Back to Home

DPI, TSPU and bypassing blocks: Internet censorship technologies

Deep packet inspection (DPI) and TSPU — key mechanisms of modern internet censorship. Study their operation, L7 blocking methods and advanced bypassing strategies for techies.

DPI, TSPU and bypassing blocks: Internet censorship technologies and strategies for techies
Advertisement 728x90

Deep Packet Inspection: Internet Censorship Mechanisms and Bypass Strategies for Tech Professionals

In today's world, internet censorship is becoming increasingly sophisticated, with its methods growing technologically advanced. Governments are actively implementing Deep Packet Inspection (DPI) systems and other infrastructure solutions to control traffic, slow down, or completely block undesirable resources. This article will delve into the architecture of such systems, their evolution from primitive IP blocking to intelligent L7 analysis, and the arsenal of technical tools that users and developers employ to circumvent these restrictions, offering a deep dive for specialists.

The Evolution of State Internet Censorship

Historically, internet blocking began with relatively simple methods. Early attempts at state traffic control were limited to blocking by IP address or DNS records. When Roskomnadzor (RKN), Russia's internet watchdog, added an IP address to its registry, internet service providers (ISPs) were obligated to drop all traffic directed to that address. This approach, operating at the L3 network layer, was cheap and quick to implement but suffered from extreme inaccuracy. Blocking entire subnets, such as CIDR ranges, led to so-called collateral blocking: thousands, or even millions, of legitimate resources hosted on the same IP addresses or within the same cloud infrastructures as the target object, were inadvertently blocked. A prominent example was the blocking of Amazon AWS in 2018 in an attempt to block Telegram, which resulted in widespread disruptions for numerous third-party services.

As technology advanced and the demand for more precise blocking increased, government agencies transitioned to more complex tools. A key stage was the implementation of Technical Means of Threat Counteraction (TMTAC) — specialized equipment equipped with Deep Packet Inspection (DPI) modules. These "hardware boxes," installed on the networks of all ISPs, allow not just dropping packets by address, but inspecting and analyzing their content. While previously an ISP only saw the "envelope" (IP address), DPI now enables them to "read the letter" — analyzing protocols, application signatures, and even specific domains hidden behind encryption. This granted RKN unprecedented control over traffic, allowing resources to be blocked or throttled in real-time, without direct ISP involvement.

Google AdInline article slot

Deep Packet Inspection (DPI) Technologies and Their Application

DPI systems operate at the seventh layer of the OSI network model — the application layer (L7), significantly expanding their capabilities compared to L3 blocking. They can analyze not only IP addresses but also protocol headers, specific application signatures, and traffic patterns. For instance, when establishing an encrypted HTTPS connection, your browser sends the first packet — the TLS ClientHello. This packet contains the Server Name Indication (SNI) — the domain name you are connecting to. Although the content of the traffic itself is encrypted thereafter, the SNI in the ClientHello packet is transmitted in plain text, allowing DPI systems to intercept it and decide whether to block or allow the connection. Technologies like ESNI (Encrypted SNI) and ECH (Encrypted ClientHello) were developed precisely to encrypt this indicator and deprive DPI of the ability to read it.

Beyond blocking, DPI can be used for throttling — artificially slowing down traffic to specific resources. This is particularly relevant for large platforms like YouTube, where outright blocking is undesirable, but limiting content availability is sought. DPI systems are trained to recognize the signatures of popular VPN protocols, such as OpenVPN and WireGuard, making them vulnerable to detection and blocking. This stimulates the development of more complex and obfuscated censorship circumvention methods.

It's crucial to understand that DPI is not the only tool for state control. Alongside it, systems for Operative Investigative Activities (SORM) are in place, which ISPs are obligated to install on their networks. Unlike TMTAC with DPI, SORM does not block traffic but copies and transmits it to special services for analysis. SORM-3, the most advanced generation, is capable of deeply analyzing all traffic, including messages in instant messengers and social networks, if the service does not use end-to-end encryption (E2E encryption).

Google AdInline article slot

Methods of Circumventing Blocks and Their Development

In response to tightening censorship and the evolution of DPI systems, users and developers are constantly refining methods to bypass blocks. Traditional VPN services, which create an encrypted tunnel between the user's device and a remote server, remain one of the most common tools. However, as mentioned, DPI systems have learned to recognize the signatures of standard VPN protocols, leading to their blocking.

This has led to the emergence and popularization of more advanced and obfuscated protocols and tools:

  • Shadowsocks, VLESS, XRay: These protocols are designed to masquerade traffic as regular HTTPS connections. They lack easily recognizable signatures, and to DPI, the encrypted traffic appears as ordinary web browsing. For example, VLESS combined with XTLS-Reality can mimic a connection to a real, legitimate website so convincingly that distinguishing it from normal HTTPS traffic becomes extremely difficult. These tools became the primary means of bypassing blocks after TMTAC began effectively blocking OpenVPN and WireGuard.
  • Tor (The Onion Router): The Tor network provides anonymity by routing traffic through multiple intermediary nodes worldwide. This makes user tracking virtually impossible. However, using Tor carries certain risks for exit node operators, as traffic originating from their IP address may lead to legal liability.
  • Proxies/Anonymizers: Simple intermediary servers that download content on behalf of the user. They are less secure than VPNs or Tor but can be effective for accessing simple blocked websites.
  • Domain Fronting: Historically used by Telegram in 2018. This method masks the target service's traffic as requests to large, legitimate CDN providers (e.g., Google, Amazon). Externally, the traffic appears as a normal request to an allowed service, but internally, it is redirected to the blocked resource. The effectiveness of this method has decreased as major CDN providers have actively combated its use.
  • goodbyedpi / zapret: These are open-source utilities that run locally on the user's device. They do not encrypt traffic and do not require external servers, but they manipulate TCP packets in a way that deceives DPI. For example, they can intentionally split the TLS ClientHello into multiple TCP segments, preventing DPI from assembling a complete signature and making a blocking decision. These tools became massively popular when TMTAC began throttling access to YouTube.

This arms race between censors and circumvention developers demonstrates the continuous technological advancement on both sides.

Google AdInline article slot

Legal and Infrastructural Aspects of Control

Beyond purely technical means, the Russian internet control system relies on a complex legal and infrastructural framework. The so-called "Yarovaya Law" (Federal Laws 374-FZ and 375-FZ) obligated telecom operators to store vast amounts of user data and provide encryption keys to special services, which served as the formal pretext for blocking Telegram in 2018. The "Lugovoy Law" (Federal Law 398-FZ) granted the Prosecutor General's Office the right to extrajudicial website blocking.

In terms of infrastructure, the concept of a "sovereign internet," enshrined in a 2019 law, provides for the creation of a National Domain Name System (NDNS) — a Russian analogue to the global DNS. This allows the state to control domain names within the Russian visibility zone autonomously, without recourse to international root servers. In conjunction with TMTAC, NDNS enables the effective "disconnection" of internet segments or individual resources for Russian users. The effectiveness of control is also enhanced by automated monitoring systems, such as the hardware-software complex "Revisor." This probe, installed at ISPs, continuously simulates user actions, checking the availability of blocked resources and automatically recording violations, thereby eliminating the human factor and improving blocking discipline.

Under conditions of total control, the state also forms "whitelists" — lists of websites and services that are guaranteed to work even in the event of global outages or tightened blocks. Inclusion on such a list typically requires servers to be located in Russia and full compliance with local legislation, which effectively means consent to state regulation and data access.

Key Takeaways

  • Internet censorship has evolved from simple IP blocking to sophisticated Deep Packet Inspection (DPI) systems operating at L7.
  • DPI systems, such as TMTAC, analyze protocol headers and application signatures, including SNI in TLS ClientHello, for targeted blocking.
  • Advanced techniques that mask traffic as regular HTTPS (Shadowsocks, VLESS, XRay) or manipulate packets (goodbyedpi) are used to bypass modern censorship.
  • Alongside blocking, monitoring systems (SORM) and the infrastructure of a "sovereign internet" (NDNS) are developing, strengthening state control.
  • The arms race between censors and circumvention tool developers is constant, requiring continuous technological advancement on both sides.

— Editorial Team

Advertisement 728x90

Read Next