Skip to main content

Diagnosing the impact of the TSPU

Last update:

Telecom operators are obliged to install in their networks TSPU - technical complexes for analyzing and filtering the passing traffic, for more details see the subsection What is TSPU. TSPU can affect the speed of traffic flow and cause problems with connectivity for some protocols.

If your traffic flow problems show signs of TCSP impact, you can perform TCSP impact diagnostics and perform some actions based on the results of the diagnostics.

What is TSPU

TSPU, or technical means of countering threats, are DPI complexes that are installed at the request of Roskomnadzor at communication nodes to filter passing traffic. DPIs can block or slow down traffic based on various criteria: IP addresses, SNI (Server Name Indication), QUIC metadata, protocol signatures, and others.

Major mobile, broadband and satellite operators, as well as owners of traffic exchange points, are obliged to install TSPU in their networks. All user traffic must pass through the TSPU. The TSPU equipment is managed by the Public Communications Network Monitoring and Management Center; telecom operators do not have access to it.

TSPU are used within the country, as well as at cross-border communication nodes when traffic enters and leaves Russia. At such points, analysis and filtering can take place both in the operator's network and at the junction of national and international infrastructure, which makes it possible to filter traffic at the border of networks.

In connection with the operation of the TSPU, there may be both permanent and periodic problems with the passage of certain types of traffic within Russia and in cross-border data exchange.

Signs of TSPU impact

TSPU may cause problems with connection via SSH, HTTP/HTTPS, VPN, sometimes RDP. In this case, the server responds to ICMP requests and checks via mtr, telnet utilities are performed successfully. In rare cases, there may be a problem with network speed when connecting using these protocols. The problem with connection and speed can have both permanent and floating character.

Problems are most commonly seen when a public shared IP address is used on a dedicated server. In rare cases, there are also problems with addresses from a dedicated public subnet.

Conduct diagnostics of the impact of the TSPU

To get complete diagnostic data, you need to run diagnostics on two servers that are experiencing a connectivity problem between them. One of the servers must be in the Selectel infrastructure:

  • The destination server is the server you are trying to connect to;
  • source - the server from which you are trying to connect to the target server.

Diagnostics should be run in two directions - from the source server to the target server and from the target server to the source server. If you cannot connect to one of the servers, run diagnostics from the second server only.

  1. Run diagnostics from the source server to the target server.
  2. Run diagnostics from the target server to the source server.
  3. Send us the diagnostic results.
  4. If the diagnostic results suggest that the TSPU is affected, you can perform actions based on the diagnostic results.

1. Run diagnostics from source server to target server

The diagnostic process depends on which protocol the problem is observed.

  1. Connect to the source server. If the server is in the Selectel infrastructure, use the Connect to Server instruction.

  2. Create a text file where you will save the diagnostic results.

  3. Check the availability of the target server:

    3.1 Check the availability of the target server. The check will show whether ICMP packets are passing through:

    ping <destination_ip_address>

    Specify <destination_ip_address> - IP address of the destination server.

    3.2 Save the output to the diagnostic results file you created in step 2.

  4. Check the SSH connection:

    4.1 Connect to the target server via SSH with detailed connection information output:

    ssh -v root@<destination_ip_address>

    Specify <destination_ip_address> - IP address of the destination server.

    4.2 Save the output to the diagnostic results file you created in step 2.

  5. Scan the ports of the target server:

    5.1 Install the nmap utility, more details in the Linux Distributions article of the nmap documentation.

    5.2 Perform a port scan without first checking the availability of the server:

    nmap -Pn <destination_ip_address>

    Specify <destination_ip_address> - IP address of the destination server.

    5.3 Save the output to the diagnostic results file you created in step 2.

  6. Check the TCP connection on port 22:

    6.1 Install the telnet utility, see the Telnet Applications article of the telnet documentation for details.

    6.2 Connect to the target server via TCP:

    telnet <destination_ip_address> 22

    Specify <destination_ip_address> - IP address of the destination server.

    6.3 Save the output to the diagnostic results file you created in step 2.

  7. Perform a route trace to the destination server:

    7.1 Install the mtr utility. Read more on GitHub mtr.

    7.2 Perform route tracing to the destination server:

    mtr --address <destination_ip_address> -bwzrc 100 <source_ip_address>

    Specify:

    • <destination_ip_address> - IP address of the destination server;
    • <source_ip_address> - IP address of the source server.

    7.3 Save the output to the diagnostic results file you created in step 2.

  8. Collect a traffic dump to the target server:

    8.1 Install the tcpdump utility, see the documentation for details tcpdump.

    8.2 Collect a traffic dump. The command will create a file in .pcap format:

    tcpdump --count 1000 -w dump_<source_ip_address>_<destination_ip_address>.pcap host <destination_ip_address>

    Specify:

    • <source_ip_address> - IP address of the source server;
    • <destination_ip_address> - IP address of the destination server.

2. Run diagnostics from the target server to the source server

  1. Connect to the target server. If the server is in the Selectel infrastructure, use the Connect to Server instruction.

  2. Perform a route trace to the source server:

    2.1 Install the mtr utility, more details on GitHub mtr.

    2.2 Perform the trace:

    mtr --address <source_ip_address> -bwzrc 100 <destination_ip_address>

    Specify:

    • <source_ip_address> - IP address of the source server;
    • <destination_ip_address> - IP address of the destination server.

    2.3 Save the output to the diagnostic results file you created in step 1.

  3. Collect a traffic dump to the source server:

    3.1 Install the tcpdump utility, see the documentation for details tcpdump.

    3.2 Collect a traffic dump. The command will create a separate file with data in .pcap format:

    tcpdump --count 1000 -w dump_<destination_ip_address>_<source_ip_address>.pcap host <source_ip_address>

    Specify:

    • <destination_ip_address> - IP address of the destination server;
    • <source_ip_address> - IP address of the source server.

3. Send diagnostic data

  1. Create a ticket specify the following data in the ticket:

    • describe the problem you are experiencing in as much detail as possible;

    • Specify the pair of IP addresses between which you are experiencing connectivity problems and for which you performed troubleshooting;

    • If the problem is observed with HTTP/HTTPS connection - specify whether the VPN server is located at the specified IP addresses;

    • attach the files with the diagnostic results.

  2. Wait for a response from a Selectel employee. We will perform additional diagnostics from our side and inform you about the results.

  3. Optionally: If we confirm the suspected TCPU influence based on the diagnostic results, we can additionally request confirmation from carriers about the presence of TCPUs on the traffic route. Selectel can send a text request only to the carriers (aplinks) that come directly to our data centers. You can contact the carriers yourself from a server outside of Selectel's infrastructure.

    3.1 On the source server, start traffic towards the target server. Do not stop the traffic for at least 7 days, it is necessary for diagnostics by the operator:

    ping <destination_ip_address>
    while true; do <protocol> -o ConnectTimeout=5 user@<destination_ip_address> exit; sleep 60; done

    Specify:

    • <destination_ip_address> - IP address of the destination server;
    • <protocol> - the protocol with which you are experiencing problems: ssh for the SSH protocol, curl for HTTP/HTTPS protocols.

    3.2 In the ticket, inform us that you have launched traffic. We will send a written request to the telecom operator who is directly connected to Selectel infrastructure and through whose channel the launched traffic passes.

    3.3 Optional: contact the service provider to which the server is connected outside the Selectel infrastructure yourself.

4. Perform actions based on the diagnostic results

Selectel cannot influence the operation of the TCPU or the settings of the service provider's networks. If the diagnostic results confirm that the TCPU is affected, you may:

  • If you are a legal entity or an individual entrepreneur, you can justify the exclusion of TSPU filtering for your subnetwork. To do this, submit a request to Roskomnadzor through the personal cabinet of the owner of technological networks, for more details see the official [Help on working in the personal cabinet of the owner of technological networks](https://63613345-f19e-49c7-85ef-6a5ac4d6354c.selstorage.ru/TSPU/ %D 0 %A 1 %D 0 %B F %D 1 %80 %D 0 %B 0 %D 0 %B 2 %D 0 %B A %D 0 %B 0 %20 %D 0 %B F %D 0 %B E %20 %D 1 %80 %D 0 %B 0 %D 0 %B 1 %D 0 %B E %D 1 %82 %D 0 %B 5 %20 %D 0 %B 2 %20 %D 0 %9B %D 0 %9A %20 %D 0 %92 %D 0 %A 2 %D 0 %A 1 %20 v1.11.pdf) from Roskomnadzor;

  • you can also change the IP address on the server in Selectel. Changing the IP address does not guarantee a solution to the traffic problem: