Snowflake domain front blocked in some ISPs in Iran; suggested workarounds

[wkrp]

The number of Snowflake users has decreased by about 20% since 2023-01-16, five days ago. The cause has been determined to be the blocking of the domain name cdn.sstatic.net, which is the default for one of Snowflake's rendezvous methods.

Snowflake currently supports two rendezvous methods: domain fronting and AMP cache. Accordingly, there are two ways to work around the blocking of the default front domain: change to a different front domain, or use the AMP cache rendezvous.

AMP cache rendezvous is easier to activate, so I suggest trying that first.

AMP cache rendezvous

On Orbot and Onion Browser, you just have to select a menu option. On Tor Browser (desktop and Android), you have to enter a custom bridge line. More information about changing bridges (فارسی).

Orbot for Android

1. From the home screen, tap the Use Bridges toggle.
2. Select the option Connect through other Tor users using Snowflake (Method 2 - AMP).
3. Go back to the home screen and tap Start.

Orbot for iOS

1. Tap the ⚙️ icon (top right).
2. From the dropdown, select Bridge Configuration, then Built-in snowflake (AMP). Then tap Save.
3. Go back to the home screen and tap Start.

Onion Browser for iOS

1. Tap the onion icon.
2. From the dropdown, select Bridge Configuration, then Built-in snowflake (AMP).
3. Tap Connect.

Tor Browser for Android

1. Tap the ⚙️ icon.
2. Tap Config Bridge. Toggle Use a Bridge to "on", then tap Provide a Bridge I know.
3. Copy and paste this entire bridge address:
   snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net/ ampcache=https://cdn.ampproject.org/ front=www.google.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
4. Go back to the home screen and tap Connect.

You can experiment with different Google-related domain names for front=www.google.com. For example, front=cdn.ampproject.org.

Tor Browser for desktop

1. Click ≡ (hamburger menu) in the toolbar and then click Settings.
2. Click Connection in the sidebar, find the Bridges section, then click the Add a Bridge Manually... button.
3. Copy and paste this entire bridge address:
   snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net/ ampcache=https://cdn.ampproject.org/ front=www.google.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
4. It will start to connect automatically. Browse to a web page. Click the View Logs... button under Advanced to troubleshoot the connection if needed.

You can experiment with different Google-related domain names for front=www.google.com. For example, front=cdn.ampproject.org.

Change the domain front

You can edit an existing bridge line that has url=https://snowflake-broker.torproject.net.global.prod.fastly.net/, and change front=cdn.sstatic.net to something else. Here is a list of possible alternatives:

front=fastly.jsdelivr.net
front=foursquare.com
front=www.shazam.com
front=www.jimdo.com
front=www.rvu.co.uk
front=js.sentry-cdn.com
front=www.drupal.org
front=www.1stdibs.com
front=www.filestack.com

For example, a complete bridge line would be
snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=fastly.jsdelivr.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn

More information about changing bridges (فارسی).

Evidence of blocking

This graph shows the top 6 countries by Snowflake users. You can see a decrease in IR and US since 2023-01-16. We suspect many of the users that are being attributed to US are actually from IR, because of geolocation errors.

From OONI MAT charts, we see an increase in anomalies when attempting to use Snowflake, since 2023-01-16:

https://explorer.ooni.org/chart/mat?probe_cc=IR&test_name=torsf&since=2023-01-06&until=2023-01-22&axis_x=measurement_start_day

Checking the Web Connectivity results for cdn.sstatic.net, we see anomalies starting 2023-01-16. Examination of the specific measurements shows a timeout after TLS Client Hello in certain ISPs.

https://explorer.ooni.org/chart/mat?probe_cc=IR&test_name=web_connectivity&domain=cdn.sstatic.net&since=2023-01-06&until=2023-01-22&axis_x=measurement_start_day

[mehdifirefox]

The moon has no problem with the settings.

Please make it easier to settings.
All things are done automatically for ordinary people

[free-the-internet]

@n8fr8 @wkrp
I think in this situation, it's best to have the option to select the country or you can use GPS/IP range to determine the location automatically. Then apply the settings based on the country.
I'm afraid the ordinary user have any motivation or enough knowledge to change the settings.
BTW, thanks for information.

[wkrp]

@free-the-internet you are correct, of course. It is a matter of ongoing development to reduce the difficulty of finding working settings. In fact, Tor Browser has a feature to automatically suggest custom circumvention settings for certain countries; it is called Connection Assist and it was added in Tor Browser 11.5. The problem, in this case, is that Connection Assist uses the same front domain as Snowflake, so if the domain is already blocked, Connection Assist will not be able to download the new settings.

[mehdifirefox]

@free-the-internetشما درست می گویید البته برای کاهش دشواری یافتن تنظیمات کاری، موضوع توسعه مداوم است. در واقع، مرورگر Tor دارای قابلیتی است که به طور خودکار تنظیمات دور زدن سفارشی را برای برخی کشورها پیشنهاد می کند. به آن Connection Assist می گویند و در مرورگر Tor 11.5 اضافه شده است. مشکل، در این مورد، این است که Connection Assist از همان دامنه جلویی Snowflake استفاده می‌کند ، بنابراین اگر دامنه از قبل مسدود شده باشد، Connection Assist نمی‌تواند تنظیمات جدید را دانلود کند.

Everything Tor is blocked and cannot automatically detect anything
Why don't you use Google or Amazon servers

I think you should have 2 Tor versions
A regular version
A copy for countries with limited internet and specific settings
Get help from the psiphon team also has a lot of experience

The Iranian people's protests were over
This time Tor did not help
As always V2RAY good answered

[free-the-internet]

@free-the-internetشما درست می گویید البته برای کاهش دشواری یافتن تنظیمات کاری، موضوع توسعه مداوم است. در واقع، مرورگر Tor دارای قابلیتی است که به طور خودکار تنظیمات دور زدن سفارشی را برای برخی کشورها پیشنهاد می کند. به آن Connection Assist می گویند و در مرورگر Tor 11.5 اضافه شده است. مشکل، در این مورد، این است که Connection Assist از همان دامنه جلویی Snowflake استفاده می‌کند ، بنابراین اگر دامنه از قبل مسدود شده باشد، Connection Assist نمی‌تواند تنظیمات جدید را دانلود کند.

Everything Tor is blocked and cannot automatically detect anything Why don't you use Google or Amazon servers

I think you should have 2 Tor versions A regular version A copy for countries with limited internet and specific settings Get help from the psiphon team also has a lot of experience

The Iranian people's protests were over This time Tor did not help As always V2RAY good answered

Well, we can not compare Tor which is a public tool that helps millions with v2ray and derivatives that are private.

@wkrp I think connection assist can be disabled and by showing the user to select the country, you can set the broker to the working one. After one is blocked, since the new version releases are fast enough, users can get the update with the new urls set for broker.
Also, maybe there is the possibility to test the different brokers connectivity before starting the connection, and switch to the next if first and predefined one is blocked. (Call it auto mode?)

[wkrp]

I think connection assist can be disabled and by showing the user to select the country, you can set the broker to the working one. After one is blocked, since the new version releases are fast enough, users can get the update with the new urls set for broker.
Also, maybe there is the possibility to test the different brokers connectivity before starting the connection, and switch to the next if first and predefined one is blocked. (Call it auto mode?)

There is a discussion happening about this idea, see https://bugs.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/40250.

[wkrp]

It looks like the blocking of cdn.sstatic.net ended on 2023-01-24.

https://explorer.ooni.org/chart/mat?probe_cc=IR&test_name=torsf&since=2023-01-06&until=2023-01-29&axis_x=measurement_start_day

https://explorer.ooni.org/chart/mat?probe_cc=IR&test_name=web_connectivity&domain=cdn.sstatic.net&since=2023-01-06&until=2023-01-29&axis_x=measurement_start_day

[wkrp]

Looks like cdn.sstatic.net was again partially blocked between 2023-01-31 and 2023-02-02.

https://explorer.ooni.org/chart/mat?probe_cc=IR&test_name=web_connectivity&domain=cdn.sstatic.net&since=2023-01-08&until=2023-02-08&axis_x=measurement_start_day

[wkrp]

There have been a few other instances of scattered anomalies lasting no more than a day in certain networks, through March 2023.

https://bugs.torproject.org/tpo/anti-censorship/team/115#note_2892825

https://explorer.ooni.org/chart/mat?probe_cc=IR&since=2023-02-24&until=2023-04-04&time_grain=day&axis_x=measurement_start_day&test_name=web_connectivity&domain=cdn.sstatic.net

begin date	end date	measurement	AS	summary
2023-03-03	2023-03-03	Confirmed	AS50810	DNS 10.10.34.35
2023-03-08	2023-03-08	Confirmed	AS58224	DNS 10.10.34.35
2023-03-13	2023-03-13	Anomaly	AS50810	DNS 198.18.0.147
2023-03-19	2023-03-19	Anomaly Anomaly	AS44244	TCP RST

I want to call out specifically the 2023-03-13 12:32:37 measurement in AS 50810.
It is anomalous because the DNS response contains the wrong IP address.
It's an IP address I haven't seen used for blocking before, 198.18.0.147.

The 198.18.0.0/15 address range is reserved for benchmarking by RFC 2544. The whois record says:

Addresses starting with "198.18." or "198.19." are set aside for use in isolated laboratory networks used for benchmarking and performance testing. They should never appear on the Internet and if you see Internet traffic using these addresses, they are being used without permission.

All other recent measurements of cdn.sstatic.net from AS 50810 look normal.

Has anyone seen 198.18.0.0/15 IP addresses being used in DNS injection before?