- Network
- A
Why is Russia Following the Path of North Korea? Whitelists, How They Work, and Solutions
Many are accustomed to thinking that internet censorship is when Roskomnadzor adds another IP to the ban list. We have been playing a game of cat and mouse for years: they block, we raise proxies. But what if the rules of the game change fundamentally?
The paradigm of network censorship in Russia is transforming. For the last ten years, we lived under the logic of "blacklists," fighting against the blocking of specific IPs and domains, but today, the developed architecture of the TSPU allows us to talk about the technical possibility of transitioning to a whitelist model.
This is not about an instantaneous switch-off of a switch, but about a gradual implementation of a concept where priority is given only to trusted traffic.
This is a world where everything that is not explicitly permitted is forbidden. A popular example of such a world is North Korea...
Isolation in North Korea
Where is Russia heading?
What countermeasures are available now?
Working options
Origins: Why did they choose isolation?
North Korea has not always been a digital GULAG. In the early 2000s, there even began to develop a regular 2G business (the Sunnet network). But in 2004, there was an explosion at the Ryongchon railway station. According to one version, the detonation was triggered by a mobile phone (an assassination attempt on Kim Jong Il). The result: mobile communication in the country was completely banned for several years.
Kwanymyon: The internet that is not the internet
Instead of a global network, North Korea created "Kwanmyon." Technically, this is a giant national-scale intranet network (LAN).
DNS vacuum: There are no external DNS records in Kwanmyon. You cannot type in google.com not because it is blocked, but because it does not exist in nature for this network.
IP numbering: The network is built on internal addresses (like 10.x.x.x), which are physically not routed to the world.
Attempts to create a "national domain name system" in Russia and the law on "sovereign RuNet" are the first steps toward creating a similarly isolated space, where external nodes will be cut off at the level of backbone protocols.
Wi-Fi via SIM card: Mirae
One of the most recent cases from North Korea is the Wi-Fi network "Mirae". To connect to it in Pyongyang, simply knowing the password is not enough. You need a SIM card. The system authorizes the device in the Wi-Fi network only through a mobile ID
This is the perfect system of total surveillance: the state knows who, where, and from which device has accessed the network. In Russia, we already have mandatory identification in public Wi-Fi by phone number, but North Korea has gone further, integrating Wi-Fi and the cellular network into a single controlled circuit
The death of anonymity through eSIM and biometrics:
In North Korea, you cannot just buy a SIM card from a kiosk — it is a strictly controlled device. In Russia, the market for gray SIM cards is currently being actively "cleared" and mandatory biometrics for foreigners (and eventually for citizens) is being introduced, in order to link eSIMs to State Services
Technical similarity with Mirae:
If in North Korea, Wi-Fi Mirae requires a physical SIM card for authorization, then in Russia, eSIM is becoming the very "embedded" chip in the phone that informs the TSPU system: "This is not just some anonymous traffic, this is the traffic of a specific person"
Why is this needed?
Without linking to a person's identity, white lists work poorly. If the system knows who is online, it can provide different levels of access: a "teacher" can access Wikipedia, a "civil servant" can access closed databases, and a "regular user" can access only State Services and VK. This is the dynamic white list
Red Star OS: Files that "snitch"
The national OS of North Korea (Red Star OS) is Linux, into which a supervisor is embedded
The main feature is automatic watermarking
The system marks every file (image or document) opened on the computer with a hidden serial number of the device. This allows the North Korean intelligence services to trace the path of prohibited content from the first person who downloaded the file to the last viewer
Part 2. Russian TSPU: Dynamic white list in action
If in North Korea the network was originally built as a closed garden, then in Russia they are trying to corral it while on the move. TSPU are no longer limited to blocking domains. They have moved on to carpet bombing infrastructure
Blocking Data Centers and Hosting
As users of Hetzner, OVH, DigitalOcean, and Oracle note, the TSPU has started to cut off access to entire subnets of foreign VPS providers
Subnets of Oracle Cloud (129.151.192.0 - 129.151.223.0, 130.61.0.0/16, etc.) are blocked using the SYN protocol. Packets simply vanish into thin air without receiving a response
This is the mechanics of the whitelist: if your IP is not on the list of "approved Russian clouds," your connectivity to the outside world approaches zero
Death of CDNs and Gaming Collapse
Blockages of Cloudflare, CDN77, and Fastly cause the internet to break even in places where it hasn't been touched. Users of CS2 and Faceit complain about wild ping and packet loss. Why? Because gaming servers often share the same CDNs as the disfavored resources. The TSPU doesn't sort it out; it simply shuts down parts of the highways
Protocol Discrimination
The TSPU has learned to recognize Shadowsocks, WireGuard, and OpenVPN. Blocking occurs based on signatures. If DPI detects the characteristic handwriting of a VPN protocol, the connection is dropped within a few seconds
Part 3. What countermeasures are available now?
TCP Desynchronization (Zapret and ByeDPI)
Instead of using a third-party server, utilities like zapret and ByeDPI modify packets directly on your device.
How it works: The utility fragments packets, changes their order, or inserts junk data (TCP fragmentation, TTL trickery)
Result: The TSPU goes crazy. It cannot reassemble the packet to read the SNI and lets it pass by to be on the safe side
2. VLESS + Reality: Masking as Legitimate
This is a method of disguising VPN traffic as regular HTTPS traffic to allowed sites (for example, Microsoft or Apple). The traffic control system sees a perfect TLS handshake leading to a white address and does not block it.
An important nuance: under the conditions of the whitelist Reality, it is necessary to configure using SNI from the allowed list (vk.com, mail.ru, ya.ru). If your packet pretends to be a request to VK, the traffic control system will likely let it pass even during the strictest curfew, but recently there have been complaints about these SNI as well, and many users experiment and set something not very popular.
We won't talk long about this, as it is a separate topic that already has articles on tekkix and elsewhere.
3. Tor and "Snowflakes"
Tor is discussed in the use of obfs4 bridges and the technology Snowflake. Even when the traffic control system blocks entries into the Tor network, bridges allow it to seep through non-standard ports. However, the RKN is actively hunting for bridge IP addresses, so users have to use B-Checker for automatic selection of a working configuration.
Part 4: Ready Solutions
What is currently being discussed in general about ready solutions and methods.
1. hynet.space
This service is currently most often mentioned in communities as the most universal solution; there is also the development of its own protocol VLESS3 Hynet.
Unlike classic VPNs, this one focuses on a huge pool of protocols (VLESS, Shadowsocks-2022, Trojan, xHTTP, VLESS3 Hynet).
It is noted for its stability on heavy providers in regions where whitelists are already being tested extensively; in some cases it may not work, as this varies individually. Essentially, it is an aggregator that takes care of all the hassle of finding working configs, allowing you to switch between them in seconds if your ISP stumbles on one of the directions.
2. Amnezia VPN
A popular open-source solution for those who want full control.
Amnezia is quite a heavy and closed system. It doesn't work well with other services on the same VPS and often throws errors when trying to configure something more complex than the standard config.
It's great if you have a clean server, but if your VPS IP gets banned (and Oracle and Hetzner subnets are currently getting cut off in batches), moving will turn into your personal headache.
3. VoxiProxy
If your goal is Faceit or CS2 without packet loss or gaming on a smartphone.
Optimized for mobile traffic. Discussions mention that they often use combinations with Russian cloud providers as entry gateways.
4. Cloudflare WARP and Mullvad
Due to its honest policy and lack of disguising as HTTPS, it has become an easy target. It currently works extremely unstably in Russia.
WARP is discussed in endless attempts to find working endpoints. Yes, through B-Checker or custom WireGuard configs it can still be set up, but for the average worker, it turns into a survival quest.
5. DuckVPN
Their struggle with MTU/MSS clamping is often discussed on forums. On MTS and MegaFon networks, ISPs frequently drop packets if their size seems suspicious. Duck's developers are trying to dynamically change the TCP segment size to slip through filters, though under strict whitelisting conditions, this works but not for everyone.
At the moment, there is no single solution for all regions and providers, because the TSPU and the level of filtering differ
Therefore, something works for one person, while for another, the same thing does not work, so to speak, it's like dancing with a tambourine, I tested it personally (
On one side are the TSPUs, which are trying to turn the global network into a tight "intranet" following the example of North Korea. On the other side are freedom enthusiasts who find loopholes in the very architecture of TCP/IP
The path of whitelists is a path to degradation, problems with clouds, and constant crutches in the infrastructure. But the experiences of Iran and North Korea show: it is impossible to completely cement information flows while people have tools for desynchronization and masking in their hands
Write comment