Outline server is not accessible by certain time after connecting by client in Russia

[mshtmfv]

Seems that Outline server is not accessible for around of 15 minutes by client (client ip address was connected to Outline server).

Flow to reproduce:

1. Connecting to Outline Server
2. Do some web surfing for 5-15 minutes
3. Server IP banned (none of ports are working and ip is not accessible)
4. Wait 15 minutes
5. Server IP unbanned

Cloud Provider - SwissMade Host
Tried with every ISP Provider in Russia

Does anyone have ideas how to fix it?

[wkrp]

The fact that the server is blocked after a variable delay of up to 15 minutes is interesting. It is similar to what was observed by Winter and Lindskog with GFW active probing in 2012:

https://www.usenix.org/system/files/conference/foci12/foci12-final2.pdf#page=5

The diagrams show that depending on the time of the day, on average, scanners connect either close to the respective 15 minutes multiple or a little bit later.

We conjecture that the GFC maintains scanning queues. When the DPI boxes discover a potential Tor connection, the IP:port tuple of the suspected bridge is added to a queue. Every 15 minutes, these queues are processed and all IP:port tuples in the queue are being scanned.

Are you using the Outline client to connect to the Outline server, or is the client a different implementation of Shadowsocks?

[gfw-report]

The latest Outline server has been patched to defend against all known active probing attacks, thanks to Frolov et al. #26. If this is indeed related to active probing, it may be something new that we are not aware of.

Another hypothesis is that the blocking is related to traffic analysis. Blocking Shadowsocks with purely traffic analysis based approach has been proved to be practical: China has been blocking all seemingly random traffic to a large number of popular foreign VPS providers since November 2021.

Considering Russia has not been observed to use active probing before, we lean towards a traffic analysis based approach.

We are willing to help investigate more, if we could get a vantage point in Russia and SwissMade Host.

[mshtmfv]

@wkrp I am using Outline Client.

[mshtmfv]

@gfw-report how can I help with investigation?

[darkk]

China has been blocking all seemingly random traffic ... Russia has not been observed to use active probing before

Russian 4G ISP Yota was throttling look-like-nothing traffic back in 2018, I've reported on that at CryptoInstallFest and Chaos Communication Congress. Also, Russia was using active probing against Socks5 proxies that summer as well.

@mshtmfv I'm curious to know if Wireguard-based and IPsec-based VPNs observe the same behavior given the network path between your ISP and Cloud provider. My wild guess is to expect Outline throttled or banned way earlier than IPsec in the current circumstances.

[wkrp]

My wild guess is to expect Outline throttled or banned way earlier than IPsec in the current circumstances.

@darkk – good article.

[gfw-report]

Thank you for sharing the article and report. I find them very informative and interesting. I machine translated them into English for documentation purpose:

Russian 4G ISP Yota was throttling look-like-nothing traffic back in 2018, I've reported on that at CryptoInstallFest and Chaos Communication Congress.
...
My wild guess is to expect Outline throttled or banned way earlier than IPsec in the current circumstances.

https://vas3k.club/post/14748/

"Обфускация" и "маскировка" может быть вредна. Во-первых, операторы могут обрабатывтаь "камуфлированый" трафик с наименьшим приоритетом. Во-вторых, провайдер любой self-hosted VPN может опознать по простому принципу, что 99% трафика абонента идут на один и тот же IP-адрес. Поэтому я считаю, что дополнительно маскировать VPN до наступления кризиса не имеет смысла.
В какой-то момент могут начать блокировать и "маленькие" VPN, подобные прецеденты с Telegram-proxy уже были. Существенная разница в том, что Telegram-proxy не используются для IT-бизнеса, банкоматов и терминалов для платёжных карт.
Отдельно скажу про популярные self-hosted решения:
Outline и shadowsocks. Он удобен в администрировании, но shadowsocks используется ТОЛЬКО для обхода цензуры и может быть заблокирован или замедлен DPI-фильтрами мобильных операторов как "нераспознанный трафик" или "файлообмен". На Yota подобное уже наблюдалось.

Machine translation:

"Obfuscation" and "masking" can be harmful. First, operators may process "camouflaged" traffic with the lowest priority. Secondly, any self-hosted VPN provider can identify by the simple principle that 99% of the subscriber's traffic goes to the same IP address. Therefore, I believe that it does not make sense to additionally mask the VPN before the crisis.
At some point, "small" VPNs may start to be blocked as well, similar precedents with Telegram-proxy have already happened. The significant difference is that Telegram-proxy is not used for IT businesses, ATMs and payment card terminals.
I will also talk about popular self-hosted solutions:
Outline and shadowsocks. It is easy to administer, but shadowsocks is used ONLY to bypass censorship and can be blocked or slowed down by DPI-filters of mobile operators as "unrecognized traffic" or "file exchange". This has already been observed on Yota.

---

Russia was using active probing against Socks5 proxies that summer as well.

https://slides.ooni.io/2018/cif/#/15?presenter

Эти славные люди рассказали следующую историю про сеть MT_FREE, про тот самый Wi-Fi в московском метро.
При использовании Socks5 для соединения с Telegram из сети MT_FREE (провайдер Максима Телеком) через полчаса-час на адрес Socks5 приходит сканер с адреса из "клиентской" сети датацентра Мегафона, судя по PTR записям вида clients-221.30.176.178.misp.ru. Как миниум с августа IP адрес этого сканера не меняется.
А если это делать с автобусной остановки, которую обслуживает Net-By-Net, то сканер не приходит...
Т.е. Максима Телеком или аплинки (МТС? Мегафон?) слушают трафик в поисках Socks5 проксей.
Затем сканер проверят доступность TCP порта полу-открытым сканированием (SYN, SYN-ACK, RST). После успешной проверки сканер пытается установить Socks5 соединение с сервером из подсети Telegram и произвести обмен данными с ним.
Фил считает, что в этой истории снифер — это бомба.
Но на мой вкус самое интересное — дальше.

Machine translation:

These nice people told the following story about the MT_FREE network, about the very same Wi-Fi in the Moscow subway.
When I use Socks5 to connect to Telegram from the MT_FREE network (the provider is Maxima Telecom) after half an hour or so the Socks5 address receives a scanner from the "client" network of the Megafon data center, judging by PTR records like clients-221.30.176.178.misp.ru. At least the IP address of this scanner hasn't changed since August.
And if you do it from a bus stop served by Net-By-Net, the scanner does not come...
That is, Maxima Telecom or uplinks (MTS? Megafon?) listen to the traffic looking for Socks5 proxies.
The scanner will then check the TCP port availability by a half-open scan (SYN, SYN-ACK, RST). After a successful check, the scanner tries to establish a Socks5 connection to a server in the Telegram subnet and exchange data with it.
Phil thinks the sniffer is the bomb in this story.
But for my taste, the most interesting part is next.

https://slides.ooni.io/2018/cif/#/16?presenter

Через час-полтора после прихода сканера НЕКОТОРЫЕ провайдеры начинают блокировать доступ к просканированному серверу: МГТС, МТС, Мегафон, Yota, Билайн и др.

Ещё через час-полтора IP адрес появляется в "выгрузке" и "дельтах", при этом отметка времени ts у IP-адреса соответствует времени появления в выгрузке и "отстаёт" от времени начала блокировки на выделенных провайдерах.
...
Т.е. на графике явно видно, что провайдеры разделяются на блокировщиков первой и второй гильдии.
Я не знаю, как это интерпретировать. И не знаю, легально ли это вообще.

Machine translation:

In an hour or an hour and a half after the scanner arrives, some ISPs start blocking access to the scanned server: MGTS, MTS, Megafon, Yota, Beeline, etc.
After another hour or an hour and a half the IP address appears in the "unloading" and "delta", and the time ts mark of the IP address corresponds to the time of appearance in the unloading and "lags behind" the time of the start of blocking on the dedicated providers.
...
I.e., the graph clearly shows that ISPs are divided into first guild and second guild blockers.
I don't know how to interpret that. And I don't know if it's even legal.

[darkk]

how can I help with investigation?

@mshtmfv first and foremost it would be interesting to know exact names of the ISPs you've tried. There are still hundreds of small-scale landline ISPs in Russia and dozens of MVNOs. Federal-level ISPs have differing network policies in different regions sometimes, so city-level information might be useful as well. You've probably meant something that is very different from "every ISP Provider in Russia".

[mshtmfv]

@darkk I tried these ISP Providers:

• MTS (mobile)
• Yota
• Megafon (mobile)
• DOM.RU (ER Telecom)
• Rostelecom

I tried almost every big ISP Provider in Russia, sorry for misunderstanding

[gulprun]

Just curious, how much fidelity in this article:
https://www.vice.com/en/article/z3n5e9/russian-internet-lantern

The amount of traffic passing through Lantern’s servers has risen 100,000% in the last four weeks according to the company, though it did not provide a baseline figure for comparison. Lantern said it would not break out country-level user numbers but told VICE News that globally the app has been downloaded 150 million times and has 7 million active monthly users, double the number it had three years ago.

And more curiosity on the claimed "peer-to-peer" technology. Will it be possible to be gauged from servers?