Twitter Throttling in Russia: Censored Planet Report Summary

By Ava McKinneyOnline Safety

Report: Twitter Throttling in Russia

We present a translation of the report by the international group of internet experts, Censored Planet, who conducted a study on the throttling of traffic to the American social network Twitter in Russia. According to their findings, this marks a new stage of internet censorship in Russia, as a centrally managed intervention system was used for the first time.

The research team includes experts Leonid Evdokimov and ValdikSS, who collaborate with RosKomSvoboda, and the project is led by Roya Ensafi from the University of Michigan.

Background and Initial Findings

Starting March 10, 2021, Russia began restricting several domains associated with Twitter. Early reports published on ntc.party suggested that throttling was triggered by TLS SNI, targeting domains such as t.co, twimg.com, and twitter.com. Connection speeds to these domains were limited to 128 kbps.

Soon after, Russian authorities officially explained the traffic slowdown, stating that measures were taken to protect Russian citizens from illegal content, citing Twitter’s failure to remove information banned in Russia. The incident had a broader impact than intended, partly due to a rule matching t.co that inadvertently affected unrelated high-profile domains like reddit.com and microsoft.com.

Key Findings from the Study

  • This incident represents the first known attempt by Russian authorities to use throttling (instead of outright blocking) to pressure social media sites.
  • It marks a shift from a previously decentralized censorship model, managed by internet providers, to a more centralized system giving authorities significant unilateral control.
  • The report provides current measurement results and new technical details on how the regulation was implemented.

Technical Details of Throttling

The Russian internet consists of thousands of autonomous systems and many ISPs, similar to other countries. Federal Law 139-FZ, adopted in 2012, defined how Russian ISPs could exercise decentralized information control. However, reports now indicate that Twitter is being blocked using a different mechanism, known as TSPU (technical means of countering threats), based on DPI (Deep Packet Inspection) technology. Devices for this purpose were developed for Roskomnadzor by RDP.RU. In a recent interview, Russian parliament member Alexander Khinshtein stated that throttling Twitter was the first mass use of DPI blocks. TSPU is controlled directly and remotely by Roskomnadzor, not by individual ISPs, making the censorship architecture more centralized, similar to China and Iran.

How Throttling Works

  • The throttling device reacts by tracking Twitter domains in the SNI field of the TLS client hello message.
  • Throttling is enforced via traffic control. When the speed limit is reached, data packets in either direction (upload/download) are dropped.
  • Throttling devices are located 1-2 hops closer to end users than blocking devices, suggesting separate administration.
  • Regulation behavior is consistent across different ISPs, indicating widespread deployment of a single censorship method or centralized management.
  • Regulation can be activated only for TCP connections originating from Russia. However, once such a connection is established, throttling can be triggered by a Twitter SNI sent in any direction.
  • Despite previous reports, a relaxed string-matching rule still applies to some domain strings, causing collateral damage, even though t.co and recently twitter.com were fixed. For example, garbage.twimg.com is still regulated, meaning twimg.com remains a matching rule.
  • The throttle tracks connection state and resets inactive connections after about 10 minutes. Each new connection is checked, possibly as a countermeasure against circumvention attempts.
  • Throttling can be bypassed using special session modifications, TCP-level fragmentation, or splitting the TLS client hello across packets.
  • The report recommends browsers and websites implement TLS Encrypted Client Hello (ECH or its predecessor ESNI) to make SNI-based throttling more difficult.
  • Monitoring throttling is challenging, and existing anti-censorship platforms are not equipped to detect or defend against it. This incident, where Russia throttled Twitter, is a warning sign.

Research Process and Observations

The study began on March 12, with Censored Planet collaborating with Russian internet freedom activists to set up seven observation points: three regional landline points (OBIT, Ufanet) and four mobile points (Beeline, MTS, Tele2, Megafon), all of which observed throttling.

After confirming that throttling was indeed occurring, Censored Planet conducted deeper measurements to understand the nuances and underlying technology. The regulated bandwidth converged to 100-150 kbps. Throttling was enforced by dropping packets exceeding the speed limit. The throttle dropped incoming data packets from any direction after the speed limit was exceeded.

Researchers found that some ISPs throttled Twitter traffic differently, but the main principle remained the same. Unlike blocking, which denies access to content, throttling reduces service quality, making it nearly impossible for users to distinguish intentional throttling from issues like server overload or network congestion.

With the spread of dual-use technologies like DPI, internet regulation becomes easier for authorities, while users find it harder to circumvent such censorship.

“Anti-censorship communities fear that the state may use throttling to restrict internet freedom. Unfortunately, existing censorship detection platforms focus on blocking and are not equipped to track throttling. This incident, where Russia restricted Twitter, is a warning for censorship researchers, and we hope it will spur further work on detecting and bypassing this new censorship technology,” the report’s authors summarize.

Broader Context and Implications

Russia is increasing pressure on social networks, seeking greater control over information sources that do not comply with the state, according to Bloomberg. Access to Twitter was slowed for nearly a month as the Moscow regulator demanded the removal of content it deemed illegal—some dating back to 2017. Meanwhile, Facebook, Telegram, TikTok, and Google face fines for posts calling for protests after opposition leader Alexei Navalny was jailed earlier in the year.

The threat to block Twitter arose because Russia invested in equipment that could allow the Kremlin to cut the country off from the global internet, following a failed attempt to block Telegram.

According to cybersecurity researcher Leonid Evdokimov, authorities achieved 30-40% success during the Twitter throttling and fixed issues that initially caused unrelated websites to freeze. He also believes that disconnecting Twitter was never the authorities’ goal:

“Twitter became a kind of ‘lab rat’ for Roskomnadzor, used to test how well the new equipment and [internet censorship] strategy work.”

Leave a Reply