Turkey blocking of direct connections, 2016-12-12

Turkey Blocks article: https://turkeyblocks.org/2016/12/18/tor-blocked-in-turkey-vpn-ban/

After getting some reports on twitter about Tor being blocked in Turkey and some chat on IRC, aka aka ran some tests and found some interesting information about how Turkey is blocking vanilla Tor connections. I paste their findings here:

16:48 < trdpi> 10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
16:48 < trdpi> after less than 10 seconds
...
16:55 < trdpi> this isp injects rst it seems
16:56 < trdpi> to both side, as i got 2 rst one legit and 2 not
16:57 < mrphs> oh apparently today is an special day in turkey
...
17:00 < trdpi> telneting to or port, no rsts. it triggered by something more than ip:port connection
17:01 < trdpi> yay, window trick for split req works for tr
17:02 < trdpi> magic tool allows to bypass vanilla tor censorship
17:04 < trdpi> so it's about ciphersuits or something
17:07 < trdpi> it's like kz, but obfs4 works
17:07 < trdpi> and kz do not rsts
17:07 < trdpi> it controlls connection
17:07 < trdpi> and tr like do not controlls and to inject fraud only

added Turkey in Legacy / Trac UX in Legacy / Trac block in Legacy / Trac censorship in Legacy / Trac component::circumvention/censorship analysis in Legacy / Trac owner::metrics-team in Legacy / Trac priority::medium in Legacy / Trac resolution::wontfix in Legacy / Trac severity::normal in Legacy / Trac status::closed in Legacy / Trac tr in Legacy / Trac type::task in Legacy / Trac labels

Trac:
Keywords: N/A deleted, censorship, Turkey added

Trac:
Keywords: censorship, Turkey deleted, censorship block tr Turkey added
Component: Core Tor/Tor to Metrics/Censorship analysis
Type: defect to task
Owner: N/A to metrics-team

Trac:

https://metrics.torproject.org/userstats-relay-country.png?start=2016-09-18&end=2016-12-17&country=tr&events=off

Trac:

https://metrics.torproject.org/userstats-bridge-country.png?start=2016-09-18&end=2016-12-17&country=tr

Trac:

https://metrics.torproject.org/userstats-bridge-combined.png?start=2016-09-18&end=2016-12-17&country=tr

Tor metrics graphs show a large increase in users (both relay and bridge) in recent days, starting on 2016-12-12. I first heard of it from Joss Wright's twitter reporting a find of their anomaly detector.

The brief spike in relay users and sustained jump in bridge users on November 4 was the same date as government orders to block Tor and VPNs. The more recent increase on December 12, I don't know what might have caused.

link

link

link

Trac:

There is one ooniprobe in Turkey, and it reports that it has not been able to make a vanilla Tor connection starting on 2016-12-13 (T means success and F means failure).

test_start_time,success,probe_cc,transport_name,test_runtime
...
2016-12-11 00:01:04,T,TR,vanilla,91.0027029514
2016-12-12 00:01:01,T,TR,vanilla,80.7238359451
2016-12-13 09:16:40,F,TR,vanilla,300.1475861073
2016-12-13 10:20:30,F,TR,vanilla,300.1046140194
2016-12-15 17:14:54,F,TR,vanilla,300.1320888996
2016-12-16 00:00:35,F,TR,vanilla,300.1127798557

source code for graph

# mkdir -p reports
# wget -O - 'http://staging.measurements.ooni.io/api/v1/files?probe_cc=TR&test_name=vanilla_tor' | jq -r '.results[].download_url' | wget --no-http-keep-alive -P reports -c -i -
# (echo "test_start_time,success,probe_cc,transport_name,test_runtime"; jq -j '.test_start_time,",",if .test_keys.success then "T" else "F" end,",",.probe_cc,",",.test_keys.transport_name,",",.test_runtime,"\n"' reports/*) > tr.csv
library(ggplot2)
x <- read.csv("tr.csv")
x$test_start_time <- as.POSIXct(x$test_start_time, tz="GMT")
p <- ggplot(x)
p <- p + geom_linerange(aes(test_start_time, ymin=0, ymax=test_runtime, color=success), size=1.5, alpha=0.8, stat="identity")
p <- p + scale_x_datetime(date_breaks="1 month", date_minor_breaks="1 week")
p <- p + ggtitle("time to bootstrap Tor in Turkey")
p <- p + theme_bw()
p <- p + theme(legend.position="top")
filename <- sprintf("tr-tor-%s.png", strftime(max(x$test_start_time), "%Y%m%d"))
ggsave(filename, p, dpi=120, width=5, height=3)

Trac:
Summary: TR is blocking Tor connections to Turkey blocking of direct connections, 2016-12-12

If what trdpi says is correct, that the firewall is breaking connections that are already partly underway, that could account for the seemingly increased number of users. Users are counted indirectly by counting directory requests. Connections might be getting broken after a directory request is sent but before the connection becomes useful. This is just a guess. The OONI reports say that bootstrapping failed at 10%, which is where you make a directory request, but you can also get to 10% even with no connectivity, I believe.

turk telekom, vanilla tor detected by ciphers, injected rst after client hello, split of segment works, obfs4 works. tellcom, vanilla tor detected by ciphers, connection stalled after client hello, split of segment doesn't works, obfs4 works.

Connections might be getting broken after a directory request is sent but before the connection becomes useful.

No, it seems connection broken before successful tls handshake, client can't get server hello.

Trac:

obfs3_connection-error.jpg

Trac:

obfs4_connection-error

ISPs and ASnumbers tested:

Turksat uydunet: 47524 Turk Telekom: 9121

Here are some tests from inside TR on Pluggable Transports:

obfs4

12/17/2016 12:16:46 PM.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:16:46 PM.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:16:46 PM.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:16:46 PM.900 [NOTICE] Opening Socks listener on 127.0.0.1:9150 
12/17/2016 12:16:46 PM.900 [NOTICE] Renaming old configuration file to "C:\Users\X\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc.orig.1" 
12/17/2016 12:16:46 PM.900 [NOTICE] Bootstrapped 5%: Connecting to directory server 
12/17/2016 12:16:47 PM.000 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
12/17/2016 12:19:32 PM.800 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
12/17/2016 12:19:32 PM.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:19:32 PM.800 [NOTICE] Closing old Socks listener on 127.0.0.1:9150 
12/17/2016 12:19:32 PM.900 [NOTICE] Delaying directory fetches: DisableNetwork is set. 
12/17/2016 12:21:40 PM.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:21:40 PM.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:21:40 PM.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:21:40 PM.800 [NOTICE] Opening Socks listener on 127.0.0.1:9150 
12/17/2016 12:21:55 PM.900 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection 
12/17/2016 12:21:57 PM.500 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus 
12/17/2016 12:22:00 PM.600 [NOTICE] new bridge descriptor 'LeifEricson' (fresh): $A09D536DD1752D542E1FBB3C9CE4449D51298239~LeifEricson at 83.212.101.3 
12/17/2016 12:22:00 PM.600 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus. 
12/17/2016 12:22:03 PM.200 [NOTICE] Bootstrapped 25%: Loading networkstatus consensus 
12/17/2016 12:22:03 PM.900 [NOTICE] Bridge 'NX01' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (85.17.30.79:443) based on the configured Bridge address. 
12/17/2016 12:22:03 PM.900 [NOTICE] new bridge descriptor 'NX01' (fresh): $FC259A04A328A07FED1413E9FC6526530D9FD87A~NX01 at 85.17.30.79 
12/17/2016 12:22:03 PM.900 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus. 
12/17/2016 12:22:08 PM.700 [WARN] Proxy Client: unable to connect to 154.35.22.9:12166 ("general SOCKS server failure") 
12/17/2016 12:22:08 PM.800 [WARN] Proxy Client: unable to connect to 154.35.22.13:16815 ("general SOCKS server failure") 
12/17/2016 12:22:11 PM.200 [NOTICE] new bridge descriptor 'noether' (fresh): $7B126FAB960E5AC6A629C729434FF84FB5074EC2~noether at 122.99.11.54 
12/17/2016 12:22:11 PM.200 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus. 
12/17/2016 12:22:17 PM.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus. 
12/17/2016 12:22:19 PM.800 [NOTICE] Bootstrapped 40%: Loading authority key certs 
12/17/2016 12:22:21 PM.800 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no recent usable consensus. 
12/17/2016 12:22:53 PM.100 [WARN] Problem bootstrapping. Stuck at 40%: Loading authority key certs. (DONE; DONE; count 10; recommendation warn; host 752CF7825B3B9EA6A98C83AC41F7099D67007EA5 at 128.245.60.50:443) 
12/17/2016 12:22:53 PM.100 [WARN] 12 connections have failed: 
12/17/2016 12:22:53 PM.100 [WARN]  8 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
12/17/2016 12:22:53 PM.100 [WARN]  2 connections died in state handshaking (proxy) with SSL state (No SSL object) 
12/17/2016 12:22:53 PM.100 [WARN]  1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN 
12/17/2016 12:22:53 PM.100 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object) 
12/17/2016 12:28:40 PM.300 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
12/17/2016 12:28:40 PM.300 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:28:40 PM.300 [NOTICE] Closing old Socks listener on 127.0.0.1:9150 
12/17/2016 12:28:40 PM.300 [WARN] Problem bootstrapping. Stuck at 40%: Loading authority key certs. (DONE; DONE; count 11; recommendation warn; host 00DC6C4FA49A65BD1472993CF6730D54F11E0DBB at 154.35.22.12:4304) 
12/17/2016 12:28:40 PM.300 [WARN] 13 connections have failed: 
12/17/2016 12:28:40 PM.300 [WARN]  9 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
12/17/2016 12:28:40 PM.300 [WARN]  2 connections died in state handshaking (proxy) with SSL state (No SSL object) 
12/17/2016 12:28:40 PM.300 [WARN]  1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN 
12/17/2016 12:28:40 PM.300 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object) 
12/17/2016 12:28:40 PM.300 [WARN] Problem bootstrapping. Stuck at 40%: Loading authority key certs. (DONE; DONE; count 12; recommendation warn; host 8FB9F4312E89E5C6223052AA525A122AFBC85D55 at 154.35.22.10:15937) 
12/17/2016 12:28:40 PM.300 [WARN] 14 connections have failed: 
12/17/2016 12:28:40 PM.300 [WARN]  10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
12/17/2016 12:28:40 PM.300 [WARN]  2 connections died in state handshaking (proxy) with SSL state (No SSL object) 
12/17/2016 12:28:40 PM.300 [WARN]  1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN 
12/17/2016 12:28:40 PM.300 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object) 
12/17/2016 12:28:40 PM.300 [WARN] Problem bootstrapping. Stuck at 40%: Loading authority key certs. (DONE; DONE; count 13; recommendation warn; host A832D176ECD5C7C6B58825AE22FC4C90FA249637 at 154.35.22.11:80) 
12/17/2016 12:28:40 PM.300 [WARN] 15 connections have failed: 
12/17/2016 12:28:40 PM.300 [WARN]  10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
12/17/2016 12:28:40 PM.300 [WARN]  2 connections died in state handshaking (proxy) with SSL state (No SSL object) 
12/17/2016 12:28:40 PM.300 [WARN]  1 connections died in state handshaking (TLS) with SSL state SSLv3 read finished A in HANDSHAKE 
12/17/2016 12:28:40 PM.300 [WARN]  1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN 
12/17/2016 12:28:40 PM.300 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object) 
12/17/2016 12:28:40 PM.300 [NOTICE] Delaying directory fetches: DisableNetwork is set. 

After switching to obfs3

12/17/2016 12:29:44 PM.100 [WARN]  2 connections died in state handshaking (TLS) with SSL state SSLv3 read finished A in HANDSHAKE 
12/17/2016 12:29:44 PM.100 [WARN]  1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN 
12/17/2016 12:29:44 PM.100 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object) 
12/17/2016 12:29:44 PM.100 [WARN] Problem bootstrapping. Stuck at 40%: Loading authority key certs. (DONE; DONE; count 16; recommendation warn; host 7B126FAB960E5AC6A629C729434FF84FB5074EC2 at 122.99.11.54:443) 
12/17/2016 12:29:44 PM.100 [WARN] 27 connections have failed: 
12/17/2016 12:29:44 PM.100 [WARN]  11 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
12/17/2016 12:29:44 PM.100 [WARN]  11 connections died in state handshaking (proxy) with SSL state (No SSL object) 
12/17/2016 12:29:44 PM.100 [WARN]  3 connections died in state handshaking (TLS) with SSL state SSLv3 read finished A in HANDSHAKE 
12/17/2016 12:29:44 PM.100 [WARN]  1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN 
12/17/2016 12:29:44 PM.100 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object) 
12/17/2016 12:29:44 PM.100 [NOTICE] Delaying directory fetches: DisableNetwork is set. 
12/17/2016 12:48:55 PM.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:48:55 PM.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:48:55 PM.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:48:55 PM.400 [NOTICE] Opening Socks listener on 127.0.0.1:9150 
12/17/2016 12:49:06 PM.500 [NOTICE] new bridge descriptor 'ndnop0' (fresh): $1E05F577A0EC0213F971D81BF4D86A9E4E8229ED~ndnop0 at 109.105.109.163 
12/17/2016 12:49:06 PM.500 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no recent usable consensus. 
12/17/2016 12:49:07 PM.000 [NOTICE] new bridge descriptor 'ndnop2' (fresh): $4C331FA9B3D1D6D8FB0D8FBBF0C259C360D97E6A~ndnop2 at 109.105.109.163 
12/17/2016 12:49:07 PM.000 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no recent usable consensus. 
12/17/2016 12:49:08 PM.000 [NOTICE] new bridge descriptor 'Unnamed' (fresh): $AF9F66B7B04F8FF6F32D455F05135250A16543C9~Unnamed at 169.229.59.75 
12/17/2016 12:49:08 PM.000 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no recent usable consensus. 
12/17/2016 12:49:15 PM.700 [NOTICE] Bootstrapped 45%: Asking for relay descriptors 
12/17/2016 12:49:15 PM.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7221, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.) 
12/17/2016 12:49:18 PM.100 [NOTICE] Bootstrapped 50%: Loading relay descriptors 
12/17/2016 12:49:45 PM.200 [WARN] Problem bootstrapping. Stuck at 50%: Loading relay descriptors. (DONE; DONE; count 17; recommendation warn; host A09D536DD1752D542E1FBB3C9CE4449D51298239 at 83.212.101.3:50002) 
12/17/2016 12:49:45 PM.200 [WARN] 28 connections have failed: 
12/17/2016 12:49:45 PM.200 [WARN]  12 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
12/17/2016 12:49:45 PM.200 [WARN]  11 connections died in state handshaking (proxy) with SSL state (No SSL object) 
12/17/2016 12:49:45 PM.200 [WARN]  3 connections died in state handshaking (TLS) with SSL state SSLv3 read finished A in HANDSHAKE 
12/17/2016 12:49:45 PM.200 [WARN]  1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN 
12/17/2016 12:49:45 PM.200 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object) 
12/17/2016 12:50:11 PM.700 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
12/17/2016 12:50:11 PM.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/17/2016 12:50:11 PM.700 [NOTICE] Closing old Socks listener on 127.0.0.1:9150 
12/17/2016 12:50:11 PM.700 [NOTICE] Delaying directory fetches: DisableNetwork is set.