Russia’s Twitter throttling may give censors never-before-seen capabilities

Russia has implemented a novel censorship method in an ongoing effort to silence Twitter. Instead of outright blocking the social media site, the country is using previously unseen techniques to slow traffic to a crawl and make the site all but unusable for people inside the country.

Research published Tuesday says that the throttling slows traffic traveling between Twitter and Russia-based end users to a paltry 128kbps. Whereas past Internet censorship techniques used by Russia and other nation-states have relied on outright blocking, slowing traffic passing to and from a widely used Internet service is a relatively new technique that provides benefits for the censoring party.

Easy to implement, hard to circumvent

“Contrary to blocking, where access to the content is blocked, throttling aims to degrade the quality of service, making it nearly impossible for users to distinguish imposed/intentional throttling from nuanced reasons such as high server load or a network congestion,” researchers with Censored Planet, a censorship measurement platform that collects data in more than 200 countries, wrote in a report. “With the prevalence of ‘dual-use’ technologies such as Deep Packet Inspection devices (DPIs), throttling is straightforward for authorities to implement yet hard for users to attribute or circumvent.”

The throttling began on March 10, as documented in tweets here and here from Doug Madory, director of Internet analysis at Internet measurement firm Kentik.

In an attempt to slow traffic destined to or originating from Twitter, Madory found, Russian regulators targeted t.co, the domain used to host all content shared on the site. In the process, all domains that had the string *t.co* in them (for example, Microsoft.com or reddit.com) were throttled, too.

That move led to widespread Internet problems because it rendered affected domains effectively unusable. The throttling also consumed the memory and CPU resources of affected servers because it required them to maintain connections for much longer than normal.
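The collateral damage described above is what any domain rule produces when it is applied as a substring test instead of on DNS label boundaries. The following is an added example, not code from the report or from any throttling device; the rule string, sample hostnames and function names are constructed for illustration.

```python
# Added illustration: rule and hostnames are constructed sample data.
THROTTLE_RULE = "t.co"

SAMPLE_HOSTS = [
    "t.co", "T.CO.", "pic.t.co",          # the intended target and a subdomain
    "microsoft.com", "reddit.com",        # unrelated names that contain "t.co"
    "www.reddit.com", "notreallyt.co",
    "example.org",                        # unrelated, no overlap
]

def normalize(host):
    """Lower-case and drop the root-label trailing dot so equal names compare equal."""
    return host.strip().lower().rstrip(".")

def substring_match(host, rule=THROTTLE_RULE):
    """Loose matching: the rule may appear anywhere inside the hostname."""
    return normalize(rule) in normalize(host)

def label_match(host, rule=THROTTLE_RULE):
    """Strict matching: the rule is the whole name or a parent domain,
    and the match must start on a label boundary (a dot)."""
    host, rule = normalize(host), normalize(rule)
    return host == rule or host.endswith("." + rule)

def collateral(hosts, rule=THROTTLE_RULE):
    """Hosts the substring rule catches that the label-aware rule would not."""
    return [h for h in hosts
            if substring_match(h, rule) and not label_match(h, rule)]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:16} substring={substring_match(h)!s:5} label={label_match(h)}")
    print("over-matched:", collateral(SAMPLE_HOSTS))
```

The same boundary check applies to any allowlist or blocklist keyed on hostnames, such as proxy ACLs or DNS filters.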

Roskomnadzor—Russia’s executive body that regulates mass communications in the country—said last month that it was throttling Twitter for failing to remove content involving child pornography, drugs, and suicide. It went on to say that the slowdown affected the delivery of audio, video, and graphics, but not Twitter itself. Critics of government censorship, however, say Russia is misrepresenting its reasons for curbing Twitter availability. Twitter declined to comment for this post.

Are Tor and VPNs affected? Maybe

Tuesday’s report says that the throttling is carried out by a large fleet of “middleboxes” that Russian ISPs install as close to the customer as possible. This hardware, Censored Planet researcher Leonid Evdokimov told me, is typically a server with a 10Gbps network interface card and custom software. A central Russian authority feeds the boxes instructions for what domains to throttle.

The middleboxes inspect both the requests sent by Russian end users and the responses that Twitter returns. That means that the new technique may have capabilities not found in older Internet censorship regimens, such as filtering of connections using VPNs, Tor, and censorship-circumvention apps. Ars previously wrote about the servers here.

The middleboxes use deep packet inspection to extract information, including the SNI. Short for “server name identification,” the SNI is the domain name of the HTTPS website that is sent in plaintext during a normal Internet transaction. Russian censors use the plaintext for more granular blocking and throttling of websites. Blocking by IP address, by contrast, can have unintended consequences because it often blocks content the censor wants to keep in place.

One countermeasure for circumventing the throttling is the use of ECH, or Encrypted ClientHello. An update for the Transport Layer Security protocol, ECH prevents blocking or throttling by domains so that censors have to resort to IP-level blocking. Anti-censorship activists say this leads to what they call “collateral freedom” because the risk of blocking essential services often leaves the censor unwilling to accept the collateral damage resulting from blunt blocking by IP address.

In all, Tuesday’s report lists seven countermeasures:

  • TLS ClientHello segmentation/fragmentation (implemented in GoodbyeDPI and zapret)
  • TLS ClientHello inflation with padding extension to make it bigger than 1 packet (1500+ bytes)
  • Prepending real packets with a fake, scrambled packet of at least 101 bytes
  • Prepending client hello records with other TLS records, such as change cipher spec
  • Keeping the connection in idle and waiting for the throttler to drop the state
  • Adding a trailing dot to the SNI
  • Any encrypted tunnel/proxy/VPN

It’s possible that some of the countermeasures could be enabled by anti-censorship software such as GoodbyeDPI, Psiphon, or Lantern. The limitation, however, is that the countermeasures exploit bugs in Russia’s current throttling implementation. That means the ongoing tug of war between censors and anti-censorship advocates may turn out to be protracted.