Pita Tunnels: A Pain in the Ass for Censors


Wallpunch gets around internet censorship with PITA tunnels: connections that are Parallel, Independent, Transient, and Active. This article explains how PITA tunnels work, what makes them different from existing solutions, and why they are better.

Parallel

Most tools get around censorship by creating a single point-to-point tunnel connection between the user’s device and a server outside the censorship zone. All of the user’s internet traffic is sent through that one tunnel.

Wallpunch uses a battery of parallel tunnels. Client devices make multiple connections to multiple servers, and split the outgoing traffic stream across all of them simultaneously. Incoming traffic from the different connections is recombined to form the original stream.

Figure 1A: Simple point-to-point tunnel used by most tools.

Figure 1B: Wallpunch battery with four parallel tunnels. Traffic is split across the four tunnels based on their available bandwidth. The third connection is dead so no traffic is sent across it.

Advantages of parallel tunnels:

  • Resilient: With most tools, if the original connection fails the entire tunnel must be rebuilt, causing major traffic disruptions. With parallel tunnels, if one (or even several) of the connections fail, traffic can continue to be sent with minimal disruption via the remaining connections.
  • Inconspicuous: Normal traffic patterns (i.e. when not using a VPN) consist of dozens or even hundreds of simultaneous connections. Tools that send all of their traffic through a single connection stand out as unusual, and anything unusual is bad when the goal is not to be detected.
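The splitting and recombining described above, as an added illustration that is not Wallpunch's own code: a bandwidth-weighted scheduler hands sequence-numbered chunks to live tunnels, skips the dead one from Figure 1B, and the receiver reorders whatever arrives. The tunnel names, bandwidth figures and chunk size are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Chunk = Tuple[int, bytes]  # (sequence number, payload)

@dataclass
class Tunnel:
    name: str
    bandwidth: float  # estimated available bandwidth in bytes/s; 0 means the connection is dead

def split_stream(data: bytes, battery: List[Tunnel], chunk: int = 1024) -> Dict[str, List[Chunk]]:
    """Cut the outgoing stream into sequence-numbered chunks and hand each chunk
    to a live tunnel in proportion to its bandwidth (smooth weighted round-robin).
    Dead tunnels (bandwidth 0) are skipped, as in Figure 1B."""
    live = [t for t in battery if t.bandwidth > 0]
    if not live:
        raise RuntimeError("no live tunnels in battery")
    total = sum(t.bandwidth for t in live)
    credit = {t.name: 0.0 for t in live}
    out: Dict[str, List[Chunk]] = {t.name: [] for t in battery}
    for seq, off in enumerate(range(0, len(data), chunk)):
        for t in live:                       # every live tunnel earns credit by weight
            credit[t.name] += t.bandwidth / total
        pick = max(live, key=lambda t: credit[t.name])
        credit[pick.name] -= 1.0             # the chosen tunnel spends one unit
        out[pick.name].append((seq, data[off:off + chunk]))
    return out

def recombine(received: Dict[str, List[Chunk]]) -> bytes:
    """Reassemble chunks that arrived over different tunnels (in any order)
    into the original stream, using the sequence numbers."""
    ordered = sorted(c for parts in received.values() for c in parts)
    return b"".join(payload for _, payload in ordered)

# Constructed battery matching Figure 1B: four tunnels, the third one dead.
BATTERY = [Tunnel("t1", 2_000_000), Tunnel("t2", 1_000_000),
           Tunnel("t3", 0), Tunnel("t4", 1_000_000)]

def demo(data: bytes = b"0123456789ABCDEF") -> Dict[str, int]:
    """Split a small sample stream, check it recombines, return chunks per tunnel."""
    parts = split_stream(data, BATTERY, chunk=2)
    assert recombine(parts) == data
    return {name: len(chunks) for name, chunks in parts.items()}

if __name__ == "__main__":
    print(demo())  # {'t1': 4, 't2': 2, 't3': 0, 't4': 2}
```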

Independent

Most tools are built around a particular communications protocol. All tunnel connections created by that tool share similar characteristics inherent to that protocol.

The tunnels in a Wallpunch battery are completely independent. A single battery can simultaneously send traffic through HTTPS connections using spoofed SNIs, TLS connections using raw IPv6 addresses, and encrypted UDP connections. Each battery determines empirically the best connection types to use. For example, if IPv6 connections provide lower latency on one network the battery will use them preferentially. If another network has no IPv6 connectivity at all the battery will stick to IPv4.

Advantages of independent tunnels:

  • Flexible: The same tool can use different protocols for different network environments.
  • Extensible: New protocols can be added relatively easily. Currently Wallpunch has implementations for only a small number of distinct protocols, but an additional protocol (e.g. VoIP) can be implemented and dropped in as a new option without having to change any other code.
  • Hard to identify: Censors block most tools by watching individual connections for certain identifying traits. With independent tunnels, censors must watch entire groups of connections.

Transient

Most tools use their current tunnel connection until it dies, since each switch to a new connection will disrupt traffic to some extent. They also use the same server IPs as long as possible, and develop strategies to prevent their IPs from being identified and blocked.

Wallpunch is designed so that both connections and servers are transient. Client batteries track the throughput and latency of their connections, killing off poor performers and replacing them with new ones. Servers are arranged in a two-hop architecture. Clients connect to multiple entry servers, which forward their tunnel traffic to a single exit server where traffic from the different tunnels is recombined. Exit servers track the aggregated throughput and latency of entry servers, removing poor performers from the pool and replacing them with new servers (with fresh IPs).

Figure 2A: Wallpunch battery with four connections through three entry servers.

Figure 2B: Client kills the worst connection and adds a new one to the battery.

Figure 2C: Exit server destroys the worst entry server and creates a new one.

Advantages of transient tunnels:

  • Elusive: Censors often observe traffic patterns for a period of time before deciding if a connection (or IP) should be blocked. Transient tunnels can be created, utilized, and destroyed before a decision is made.
  • Robust: Even if a censor is able to identify and block a particular connection (or IP), the battery will be unaffected since it is already in a state of constant flux.
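The rotation in Figures 2B and 2C, as an added sketch that is not Wallpunch's own code: each member of a pool (a client's connection, or an entry server from the exit server's point of view) carries smoothed latency and throughput, and the worst-scoring member that has been measured enough to judge is killed and replaced with a fresh one. The EWMA smoothing, the throughput-per-latency score and the three-sample minimum are assumptions made for the example, not Wallpunch's actual metrics.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Member:
    """One battery member: a tunnel connection seen by the client (Figure 2B)
    or an entry server seen by the exit server (Figure 2C)."""
    name: str
    rtt_ms: float = 0.0   # smoothed latency
    bps: float = 0.0      # smoothed throughput
    samples: int = 0      # measurements folded in so far

def observe(m: Member, rtt_ms: float, bps: float, alpha: float = 0.3) -> None:
    """Fold one latency/throughput measurement into the member's smoothed
    stats (exponentially weighted moving average; alpha is an assumed value)."""
    if m.samples == 0:
        m.rtt_ms, m.bps = rtt_ms, bps
    else:
        m.rtt_ms += alpha * (rtt_ms - m.rtt_ms)
        m.bps += alpha * (bps - m.bps)
    m.samples += 1

def score(m: Member) -> float:
    """Higher is better: throughput per millisecond of latency (assumed metric)."""
    return m.bps / max(m.rtt_ms, 1.0)

def rotate_worst(pool: List[Member], spawn: Callable[[], Member],
                 min_samples: int = 3) -> Optional[Member]:
    """Kill the worst-scoring member that has enough samples to be judged and
    replace it with a freshly spawned one. Returns the member that was killed,
    or None when no member has been measured enough yet."""
    judgeable = [m for m in pool if m.samples >= min_samples]
    if not judgeable:
        return None
    worst = min(judgeable, key=score)
    pool.remove(worst)
    pool.append(spawn())
    return worst

def demo() -> List[str]:
    """Constructed pool: one good, one sluggish, one too new to judge.
    Returns the killed member's name followed by the surviving pool."""
    pool = [Member("conn-a"), Member("conn-b"), Member("conn-c")]
    for _ in range(3):
        observe(pool[0], rtt_ms=50, bps=1_000_000)
        observe(pool[1], rtt_ms=400, bps=200_000)
    observe(pool[2], rtt_ms=30, bps=50_000)       # only one sample so far
    killed = rotate_worst(pool, lambda: Member("conn-d"))
    return [killed.name if killed else ""] + [m.name for m in pool]
```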

Active

Most tools rely on passive tunnels, which send data only in response to user activity. Data is only sent through the tunnel connection when the user is generating internet traffic. When the user’s internet activity is idle, so is the tunnel.

Active tunnels, in contrast, actively send data as a means of disguise. Most protocols have relatively consistent patterns for when and how much data they send. Passive tunnels can be distinguished from their “cover” protocol because they don’t follow these patterns, whereas active tunnels mimic the patterns closely, making them harder to detect.

When using only a single tunnel connection, active sending provides better camouflage but reduces efficiency. Internet traffic generated by the user is first placed in a queue. When the active tunnel’s protocol is ready to send data, it takes a specified amount from the queue (or generates dummy “padding” data if the user does not have enough real traffic to send). This queueing delay increases the latency of the tunnel.

Wallpunch achieves the improved camouflage of active sending without the latency hit by joining multiple, independent active connections into a battery. Each individual tunnel waits to send data according to its protocol traffic pattern, but all tunnels draw data from a single shared queue. This means that new data added to the queue can be sent as soon as any tunnel is ready. The more tunnels in the battery, the less time is spent waiting.
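The shared-queue effect described above, as an added simulation that is not Wallpunch's own code: each active tunnel fires on its own fixed schedule (a stand-in for its cover protocol's timing, assumed here), takes one frame from the single shared queue or emits padding when the queue is empty, and the mean queueing delay is compared between one tunnel and a battery of four. Arrival times and send periods are constructed for the example.

```python
import heapq
from collections import deque
from typing import Dict, List

def simulate_battery(periods: List[int], arrivals: List[int], horizon: int) -> Dict[str, float]:
    """Discrete-event simulation (times in ms). Tunnel i fires once every
    periods[i] ms, as its cover protocol's traffic pattern dictates (assumed
    fixed here). On each firing it takes one frame from the shared queue, or
    sends a padding frame if the queue is empty. User frames arrive at the
    times in `arrivals`. Returns frames sent, mean queueing delay, padding count."""
    queue: deque = deque()
    pending = sorted(arrivals)
    next_arrival = 0
    firings = [(p, i) for i, p in enumerate(periods)]   # (time, tunnel index)
    heapq.heapify(firings)
    waits: List[int] = []
    padding = 0
    while firings:
        t, i = heapq.heappop(firings)
        if t > horizon:
            break
        while next_arrival < len(pending) and pending[next_arrival] <= t:
            queue.append(pending[next_arrival])          # enqueue user data
            next_arrival += 1
        if queue:
            waits.append(t - queue.popleft())            # real frame sent now
        else:
            padding += 1                                 # keep the cover pattern
        heapq.heappush(firings, (t + periods[i], i))
    mean_wait = sum(waits) / len(waits) if waits else 0.0
    return {"sent": len(waits), "mean_wait_ms": mean_wait, "padding": padding}

# Constructed arrival times (ms) of user frames.
ARRIVALS = [10, 30, 70, 220, 240]

def compare(horizon: int = 500) -> Dict[str, float]:
    """Mean queueing delay with a single active tunnel versus a battery of
    four independent active tunnels, each with its own send period."""
    single = simulate_battery([100], ARRIVALS, horizon)
    battery = simulate_battery([100, 70, 130, 40], ARRIVALS, horizon)
    return {"single": single["mean_wait_ms"], "battery": battery["mean_wait_ms"]}

if __name__ == "__main__":
    print(compare())  # {'single': 186.0, 'battery': 24.0}
```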

Putting it all together

These parallel, independent, transient, and active characteristics combine synergistically. Together they form a solution for evading censorship that is harder to detect and more resistant to disruption than any single-connection tunnel. A censor that wants to interrupt a user’s activity must identify and block the entire battery simultaneously. That makes PITA tunnels a real “Pain In The Ass” for censors!
