Changes between Version 9 and Version 10 of doc/OONI/censorshipwiki/CensorshipByCountry/Ethiopia


Timestamp:
Dec 21, 2012, 12:26:58 AM (6 years ago)
Author:
phw
Comment:

Added some additional info.

  • doc/OONI/censorshipwiki/CensorshipByCountry/Ethiopia

    v9 v10  
    1 ----
    21== Ethiopia (#6045) ==
    32=== Summary of the current situation ===
    4 At the beginning, DPI boxes only looked for Tor TLS server hellos sent by relays or bridges to Tor clients. If such a packet is found, it is dropped. Since the middle of July, the DPI boxes are ''also'' looking for TLS client hellos as sent by Tor clients < version 0.2.3.17-beta and dropping them. The dropping of client and server hello seems to happen independently of each other.
     3When to block started in May 2012, DPI boxes were only looking for Tor TLS server hellos sent by relays or bridges to Tor clients. If such a packet was found, it was simply dropped and the TCP connection eventually timed out. Since the middle of July, the DPI boxes were ''also'' looking for TLS client hellos as sent by Tor clients < version 0.2.3.17-beta and dropping them as well when found. The dropping of client and server hellos seems to happen independently of each other. The DPI boxes seem to operate ''in-band'' and ''stateless''.
    54
    6 The DPI boxes seem to operate ''in-band'' and ''stateless''.
     5The usage statistics increased in October 2012 so the block might have been lifted.
    76
    87=== First witnessed ===
    9 The block became known at May 22, 2012. According to the [https://metrics.torproject.org/users.html?graph=direct-users&start=2012-03-18&end=2012-06-16&country=et&dpi=72#direct-users metrics page], the block might have started several days earlier. A [https://blog.torproject.org/blog/ethiopia-introduces-deep-packet-inspection blog post] was published at May 31st.
     8The block became known at May 22, 2012. According to the [https://metrics.torproject.org/users.html?graph=direct-users&start=2012-03-18&end=2012-06-16&country=et&dpi=72#direct-users metrics page], the block might have started several days earlier. A [https://blog.torproject.org/blog/ethiopia-introduces-deep-packet-inspection blog post] was published at May 31st. An [https://blog.torproject.org/blog/update-censorship-ethiopia update] followed.
    109
    1110=== Last witnessed ===
    12 The usage statistics [https://metrics.torproject.org/users.html?graph=direct-users&start=2012-01-22&end=2012-12-21&country=et&events=off#direct-users seem to have recovered] since the beginning of October 2012.
     11The usage statistics [https://metrics.torproject.org/users.html?graph=direct-users&start=2012-01-22&end=2012-12-21&country=et&events=off#direct-users seem to have recovered] since the beginning of October 2012. At the moment it is unclear, whether the block is still ongoing.
    1312
    1413=== Type of Tor censorship ===
    1514 * '''Deep packet inspection''': #6045
    16    * '''Fingerprint''': Multiple strings in the Tor TLS ServerHello/Certificate/ServerKeyExchange/ServerHelloDone records were matched in the beginning (#6045). If a packet matches, it is dropped. After several weeks, at least the cipher list in the TLS client hello (in versions < 0.2.3.17-beta) leads to the client hello being dropped as well.
     15   * '''Fingerprint''': Multiple strings in the Tor TLS ServerHello/Certificate/ServerKeyExchange/ServerHelloDone records were matched in the beginning (#6045). If a packet matched, it was simply dropped. After several weeks, at least the cipher list in the TLS client hello (in versions < 0.2.3.17-beta) leads to the client hello being dropped as well.
    1716
    1817=== Types of non-Tor censorship ===
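
Review bot: In new line 3 of the summary, "When to block started in May 2012" is a typo for "When the block started in May 2012". The same line moves the description into the past tense but keeps "seems to happen" and "seem to operate" in the present, and the fingerprint entry in new line 15 now reads "If a packet matched, it was simply dropped" followed by "leads to the client hello being dropped". Pick one tense per paragraph, depending on whether the block is treated as ongoing, which new line 11 says is unclear. In new line 11, the comma in "unclear, whether" should be dropped.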
     
    2524
    2625=== Type of firewall ===
    27  * '''Manufactorer''': nothing definitive, possibly something from ZTE Corp. It is hard to narrow down the DPI boxes because traceroutes get dropped somewhere in the network backbone.
     26 * '''Manufactorer''': No hard facts but perhaps something from ZTE Corp. It is hard to narrow down the DPI boxes because traceroutes are dropped somewhere in the network backbone.
    2827
    2928=== Reproducing the blocking ===
    30  * Binaries, patches etc can be found in [https://gitweb.torproject.org/censorship-timeline.git censorship-timeline.git]
    31  * Due to the firewall being stateless and in-band, it is easy to trigger and analyze blocking. The tool `hping3` can be used to send data to an arbitrary machine in Ethiopia. If the machine answers with a RST segment, the data passed. If it does not answer, the data was probably dropped by the firewall:
     29 * Binaries, patches etc. can be found in [https://gitweb.torproject.org/censorship-timeline.git censorship-timeline.git]
     30 * Due to the firewall being stateless and in-band, it is easy to trigger and analyze blocking. Even outside the country. The tool `hping3` can be used to send data to an arbitrary machine in Ethiopia. If the machine answers with a RST segment, the data passed. If it does not answer, the data was probably dropped by the DPI boxes:
    3231{{{
    3332hping3 -p <RANDOM-HIGHPORT> -E <FILE> -d <FILE-LENGTH> -A <ETHIOPIAN-MACHINE>
    3433}}}
    3534 * A vanilla Tor (v0.2.2.37) TLS server hello can be used to trigger dropping: http://files.7c0.org/tor/Ethiopia-Tor-TLS-Server-Hello.bin
    36  * Running Ethiopian machines for the test can be found by iterating over the address blocks announced by [http://bgp.he.net/AS24757#_prefixes bgp.he.net].
     35 * Running Ethiopian machines for the test can be found by iterating over the address blocks announced by [http://bgp.he.net/AS24757#_prefixes bgp.he.net]. Alternatively, [https://github.com/ioerror/blockfinder blockfinder] can be used.
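
Review bot: The reproduction step in new line 30 treats a missing RST as evidence of dropping but describes no control probe, and a machine that is down or a path that filters bare ACK segments produces the same silence. Suggest adding a sentence that the same hping3 command is first run against the same machine and port with a payload of equal length that is not a Tor handshake, and that only machines answering that probe with a RST are used for the test. In the same line, "Even outside the country." is a sentence fragment and reads better merged into the preceding sentence. New line 26 keeps the misspelling "Manufactorer", which should be "Manufacturer".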