Re: [tor-bugs] #4185 [Tor Bridge]: Bridge easily detected by GFW
#4185: Bridge easily detected by GFW
------------------------+---------------------------------------------------
Reporter: hrimfaxi | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Bridge | Version: Tor: 0.2.3.5-alpha
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by aagbsn):
I took a look at tor_traffic_server.pcap. There's a lot of noise, but I
eliminated most of the other traffic using ExoneraTor
(https://metrics.torproject.org/exonerator.html). That might not be a good
assumption; after all, China could control relays in other countries. But
here we go:
Stream 15 (same host as Stream 32) looks like the legitimate client.
Stream 44 is not a relay, and the TLSv1 Client Hello handshakes are
slightly different: the client in Stream 15 supports more extensions
(ec_point_formats, elliptic_curves) than the client in Stream 44.
{{{
wireshark filters:
(tcp.stream == 15) || (tcp.stream eq 44)
or
(ip.addr == *****)
it also helps to tell wireshark to decode packets with
tcp.dst_port==10000 as SSL.
}}}
A possible attack:
1. create a list of IPs that have connected to Tor or anything else
that wound up in the GFW
2. actively monitor those IPs and actively connect to destinations.
3. block anything that doesn't look like a webpage/looks like a Tor
bridge.
Some possible counter-attacks/tests
1. block IPs other than hrimfaxi's, see if the bridge still gets blocked
2. redirect IPs other than hrimfaxi's to a https webpage, see if the
bridge still gets blocked
e.g.
{{{
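# -I inserts at the top of the chain, so the catch-all rule is added first and
# the hrimfaxi exception second; the exception then sits above it and matches first.
iptables -t nat -I PREROUTING --dst $bridge_host -p tcp \
  --dport $listening_port -j REDIRECT --to-ports $https_service
iptables -t nat -I PREROUTING --src $hrimfaxi_ip --dst $bridge_host -p tcp \
  --dport $listening_port -j REDIRECT --to-ports $bridge_port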
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4185#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
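
The ClientHello comparison described in the comment above can be scripted by a bridge operator reviewing their own capture. This is an added example, not part of the original comment or of Tor's code; the two handshakes are constructed sample bytes (not taken from tor_traffic_server.pcap), and the helper names are hypothetical.

```python
import struct

# IANA TLS extension numbers; type 10 was called elliptic_curves at the time.
EXT_NAMES = {0: "server_name", 10: "elliptic_curves", 11: "ec_point_formats",
             35: "session_ticket", 65281: "renegotiation_info"}

def build_client_hello(extensions):
    """Build a minimal TLSv1 ClientHello record from (type, body) pairs (sample data)."""
    ext = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (b"\x03\x01" + bytes(32)          # client_version TLS 1.0, 32-byte random
            + b"\x00"                        # empty session_id
            + b"\x00\x04\x00\x39\x00\x2f"    # two cipher suites
            + b"\x01\x00"                    # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def client_hello_extensions(record):
    """Return the extension type numbers, in order, from a ClientHello TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    data = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    try:
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + data[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + data[pos]                                  # compression_methods
        if pos == len(data):
            return []                                         # no extensions block
        end = min(len(data), pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0])
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello")
    pos += 2
    found = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        found.append(ext_type)
        pos += 4 + ext_len
    return found

def extension_diff(hello_a, hello_b):
    """Names of extensions offered in hello_a but absent from hello_b."""
    seen = set(client_hello_extensions(hello_b))
    return [EXT_NAMES.get(t, str(t)) for t in client_hello_extensions(hello_a) if t not in seen]

# Constructed samples: one hello offering the EC extensions, one without them.
CLIENT_LIKE = build_client_hello([(11, b"\x01\x00"), (10, b"\x00\x02\x00\x17"), (35, b"")])
PROBE_LIKE = build_client_hello([(35, b"")])
if __name__ == "__main__":
    print(extension_diff(CLIENT_LIKE, PROBE_LIKE))
```

To use it on real traffic, feed it the first TLS record of each TCP stream exported from the capture.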