Enderman – Telegram
Enderman
5.78K subscribers
373 photos
23 videos
7 files
133 links
A software engineer, a malware enthusiast and most importantly, a weird tall creature.

https://enderman.ch
https://youtube.com/endermanch
⛔️ Bypassing Internet censorship

In light of the recent events taking place in 🇧🇷, I decided to compile a list of state-wide Internet censorship bypass methods. Let's get ready to connect in the upcoming fragmented world!

🔻 DPI Bypass. A VPN might be unnecessary! While a virtual private network may be a solution, state restrictions are commonly implemented via DPI (Deep Packet Inspection). The software on the ISP's routing devices filters out packets based on certain conditions, and most of the time those conditions are hardcoded, which means there's room to contest them.

There are two kinds of Deep Packet Inspection:
▪️ Passive DPI cannot block the packets, but can inject them, usually a TCP RST (connection reset) packet. If it is being injected on the client side, it's possible to configure iptables to drop it, but the RST might also be sent directly to the server, rendering the iptables method pointless.
▪️ Active DPI (used in 🇷🇺 and 🇨🇳) is an upgrade — it's a physical box, and it is capable of blocking the packets. The only way to bypass it is to break its detection algorithm. The algorithm is possible to break by sending data the inspection software doesn't expect to encounter and process.

For instance, by spec, you can split the application-layer HTTP request across TCP segments: "GET / HTTP/1.1\r\nHost: google.com ..." becomes "GET / " + "HTTP/1.1\r\nHost: google.com ...". It's also possible to alter the case of the header keys, as header names are case-insensitive: "Host:" becomes "hOst:". As a final example, a «DNS root» dot after the hostname is also allowed by spec, but may break the algorithm: "Host: google.com.".
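To make concrete why those spec-legal forms slip past a hardcoded rule, here is an added example (my own Python, not the channel author's code or any DPI vendor's) contrasting a per-segment, case-sensitive literal match with a parser that reassembles the stream, treats header names case-insensitively and strips the root dot. The segment split and the "hOst:" spelling are the ones from the post; the request bytes are constructed sample input, and nothing here touches the network.

```python
import re
from typing import List, Optional

# Constructed sample request, split into two TCP segments exactly as the post
# describes: "GET / " + "HTTP/1.1\r\nHost: google.com". The second segment
# also uses the mixed-case header name and the trailing root dot.
SEGMENTS_SPLIT: List[bytes] = [b"GET / ", b"HTTP/1.1\r\nhOst: google.com.\r\n\r\n"]
SEGMENTS_PLAIN: List[bytes] = [b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"]


def naive_host(segment: bytes) -> Optional[str]:
    """Per-segment, case-sensitive literal match: the kind of hardcoded rule
    the post says inspection software commonly relies on. It only fires when
    the whole request line and an exactly spelled 'Host:' sit in one segment."""
    if not segment.startswith(b"GET "):
        return None
    m = re.search(rb"\r\nHost: ([^\r\n]+)", segment)
    return m.group(1).decode("ascii", "replace") if m else None


def robust_host(segments: List[bytes]) -> Optional[str]:
    """Spec-following extraction: reassemble the byte stream first, parse the
    header block, compare field names case-insensitively (HTTP field names are
    case-insensitive) and normalise away an optional trailing root dot."""
    stream = b"".join(segments)
    head, sep, _body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not complete yet
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.rstrip(".") or None
    return None


if __name__ == "__main__":
    print("naive, plain :", naive_host(SEGMENTS_PLAIN[0]))
    print("naive, split :", [naive_host(s) for s in SEGMENTS_SPLIT])
    print("robust, plain:", robust_host(SEGMENTS_PLAIN))
    print("robust, split:", robust_host(SEGMENTS_SPLIT))
```

The naive matcher sees "google.com" only in the unsplit, canonically spelled request and returns nothing for either half of the split one; the reassembling parser returns the same normalised hostname for both, which is exactly the gap the post describes between a hardcoded rule and what the specification permits.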

There is a myriad of ways to break the DPI algorithm aside from the ones I've mentioned. That's the optimal way to avoid state censorship. Naturally, it doesn't work for direct IP set blocks, but those cause collateral damage and aren't all that common (at least in 🇷🇺). Luckily, there's open-source software that already does it for you!
▪️ zapret 🐧
▪️ GoodbyeDPI 🪟
▪️ ByeDPI 📱

As time goes on, the states will eventually fix their DPI software to account for all the edge cases, so it's preferable to know how the bypass strategies work in order to cook up fresh combinations they haven't defeated yet. It may quite literally be considered hacking, so it's not guaranteed to work, but if it does — it's significantly faster than any VPN, so give it a whirl.

🔻 Simple VPNs. If the above does not work for you, your next best option is a VPN. VPNs aren't magic: they're virtual networks that, as a side effect, let you route your packets through a different gateway. The problem with a VPN is that it adds a whole bunch of hops, and the overhead that comes with them, for your packets to overcome. Almost 100% of the time it slows the connection down.

Personally, I have network-wide split tunnelling set up with the VPN interface used solely to bypass regional blocks. That's extremely advanced, and I suggest you start by simply setting up a client and a server. Speaking of which, which one should you use? Well. Forget the free VPNs. These sell your data, show you ads, install malware and do other unspeakable things to keep their service free. The best way out is to host a VPN server yourself. The client and server always go in conjunction.

The biggest problem with hosting a VPN server yourself is that it costs money to rent a server. However, you can find a cheap VPS ($3-5/mo range) with 100Mbit/s throughput practically anywhere right now. If you can't afford it, unfortunately, you have to resort to using a free VPN. I morally cannot recommend any free VPN, as you are the product, but a decent pick would be ProtonVPN.
The VPN servers only differ by their protocol. So, the suggestions off the top of my head are WireGuard, OpenVPN, Outline. You'll need to read a lot and understand the UNIX terminal basics. There's a single one-click automated option I know of right now — AmneziaVPN. It's completely free, open-source and based on WireGuard. It uses Docker to completely automate the process, which allows even your grandma to set it up quickly and painlessly. It also offers options for when the state goes hog wild and blocks connections per protocol. (It's a thing in 🇷🇺 / 🇨🇳)

🔻 Advanced VPNs. When the state goes rogue as described above, the protocols separate out into three categories:
▪️ Easily detectable: all common VPN tunnel protocols — WireGuard, OpenVPN, and so forth... They can be easily regulated by the state.
▪️ Detectable: commonly obfuscated versions of the common VPN tunnel protocols, e.g. AmneziaWG (WG + garbage packet spam during handshake initiation), OpenVPN over Cloak, Shadowsocks. They require much more scrutiny to be sifted out by the censorship systems.
▪️ Undetectable: while in reality not 100% safe, they're state of the art as of September 2024 and make it past the Great Firewall of China. Most of these protocols aren't documented in English. If you live outside 🇷🇺, 🇨🇳 or 🇮🇷, you likely won't need those for at least the next decade.

Let's go over them anyway. There's no nomenclature for them, but I'll try my best to sort them:
▪️ VMess
▪️ VLess
▪️ Naive
▪️ Trojan
▪️ Hysteria

The whole idea behind those «undetectable» protocols is to mask your VPN traffic as HTTPS (aka browsing a random web page). It is considerably slower than any of the VPN solutions shown before, but if there isn't any other option, that's what you're left with. Recent advancements include Xray + XTLS-REALITY, which is able to defeat active probing, a previously uncontested state censorship method.

The bottom of the barrel, where everything above fails:
▪️ KCP
▪️ Meiru
▪️ TUIC
▪️ Brook
▪️ Pingtunnel — masks your traffic under ICMP! (pretty promising)

Umm, yea. You probably won't ever need those. But keep in mind that there's no way to censor the Internet.

🔻 DNS. It's a very important subject, because a DNS (Domain Name System) server is what resolves domain names into IP addresses for you, and censorship can also be applied to it.

You can manually resolve domains using the nslookup utility, for instance:
C:\Windows\System32>nslookup google.com
Server: AX4200.lan
Address: fd21:4bd3:61a3::1

Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:4010:c0a::8b
2a00:1450:4010:c0a::66
2a00:1450:4010:c0a::65
2a00:1450:4010:c0a::8a
173.194.221.138
173.194.221.113
173.194.221.100
173.194.221.101
173.194.221.102
173.194.221.139


DNS is just like a hash table, a dictionary of the Internet:
x.com        104.244.42.129   A
google.com   108.177.14.139   A

Chances are you are using a DNS server provided by your ISP free of charge. Let's say the state asked the ISP to block shitter.com. The ISP might restrict access to that resource via DPI, but it also might resolve the domain name to localhost, or to an RFC 1918 private IPv4 range, 10.0.0.0/8 for instance.

In the best case scenario you can directly set custom DNS servers (1.1.1.1, 1.0.0.1 — Cloudflare; 8.8.8.8, 8.8.4.4 — Google) either network-wide or per device. Problem solved. However, this might not work! An ISP may very well hijack your DNS requests server-side and redirect them to their DNS server. Or, they could just block any outgoing UDP traffic on port 53 when their servers aren't listed as an endpoint.
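A practical way to notice the DNS-level manipulation described above is to sanity-check what a resolver hands back: a public domain should never resolve to loopback, RFC 1918 private space, the unspecified address or a link-local range, and an ISP resolver that disagrees entirely with an independent public resolver is a second warning sign. The following is an added example (my own Python, not the channel author's tooling) that applies those checks to constructed answer sets; the two real public addresses are the ones shown earlier in the post, the ".example" domains and their answers are made up to model a sinkholed response, and no lookups are performed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed resolver answers (sample data, not real lookups). The x.com and
# google.com addresses are the ones quoted in the post; the ".example" entries
# model what a censoring resolver returns for a blocked name.
ANSWERS: Dict[str, List[str]] = {
    "x.com": ["104.244.42.129"],
    "google.com": ["108.177.14.139", "2a00:1450:4010:c0a::8b"],
    "sinkholed.example": ["127.0.0.1"],           # resolved to localhost
    "rfc1918.example": ["10.0.0.1", "0.0.0.0"],   # private / unspecified
    "mixed.example": ["104.244.42.129", "192.168.1.1"],
}


def suspicious_answers(addresses: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (address, reasons) for every answer a public domain should never
    legitimately resolve to. Works for both IPv4 and IPv6 answers."""
    flagged = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        checks = (
            ("loopback", ip.is_loopback),       # 127.0.0.0/8, ::1
            ("private", ip.is_private),         # RFC 1918, fc00::/7, ...
            ("unspecified", ip.is_unspecified), # 0.0.0.0, ::
            ("link-local", ip.is_link_local),   # 169.254.0.0/16, fe80::/10
        )
        reasons = [name for name, hit in checks if hit]
        if reasons:
            flagged.append((text, reasons))
    return flagged


def classify(addresses: List[str]) -> str:
    """Collapse the per-address findings into one verdict for a domain."""
    if not addresses:
        return "no answer"  # NXDOMAIN, or the query was dropped on port 53
    flagged = suspicious_answers(addresses)
    if len(flagged) == len(addresses):
        return "likely sinkholed"
    if flagged:
        return "partially suspicious"
    return "plausible"


def resolvers_disagree(isp: List[str], public: List[str]) -> bool:
    """Second signal: if the ISP resolver and an independent public resolver
    return disjoint answer sets for the same name, one of them is being
    rewritten (or the query to the public one is being hijacked)."""
    return bool(isp) and bool(public) and not (set(isp) & set(public))


if __name__ == "__main__":
    for domain, addresses in ANSWERS.items():
        print(f"{domain:20} {classify(addresses):22} {suspicious_answers(addresses)}")
    print("isp vs public disagree:",
          resolvers_disagree(ANSWERS["sinkholed.example"], ANSWERS["x.com"]))
```

Feed the functions the answers from your ISP's resolver and from a resolver you chose yourself (for example the output of two nslookup runs): a "likely sinkholed" verdict, or disjoint answers from the two resolvers, is the signature of the redirection or hijacking the post describes, and is the cue to move to DNS over HTTPS or DNS over TLS.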

The solution to both of these digital rape cases is DNS over HTTPS or DNS over TLS. Now the idea is strikingly similar to that in the «undetectable» VPNs. The tools are also open-source and freely available, I'll list them here (OpenWRT packages as an example):
▪️ HTTPS-DNS-proxy
▪️ DNSCrypt-proxy
▪️ Stubby
Please ask your questions in the comments if you have any. Also just in case, I am not suicidal.
🇷🇺🤝🇧🇷
📎 An example schematic of the Active DPI implementation
💽 The Windows measurement system
🌐 Discord has been officially banned in Russia!

The changes took effect on my side ~5 minutes ago. Here is the block list, insert the following domains into your split tunneling setup in order to continue using the platform:
discord.com
gateway.discord.gg
cdn.discordapp.com
discordapp.net
googleapis.com
discord-attachments-uploads-prd.storage.googleapis.com
dis.gd
discord.co
discord.design
discord.dev
discord.gg
discord.gift
discord.gifts
discord.media
discord.new
discord.store
discord.tools
discordapp.com
discordmerch.com
discordpartygames.com
discord-activities.com
discordactivities.com
discordsays.com
discordstatus.com
Forwarded from ТАСС
❗️Discord has been blocked in Russia for violating legal requirements. This was reported to TASS by the agency's press service.
🚨 DPI bypass for Discord RTC found

This bypass in the form of a zapret config chunk will unblock the voice channels for you (🇷🇺) in no time! Confirmed working for me and a bunch of my friends.

QUIC_PORTS=50000-65535
MODE_QUIC=1
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake,tamper --dpi-desync-any-protocol"
📚 Archive.org has just been hacked

It's offline as of right now, but the message speaks for itself...
🤔 The YouAreAnIdiot incident

Let me preface this by saying yes, I have owned YouAreAnIdiot for many years now.
A couple of days ago some actual living, breathing human reported the infamous joke website for phishing. This is an attack on Internet history and can be sort of compared to the Internet Archive breach. We all get attacked this often for... preserving history, but this is kind of the first time it went through for both projects.

Due to the modern nature of any and all requests being processed by AI, this caused some insignificant downtime and automatically made the service display a false scare warning about phishing.

And obviously we're left with a rhetorical question of where any kind of phishing could occur on a page with a bunch of flashing shapes and not a single POST request...
🌍 Presumption of guilt

We're living in an Internet era where you get censored and banned by AI algorithms and are forced to prove your innocence in an appeal with a hopefully real human being. In the case of YouTube, appeals are reviewed by AI as well.

It's called the presumption of guilt. Digital tyranny.
🌐 Regarding TikTok

I had an account there for quite some time. Recently I finally found time to install an actually usable application to try to consume, understand and maybe publish some content. All the previous times have been rather sporadic and happened solely because someone reminded me I actually have a TikTok account.

Now I wonder, do you guys even watch TikTok? Would you even care to watch my content there? I'm quite intrigued to explore the «short» niche, as I myself have serious troubles being concise and condensing the content to be digestible even when talking in real life. So it looks like a worthwhile venture for my sake.

Now if you would like to see me upload on TikTok, please tell me what kind of content you generally watch on the platform that happens to coincide with technology and maybe, just maybe, with what I do.

Thank you!