
Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing



Is China successfully probing OBFS4 bridges? Or does this apply more to non obfs bridges?
On Sun, Aug 19, 2018 at 6:57 PM David Fifield <david@xxxxxxxxxxxxxxx> wrote:
A paper from FOCI 2018 by Arun Dunna, Ciarán O'Brien, and Phillipa Gill
on the subject of Tor bridge blocking in China has this interesting
suggestion (Section 5.2):

https://www.usenix.org/conference/foci18/presentation/dunna
        To do this, we write a series specific rules using iptables in
        order to drop packets from Chinese scanners. ... We use a rule
        to drop incoming Tor packets with an MSS of 1400. Further
        investigation would be needed to analyze potential false
        positives... We note that this method of dropping scan traffic
        successfully keeps our bridge relays from being blocked and
        allows our client in China to maintain access to the bridge.

Like https://github.com/NullHypothesis/brdgrd, surely this trick won't
work forever, but if you're setting up a new bridge, it's worth a try?

This is completely untested, but I think the iptables rule would look
something like this:
iptables -A INPUT --protocol tcp --dport [your-bridge-port] -m tcpmss --mss 1400 -j DROP

Then, after a while, check /var/lib/tor/stats/bridge-stats and see if
you have any connections from "cn".
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
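Two pieces of the procedure above can be exercised offline: the decision the iptables rule makes (match the bridge port, read the TCP MSS option from the SYN, drop when it equals 1400) and the later check of bridge-stats for "cn" entries. The following Python is an added example, not code from David Fifield's message or from the FOCI paper; it parses TCP options from constructed SYN segments and a constructed bridge-stats snippet, and the port and country counts in it are assumptions, not measurements.

```python
import struct

MSS_OPTION = 2          # TCP option kind 2 = Maximum Segment Size (RFC 793)
DROP_MSS = 1400         # value the paper associates with GFW scanners
TCP_FLAG_SYN = 0x02


def parse_tcp_options(segment: bytes) -> dict:
    """Return {option_kind: raw_data} from the options area of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = {}
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        opts[kind] = segment[i + 2:i + length]
        i += length
    return opts


def tcp_mss(segment: bytes):
    """MSS advertised in the segment, or None when no MSS option is present."""
    raw = parse_tcp_options(segment).get(MSS_OPTION)
    if raw is None or len(raw) != 2:
        return None
    return struct.unpack("!H", raw)[0]


def should_drop(segment: bytes, bridge_port: int) -> bool:
    """Mirror of 'iptables ... --dport <port> -m tcpmss --mss 1400 -j DROP'.

    Only SYN/SYN-ACK segments carry an MSS option, so data segments of an
    established connection never match, exactly as with the iptables rule.
    """
    dst_port = struct.unpack("!H", segment[2:4])[0]
    return dst_port == bridge_port and tcp_mss(segment) == DROP_MSS


def build_syn(src_port: int, dst_port: int, mss=None, wscale=None) -> bytes:
    """Construct a minimal TCP SYN (constructed test input, not captured traffic)."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", MSS_OPTION, 4, mss)
    if wscale is not None:
        options += struct.pack("!BBB", 3, 3, wscale)   # kind 3 = window scale
    while len(options) % 4:
        options += b"\x01"                              # pad with NOPs to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0)
    return header + options


def parse_bridge_ips(bridge_stats_text: str) -> dict:
    """Return {country_code: count} from the 'bridge-ips' line of a Tor bridge-stats file."""
    for line in bridge_stats_text.splitlines():
        if line.startswith("bridge-ips"):
            fields = line[len("bridge-ips"):].strip()
            if not fields:
                return {}
            return {cc: int(n) for cc, n in (item.split("=") for item in fields.split(","))}
    return {}


# Constructed bridge-stats excerpt (assumed values; Tor rounds these counts up to multiples of 8).
SAMPLE_BRIDGE_STATS = """\
bridge-stats-end 2018-08-20 12:00:00 (86400 s)
bridge-ips us=16,de=8,cn=8
bridge-ip-versions v4=24,v6=8
bridge-ip-transports obfs4=32
"""


def seen_from_china(bridge_stats_text: str) -> bool:
    """True when the stats show at least one client counted under 'cn'."""
    return parse_bridge_ips(bridge_stats_text).get("cn", 0) > 0


if __name__ == "__main__":
    port = 443                                          # assumed bridge port
    for label, seg in [("scanner-like", build_syn(40000, port, mss=1400)),
                       ("ordinary client", build_syn(40001, port, mss=1460, wscale=7))]:
        print(f"{label}: mss={tcp_mss(seg)} drop={should_drop(seg, port)}")
    print("cn clients seen:", seen_from_china(SAMPLE_BRIDGE_STATS))
```

The segment parser is the part worth keeping: it lets you replay a pcap's SYNs through the same predicate the rule applies and count how many legitimate clients would have been dropped, which is the false-positive question the paper leaves open.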