The TSPU equipment (technical means of countering threats) is shown in red: "black boxes" from RKN that telecom operators install, with power supply, in separate racks at their sites throughout the country, but to which they have no access.
On March 10, 2021, at 10 am Moscow time, the Runet began playing by new rules. Roskomnadzor began to "slow down" 100% of mobile and 50% of broadband traffic of the microblogging service Twitter.
This was followed by several significant events. A global failure of Rostelecom's equipment disrupted access to state sites and the operator's network for half a day. More than 113 thousand domains were caught in the RKN "slowdown" loop because their names contain "t.co", the short Twitter domain to which the TSPU equipment responds.
Habr, together with colleagues from RosKomSvoboda, tried to explain why such a situation became possible, what users should do now, and how events will develop with Twitter and other social networks.
How did it happen that Roskomnadzor has the technical ability to slow down websites?
There is no official public information on how exactly RKN does this. The agency began preparing in the summer of 2019. It was then that the territorial departments of Roskomnadzor began sending telecom operators throughout Russia requests for information about traffic exchange points, as well as connection diagrams for providers' equipment. It was by integrating the special TSPU equipment into these schemes that RKN employees gained the ability to "control" the Runet.
On November 1, 2019, the law on the isolation of the Runet came into force. Roskomnadzor and telecom operators began full testing of equipment that makes it possible to change traffic routing and filter out unwanted content. The DPI (Deep Packet Inspection) system operates at different levels of the OSI model (from the second to the seventh) for protocols, applications and services, including multicast and service protocols. The Urals Federal District was selected for the first tests of the universal traffic filtering system (DPI). It is likely that some providers in the Murmansk region have also carried out similar DPI testing.
Because of Roskomnadzor's secrecy, it is not yet known exactly what kind of equipment is supplied for the "sovereign Runet", but judging by the RDP.RU product range, one can assume that these are mainly systems based on EcoDPI.
Not long ago, telecom operators stated that no ready-made system fully met the requirements of Russian legislation for "looking" inside SNI, determining the domain, and performing deeper, extended traffic analysis.
The TSPU kits from RKN analyze all of the users' Internet traffic (packets) by a number of parameters and decide whether to let it through (the default), limit its speed (the rules for Twitter) or block it (for prohibited sites). RKN specialists set up and manage the elements of the TSPU.
RKN turned on specially tuned TSPU equipment in Russia this morning in order to shape traffic and thereby limit the speed of access to Twitter resources. In practice, the limit is applied by domain name, using DPI, and not only to the Twitter domains directly but also to Akamai CNAMEs. In particular, video content slowdown is seen on video.twimg.com, eip-ntt.video.twimg.com.akahost.net and video.twimg.com.eip.akadns.net, but not on more technical domains like cs531.wpc.edgecastcdn.net. When the service's IP address is accessed directly, without SNI, the speed remains high. Passive DPI bypass helps to bypass slowdowns, for example when using nfqws.
The activation of TSPU led to RKN shaping many other domains as well. Now on the Runet, any domain that contains the string t.co (the short Twitter domain) anywhere in its name is slowed down. For example, rt.com, reddit.com, microsoft.com and githubusercontent.com were caught up in it. The check inserted into the TSPU logic slows down everything matching .*t.co.* instead of, for example, ^t.co$.
As a result, according to initial estimates, more than 113 thousand hosts fell under the Roskomnadzor speed limit, including icloud-content.com, pinterest.com, microsoft.com, blogspot.com, snapchat.com, googleusercontent.com (a special domain for distributing various files from Google, incl. media), deviantart.com, beget.com (Russian hoster), appspot.com (domains of the Google App Engine service), *.steamcontent.com, dropboxusercontent.com, digicert.com, championat.com, eset.com, avast.com.
More detailed list (source: ValdikSS)
It is likely that this is indirectly or directly related to the outage of RTK services, since the TSPU processed and slowed down all resources that contain the sequence t.co. For example, www.rtcomm.ru and subdomains like ns01.rtcomm.ru and so on were affected. Such a problem could arise from carelessly written blocking rules: in the common syntax of regular expressions, an unescaped period matches any character.
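The difference between the rule shapes discussed above, as an added example that is not from the original article or from any TSPU configuration: it runs the reported substring rule, the same rule with the dot escaped, and a label-anchored rule over hostnames named in the article. The rule names, the helper functions and the hostnames marked as constructed are assumptions, as is the choice to treat subdomains of t.co as in scope.

```python
import re

# Rule as the article reports it: substring match with an unescaped dot.
BROAD = re.compile(r".*t.co.*")
# Same substring rule with the dot escaped: narrower, but still unanchored.
ESCAPED = re.compile(r".*t\.co.*")
# Anchored at label boundaries: t.co itself or a subdomain of it
# (assumption: subdomains are in scope; drop the group for an exact match).
ANCHORED = re.compile(r"^(?:[a-z0-9-]+\.)*t\.co$")

RULES = {"broad": BROAD, "escaped": ESCAPED, "anchored": ANCHORED}

def normalize(host):
    """Lower-case and strip the trailing root dot so 'T.CO.' equals 't.co'."""
    return host.strip().rstrip(".").lower()

def audit(hosts):
    """Return {rule name: sorted hosts that the rule would select}."""
    hits = {name: set() for name in RULES}
    for raw in hosts:
        host = normalize(raw)
        for name, rx in RULES.items():
            if rx.fullmatch(host):
                hits[name].add(host)
    return {name: sorted(found) for name, found in hits.items()}

def collateral(hosts, intended="anchored"):
    """Hosts each rule selects beyond what the intended rule selects."""
    result = audit(hosts)
    wanted = set(result[intended])
    return {name: sorted(set(found) - wanted)
            for name, found in result.items() if name != intended}

# Hostnames named in the article, plus three constructed ones (marked).
SAMPLE = [
    "t.co", "rt.com", "reddit.com", "microsoft.com", "githubusercontent.com",
    "video.twimg.com",
    "T.CO.",           # constructed: case and root-dot variant of the target
    "taco.example",    # constructed: only the unescaped dot matches this
    "static.example",  # constructed: should match no rule
]

if __name__ == "__main__":
    for rule, extra in collateral(SAMPLE).items():
        print(f"{rule:8} over-matches: {extra}")
```

Note that ^t.co$ as written still leaves the dot unescaped, so it would also match a four-character name such as "taco"; the anchored rule above escapes it.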
Now rt.com is no longer shaped in some regions. Most likely, this resource was urgently included in the exceptions in the TSPU, but not everywhere.
Why does Roskomnadzor have the legal ability to slow down sites?
It has had this ability since the beginning of this year, in accordance with Federal Law No. 482-FZ of December 30, 2020, "On Amendments to the Federal Law 'On Measures of Influence on Persons Involved in Violations of Fundamental Human Rights and Freedoms, Rights and Freedoms of Citizens of the Russian Federation'" (pages 5-6), and also in accordance with the law "On Information, Information Technology and Information Protection" (149-FZ), after RKN included the dissemination of information via the Twitter Internet service in its list of threats.
It is under the text of Federal Law No. 482 of December 30, 2020 that RKN can restrict, in whole or in part, the access of Russian users to a problematic service on the Internet. This is what the agency has begun to do, taking centralized response measures.
50 % . ?
This is a rather bizarre statement by RKN, which adds even more confusion to the working hypotheses about how exactly this is now being implemented. If the current working hypothesis is correct, namely that shaping is done with DPI equipment through which providers are obliged to "drive" their traffic, then the question arises: "why exactly 50%, and not all?" It is likely that some local agreements are in place with specific providers so that they ignore user complaints about the slowdown and do not turn off the corresponding filtering equipment, since such a suspiciously round number was chosen. Or RKN is aware that it can control the mobile traffic of telecom operators almost completely, while many small local providers in the country have not yet installed TSPU. Or the agency is not able to quickly manage such a large number of devices, so broadband access is also controlled by TSPU only at the telecom operators, which RKN estimates as half of all fixed-line users.
How can a user check whether they are affected by the slowdown?
First, the majority of fixed-line users, except those on the RTK and Dom.ru networks, do not notice the slowdown. For the most part, the slowdown and slow loading of services were noticed today by users of mobile telecom operators. For example, the site takes longer to load than usual, images first appear as squares, and video stutters and takes a long time to start.
There is a more definitive method for detecting the slowdown, but it requires some technical skill. The method consists of using, for example, the cURL utility and substituting different domains in SNI when making requests to the desired site (in which case the download speed of a certain file can be measured repeatedly), then comparing the results: if the slowdown is significant (clearly outside the statistical error) and reproduces consistently, there is a slowdown. However, ordinary users may well rely on personal observations and "feelings", based on an ordinary comparison of content download speed on a smartphone, on a stationary PC, or on a smartphone via a VPN.
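The comparison step of the cURL method described above, as an added example that is not from the original article: it builds a curl command that connects to a fixed server while sending a chosen name in SNI, and decides from repeated speed samples whether a slowdown is both large and outside the noise. The function names, the 2x ratio and 0.01 thresholds, the documentation IP address and all sample numbers are assumptions constructed for illustration.

```python
import os
import random
import statistics

def curl_argv(server_ip, sni_host, path="/", seconds=20):
    """curl command that connects to server_ip but puts sni_host in SNI.
    curl prints the average download speed in bytes/s on stdout."""
    return ["curl", "-s", "-k", "-o", os.devnull, "--max-time", str(seconds),
            "-w", "%{speed_download}",
            "--connect-to", f"::{server_ip}:",   # any host:port -> server_ip
            f"https://{sni_host}{path}"]

def slowdown_verdict(control, test, min_ratio=2.0, alpha=0.01,
                     rounds=5000, seed=0):
    """Compare throughput samples (bytes/s) taken with a neutral SNI
    (control) and with the suspected SNI (test).
    A permutation test on the difference of medians estimates how often
    a gap this large would appear if the SNI made no difference."""
    med_c, med_t = statistics.median(control), statistics.median(test)
    observed = med_c - med_t
    pooled = list(control) + list(test)
    n = len(control)
    rng = random.Random(seed)          # fixed seed: reproducible verdicts
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        gap = statistics.median(pooled[:n]) - statistics.median(pooled[n:])
        if gap >= observed:
            hits += 1
    p_value = (hits + 1) / (rounds + 1)
    ratio = med_c / med_t
    return {"ratio": round(ratio, 1), "p_value": p_value,
            "slowed": ratio >= min_ratio and p_value < alpha}

# Constructed samples in bytes/s, eight repeated downloads each.
CONTROL = [5_100_000, 4_800_000, 5_400_000, 4_900_000,
           5_000_000, 5_300_000, 4_700_000, 5_200_000]
SHAPED = [160_000, 150_000, 170_000, 140_000,
          155_000, 165_000, 145_000, 158_000]
NOISE = [4_900_000, 5_200_000, 4_600_000, 5_050_000,
         5_350_000, 4_850_000, 5_150_000, 4_950_000]

if __name__ == "__main__":
    print(" ".join(curl_argv("203.0.113.10", "sni-under-test.example", "/file.bin")))
    print("shaped:", slowdown_verdict(CONTROL, SHAPED))
    print("noise: ", slowdown_verdict(CONTROL, NOISE))
```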
What should the user do to get around the slowdown? Can this be done without traffic proxying?
The easiest and most accessible way is proxying or tunneling traffic, including using a VPN. Yes, this is now becoming a pressing problem for us. There are also options based on traffic obfuscation (attempts to disguise it as something it is not), but certain skills and capabilities are needed to implement them. Not every user will be able to use them.
Will Twitter make concessions? What will the microblogging service do now?
Alas, it is rather difficult to predict whether Twitter will make concessions now. It all depends, as they say, "on the mood" of the owners. We have examples of "negotiating" social networks (such as Facebook), and examples of social networks that decided that the overhead costs of such agreements are higher than the profit from the part of the market that would be lost, such as LinkedIn.
I would also very much like to dream that Twitter will join the so-called Fediverse, a community of private social networks that can communicate with each other and have no single center, and therefore no single point of failure. Then there would also be no potential blocking, which may yet be discussed in the depths of RKN if shaping has no effect.
What will RKN do next? Are new slowdowns of other social networks possible?
RKN has no plans to block social networks yet and has only just started testing the operation of the TSPU elements. It is likely that for some time there will be various problems and limitations for many users, until the agency resolves them either on its own or with the help of telecom operators. RKN can slow down other social networks, for example, Facebook. In fact, RKN is using Twitter, with ~100 thousand users in Russia, as a testbed for TSPU. The TSPU also has limits on the number of simultaneously processed sessions. You can't simply start shaping all custom services: the network will freeze, up to a temporary shutdown.