kelmenhorst / quic-censorship

Documentation of observed QUIC censorship methods and circumvention approaches.

Broad blocking of HTTP/3 traffic in Russia (AS31213, AS12389) #4

Open kelmenhorst opened 2 years ago

kelmenhorst commented 2 years ago

Reports suggest that Russia started to block HTTP/3 traffic nationwide on the 4th of March 2022. With the increasing restrictions of media since the beginning of the invasion of Ukraine, internet censorship in Russia is rapidly changing and getting more restrictive. In this context, people reported that HTTP/3 doesn't work anymore.

We were able to run 2 rounds of HTTP/3 measurements in a mobile (PJSC MegaFon Yota, AS31213), and a landline network (PJSC Rostelecom, AS12389) in Russia, on March 27 and 31. The test list contained 11 websites, i.e. 11 HTTPS endpoints and 11 HTTP/3 endpoints were measured.


| abbreviation | failure type |
|---|---|
| QUIC-hs-to | QUIC handshake timeout |
| conn-reset | connection reset: TCP RST terminated connection during TLS handshake |

Yota, AS31213

Figure 1 (tcp_quic_AS31213_sankey.pdf, panels "HTTPS" and "HTTP/3"): Failure rates of hosts tried over HTTPS vs. HTTP/3. AS31213.

Experiments (the five result columns of Table 1, in order):

| column | experiment | destination IP | SNI | QUIC version |
|---|---|---|---|---|
| 1 | HTTPS | target | target | - |
| 2 | h3 urlgetter | target | target | 1 |
| 3 | h3 urlgetter | target | vk.com | 1 |
| 4 | h3 urlgetter | vk.com | target | 1 |
| 5 | quicping | target IP | - | 0xbabababa |

| host, IP | 1: HTTPS | 2: h3 urlgetter | 3: h3 urlgetter, SNI vk.com | 4: h3 urlgetter to vk.com, SNI target | 5: quicping |
|---|---|---|---|---|---|
| quic.nginx.org, 35.214.218.230 | ✔️ | | | ✔️ | ✔️ |
| cloudflare-quic.com, 172.67.9.235 | ✔️ | | | ✔️ | ✔️ |
| cloudflare-quic.com, 104.22.9.38 | ✔️ | | | ✔️ | ✔️ |
| example.com, 93.184.216.34 (n = 1) | ✔️ | | | ✔️ | ✔️ |
| vk.com, 93.186.225.208 | ✔️ | ✔️ | - | - | ✔️ |
| vk.com, 87.240.139.194 | ✔️ | ✔️ | - | - | ✔️ |
| navalny.com, 188.114.97.7 | | | | | ✔️ |
| navalny.com, 188.114.96.7 | | | | | ✔️ |
| www.facebook.com, 157.240.210.35 | | | | | ✔️ |
| censor.net, 104.22.72.106 | | | | | ✔️ |
| censor.net, 172.67.42.195 | | | | | ✔️ |
| www.instagram.com, 157.240.210.174 | | | | | ✔️ |

Table 1 Summary of the results. ✔️ marks a request that succeeded; an empty cell marks one that failed.

HTTP/3 overblocking

The second column of Table 1 shows that all tested websites, except for vk.com were blocked over HTTP/3. The first column shows that only 4 websites (6 endpoints) were blocked over HTTPS. This observation is consistent with reports saying that all foreign websites would be blocked over HTTP/3.

Immediate timeouts

HTTP/3 blocking appears as timeouts during the QUIC handshake. The timeout always occurs during the very first roundtrip, i.e. the client never receives any response from the server and doesn't read a single byte.

quicping works

quicping works in all measured cases, which means that the blocking method is more fine-grained than just blocking UDP endpoints (see the fifth column). Explanation: If the UDP endpoint was blocked, quicping (which only elicits one roundtrip) should also be affected by the blocking, because the blocking of HTTP/3 traffic happens during the very first roundtrip.

So why is quicping not impaired? Most likely, quicping packets pass the filter because they do not have the most commonly used QUIC version (1). Instead, they carry special version strings which are reserved for version negotiation. Supporting this consideration, users in Russia have experienced that HTTP/3 works in some networks when they disabled QUIC version 1 and used QUIC version draft-29 instead.

SNI blocking (?)

We measured all failed endpoints again, this time with the SNI set to vk.com (see the third column). Blocked endpoints remain blocked when using an allowed SNI. In contrast, users from other networks in Russia have reported that blocked hosts become available when using a fake SNI which shows that HTTP/3 blocking varies between ISPs.

Lastly, we used the domain names of the blocked HTTP/3 hosts as SNI in requests to vk.com (see the fourth column). Unexpectedly, vk.com was suddenly unavailable when using one of the following blocked domain names as SNI: navalny.com, www.instagram.com, censor.net, www.facebook.com - which is precisely the set of hosts that are also blocked over HTTPS. This indicates that certain SNIs trigger blocking and that the censor parses the Initial QUIC packet in order to inspect the SNI. However, since using a fake SNI is not enough to evade blocking in Yota's network, there is probably an additional layer of censorship which drops packets to unwanted destination endpoints regardless of the SNI.

QUIC version filter as an indication for DPI

QUIC uses Initial encryption which means that Initial packets in the handshake are already encrypted. While this is better than no encryption, it is only a weak protection because the keys can be derived from the connection IDs and the used QUIC version, so an observer of the connection can decrypt Initial packets.

It's possible that censors in Russia use a shortcut to decrypt and parse QUIC Initials by assuming that most traffic is using QUIC version 1. When they apply the decryption algorithm to a QUIC packet of version draft-29 rather than version 1, the decryption fails. This would explain the observation that draft-29 packets do not trigger the filter and that quicping works.

Blocking scenario

A possible blocking scenario which would explain the above described observations is the following:

Rostelecom, AS12389

Figure 2 (tcp_quic_AS12389_sankey.pdf, panels "HTTPS" and "HTTP/3"): Failure rates of hosts tried over HTTPS vs. HTTP/3. AS12389.
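The "QUIC version filter as an indication for DPI" section above argues that Initial keys are derivable from the Destination Connection ID plus a version-specific salt, so a decryptor hard-wired to version 1 fails on draft-29. The following added example (written for this page, not code from the quic-censorship repository or its measurements) derives those Initial keys with only the Python standard library, checks them against the RFC 9001 Appendix A test vector, and models a filter that always assumes version 1. The modelled filter and the `decryptor_assuming_v1_matches` helper are this example's own constructions.

```python
import hmac
import hashlib
import struct

# Initial salts: QUIC v1 from RFC 9001 section 5.2, draft-29 from draft-ietf-quic-tls-29.
INITIAL_SALTS = {
    0x00000001: bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a"),  # QUIC version 1
    0xFF00001D: bytes.fromhex("afbfec289993d24c9e9786f19c6111e04390a899"),  # draft-29
}

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label as defined in RFC 8446 section 7.1 (TLS 1.3), SHA-256."""
    full_label = b"tls13 " + label.encode("ascii")
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # T(i) = HMAC(secret, T(i-1) || info || i)
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def initial_keys(dcid: bytes, version: int, role: str = "client") -> dict:
    """Derive the Initial packet-protection material an on-path observer can compute
    from nothing but the Destination Connection ID and the version field (RFC 9001 5.2)."""
    initial_secret = hkdf_extract(INITIAL_SALTS[version], dcid)
    role_secret = hkdf_expand_label(initial_secret, f"{role} in", b"", 32)
    return {
        "key": hkdf_expand_label(role_secret, "quic key", b"", 16),  # AEAD key (AES-128-GCM)
        "iv": hkdf_expand_label(role_secret, "quic iv", b"", 12),    # AEAD nonce base
        "hp": hkdf_expand_label(role_secret, "quic hp", b"", 16),    # header-protection key
    }

def decryptor_assuming_v1_matches(dcid: bytes, actual_version: int) -> bool:
    """Hypothetical model of a filter that always applies the v1 salt: it can only
    strip header protection and open the AEAD when its keys equal the sender's."""
    return initial_keys(dcid, 0x00000001) == initial_keys(dcid, actual_version)

if __name__ == "__main__":
    dcid = bytes.fromhex("8394c8f03e515708")  # client DCID from RFC 9001 Appendix A
    for version in INITIAL_SALTS:
        keys = initial_keys(dcid, version)
        print(f"version {version:#010x}: key={keys['key'].hex()} "
              f"v1-keyed filter decrypts: {decryptor_assuming_v1_matches(dcid, version)}")
```

The same DCID yields different keys under the two salts, so a v1-only decryptor cannot strip header protection or open the AEAD of a draft-29 Initial and never reaches the SNI inside it.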

ValdikSS commented 2 years ago

As far as I'm aware, blocking QUIC is/was an attempt to completely block Instagram Android and iOS applications, as Deep Packet Inspection systems were not able to decrypt encrypted SNI inside QUIC payloads.

However, the SKAT DPI system has already implemented QUIC SNI decryption, although that's not very helpful globally since the government-made system still cannot decrypt it and blocks the QUIC protocol entirely (Russia is in the middle of a transition from commercial DPI systems to the government-made TSPU system, and it's very common to have both on ISP links).

bassosimone commented 2 years ago

@ValdikSS thank you for adding extra context! <3