How Operators Track International Traffic: Technical Aspects of Limits and VPN Blocking
Russian mobile operators are preparing to introduce limits on international traffic and tighten VPN blocking. We break down how these measures are technically implemented and what consequences they may have for users and businesses.
What the Provider Sees in Encrypted Traffic
Modern encryption standards like TLS 1.3 and HTTPS make traffic content inaccessible to operators for analysis. When using HTTPS, the provider only logs the server's IP address, connection port, data volume transferred, and session duration. The SNI (Server Name Indication) extension in the TLS handshake reveals the target server's domain name, but not the specific content. For example, the operator will see a request to youtube.com, but won't know which exact video the user is watching. With Encrypted Client Hello (ECH), even this information becomes unavailable, significantly complicating traffic identification.
VPN connections create an encrypted tunnel between the client and server. The provider logs the VPN server's IP address, data volume transferred, and traffic patterns, but can't decrypt the content. The typical chain is: user → encrypted tunnel → VPN server → target resource. Traffic to known VPN providers (NordVPN, Mullvad) is easily identified by their IP pools, but the content remains hidden.
Sources of "Foreign" Traffic in the Russian Segment
The concept of "foreign traffic" in the context of Russian regulations often doesn't match the real infrastructure. Key factors:
- CDN and caching servers: Until 2022, Google Global Cache hosted servers with Russian providers, delivering YouTube and other services from local data centers. Google's exit by the end of 2025 has rerouted traffic through Warsaw and Frankfurt, formally increasing the volume of "international" traffic.
- Hybrid infrastructure: Russian services (for example, Ozon) may use AWS in the Netherlands, while Twitch and Samsung host nodes in St. Petersburg data centers.
- Dynamic routing: Delivery point selection depends on DNS settings, local cache availability, and international link conditions.
These features make geographic traffic classification technically inaccurate. MSK-IX data confirms: the departure of major CDNs increased international traffic volume by 30–60% without changes in user habits.
Methods for Detecting VPN Traffic
Regulators use a multi-level identification system:
- Basic methods:
- Matching IPs against VPN provider registries
- Analyzing standard ports (OpenVPN: UDP 1194, WireGuard: UDP 51820)
- Checking TLS fingerprints (fingerprinting)
- Deep Packet Inspection (DPI):
- Statistical analysis of packet sizes and intervals
- Detecting traffic patterns (steady flow for VPN vs. asymmetric for web browsers)
- Comparing against reference protocol profiles
- Adaptive technologies:
- Detecting masquerading as HTTPS (port 443)
- Identifying new protocols (VLESS + XTLS)
However, DPI systems face critical limitations:
- High equipment load when processing tens of thousands of rules
- False positives on legitimate traffic (App Store, torrent clients)
- Inability to achieve 100% accuracy due to protocol evolution
Challenges in Implementing International Traffic Limits
CGNAT and Multiple Users
IPv4 address shortages have led to widespread CGNAT (Carrier-Grade NAT) deployment. One public IP can serve hundreds of users via a chain: router (192.168.0.0/24) → provider NAT (100.64.0.0/10). This makes precise traffic allocation per subscriber impossible. With a 15 GB limit, operators face a dilemma: how to charge for "excess" gigabytes when traffic comes from a shared IP?
Corporate VPNs and Business Risks
Restrictions affect not just consumer segments. Remote employees use corporate VPNs to access internal systems. The Ministry of Digital Development suggests "whitelists," but:
- No technical way to distinguish corporate VPNs from public ones
- False blocks paralyze business processes
- No guarantees against errors in official documents
Real Impact on Users
A 15 GB monthly limit equates to:
- 2 hours of 4K video on YouTube
- 3–5 Steam game updates
- 50–70 hours of audio streaming
Meanwhile, traffic to the same service might count as local (via Moscow CDN) one moment and international (via Frankfurt) the next, creating unpredictable usage for users.
Key Points
- Technical Flaws: Geographic traffic classification ignores CDN features and hybrid infrastructure.
- Systemic Errors: DPI systems inevitably block legitimate traffic due to false positives.
- Business Risks: Corporate VPNs and remote work are threatened by imprecise identification.
- Economic Motive: Charging for "international" traffic shifts operator costs to users.
- Legal Uncertainty: Lack of regulatory framework creates risks of sudden rule changes.
Economic and Infrastructure Consequences
Piter-IX analytics shows international traffic makes up about 20%, but rising VPN use forces operators to expand links. Since international lines are paid in foreign currency, this adds cost pressure. Deploying DPI systems requires major hardware investments, which operators offset with new tariffs.
However, the economic model overlooks a key factor: limits push users to local services not through quality, but artificial barriers. RuTube's experience shows forced monopolization without UX improvements leads to low loyalty. A more effective approach would be building domestic CDN infrastructure and improving local services.
Technical Recommendations for Developers
- CDN Optimization: Use geotracking via provider APIs to route traffic through local nodes.
- SNI Encryption: Implement ECH to protect domain names from analysis.
- CGNAT Testing: Verify service operation under Carrier-Grade NAT conditions.
- Traffic Monitoring: Analyze geographic request distribution to predict routing changes.
- DPI Preparation: Test traffic compatibility with deep packet inspection.
Conclusion
Attempts to regulate via technical restrictions ignore fundamental internet infrastructure traits. Traffic boundaries are blurred by CDNs, hybrid architectures, and dynamic routing. VPN blocking doesn't solve access to prohibited content but risks business and legitimate users. A more promising path is developing local infrastructure and enhancing domestic services, rather than artificially limiting international interactions.
— Editorial Team
No comments yet.