[tor-dev] brdgrd: Protecting bridges from the GFC



Hi,

I've been working on a small tool whose purpose is to protect bridges
from the Chinese firewall. The tool runs independently of Tor and
analyzes/rewrites SYNs and SYN/ACKs which it gets with the help of
libnetfilter_queue. It is quick and easy to set up and can be run by
bridge operators.

Basically, the tool achieves two things:
- Evading the Chinese DPI engine by rewriting the TCP window size
  during the TCP handshake. This leads to a fragmented cipher list
  which does not seem to be recognized by the GFC.
- Blocking scanners with two dirty hacks.

I did not have a lot of time to test it yet but I've found the window
size rewriting to be particularly effective (yet ugly). It worked with
Windows {XP, 7} and recent Linux boxes. The scanner blocking strategies
are not that effective since they imply many false positives, i.e.,
legitimate users being locked out.

Before showing this to a broader audience, I need some people looking at
the code, though. The code, just 600 lines of C, is available at:
https://github.com/NullHypothesis/brdgrd/

Cheers,
Philipp
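
The window rewriting described in the message, as an added example that is not part of the original post and not brdgrd's own code: it sets the window field of a SYN/ACK in a raw IPv4 packet buffer and recomputes the TCP checksum so the packet remains valid. The function names, the sample packet and the window value 60 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: IPv4 + TCP SYN/ACK, 192.0.2.1:443 -> 198.51.100.2:50000,
 * window 0x7210. Checksums left zero; this is not captured traffic. */
uint8_t sample_synack[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x02,
    0x01,0xbb,0xc3,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02,
    0x50,0x12,0x72,0x10, 0x00,0x00,0x00,0x00 };

/* Ones'-complement sum of big-endian 16-bit words (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}

/* TCP checksum over pseudo-header + segment. Returns 0 when the packet
 * already carries a valid checksum. Assumes len is the IP total length. */
uint16_t tcp_checksum(const uint8_t *ip, size_t len) {
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint32_t acc = sum16(ip + 12, 8, 0);      /* source + destination address */
    acc += 6 + (uint32_t)(len - ihl);         /* protocol number, TCP length */
    acc = sum16(ip + ihl, len - ihl, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* 1 = window rewritten, 0 = not a SYN/ACK (untouched), -1 = malformed. */
int rewrite_synack_window(uint8_t *pkt, size_t len, uint16_t new_win) {
    if (len < 40 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return -1;
    uint8_t *tcp = pkt + ihl;
    if ((tcp[13] & 0x12) != 0x12) return 0;   /* need SYN and ACK both set */
    tcp[14] = (uint8_t)(new_win >> 8);        /* window field, network order */
    tcp[15] = (uint8_t)(new_win & 0xff);
    tcp[16] = tcp[17] = 0;                    /* zero checksum before recompute */
    uint16_t c = tcp_checksum(pkt, len);
    tcp[16] = (uint8_t)(c >> 8);
    tcp[17] = (uint8_t)(c & 0xff);
    return 1;
}

int main(void) {
    int r = rewrite_synack_window(sample_synack, sizeof sample_synack, 60);
    return (r == 1 && tcp_checksum(sample_synack, sizeof sample_synack) == 0) ? 0 : 1;
}
```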