There are some anomalies in OONI Tor Snowflake tests from various ASes in Russia since earlier this year. The suddenness of the failures makes it look like Snowflake has been blocked.
They block the incoming ClientHello generated by pion/dtls within a WebRTC session (identified by the Binding Request).
In WebRTC the ClientHello is always incoming, and there are fewer browser proxies than standalone ones. That is why the tests show an error more often, while in practice it may work; it depends on the NAT type (detection errors).
The OONI tests have a peculiarity: for some time they used an old version of snowflake (with HelloVerify) that the new rule no longer blocked (tests from 03/23), but at the same time the TSPU update could have stalled somewhere. So the overall picture is unclear.
Thank you, I wasn’t aware it was so out of date. I will follow up with OONI about the version of Snowflake and try to get it updated.
2023-09-11T18:24:01.175Z
LeonMskRu(Leon MskRu)
2023/09/11 15:56:24 Warning: NAT checking failed for server at stun.l.google.com:19302: NAT discovery feature not supported: attribute not found
2023/09/11 15:56:25 NAT Type: unrestricted
2023/09/11 16:09:33 Warning: NAT checking failed for server at stun.dus.net:3478: NAT discovery feature not supported: attribute not found
2023/09/11 16:09:33 NAT Type: unrestricted
2023/09/11 16:09:43 NAT Type: unrestricted
2023/09/11 16:09:43 Warning: NAT checking failed for server at stun.antisip.com:3478: Error retrieveing server response: timed out waiting for response
2023/09/11 16:09:43 Warning: NAT checking failed for server at stun.voys.nl:3478: NAT discovery feature not supported: attribute not found
2023/09/11 16:09:43 NAT Type: unrestricted
Rostelecom with their router and PPPoE
2023-09-11T18:25:15.818Z
welazsc
I see.
It was “outdated” in March/April 2023 (while snowflake was updated in Feb)
I didn’t follow code changes since then.
2023-09-11T18:48:44.758Z
cohosh
I took a look at some of the recent anomalies, and it does look like they were the result of an out-of-date probe-engine (v 3.16.5) that did not yet have the HelloVerify fix. The current version of OONI does have this fix, but there are many clients that have not updated to newer versions.
I was following up on a tip that Snowflake was being blocked by DTLS fingerprint but it’s possible this was just based on OONI test results. I haven’t seen any direct reports of recent blocking since the HelloVerify fix.
2023-09-11T18:51:04.271Z
welazsc
The ratio of (presumably) working proxies to blocked ones is 1:10
2023-09-11T18:58:00.733Z
cohosh
I see, I wasn’t aware that some proxies were being blocked still. Do you have packet captures of the DTLS handshake for blocked proxies? If it is due to the differences between browser proxies and standalone proxies, we should be able to fix that.
2023-09-11T19:01:37.724Z
welazsc
del
2023-09-11T19:06:03.699Z
welazsc
The DTLS role in Pion is chosen in an even more complicated way
That is, in effect the ClientHello from the proxy is fixed
2023-09-11T19:47:06.331Z
welazsc
There is also this bug for proxies
If many blocked proxies are falsely restricted, they are the ones that will connect to an unrestricted client more often. The chance of picking a working proxy will increase as the number of falsely restricted ones decreases.
2023-09-11T20:26:03.101Z
LeonMskRu(Leon MskRu)
C:\TOR\_arti\_target_release>connection-checker.exe --snowflake-path snowflake-client-2.6.1.exe
Testing Snowflake Tor connection...
Node: [ .4:80 via snowflake ed25519:tO9nYvNCAdAh9lPoEEv2pZ9BJq+YzmPAMY6pxoFrLuk $8838024498816a039fcbbab14e6f40a0843051fa]
Node: [ .194:9001+ ed25519:ZSKs1RfmtYhKXlxP24AZhJdmyZFFLNMKRkX0vrUSBXM $6e1cedc61f3707c549b88fb9380e4a750621fcb8]
Node: [ .202:9002+ ed25519:Ac+cEMHL0bwEq5UgB2cPO352OyDbPuVsd2eDZ0JVdPI $1a1eb9bcd6ba1d9bad65d6909fd127663c107bf1]
Snowflake Tor connection successful!
2.6.0 doesn't work on the same ARTI build + ISP
2023-09-13T12:59:22.560Z
welazsc
Were the checks done at different points in time? Run a series with the two versions in random order.
2023-09-13T14:32:27.780Z
LeonMskRu(Leon MskRu)
At different times. “Simultaneously”
As soon as I saw snowflake 2.6.1 I built it + tried it both ways == so far only 2.6.1 works
Testing Snowflake Tor connection...
error: tor: error connecting to Tor: Failed to obtain exit circuit for ports [scrubbed]: Tried to find or build a circuit 5 times, but all attempts failed
Attempt 1: Unable to select a guard relay: No usable guards. Rejected 20/21 as down, then 0/1 as pending, then 1/1 as unsuitable to purpose, then 0/0 with filter.
Attempt 2: Problem opening a channel to [scrubbed]: Channel for [scrubbed] timed out
Attempt 3: Circuit we were waiting for failed to complete: Problem opening a channel to [scrubbed]: Channel for [scrubbed] timed out
Attempt 4: Unable to select a guard relay: No usable guards. Rejected 21/21 as down, then 0/0 as pending, then 0/0 as unsuitable to purpose, then 0/0 with filter.
Attempt 5: Spent too long trying to construct circuits for this request
Snowflake Tor connection FAILED
2023-09-13T14:42:51Z WARN tor_guardmgr::guard: Could not connect to guard [192.0.2.4:80 via snowflake ed25519:tO9nYvNCAdAh9lPoEEv2pZ9BJq+YzmPAMY6pxoFrLuk $8838024498816a039fcbbab14e6f40a0843051fa]. We'll retry later, and let you know if it succeeds.
2023-09-13T14:42:52Z INFO tor_ptmgr::ipc::sealed: [pt snowflake-client] offer created
2023-09-13T14:42:52Z INFO tor_ptmgr::ipc::sealed: [pt snowflake-client] trying a new proxy: timeout waiting for DataChannel.OnOpen
2023-09-13T14:42:52Z INFO tor_ptmgr::ipc::sealed: [pt snowflake-client] trying a new proxy: timeout waiting for DataChannel.OnOpen
2023-09-13T14:42:52Z INFO tor_ptmgr::ipc::sealed: [pt snowflake-client] broker rendezvous peer received
2023-09-13T14:43:02Z INFO tor_ptmgr::ipc::sealed: [pt snowflake-client] offer created
2023-09-13T14:43:02Z INFO tor_ptmgr::ipc::sealed: [pt snowflake-client] trying a new proxy: timeout waiting for DataChannel.OnOpen
2023-09-13T14:43:02Z INFO tor_ptmgr::ipc::sealed: [pt snowflake-client] broker rendezvous peer received
2023-09-13T14:43:12Z INFO tor_ptmgr::ipc::sealed: [pt snowflake-client] trying a new proxy: timeout waiting for DataChannel.OnOpen
2023-09-13T14:39:47.336Z
welazsc
There is a regression in 2.6.1: the client sends Hello Verify Request again. But that is not why it works. The current rule blocks earlier, if it is capable of waiting for DTLS. Something else is broken there. What does 2.6.1 report about your NAT?
2023-09-13T20:29:57.197Z
LeonMskRu(Leon MskRu)
A mistake crept in here. I have several ARTI builds
works == it connects and websites open.
using runtime: Tokio Rustls Runtime { … }
optional features: static-sqlite
sort of “works” == judging by the logs it connects to snowflake, but curl gives either a timeout or other errors
using runtime: Tokio NativeTls Runtime { … }
optional features: static-sqlite, static-native-tls
2.6.1 + rustls == websites open through Tor
2023/09/13 20:37:02 Warning: NAT checking failed for server at stun.sonetel.com:3478: Error retrieveing server response: timed out waiting for response
2023/09/13 20:37:12 Warning: NAT checking failed for server at stun.altar.com.pl:3478: Error completing roundtrip map test: timed out waiting for response
2023/09/13 20:37:12 NAT Type: unrestricted
2023/09/13 20:37:22 Warning: NAT checking failed for server at stun.l.google.com:19302: NAT discovery feature not supported: attribute not found
2023/09/13 20:37:22 Warning: NAT checking failed for server at stun.sonetel.net:3478: Error retrieveing server response: timed out waiting for response
2023/09/13 20:37:23 NAT Type: unrestricted
2.6.1 + native-tls (windows10) sometimes reports that it supposedly finds bridges, but websites do not work through ARTI
2023/09/13 20:44:26 NAT Type: unrestricted
2023/09/13 20:44:26 NAT Type: unrestricted
2023/09/13 20:44:36 Warning: NAT checking failed for server at stun.dus.net:3478: NAT discovery feature not supported: attribute not found
2023/09/13 20:44:36 Warning: NAT checking failed for server at stun.voys.nl:3478: NAT discovery feature not supported: attribute not found
2023/09/13 20:44:36 NAT Type: unrestricted
2023/09/13 20:44:37 NAT Type: unrestricted
2023/09/13 20:44:46 NAT Type: unrestricted
2023/09/13 20:44:56 Warning: NAT checking failed for server at stun.l.google.com:19302: NAT discovery feature not supported: attribute not found
2023/09/13 20:45:06 Warning: NAT checking failed for server at stun.voipgate.com:3478: Error retrieveing server response: timed out waiting for response
2023/09/13 20:45:06 NAT Type: unrestricted
2023-09-13T20:42:11.609Z
welazsc
The three most recent known blocking rules (final condition)
Feb, Hello Verify Request (in both directions?)
Mar, Server Hello (outgoing)
May, Client Hello (incoming)
You can check which rule is being applied (unless it is a new one or a cross-border hybrid) by watching your own UDP traffic in Wireshark.
Take 2.6.0 and watch. If a Client Hello arrived (137 bytes, this is important), it is most likely NOT variant 3, or it is a blocker error; it is better to observe for longer. If the connection with the peer is stuck on sent and received Binding Request and Binding Success Response, it is variant 3. If you see many (more than three) sent Server Hello messages, it is variant 2. Variant 1 does not occur in 2.6.0.
Peers can fail on their own and resemble variant 3. This is diagnosed by long observation that reveals repeating scenarios.
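As an added example (not part of the thread and not code from the Snowflake project), the decision procedure in the post above can be run over UDP payloads exported from a capture, one list per peer. The function names and the sample payloads are constructed for illustration, and the 137-byte figure is assumed to be the UDP payload length of the ClientHello.

```python
import struct
from collections import Counter

STUN_MAGIC = 0x2112A442  # RFC 5389 magic cookie
STUN = {0x0001: "binding_request", 0x0101: "binding_success"}
DTLS_HS = {1: "client_hello", 2: "server_hello", 3: "hello_verify_request"}

def classify(p: bytes) -> str:
    """Label one UDP payload as a STUN or plaintext DTLS handshake message."""
    if len(p) >= 20 and p[0] < 0x40:  # STUN: top two bits of first byte are zero
        mtype, _, magic = struct.unpack("!HHI", p[:8])
        if magic == STUN_MAGIC:
            return STUN.get(mtype, "other")
    # DTLS record header is 13 bytes: type 22 = handshake, epoch 0 = unencrypted
    if len(p) >= 14 and p[0] == 22 and p[1] == 0xFE and p[3:5] == b"\x00\x00":
        return DTLS_HS.get(p[13], "other")
    return "other"

def diagnose_peer(packets, ch_len=137):
    """packets: [(direction, payload)] for one peer; direction is 'in' or 'out'.
    ch_len is assumed to be the UDP payload length of the expected ClientHello."""
    seen = Counter((d, classify(p)) for d, p in packets)
    got_ch = any(d == "in" and classify(p) == "client_hello" and len(p) == ch_len
                 for d, p in packets)
    if seen["out", "server_hello"] > 3:
        return "variant2"            # more than three Server Hello sent
    if got_ch:
        return "not_variant3"        # the expected inbound Client Hello arrived
    stun_both_ways = all(seen[d, k] for d in ("in", "out")
                         for k in ("binding_request", "binding_success"))
    if stun_both_ways and not any(k in DTLS_HS.values() for _, k in seen):
        return "variant3_candidate"  # stuck on STUN; a failing peer looks the same
    return "inconclusive"

def summarize(sessions):
    """Count verdicts over many peers; only a repeating pattern is meaningful."""
    return Counter(diagnose_peer(s) for s in sessions)

# Constructed sample payloads (headers only, bodies zero-filled), not real captures.
def stun(mtype):
    return struct.pack("!HHI", mtype, 0, STUN_MAGIC) + bytes(12)
def dtls(hs, size):
    return bytes([22, 0xFE, 0xFD, 0, 0]) + bytes(8) + bytes([hs]) + bytes(size - 14)

ICE = [("out", stun(1)), ("in", stun(0x0101)), ("in", stun(1)), ("out", stun(0x0101))]
STUCK = ICE * 3
SH_LOOP = ICE + [("in", dtls(1, 137))] + [("out", dtls(2, 90))] * 5
HEALTHY = ICE + [("in", dtls(1, 137)), ("out", dtls(2, 90))]
```

A single `variant3_candidate` verdict says little; feed `summarize` the sessions from a long observation and look for the same verdict repeating across peers.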
2023-09-15T21:21:12.595Z
welazsc
The stable version of the browser (12.5.4) ships snowflake version 2.5.1. You need to start from there.
Your logs contain a WebRTC session timeout.
There are no differences between 2.6.0 and 2.6.1 in the STUN and DTLS packets. Both send Hello Verify Request, and the Server Hello messages are identical.
2023-09-16T14:21:58.541Z
LeonMskRu(Leon MskRu)
arti with both native-tls (windows10) and rustls currently connects on RT/Kaluga
through all the clients I have: 2.5.1 / 2.6.0 / 2.6.1
although, according to the tests, websites open through rustls, whereas native-tls still often complains about a timeout
tor.exe with 2.6.1 is still trying to connect…
Sep 16 19:54:22.000 [notice] Bootstrapped 25% (requesting_status): Asking for networkstatus consens»
Sep 16 19:54:22.000 [notice] new bridge descriptor 'crusty7' (fresh): $8838024498816A039FCBBAB14E6F»
Sep 16 19:54:22.000 [notice] Bootstrapped 45% (requesting_descriptors): Asking for relay descriptors
Sep 16 19:54:22.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Sep 16 19:54:22.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Sep 16 19:54:22.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Sep 16 19:54:22.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Sep 16 19:54:22.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Sep 16 19:54:22.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Sep 16 19:54:22.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Sep 16 19:54:22.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Sep 16 19:54:22.000 [notice] Bootstrapped 54% (loading_descriptors): Loading relay descriptors
Sep 16 19:54:25.000 [notice] Managed proxy "C:\Tor\client.exe": offer created
Sep 16 19:54:25.000 [notice] Managed proxy "C:\Tor\client.exe": broker rendezvous peer received
Sep 16 19:54:26.000 [notice] Managed proxy "C:\Tor\client.exe": connected
Sep 16 19:54:27.000 [notice] new bridge descriptor 'flakey8' (fresh): $2B280B23E1107BB62ABFC40DDCC8»
Sep 16 19:54:50.000 [notice] Managed proxy "C:\Tor\client.exe": trying a new proxy: no messages rec»
Sep 16 19:55:00.000 [notice] Managed proxy "C:\Tor\client.exe": offer created
Sep 16 19:55:05.000 [notice] Managed proxy "C:\Tor\client.exe": broker rendezvous peer received
Sep 16 19:55:15.000 [notice] Managed proxy "C:\Tor\client.exe": trying a new proxy: timeout waiting»
Sep 16 19:55:15.000 [notice] Managed proxy "C:\Tor\client.exe": offer created
Sep 16 19:55:15.000 [notice] Managed proxy "C:\Tor\client.exe": broker rendezvous peer received
Sep 16 19:55:16.000 [notice] Managed proxy "C:\Tor\client.exe": connected
Sep 16 19:55:43.000 [notice] Managed proxy "C:\Tor\client.exe": trying a new proxy: no messages rec»
Sep 16 19:55:45.000 [notice] Managed proxy "C:\Tor\client.exe": offer created
Sep 16 19:55:55.000 [notice] Managed proxy "C:\Tor\client.exe": broker failure timed out waiting fo»
Sep 16 19:55:56.000 [notice] Managed proxy "C:\Tor\client.exe": offer created
Sep 16 19:55:57.000 [notice] Managed proxy "C:\Tor\client.exe": broker rendezvous peer received
Sep 16 19:56:00.000 [notice] Managed proxy "C:\Tor\client.exe": connected
Sep 16 19:56:28.000 [notice] Bootstrapped 60% (loading_descriptors): Loading relay descriptors
Sep 16 19:56:33.000 [notice] No circuits are opened. Relaxed timeout for circuit 4 (a General-purpo»
Sep 16 19:56:35.000 [notice] Bootstrapped 66% (loading_descriptors): Loading relay descriptors
Sep 16 20:01:08.000 [warn] Bad element "$367D0FAA87" while parsing a node family.
Sep 16 20:01:08.000 [warn] Bad element "$F852A2A2EE6EA00BDE63893AE9B8E85C23F728" while parsing a no»
Sep 16 20:01:08.000 [notice] Bootstrapped 72% (loading_descriptors): Loading relay descriptors
Sep 16 20:01:08.000 [warn] Bad element "$62823CA61A9C5282" while parsing a node family.
Sep 16 20:01:08.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to bui»
Sep 16 20:01:08.000 [warn] parse error: Malformed object: missing object end line
Sep 16 20:01:08.000 [warn] Unparseable microdescriptor found in download or generated string
Sep 16 20:01:09.000 [warn] Bad element "$EE2ABD66DDF85DA2" while parsing a node family.
Sep 16 20:01:09.000 [notice] Bootstrapped 76% (ap_conn_pt): Connecting to pluggable transport to bu»
Sep 16 20:01:09.000 [notice] Bootstrapped 77% (ap_conn_done_pt): Connected to pluggable transport t»
Sep 16 20:01:09.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
Sep 16 20:01:09.000 [notice] Managed proxy "C:\Tor\client.exe": offer created
Sep 16 20:01:10.000 [notice] Managed proxy "C:\Tor\client.exe": broker rendezvous peer received
Sep 16 20:01:10.000 [notice] Managed proxy "C:\Tor\client.exe": connected
Sep 16 20:01:11.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay »
Sep 16 20:01:11.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Sep 16 20:01:12.000 [notice] Bootstrapped 100% (done): Done
2023/09/16 16:54:19 Warning: NAT checking failed for server at stun.dus.net:3478: NAT discovery feature not supported: attribute not found
2023/09/16 16:54:20 NAT Type: unrestricted
2023/09/16 16:54:30 Warning: NAT checking failed for server at stun.altar.com.pl:3478: Error completing roundtrip map test: timed out waiting for response
2023/09/16 16:54:40 Warning: NAT checking failed for server at stun.stunprotocol.org:3478: Error completing roundtrip map test: timed out waiting for response
2023/09/16 16:54:40 NAT Type: unrestricted
2023/09/16 17:01:09 Warning: NAT checking failed for server at stun.dus.net:3478: NAT discovery feature not supported: attribute not found
2023/09/16 17:01:19 Warning: NAT checking failed for server at stun.antisip.com:3478: Error retrieveing server response: timed out waiting for response
2023/09/16 17:01:19 NAT Type: unrestricted