On 2022-12-07, the Governor of the state of Texas, Greg Abbott, ordered that TikTok be blocked by state agencies (archive). On 2023-01-17, the University of Texas at Austin blocked TikTok (archive) on its wired and wireless networks. Some colleagues and I had the opportunity to visit the UT Austin campus, get on the guest wi-fi, and run a few simple network tests to see how the blocking is being done. These tests were done on 2023-01-25.
Summary:
There is no IP address blocking or DNS tampering.
The trigger for blocking is a TikTok-related domain name in an HTTP Host header or TLS SNI.
At least the following domain names are affected: tiktok.com, tiktokcdn.com, tiktokcdn-us.com, tiktokv.com.
Domain names are matched using a simple unanchored substring match. The tiktok.com rule catches not only www.tiktok.com, but even names like aaatiktok.com and tiktok.com.example.
Blocking works by dropping packets in the client→server direction. Packets in the server→client direction are not blocked.
The tests started with opening https://www.tiktok.com/ in a web browser, which resulted in a timeout. The TikTok mobile app would run, but not fetch new posts.
An OONI Web Connectivity measurement showed a timeout immediately after writing the TLS client hello, which is typical of SNI-based blocking:
Manual DNS resolution of www.tiktok.com resulted in IP addresses in the network ranges 96.17.166.0/24 (Akamai) and 13.249.59.0/24 (AWS). An ICMP echo (ping www.tiktok.com) test worked, with 5–10 ms round-trip time.
We tried manual HTTP tests, using netcat, to an IP address of www.tiktok.com, with different Host headers. With no Host, the response was 400 Bad Request; with Host: example.com, it was 503 Service Unavailable; and with Host: www.tiktok.com there was a delay of about 15 s, then a 408 Request Timeout. The output samples below are later recreations, because we didn't properly save the output the first time.
$ ncat -v www.tiktok.com 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 96.17.166.83:80.
GET / HTTP/1.0
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 209
Expires: Fri, 27 Jan 2023 04:08:33 GMT
Date: Fri, 27 Jan 2023 04:08:33 GMT
Connection: close
<HTML><HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD><BODY>
<H1>Invalid URL</H1>
The requested URL "[no URL]", is invalid.<p>
Reference #9.3f8fd017.1674792513.1ee29fd4
</BODY></HTML>
$ ncat -v www.tiktok.com 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 96.17.166.83:80.
GET / HTTP/1.0
Host: example.com
HTTP/1.0 503 Service Unavailable
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 269
Expires: Fri, 27 Jan 2023 04:12:32 GMT
Date: Fri, 27 Jan 2023 04:12:32 GMT
Connection: close
<HTML><HEAD>
<TITLE>Service Unavailable</TITLE>
</HEAD><BODY>
<H1>Service Unavailable - DNS failure</H1>
The server is temporarily unable to service your request. Please try again
later.<P>
Reference #11.578fd017.1674792752.354e7be5
</BODY></HTML>
$ ncat -v www.tiktok.com 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 96.17.166.83:80.
GET / HTTP/1.0
Host: www.tiktok.com
HTTP/1.0 408 Request Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Date: Fri, 27 Jan 2023 04:14:44 GMT
Content-Type: text/html
Content-Length: 218
Expires: Fri, 27 Jan 2023 04:14:44 GMT
<HTML><HEAD>
<TITLE>Request Timeout</TITLE>
</HEAD><BODY>
<H1>Request Timeout</H1>
The server timed out while waiting for the browser's request.<P>
Reference #2.378fd017.1674792884.0
</BODY></HTML>
The fact that the last test still received a server response shows that the TCP connection was not terminated, and that server→client packets were still permitted after blocking.
$ ncat -v www.tiktok.com 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 96.17.166.83:80.
GET / HTTP/1.0
Host:
www.tiktok.com
HTTP/1.0 408 Request Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Date: Fri, 27 Jan 2023 04:14:44 GMT
Content-Type: text/html
Content-Length: 218
Expires: Fri, 27 Jan 2023 04:14:44 GMT
<HTML><HEAD>
<TITLE>Request Timeout</TITLE>
</HEAD><BODY>
<H1>Request Timeout</H1>
The server timed out while waiting for the browser's request.<P>
Reference #2.378fd017.1674792884.0
</BODY></HTML>
Tests using curl were consistent with the netcat tests. Requests for www.tiktok.com timed out, while other domain names sent to the same IP address resulted in an immediate 503 response (HTTP) or TLS certificate error (HTTPS).
We tested a variety of domain names using curl. This showed that all domain names with tiktok.com anywhere in the string were blocked, even if not separated by a dot character. Some other TikTok-related domains besides tiktok.com were also blocked, but some others once tested by OONI, like byteoversea.com, were not blocked.
| domain | result |
|---|---|
| tiktok.com | BLOCKED |
| www.tiktok.com | BLOCKED |
| m.tiktok.com | BLOCKED |
| aaa.tiktok.com | BLOCKED |
| tiktok.com.aaa | BLOCKED |
| aaa.tiktok.com.aaa | BLOCKED |
| aaatiktok.com | BLOCKED |
| tiktok.comaaa | BLOCKED |
| aaatiktok.comaaa | BLOCKED |
| tiktokcdn.com | BLOCKED |
| tiktokcdn-us.com | BLOCKED |
| tiktokv.com | BLOCKED |
| aaatiktokaaa | not blocked |
| aaatiktokcdnaaa | not blocked |
| aaatiktokcdn-usaaa | not blocked |
| tiktokxcom | not blocked |
| vmweb-va.byteoversea.com | not blocked |
| sf16-short-va.bytedapm.com | not blocked |
| sf16-secsdk.ttwstatic.com | not blocked |
The unanchored substring match is obviously a mistake by the firewall administrators, reminiscent of the "t.co" gaffe in 2021 in Russia. The .com part is necessary, though. The negative test result for tiktokxcom shows that the dot in their tiktok.com rule is not being treated as a regular expression wildcard, at least.
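The reasoning above can be checked mechanically. The following Python is an added example, not part of the original post: it tests three candidate rule semantics against the curl results in the table and reports which one is consistent with every observation. The function names are hypothetical, and the rule set is assumed to be exactly the four names listed in the summary.

```python
import re

# Assumption: the firewall's rule set is the four names from the summary.
RULES = ["tiktok.com", "tiktokcdn.com", "tiktokcdn-us.com", "tiktokv.com"]

# The curl results from the table: name -> True if BLOCKED.
OBSERVED = {
    "tiktok.com": True, "www.tiktok.com": True, "m.tiktok.com": True,
    "aaa.tiktok.com": True, "tiktok.com.aaa": True, "aaa.tiktok.com.aaa": True,
    "aaatiktok.com": True, "tiktok.comaaa": True, "aaatiktok.comaaa": True,
    "tiktokcdn.com": True, "tiktokcdn-us.com": True, "tiktokv.com": True,
    "aaatiktokaaa": False, "aaatiktokcdnaaa": False, "aaatiktokcdn-usaaa": False,
    "tiktokxcom": False, "vmweb-va.byteoversea.com": False,
    "sf16-short-va.bytedapm.com": False, "sf16-secsdk.ttwstatic.com": False,
}

def substring(name):
    """Literal, unanchored substring match."""
    return any(r in name for r in RULES)

def regex_unescaped(name):
    """Unanchored regex search where '.' is left as a wildcard."""
    return any(re.search(r, name) for r in RULES)

def anchored_suffix(name):
    """Match the listed domain itself or a true subdomain of it."""
    name = name.lower().rstrip(".")
    return any(name == r or name.endswith("." + r) for r in RULES)

MATCHERS = {"substring": substring, "regex_unescaped": regex_unescaped,
            "anchored_suffix": anchored_suffix}

def disagreements(matcher):
    """Names where the matcher's verdict differs from the observed result."""
    return sorted(n for n, blocked in OBSERVED.items() if matcher(n) != blocked)

def consistent_hypotheses():
    """Rule semantics that reproduce every row of the table."""
    return [label for label, m in MATCHERS.items() if not disagreements(m)]

if __name__ == "__main__":
    for label, m in MATCHERS.items():
        print(f"{label:16} disagrees on: {disagreements(m)}")
```

The names on which `anchored_suffix` disagrees with the table are exactly the overblocked ones: a rule anchored on label boundaries would not have matched them.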
We additionally tried obfuscating the Host header by splitting the value onto a different line. That was also blocked by the firewall.