OONI reports of Tor blocking in certain ISPs since 2021-12-01

Yes, you are right, currently bridgedb doesn’t distribute IPv6 bridges. We want to fix that, but it will take some time:

But Tor Browser comes with an IPv6 built-in bridge, maybe @quantalFox means that bridge? Or you could set up your own bridge and use its IPv6.

Alright, here’s a new vanilla Tor bridge (IPv4 or IPv6):

5.161.66.77:55882
[2a01:4ff:f0:214d::1]:55882

obfs4 bridge:

Bridge obfs4 5.161.66.77:55441 F3EABDE3937418457B993A03F0B2BFDED55B2CB4 cert=xHA5BH3ch7U3nH7W1NEw9L0lAHs2zc3Uc0z/Od74g8eJ5+O/TEgK7dZKdmJ9FqBDZgptOQ iat-mode=0


The first IP (185.151.242.187) is a node created before the Tor block; all TCP connections to it time out.
The second IP (45.144.66.108) is a node created after the Tor block; all connections to it are dropped.
Both IPs in the screenshot are reachable over a VPN; the ISP is DOMRU.

Right now about 12.9% of Tor nodes are reachable from ISP with TSPU DPI systems.
Nmap done: 6702 IP addresses (868 hosts up)

How I tested that:

  1. Extracted router IP addresses from the /var/lib/tor/cached-descriptors file of a long-running Tor relay
  2. Executed an nmap scan from a Russian filtered network: nmap -iL input.txt -n -PS22,80,443,9001 -sn -T4 (remember, TSPU blocks only TCP connectivity, that’s why we can’t rely on nmap’s default ICMP reachability test — this would be a false positive).
  3. Used some of the found ip:port fingerprint combinations as a bridge, confirmed that the connection succeeded.

This could be used to enumerate working IP addresses and publish them as bridges.
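Steps 1 and 3 of the procedure above, as an added example that is not part of the original post: it reads `router` and `fingerprint` lines in the server-descriptor layout, writes the address list for `nmap -iL`, and turns the addresses that answered into `Bridge` lines. The function names and the sample descriptors (documentation-range addresses, made-up fingerprints) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in server-descriptor layout (not real relays):
# documentation-range addresses and made-up fingerprints.
SAMPLE_DESCRIPTORS = """\
@downloaded-at 2021-12-10 12:00:00
router ExampleRelayA 192.0.2.10 9001 0 0
platform Tor 0.4.6.8 on Linux
fingerprint AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
router-signature
router ExampleRelayB 198.51.100.20 443 0 9030
fingerprint BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB
router-signature
router BadAddress 999.1.1.1 9001 0 0
fingerprint CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC
"""

ROUTER_RE = re.compile(r"^router \S+ (\S+) (\d+) \d+ \d+$")
FPR_RE = re.compile(r"[0-9A-F]{40}")


def parse_relays(text):
    """Map relay IPv4 address -> (ORPort, fingerprint); a later descriptor wins."""
    relays, current = {}, None
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            current = None
            try:
                ip = str(ipaddress.IPv4Address(m.group(1)))
            except ValueError:
                continue  # malformed address: skip this descriptor
            port = int(m.group(2))
            if 0 < port < 65536:
                current = (ip, port)
        elif current and line.startswith("fingerprint "):
            fpr = line.split(" ", 1)[1].replace(" ", "").upper()
            if FPR_RE.fullmatch(fpr):
                relays[current[0]] = (current[1], fpr)
            current = None
    return relays


def nmap_targets(relays):
    """One address per line, the format `nmap -iL` reads."""
    return "\n".join(sorted(relays, key=ipaddress.IPv4Address)) + "\n"


def bridge_lines(relays, reachable_ips):
    """Bridge lines for the relays whose address answered the scan."""
    hits = set(reachable_ips) & set(relays)  # ignore hosts we have no descriptor for
    return [f"Bridge {ip}:{relays[ip][0]} {relays[ip][1]}"
            for ip in sorted(hits, key=ipaddress.IPv4Address)]
```

A host that answers the `-PS` probe on one port is not necessarily reachable on its ORPort, which is why the post confirms each candidate by actually connecting through it.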

Good work. So now the list of ways to reach the Tor network goes:

Open for now

  • Snowflake bridge in Tor Browser 11.5a1 release candidate
  • Not-yet-blocked obfs4 bridges, hundreds added recently
  • Not-yet-blocked relays used as vanilla bridges
  • Meek-azure – has anyone tested this?

Last resorts

  • Private obfs4 bridges
  • Private pre-proxy (SS/v2ray)

meek-azure works fine. They’ve unblocked ajax.aspnetcdn.com.

Users from Russia can request bridges through the “request a bridge from torproject.org” mechanism built into Tor Browser. As of December 16, bridges obtained through this mechanism work on all ISPs in Russia.

BRIDGES → USING MOAT

In the desktop browser this is done as follows (settings page):

More detailed information about other ways of circumventing the Tor block: Tor blocked in Russia: how to circumvent censorship - Censorship Circumvention - Tor Project Forum

Today I found that on ISP “tiera” they started to block tcp inside 6in4 tunnels making them mostly useless for any purpose. icmp and udp are not filtered.
It’s a TSPU-equipped ISP. Likely others are affected. ISPs without TSPU are OK.
They broke entire 6in4 tunnel technology, including 6to4 and tunnelbroker.net

NOTE. They are likely reading this. Be careful what you write; do not give them more ideas they can use.

Still available in both:

The author of the tor.encryptionin.space mirror has received Roskomnadzor’s notification:

I updated my tor.encryptionin.space mirror a few days ago, and we then added it to the forum post (about getting around Russian censorship). Today my hosting provider got an email from ROSCOMNADZOR

Dear Sir or Madam,

we received the following notification of ROSCOMNADZOR (the Russian “The Federal Service for Supervision of Communications, Information Technology, and Mass Media”).

Yes, sorry for misunderstanding.

I don’t know if it is related, but TorGuard is not available for me via MTS (both wired and mobile provider). I cannot ping the vast majority of the servers, and any attempt to connect to them results in an infinite connection attempt.

Maybe, they thought that “Tor” in the name is the Tor as in the Tor Browser, not a short-hand for “torrent”. Who knows.

Working IP addresses stopped falling out.
Snowflake and Meek-azure don’t work.
Are there any other working methods?

obfs4 from bridges.torproject.org works fine

There have been 200 new bridges added over the last couple of weeks. Newly issued bridges retrieved from within Tor Browser (“moat”) may work.

Here are 10 working relays which could be used as bridges:


Right now about 900 regular relays are still reachable.

Thank you very much! Through the website and through the browser, some blocked ones come across.

New type of block spotted for a selected number of Tor IP addresses.
Previously Tor bridges and relays were TCP-filtered, but ICMP and UDP worked fine. Now UDP and ICMP are getting filtered (no ping responses), as well as TCP, but this time with a TCP RST reply.

212.109.198.56 is hosted in a Moscow data center.

OBIT, Filtered connection

# traceroute --tcp --port=443 212.109.198.56
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 60 byte packets
 1  _gateway (192.168.69.1)  0.501 ms  0.482 ms  0.694 ms
 2  95-161-156-121.obit.ru (95.161.156.121)  1.498 ms  1.897 ms  2.304 ms
 3  172.29.194.72 (172.29.194.72)  3.726 ms  3.720 ms  3.918 ms
 4  172.29.192.121 (172.29.192.121)  2.278 ms  2.680 ms  2.878 ms
 5  172.29.194.77 (172.29.194.77)  2.457 ms  2.450 ms  2.649 ms
 6  172.29.194.102 (172.29.194.102)  2.436 ms  1.635 ms  1.606 ms
 7  172.29.255.217 (172.29.255.217)  1.801 ms  1.082 ms  1.215 ms
 8  172.29.194.121 (172.29.194.121)  1.616 ms  1.815 ms  1.807 ms
 9  172.29.194.37 (172.29.194.37)  1.800 ms  1.794 ms  1.788 ms
10  vi-xx-0150.brc2.spb.obit.ru (85.114.1.13)  2.409 ms  2.614 ms  2.607 ms
11  gw2-msk.global-ix.ru (109.239.137.252)  12.210 ms  13.357 ms  13.342 ms
12  mail-ru.gw.gblnet.ru (109.239.134.30)  12.505 ms  11.215 ms  11.195 ms
13  * * *
14  * * *
15  * * *
16  stierlitz.rednoize.su (212.109.198.56)  10.862 ms  10.648 ms  11.052 ms
# traceroute --udp 212.109.198.56
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 60 byte packets
 1  _gateway (192.168.69.1)  0.562 ms  0.744 ms  0.722 ms
 2  95-161-156-121.obit.ru (95.161.156.121)  1.529 ms  2.093 ms  2.321 ms
 3  172.29.194.72 (172.29.194.72)  1.920 ms  2.052 ms  2.289 ms
 4  172.29.192.121 (172.29.192.121)  2.482 ms  2.473 ms  2.930 ms
 5  172.29.194.77 (172.29.194.77)  2.911 ms  2.901 ms  2.891 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * *^C
# traceroute --icmp 212.109.198.56
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 60 byte packets
 1  _gateway (192.168.69.1)  0.382 ms  0.588 ms  0.585 ms
 2  95-161-156-121.obit.ru (95.161.156.121)  1.298 ms  1.944 ms  2.113 ms
 3  172.29.194.72 (172.29.194.72)  3.948 ms  3.946 ms  4.129 ms
 4  172.29.192.121 (172.29.192.121)  2.102 ms  2.305 ms  2.540 ms
 5  172.29.194.77 (172.29.194.77)  1.926 ms  1.924 ms  1.922 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * *^C
# curl https://212.109.198.56 -v
*   Trying 212.109.198.56:443...
* connect to 212.109.198.56 port 443 failed: Connection refused
* Failed to connect to 212.109.198.56 port 443 after 11 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 212.109.198.56 port 443 after 11 ms: Connection refused

Regular unfiltered connection (Rostelecom)

# traceroute 212.109.198.56 -n -w1
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 38 byte packets
 1  192.168.100.1  0.489 ms  0.324 ms  0.285 ms
 2  92.101.242.1  3.434 ms  3.281 ms  3.072 ms
 3  212.48.194.52  3.558 ms  3.608 ms  3.327 ms
 4  188.254.2.2  7.173 ms  6.811 ms  6.191 ms
 5  87.226.222.82  6.486 ms  5.854 ms  7.680 ms
 6  *  *  *
 7  109.239.134.30  17.571 ms  16.268 ms  14.943 ms
 8  *  *  *
 9  *  *  *
10  *  *  *
11  212.109.198.56  15.523 ms  15.412 ms  17.446 ms
# curl -vk https://212.109.198.56
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET / HTTP/1.1
> Host: 212.109.198.56
> User-Agent: curl/7.74.0
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Server: nginx/1.14.2
< Date: Mon, 20 Dec 2021 10:05:27 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< 
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>

Previously TCP Traceroute showed no hops for this IP address, as seen in the quoted message. Now it also shows the same hops as 212.109.198.56.

% sudo traceroute 154.35.175.225 -n --tcp --port=443
traceroute to 154.35.175.225 (154.35.175.225), 30 hops max, 60 byte packets
 1  192.168.69.1  0.524 ms  0.507 ms  0.703 ms
 2  95.161.156.121  1.310 ms  1.919 ms  2.115 ms
 3  172.29.194.72  2.098 ms  2.297 ms  2.290 ms
 4  172.29.192.121  2.488 ms  2.684 ms  2.883 ms
 5  172.29.194.77  2.469 ms  2.463 ms  2.457 ms
 6  * * *
 7  * * *
 8  * * *
…

Seems like TSPU connection scheme or its configuration has been changed.
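The two filtering behaviours compared in the post above (silent TCP drop with ICMP still answering, versus TCP RST with ICMP also filtered) can be told apart from a single connect attempt plus a ping result. The following is an added example, not code from the original post; `classify_tcp` and `block_signature` are hypothetical names, the ICMP result is supplied by the caller (for example from `ping`), and the control result comes from an unfiltered vantage point such as the Rostelecom line in the post.

```python
import errno
import socket


def classify_tcp(host, port, timeout=3.0):
    """One TCP connect attempt: 'open', 'rst', 'timeout' or 'error:<ERRNO>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "rst"      # an RST came back: "Connection refused" in curl
    except (socket.timeout, TimeoutError):
        return "timeout"  # SYN silently dropped somewhere on the path
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, "unknown")
    finally:
        s.close()


def block_signature(tcp_result, icmp_replies, open_from_control):
    """Interpret a probe from the filtered network against a control probe.

    open_from_control: the same host:port accepted a connection from an
    unfiltered network. Without it, an RST may just be a closed port.
    """
    if tcp_result == "open":
        return "reachable"
    if not open_from_control:
        return "inconclusive"  # host may be down or the port closed
    if tcp_result == "timeout" and icmp_replies:
        return "tcp-drop"      # earlier behaviour: only TCP is filtered
    if tcp_result == "rst" and not icmp_replies:
        return "rst-all-proto" # newer behaviour: RST for TCP, ICMP filtered too
    return "other-filtering"
```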

I happened to be checking something and opened a page in Tor Browser. I clicked on the padlock icon to show my circuit. The middle node was inside Russia. I did not know this was possible.