Massive banking collateral in 2025, YouTube DNS removal in May 2026, nationwide VPN paralysis in June: deep dive into TSPU's three-tier architecture, four generations of AI detection, four Habr-tested vulnerabilities, and anti-censorship evolution.
In June 2025, mobile banking apps of multiple Russian banks suddenly went offline, ATMs stopped working; in March 2025, Moscow experienced two weeks of severe mobile network restrictions, and many blocked foreign platforms briefly became accessible again; from late May to early June 2026, YouTube, Telegram, and Discord suffered severe connection problems nationwide. The force behind these events is the Russian national DPI control system: TSPU.
TSPU (Технические средства противодействия угрозам, Technical Means of Countering Threats) is legally rooted in Federal Law No. 90-FZ (Sovereign Internet Law) signed by Putin on May 1, 2019. The law took effect in November 2019, granting the Russian communications regulator (RKN, Roskomnadzor) centralized control over domestic internet traffic, including real-time website blocking and traffic filtering.
From 2020 to 2022, RKN launched TSPU pilot deployments in Moscow, St. Petersburg and other major cities, with the three largest operators (MTS, MegaFon, Rostelekom) assisting installation. In 2023, the project fully switched to domestic hardware, replacing foreign components with servers from Signaltek and Yadro. By the end of 2024, TSPU covered about 80% of Russian internet traffic, with over 2.5 million filtering rules.
Event 1: System overload triggered Bypass, nationwide unblock (March 22–23, 2025)
TSPU had to handle about 40,000 new filtering rules in a short period (normal updates are only 10,000–15,000). Insufficient computing power automatically activated Bypass mode: traffic went around DPI and was directly forwarded, causing many blocked foreign platforms to briefly become accessible again. TSPU devices have clear bandwidth limitations; when traffic exceeds processing capacity, the device automatically enters bypass mode and traffic reaches its destination directly. RKN's system cannot fully block prohibited websites at every moment; capacity limits create "leaks."
Event 2: Large-scale banking "friendly fire" (June 30, 2025)
While testing new VPN blocking rules, RKN's TSPU DPI misidentified TLS encrypted communications of Sberbank, Tinkoff, Alfa-Bank and others as VPN traffic, causing banking apps, payment systems, and ATMs to go offline for hours. TSPU's filtering heuristic was too crude ("I see TLS 1.3 and active packet hammering → DROP"), exposing its fundamental technical difficulty in distinguishing legitimate financial traffic from VPN tunnels.
In February 2026, after more than a year of throttling YouTube, RKN went further and removed the youtube.com domain from the national DNS system, making YouTube inaccessible through normal means inside Russia. Experts noted that this decision was related to Telegram slowdowns; TSPU systems installed on operator networks could not handle pressure from two major platforms simultaneously, so RKN chose to simply "turn off" YouTube via DNS.
From late May to early June 2026, Russia experienced a nationwide large-scale VPN failure. Users reported VPN connections disconnecting within one or two minutes, latency spiking, and speeds dropping to minimum. Telegram, YouTube and Discord were all affected. RKN was reported to have discovered new vulnerabilities in MTProto proxies while also strengthening Chrome fingerprinting and TCP-RAW protocol blocking. The agency stated that companies could apply for access to foreign services through VPNs on a technical basis; more than 57,000 addresses and 1,700 organizations (including software developers) had been added to exception lists.
On May 25, 2026, TSPU achieved nationwide full deployment: all 85 federal subjects completed hardware upgrades to regional control centers, the three major carriers' backbone nodes reached 100% TSPU inline deployment, and nearly 100% of Russia's fixed and mobile internet traffic now passes through TSPU.
| Budget Item | Amount / Indicator |
|---|---|
| Original federal project budget | 68.8 billion RUB |
| 2026 additional allocation | 14.9 billion RUB |
| 2030 total budget | 83.7 billion RUB |
| National project | "Data Economy and Digital Transformation of the State" / "Cybersecurity Infrastructure" |
| Bandwidth Indicator | Original Plan | 2030 Target | Increase |
|---|---|---|---|
| Peak processing bandwidth | 752.6 Tbit/s | 954 Tbit/s | +26.7% |
| Total system capacity | Base capacity | 2.5× current plan | ~150% |
| Russia's average daily traffic (2024) | approx. 30 Tbit/s | | |
954 Tbit/s is more than 30 times current actual traffic, providing strategic redundancy not only for traffic growth but also for expanding block lists and countering new evasion techniques. Power limitations sometimes cause bypass mode; the upgrade aims to match infrastructure to actual load while improving the effectiveness of blocking VPN evasion tools.
Since January 2026, operator compliance fines have taken effect: up to 1 million RUB for first-time legal entity violations, and up to 5 million RUB for repeat violations.
MTS: community feedback suggests it is the most aggressive in TSPU testing with the most noticeable blocking; MegaFon: completed backbone TSPU deployment; Rostelekom: state telecom giant handling much of the infrastructure upgrade and supplying domestic DPI equipment. Hardware suppliers include Signaltek, Yadro (servers), Eltex (switches), Silicom (bypass NICs), etc.
RKN also strengthened compliance oversight. In December 2025, RKN detected several operators that failed to correctly route traffic through TSPU, making YouTube accessible. The court accordingly fined five operators (Trivon Networks, YuL-Kom Media, iHome, AVK-Wellcom, Grand) 250,000 RUB each, fined MSK-IX and Tinko 250,000 RUB each, and fined Avantel 500,000 RUB.
TSPU adopts a centralized, layered architecture with three levels from the highest decision-making layer to the actual execution layer closest to users.
Level 1: Central Management Center (TsMU SSOP)
Located in Moscow, subordinate to the Radio Frequency Center (GRChTs) under RKN, it is the "brain" of the system: it formulates global filtering policies; manages four blacklists (IP, SNI, TLS fingerprint, protocol signature); uses AI to automatically cluster abnormal traffic and generate signature databases; distributes rules and receives and analyzes logs from across the country.
Level 2: 85 Federal Subjects Regional Control Centers (LTsU)
Deployed in each state, territory, republic; act as relays receiving central policies, forwarding them to local TSPU, and collecting traffic logs to send back to the central center.
Level 3: TSPU Hardware at BRAS/CGNAT
Physically deployed at operator BRAS (Broadband Remote Access Server) and CGNAT nodes in inline mode: all user traffic must be processed; actions include allow, drop, send TCP RST to terminate connections, rate-limit, HTTP redirect. When overloaded, Bypass mode may be triggered (scheduled to be phased out by 2030). Operators cannot view or modify configurations; devices are remotely controlled by RKN, a true "black box".
DPI (Deep Packet Inspection) is TSPU's core technology. Officially used for DDoS protection, in practice it accomplishes website blocking, traffic filtering, and suppression of circumvention tools like VPNs.
At L3/L4, DPI can see source/destination IPs and ports, TCP flags, packet sizes and frequencies β enabling IP blocking, rate-limiting, and detecting certain VPN/tunnels through patterns.
At L7, for HTTPS/TLS traffic, DPI cannot decrypt but can extract key information from the plaintext handshake: SNI (Server Name Indication), the domain name transmitted in plaintext in ClientHello and the main basis for blocking websites; JA3/JA4 fingerprints, TLS client handshake parameter sets that can distinguish real browsers from VPN clients; DNS queries: if DNS is not encrypted (UDP 53), the QNAME is directly visible and can be blocked at the resolution stage.
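What a passive on-path inspector can read from a ClientHello without decrypting anything, as an added example (not code from the original article): it extracts the SNI and computes a JA3 string and hash. The ClientHello is constructed in the code, not captured, and the function names are assumptions made for this illustration.

```python
import hashlib
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record, not a capture."""
    name = sni.encode("ascii")
    exts = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts += struct.pack("!HHHHH", 10, 6, 4, 29, 23)   # supported_groups: x25519, secp256r1
    exts += struct.pack("!HHBB", 11, 2, 1, 0)         # ec_point_formats: uncompressed
    ciphers = struct.pack("!HHHH", 0x0A0A, 0x1301, 0x1302, 0xC02F)  # first one is GREASE
    body = (b"\x03\x03" + bytes(32) + b"\x00"         # legacy_version, random, no session id
            + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def u16_list(data: bytes) -> list:
    """Decode big-endian 16-bit values, dropping GREASE placeholders as JA3 does."""
    vals = struct.unpack(f"!{len(data) // 2}H", data[:len(data) // 2 * 2])
    return [v for v in vals if not ((v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF))]

def parse_client_hello(record: bytes):
    """Return (sni, ja3_string, ja3_md5) using only the plaintext handshake bytes."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    version = struct.unpack_from("!H", record, 9)[0]  # after record (5) + handshake (4) headers
    pos = 9 + 2 + 32                                  # skip version and random
    pos += 1 + record[pos]                            # skip session id
    n = struct.unpack_from("!H", record, pos)[0]
    ciphers = u16_list(record[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + record[pos]                            # skip compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    sni, ext_ids, groups, formats = None, [], [], []
    while pos + 4 <= min(end, len(record)):
        etype, elen = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_ids += u16_list(struct.pack("!H", etype))
        if etype == 0 and len(data) >= 5:             # server_name: first host_name entry
            sni = data[5:5 + struct.unpack_from("!H", data, 3)[0]].decode("ascii", "replace")
        elif etype == 10:                             # supported_groups
            groups = u16_list(data[2:])
        elif etype == 11:                             # ec_point_formats
            formats = list(data[1:])
    fields = [ciphers, ext_ids, groups, formats]
    ja3 = ",".join([str(version)] + ["-".join(map(str, f)) for f in fields])
    return sni, ja3, hashlib.md5(ja3.encode()).hexdigest()
```

Two hellos built with different server names yield different SNI values but the same JA3: the SNI identifies the destination, while the fingerprint identifies the client's TLS stack.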
When direct signatures are insufficient, DPI analyzes behavioral features (first packet sizes, send intervals, traffic direction, retransmission patterns), enough to distinguish HTTPS-masqueraded VPN traffic from normal web browsing.
| Generation | Time | Technical Feature | Countermeasure |
|---|---|---|---|
| 1st | 2019-2021 | IP/port blocking | Change IP easily bypasses |
| 2nd | 2021-2023 | SNI domain blocking | SNI obfuscation (Reality) |
| 3rd | 2023-2025 | Protocol fingerprint detection (MTProto/VLESS/WireGuard) | Self-hosted node lifespan drops sharply |
| 4th | 2026 onward | 2.27 billion RUB for AI behavioral analysis | Detects "multi-device shared-IP proxies", dynamically adapts to new circumvention techniques |
In January 2026, RKN announced the development of a machine-learning-based traffic filtering system to be integrated into the TSPU infrastructure, marking a shift from static signature matching to dynamic behavioral recognition.
As of June 2026, after full TSPU deployment, self-hosted proxy survival rates have plummeted. Port 443 VLESS+Reality configurations are instantly dropped or throttled to zero; self-hosted VPS lifespans shorten to days; same-IP shared proxies are accurately targeted by AI clustering; Shadowsocks-2022 (on high ports) and xHTTP direct mode still work; chained proxies (Russian VPS → foreign VPS, TSPU sees a Russian IP and usually leaves it alone) still work.
Community testing also found that high-port rules are much looser than port 443: moving the same proxy configuration to port 47000+ allows up to 80% of packets through, as TSPU prioritizes deep inspection of standard HTTPS ports to save hardware resources, performing only shallow checks on high ports. Empty SNI settings lift blocks in 100% of test cases because TSPU's blocking strategy relies on SNI blacklist matching.
June 30, 2025 banking outage: multiple bank apps and ATMs offline for hours.
"Whitelist" irony: some mobile operators enabled IP whitelists, but many Russian banks and government services were not on those whitelists, while Cloudflare IP ranges were, forcing users to turn on VPNs just to access domestic banking or Gosuslugi websites.
Local hosting provider throttling: when a browser made many connections to ordinary web pages on Russian hosting provider Selectel, TSPU triggered rate-limiting or drops due to "TLS 1.3 + active packet hammering".
YouTube and multi-platform widespread outage (early June 2026): late May to early June 2026, VPNs failed on a large scale across Russia. RKN was reported to have found new MTProto proxy vulnerabilities and simultaneously strengthened Chrome fingerprinting and TCP-RAW protocol blocking. Telegram, YouTube, and Discord were hit hard, even under functioning VPNs. Experts said TSPU upgrades directly impact VPN stability. Network latency surged, some VPN connections stayed alive for only one or two minutes, and data rates dropped to minimums.
IT industry collateral damage: Russian IT companies rely on overseas resources for software development; the VPN crackdown prevented them from accessing necessary tools.
RKN systematically checks through the GRChTs monitoring center whether each operator's traffic passes through TSPU filtering. If a blocked website has no TSPU interception log and is still accessible, inspectors issue a violation report. In December 2025, RKN detected several operators that failed to route traffic correctly through TSPU, making YouTube accessible. The court fined Trivon Networks, YuL-Kom Media, iHome, AVK-Wellcom, and Grand 250,000 RUB each; fined MSK-IX and Tinko 250,000 RUB each; and fined Avantel 500,000 RUB. This penalty system puts economic pressure on operators to comply.
RKN's GRChTs announced expansion of the National Anti-DDoS System (NSPA), which currently uses 88 cross-border TSPU devices to successfully repel external attacks. Experts recommend adding a new line of defense between backbone carriers and large enterprises to analyze and block internal malicious traffic. Cybersecurity experts emphasize that TSPU efficiency depends not only on bandwidth but also on network architecture, node distribution, and traffic management quality.
In addition, QUIC (HTTP/3) traffic is effectively blocked; UDP port 443 is effectively blocked, forcing all connections to fall back to slower HTTPS (TCP 443), though circumvention tools continue to evolve using traffic modification techniques.
TSPU has gone from a 2019 law to covering 100% of Russian traffic by May 25, 2026, with a budget increased to 83.7 billion rubles and processing capacity planned to reach 954 Tbit/s by 2030, more than 30 times current actual traffic. Its DPI technology has evolved through four generations from IP blacklists to AI behavioral analysis.
At the same time, communities like Habr keep discovering exploitable vulnerabilities: high ports, empty SNI, Bypass overload fallback. This is an endless arms race: protocol designers pursue stronger privacy (ECH, QUIC, traffic obfuscation), while TSPU keeps evolving with AI and new signatures.
For ordinary users, a clear signal is: the era of a single protocol, a one-click script, and "set and forget" is over. For the TSPU system itself, perhaps the biggest challenge is not technical, but how to achieve regulatory goals without damaging the country's own financial and communications infrastructure; the June 2025 banking incident and the June 2026 massive VPN failure have already sounded the alarm.