“Contrary to blocking, where access to the content is blocked, throttling aims to degrade the quality of service, making it nearly impossible for users to distinguish imposed/intentional throttling from nuanced reasons such as high server load or a network congestion,” researchers with Censored Planet, a censorship measurement platform that collects data in more than 200 countries, wrote in a report. “With the prevalence of ‘dual-use’ technologies such as deep packet inspection devices (DPIs), throttling is straightforward for authorities to implement yet hard for users to attribute or circumvent.”
The throttling began on March 10, as documented in tweets here and here from Doug Madory, director of internet analysis at internet measurement firm Kentik.

In an attempt to slow traffic destined to or originating from Twitter, Madory found, Russian regulators targeted t.co, the domain used to host all content shared on the site. In the process, all domains that had the string “t.co” in them (for example, Microsoft.com or reddit.com) were throttled too.
That move led to widespread internet problems because it rendered affected domains effectively unusable. The throttling also consumed the memory and CPU resources of affected servers because it required them to maintain connections for much longer than normal.
Roskomnadzor—Russia's executive body that regulates mass communications in the country—said last month that it was throttling Twitter for failing to remove content involving child pornography, drugs, and suicide. It went on to say that the slowdown affected the delivery of audio, video, and graphics, but not Twitter itself. Critics of government censorship, however, say Russia is misrepresenting its reasons for curbing Twitter availability. Twitter declined to comment for this post.

Tuesday’s report says that the throttling is carried out by a large fleet of “middleboxes” that Russian ISPs install as close to the customer as possible. This hardware, Censored Planet researcher Leonid Evdokimov told me, is typically a server with a 10-Gbps network interface card and custom software. A central Russian authority feeds the boxes instructions for what domains to throttle.
The middleboxes inspect both the requests sent by Russian end users and the responses that Twitter returns. That means that the new technique may have capabilities not found in older internet censorship regimens, such as filtering of connections using VPNs, Tor, and censorship-circumvention apps. Ars previously wrote about the servers here.

The middleboxes use deep packet inspection to extract information, including the SNI. Short for “server name identification,” the SNI is the domain name of the HTTPS website that is sent in plaintext during a normal internet transaction. Russian censors use the plaintext for more granular blocking and throttling of websites. Blocking by IP address, by contrast, can have unintended consequences because it often blocks content the censor wants to keep in place.
One countermeasure for circumventing the throttling is the use of ECH, or Encrypted ClientHello. An update for the Transport Layer Security protocol, ECH prevents blocking or throttling by domains so that censors have to resort to IP-level blocking. Anti-censorship activists say this leads to what they call “collateral freedom” because the risk of blocking essential services often leaves the censor unwilling to accept the collateral damage resulting from blunt blocking by IP address.
In all, Tuesday’s report lists seven countermeasures:
- TLS ClientHello segmentation/fragmentation (implemented in GoodbyeDPI and zapret)
- TLS ClientHello inflation with padding extension to make it bigger than 1 packet (1,500-plus bytes)
- Prepending real packets with a fake, scrambled packet of at least 101 bytes
- Prepending client hello records with other TLS records, such as change cipher spec
- Keeping the connection in idle and waiting for the throttler to drop the state
- Adding a trailing dot to the SNI
- Any encrypted tunnel/proxy/VPN

It’s possible that some of the countermeasures could be enabled by anti-censorship software such as GoodbyeDPI, Psiphon, or Lantern. The limitation, however, is that the countermeasures exploit bugs in Russia's current throttling implementation. That means the ongoing tug of war between censors and anti-censorship advocates may turn out to be protracted.
This story originally appeared on Ars Technica.