net4people / bbs

Forum for discussing Internet censorship circumvention

Blocking of *.pages.dev in Russia #364

Open nyuuzyou opened 1 month ago

nyuuzyou commented 1 month ago

From 09.05, between 17:52 and 18:53, all websites matching the mask *.pages.dev (Cloudflare Pages) became unavailable on the AS52207 (Er-Telecom) network. According to measurements using RIPE Atlas and GlobalCheck, this problem is observed throughout the country: RIPE Atlas - https://atlas.ripe.net/measurementdetail/71407947

I also checked the history for .workers.dev (Cloudflare workers) and .cloudflarestorage.com (Cloudflare R2), but found no anomalies.

When I finished writing this post, I decided to go to the registry and the situation became a little clearer: an unspecified government agency decided to ban *.pages.dev for "rebellion and fakes". However, I could not find a single site in the registry on the pages.dev subdomain with "fakes".

wkrp commented 1 month ago

Do you think the blocking of pages.dev is related to the apparent use of pages.dev by VPN services in Iran? Maybe the same thing happens in Russia?

Weird SNIs being requested from REALITY server in Iran, possible abuse?

So I wanted to understand whether this specific dest is targeted by the GFW, so I patched xray to log all client IPs who reach the fallback dest.

On both servers, besides the regular security scanning, I see very strange requests with SNIs that resolve to cloudflare, such as:

  • <randomstring>.pages.dev
  • <username>.pages.dev, where <username> is the name of a popular VPN config provider in Iran, and where I found configs from that VPN provider using the same pages.dev domain.
  • other domains that resolve to cloudflare

I found that those requests are not just normal HTTP requests, they are full-blown vless+ws connections, going through REALITY fallback! Based on response size, I think it's only urltest, not a long-lived connection.

REALITY servers in Iran being abused as sort-of SNI proxies

SNIs contain the name of the VPN vendor, and they attempt to exploit case-sensitivity bugs in GFW around SNI (for example mYtElegRamChannelNAME.pages.dev). VLESS-without-TLS (and so, without encryption) is very popular, because it is slightly more performant.
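The two things quoted above (mixed-case SNIs aimed at a case-sensitive matcher, and registry entries written as wildcard masks such as *.pages.dev) can be checked offline against a fallback log. The following is an added example, not code from this thread or from xray: it parses a constructed, hypothetical "client_ip sni" log, folds case the way DNS names require (RFC 4343), and matches each SNI against both exact-host and "*." wildcard masks, reporting which records a case-sensitive matcher would have missed. The log records, the mask list and the host mytelegramchannelname.pages.dev are made up for the example; only the pages.dev and workers.dev suffixes come from the thread.

```python
"""Check SNIs seen at a REALITY fallback against exact and wildcard host masks.

Added example, not code from the thread or from xray. The log format
("client_ip sni", one record per line) and the sample records are constructed.
"""
from collections import Counter

# Constructed sample log (hypothetical format, not xray's real output).
SAMPLE_LOG = """\
203.0.113.10 mYtElegRamChannelNAME.pages.dev
203.0.113.10 abc123xyz.pages.dev
198.51.100.7 example.com
198.51.100.7 Foo.Workers.dev
192.0.2.5 pages.dev
192.0.2.5 notpages.dev
"""

# Hypothetical blocklist: one exact host (the kind of entry a mixed-case SNI is
# meant to slip past) and two wildcard masks in the registry's "*.suffix" style.
BLOCKED_MASKS = [
    "mytelegramchannelname.pages.dev",
    "*.pages.dev",
    "*.workers.dev",
]


def normalize_host(host, fold_case=True):
    """Trim whitespace and a trailing dot; fold case unless asked not to.

    DNS names are case-insensitive (RFC 4343), so a matcher that skips
    the fold can be evaded with mYtElegRamChannelNAME-style SNIs.
    """
    host = host.strip().rstrip(".")
    return host.lower() if fold_case else host


def host_matches_mask(host, mask, fold_case=True):
    """True if host is covered by mask ("example.com" or "*.example.com").

    A "*." mask covers any subdomain but not the apex itself, and
    "notpages.dev" must not match "*.pages.dev" (the suffix keeps its dot).
    """
    host = normalize_host(host, fold_case)
    mask = normalize_host(mask, fold_case)
    if mask.startswith("*."):
        suffix = mask[1:]  # "*.pages.dev" -> ".pages.dev"
        return host.endswith(suffix)
    return host == mask


def parse_log(text):
    """Yield (client_ip, sni) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1]


def classify(text, masks=BLOCKED_MASKS):
    """Annotate each record with the masks it hits and whether the SNI is mixed-case."""
    results = []
    for ip, sni in parse_log(text):
        results.append({
            "client_ip": ip,
            "sni": sni,
            "mixed_case": sni != sni.lower(),
            "matched": [m for m in masks if host_matches_mask(sni, m)],
            # What a case-sensitive matcher would have reported for the same SNI.
            "matched_case_sensitive": [
                m for m in masks if host_matches_mask(sni, m, fold_case=False)
            ],
        })
    return results


def summarize(results):
    """Hit counts per mask plus how many records only matched after case folding."""
    by_mask = Counter(m for r in results for m in r["matched"])
    evasions = sum(1 for r in results if r["matched"] != r["matched_case_sensitive"])
    return {"total": len(results), "by_mask": dict(by_mask), "case_evasions": evasions}


if __name__ == "__main__":
    rows = classify(SAMPLE_LOG)
    for row in rows:
        print(row["client_ip"], row["sni"], row["matched"], "mixed_case" if row["mixed_case"] else "")
    print(summarize(rows))
```

The "case_evasions" count is the figure worth watching on a real fallback log: every record where the folded and unfolded matchers disagree is an SNI that a case-sensitive blocklist lookup would have let through.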

nyuuzyou commented 1 month ago

I doubt it, but right now it's the only theory that seems real to me.

mmmray commented 1 month ago

When testing with the methods found in #80, it seems workers.dev and pages.dev are also blocked in TKM, so it's not just Iran. I feel that it is reasonable to assume that proxies are the reason; after all, Cloudflare Workers are a documented method in xray to bypass the GFW. I am only a bit surprised that they tolerate this amount of collateral damage, given that they just started blocking vmess.

nyuuzyou commented 1 month ago

https://atlas.ripe.net/measurementdetail/71581413

I can confirm the blocking of *.workers.dev in Russia, but there are no records related to workers.dev in the RKN list.