Updates on Kazakhstan Internet Censorship

by phobos | March 2, 2012

Two weeks ago we announced the use of deep packet inspection to censor the Internet in Kazakhstan. Over those two weeks we've continued working on how they are blocking native tor connections. The good news is that our obfsproxy bundle continues to work well in country. Thanks to wanoskarnet, ann, and others for their help.

We have some network-level data captures at both ends to help us assess what is occuring. It seems the Kazakhstan firewall finds something unique in the TLS "Server Hello" message as sent by the Tor relay or bridge and therefore blocks subsequent communications. IP address and TCP port are irrelevant to the censorship. Research continues. Anonymized network flows are available here:

.kz client to relay: https://media.torproject.org/misc/2012-02-28-tor-kz-client-flow.txt

and

the relay view of that same conversation: https://media.torproject.org/misc/2012-02-28-tor-kz-bridge-relay-flow.t…

Here's a graph of what this censorship looks like nationwide. The red dots are probable censorship events.
. The full image is here, https://media.torproject.org/image/blog-images/direct-users-off-2011-12…

Comments

Please note that the comment area below has been archived.

March 02, 2012

Permalink

Offtopic, but I have a bit of a question.
Are there any security risks/is is plausible to set up a web-based proxy? I'm saying to set it up similarily to Glype(You visit a url, and it serves your webpages. It acts as your browser for you, and it acts as a proxy. Websites see this glype'd website's IP instead of yours), but instead of it serving the server's IP, it takes advantage of TOR relays. Anyways, is it plausible, and would people use it?
~Jarwain

March 02, 2012

Permalink

What about filering on certificate on the server hello ?

I think about Subject commonName of Certificate used by tor.
Example:
- A simple rule: does the commonName resolve to DNS ? (and not wildcard)
- A more complex: what is entropy of commonName ? (as Tor use strong alea fo generation of commonName, with www.XXXXXXX.net)

Or more simple using length of certificate, as Tor certificate are simple (the issuer is not a chain a certificate) and so, there are short: certificate length < 500.
A wireshark rule like: "ssl.handshake.certificate_length < 500" report only tor connection for me (but not test on a big connection pool).

Hope that help.

March 03, 2012

Permalink

Hello Tor project.
Im user from Kazakhstan, i cant use Tor, because my ISP block this.
I downloaded obfsprohy, but it did not help. Please contact me, please. Those who can help me.
E-mail: millermax34@gmail.com

March 03, 2012

Permalink

Tor check told me I wasn't using Tor with this IP:

93.114.43.29

A search led me to your Tor's Dec 2011 status report comments section where another user posted the same error.

This IP does not appear at blutmagie's tor node listing site as of this posting date, it too said I wasn't using Tor, but I am.

Please backlist this IP address: 93.114.43.29

As it appears something, "funny" is going on here.

March 04, 2012

Permalink

Thanks a lot for the tip (and your work for developing essential for us software). Downloaded the obfsproxy bundle and it works.
Our gov's cencorship struggle sucks.

March 10, 2012

Permalink

In Kazakhstan, completely blocked Tor and bridges!

Works only obfsproxy-bundle.

Nazarbayev - fu...ing fascist, destroying their own people!!!

March 10, 2012

Permalink

Hi. I'm from Kazakhstan. Seems that tor 0.2.2.29-beta works !
I'd like to try this bundle from another place, but can't find win32 distro...
(i wrote this using tor right now ;)

March 11, 2012

Permalink

For Kazakhtelecom users: simple tor bundle 0.2.2.29 is working at some business networks, but not in home adsl. At "home adsl" network "tor obfuscating bundle" (0.2.3.13) working ok. Good news, but we need more obfs2 bridges in future.

Hi! ( Privet bratan! )

Where did you find the version (obfuscating bundle) (0.2.3.13) ?

The site has only version (obfsproxy-browser-bundle-2.3.12-3)

March 12, 2012

Permalink

Obfuscating bundle also working here for me (in Astana). Note: I have also noticed some business connections (one through KazTransCom, though they feed into KazTelecom's network) are NOT censoring some sites like Wordpress, Livejournal, etc. where home connections through Megaline still ARE. Some selective censoring going on? "Technical problems." That excuse didn't fly well in Tajikistan recently....

March 21, 2012

Permalink

Today, GFW in china was updated either. I have tried obfsproxy, but it did not work. I can ping through all ip address in that bundle, yet still can't connect to the tor network.
Here is the message log:
Mar 21 19:27:07.285 [Notice] Heartbeat: Tor's uptime is 0:00 hours, with 0 circuits open. I've sent 0 kB and received 0 kB.
Mar 21 19:27:09.658 [Notice] Bootstrapped 5%: Connecting to directory server.
Mar 21 19:27:09.658 [Notice] Bootstrapped 10%: Finishing handshake with directory server.
Mar 21 19:27:13.108 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 10; recommendation warn)
Mar 21 19:27:13.108 [Warning] 11 connections have failed:
Mar 21 19:27:13.108 [Warning] 10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
Mar 21 19:27:13.108 [Warning] 1 connections died in state handshaking (proxy) with SSL state (No SSL object)
Mar 21 19:27:13.201 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 11; recommendation warn)
Mar 21 19:27:13.201 [Warning] 12 connections have failed:
Mar 21 19:27:13.217 [Warning] 11 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
Mar 21 19:27:13.217 [Warning] 1 connections died in state handshaking (proxy) with SSL state (No SSL object)

March 21, 2012

Permalink

Obfsproxy doesn't work in china.
Here is the message log:
Mar 21 19:40:58.570 [Notice] Heartbeat: Tor's uptime is 0:00 hours, with 0 circuits open. I've sent 0 kB and received 0 kB.
Mar 21 19:41:01.021 [Notice] Bootstrapped 5%: Connecting to directory server.
Mar 21 19:41:01.021 [Notice] Bootstrapped 10%: Finishing handshake with directory server.
Mar 21 19:41:05.282 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 10; recommendation warn)
Mar 21 19:41:05.313 [Warning] 12 connections have failed:
Mar 21 19:41:05.313 [Warning] 10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
Mar 21 19:41:05.313 [Warning] 2 connections died in state handshaking (proxy) with SSL state (No SSL object)