Russia started blocking Tor
Maria Xynou, Arturo Filastò
2021-12-17
On 1st December 2021, some Internet Service Providers (ISPs) in Russia
started
blocking
access to the Tor anonymity network.
In this report, we share OONI network measurement data
on the blocking of the Tor network and www.torproject.org
in Russia.
About Tor
If you want real privacy and anonymity on the internet, the answer is
simple: use Tor.
This is not a question of promotion, but a question of software
design: Tor software is designed to bounce communications around a
distributed network of relays (run by volunteers around the world),
thereby hiding its users’ IP addresses and enabling them to circumvent
online tracking and internet censorship.
When you use Tor, the online
services that you connect to don’t see your real IP address, but some
other IP address of the Tor relay you are exiting from. As a result,
it’s harder for governments and corporations to track your online
activity, and you can circumvent internet censorship in your country
because you look like you’re connecting from a different location (where
that service may not be blocked).
In short, the Tor network is uniquely designed in such a way that
actually guarantees you online privacy and anonymity. Tor software is
developed by a nonprofit organization (the Tor Project), whose mission is to advance
human rights and freedoms by creating and deploying free and open source
anonymity and privacy technologies, supporting their unrestricted
availability and use, and furthering their scientific and popular
understanding. The fact that it’s free and open source means that potentially
anyone can use it, and its codebase is regularly reviewed (and improved
upon) by security experts around the world.
This is why human rights defenders,
journalists,
and
whistleblowers
around the world rely on Tor for online privacy, anonymity, and
censorship circumvention (along with other digital security tools). But it’s also why some governments (in
countries like
China
and
Iran)
target and block access to Tor. The Tor Project has therefore created
Tor bridges, enabling the
circumvention of Tor blocking. Tor Browser – the main way that Tor
is used by millions of users around the world – is shipped with a set of
public bridges (called built-in
obfs4
bridges) that users in censored environments can enable.
On 1st December 2021, Russia started blocking access to Tor,
and the Tor Project
responded
with a call for support from the internet freedom community. According
to the Tor Project, Russia is the country with the second largest number of Tor users with
more than 300,000 daily users (about 15% of all Tor users).
To learn about the impact of Tor blocking, view the Tor Project’s
online PrivChat event to hear
from an artist and activist who lives in Russia and relies on Tor.
Methods
Since 2012, OONI (a project born out of the Tor
Project) has developed free and open source software – called OONI Probe – designed to measure internet
censorship and other forms of network interference. Every month, OONI
Probe is run by tens of thousands of users in around 200 countries, including
Russia.
As soon as OONI Probe users run tests on their network, their test
results (“measurements”) are automatically submitted to OONI servers,
processed, and openly published in real-time.
The OONI Probe app includes a variety of
different network measurement tests,
including a test specifically
designed to measure Tor reachability. The OONI Probe Tor test provides
an automated way of examining whether
Tor works in a tested network.
To this end, this
test
measures the reachability of a set of services that allow Tor to work.
These include the following services:
Tor directory authorities (used by Tor relays)
OR port (used by Tor bridges)
OR port of directory authorities (used by Tor clients)
Built-in obfs4 bridges (Tor bridge that speaks the OBFS4 protocol)
By measuring the reachability of selected Tor directory authorities and
bridges, this test evaluates whether they can be used within the tested
network.
More specifically, this test attempts to perform the following actions
from the vantage point of the user:
HTTP GET request to the tor/status-vote/current/consensus.z
resource, which is required for Tor directory authorities;
Connect to OR ports and OR ports of directory authorities and
perform a TLS handshake;
Connect to obfs4 addresses and perform an OBFS4 handshake (an
obfuscated handshake).
Based on our heuristics, if the test succeeds in performing all of the
above, Tor may work on a tested network (unless it’s blocked in ways
that aren’t being measured). In these cases, we automatically annotate
Tor measurements as “OK”, indicating that Tor works on the tested
network.
If the test fails in performing any of the above, Tor may not work in
the tested network and may be blocked. In these cases, we automatically
annotate Tor measurements as
“anomalies”,
providing a sign of potential Tor blocking.
To examine Tor blocking in Russia, we
analyzed all Tor measurements collected from Russia
between 1st January 2021 to 8th December 2021. We explored whether the
testing of Tor presented anomalies, and we aggregated anomalous measurements
to evaluate whether they were persistent on the same AS networks. These
aggregated anomalies were compared with other measurements
collected from the same AS networks, as well as with measurements
collected from other AS networks. Beyond aggregation, we analyzed the
raw measurement data within anomalous measurements
to evaluate how access to Tor was being interfered with in Russia.
Similarly, we analyzed OONI Web Connectivity measurements
to examine the blocking of www.torproject.org
. The OONI Probe Web Connectivity test is
designed to measure URLs (provided in the Citizen Lab test lists) by
performing a DNS lookup, TCP connection, and HTTP GET request to each
tested URL over two vantage points: the local vantage point of the user
and a control (non-censored) vantage point. The results from both
networks are automatically compared and if they are the same, the tested
URL is annotated as “accessible” (unless if the measurement fails). If
the results differ, the measurement is annotated as an “anomaly”.
Anomalous measurements are further annotated as dns
, tcp/ip
,
http-diff
, and http-failure
, depending on the reason which
caused the anomaly (for example, if the DNS responses from the local and
control vantage points do not match).
To analyze Web Connectivity measurements
pertaining to the testing of www.torproject.org
in Russia, we
aggregated the measurements to identify on which AS networks they
presented the highest volume of anomalies. We further analyzed the
measurements based on the types of anomalies that they presented
(dns
, tcp/ip
, http-diff
, and http-failure
) to evaluate
whether those types of anomalies were consistent on each network. By
analyzing the raw data (for example, examining what was served in the
HTTP response of measurements), we were able to characterize the blocks.
The summary findings from our analysis are presented in the following
sections.
Findings
As of 1st December 2021, several ISPs in Russia started blocking access to the Tor network.
OONI data also shows that some Russian ISPs
block
access to the Tor Project’s website (www.torproject.org
) as well.
Blocking of the Tor network
Starting from 1st December 2021, OONI data suggests that several ISPs in
Russia started blocking access to the Tor network.
The block does not seem to be implemented across all ISPs in Russia,
but only a
subset
of them. The following chart aggregates Tor measurement coverage from Russia
over the last months (providing a per-ASN breakdown), illustrating that
Tor blocking differs significantly from ISP to ISP in Russia.
Source: OONI Probe Tor measurements collected from Russia between
June 2021 to December 2021, https://explorer.ooni.org/search?since=2021-11-08&until=2021-12-09&failure=false&probe_cc=RU&test_name=tor
As OONI measurement coverage from Russia is quite large (OONI data
collected from Russia covers 2,556 local networks since December 2012),
we have limited the above chart to:
Out of 65 AS networks included in the above chart, the testing of Tor
only presented signs of blocking on the following 15 networks:
AS48092
, AS3216
, AS8334
, AS8359
, AS8402
,
AS12714
, AS12958
, AS15493
, AS15582
, AS15672
,
AS16345
, AS24955
, AS25159
, AS31133
, AS31208
.
The anomalous measurements
from those networks provide a strong signal of Tor blocking because we
observe that they began on several AS networks on the same day (1st
December 2021), whereas previous measurements show that Tor was
previously reachable on those networks. Moreover, Tor testing continued
to present anomalies on those networks thereafter, providing a further
signal of Tor blocking.
Tor blocking is further suggested by the recent spike in the use of
Tor bridges (used for circumventing
Tor blocking) in Russia, as illustrated below by Tor Metrics.
Source: Tor Metrics: Bridge users from Russia, https://metrics.torproject.org/userstats-bridge-country.html?start=2021-11-09&end=2021-12-08&country=ru
When looking at raw OONI data from anomalous Tor measurements,
we can see that the block is implemented by means of IP blocking,
which is consistent with how we
have seen ISPs in Russia implement blocks in the past. In particular,
OONI data shows that attempts to connect to OR ports, OR ports of
directory authorities, and obfs4 addresses consistently failed,
resulting in generic timeout errors. This, for example, is illustrated
from the following summary table, taken from an OONI measurement
collected from the AS8359
network in Russia on 8th December 2021.
Source: OONI Probe Tor measurement collected from the AS8359
network in Russia on 8th December 2021, https://explorer.ooni.org/measurement/20211208T181239Z_tor_RU_8359_n1_vpm7c98293BSrYkD
In cases where obfs4 addresses (the default Tor bridges shipped as part of Tor Browser) are blocked, Tor users
in Russia would need to get private bridges
(which are not publicly listed and therefore less likely to be blocked).
Interestingly, we observe that within the same network, Tor blocking
does not appear to be implemented for all users. For example, on
AS16345
(VEON), some users appear to experience Tor blocking,
while other users on the same AS network do not.
This could potentially be explained if the rollout of Tor blocking is
not being carried out in the same way across all their infrastructure.
The non-deterministic nature of Tor blocking is further suggested by
OONI measurements which show that Tor was reachable from multiple AS networks
during certain windows of time (such as on 8th December 2021),
corroborating what was
reported
by internet users in Russia.
Russia’s Federal Service for Supervision of Communications, Information
Technology and Mass Media (Roskomnadzor) maintains a blocklist and
provides a portal through which
internet users can check if specific IP addresses, domains, or URLs are
included in their blocklist. A GitHub
project provides a dump of the
IPs which are present in their blocklist, but none of the IP addresses
associated with Tor directory authorities or bridges appear to currently
be present in this registry. It is therefore likely that ISP
coordination to implement Tor blocking happened through other means.
It’s worth highlighting though that most Tor measurements from most AS
networks in Russia were
successful,
suggesting that it’s still possible to connect directly to Tor on many
networks in Russia.
Blocking of the Tor Project website
On 6th December 2021, the Tor Project received an abuse notice from Roskomnadzor,
threatening to block access to the Tor Project’s main website
(www.torproject.org
). By 7th December 2021, www.torproject.org
had officially been added to the blocklist.
This is corroborated by OONI data,
which not only shows that some ISPs in Russia appear to block access
to www.torproject.org
, but which also suggests that the blocking may
have begun as early as September 2021.
The following chart aggregates OONI measurement coverage
from the testing of www.torproject.org
across AS networks in Russia
over the last months, illustrating how the blocking of the site varies
across ISPs in the country.
Source: OONI measurements from the testing of
www.torproject.org
in Russia between
January 2021 to December 2021, https://explorer.ooni.org/search?since=2021-11-08&until=2021-12-09&failure=false&probe_cc=RU&test_name=web_connectivity&domain=www.torproject.org
Similarly to the graph produced for the testing of Tor (based on OONI
data), we have limited this chart to AS networks where the testing of
www.torproject.org
presented anomalies and which received at least
16 measurements during the analysis period.
OONI data shows that the testing of www.torproject.org
presented
signs of blocking on several AS networks. However, the censorship
techniques across ISPs differ.
On some networks (such as AS21127
), OONI data provides evidence
of torproject.org blocking, as we observe that a block page was served
(as illustrated below).
Image: Block page served on AS21127
in Russia when
torproject.org was tested on 8th December 2021, https://explorer.ooni.org/measurement/20211208T105240Z_webconnectivity_RU_21127_n1_vuA5flblHujkP12E?input=http%3A%2F%2Ftorproject.org
Similarly, we observe a block page being served
when torproject.org was tested on AS31163
on 8th December 2021, as
illustrated below.
Image: Block page served on AS31163
in Russia when
torproject.org was tested on 8th December 2021, https://explorer.ooni.org/measurement/20211208T103229Z_webconnectivity_RU_31163_n1_HMGBbnFmuqyMIAtE?input=http%3A%2F%2Ftorproject.org
We also observe block pages
on other networks, such as AS8359
(shared below).
Image: Block page served on AS8359
in Russia when torproject.org
was tested on 8th December 2021, https://explorer.ooni.org/measurement/20211208T101854Z_webconnectivity_RU_8359_n1_4ergxVLtT3HvXoYO?input=http%3A%2F%2Ftorproject.org
In some cases though (such as on AS42437
), OONI data suggests that
access to torproject.org is being interfered with by means of a TLS man-in-the-middle attack,
while in other cases (such as on AS51570
), we observe that the
connection is reset once the TLS handshake has been initiated,
suggesting the use of Deep Packet Inspection (DPI) technology.
On many tested networks in Russia though, OONI data suggests that
www.torproject.org
is
accessible.
Conclusion
OONI data collected from Russia suggests that access to both the Tor network
and the Tor Project’s website
is blocked on some AS networks in Russia.
Tor blocking. On 1st December 2021, some ISPs in Russia
started blocking access to the Tor network by means of IP
blocking.
Out of (more than) 65 tested AS networks, OONI data only shows
signs of Tor blocking
on 15 AS networks in Russia.
The block also impacts obfs4 addresses,
which means that Tor users in Russia may need to use private Tor bridges
to circumvent the block.
Tor blocking differs from ISP to ISP in Russia. However, not all
users on the same AS network experience Tor blocking.
Blocking of Tor Project website. In September 2021, some ISPs
in Russia started blocking access to www.torproject.org
.
Censorship techniques across ISPs differ.
Despite these blocks, OONI data suggests that both the Tor network and
www.torproject.org
are still
accessible
on most networks in Russia. The blocking of the Tor network and
www.torproject.org
appears to vary from ISP to ISP in Russia, and
different ISPs adopt different censorship techniques.
This variance could be explained by the fact that internet
infrastructure in Russia is fairly
decentralized,
limiting the ability to implement a uniform country-wide internet
censorship policy. As a result, it is at the discretion of each ISP to
independently implement blocking orders from the central government
authority (Roskomnadzor).
To circumvent Tor blocking, you
can:
Meanwhile, the Tor Project identified and responded to the use of DTLS fingerprinting to block the Snowflake pluggable transport,
and they will be rolling out the fix in the next Tor Browser release. We therefore recommend
keeping an eye out for (and updating to) the next Tor Browser version,
and configuring Tor Browser to use Snowflake.
If access to www.torproject.org
is blocked on your network, you can:
Circumvent this block by visiting the Tor Project’s website mirror;
Get Tor Browser by sending an email to gettor@torproject.org
(GetTor), while specifying the
operating system and language (eg. windows ru
) you would like
a download link for.
If you’re in Russia and would like to contribute more OONI measurements,
please consider running OONI Probe to
continue testing Tor reachability.
Acknowledgements
We thank OONI Probe users in Russia who
contributed measurements, supporting this study.
We also thank the Tor Project for their
tireless efforts in building an online world that protects humans
worldwide.