[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
From: Nathaniel Suchy <me@xxxxxxxxxxx>
Date: Tue, 21 Aug 2018 12:16:10 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 21 Aug 2018 12:16:35 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lunorian.is; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=yR7d0MMdg4jvNmjPc+tzskPU4tmXcq3qVpGUmwkGHTM=; b=ZURt3WtGKXv4q8tMpNdWGUqj3L5WmgxRtOTi8kbEhEuqam4OYkpCqjfCQ/uznGy695 FVVztvJFBnfTBsNZKL1/YYsyELiKpKyE9al7U172ZM7VweUygS9fHiDbEZkbKjBc85qH nPUVIJbCVzQxmu1VfnUS4whOPGFbVkxyk1r7bWjgpoLZQwJOkCZ9HwEINazUvilVkcKd Q9S/2YfvExXNIfSHY3EZj4y26QarhEU2BzWDL5WQD9RVLVOiNP5Qqk3+Qz4fv/WEP6Ic jGow4yrMmcO24EHWzn8YROP3ju1Y62PyGNReYb4AjaWKEYWVexNsHglBPT4/UPkkSyli Q+LA==
In-reply-to: <20180821153646.3ysxpr663ehnir2g@bamsoftware.com>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <20180819225708.7somazpgjr7y63sv@bamsoftware.com> <CAKNc95Fq0iH5p88EH9QzvT7CyOTJv5f32LhPQR1PkMUkB3mO0A@mail.gmail.com> <20180820181553.kqgqm6hsguuw7wcy@bamsoftware.com> <CAKNc95GGtH+iM5SrJy-Nt5z5AsL9fYKba7iqr7zLnh2OCXz2Ow@mail.gmail.com> <20180821153646.3ysxpr663ehnir2g@bamsoftware.com>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi David,

Couldn't I firewall the non-obfs port so only looback addresses may access it?

Cordially,

Nathaniel Suchy

On Tue, Aug 21, 2018 at 11:37 AM David Fifield <david@xxxxxxxxxxxxxxx> wrote:

On Mon, Aug 20, 2018 at 02:25:40PM -0400, Nathaniel Suchy wrote:
> Interesting. Is there any reason to not use an obfuscated bridge?

No, not really. obfs4 resists active probing without any special
additional steps. But I can think of one reason why the MSS trick is
worth trying, anyway. Due to a longstanding bug (really more of a design
issue that's hard to repair), you can't run an obfs4 bridge without also
running a vanilla (unobfuscated) bridge on a different port on the same
IP address. So if anyone ever connects to that vanilla port, the bridge
will get probed and the entire IP address blocked, including the obfs4
port.
https://bugs.torproject.org/7349
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
  - From: teor

References:
- [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
  - From: David Fifield
- Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
  - From: Nathaniel Suchy
- Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
  - From: David Fifield
- Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
  - From: Nathaniel Suchy
- Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
  - From: David Fifield

Prev by Author: Re: [tor-relays] Exit in Turkey blocking torproject (komm EA93C), BadExit, Node Subscription Services, Censorship
Next by Author: [tor-relays] Snowflake PT
Previous by thread: Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
Next by thread: Re: [tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing
Index(es):
- Author
- Thread