Russia’s Twitter throttling can give censors unprecedented capabilities


Enlarge /. What happened to Russia’s flag?

Russia has introduced a novel censorship method to silence Twitter. Instead of completely blocking the social media site, the country is using previously invisible techniques to slow down traffic into a crawl and make the site all but unusable for people in the country.

Research released on Tuesday said the throttling slowed traffic between end users from Twitter and Russia to a paltry 128 kbps. While previous internet censorship techniques used by Russia and other nation-states relied on complete blocking, slowing down traffic to and from a widely used internet service is a relatively new technique that offers advantages to the censorship party.

Easy to implement, difficult to work around

“Unlike blocking, which blocks access to the content, throttling aims to degrade the quality of service so that users can barely distinguish the imposed / deliberate throttling from nuanced reasons such as high server load or network congestion,” the researchers said Censored Planet, a platform for measuring censorship that gathers data in more than 200 countries, wrote in a report. “With the proliferation of dual-use technologies, such as deep packet inspection devices (DPIs), throttling is straightforward for government agencies to implement, but difficult for users to map or circumvent.”

The throttling began on March 10, as documented in tweets here and here from Doug Madory, director of internet analytics at internet measurement company Kentik.

In an attempt to slow down traffic destined for or coming from Twitter, Russian regulators have found that Russian regulators are targeting, the domain used to host all of the content shared on the site. All domains with the character string * * (e.g. or were also throttled.

This move created widespread internet problems as affected domains were viewed as practically unusable. The throttling also consumed the memory and CPU resources of the affected servers, as these connections had to maintain much longer than normal.

Roskomnadzor – Russia’s executive body that regulates mass communications in the country – said last month it had throttled Twitter for not removing content related to child pornography, drugs and suicide. The slowdown had an impact on the delivery of audio, video and graphics, but not on Twitter. However, critics of government censorship say Russia is misrepresenting its reasons for limiting Twitter’s availability. Twitter declined to comment on this post.


Are Tor and VPNs affected? May be

Tuesday’s report said the throttling is being done by a large fleet of “middleboxes” that Russian ISPs are installing as close to the customer as possible. That hardware, Censored Planet researcher Leonid Evdokimov told me, is usually a server with a 10 Gbps network interface card and custom software. A central Russian authority gives the boxes instructions as to which domains are to be throttled.

The middleboxes check both the requests sent by Russian end users and the responses returned by Twitter. This means that the new technology may offer features that are not present in older internet censorship programs, such as: For example, filtering connections using VPNs, Tor, and apps to bypass censorship. Ars previously wrote about the servers here.

The middleboxes use deep packet inspection to extract information, including the SNI. The abbreviation for “Server Name Identification” (SNI) is the domain name of the HTTPS website, which is sent in clear text during a normal Internet transaction. Russian censors use the plaintext to more precisely block and throttle websites. Blocking by IP address, on the other hand, can have unintended consequences as it often blocks content that the censor wants to keep.

A countermeasure to bypass the throttling is to use ECH or Encrypted ClientHello. ECH is an update to the Transport Layer Security protocol and prevents blocking or throttling by domains, so censors have to resort to blocking at the IP level. Anti-censorship activists say this leads to what they call “collateral freedom” as the risk of blocking essential services often makes the censor unwilling to accept the collateral damage resulting from blunt blocking of the IP address results.

In total, Tuesday’s report contains seven countermeasures:

  • TLS ClientHello segmentation / fragmentation (implemented in GoodbyeDPI and zapret)
  • TLS ClientHello inflation with padding extension to make it bigger than 1 packet (1500+ bytes)
  • Precede real packets with a fake, encrypted packet of at least 101 bytes
  • Preceding client hello records with other TLS records, e.g. B. Change the encryption specification
  • Keep the connection idle and wait for the throttler to exit
  • Adding a trailing point to the SNI
  • Any encrypted tunnel / proxy / VPN

It is possible that some of the countermeasures are activated by anti-censorship software such as GoodbyeDPI, Psiphon or Lantern. The caveat, however, is that the countermeasures exploit flaws in Russia’s current throttling implementation. That means the ongoing tug-of-war between censors and anti-censorship advocates could prove to be protracted.


Steven Gregory