
Re: [tor-bugs] #20348 [Metrics/Censorship analysis]: Kazakhstan blocking of vanilla Tor and obfs4 by Allot Communications hardware, 2016-06



#20348: Kazakhstan blocking of vanilla Tor and obfs4 by Allot Communications
hardware, 2016-06
-----------------------------------------+--------------------------
 Reporter:  dcf                          |          Owner:
     Type:  project                      |         Status:  reopened
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  censorship block kz          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+--------------------------

Comment (by dcf):

 == Summary of information about Allot Communications ==

 kzblocked found some evidence that at least part of the Kazakh firewall is
 provided by [https://en.wikipedia.org/wiki/Allot_Communications Allot
 Communications], which seems to be some firewall/DPI vendor.

 As I understand it, the main evidence that Allot hardware is in use is
 comment:177, import applications (I think that's what they are) dated
 2014-11-07 that show `АО "Казахтелеком"`
 ([https://en.wikipedia.org/wiki/Joint-stock_company JSC] Kazakhtelekom)
 asking to import equipment from `"Allot Communications LTD"` in Israel.
  * [http://www.rep.nca.kz/index.php?mode=r3&SERT=4%D2%D1.KZ.1900193.21.01.02407 4ТС.KZ.1900193.21.01.02407] (https://archive.is/UXbwA): 1 × [https://www.allot.com/products/platforms/service-gateway/#1461143657367-91864faf-6cb8 SG-Sigma E6]
  * [http://www.rep.nca.kz/index.php?mode=r3&SERT=4%D2%D1.KZ.1900193.21.01.02408 4ТС.KZ.1900193.21.01.02408] (https://archive.is/1vSE6): 3 × [https://www.allot.com/products/platforms/service-gateway/#1461143538377-8005dcec-ef24 SG-Tera 14]
  * [http://www.rep.nca.kz/index.php?mode=r3&SERT=4%D2%D1.KZ.1900193.21.01.02409 4ТС.KZ.1900193.21.01.02409] (https://archive.is/UdfAf): 2 × [https://www.allot.com/products/platforms/service-gateway/#1461143538377-8005dcec-ef24 SG-Tera 14]
  * [http://www.rep.nca.kz/index.php?mode=r3&SERT=4%D2%D1.KZ.1900193.21.01.02410 4ТС.KZ.1900193.21.01.02410] (https://archive.is/2p3Sa): 2 × [https://www.allot.com/products/platforms/service-gateway/#1461143538377-8005dcec-ef24 SG-Tera 14]

 The other piece is from comment:175, in which a past 0.2090000.ru
 blockpage, which [[comment:161|we previously found]] to have the same HTTP
 signature as a Kazakhstan block page, explicitly said "Allot" on it.

 They call their DPI tech [https://www.allot.com/technology/dart-dpi/
 "DART"]. It's unclear how much is their own and how much is integration of
 other companies' such as Sophos and Kaspersky. Their page of
 [https://www.allot.com/products/platforms/supported-protocols/#1460974307058-a61550f0-8196 supported protocols]
 (https://archive.is/AuA8b) explicitly mentions Tor, ScrambleSuit, obfs4,
 and meek, among others:
 > === June 13, 2016 ===
 > Private VPN services provided by the Tor project are used by millions the world over, including IT professionals, law enforcement, journalists, bloggers, business execs, researchers and everyday users who want to protect their privacy. A number of applications, like bridges and pluggable transports have sprouted up around Tor to improve the privacy and the experience. Some Tor browsers provide bridges by default. And if not, these tools can be downloaded at any time. A bridge is a tool that makes Tor traffic look like any other traffic, such that censors and other monitors do not identify it as Tor per se. In Allot’s latest DART Protocol Pack, we refined our signature for the Tor obfs4 safe transport, to assure accurate identification of this kind of traffic on your network:
 >  * Tor Obfs4
 > === April 4th, 2016 ===
 > Online anonymity is often viewed as counter-productive and there is a vigorous and ongoing debate regarding the unprecedented anonymity enabled by the Internet. The creators of the Tor project are understandably pro-anonymity, arguing in favor of the many positive and productive uses of TOR by all kinds of people, including IT professionals, law enforcement, journalists, bloggers, business execs, researchers and everyday users who want to protect their privacy. In Allot’s latest DART Protocol Pack we revisited and refined these TOR transport protocols to assure accurate detection of their use:
 >  * TOR ScrambleSuit (pluggable proxy transport protocol)
 >  * TOR Obfs4 (TCP obfuscation layer)
 >  * TOR
 > === February 2nd, 2016 ===
 > TOR is a popular anonymizer application that uses the “onion router.” Onion Router is a website that takes requests for web-pages and routes them through other onion router nodes, until your requested page reaches you. Onion routers encrypt the traffic which means no one can see what you’re asking for, and the layers of the onion don’t know who they’re working for. In Allot’s latest DART Protocol Pack we added signatures that identify these TOR transport protocols that use the Onion Router network:
 >  * TOR ScrambleSuit (pluggable proxy transport protocol)
 >  * TOR Obfs4 (TCP obfuscation layer)
 > === April 27th, 2015 ===
 > In recent weeks we announced the new anonymizer applications that were added to Allot’s signature library. This week we focused on updating and refining existing DART signatures for these popular VPN and encryption protocols:
 >  * TOR (default mode, 3 available bridge modes, CDN meek)
 >  * Psiphon
 > === January 26th, 2015 ===
 > Allot’s latest DART Protocol Pack helps you identify traffic from users of the Psiphon circumvention system, which has become a popular way to bypass content-filtering systems in order to access sites that have been blocked due to geographical or regulatory restrictions. It’s also used to add a layer of identity protection. In this pack, we refined the Psiphon signature to cover all operation modes, including SSH, SSH+ and VPN. We also added two new Psiphon signatures for identifying traffic to and from:
 >  * Psiphon Proxy Server
 >  * Psiphon CDN (Meek mode)

 Allot's LinkedIn pages are what you would expect from a DPI firm, and one
 mentions Tor and domain fronting:
  * https://www.linkedin.com/in/anton-nosikovsky-2798a218 (https://archive.is/H42Rm)
    > DPI Researcher and Algorithms Developer at Allot Communications
    > Deep Packet Inspection professional, Network Protocols Research Expert
    > Data mining (Extraction and Analysis), Reverse Engineering Network Protocols
    > Analysis of encrypted services (VPNs, anonymizers, domain fronting etc.)
    > Protocol research experience: BitTorrent, Skype, TOR, Psiphon, Ultrasurf, Freegate, Network Games, Video game consoles etc.
  * https://www.linkedin.com/in/liran-keren-334688111 (https://archive.is/AUTz8)
    > DPI researcher at Allot Communications
  * https://www.linkedin.com/in/tanya-goldenfeld-81bba317 (https://archive.is/GdWzV)
    > DPI researcher at Allot Communications
  * https://www.linkedin.com/in/yuliashnaiderheimlich (https://archive.is/O1obQ)
    > DPI Researcher at Allot Communications
    > Research methodology and algorithm development for deep packet inspection
  * https://www.linkedin.com/in/meidan-kronenfeld-a82516109 (https://archive.is/R8qzx)
    > Senior DPI Researcher at Allot Communications
  * https://www.linkedin.com/in/gustavo-goldenstein-6701795 (https://archive.is/Ta5Ae)
    > SE, DPI Researcher and Algorithms Developer at Allot Communications
  * https://www.linkedin.com/in/noa-tal-62b08a105 (https://archive.is/VRRKk)
    > Automation Leader - DPI team at Allot Communications
    > Responsibility over three major DPI projects: Device identification, Video analysis and Browsing-Application differentiation.
  * https://www.linkedin.com/in/alexey-minevich-75969814 (https://archive.is/Y7xu9)
    > Team Leader, DPI, R&D, Allot Communications
    > Data Extraction and Analysis, Network Protocols Research Expert, Deep Packet Inspection professional

 Interestingly, Allot has been in trouble before for selling censorship
 hardware to Iran:
  * https://en.wikipedia.org/wiki/Allot_Communications#Controversy
    > In 2011, reports alleged that Allot had been illegally selling equipment to Iran. However, in January 2012 Allot was cleared by the Ministry of Defense of any wrongdoing.
  * [https://web.archive.org/web/20160516013255/http://www.haaretz.com/israel-news/report-israeli-company-sold-surveillance-equipment-to-iran-1.403107 Haaretz: Israeli Company Sold Surveillance Equipment to Iran]
  * [https://web.archive.org/web/20150712191941/http://www.bloomberg.com/news/articles/2011-12-23/israel-didn-t-know-high-tech-gear-was-sent-to-iran-via-denmark Bloomberg: Israel Didn’t Know Tech Gear Was Sent to Iran Via Denmark]
  * [https://web.archive.org/web/20140314035640/http://www.globes.co.il/en/article-1000718874 globes.co.il: Defense Ministry closes probe into Allot's alleged Iran sales]

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:184>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online