Disparate Dan, posted February 6, 2021

We see this week Burma is moving to ban VPNs as everyone rushes to use them in the wake of the regime telling F'book etc to block in-country. Does anyone know whether it is possible to really ban VPNs locally or regionally? I guess if you didn't have one before the ban, it might be feasible, but surely if you already have one, a "government" would have no way (short of stomping into your home and taking your pooter) to stop you using it. Any teccies know the answers - might soon be very relevant closer to home.....

Pilotman, posted February 6, 2021

That is a good question. I imagine that there are technical solutions to get the ISP for your internet to block VPNs, especially if that provider is a monopoly and government controlled. I also imagine that, at least here in Thailand, it would be an unacceptable move to do so.

Salerno, posted February 6, 2021

2 minutes ago, Disparate Dan said: Does anyone know whether it is possible to really ban VPNs locally or regionally?

Yes, to a degree, but a never ending "search and destroy" type endeavour. Think of it as similar to TV stations using geoblocking, you find a VPN that works, a few months later it doesn't (once the TV station techs notice it and block it).

Disparate Dan, posted February 6, 2021

4 minutes ago, Pilotman said: That is a good question. I imagine that there are technical solutions to get the ISP for your internet to block VPNs, especially if that provider is a monopoly and government controlled. I also imagine that, at least here in Thailand, it would be an unacceptable move to do so.

Impractical more than unacceptable, maybe? Thais are very internet-savvy and I suspect (obviously there are no numbers) VPN usage here is extremely high - that's largely how it came about that most people now know about the issues that are prohibited from discussion. Probably even the *wit regime here realises the stable door can't be bolted at this stage.

tifino, posted February 6, 2021

In Burma though it's quicker, cheaper and less tech-savvy required, for them soldiers to simply bash down every household front door, for a look-see.

najomtiensun, posted February 6, 2021

It's not difficult - announce a 100,000 baht fine / imprisonment / deportation for using one, make a couple of well publicised arrests, job done.

Disparate Dan, posted February 6, 2021

11 minutes ago, najomtiensun said: It's not difficult - announce a 100,000 baht fine / imprisonment / deportation for using one, make a couple of well publicised arrests, job done.

Maybe, but I doubt younger Thais would be put off and in practice it's possible to hide most of what you have even from an inspection. If you have Tor (browser, available in Thai) it really does look like you can be totally undetectable. The BIB might be able to see an IP address but they can't go to (eg) Germany and tell them to block it. But I asked the question precisely because I am far from sure...................

Salerno, posted February 6, 2021

2 minutes ago, Disparate Dan said: The BIB might be able to see an IP address but they can't go to (eg) Germany and tell them to block it.

They don't have to go to Germany, they block it at the border.

Disparate Dan, posted February 6, 2021

4 minutes ago, Salerno said: They don't have to go to Germany, they block it at the border.

OK - does that mean telling ISPs to stop it, or is it done by the th*gs themselves? I believe even in China things like Tor and onion sites beat their system, and Beijing is a whole lot smarter than this lot.

robblok, posted February 6, 2021

12 minutes ago, Salerno said: They don't have to go to Germany, they block it at the border.

It's quite easy in a way, they just instruct all internet providers to block certain IP addresses. Those IP addresses are those of VPN providers. But it would be a constant battle between new IP addresses for VPNs and the update of the government including those.

Salerno, posted February 6, 2021

1 minute ago, Disparate Dan said: OK - does that mean telling ISPs to stop it, or is it done by the th*gs themselves?

That'd be the thugs holding a gun to the ISPs' heads.

2 minutes ago, Disparate Dan said: I believe even in China things like Tor and onion sites beat their system, and Beijing is a whole lot smarter than this lot.

As mentioned above, it's an ongoing search and destroy mission. Yes, motivated people may get around it, but your average Burmese isn't going to be savvy enough nor IMO motivated enough. Certain groups will no doubt keep using tech to its full advantage as long as they aren't locked up or dead.

uncleP, posted February 6, 2021 (edited)

It's not so easy to block, as first they would have to break the encryption. In more sophisticated VPNs it's next to impossible. China's Great Firewall can't beat well known VPNs so I doubt Burma can either. I made a VPN for a friend who worked in a western bank where everything was blocked. My VPN got through easily.

robblok, posted February 6, 2021

11 minutes ago, uncleP said: It's not so easy to block, as first they would have to break the encryption. In more sophisticated VPNs it's next to impossible. China's Great Firewall can't beat well known VPNs so I doubt Burma can either. I made a VPN for a friend who worked in a western bank where everything was blocked. My VPN got through easily.

Once they know what IP address a VPN uses to connect to, they just put that on the block list and done. The problem is for governments to keep the blocked list updated and for VPN makers to have addresses off the blocked list. No need to break encryption at all, just make sure the connection can never be made.

ExpatOilWorker, posted February 6, 2021

When you use web based proxy, like croxyproxy.com, you get a seemingly random extension each time, which would be hard to block.

robblok, posted February 6, 2021

5 minutes ago, ExpatOilWorker said: When you use web based proxy, like croxyproxy.com, you get a seemingly random extension each time, which would be hard to block.

But you seem to forget they can block your connection to croxyproxy.com. So they don't need to block the random numbers that come after that. It's just a never ending game between the VPNs / proxies and the rest.

jackdd, posted February 6, 2021

They simply ban IPs of which they know that they offer VPN services, then people can't connect to them anymore. Identifying which IPs provide VPN services is nothing that can really be done automatically, but requires manual work, and only works for publicly available VPNs. If you set up your own VPN in some random data center it's basically impossible for them to identify and ban it.

tgw, posted February 6, 2021 (edited)

2 hours ago, Disparate Dan said: We see this week Burma is moving to ban VPNs as everyone rushes to use them in the wake of the regime telling F'book etc to block in-country. Does anyone know whether it is possible to really ban VPNs locally or regionally? I guess if you didn't have one before the ban, it might be feasible, but surely if you already have one, a "government" would have no way (short of stomping into your home and taking your pooter) to stop you using it. Any teccies know the answers - might soon be very relevant closer to home.....

Yes, sure it's possible, on an individual basis. The ISP can detect probable VPN connections and then investigate on it.

Most VPN clients will use ports that aren't used for HTTP or HTTPS, so that will already be a flag. Might be online gaming though. Port 443 is often used by VPN services as a default port, and left at that default setting by lazy users.

VPN entry nodes have IP addresses that most of the time don't have name resolution associated to them. Game servers usually have name resolution.

Then, during the VPN session, the client probably won't make DNS requests.

So, from a network monitoring perspective (possible by the ISP), any connection over non-standard port to a naked IP address without name resolution and without DNS requests, with a significant amount of data received (all packets going to and from the same remote IP), has a 90% probability of being a VPN connection. Maybe make that 99%.

86Tiger, posted February 6, 2021

19 minutes ago, tgw said: Yes, sure it's possible, on an individual basis. The ISP can detect probable VPN connections and then investigate on it. Most VPN clients will use ports that aren't used for HTTP or HTTPS, so that will already be a flag. Might be online gaming though. Port 443 is often used by VPN services as a default port, and left at that default setting by lazy users. VPN entry nodes have IP addresses that most of the time don't have name resolution associated to them. Game servers usually have name resolution. Then, during the VPN session, the client probably won't make DNS requests. So, from a network monitoring perspective (possible by the ISP), any connection over non-standard port to a naked IP address without name resolution and without DNS requests, with a significant amount of data received (all packets going to and from the same remote IP), has a 90% probability of being a VPN connection. Maybe make that 99%.

One user and one connection, easy. But they have to monitor and assess how many million connections at any given time, in real time? And the number of and location of users is constantly churning. It is doable but in reality on a nation wide basis not practical. You would need a facility the size of USA's NSA facility to monitor all traffic in real time, even then the real time analysis of all that data, that is constantly changing, would be improbable at best.

tgw, posted February 6, 2021

32 minutes ago, 86Tiger said: One user and one connection, easy. But they have to monitor and assess how many million connections at any given time, in real time? And the number of and location of users is constantly churning. It is doable but in reality on a nation wide basis not practical. You would need a facility the size of USA's NSA facility to monitor all traffic in real time, even then the real time analysis of all that data, that is constantly changing, would be improbable at best.

Not really, and no need for real time. If the goal is to simply go after VPN, much of the information needed is already contained in the ISP's logs. Simply parsing the logs should already yield many VPN users.

86Tiger, posted February 6, 2021

1 hour ago, tgw said: Not really, and no need for real time. If the goal is to simply go after VPN, much of the information needed is already contained in the ISP's logs. Simply parsing the logs should already yield many VPN users.

Would the goal be to identify many? Or eliminate all? 2 different puzzles. And premium VPN providers are changing what the world sees regularly. What was true last week is forgotten and buried this week.

tgw, posted February 6, 2021 (edited)

1 hour ago, 86Tiger said: Would the goal be to identify many? Or eliminate all? 2 different puzzles. And premium VPN providers are changing what the world sees regularly. What was true last week is forgotten and buried this week.

"All" is theoretical. Many could already just be blocked because users don't have the technical skills to circumvent a block of standard IPs and ports. I'd say 95-98% of VPN users could be easily identified. If a government puts small resources into it, something like a 20-man network team and 200 police, they would catch hundreds every day, the police team then dispatches arrest orders to the boots. Over a hundred people a day arrested for using VPN, just keep that going as well as a headline in the news for a week or two and the job is done, nobody would risk it anymore.

Crossy, posted February 6, 2021

A short article, worth a read for an idea just how safe your VPN isn't.

https://www.dealarious.com/blog/deep-packet-inspection-dpi-blocks-vpn

carlyai, posted February 7, 2021

15 hours ago, Crossy said: A short article, worth a read for an idea just how safe your VPN isn't. https://www.dealarious.com/blog/deep-packet-inspection-dpi-blocks-vpn

Yes, evidently even the latest Android update has security issues and advice to me was not to use an Android system VPN.

fdsa, posted February 7, 2021 (edited)

On 2/6/2021 at 12:11 PM, jackdd said: Identifying which IPs provide VPN services is nothing that can really be done automatically, but requires manual work, and only works for publicly available VPNs. If you set up your own VPN in some random data center it's basically impossible for them to identify and ban it.

Wrong. Casual VPN traffic such as OpenVPN, IPSec, Wireguard, etc, is detected automatically and blocked with a few mouse clicks. More sophisticated tunnels such as Shadowsocks or steganography tunnels inside HTTPS, DNS, ICMP traffic are a bit more difficult to detect but still doable and blocked with several extra lines of code for the firewall.

google:// deep packet inspection

On 2/6/2021 at 12:41 PM, 86Tiger said: But they have to monitor and assess how many million connections at any given time, in real time? And the number of and location of users is constantly churning. It is doable but in reality on a nation wide basis not practical. You would need a facility the size of USA's NSA facility to monitor all traffic in real time, even then the real time analysis of all that data, that is constantly changing, would be improbable at best.

Wrong. All the backbone network equipment from the major suppliers (Cisco, Arista, Juniper) maintains a "source ip - source port - destination ip - destination port - timestamp" database to "fight terrorism" and provides a web interface for authorities to inspect the connections. By having these connection tables it takes the same few mouse clicks to uncover every VPN user's real IP address.

google:// cisco netflow

fdsa, posted February 7, 2021

3 minutes ago, fdsa said: everything is wrong

"but why governments don't block all VPN traffic if it's that simple?" - because many companies use VPN and encrypted tunnels for totally legitimate purposes and blocking all VPN traffic will lead to unrest and disturbance. It is safer for governments to just block the largest commercial VPN providers' IP ranges rather than to create a white list of users allowed to use VPN.

"if my IP address is not safe despite all those VPN providers say differently, what should I do to protect myself online?" - use a chain of VPN servers located in different jurisdictions and hosted by different companies, it will raise the chance that some of the datacenters in between do not allow external access to their backbone routers to strangers.

jackdd, posted February 7, 2021

15 minutes ago, fdsa said: google:// deep packet inspection

Good luck doing deep packet inspection for the traffic of a whole country. I think the only country which has the capacities for this is China (the USA maybe).

fdsa, posted February 7, 2021

6 minutes ago, jackdd said: Good luck doing deep packet inspection for the traffic of a whole country. I think the only country which has the capacities for this is China (the USA maybe).

Decrypting and manipulating network packets takes much less resources than you think.

google:// blue coat dpi

Their servers have similar CPU power & amount of RAM as your smartphone.

wprime, posted February 7, 2021

If the VPN uses the standard ports then yes it's possible to block from the ISP end. If you run the VPN yourself on a VPS you can easily bypass this. If the VPN is provided by another service then you generally can't change this and they can block you. They can also block specific VPN providers.

elgenon, posted February 7, 2021

On 2/5/2021 at 7:10 PM, Disparate Dan said: We see this week Burma is moving to ban VPNs as everyone rushes to use them in the wake of the regime telling F'book etc to block in-country. Does anyone know whether it is possible to really ban VPNs locally or regionally? I guess if you didn't have one before the ban, it might be feasible, but surely if you already have one, a "government" would have no way (short of stomping into your home and taking your pooter) to stop you using it. Any teccies know the answers - might soon be very relevant closer to home.....

If they stop wi-fi?

mrfill, posted February 8, 2021

On 2/6/2021 at 5:15 AM, tgw said: Yes, sure it's possible, on an individual basis. The ISP can detect probable VPN connections and then investigate on it. Most VPN clients will use ports that aren't used for HTTP or HTTPS, so that will already be a flag. Might be online gaming though. Port 443 is often used by VPN services as a default port, and left at that default setting by lazy users. VPN entry nodes have IP addresses that most of the time don't have name resolution associated to them. Game servers usually have name resolution. Then, during the VPN session, the client probably won't make DNS requests. So, from a network monitoring perspective (possible by the ISP), any connection over non-standard port to a naked IP address without name resolution and without DNS requests, with a significant amount of data received (all packets going to and from the same remote IP), has a 90% probability of being a VPN connection. Maybe make that 99%.

Port 443 is the default for https traffic i.e. most of it nowadays.

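The flow-log heuristic tgw describes, and the port 443 caveat raised by tgw and mrfill, written out as an added example for network-monitoring readers (not code from any poster in this thread). The record fields, the byte and traffic-share thresholds and the sample flows are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

WEB_PORTS = {80, 443}        # ports the post treats as ordinary web traffic
MIN_BYTES = 50_000_000       # assumed cut-off for "a significant amount of data"
MIN_SHARE = 0.90             # assumed: almost all client traffic goes to one remote IP


@dataclass(frozen=True)
class Flow:                  # hypothetical record layout, one row per client/remote pair
    client: str
    remote: str
    dport: int
    nbytes: int
    remote_has_ptr: bool     # does the remote IP have reverse DNS?
    dns_queries: int         # DNS lookups the client made while the flow was open


# Constructed sample records; addresses are private or documentation ranges.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 1194, 900_000_000, False, 0),   # tunnel-like flow
    Flow("10.0.0.5", "198.51.100.7", 443, 2_000_000, True, 3),       # ordinary browsing
    Flow("10.0.0.6", "203.0.113.20", 27015, 400_000_000, True, 12),  # game server
    Flow("10.0.0.6", "198.51.100.7", 443, 30_000_000, True, 40),     # ordinary browsing
    Flow("10.0.0.7", "203.0.113.30", 443, 800_000_000, False, 0),    # tunnel on port 443
]


def signals(flow, share):
    """Return the names of the heuristic signals that fire for one flow."""
    checks = {
        "non_web_port": flow.dport not in WEB_PORTS,
        "no_reverse_dns": not flow.remote_has_ptr,
        "no_dns_queries": flow.dns_queries == 0,
        "high_volume": flow.nbytes >= MIN_BYTES,
        "single_remote": share >= MIN_SHARE,
    }
    return [name for name, hit in checks.items() if hit]


def score_flows(flows):
    """Map (client, remote) to the signals that fired, using per-client byte share."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.client] += f.nbytes
    return {(f.client, f.remote): signals(f, f.nbytes / max(totals[f.client], 1))
            for f in flows}


def flagged(flows, required):
    """Pairs for which at least `required` of the five signals fired."""
    return sorted(p for p, fired in score_flows(flows).items() if len(fired) >= required)


if __name__ == "__main__":
    for pair, fired in score_flows(FLOWS).items():
        print(pair, len(fired), fired)
    print("all five signals:", flagged(FLOWS, 5))
    print("any four signals:", flagged(FLOWS, 4))
```

Requiring all five signals misses the tunnel on port 443, while the game server fires the port, volume and share signals but is separated by its reverse DNS and DNS activity, so the port test contributes the least on its own.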