[Russia] Mobile network website whitelist

Open its0ka opened this issue 3 months ago • 28 comments

There have been mobile network shutdowns in some regions or cities for some time now. A few days ago I noticed that website whitelists have appeared on such networks. It's not clear if these whitelists are enabled by the ISPs or by TSPU. I was testing on beeline and here is what I found:

Beeline udp DNS is working fine and not hijacked

Google udp 8.8.8.8 is also working and not hijacked (tested with akamai whois)

1.1.1.1, 9.9.9.9 and yandex dns aren't working (ICMP is also blocked)

Ping and curl work on at least these domains https://pastebin.com/raw/Tdv4CtUc (+ a lot of .gov.ru domains which I skipped checking)

But google.com or any other website doesn't ping and curl hangs on client hello (TCP syn is actually delivered remotely but not client hello)

Any SNI works on an IP from yandex.ru, but no SNI works when connecting to my own webserver on a vps

ICMP traceroute to 1.1.1.1 (or anything other than the whitelisted websites) is empty

[Image: Yandex.ru ICMP/tcp traceroute]

[Image: TCP traceroute to 1.1.1.1 (looks the same on any IP)]

Source: https://ntc.party/t/16325/182

its0ka avatar Sep 07 '25 19:09 its0ka
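
The inference in the opening post (any SNI completes against a yandex.ru address, no SNI completes against the poster's own VPS) can be made systematic by crossing destination IPs with SNI values and checking which of the two predicts the outcome. This is an added example, not part of the thread; the probe records are constructed, and the addresses and hostnames are documentation placeholders.

```python
from collections import defaultdict

# Constructed probe results (not measurements from the thread). Each record is
# one TLS attempt: was the SYN answered, and did the handshake complete?
PROBES = [
    {"ip": "198.51.100.10", "sni": "allowed.example", "syn_ack": True, "tls_done": True},
    {"ip": "198.51.100.10", "sni": "other.example",   "syn_ack": True, "tls_done": True},
    {"ip": "203.0.113.20",  "sni": "allowed.example", "syn_ack": True, "tls_done": False},
    {"ip": "203.0.113.20",  "sni": "other.example",   "syn_ack": True, "tls_done": False},
]

def is_determined_by(probes, key):
    """True if each value of `key` always gives the same outcome
    and the outcome differs between at least two values."""
    groups = defaultdict(set)
    for p in probes:
        groups[p[key]].add(p["tls_done"])
    consistent = all(len(seen) == 1 for seen in groups.values())
    varies = len({next(iter(seen)) for seen in groups.values()}) > 1
    return consistent and varies

def classify(probes):
    """Decide whether the filter keys on destination IP or on SNI."""
    by_ip = is_determined_by(probes, "ip")
    by_sni = is_determined_by(probes, "sni")
    if by_ip and not by_sni:
        return "ip-allowlist"
    if by_sni and not by_ip:
        return "sni-filter"
    if by_ip and by_sni:
        # Each IP was only tried with one SNI, so the two cannot be separated.
        return "ambiguous"
    return "inconclusive"

def drop_stage(probe):
    """Where a single attempt stalled: at the SYN, at the ClientHello, or nowhere."""
    if not probe["syn_ack"]:
        return "syn"
    if not probe["tls_done"]:
        return "client-hello"
    return "none"

if __name__ == "__main__":
    print(classify(PROBES), [drop_stage(p) for p in PROBES])
```

An "ambiguous" verdict means the probe set never tried the same SNI against two different addresses, which is the crossed comparison the opening post relies on.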

Is this IP-list or domain? If so, can it be bypassed via HTTP Injector-like apps to spoof SNI?

kzorin52 avatar Sep 19 '25 07:09 kzorin52

Have you found a circumvention method yet?

Vauxittt avatar Sep 23 '25 10:09 Vauxittt

I did some testing on this week

tele2 is my mobile operator, but more over the same panting with shit by government whitelists enabled on tspu for sure, cause the same hosts work and don't work on various mobile networks. if it was only by t2 for example, balance.beeline.ru wouldn't work on t2 network and vice versa

there was like 5-6 day gap that i would penetrate the firewall with my stunnel connection, using either barebone console client (my phone is rooted) or just http injector and masking to some whitelist site, but now it doesn't work

i don't know (i hope yet) how it worked and why it now ain't workin no more

Ximerixx avatar Sep 23 '25 21:09 Ximerixx

Is this IP-list or domain? If so, can it be bypassed via HTTP Injector-like apps to spoof SNI?

No, no matter what SNI you 'spoof', it won't connect to, say, your own server (even spoofing as yandex.ru, for example) because it's an IP whitelist. Regular provider dns works and resolves any domain (probably because it doesn't make a difference, since the IPs are whitelisted). There's no signal jamming, so it literally makes no sense in restricting the networks like that against drones...

someone2037492034 avatar Oct 05 '25 09:10 someone2037492034

No, no matter what SNI you 'spoof', it won't connect to, say, your own server (even spoofing as yandex.ru, for example) because it's an IP whitelist.

well, you're not wrong... i fixed the stunnel stuff and it worked for quite a while, now yes, ip-whitelist

There's no signal jamming, so it literally makes no sense in restricting the networks like that against drones...

There IS. Both the jamming and restrictions. nowadays they just put 4g SIM modem and run drones on telemetry.

i better will be worried about how our precious government want to do like in Iran or copy GFW for god's sake terrIble

Ximerixx avatar Oct 05 '25 14:10 Ximerixx

because it's an IP whitelist.

Actually, I tested it again and first of all, ping packets come through (to not-whitelisted IPs), and also if I chunk https traffic by 64 bytes per request, https clienthello requests sorta come through... So does that mean that it's a most-ips-are-throttled-to-death, but with a few 'whitelisted IPs' without any throttling? I suppose that the internet is unusable at that speed, I think that that's an interesting observation though.

There IS. Both the jamming and restrictions.

Well, there I actually meant that the mobile networks are not being jammed because you can connect to them, the connection to them is normal, the point being that the throttling stuff is happening on the mobile network side, not signal jamming from "jammers". (at least that's from what I know) But are other types of signals affected, too?

nowadays they just put 4g SIM modem and run drones on telemetry.

Do you mean that drones are indeed being run using that method and they use that method to transmit all signals, or did you mean something else? To be honest I don't think it's 100% that hard to bypass this mobile restriction thing for such people. (using various methods, not only using mobile networks, I mean...)

i better will be worried about how our precious government want to do like in Iran or copy GFW for god's sake terrIble

ye, ye, you don't even have to mention that...

someone2037492034 avatar Oct 06 '25 15:10 someone2037492034

not only using mobile networks

i guess so... cause there was a time that military found sim modems, and that's why it really probably started. I think nowadays it maybe just getting people to use only "allowed" resources and this is just a preposition. i just can't really put my mind around this, why fix stunnel, this shit was workin to get an unlimited internet by masking to a balance.beeline.ru for example, and now fix this after like... 7 yrs or so? i don't think this is a coincidence

ping packets come through.

well... maybe we can cook some solution? if packets drop not for every other ip than the whitelist, i think we can cook something

i thought about other thing, honestly i bet the whitelist is not the ip, but a range of them, cause like yandex or vk, those services use localized cdn. what if we can get our hands on a VPS that lives in moscow in a very similar ip range, and then proxy this connection out to exit node, using another (not that restrictive) network?

if you care enough we can chat over email or something, if you're interested in researching this forward

Ximerixx avatar Oct 06 '25 18:10 Ximerixx

it maybe just getting people to use only "allowed" resources and this is just a preposition

Definitely: "See? This [VK] platform always works, so use it!!!" They said they'd allow 'necessary for life' stuff, but they didn't ask me what's necessary for me, so I consider it to be fully directed at the people rather than a small minority that may 'abuse' these networks for the stated activities. Like why can't a drone have a super strong antenna and just connect to some пятёрочка wifi to stream at least 720/420p video, if even that's needed, wouldn't it be even easier for someone to mask a radio signal close to some not-jammed radio wave and just operate it directly? The possibilities are countless, + why just now? This wasn't happening for the past few years and everything was mostly fine, this is something new.

well... maybe we can cook some solution?

I have to say that I'm not some network-specialist or dev currently, I just tried to tinker around with the traffic using methods I know, however I can share a few more of my insights on that block, if that's interesting.

if packets drop not for every other ip than the whitelist, i think we can cook something

They seriously come through, like even some 400-500 byte packets. And don't you think that if there actually is some workaround, then it wouldn't get blocked? However, I guess it won't hurt to try. There are no dm's on github though...

someone2037492034 avatar Oct 07 '25 10:10 someone2037492034

yeah... about 5ka i actually hacked a couple of networks of those... passwords (for internal net) are severely randomized, but not the "TSD" ones

Like why can't a drone have a super strong antenna

there's actually a reason) If transmitting powers aren't about equal, connection will be very fragile. Cause the router indoors won't have enough power (or sensitivity) to adequately establish a proper connection. non-jammed radio is.. trickier. It can be used and it is. but the thing is - not actually a lot of "ranges" of radio signals can carry much data (if we go meter or decimeter waves) and if we go shorter (cm or maybe 1mm 5g or whatever) it won't carry over long distances very well. that's why sim. it just connects to tower nearby. Wellll that's all just guesses, honestly.

and a word about

They said they'd allow 'necessary for life' stuff

A lot of things that "normies" use are working, the rage wave won't get into masses anyway, bimbos buying shit from ozon or wb or whatever can now get their parcels or marry over gosuslugi.ru lol

No one cares about nerds like us, other than us, nerds

So... is this the end of internet? Will we use LAN from 90-s, hosting in someone's garage, like my plapser for schedule or whatever? I hope it will never go that far in the dark

if you can, write me at xmpp: [email protected] , use OMEMO and yes, that's fucking nuts using xmpp in 2025 lol

Ximerixx avatar Oct 07 '25 23:10 Ximerixx

or marry over gosuslugi.ru lol

So true, lol. Idk why, but your xmpp account thing with OMEMO doesn't work (the encryption part of it), it can't find your keys or something...

someone2037492034 avatar Oct 08 '25 16:10 someone2037492034

Reply in jabb.im I managed to get it working with pgp

Ximerixx avatar Oct 09 '25 23:10 Ximerixx

Reply in jabb.im I managed to get it working with pgp

Oook, I'll try again.

someone2037492034 avatar Oct 10 '25 14:10 someone2037492034

"See? This [VK] platform always works, so use it!!!" They said they'd allow 'necessary for life' stuff, but they didn't ask me what's necessary for me

Remember when they said "no one cares about geek nerds because they pose no threat? That they only gonna censor normies? That no one cares about your super secret 20kbps tunnel?"

anon87103946482 avatar Oct 13 '25 11:10 anon87103946482

@anon87103946482 please go post such things in other places

its0ka avatar Oct 13 '25 12:10 its0ka

@anon87103946482 please go post such things in other places

What FUCKING places when everything is blocked??? There are no "other places." Github one of the few that aren't blocked yet

anon87103946482 avatar Oct 13 '25 13:10 anon87103946482

@anon87103946482 please go post such things in other places

What FUCKING places when everything is blocked??? There are no "other places." Github one of the few that aren't blocked yet

Make new 2ch, lol

Ximerixx avatar Oct 13 '25 14:10 Ximerixx

@Ximerixx have you some bypass tricks for yota? Last night I came across this whitelist. I have no other internet in the house because Rostelecom is complete crap, and using it is disrespectful. I got the impression that enabling this list has practically nothing to do with drones, and the drones are just an excuse. I also find it really funny that they're disabling everything, but VK and OK can't be used for bad purposes. No one has ever done this, using social media for evil purposes.

smopro avatar Nov 02 '25 12:11 smopro

@Ximerixx have you some bypass tricks for yota?

I don't have yota sadly... Also, IMO rtk isn't AS bad as it was like 7 yrs or so, yes, they're restrictive, but they're THE primary provider, everything is connected to it. And I think cause of this, it's very not that bad to bypass.

Whitelist is a totally different story. I thiiink you'll get away with using stunnel (http injector has public servers) using the mask domain that uses CDN system, because otherwise... I'll explain better

The thing is, with gosuslugi.ru they have a total list of IPs of those servers and they're comparing both Host header and Dest header.

With vk, with rutube, that uses automated enrollment and DNS routing for CDN, I think they check only for Host, and have no way to surely filter out not their IPs.

But this is just a theory, albeit a very coherent one.

Ximerixx avatar Nov 02 '25 14:11 Ximerixx

I don't think ssh works on all 'whitelisted' mobile internet providers, it doesn't work on mine.

someone2037492034 avatar Nov 04 '25 13:11 someone2037492034

Here are three methods for bypassing a CIDR whitelist:

  1. Sometimes, changing the SNI to vk.com or another government service can help; however, this is an outdated method.
  2. You can use CDN services from Yandex, VK or EdgeCDN, which will cost about 1 rub per gigabyte of traffic. The listed services are included in the whitelist of almost all operators.
  3. You can use VPN over DNS, there are open-source solutions for this - iodine (without encryption) and dnstt (with encryption). Keep in mind that this method has a huge overhead, which is why the speed will be limited in the best conditions to 150-200 kbit/s.

Applone avatar Nov 08 '25 12:11 Applone

And 4. Sometimes you can just rent a VPS from one of the whitelisted services and since its IP is whitelisted, it would work at full speed. (no throttling)

someone2037492034 avatar Nov 08 '25 14:11 someone2037492034

And 4. Sometimes you can just rent a VPS from one of the whitelisted services and since its IP is whitelisted, it would work at full speed. (no throttling)

yeah, but it's pretty random, and you might get banned

Applone avatar Nov 08 '25 14:11 Applone

you might get banned

and as in case of CDN

smopro avatar Nov 08 '25 15:11 smopro

and as in case of CDN

the difference is that you won't pay few thousand rubles for an IP that isn't on the whitelist

Applone avatar Nov 08 '25 16:11 Applone

Is there anyone who can help set up a whitelist bypass on mobile operators? If so, please write to https://t.me/joodjoy. I will be indebted to you.

SautovAndrey avatar Nov 21 '25 21:11 SautovAndrey

Is there anyone who can help bypass the Russian whitelist on mobile networks?

Two ways I know to get away from the whitelist:

  1. A server with VLESS and REALITY, configured with an SNI (domain) from the whitelist (for example, api.ok.ru or 80.img.avito.st). Since an increasing number of mobile operators are now implementing CIDR-based blocking (meaning you can connect only to specific IP ranges), this method works about 50% of the time and not in all regions or with all operators. In other words, you can connect only to IPs that are on the whitelist, which brings us to the second method:
  2. The same kind of server, but hosted directly on a whitelisted IP address. Such IPs are quite difficult for ordinary users to obtain. From what I've heard, people used to repeatedly order new instances on VK Cloud, Yandex Cloud, EdgeCDN and CDNvideo (the CDN behind Ozon and RUTUBE), hoping to get a whitelisted IP by chance. This occasionally worked in the past, but now the chances are extremely low. Not all IPs from these hosting providers are whitelisted (otherwise, it would be far too easy), and people have already acquired most of the usable IPs from the whitelist. Renting such a setup typically costs either a little bit less than a ruble per gigabyte in the case of CDN, or 1000-5000 rubles per month, which is expensive for an IP that may simply not be in the whitelist and can also be unexpectedly banned. Most of the time the IP you get isn't in the whitelist, with both CDN and VPS. In this case, it's often easier to simply buy access from one of the many paid VPN bots available on Telegram that have been able to get such a server on a whitelisted IP (there are actually plenty and they're not rare, but I won't advertise any here and they can also get unexpectedly banned; they cost about 170-200 rub a month). Moreover, hosting providers themselves have started closing these loopholes. For instance, I've heard that CDNvideo has begun actively blocking such VPN traffic. It's also quite possible that in the future, these whitelisted IP ranges will be reduced as much as possible to prevent such VPNs from existing at all.

gohoski avatar Nov 22 '25 18:11 gohoski

Has anyone managed to launch VPN over DNS? I'm trying iodine, but the fragmentation stage isn't working :(

alexunderboots avatar Nov 22 '25 20:11 alexunderboots

Has anyone managed to launch VPN over DNS? I'm trying iodine, but the fragmentation stage isn't working :(

From experience, requests to foreign DNS addresses do not work. If you mask traffic as ping packets, the maximum allowed request will be around 66 bytes, so it can be a very painful process... But that's if your provider blocks IP addresses specifically.

someone2037492034 avatar Nov 22 '25 20:11 someone2037492034