How can regimes 'ban' VPNs?


Disparate Dan


We see this week Burma is moving to ban VPNs as everyone rushes to use them in the wake of the regime telling F'book etc to block in-country.

 

Does anyone know whether it is possible to really ban VPNs locally or regionally? I guess if you didn't have one before the ban, it might be feasible, but surely if you already have one, a "government" would have no way (short of stomping into your home and taking your pooter) to stop you using it. Any teccies know the answers - might soon be very relevant closer to home.....


That is a good question.  I imagine that there are technical solutions to get the ISP for your internet to block VPNs, especially if that provider is a monopoly and government controlled.  I also imagine that, at least here in Thailand, it would be an unacceptable move to do so. 


2 minutes ago, Disparate Dan said:

Does anyone know whether it is possible to really ban VPNs locally or regionally?

 

Yes, to a degree, but a never ending "search and destroy" type endeavour. Think of it as similar to TV stations using geoblocking, you find a VPN that works, a few months later it doesn't (once the TV station techs notice it and block it).


4 minutes ago, Pilotman said:

That is a good question.  I imagine that there are technical solutions to get the ISP for your internet to block VPNs, especially if that provider is a monopoly and government controlled.  I also imagine that, at least here in Thailand, it would be an unacceptable move to do so. 

Impractical more than unacceptable, maybe?  Thais are very internet-savvy and I suspect (obviously there are no numbers) VPN usage here is extremely high - that's largely how it came about that most people now know about the issues that are prohibited from discussion. Probably even the *wit regime here realises the stable door can't be bolted at this stage.


In Burma though it's quicker, cheaper and less tech-savvy required for the soldiers to simply bash down every household front door for a look-see.


11 minutes ago, najomtiensun said:

It's not difficult - announce a 100,000 baht fine / imprisonment / deportation for using one, make a couple of well publicised arrests, job done.

Maybe, but I doubt younger Thais would be put off and in practice it's possible to hide most of what you have even from an inspection.

If you have Tor (browser, available in Thai) it really does look like you can be totally undetectable. The BIB might be able to see an IP address but they can't go to (eg) Germany and tell them to block it.

But I asked the question precisely because I am far from sure...


2 minutes ago, Disparate Dan said:

The BIB might be able to see an IP address but they can't go to (eg) Germany and tell them to block it.

 

They don't have to go to Germany, they block it at the border.


4 minutes ago, Salerno said:

 

They don't have to go to Germany, they block it at the border.

OK - does that mean telling ISPs to stop it, or is it done by the th*gs themselves?

I believe even in China things like Tor and onion sites beat their system, and Beijing is a whole lot smarter than this lot.


12 minutes ago, Salerno said:

 

They don't have to go to Germany, they block it at the border.

It's quite easy in a way, they just instruct all internet providers to block certain IP addresses. Those IP addresses are those of VPN providers. But it would be a constant battle between new IP addresses for VPNs and the government's updates including those.


1 minute ago, Disparate Dan said:

OK - does that mean telling ISPs to stop it, or is it done by the th*gs themselves?

 

That'd be the thugs holding a gun to the ISPs' heads.

 

2 minutes ago, Disparate Dan said:

I believe even in China things like Tor and onion sites beat their system, and Beijing is a whole lot smarter than this lot.

 

As mentioned above, it's an ongoing search and destroy mission. Yes, motivated people may get around it, but your average Burmese isn't going to be savvy enough nor IMO motivated enough. Certain groups will no doubt keep using tech to its full advantage as long as they aren't locked up or dead.


It's not so easy to block as first they would have to break the encryption. In more sophisticated VPNs it's next to impossible. China's great firewall can't beat well known VPNs so I doubt Burma can either. I made a VPN for a friend who worked in a western bank where everything was blocked. My VPN got through easily.


11 minutes ago, uncleP said:

It's not so easy to block as first they would have to break the encryption. In more sophisticated VPNs it's next to impossible. China's great firewall can't beat well known VPNs so I doubt Burma can either. I made a VPN for a friend who worked in a western bank where everything was blocked. My VPN got through easily.

Once they know what IP address a VPN uses to connect to, they just put that on the block list and done. The problem is for governments to keep the blocked list updated and for VPN makers to have addresses off the blocked list.

 

No need to break encryption at all, just make sure the connection can never be made.


5 minutes ago, ExpatOilWorker said:

When you use web based proxy,  like croxyproxy.com, you get a seemingly random extension each time, which would be hard to block.

But you seem to forget they can block your connection to croxyproxy.com. So they don't need to block the random numbers that come after that.

 

It's just a never-ending game between the VPNs / proxies and the rest.


They simply ban IPs of which they know that they offer VPN services, then people can't connect to them anymore.

Identifying which IPs provide VPN services is nothing that can really be done automatically, but requires manual work, and only works for publicly available VPNs.

If you set up your own VPN in some random data center it's basically impossible for them to identify and ban it.


2 hours ago, Disparate Dan said:

We see this week Burma is moving to ban VPNs as everyone rushes to use them in the wake of the regime telling F'book etc to block in-country.

 

Does anyone know whether it is possible to really ban VPNs locally or regionally? I guess if you didn't have one before the ban, it might be feasible, but surely if you already have one, a "government" would have no way (short of stomping into your home and taking your pooter) to stop you using it. Any teccies know the answers - might soon be very relevant closer to home.....

 

Yes, sure it's possible, on an individual basis. The ISP can detect probable VPN connections and then investigate them.

Most VPN clients will use ports that aren't used for HTTP or HTTPS, so that will already be a flag. Might be online gaming though.

Port 443 is often used by VPN services as a default port, and left at that default setting by lazy users.

VPN entry nodes have IP addresses that most of the time don't have name resolution associated with them. Game servers usually have name resolution.

Then, during the VPN session, the client probably won't make DNS requests.

So, from a network monitoring perspective (possible by the ISP), any connection over a non-standard port to a naked IP address without name resolution and without DNS requests, with a significant amount of data received (all packets going to and from the same remote IP), has a 90% probability of being a VPN connection.

Maybe make that 99%.

 


19 minutes ago, tgw said:

 

Yes, sure it's possible, on an individual basis. The ISP can detect probable VPN connections and then investigate them.

Most VPN clients will use ports that aren't used for HTTP or HTTPS, so that will already be a flag. Might be online gaming though.

Port 443 is often used by VPN services as a default port, and left at that default setting by lazy users.

VPN entry nodes have IP addresses that most of the time don't have name resolution associated with them. Game servers usually have name resolution.

Then, during the VPN session, the client probably won't make DNS requests.

So, from a network monitoring perspective (possible by the ISP), any connection over a non-standard port to a naked IP address without name resolution and without DNS requests, with a significant amount of data received (all packets going to and from the same remote IP), has a 90% probability of being a VPN connection.

Maybe make that 99%.

 

 

 

One user and one connection easy.

 

But they have to monitor and assess how many million connections at any given time, in real time?   And the number of and location of users is constantly churning.

 

 

It is doable but in reality on a nationwide basis not practical. You would need a facility the size of USA's NSA facility to monitor all traffic in real time, and even then the real time analysis of all that data, that is constantly changing, would be improbable at best.


32 minutes ago, 86Tiger said:

 

 

One user and one connection easy.

 

But they have to monitor and assess how many million connections at any given time, in real time?   And the number of and location of users is constantly churning.

 

 

It is doable but in reality on a nationwide basis not practical. You would need a facility the size of USA's NSA facility to monitor all traffic in real time, and even then the real time analysis of all that data, that is constantly changing, would be improbable at best.

 

Not really.

And no need for real time.

If the goal is simply to go after VPNs, much of the information needed is already contained in the ISP's logs. Simply parsing the logs should already yield many VPN users.

 


1 hour ago, tgw said:

 

Not really.

And no need for real time.

If the goal is simply to go after VPNs, much of the information needed is already contained in the ISP's logs. Simply parsing the logs should already yield many VPN users.

 

 

 

Would the goal be to identify many? Or eliminate all? 2 different puzzles.

 

And premium VPN providers are changing what the world sees regularly.  What was true last week is forgotten and buried this week.


1 hour ago, 86Tiger said:

 

 

Would the goal be to identify many? Or eliminate all? 2 different puzzles.

 

And premium VPN providers are changing what the world sees regularly.  What was true last week is forgotten and buried this week.

 

"all" is theoretical.

Many could already just be blocked because users don't have the technical skills to circumvent a block of standard IPs and ports.

I'd say 95-98% of VPN users could be easily identified, if a government puts small resources into it, something like a 20-man network team and 200 police, they would catch hundreds every day, the police team then dispatches arrest orders to the boots.

Over a hundred people a day arrested for using VPN, just keep that going as well as a headline in the news for a week or two and the job is done, nobody would risk it anymore.

 

 

 


On 2/6/2021 at 12:11 PM, jackdd said:

Identifying which IPs provide VPN services is nothing that can really be done automatically, but requires manual work, and only works for publicly available VPNs.

If you setup your own VPN in some random data center it's basically impossible for them to identify and ban it.

 

Wrong.

Casual VPN traffic such as OpenVPN, IPSec, WireGuard, etc. is detected automatically and blocked with a few mouse clicks.

More sophisticated tunnels such as Shadowsocks or steganography tunnels inside HTTPS, DNS, ICMP traffic are a bit more difficult to detect but still doable and blocked with several extra lines of code for the firewall.

 

google:// deep packet inspection

 

 

On 2/6/2021 at 12:41 PM, 86Tiger said:

But they have to monitor and assess how many million connections at any given time, in real time?   And the number of and location of users is constantly churning.

 

It is doable but in reality on a nationwide basis not practical. You would need a facility the size of USA's NSA facility to monitor all traffic in real time, and even then the real time analysis of all that data, that is constantly changing, would be improbable at best.

 

Wrong.

All the backbone network equipment from the major suppliers (Cisco, Arista, Juniper) maintains a "source ip - source port - destination ip - destination port - timestamp" database to "fight terrorism" and provides a web interface for authorities to inspect the connections.

By having these connection tables it takes the same few mouse clicks to uncover every VPN user's real IP address.

 

google:// cisco netflow

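The detection heuristic tgw describes (non-web port, naked destination IP with no name resolution, no DNS queries during the session, a large byte count to one remote host) and the per-connection "source ip - source port - destination ip - destination port - timestamp" records fdsa refers to can be combined into a small triage script. What follows is an added example, not code from anyone in this thread, written from the point of view of a network team checking its own egress flow logs for unsanctioned tunnels (the bank scenario uncleP mentions). Everything in it is constructed: the flow records, the reverse-DNS table, the DNS query log, the provider range 203.0.113.0/24 (an RFC 5737 documentation prefix standing in for a real blocklist) and the 50 MB threshold; the way the four signals are scored is an assumption of this example, not a rule from the thread. It also shows the two objections raised in the thread: a game server with a resolvable name scores low, and a tunnel on port 443 loses the port signal entirely.

```python
"""Flow-record triage for tunnel-like egress (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: 5-tuple plus byte count and session window."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_total: int
    start: int  # epoch seconds of first packet
    end: int    # epoch seconds of last packet


WEB_PORTS = {80, 443}
LARGE_FLOW_BYTES = 50_000_000  # assumed threshold for "a significant amount of data"

# Hypothetical blocklist of known provider ranges (RFC 5737 documentation prefix).
PROVIDER_RANGES = [ip_network("203.0.113.0/24")]

# Constructed reverse-DNS (PTR) table; destinations missing here are "naked IPs".
PTR = {"198.51.100.10": "game-eu1.example.net"}

# Constructed DNS query log per client: (timestamp, queried name).
DNS_LOG = {
    "10.0.0.5": [(900, "news.example.com")],
    "10.0.0.7": [(900, "game-eu1.example.net"), (2000, "cdn.example.net")],
}


def in_provider_range(ip: str) -> bool:
    """True when the destination falls inside a blocklisted provider range."""
    addr = ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)


def dns_queries_during(client: str, start: int, end: int) -> int:
    """Count DNS queries the client made while the flow was open."""
    return sum(1 for ts, _ in DNS_LOG.get(client, []) if start <= ts <= end)


def tunnel_signals(flow: Flow) -> list[str]:
    """The four signals from the thread, each reported by name when present."""
    signals = []
    if flow.dst_port not in WEB_PORTS:
        signals.append("non-web port")
    if flow.dst_ip not in PTR:
        signals.append("no reverse DNS for destination")
    if dns_queries_during(flow.src_ip, flow.start, flow.end) == 0:
        signals.append("no DNS queries during session")
    if flow.bytes_total >= LARGE_FLOW_BYTES:
        signals.append("large byte count to one remote IP")
    return signals


def verdict(flow: Flow) -> str:
    """Blocklist first (no inspection needed), then the heuristic score."""
    if in_provider_range(flow.dst_ip):
        return "blocklisted"
    n = len(tunnel_signals(flow))
    if n == 4:
        return "tunnel-like"
    if n == 3:
        return "review"  # e.g. port 443: the port signal is gone, so a human looks
    return "normal"


# Constructed sample flows; ports 1194 and 51820 are the OpenVPN and WireGuard defaults.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 50311, "203.0.113.40", 1194, 80_000_000, 1500, 9000),    # provider range
    Flow("10.0.0.5", 50322, "192.0.2.77", 51820, 200_000_000, 1500, 9000),    # naked IP, all four signals
    Flow("10.0.0.7", 50333, "198.51.100.10", 27015, 120_000_000, 1500, 9000), # game server: PTR + DNS present
    Flow("10.0.0.5", 50344, "192.0.2.80", 443, 90_000_000, 1500, 9000),       # HTTPS port: port signal lost
]


def triage(flows: list[Flow] = SAMPLE_FLOWS) -> list[tuple[str, str]]:
    """Return (destination, verdict) for each flow in order."""
    return [(f"{f.dst_ip}:{f.dst_port}", verdict(f)) for f in flows]


if __name__ == "__main__":
    for dst, v in triage():
        print(f"{dst:<22} {v}")
```

Running it prints one line per flow: the provider-range flow is blocklisted without any inspection, the WireGuard-port flow to a naked IP collects all four signals, the game-server flow scores only two (non-web port and size) because its destination resolves and the client was still doing DNS lookups, and the flow on 443 lands in "review" because the one signal that cost nothing to check has disappeared. The thresholds are where the false-positive rate lives; on a real network the DNS log has to come from the same resolver the clients actually use, or every client running its own encrypted DNS will look like "no DNS queries during session".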

3 minutes ago, fdsa said:

everything is wrong

"but why governments don't block all VPN traffic if it's that simple?"

- because many companies use VPN and encrypted tunnels for totally legitimate purposes and blocking all VPN traffic will lead to unrest and disturbance. It is safer for governments to just block the largest commercial VPN providers' IP ranges rather than to create a white list of users allowed to use VPN.

 

"if my IP address is not safe despite all those VPN providers say the different, what should I do to protect myself online?"

- use a chain of VPN servers located in different jurisdictions and hosted by different companies; it will raise the chance that some of the datacenters in between do not allow strangers external access to their backbone routers.


15 minutes ago, fdsa said:

google:// deep packet inspection

Good luck doing deep packet inspection for the traffic of a whole country.

I think the only country which has the capacities for this is China (the USA maybe).


6 minutes ago, jackdd said:

Good luck doing deep packet inspection for the traffic of a whole country.

I think the only country which has the capacities for this is China (the USA maybe).

Decrypting and manipulating network packets takes much less resources than you think.

google:// blue coat dpi

Their servers have similar CPU power & amount of RAM as your smartphone.


If the VPN uses the standard ports then yes it's possible to block from the ISP end.

 

If you run the VPN yourself on a VPS you can easily bypass this. If the VPN is provided by another service then you generally can't change this and they can block you.

 

They can also block specific VPN providers.


On 2/5/2021 at 7:10 PM, Disparate Dan said:

We see this week Burma is moving to ban VPNs as everyone rushes to use them in the wake of the regime telling F'book etc to block in-country.

 

Does anyone know whether it is possible to really ban VPNs locally or regionally? I guess if you didn't have one before the ban, it might be feasible, but surely if you already have one, a "government" would have no way (short of stomping into your home and taking your pooter) to stop you using it. Any teccies know the answers - might soon be very relevant closer to home.....

If they stop wi-fi?


On 2/6/2021 at 5:15 AM, tgw said:

 

Yes, sure it's possible, on an individual basis. The ISP can detect probable VPN connections and then investigate them.

Most VPN clients will use ports that aren't used for HTTP or HTTPS, so that will already be a flag. Might be online gaming though.

Port 443 is often used by VPN services as a default port, and left at that default setting by lazy users.

VPN entry nodes have IP addresses that most of the time don't have name resolution associated with them. Game servers usually have name resolution.

Then, during the VPN session, the client probably won't make DNS requests.

So, from a network monitoring perspective (possible by the ISP), any connection over a non-standard port to a naked IP address without name resolution and without DNS requests, with a significant amount of data received (all packets going to and from the same remote IP), has a 90% probability of being a VPN connection.

Maybe make that 99%.

 

Port 443 is the default for https traffic i.e. most of it nowadays.


Archived

This topic is now archived and is closed to further replies.
