Kazakhstan upgrades censorship to deep packet inspection

by phobos | February 16, 2012

In December 2011 we were aware of Kazakhstan increasing Internet censorship in response to some unrest and protests in Zhanaozen in the west. The censorship was then deployed around the country, in many cases with the full support of the populace. The initial invesitgation showed simple IP address blocking coupled with basic dns censorship. Tor continued to work without incident until this week.

JSC KazTransCom, AS35104, has deployed or begun testing deep packet inspection (dpi) of all Internet traffic. They specifically target SSL-based protocols for blocking. This includes Tor, IPsec, and PPTP-based technologies, as well as some SSL-based VPNs. Business and private users of these technologies are equally affected.

An example of the censorship, as recorded by volunteers in country, can be found in this network flow diagram. Kazakhstan is identifying and blocking the SSL client key exchange during the setup of an SSL connection. This graph shows the effects of this deployment of censorship based on dpi.

Luckily, due to our recent experience with Iran we have an answer for people: use obfsproxy. Obfsproxy continues to work in Kazakhstan, as well as Iran. In fact, it works in any country where dpi is used to censor citizens' access to the Internet.

Thank you to the volunteers for spending their Valentine's Day collecting and analyzing data.


Please note that the comment area below has been archived.

February 16, 2012


I think Australia or Google or IE are trying to block TOR websites I am a IT consultant in Australia and I am having a lot of trouble trying to download and install the TOR web-browser setup on my clients computers, I have tried different internet providers and still have the same problem Ie page cannot be loaded however if I use the TOR network bingo it the package downloads fine just wondering if anyone else is having the same problems.

Australia has a track record of blocking access to numerous websites, it could be that they block Tor to prevent people from overcoming their censorship list. I don't think Google has anything to do with it :)

February 17, 2012


Comments made in bug #4902 about #3962 indicate some deep trouble in how Tor is developed, with real privacy improvements sitting in limbo because effectively nobody can merge the code. I love what you're doing to fight the power, but don't forget to take good care of your project governance.

February 18, 2012


I recommend this:

"Is your ISP interfering with your BitTorrent connections? Cutting off your VOIP calls? Undermining the principles of network neutrality? In order to answer those questions, concerned Internet users need tools to test their Internet connections and gather evidence about ISP interference practices. After all, if it weren't for the testing efforts of Rob Topolski, the Associated Press, and EFF, Comcast would still be stone-walling about their now-infamous BitTorrent blocking efforts.

Developed by the Electronic Frontier Foundation, Switzerland is an open source software tool for testing the integrity of data communications over networks, ISPs and firewalls. It will spot IP packets which are forged or modified between clients, inform you, and give you copies of the modified packets."

:: https://www.eff.org/pages/switzerland-network-testing-tool

"Before you run Switzerland, be sure to check out the notes about privacy, security, and firewalls. Switzerland is currently in alpha release as a command line tool. In other words, right now it is aimed at relatively sophisticated users. However, because it's an open source effort, we anticipate making it easier to use over time (please please please let us know by email, by IRC, or by filing bugsif you're running the client but it isn't working for you — we've seen some clients reconnecting in cycles that makes us think there's a bug we should fix!).

Switzerland is designed to detect the modification or injection of packets of data traveling over IP networks, including those introduced by anti-P2P tools from Sandvine (widely believed to be used by Comcast to interfere with BitTorrent uploads) and AudibleMagic, advertising injection systems like FairEagle, censorship systems like the Great Firewall of China, and other systems that we don't know about yet."

===> On the same topic, but previously/older work:


Older tool (note: use Switzerland above instead) missing from EFF's site but archived here:

- pcapdiff-0.1.tar.gz
:: http://web.archive.org/web/20110712170326/https://www.eff.org/testyouri…

===> "Detecting packet injection: a guide to observing packet spoofing by ISPs"

:: (Intro): http://web.archive.org/web/20110712163418/https://www.eff.org/wp/detect…

:: (PDF): http://web.archive.org/web/20110712163418/https://www.eff.org/files/pac…

"Certain Internet service providers have begun to interfere with their users' communications by injecting forged or spoofed packets - data that appears to come from the other end but was actually generated by an Internet service provider (ISP) in the middle. This spoofing is one means (although not the only means) of blocking, jamming, or degrading users' ability to use particular applications, services, or protocols. One important means of holding ISPs accountable for this interference is the ability of some subscribers to detect and document it reliably. We have to learn what ISPs are doing before we can try to do something about it. Internet users can often detect interference by comparing data sent at one end with data received at the other end of a connection.

Techniques like these were used by EFF and the Associated Press to produce clear evidence that Comcast was deliberately interfering with file sharing applications; they have also been used to document censorship by the Great Firewall of China. In each of these cases, an intermediary was caught injecting TCP reset packets that caused a communication to hang up - even though the communicating parties actually wanted to continue talking to one another. In this document, we describe how to use a network analyzer like Wireshark to run an experiment with a friend and detect behavior like this. Please note that these instructions are intended for use by technically experienced individuals who are generally familiar with Internet concepts and are comfortable installing software, examining and modifying their computers' administrative settings, and running programs on a command line."

February 19, 2012


Okay, so the million-dollar question: what (if any) Western companies are selling the technology to Kazakhstan to enable this?

February 20, 2012


It sounds to me like encryption is going to have to become the word of the day, to prevent this kind of censorship anywhere in the world.

April 26, 2012


I'm from Kazakhstan. I just can't believe thing like this happening in my country. It cannot be explained.