Ethiopia (#6045)

Summary of the current situation

When the block started in May 2012, the DPI boxes were only looking for Tor TLS server hellos sent by relays or bridges to Tor clients. If such a packet was found, it was simply dropped and the TCP connection eventually timed out. Since the middle of July, the DPI boxes have also been looking for TLS client hellos as sent by Tor clients < version and dropping them as well when found. The dropping of client and server hellos seems to happen independently of each other. The DPI boxes seem to operate in-band and stateless.

The usage statistics increased again in October 2012, so the block might have been lifted.

First witnessed

The block became known on May 22, 2012. According to the metrics page, the block might have started several days earlier. A blog post was published on May 31st. An update followed.

Last witnessed

The usage statistics seem to have recovered since the beginning of October 2012. At the moment it is unclear whether the block is still ongoing.

Type of Tor censorship

  • Deep packet inspection: #6045
    • Fingerprint: Multiple strings in the Tor TLS ServerHello/Certificate/ServerKeyExchange/ServerHelloDone records were matched in the beginning (#6045). If a packet matched, it was simply dropped. After several weeks, at least the cipher list in the TLS client hello (in versions < leads to the client hello being dropped as well.

Types of non-Tor censorship

Ways to bypass censorship

  • Bridges were patched to pick the cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA instead of TLS_DHE_RSA_WITH_AES_256_CBC_SHA. This used to be sufficient to evade the DPI boxes. Three patched bridges were published in a blog post. However, since the DPI boxes started filtering for the client hello as well, a client with an updated cipher list (>= version is also necessary.
  • A bridge which selects TLS_DHE_RSA_WITH_AES_128_CBC_SHA as cipher and splits its cipher list (e.g. using brdgrd) can work for Ethiopian users.
  • Obfsproxy probably evades the DPI boxes too.
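The fingerprint described under "Type of Tor censorship" and the cipher-based evasion in the list above can be modelled in a few lines. The following is an added example, not code from this ticket or from Tor, brdgrd or the blog posts it references. It builds minimal TLS 1.0 ClientHello/ServerHello records, applies a simplified DPI rule (drop any parseable hello carrying TLS_DHE_RSA_WITH_AES_256_CBC_SHA; the real rule matched several strings, which this toy does not reproduce), and contrasts a stateless per-segment matcher with one that reassembles the TCP stream. The cipher suite values 0x0039 and 0x0033 are the real IANA assignments; the hello layouts, the segment split point and the rule itself are constructed assumptions for illustration.

```python
"""Toy model of a stateless DPI rule on TLS hello cipher suites (added example).

Shows why switching the bridge's chosen cipher evades the ServerHello rule and why
splitting the ClientHello across TCP segments defeats a box that does not reassemble.
"""
import struct

# Real IANA cipher suite values; the bridges were patched to pick the second one.
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS10 = b"\x03\x01"
RANDOM = bytes(32)  # constructed fixed "random" so the example is reproducible


def _record(body: bytes) -> bytes:
    """TLS record header: content type, version, 16-bit length."""
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(body)) + body


def _handshake(msg_type: int, payload: bytes) -> bytes:
    """Handshake header: message type plus 24-bit length."""
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload


def build_client_hello(ciphers: list) -> bytes:
    """Minimal TLS 1.0 ClientHello without extensions (constructed layout)."""
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    payload = (TLS10 + RANDOM + b"\x00"                 # version, random, empty session id
               + struct.pack("!H", len(suites)) + suites
               + b"\x01\x00")                           # one compression method: null
    return _record(_handshake(CLIENT_HELLO, payload))


def build_server_hello(cipher: int) -> bytes:
    """Minimal TLS 1.0 ServerHello selecting a single cipher suite."""
    payload = TLS10 + RANDOM + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    return _record(_handshake(SERVER_HELLO, payload))


def parse_hello(data: bytes):
    """Parse one handshake record. Returns (type, cipher list) or None when the
    bytes are not a complete hello, which is all a stateless box ever sees."""
    if len(data) < 9 or data[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                     # record truncated in this segment
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                        # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    if hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
        return hs_type, suites
    if hs_type == SERVER_HELLO:
        return hs_type, [struct.unpack("!H", body[pos:pos + 2])[0]]
    return None


def dpi_matches(data: bytes, flagged: int = TLS_DHE_RSA_WITH_AES_256_CBC_SHA) -> bool:
    """Simplified rule (assumption): drop if a parseable hello carries the flagged suite."""
    parsed = parse_hello(data)
    return parsed is not None and flagged in parsed[1]


def stateless_dpi(segments: list) -> bool:
    """Inspect every TCP segment on its own, with no reassembly."""
    return any(dpi_matches(s) for s in segments)


def reassembling_dpi(segments: list) -> bool:
    """Reassemble the stream first, then apply the same rule."""
    return dpi_matches(b"".join(segments))


def demo() -> dict:
    """Run the four scenarios the ticket describes and report what each matcher drops."""
    old_server = build_server_hello(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
    patched_server = build_server_hello(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
    client = build_client_hello([TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                                 TLS_DHE_RSA_WITH_AES_128_CBC_SHA])
    split = [client[:48], client[48:]]                  # cipher list straddles the boundary
    return {
        "old_server_dropped": stateless_dpi([old_server]),
        "patched_server_dropped": stateless_dpi([patched_server]),
        "client_whole_dropped": stateless_dpi([client]),
        "client_split_stateless": stateless_dpi(split),
        "client_split_reassembled": reassembling_dpi(split),
    }


if __name__ == "__main__":
    for name, dropped in demo().items():
        print(f"{name}: {'dropped' if dropped else 'passed'}")
```

The split case is the point of the brdgrd-style bypass: each segment on its own is either a truncated record or a run of bytes that does not start with a handshake header, so a box that never reassembles finds nothing to match, while a reassembling matcher applies the same rule and drops the hello. For anyone building detection rather than evading it, this is the argument for stream reassembly before pattern matching.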

Type of firewall

  • Manufacturer: No hard facts, but perhaps something from ZTE Corp. It is hard to narrow down the DPI boxes because traceroutes are dropped somewhere in the network backbone.

Reproducing the blocking

  • Binaries, patches etc. can be found in censorship-timeline.git
  • Because the firewall is stateless and in-band, it is easy to trigger and analyze the blocking, even from outside the country. The tool hping3 can be used to send data to an arbitrary machine in Ethiopia. If the machine answers with a RST segment, the data passed. If it does not answer, the data was probably dropped by the DPI boxes:
  • A vanilla Tor (v0.2.2.37) TLS server hello can be used to trigger dropping:
  • Running Ethiopian machines for the test can be found by iterating over the address blocks announced by Alternatively, blockfinder can be used.
Last modified on Dec 21, 2012, 12:26:58 AM