2024-xue-tspu-russia

Tspu: Russia's decentralized censorship systemcore

Diwen Xue, Roya Ensafi · IMC · 2024

Abstract

We characterize Russia's decentralized censorship infrastructure ("TSPU") deployed across major ISPs after 2021. Findings: blocking is implemented inline at provider edges, with substantial heterogeneity across providers; the system uses both SNI/host filtering and active in-line manipulation; rollouts can be observed and timed.

Team notes

Definitive recent characterization of Russia's TSPU. If anyone on the team is reasoning about RU blocking, start here. Particularly important: TSPU is heterogeneous across ISPs, so test fixtures need per-ISP coverage, not a single "Russia" bucket. This shaped the bandit's per-ASN dimensioning decision.

Tags

censors: ru
techniques: sni-blocking dpi http3-quic-block
defenses: mimicry tunneling domain-fronting vless vmess
method: measurement-study

findings extracted from this paper

TSPU devices perform in-line packet manipulation — they can inject RST packets, drop traffic, and throttle connections — rather than routing traffic to an out-of-band sniffer that votes to block. The inline placement means TSPU can act on the first-packet payload and impose latency on all matching flows, not only on those selected by sampling. Blocking decisions are therefore applied with high recall at the ISP edge, and circumvention tools that rely on short observation windows (e.g. only obfuscating the first N bytes) are vulnerable to continued inline inspection of subsequent traffic.

§3–§4 detection dpirst-injectionthrottlingsni-blocking ru
Russia's TSPU ("Средства противодействия угрозам") system is deployed inline at individual ISP edges rather than at centralized internet exchange points, producing substantial per-ISP heterogeneity: some providers apply layer-7 SNI/Host filtering while others rely primarily on IP-prefix blocklists, and QUIC/HTTP3 is blocked at several major providers. Rollout timing and enforcement depth vary measurably across autonomous systems, meaning a single "Russia passes/fails" test fixture systematically underestimates blocking coverage.

§4–§5 deployment sni-blockingdpihttp3-quic-blockip-blocking ru