Bypassing Censorship of Indian ISPs
In the modern world, with encryption all around, I was fascinated by how some ISPs are able to censor content on the web. Whether censoring is good or bad could be a debate for another day. Today, I will share the technical details around censorship and a technique used by ISPs called Deep Packet Inspection (DPI).
It all started when I could not reach raw.githubusercontent.com through my ISP. Being an engineer, I was curious to understand how they are able to censor content and how to potentially bypass it (raw.githubusercontent.com hosts the GitHub scripts I was using for home lab automation).
With the help of Wireshark and hacker forums I was able to test and verify the technique used by my ISP. Globally, different ISPs and governments use different and potentially more complex techniques, but I found that most Indian ISPs do the following two things to block content:
- Blocking DNS queries
- SNI based packet inspection to reset TCP connection
Blocking DNS queries: Fortunately, you can bypass this by changing your DNS provider and/or using DNS over TLS (DoT) or DNS over HTTPS (DoH).
SNI filtering: During the TLS handshake, an extension field called Server Name Indication (SNI) carries the hostname in cleartext. The server uses it to identify which domain you want to connect to so that it can present the correct certificate. ISPs inspect this field and reset the TCP connection if the hostname matches one of the domains on their blocklist.
ESNI (Encrypted SNI) and ECH (Encrypted Client Hello) were introduced to prevent this, but they are not widely adopted yet. One way to mitigate this with Indian ISPs is to segment the Client Hello: the ISPs' inspection does not reassemble TCP segments before looking for the SNI, whereas the server's good old TCP stack reassembles them before the TLS layer ever sees the Client Hello.
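To make the inspection side concrete, here is an added example (my own illustration, not code from the post or from any ISP's DPI product) that builds a minimal, constructed TLS ClientHello with an SNI extension and parses the hostname out of it the way a stateless inspector would. Splitting the same bytes into two TCP-sized pieces shows why per-packet inspection sees no hostname at all, while anything that reassembles the stream first still does; the message layout follows RFC 5246/6066, and the cipher suite and zeroed random are placeholders.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying one SNI extension."""
    name = host.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data       # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32                # client_version + placeholder random
            + b"\x00"                                 # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one placeholder cipher suite
            + b"\x01\x00"                             # compression methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(buf: bytes):
    """Return the SNI hostname if buf starts a complete-enough ClientHello, else None.
    Any truncation before the hostname is fully present yields None."""
    try:
        if buf[0] != 0x16 or buf[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
        pos += 1 + buf[pos]                           # session id
        (cs_len,) = struct.unpack_from("!H", buf, pos); pos += 2 + cs_len
        pos += 1 + buf[pos]                           # compression methods
        (ext_total,) = struct.unpack_from("!H", buf, pos); pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", buf, pos); pos += 4
            if ext_type == 0x0000:
                (name_len,) = struct.unpack_from("!H", buf, pos + 3)  # skip list len + name type
                name = buf[pos + 5:pos + 5 + name_len]
                return name.decode() if len(name) == name_len else None
            pos += ext_len
        return None
    except (IndexError, struct.error):
        return None

def inspect(segments):
    """Compare a stateless per-segment inspector with one that reassembles the stream."""
    per_segment = [extract_sni(s) for s in segments]
    reassembled = extract_sni(b"".join(segments))
    return per_segment, reassembled

if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print(inspect([hello]))                   # whole record in one segment: hostname visible
    print(inspect([hello[:20], hello[20:]]))  # split record: per-segment sees nothing
```

A DPI box that only keys on the first segment therefore cannot match its blocklist, which is exactly the gap the segmentation trick relies on; a detection pipeline that wants to see the hostname must reassemble the TCP stream before parsing.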
With these two things sorted out, I set out to create a proxy that uses encrypted DNS and Client Hello segmentation, and below is a video demonstrating the proxy at work.
Unlike most of my projects, this one isn't open sourced, because I support censoring immorality and because my ISP has finally unblocked the above-mentioned domain anyway.