract it. Go into the directory containing the snowflake-client binary and create a file called torrc.snowflake:

SocksPort auto
UseBridges 1
Bridge snowflake 192.0.2.3:1 2B280B23E1107BB62ABFC40DDCC8824814F80A72
ClientTransportPlugin snowflake exec ./snowflake-client -log snowflake-client.log -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478

Now run tor using that configuration file:

$ tor -f torrc.snowflake

You will know it is working as soon as you see:

new bridge descriptor 'flakey' (fresh): $2B280B23E1107BB62ABFC40DDCC8824814F80A72~flakey at 192.0.2.3

You can also try using the Tor SOCKS proxy port shown in the log:

Opened Socks listener on 127.0.0.1:XXXX

For example,

$ curl --proxy socks5h://127.0.0.1:XXXX/ https://check.torproject.org/ | head
<html lang="en_US">
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>

      Congratulations. This browser is configured to use Tor.

If it does not work, there are logs in the file snowflake-client.log. Logs like the following are a sign of a working connection:

WebRTC: DataChannel.OnOpen
---- Handler: snowflake assigned ----
Traffic Bytes (in|out): 6806 | 134462 -- (19 OnMessages, 138 Sends)
Traffic Bytes (in|out): 1051010 | 33510 -- (854 OnMessages, 169 Sends)
WebRTC: At capacity [1/1]  Retrying...
Traffic Bytes (in|out): 72898 | 10833 -- (85 OnMessages, 29 Sends)
Traffic Bytes (in|out): 3972 | 2363 -- (9 OnMessages, 7 Sends)

ValdikSS · December 9, 2021, 4:04pm

Tor Browser for Android with replaced snowflake: tor-browser-10.5.10-android-armv7-multi-aligned-debugSigned.apk

ValdikSS · December 9, 2021, 5:40pm

Psiphon capture dumps of failed connections.
psiphon-ru-tele2-09dec2021.7z (332.6 KB)

Many psiphon vpn regions work fine, but some do not. Automatic region selection connects successfully.

tango · December 9, 2021, 6:06pm

The Psiphon Data Engine has a region-specific search:
https://psix.ca/d/nyi8gE6Zk/regional-overview?orgId=2&var-region=RU

Public results only go back 14 days, so take a screenshot if you want to make a record. I don’t see any notable change in the graph that ends 2021-12-08.

tango · December 9, 2021, 6:29pm

Updates on Tor obfs4:

Bridges newly added to BridgeDB/Moat are not yet blocked. So it’s possible that Moat will become more usable again as new bridges come online, if the censor does not renew its list.
There’s a new Telegram bot by @meskio for distributing obfs4 bridges. To use it, send /bridges to @GetBridgesBot.
Tor Browser 11.0.2 was released yesterday. It contains a new default obfs4 bridge, which is not blocked yet.

tango · December 11, 2021, 4:52pm

Release candidate builds of Tor Browser with the patched Snowflake are available. These builds also have a new default obfs4 bridge. If no problems are discovered during testing, these builds will become release 11.5a1.

https://people.torproject.org/~boklm/builds/11.5a1-build2/

international · December 11, 2021, 8:38pm

For Telegram users, there is also Telegram: Contact @tor_bridges

gus · December 14, 2021, 2:02am

We need testers to check if our new default bridge is blocked in your ISP. Thanks!

ValdikSS · December 14, 2021, 6:38am

Yota, Beeline, Tele2 — all blocked, as well as my test relay, which was reachable 15 hours ago.

bolvan · December 14, 2021, 7:41am

ISP “tiera” from Saint-Petersburg with TSPU. Tor is blocked

international · December 14, 2021, 1:54pm

When you say “all blocked,” are you talking about the new default bridge mentioned by @gus?

ValdikSS · December 14, 2021, 3:04pm

Yes. This new relay is not accessible from these ISP.

international · December 14, 2021, 3:55pm

So if I am reading this thread correctly, the situation today is:

Blocked

Tor project website
Unobfuscated relays
Widely publicized obfs4 bridges

Open for now

Tor project website mirrors
Snowflake alpha with newest patch
Newly added obfs4 bridges
Meek-azure ?

Last resorts

Private obfs4 bridges
Private pre-proxy (V2Ray or Shadowsocks)

The “last resorts” are limited to those who have the resources to set up a private server, which they could possibly share with trusted contacts.

bolvan · December 14, 2021, 6:53pm

Not all of them. I requested some public bridges and they worked

Also, i use tunelled ipv6 and its not filtered
This in torrc worked :

ClientUseIPv4 0
ClientUseIPv6 1

I don’t know whether TSPU equipped ISPs with ipv6 also block ipv6 tor entry ips
Only a few ISPs in Russia have ipv6

ValdikSS · December 14, 2021, 10:18pm