Procera-Sandvine blocks eltuz.com in Uzbekistan


February 14, 2020

Eltuz is a satirical web-magazine in Uzbekistan, featuring articles, cartoons, polemics and jokes. According to the website, it serves as a platform for liberal democratic values and freedom of speech and expression.

Eltuz is blocked inside Uzbekistan, and we have therefore analyzed how the blocking is taking place.

When connecting to eltuz.com on both port 80 (HTTP) and port 443 (HTTPS), we could see that the connections were terminated (FIN,ACK) by a deep packet inspection (DPI) device. Further analysis of traffic signatures indicates that the DPI device is from Procera-Sandvine, a Canadian company that both Qurium and CitizenLab have previously reported as providing Internet blocking capabilities in countries like Azerbaijan, Turkey and Egypt.

Signature 1 – TTL values are different

Packets coming from the original website arrive with TTL value 48, while packets coming from the deep packet inspection device arrive with TTL value 58.

TTL 48: 95.154.196.75.80 > 192.168.1.103.61639: Flags [S.]
TTL 58: 95.154.196.75.80 > 192.168.1.103.61638: Flags [F.]

Signature 2 – FIN-ACK contains payload

The FIN-ACK packets sent by the DPI device contain the payload “Object not found”.

4f:62:6a:65:63:74:20:6e:6f:74:20:66:6f:75:6e:64:0d:0a:0d:0a

Signature 3 – ID of IP packet is 13330

The ID field of the packets sent by the DPI device is 0x3412 (13330). This value is common in Procera-Sandvine devices.

The signatures recorded in this study strongly indicate the presence of a Procera-Sandvine DPI device inside Uztelecom's core infrastructure (AS8193).
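
The three signatures above can be checked mechanically against captured packets. The following Python is an added example, not code from the original report: it parses raw IPv4/TCP packets and reports which signatures each FIN-ACK matches. The function names and the sample packets are constructed for illustration (checksums left at zero, second IP ID invented); only the TTL values, the payload and the IP ID 0x3412 come from the article.

```python
import struct

INJECT_IP_ID = 0x3412                          # Signature 3 (value from the article)
INJECT_PAYLOAD = b"Object not found\r\n\r\n"   # Signature 2 (bytes from the article)

def build_packet(src, dst, ttl, ip_id, flags, payload=b""):
    """Constructed test helper: minimal IPv4+TCP packet, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 80, 61638, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src_ip, ttl, ip_id, tcp_flags, tcp_payload) from raw packet bytes."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                   # IP header length in bytes
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    tcp = pkt[ihl:total_len]
    payload = tcp[(tcp[12] >> 4) * 4:]          # skip TCP header and options
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[8], ip_id, tcp[13], payload

def find_injected_fins(packets):
    """Return [(index, [matched signatures])] for FIN-ACKs that look injected."""
    baseline_ttl, findings = {}, []             # server IP -> TTL of its SYN-ACK
    for i, pkt in enumerate(packets):
        src, ttl, ip_id, flags, payload = parse_ipv4_tcp(pkt)
        if (flags & 0x12) == 0x12:              # SYN+ACK: remember the server's TTL
            baseline_ttl.setdefault(src, ttl)
            continue
        if (flags & 0x11) != 0x11:              # only FIN+ACK packets are scored
            continue
        checks = [
            ("ttl_mismatch", ttl != baseline_ttl.get(src, ttl)),  # Signature 1
            ("fin_payload", payload == INJECT_PAYLOAD),           # Signature 2
            ("ip_id_0x3412", ip_id == INJECT_IP_ID),              # Signature 3
        ]
        hits = [name for name, matched in checks if matched]
        if hits:
            findings.append((i, hits))
    return findings

# Constructed sample: server SYN-ACK, a FIN-ACK matching the article, a clean FIN-ACK.
SERVER, CLIENT = "95.154.196.75", "192.168.1.103"
SAMPLE_PACKETS = [
    build_packet(SERVER, CLIENT, 48, 0x1A2B, 0x12),
    build_packet(SERVER, CLIENT, 58, INJECT_IP_ID, 0x11, INJECT_PAYLOAD),
    build_packet(SERVER, CLIENT, 48, 0x1A2C, 0x11),
]

if __name__ == "__main__":
    print(find_injected_fins(SAMPLE_PACKETS))
```

A TTL difference alone can also come from routing changes or load balancing, so it is most useful when it coincides with the other two signatures on the same packet.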