Academics: Russia deployed new technology to throttle Twitter's traffic

The Russian government appears to be using new technology to censor internet traffic inside its borders, a group of academics studying internet censorship across the globe said in a report published today.

The new system is built on TSPUs (ТСПУ, технические средства противодействия угрозам, "technical solution for threat countermeasures"), a new type of networking device built by Russian company RDP.

These devices were deployed for the first time last month when Russia's internet watchdog, the Roskomnadzor (Russian Authority on Information Control), throttled Twitter's traffic speed after the social network refused to remove several tweets about anti-Putin/pro-Navalny protests.

Since March 10, Twitter mobile data transfers have been throttled by 100%, while desktop traffic was cut to 50%, according to the agency.

First instance of a country using traffic throttling as censorship

Censored Planet, an internet censorship observatory at the University of Michigan, said today that this is the first known instance of a government anywhere in the world censoring internet content by throttling a company's traffic rather than blocking access to its service.

The Censored Planet team claims this was possible because of Russia's new TSPU system that replaced the Roskomnadzor's previous SORM (Система оперативно-разыскных мероприятий, "System for Operative Investigative Activities") censorship solution.

SORM, which consisted of special networking devices installed in ISP data centers, allowed the Roskomnadzor to issue rulings (backed by legal orders) to add certain web domains to a national blocklist. Once a legal order and Roskomnadzor decision were out, Russian ISPs would add blacklisted domains to the SORM's firewall rules, and the device would block traffic going to those services.

But over the years, Russian users discovered that by using proxies or VPN services, they could bypass any SORM block and access the sites they wanted. Furthermore, companies like Telegram also pioneered technical solutions like domain-fronting to make their domains available in countries like Russia, where national firewall-like systems were in place.

The new TSPU solution is different in many ways, Censored Planet analysts said today. First, TSPU devices are not under the ISPs' control but appear to be managed by the Roskomnadzor itself.

Second, the devices sit two network steps closer to consumers compared to the previous SORM solution.

Third, these devices don't work like classic firewalls but more like network filters, performing deep packet inspection (DPI) on raw internet traffic.

A DPI-based solution allows Russian authorities to look inside network packets for the traffic's real destination, even if the connection is encrypted with TLS, as in HTTPS.

According to Censored Planet, TSPUs work by inspecting the SNI extension of the TLS "client hello" record, which allows the Roskomnadzor to determine to what domain a user is connecting before the connection gets encrypted.

Throttling to remain in place until May 15, 2021

Citing a recent media interview where a member of the Russian Parliament admitted that the Twitter incident was the first time authorities deployed their new internet traffic blocking system, the research team said this also explains why Russia's first use of its TSPU-based system failed after a broad filtering rule ended up blocking other legitimate domains, and not just Twitter traffic.

The Censored Planet team says that based on their third-party observations, Russia appears to have fixed its initial mistake and is currently still throttling Twitter domains like **, and

"Throttling throughput converges to a value between 100kbps and 150kbps," the researchers said.

In a press release this week, the Roskomnadzor said they plan to keep the Twitter traffic throttling decision in place until May 15, 2021, after Twitter did not cave in to pressure to remove all the tweets reported by Russian authorities.

Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.