[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Blocking GFW probes on the firewall

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Blocking GFW probes on the firewall
From: Marek Majkowski <marek@xxxxxxxxxxxx>
Date: Wed, 10 Jul 2013 11:18:32 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 10 Jul 2013 06:18:47 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=bWSpbnZV6nDU5IXhC+L7uj37vmMuBQ3197ACpLIEcaE=; b=KthVXe2Zd/zZhXwu0HD5mhHg1hC2f+h/UGwxOhflit2gHQhuWtoJgb4TkN2tpJU5t+ lRtsItjX7YV2uAuRgj9o12T4u/Bh3K/XUYOsotRm8tX1NGHkQbt/KfHs96qAHV5ZssPS TQnDaKqYuxgfgpVgTvAPZ6TvuU23d9BtCNs9xS9lWRRRry8lA+P0Nzh911AC0nifIqOz ubX+TbBdm6tWcarWjg2wgAwl0EnHKqdIM1aY9u03zZHYqUTnlvsBeNDA2u0yVXizbde/ nHzDzFegt3z99htzQnWxRJXpJHGv5infcdVV9fBCFFT9d6ShBmrsHIGOJOBCFPsZam5G 50Ng==
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi,

As you may know the Great Firewall of China (GFW) is actively scanning
TOR relays and bridges [1]. Fortunately blocking those probes seem to
be sufficient to prevent GFW from blocking/censoring the service.

The GFW is evolving and probes that we see today will likely be
different in the future. As for now these iptable rules detect active
GFW scans against TOR a bridge. Probes as seen few weeks ago can be
detected by:

$ iptables -A INPUT -p tcp -m string --hex-string
"|00001800390038003500160013000A00330032002F0007000500FF0100000400230000|"
--algo kmp -j LOG --log-prefix "china_long "

$ iptables -A INPUT -p tcp -m string --hex-string
"|00001400390038003500160013000A00330032002F0005020100|" --algo kmp -j
LOG --log-prefix "china_short "

Probes seen recently:

$ iptables -A INPUT -p tcp -m string --hex-string
"|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|"
--algo kmp -j LOG --log-prefix "china_new "

Active scans detected by these iptable rules were triggered by a TOR
client in China connecting to a TOR bridge in Europe. These rules are
intended to be used on the TOR bridge side.

If you wish not only to detect, but also to actively reject GFW probes
(and hopefully prevent your service from getting censored), consider
replacing "-j LOG ..." with " -j REJECT --reject-with tcp-reset".

Cheers,
  Marek

[1] http://www.cs.kau.se/philwint/pdf/foci2012.pdf
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Prev by Author: Re: [tor-talk] Will Tor affect Internet Explorer? (newbie question)
Next by Author: [tor-talk] Webpage autorefresh weakens onion routing
Previous by thread: Re: [tor-talk] No free Hushmail account if signing up using TBB
Next by thread: [tor-talk] Tor Weekly News â July, 10th 2013
Index(es):
- Author
- Thread