https://translate.google.com/ ---------- Forwarded message ---------- From: Leonid Evdokimov <leon@darkk.net.ru> Date: Tue, Jun 27, 2017 at 7:37 AM Subject: [tor-talk] Tor ban discussion at Russian state Duma To: tor-talk@lists.torproject.org As-salamu alaykum! TL/DR: Tor ban is currently discussed in Russian state Duma, first draft of proposed bill was approved the 23th of June, there will be two more drafts (second draft should be ready for discussion at the parliament by the 2nd of July[DU]), there is ~120 days gap after 3rd draft approval before Tor being outlawed. [DU] http://asozd2.duma.gov.ru/main.nsf/%28SpravkaNew%29?OpenAgent&RN=195446-7&02 [DU] https://archive.li/8GxKD ~1300 words more: On 15th of June in the morning there was an open invitation[Oi] published by Leonid Levin, chairman of State Duma (Russian parliament) committee on information politics, information technologies and telecommunication towards representatives of anonymisers to discuss proposed bill that regulates services that may be used to gain access to outlawed information: VPN services, anonymisers, etc. One of the declared purposes of the invitation was to "gather opinions to make the bill more technological from the point of view of the bill goals". [Oi] http://www.komitet5.km.duma.gov.ru/Novosti-Komiteta/item/522019/ [Oi] https://archive.li/dyepC [Oi] https://geektimes.ru/post/290109/ ^^ all three links are in Russian, sorry. Couple of weeks before this invitation there was significant number of outages going on in the Russian segment of the internet. But I should give some context on blocklist used by Russian ISPs before describing the outages: Roskomnadzor[RKN] curates blocklist of IP addresses, domains and URLs that contain links to illegal information that should be blocked. The list is composed of two parts: the list of illegal information that should be blocked[BL] and the registry of illegal information[EAIS]. The second list may contain links that cause too much collateral damage in case of blocking, e.g. https youtube link[YT] that you can verify via [EAIS] that it's both illegal and officially NOT blocked despite the "spirit" of law. Enforced blocklist[BL] is unofficially public as it's distributed to thousands of ISPs, so it leaks to github[ZI] at speed of 24 commits a day. [RKN] https://en.wikipedia.org/wiki/Roskomnadzor [BL] http://blocklist.rkn.gov.ru/ [EAIS] https://eais.rkn.gov.ru/ [YT] https://www.youtube.com/watch?v=nEL_JOXGRu4 [ZI] https://github.com/zapret-info/z-i/ In 2012 when the blocklist was first introduced to protect all children from 0 to 120 years old against extremist content one of the very first bans was zhurnal.lib.ru (Samizdat library that is currently reachable with http://samlib.ru). There were almost no smart filters deployed in ISP networks back in those days, so Maxim Moshkov pointed DNS A records for zhurnal.lib.ru to IP addresses of minjust.ru, website of Ministry of Justice of Russia. I don't know if he did that as a protest or just for fun, but minjust.ru was unreachable via some ISPs. So the sort of trolling pointing A records of blacklisted domains to something fun was quite old. In the beginning of the June 2017 it was back: people across several medias (blogs, Telegram channels, etc.) were publicly suggesting to use expired domains grepped from from zapret-info lists, register these domains and point them to google, yandex, VK, telegram and other popular services. It caused significant amount of media buzz, including bloomberg[BLOOM] as there is significant amount of ISPs doing filtering of HTTPS links based on plain TCP/IP blocking. Someone also pointed one of domains to peering IP addresses of MSK IX and it caused significant traffic dip[MSKIX]. Maybe it was just a coincidence, but I've found several looking glasses showing that routers had /32 routes for blacklisted IPs pointing to some non-default route[OR,RT,TTK] [BLOOM] https://www.bloomberg.com/view/articles/2017-06-13/how-the-russian-internet-... [MSKIX] http://darkk.net.ru/garbage/2017.06-Tor-VPN-and-Duma/msk_ix_2017-06-08_16-50... [OR] https://archive.li/i66ic [RT] https://archive.li/8nK6U [TTK] https://archive.li/JM5If I remember TCAM 512k internet hiccup[TC1,TC2] so I was quite afraid of possible attack causing TCAM overflow. Also there were rumors that some Allot DPI equipment deployed at some ISPs had troubles when the blocklist outgrew 64k entries. Every domain in the blocklist can send ~4000 obsolete IPv4 addresses as a response for single `A` DNS query and ~2300 modern IP addresses for `AAAA` query. There are 623 domains in the blocklist controlled by single entity -- grani.ru[GRN], so this entity has possibility to inject enough routes to consume ~5'357'800 TCAM entries (one per IPv4 and two per modern IP) that's ~10 times larger that current "Internet routing table" size (~630'000 for IPv4). So I registered some of these expired domains, conducted a safe experiment using RIPE Atlas trying to verify that IP addresses for alike domains containing thousands of A and AAAA records are really added to routing tables and published intermediate results[RUFW] on ~midnight of 15th of June (10 hours before the open invitation). I also hope to publish full results in English within couple of weeks. Results were not shocking, but they clearly showed that the risk of TCAM overflow attack against backbone ISPs is non-zero. The thing that really disappointed me was that there were almost no discussion about possibility of this attack among ISPs engineers during Russian internet hiccups on early-June 2017. [TC1] https://bgpmon.net/what-caused-todays-internet-hiccup/ [TC2] https://arstechnica.com/security/2014/08/internet-routers-hitting-512k-limit... [GRN] https://ru.wikipedia.org/wiki/%D0%93%D1%80%D0%B0%D0%BD%D0%B8.%D1%80%D1%83 [RUFW] https://habrahabr.ru/post/330934/ It was obvious to me that round table discussion of the bill unlikely changes anything in terms of anonymisers regulation, but I decided to use the round table discussion as an opportunity to mention the risks produced by the blocklist that is so inaccurately managed: TCAM overflow attack, DPI overload attack and I also wanted to mention compromised DPI equipment that we already observed in Egypt in autumn of 2016[BADPORN]. Extending the blocklist with IP addresses of large networks controlled by people that are often presented as internet anarchists sounded like too risky action to me. IMHO the minimal pre-requirement for alike bill is building of technological framework that mitigates these risks, passing the bill without the framework looks like carelessness to me. The interesting points about the proposed bill are clear copyright lobby behind it[COLOB] and the mantra "we don't ban VPNs and anonymisers that are going to enforce Russian blocklists for Russian customers" repeated over and over again. I still consider the mantra "we don't fight anonymity today" a sort of hypocrisy, but I don't want to discuss ethical & political parts of the matter. [BADPORN] https://ooni.torproject.org/post/egypt-network-interference/#third-party-too... [COLOB] http://komitet5.km.duma.gov.ru/Novosti-Komiteta/item/513823 So I joined round table as an unofficial, technological Tor Project representative and brought five points to the discussion: 1. TCAM overflow attack risk, 2. DPI overload attack risk (routing traffic to DPI with IP injection), 3. Egypt case when filtering equipment "waz hax0d" 4. VPN-over-VPN and inability to deduce if the client is Russian even for __complying__ VPN providers if the client tunnels one VPN connection through another one. 5. Inability to pass a marker "Client is Russian" through chain of tor nodes as it affects anonymity of the client, that likely means that Tor will be unable to comply with the law without sacrificing its goals. There were some fun news and interesting datapoints presented during the round table. A representative of backbone internet provides also complained that current size of Russian segment of the internet in terms of routes is ~40'000 routes and blacklist already adds ~60'000 routes to that, so there is 1.5x times more memory spent to serve blacklist than to serve actual Russian traffic :) DPI deployments for one of backbone ISPs already costs ~1e9 USD according to MTSC delegate. I consider this datapoint being really interesting as MCX:MTSS market cap is 7.8e9 USD. The chairman is, probably, a troll as he encourages to develop something like Tor with parental (governmental) control. I just ignored the suggestion but it may be an interesting case for stubborn lawyer and developer in theory: e.g. Tor Browser showing a nag screen while visiting https://bada-boom.club saying something like "This Website is banned in Barbaristan and United Cities of Barbaria. We don't track you so we don't know your country. Please, proceed only if you're not a citizen of these countries". Technically it reminds me of safe browsing nag screens. I doubt that alike nag screen may be really used as an valid argument in the court during an attempt to "unban" Tor, but it sounds like an interesting fantasy to me, so I mention it here (assuming that everyone loves legal trolling). The bill also mentions that search engine operators have to fetch blocklist and remove links to blacklisted websites from search engine result pages with fine of 12k$ USD if they don't. Obviously search engines have same issue while trying to determine "residence" of the user. Nearby mail thread about Ukrainian users & Tor clearly demonstrates the complexity of the issue :) The following week was also interesting. www.google.com was officially banned for couple of hours on 22nd of June and Leonid Levin said that it was some sort of warning[WAT] for internet companies. The first draft of aforementioned bill was accepted on 23rd, saying that various TORs (sic!) should be regulated and MUST NOT route traffic from users of global network (internet) towards to the banned websites. There were also some bills on messengers discussed and there was a open-letter fighting between Durov from Telegram (that may be banned in Russia this week), Zharov from Roskomnadzor, with comments from Bortnikov from FSB and aforementioned Levin, but that was too much legalese for me and it's not that much relevant to tor-talk@ ML, so I'm putting that part aside :) [WAT] https://rg.ru/2017/06/22/v-gosdume-nazvali-blokirovku-google-predosterezheni... [WAT] http://komitet5.km.duma.gov.ru/Novosti-Komiteta/item/551685/ [WAT] https://archive.li/VxkwR & https://archive.li/MZ1Hu [TORZ] https://youtu.be/a9ZJq4bIiHE?t=1m55s Dear reader! Thank you for your time reading this! Sincerely yours, Acting Gonzo[*] Developer. [*] http://darkk.net.ru/garbage/2017.06-Tor-VPN-and-Duma/Levin-anonymisers-3785.... -- WBRBW, Leonid Evdokimov, xmpp:leon@darkk.net.ru http://darkk.net.ru tel:+79816800702 PGP: 6691 DE6B 4CCD C1C1 76A0 0D4A E1F2 A980 7F50 FAB2 P.S.: And I'm sorry for links mostly in Russian. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk