As we all can see, the situation with Internet freedom in Russia is deteriorating: what was unimaginable yesterday is already a laughing matter today.
The stick has already gone half a meter into the router, creating a restriction, but there is still that same half meter to go before the shutdown button.
In this post I will try to describe objectively, from a technical point of view, the different scenarios and their consequences after the introduction of the Great Russian Firewall.
Blocking methods
There are not that many ways to block traffic, and as you might guess, to block something you first need to decide what exactly is being blocked.
The methods can be:
- ACL: based on Ports / IP addresses
- DPI: based on traffic type
- Whitelists
Let's consider each of them.
ACL
In the first case (ACL), access is usually restricted with blacklist policies (everything that is not prohibited is allowed). What can be blocked this way:
- Application ports (for example, blocking all traffic to every port except 80 and 443). There is a loophole here: any traffic can be tunnelled through the permitted ports, even torrents, not to mention Tor, and nobody can stop that with this type of blocking.
- More flexible variants are possible, for example blocking the external IP addresses of resources that refuse to cooperate (this applies both to websites and to any other network resource).
How to get around it? Connect through an allowed port to an allowed IP address and transfer whatever data you need.
DPI
DPI is a genuinely scary thing: it is scary because it can identify traffic and then tag it or route it to a specific interface depending on policy.
The main thing to keep in mind is that DPI itself does not block anything; it only classifies traffic. DPI can classify traffic by:
- Ports
- Source / destination address (for example, if Skype always authenticates against 10 servers with 10 IP addresses)
- Signatures
- Forward connection
Classification by signatures works as follows. Any company that sells DPI usually provides support for its equipment, and that support includes keeping the signature database up to date.
In other words, even if BitTorrent, Bitcoin, Litecoin and Twister run (in turn) on the same port, talk to the same node and use the DHT network (the technologies are all the same), DPI can still determine when and which of that traffic is yours, based on packet analysis all the way up to the last layer of the OSI model.
Support from the main DPI vendors usually works on the 10% principle: as soon as traffic that the DPI cannot classify appears on the operator's network and reaches 10% or more, that traffic is sent to the vendor for analysis, which produces a signature that allows it to be identified.
This method of traffic analysis can be defeated by changing the protocol dynamically on the fly; few programs can boast of this (Tor and I2P, to an extent). In other words, as soon as the application notices that its traffic does not get through (or simply after N minutes), the packet generation algorithm changes, which prevents the traffic from being identified.
How to get around it? If there are many algorithms, or infinitely many, especially without an obvious pattern, DPI vendors will not analyze such traffic, because they would have to develop infinitely many rules that must all be kept loaded in the device's memory, which is either not economically justified or simply impossible.
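As an added illustration (not code from the original post), here is a toy classifier built on the DPI inputs listed above: it checks payload signatures first, then the peer address, then the port, and reports the share of traffic it could not classify, the quantity behind the 10% principle. The BitTorrent and Bitcoin fingerprints are real protocol constants; the port and address rules and the sample packets are constructed for the example.

```python
# Toy DPI classifier (added example). Port, peer address and payload signature
# are the three passive inputs; unclassified traffic is counted for the 10% rule.
from collections import Counter
from dataclasses import dataclass

# Real protocol fingerprints: a BitTorrent handshake starts with 0x13 followed
# by "BitTorrent protocol"; Bitcoin mainnet messages start with magic f9 be b4 d9.
SIGNATURES = {
    "bittorrent": b"\x13BitTorrent protocol",
    "bitcoin": b"\xf9\xbe\xb4\xd9",
}
# Constructed port- and address-based rules (the Skype-style address is made up).
PORT_RULES = {80: "http", 443: "tls"}
PEER_RULES = {"198.51.100.10": "skype-login"}

@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes

def classify(pkt: Packet) -> str:
    """Signature first, then peer address, then port, else 'unknown'."""
    for name, sig in SIGNATURES.items():
        if pkt.payload.startswith(sig):
            return name                     # payload wins over port and IP
    if pkt.dst_ip in PEER_RULES:
        return PEER_RULES[pkt.dst_ip]
    return PORT_RULES.get(pkt.dst_port, "unknown")

def unknown_share(packets) -> float:
    """Fraction of packets the DPI could not classify (the '10% principle')."""
    counts = Counter(classify(p) for p in packets)
    return counts["unknown"] / len(packets) if packets else 0.0

# Constructed sample traffic (addresses from documentation ranges).
SAMPLE = [
    Packet("203.0.113.5", 443, b"\x13BitTorrent protocol" + b"\x00" * 8),  # torrent hiding on 443
    Packet("203.0.113.6", 8333, b"\xf9\xbe\xb4\xd9version"),              # bitcoin
    Packet("198.51.100.10", 443, b"\x16\x03\x01"),                         # TLS to the known login server
    Packet("203.0.113.7", 80, b"GET / HTTP/1.1\r\n"),                      # plain http
    Packet("203.0.113.8", 4444, b"\x00\x00\x00\x01\x1b"),                  # nothing matches
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.dst_ip, p.dst_port, "->", classify(p))
    print("unknown share:", unknown_share(SAMPLE))
```

The first packet is the point of the post's argument: the port says TLS, but the signature says torrent, and the signature wins.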
A forward connection is a method that is very popular in China and works as follows: when you make a GET request, say to yandex.ru, the DPI intercepts it and makes the same request itself (yours is put on hold, or its destination IP is rewritten to the DPI's address); the response is analyzed, and blacklist or whitelist policies are applied depending on how the dictator's equipment is configured.
How to get around it? Practically no way, only very serious steganography (and only if blacklists are used).
Whitelists
I want to put the whitelisting policy in a separate item for one simple reason: with whitelisting, everything that is not allowed is prohibited.
In other words, once whitelists are introduced, whatever restriction method is used, you can block absolutely everything you want.
For example, you can block all IP addresses except those of Channel One, NTV and Russian Post, and allow only port 80.
With such an ACL, all other connections are cut off immediately, and it is impossible to bypass this blocking with any kind of encryption.
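To make the difference between the ACL section's blacklist (everything not prohibited is allowed) and this whitelist concrete, here is an added example, not from the original post: a first-match ACL evaluator run over the same constructed flows under both policies. The three whitelisted addresses are placeholders from documentation ranges, not the real addresses of those organizations.

```python
# Added example: minimal first-match ACL evaluator showing why a blacklist
# leaks tunnelled traffic while a whitelist drops it regardless of encryption.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    network: str             # CIDR; "0.0.0.0/0" matches everything
    port: Optional[int] = None  # None matches any port

@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    encrypted: bool          # irrelevant to an ACL; kept to make that point

def evaluate(rules: List[Rule], default: str, flow: Flow) -> str:
    """Return the action of the first matching rule, else the default policy."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if dst in ipaddress.ip_network(r.network) and r.port in (None, flow.dst_port):
            return r.action
    return default

# Blacklist (constructed): an "uncooperative" address block and one torrent port.
BLACKLIST = [Rule("deny", "203.0.113.0/24"),
             Rule("deny", "0.0.0.0/0", 6881)]
# Whitelist from the post: three addresses, port 80 only.
# The IPs are placeholders from documentation ranges, not the real ones.
WHITELIST = [Rule("permit", "198.51.100.1/32", 80),   # Channel One (placeholder)
             Rule("permit", "198.51.100.2/32", 80),   # NTV (placeholder)
             Rule("permit", "198.51.100.3/32", 80)]   # Russian Post (placeholder)

def verdicts(flow: Flow) -> Tuple[str, str]:
    """(blacklist verdict, whitelist verdict) for one flow."""
    return (evaluate(BLACKLIST, "permit", flow), evaluate(WHITELIST, "deny", flow))

# Constructed flows: an encrypted tunnel to an unlisted host on 443, a plain
# page fetch from a whitelisted host, and a torrent peer in the blocked range.
TUNNEL = Flow("192.0.2.50", 443, encrypted=True)
NEWS = Flow("198.51.100.1", 80, encrypted=False)
TORRENT = Flow("203.0.113.9", 6881, encrypted=False)

if __name__ == "__main__":
    for f in (TUNNEL, NEWS, TORRENT):
        print(f, verdicts(f))
```

Note that the `encrypted` flag never enters `evaluate`: the whitelist drops the tunnel on address and port alone, which is the post's point about encryption being useless against it.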
What method will be used in Russia?
Now let's think. The largest backbone operators in Russia are:
1) Rostelecom
2) VimpelCom
3) Transtelecom
4) Central Telegraph
5) MTS / MGTS
6) Comcor / Acado
DPI equipment is deployed only at VimpelCom, Transtelecom and MGTS.
Yes, yes, Rostelecom does not have DPI.
How to check whether my provider has DPI? Call and ask. If your provider blocks entries from the registry of prohibited resources by IP address, it has no DPI; if it blocks by URL, it does. In other words, the state monopolist has no DPI, which means two scenarios are possible:
1) Buying DPI for millions of dollars
2) Using ACLs
Unfortunately, both options are equally possible, for different reasons, but if a solution is needed quickly, blocking can only be done through ACL policies.
What will happen on day X?
Assuming that blocking is done through ACLs and all "wrong" and suspicious resources are blocked:
- Of the social networks, only VKontakte / Odnoklassniki will work
- Of the instant messengers, only Skype / ICQ
- Mail will not reach external mailboxes
What about P2P?
It will keep working, that's all.
To block P2P networks, DPI would have to be pushed all the way down to the subscriber level. That would cost a huge amount of money.
=(
In other words, for us to stay in touch with each other without being wiretapped, you need to:
- Actively use any P2P tools
- NOT use any domestic services (even if the company is registered abroad, it is still run by someone from here); Yandex and its golden share are an example.
- Install software that works locally inside the operator's / country's network WITHOUT external servers
Unfortunately, promoting optimistic things like mesh networks makes no sense at this stage, for obvious reasons.
Appeal to habras-users:
Please, I ask you, let's refrain from politics; we do not want Habr to suffer the fate of the blocked resources. Each of us already knows for ourselves what to do, but you shouldn't read about it here or on ANY network that logs IP addresses.
PS: About a month ago there was a post about Twister, a free, decentralized analogue of Twitter.
Most users objected that there was no installer and nobody would use it; now it has an installer.
As well as a completely new design. Until it ends up on the block list, you have a chance to try it.
github.com/iShift/twister-webkit/releases/tag/0.9.19.16
Yes, it is cozy there, there are Russians and it really works.
To find Russians on Twister, search for the #ru tag.
You can read about Twister here: habrahabr.ru/post/213165