[tor-talk] Vodafone DE throttles connections to the Tor network

aka akademiker1 at googlemail.com
Sat Aug 1 14:02:02 UTC 2015

Doesn't Vodafone use NAT for customers? If you use mobile internet you
get a 10.x.x.x IPv4 behind NAT and a regular IPv6 with your MAC embedded
in it.
Also, don't overestimate ISPs network design, a few years ago you could
get free unlimited mobile internet via VPN because they only redirected
TCP traffic to their payment page and let UDP pass. A vendorless MAC in
their NAT could very likely trigger a DPI exception and disable traffic

Dan Snow:
> some_guy123 at Safe-mail.net:
>>> Working were and are only connections without the Tor network, with unpublished bridges, and with Tails (changing the MAC address)
>> That doesn't make sense. Vodafone doesn't see your Tails MAC at all. I think it's unlikely that Vodafone is throttling on purpose.
>> Most likely, there is some broken/misconfigured router or IDS in the path to the directory servers/bridges you used. You should try to manually pick a few different entry guards with different routing (check with traceroute).
>> Assuming you have a network consensus (e.g. from connecting with working bridges; there should be 'Browser/TorBrowser/Data/Tor/cached-microdescs' and 'cached-microdesc-consensus' files), add the following to your 'Browser/TorBrowser/Data/Tor/torrc':
>> ----------------------------
>> UseEntryGuards 1
>> NumEntryGuards 1
>> UseEntryGuardsAsDirGuards 1
>> NumDirectoryGuards 1
>> EntryNodes 47B8A2122B924B0E54B3BDEE48DFB86E054BEB36
>> -----------------------------
>> Remove any bridge-related entries from the config.
>> Some fast entry guards in Germany that should have different routing:
>> darkit ( 47B8A2122B924B0E54B3BDEE48DFB86E054BEB36
>> chaoscomputerclub5 ( 0E22366D0EB12CA0CDD3693452F43BA0A1D9D515
>> becks ( E9C8154418544764619D2CCD0596B355D7DFF236
>> With this configuration, you only need to connect to the the guard node and don't need to connect to the directory servers (where something seems to be hanging).
> Thank you for these advises. But, I think to concentrate on one entry guard only could lessen the anonymity. Although the entry guards are not changed very often (after 30–60 days) in the standard configuration, there seems to be a little random selection [1]. I will have a look at this. 
> As we all know, the IP address is no reliable identifier, but the MAC address identifies the device and probably its user. Otherwise it would be needless to disguise the MAC address in Tails. As far as I know the MAC address can be coded in the IP within the ipv6 protocol. So, this makes sense. 
> As terrorists and torrorists are per se under suspicion, like criminals and readers of some Linux Journal [1a], they should be hindered to communicate in anonymity. Secret services and police agents around the world see anonymity and encryption as a menace of their work. And ISPs, especially the big players and former telcos of the state, are executing their needs [2]. 
> To me it doesn't seem deviously that ISPs are trying to block or impede the use of the Tor network ("Tor stinks" [2a]). Vodafone is advertising "Secure Net" which uses DPI (Deep Packet Inspection) for filtering - to make the net more secure [3].
> I am very content with the performance of the Tor network using three different unpublished bridges. 
> [1] T. Elahi et al., Changing of the Guards: A Framework for Understanding and Improving Entry Guard Selection in Tor, WPES’12, October 15, 2012. [http://freehaven.net/~arma/cogs-wpes.pdf]
> [1a] http://daserste.ndr.de/panorama/aktuell/NSA-targets-the-privacy-conscious,nsa230.html
> [1a] http://daserste.ndr.de/panorama/xkeyscorerules100.txt
> [1a] http://www.linuxjournal.com/content/nsa-linux-journal-extremist-forum-and-its-readers-get-flagged-extra-surveillance
> [2] http://www.theguardian.com/business/2013/aug/02/telecoms-bt-vodafone-cables-gchq
> [2] http://www.heise.de/newsticker/meldung/Snowden-Dokumente-Britische-Geheimdienste-koennten-ueber-Vodafone-deutsche-Kunden-abhoeren-2461441.html [2014]
> [2] http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html
> [2] https://firstlook.org/theintercept/2014/11/20/vodafone-surveillance-gchq-snowden/ [2014]
> [2] https://blog.torproject.org/blog/tale-new-censors-vodafone-uk-t-mobile-uk-o2-uk-and-t-mobile-usa [2012-01-17]
> [2a] http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
> [2a] https://edwardsnowden.com/wp-content/uploads/2013/10/tor-stinks-presentation.pdf
> [2a] http://www.heise.de/newsticker/meldung/Neues-von-der-NSA-Tor-stinkt-1972983.html
> [3] https://netzpolitik.org/2014/waschmaschine-im-netz-wie-telekom-und-vodafone-deep-packet-inspection-als-feature-verkaufen/
> [3] http://securenet.vodafone.com/index.html
> [3] https://twitter.com/usefulthink/status/590817159351242752
> [3] http://www.webscalenetworking.com/topics/webscalenetworking/articles/404274-vodafone-germany-offers-new-secure-net-service.htm [2015-06-01]: "Allot Service Gateways, which are high-performance DPI-based platforms that enable deployment of new digital services in fixed, mobile and cloud networks" 
> [3] http://www.allot.com/press-release/vodafone-germany-makes-web-surfing-secure-with-allot-websafe-personal/ [2015-05-26]
> [3] http://www.iptegrity.com/index.php/net-neutrality/600-how-vodafone-censors-your-internet [2011-01-06]
> [3] http://www.rawstory.com/2011/01/vodafone-confirms-role-egypts-cellular-internet-blackout/ [2011-01-28]
> [3] http://broabandtrafficmanagement.blogspot.com/2010/11/dpi-deployment-41-vodafone-uses-dpi-and.html [2010-11-18]
> C. Fuchs, Implications of Deep Packet Inspection (DPI) Internet Surveillance for Society, The Privacy & Security - Research Paper Series 1, 2012 (2013) [http://www.projectpact.eu/privacy-security-research-paper-series/%231_Privacy_and_Security_Research_Paper_Series.pdf]

More information about the tor-talk mailing list