[tor-talk] Tor ban discussion at Russian state Duma

[Leonid Evdokimov <leon@xxxxxxxxxxxx>]

As-salamu alaykum!

TL/DR: Tor ban is currently discussed in Russian state Duma, first draft
of proposed bill was approved the 23th of June, there will be two more
drafts (second draft should be ready for discussion at the parliament by
the 2nd of July[DU]), there is ~120 days gap after 3rd draft approval
before Tor being outlawed.

[DU] http://asozd2.duma.gov.ru/main.nsf/%28SpravkaNew%29?OpenAgent&RN=195446-7&02
[DU] https://archive.li/8GxKD

~1300 words more:

On 15th of June in the morning there was an open invitation[Oi]
published by Leonid Levin, chairman of State Duma (Russian parliament)
committee on information politics, information technologies and
telecommunication towards representatives of anonymisers to discuss
proposed bill that regulates services that may be used to gain access to
outlawed information: VPN services, anonymisers, etc. One of the
declared purposes of the invitation was to "gather opinions to make the
bill more technological from the point of view of the bill goals".

[Oi] http://www.komitet5.km.duma.gov.ru/Novosti-Komiteta/item/522019/
[Oi] https://archive.li/dyepC
[Oi] https://geektimes.ru/post/290109/
^^ all three links are in Russian, sorry.

Couple of weeks before this invitation there was significant number of
outages going on in the Russian segment of the internet.  But I should
give some context on blocklist used by Russian ISPs before describing
the outages:

Roskomnadzor[RKN] curates blocklist of IP addresses, domains and URLs
that contain links to illegal information that should be blocked.
The list is composed of two parts: the list of illegal information
that should be blocked[BL] and the registry of illegal information[EAIS].
The second list may contain links that cause too much collateral damage
in case of blocking, e.g. https youtube link[YT] that you can verify
via [EAIS] that it's both illegal and officially NOT blocked despite
the "spirit" of law.

Enforced blocklist[BL] is unofficially public as it's distributed to
thousands of ISPs, so it leaks to github[ZI] at speed of 24 commits
a day.

[RKN] https://en.wikipedia.org/wiki/Roskomnadzor
[BL] http://blocklist.rkn.gov.ru/
[EAIS] https://eais.rkn.gov.ru/
[YT] https://www.youtube.com/watch?v=nEL_JOXGRu4
[ZI] https://github.com/zapret-info/z-i/


In 2012 when the blocklist was first introduced to protect all children
from 0 to 120 years old against extremist content one of the very
first bans was zhurnal.lib.ru (Samizdat library that is currently
reachable with http://samlib.ru). There were almost no smart filters
deployed in ISP networks back in those days, so Maxim Moshkov pointed
DNS A records for zhurnal.lib.ru to IP addresses of minjust.ru, website
of Ministry of Justice of Russia. I don't know if he did that as a
protest or just for fun, but minjust.ru was unreachable via some ISPs.

So the sort of trolling pointing A records of blacklisted domains to
something fun was quite old. In the beginning of the June 2017 it was
back: people across several medias (blogs, Telegram channels, etc.) were
publicly suggesting to use expired domains grepped from from zapret-info
lists, register these domains and point them to google, yandex, VK,
telegram and other popular services. It caused significant amount of
media buzz, including bloomberg[BLOOM] as there is significant amount of
ISPs doing filtering of HTTPS links based on plain TCP/IP blocking.
Someone also pointed one of domains to peering IP addresses of MSK IX
and it caused significant traffic dip[MSKIX]. Maybe it was just a
coincidence, but I've found several looking glasses showing that routers
had /32 routes for blacklisted IPs pointing to some non-default
route[OR,RT,TTK]

[BLOOM] https://www.bloomberg.com/view/articles/2017-06-13/how-the-russian-internet-censor-banned-itself
[MSKIX] http://darkk.net.ru/garbage/2017.06-Tor-VPN-and-Duma/msk_ix_2017-06-08_16-50-10.png
[OR] https://archive.li/i66ic
[RT] https://archive.li/8nK6U
[TTK] https://archive.li/JM5If

I remember TCAM 512k internet hiccup[TC1,TC2] so I was quite afraid of
possible attack causing TCAM overflow. Also there were rumors that some
Allot DPI equipment deployed at some ISPs had troubles when the
blocklist outgrew 64k entries.  Every domain in the blocklist can send
~4000 obsolete IPv4 addresses as a response for single `A` DNS query and
~2300 modern IP addresses for `AAAA` query. There are 623 domains in the
blocklist controlled by single entity -- grani.ru[GRN], so this entity
has possibility to inject enough routes to consume ~5'357'800 TCAM
entries (one per IPv4 and two per modern IP) that's ~10 times larger
that current "Internet routing table" size (~630'000 for IPv4). So I
registered some of these expired domains, conducted a safe experiment
using RIPE Atlas trying to verify that IP addresses for alike domains
containing thousands of A and AAAA records are really added to routing
tables and published intermediate results[RUFW] on ~midnight of 15th of
June (10 hours before the open invitation). I also hope to publish full
results in English within couple of weeks. Results were not shocking,
but they clearly showed that the risk of TCAM overflow attack against
backbone ISPs is non-zero. The thing that really disappointed me was
that there were almost no discussion about possibility of this attack
among ISPs engineers during Russian internet hiccups on early-June 2017.

[TC1] https://bgpmon.net/what-caused-todays-internet-hiccup/
[TC2] https://arstechnica.com/security/2014/08/internet-routers-hitting-512k-limit-some-become-unreliable/
[GRN] https://ru.wikipedia.org/wiki/%D0%93%D1%80%D0%B0%D0%BD%D0%B8.%D1%80%D1%83
[RUFW] https://habrahabr.ru/post/330934/

It was obvious to me that round table discussion of the bill unlikely
changes anything in terms of anonymisers regulation, but I decided to
use the round table discussion as an opportunity to mention the risks
produced by the blocklist that is so inaccurately managed: TCAM overflow
attack, DPI overload attack and I also wanted to mention compromised DPI
equipment that we already observed in Egypt in autumn of 2016[BADPORN].
Extending the blocklist with IP addresses of large networks controlled
by people that are often presented as internet anarchists sounded like
too risky action to me.  IMHO the minimal pre-requirement for alike bill
is building of technological framework that mitigates these risks,
passing the bill without the framework looks like carelessness to me.

The interesting points about the proposed bill are clear copyright lobby
behind it[COLOB] and the mantra "we don't ban VPNs and anonymisers that
are going to enforce Russian blocklists for Russian customers" repeated
over and over again. I still consider the mantra "we don't fight
anonymity today" a sort of hypocrisy, but I don't want to discuss
ethical & political parts of the matter.

[BADPORN] https://ooni.torproject.org/post/egypt-network-interference/#third-party-tools-curl-showing-injected-content
[COLOB] http://komitet5.km.duma.gov.ru/Novosti-Komiteta/item/513823

So I joined round table as an unofficial, technological Tor Project
representative and brought five points to the discussion:
1. TCAM overflow attack risk,
2. DPI overload attack risk (routing traffic to DPI with IP injection),
3. Egypt case when filtering equipment "waz hax0d"
4. VPN-over-VPN and inability to deduce if the client is Russian even
for __complying__ VPN providers if the client tunnels one VPN connection
through another one.
5. Inability to pass a marker "Client is Russian" through chain of tor
nodes as it affects anonymity of the client, that likely means that Tor
will be unable to comply with the law without sacrificing its goals.

There were some fun news and interesting datapoints presented during the
round table.

A representative of backbone internet provides also complained that
current size of Russian segment of the internet in terms of routes is
~40'000 routes and blacklist already adds ~60'000 routes to that, so
there is 1.5x times more memory spent to serve blacklist than to serve
actual Russian traffic :)

DPI deployments for one of backbone ISPs already costs ~1e9 USD
according to MTSC delegate.  I consider this datapoint being really
interesting as MCX:MTSS market cap is 7.8e9 USD.

The chairman is, probably, a troll as he encourages to develop something
like Tor with parental (governmental) control. I just ignored the
suggestion but it may be an interesting case for stubborn lawyer and
developer in theory: e.g.  Tor Browser showing a nag screen while
visiting https://bada-boom.club saying something like "This Website is
banned in Barbaristan and United Cities of Barbaria. We don't track you
so we don't know your country. Please, proceed only if you're not a
citizen of these countries". Technically it reminds me of safe browsing
nag screens.  I doubt that alike nag screen may be really used as an
valid argument in the court during an attempt to "unban" Tor, but it
sounds like an interesting fantasy to me, so I mention it here (assuming
that everyone loves legal trolling).

The bill also mentions that search engine operators have to fetch
blocklist and remove links to blacklisted websites from search engine
result pages with fine of 12k$ USD if they don't. Obviously search
engines have same issue while trying to determine "residence" of the
user. Nearby mail thread about Ukrainian users & Tor clearly
demonstrates the complexity of the issue :)

The following week was also interesting.  www.google.com was officially
banned for couple of hours on 22nd of June and Leonid Levin said that it
was some sort of warning[WAT] for internet companies. The first draft of
aforementioned bill was accepted on 23rd, saying that various TORs
(sic!) should be regulated and MUST NOT route traffic from users of
global network (internet) towards to the banned websites. There were
also some bills on messengers discussed and there was a open-letter
fighting between Durov from Telegram (that may be banned in Russia this
week), Zharov from Roskomnadzor, with comments from Bortnikov from FSB
and aforementioned Levin, but that was too much legalese for me and it's
not that much relevant to tor-talk@ ML, so I'm putting that part aside :)

[WAT] https://rg.ru/2017/06/22/v-gosdume-nazvali-blokirovku-google-predosterezheniem.html
[WAT] http://komitet5.km.duma.gov.ru/Novosti-Komiteta/item/551685/ 
[WAT] https://archive.li/VxkwR & https://archive.li/MZ1Hu
[TORZ] https://youtu.be/a9ZJq4bIiHE?t=1m55s

Dear reader! Thank you for your time reading this!

Sincerely yours, Acting Gonzo[*] Developer.

[*] http://darkk.net.ru/garbage/2017.06-Tor-VPN-and-Duma/Levin-anonymisers-3785.jpg

-- 
WBRBW, Leonid Evdokimov, xmpp:leon@xxxxxxxxxxxx http://darkk.net.ru tel:+79816800702
PGP: 6691 DE6B 4CCD C1C1 76A0  0D4A E1F2 A980 7F50 FAB2
P.S.: And I'm sorry for links mostly in Russian.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk