OONI reports of Tor blocking in certain ISPs since 2021-12-01

Thank you very much! Through the website and through the browser, some blocked ones come across.

New type of block spotted for a selected number of Tor IP addresses.
Previously Tor bridges and relays were TCP-filtered, but ICMP and UDP worked fine. Now UDP and ICMP are getting filtered (no ping responses), as well as TCP, but this time with a TCP RST reply.

212.109.198.56 is hosted in a Moscow data center.

OBIT, Filtered connection

# traceroute --tcp --port=443 212.109.198.56
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 60 byte packets
 1  _gateway (192.168.69.1)  0.501 ms  0.482 ms  0.694 ms
 2  95-161-156-121.obit.ru (95.161.156.121)  1.498 ms  1.897 ms  2.304 ms
 3  172.29.194.72 (172.29.194.72)  3.726 ms  3.720 ms  3.918 ms
 4  172.29.192.121 (172.29.192.121)  2.278 ms  2.680 ms  2.878 ms
 5  172.29.194.77 (172.29.194.77)  2.457 ms  2.450 ms  2.649 ms
 6  172.29.194.102 (172.29.194.102)  2.436 ms  1.635 ms  1.606 ms
 7  172.29.255.217 (172.29.255.217)  1.801 ms  1.082 ms  1.215 ms
 8  172.29.194.121 (172.29.194.121)  1.616 ms  1.815 ms  1.807 ms
 9  172.29.194.37 (172.29.194.37)  1.800 ms  1.794 ms  1.788 ms
10  vi-xx-0150.brc2.spb.obit.ru (85.114.1.13)  2.409 ms  2.614 ms  2.607 ms
11  gw2-msk.global-ix.ru (109.239.137.252)  12.210 ms  13.357 ms  13.342 ms
12  mail-ru.gw.gblnet.ru (109.239.134.30)  12.505 ms  11.215 ms  11.195 ms
13  * * *
14  * * *
15  * * *
16  stierlitz.rednoize.su (212.109.198.56)  10.862 ms  10.648 ms  11.052 ms

# traceroute --udp 212.109.198.56
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 60 byte packets
 1  _gateway (192.168.69.1)  0.562 ms  0.744 ms  0.722 ms
 2  95-161-156-121.obit.ru (95.161.156.121)  1.529 ms  2.093 ms  2.321 ms
 3  172.29.194.72 (172.29.194.72)  1.920 ms  2.052 ms  2.289 ms
 4  172.29.192.121 (172.29.192.121)  2.482 ms  2.473 ms  2.930 ms
 5  172.29.194.77 (172.29.194.77)  2.911 ms  2.901 ms  2.891 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * *^C

# traceroute --icmp 212.109.198.56
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 60 byte packets
 1  _gateway (192.168.69.1)  0.382 ms  0.588 ms  0.585 ms
 2  95-161-156-121.obit.ru (95.161.156.121)  1.298 ms  1.944 ms  2.113 ms
 3  172.29.194.72 (172.29.194.72)  3.948 ms  3.946 ms  4.129 ms
 4  172.29.192.121 (172.29.192.121)  2.102 ms  2.305 ms  2.540 ms
 5  172.29.194.77 (172.29.194.77)  1.926 ms  1.924 ms  1.922 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * *^C

# curl https://212.109.198.56 -v
*   Trying 212.109.198.56:443...
* connect to 212.109.198.56 port 443 failed: Connection refused
* Failed to connect to 212.109.198.56 port 443 after 11 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 212.109.198.56 port 443 after 11 ms: Connection refused

Regular unfiltered connection (Rostelecom)

# traceroute 212.109.198.56 -n -w1
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 38 byte packets
 1  192.168.100.1  0.489 ms  0.324 ms  0.285 ms
 2  92.101.242.1  3.434 ms  3.281 ms  3.072 ms
 3  212.48.194.52  3.558 ms  3.608 ms  3.327 ms
 4  188.254.2.2  7.173 ms  6.811 ms  6.191 ms
 5  87.226.222.82  6.486 ms  5.854 ms  7.680 ms
 6  *  *  *
 7  109.239.134.30  17.571 ms  16.268 ms  14.943 ms
 8  *  *  *
 9  *  *  *
10  *  *  *
11  212.109.198.56  15.523 ms  15.412 ms  17.446 ms

# curl -vk https://212.109.198.56
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET / HTTP/1.1
> Host: 212.109.198.56
> User-Agent: curl/7.74.0
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Server: nginx/1.14.2
< Date: Mon, 20 Dec 2021 10:05:27 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< 
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>

Previously, TCP traceroute showed no hops for this IP address, as seen in the quoted message. Now it also shows the same hops as 212.109.198.56.

% sudo traceroute 154.35.175.225 -n --tcp --port=443
traceroute to 154.35.175.225 (154.35.175.225), 30 hops max, 60 byte packets
 1  192.168.69.1  0.524 ms  0.507 ms  0.703 ms
 2  95.161.156.121  1.310 ms  1.919 ms  2.115 ms
 3  172.29.194.72  2.098 ms  2.297 ms  2.290 ms
 4  172.29.192.121  2.488 ms  2.684 ms  2.883 ms
 5  172.29.194.77  2.469 ms  2.463 ms  2.457 ms
 6  * * *
 7  * * *
 8  * * *
…

Seems like the TSPU connection scheme or its configuration has been changed.
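The per-protocol comparison made in the traces above can be automated. The following is an added example, not part of the original posts: it parses Linux `traceroute` output (IPv4 only) and reports, for each probe type, whether the target answered and which hop was the last to respond. The sample traces and all addresses in them are constructed.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")  # IPv4 only

def parse_traceroute(text):
    """Return (target, [(ttl, addr or None), ...]) from Linux traceroute output."""
    target, hops = None, []
    for line in text.splitlines():
        if line.startswith("traceroute to "):
            target = ADDR_RE.search(line).group(1)
            continue
        m = HOP_RE.match(line)
        if m:  # a hop line; "* * *" and "* *^C" carry no address
            a = ADDR_RE.search(m.group(2))
            hops.append((int(m.group(1)), a.group(1) if a else None))
    return target, hops

def compare(traces):
    """traces: {protocol: traceroute text}. Summarise where each probe type stops."""
    out = {}
    for proto, text in traces.items():
        target, hops = parse_traceroute(text)
        seen = [h for h in hops if h[1]]
        ttl, addr = seen[-1] if seen else (None, None)
        reached = addr is not None and addr == target
        out[proto] = {"reached": reached, "last_ttl": ttl, "last_addr": addr}
    return out

def silent_boundary(summary):
    """If every failing protocol goes silent after the same hop, return that hop."""
    stops = {s["last_addr"] for s in summary.values() if not s["reached"]}
    return stops.pop() if len(stops) == 1 else None

# Constructed sample traces (documentation addresses, not real measurements).
TCP = """traceroute to 203.0.113.9 (203.0.113.9), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  0.5 ms  0.4 ms  0.6 ms
 2  10.0.0.5 (10.0.0.5)  2.4 ms  2.4 ms  2.6 ms
 3  * * *
 4  host.example (203.0.113.9)  10.8 ms  10.6 ms  11.0 ms"""
ICMP = """traceroute to 203.0.113.9 (203.0.113.9), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  0.3 ms  0.5 ms  0.5 ms
 2  10.0.0.5 (10.0.0.5)  1.9 ms  1.9 ms  1.9 ms
 3  * * *
 4  * *^C"""

SUMMARY = compare({"tcp": TCP, "udp": ICMP, "icmp": ICMP})
print(SUMMARY, silent_boundary(SUMMARY))
```

For TCP, `reached` only means that a reply carrying the target's address came back, which a reset also satisfies; the `curl` output is what shows whether the service itself answers.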

I happened to be checking something and opened a page in Tor Browser. I clicked on the padlock icon to show my circuit. The middle node was inside Russia. I did not know this was possible.

Tor filtering is done using a government black box called TSPU. Not all providers have them.
Tor is not blocked if TSPU is not present. According to the Tor Metrics graph, directly connecting users decreased only by 1/3. This indicates TSPU is not everywhere.
Also, there are datacenters that are mostly unfiltered.

UPD: I checked this morning: meek is working.

I have run a VPS with a Tor bridge for two weeks. I have never connected to it. I noticed that some ISPs (AS15582, AS25513) began to block it very soon. I receive a TCP RST when I try to connect to my VPS via SSH.
But many other Tor nodes are still TCP-filtered; ICMP and UDP work fine.

Maybe some nodes are blocked by ISP (TCP-filtered) and some other nodes are blocked by TSPU in another place (IXP)?

Rostelecom, Sverdlovsk Oblast, Tor Browser 11.0.3 (based on Mozilla Firefox 91.4.1esr) (64-bit), GNU/Linux.

1/5/22, 11:50:42.391 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/5/22, 11:50:43.787 [NOTICE] Opening Socks listener on 127.0.0.1:9150
1/5/22, 11:50:43.787 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150
1/5/22, 11:50:44.396 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
1/5/22, 11:50:44.397 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
1/5/22, 11:50:44.516 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 31.19.177.147:9030 ID=<none> RSA_ID=FA6DE2541AF0C13CD0DADB1C12E2D90EA07C29DD ("general SOCKS server failure")
1/5/22, 11:50:44.579 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 44.76.6.29:8443 ID=<none> RSA_ID=519FBC05C0F2826A2DA3D2363E448FE1D8268276 ("general SOCKS server failure")
1/5/22, 11:50:45.489 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 31.19.177.147:9030 ID=<none> RSA_ID=FA6DE2541AF0C13CD0DADB1C12E2D90EA07C29DD ("general SOCKS server failure")
1/5/22, 11:50:45.583 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 44.76.6.29:8443 ID=<none> RSA_ID=519FBC05C0F2826A2DA3D2363E448FE1D8268276 ("general SOCKS server failure")
1/5/22, 11:50:46.577 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 44.76.6.29:8443 ID=<none> RSA_ID=519FBC05C0F2826A2DA3D2363E448FE1D8268276 ("general SOCKS server failure")
1/5/22, 11:50:47.499 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 31.19.177.147:9030 ID=<none> RSA_ID=FA6DE2541AF0C13CD0DADB1C12E2D90EA07C29DD ("general SOCKS server failure")
1/5/22, 11:50:47.588 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 44.76.6.29:8443 ID=<none> RSA_ID=519FBC05C0F2826A2DA3D2363E448FE1D8268276 ("general SOCKS server failure")
1/5/22, 11:50:49.521 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 31.19.177.147:9030 ID=<none> RSA_ID=FA6DE2541AF0C13CD0DADB1C12E2D90EA07C29DD ("general SOCKS server failure")
1/5/22, 11:50:49.611 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 44.76.6.29:8443 ID=<none> RSA_ID=519FBC05C0F2826A2DA3D2363E448FE1D8268276 ("general SOCKS server failure")
1/5/22, 11:50:54.515 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 31.19.177.147:9030 ID=<none> RSA_ID=FA6DE2541AF0C13CD0DADB1C12E2D90EA07C29DD ("general SOCKS server failure")
1/5/22, 11:50:54.596 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 44.76.6.29:8443 ID=<none> RSA_ID=519FBC05C0F2826A2DA3D2363E448FE1D8268276 ("general SOCKS server failure")
1/5/22, 11:51:03.930 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
1/5/22, 11:51:03.930 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/5/22, 11:51:03.930 [WARN] Pluggable Transport process terminated with status code 0
1/5/22, 11:51:04.694 [NOTICE] Opening Socks listener on 127.0.0.1:9150
1/5/22, 11:51:04.694 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150
1/5/22, 11:51:05.525 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 31.19.177.147:9030 ID=<none> RSA_ID=FA6DE2541AF0C13CD0DADB1C12E2D90EA07C29DD ("general SOCKS server failure")
1/5/22, 11:51:05.607 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 44.76.6.29:8443 ID=<none> RSA_ID=519FBC05C0F2826A2DA3D2363E448FE1D8268276 ("general SOCKS server failure")

These are attempts to connect to bridges obtained through BridgeDB. It seems it does not connect to bridges obtained by email either.

I also had the tor daemon running. I turned it off, thinking that was the cause, but nothing changed.

$ traceroute 212.109.198.56 -n -w1
traceroute to 212.109.198.56 (212.109.198.56), 30 hops max, 60 byte packets
 1  192.168.1.1  1.189 ms  1.168 ms  1.568 ms
 2  87.226.146.223  9.134 ms  9.338 ms  9.561 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

FA6DE2541AF0C13CD0DADB1C12E2D90EA07C29DD
First Seen
2021-12-28 14:32:46

519FBC05C0F2826A2DA3D2363E448FE1D8268276
First Seen
2021-12-30 04:26:30

Bridge distribution mechanism
Moat

Fresh ones.

Moat won't hand out these bridges to Moscow addresses.

A leak from BridgeDB?
Or does TSPU solve captchas too? (and can it do mining as well?)

Or will it?


Interesting peaks.

Oops. This data may be wrong.

Please try a bridge from our Telegram bot: @GetBridgesBot.

We removed blocked bridges from being distributed to Russian users early in December, but since then, the censors have already blocked many new bridges. We will do a new cleanup soon.

1/5/22, 17:21:56.935 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/5/22, 17:21:57.149 [NOTICE] New control connection opened from 127.0.0.1.
1/5/22, 17:21:57.149 [NOTICE] New control connection opened from 127.0.0.1.
1/5/22, 17:23:06.894 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/5/22, 17:23:06.894 [NOTICE] Switching to guard context "default" (was using "bridges")
1/5/22, 17:23:11.712 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/5/22, 17:23:11.713 [NOTICE] Switching to guard context "bridges" (was using "default")
1/5/22, 17:23:14.262 [NOTICE] Opening Socks listener on 127.0.0.1:9150
1/5/22, 17:23:14.262 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150
1/5/22, 17:23:15.623 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
1/5/22, 17:23:15.624 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
1/5/22, 17:23:15.825 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:16.849 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:18.896 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:20.786 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:22.887 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:27.903 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:28.823 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:29.847 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:30.804 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:32.918 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:36.909 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:42.810 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:51.852 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 78.47.198.110:59572 ID=<none> RSA_ID=C05F217B73D40F00F90045B0E9E210FBCA92AFF7 ("general SOCKS server failure")
1/5/22, 17:23:54.617 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
1/5/22, 17:23:54.617 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
1/5/22, 17:23:54.626 [WARN] Pluggable Transport process terminated with status code 0
1/5/22, 17:23:55.468 [NOTICE] Opening Socks listener on 127.0.0.1:9150
1/5/22, 17:23:55.468 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150

I’ve already tried.

It started working through BridgeDB bridges.

Perhaps they were testing a mode where only permitted protocols work. On Rutracker people also noted anomalies with obfuscated bridges over Rostelecom, but it all went away and was put down to holiday network overload.

Bridges are blocked only on TSPU. At Rostelecom it "appears" and "disappears" chaotically. See "Массовое внедрение ТСПУ в Ростелекоме" (Mass deployment of TSPU at Rostelecom) - #4 by ValdikSS

There aren't so many bridges that a company of FSB cadets couldn't scan them all manually.
Yes, they'll sit people down, give them all sorts of proxies/VPSes, build a convenient tool, and do it by hand.
Although modern AI is quite capable of recognizing captchas like the ones Tor Browser shows, it isn't worth the effort; it's easier to put people to work.
They say a million Chinese people in China sit monitoring the Chinese internet.