Blocking of Twitter, VKontake, Skype, and others in Uzbekistan

[wkrp]

Частичные и полные блокировки сервисов Twitter, Tik-Tok, ВКонтакте, Skype в Узбекистане
Partial and complete blocking of Twitter, Tik-Tok, VKontakte, Skype in Uzbekistan

On 2021-07-02, a user at NTC reported new blocking of domains twitter.com, vk.com, and skype.com in Uzbekistan (AS8193 Uzbektelekom). The blocking of these domains differs from that of other domains that have been known to be blocked for years (see below). @fortuna had the user run Jigsaw's measure.sh tool to test the new domains.

A summary of the characteristics of the new blocking:

• Blocking is unidirectional: to experience blocking, you need a vantage point inside the country.
  • This is in contrast to other domains, that had already been blocked, which can be tested from outside.
• Blocking is on TLS SNI only, and results in a timeout retrieving the Server Hello.
  • This is in contrast to existing blocked domains that receive an injection of Object not found\r\n for both TLS and HTTP.
  • There is no sign of DNS interference, and plain HTTP requests worked in most cases.

Other domains that had already been blocked

The above observations apply to newly blocked domains including twitter.com, vk.com, and skype.com. @fortuna also looked at Censored Planet data and found a number of other blocked domains whose blocking can, unlike the previously mentioned domains', be measured from outside the country. According to the NTC user, these existing blocks are well-known and have been in place as far back as 2010.

The old domains, whether accessed over HTTP or HTTPS, receive an injected TCP FIN packet with the 20-byte payload Object not found\r\n\r\n. You can easily test these domains yourself using curl, by forcing it to connect to an address in Uzbektelekom. For example, one of the blocked domains is www.jmarshall.com (home of CGIProxy, a long-established circumvention tool):

$ dig +short uztelecom.uz
185.74.5.99

$ curl --connect-to ::185.74.5.99: http://www.jmarshall.com/ -D - --trace -
== Info: Expire in 0 ms for 6 (transfer 0x5560862c8c20)
== Info: Connecting to hostname: 185.74.5.99
== Info:   Trying 185.74.5.99...
== Info: TCP_NODELAY set
== Info: Expire in 200 ms for 4 (transfer 0x5560862c8c20)
== Info: Connected to 185.74.5.99 (185.74.5.99) port 80 (#0)
=> Send header, 81 bytes (0x51)
0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
0010: 48 6f 73 74 3a 20 77 77 77 2e 6a 6d 61 72 73 68 Host: www.jmarsh
0020: 61 6c 6c 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 all.com..User-Ag
0030: 65 6e 74 3a 20 63 75 72 6c 2f 37 2e 36 34 2e 30 ent: curl/7.64.0
0040: 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d ..Accept: */*...
0050: 0a                                              .
<= Recv data, 18 bytes (0x12)
0000: 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 Object not found
0010: 0d 0a                                           ..
<= Recv data, 2 bytes (0x2)
0000: 0d 0a                                           ..
Object not found

== Info: Closing connection 0

See Objec at the beginning of the TLS response:

$ curl --connect-to ::185.74.5.99: https://www.jmarshall.com/ -D - --trace -
== Info: Expire in 0 ms for 6 (transfer 0x565285bfcc20)
== Info: Connecting to hostname: 84.54.113.66
== Info: Connecting to port: 443
== Info:   Trying 84.54.113.66...
== Info: TCP_NODELAY set
== Info: Expire in 200 ms for 4 (transfer 0x565285bfcc20)
== Info: Connected to 84.54.113.66 (84.54.113.66) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info:   CAfile: none
  CApath: /etc/ssl/certs
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 02 00                                  .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: 01 00 01 fc 03 03 49 01 07 89 ea 2e 1b 91 a4 12 ......I.........
0010: 02 72 bc 5f 86 8f f1 f8 0c 7d 18 e0 da fe 0f 03 .r._.....}......
0020: df 7c 76 75 e9 8a 20 a4 7b 38 11 9b dd 77 02 85 .|vu.. .{8...w..
0030: 13 10 05 21 b3 02 d9 89 cd d1 f4 bd 54 d7 c2 f8 ...!........T...
0040: a0 5f 2c 4f 51 83 95 00 3e 13 02 13 03 13 01 c0 ._,OQ...>.......
0050: 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 ,.0.........+./.
0060: 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 ..$.(.k.#.'.g...
0070: 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 ..9.....3.....=.
0080: 3c 00 35 00 2f 00 ff 01 00 01 75 00 00 00 16 00 <.5./.....u.....
0090: 14 00 00 11 77 77 77 2e 6a 6d 61 72 73 68 61 6c ....www.jmarshal
00a0: 6c 2e 63 6f 6d 00 0b 00 04 03 00 01 02 00 0a 00 l.com...........
00b0: 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 33 74 00 .............3t.
00c0: 00 00 10 00 0e 00 0c 02 68 32 08 68 74 74 70 2f ........h2.http/
00d0: 31 2e 31 00 16 00 00 00 17 00 00 00 31 00 00 00 1.1.........1...
00e0: 0d 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 ..0.............
00f0: 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 ................
0100: 01 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 ................
0110: 02 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 ....+...........
0120: 00 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 .-.....3.&.$...
0130: 79 22 96 06 4f 48 93 38 f6 ac a4 e4 73 fc 0b b0 y"..OH.8....s...
0140: ca 17 3d 21 11 db ed fd 4c 14 c5 1d 98 18 14 43 ..=!....L......C
0150: 00 15 00 ac 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
<= Recv SSL data, 5 bytes (0x5)
0000: 4f 62 6a 65 63                                  Objec
== Info: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
== Info: Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

The newly blocked domains unfortunately cannot be tested in this way, apparently. The requests make it all the way to the server in Uzbekistan, which responds as it would to any unknown domain.

In OONI measurements, the Object not found\r\n injection often manifests as a malformed HTTP status code "not" error.