Is China successfully probing OBFS4 bridges? Or does this apply more to non-obfs bridges?<br><div class="gmail_quote"><div dir="ltr">On Sun, Aug 19, 2018 at 6:57 PM David Fifield &lt;<a href="mailto:david@bamsoftware.com">david@bamsoftware.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">A paper from FOCI 2018 by Arun Dunna, Ciarán O'Brien, and Phillipa Gill<br>
on the subject of Tor bridge blocking in China has this interesting<br>
suggestion (Section 5.2):<br>
<br>
<a href="https://www.usenix.org/conference/foci18/presentation/dunna" rel="noreferrer" target="_blank">https://www.usenix.org/conference/foci18/presentation/dunna</a><br>
        To do this, we write a series specific rules using iptables in<br>
        order to drop packets from Chinese scanners. ... We use a rule<br>
        to drop incoming Tor packets with an MSS of 1400. Further<br>
        investigation would be needed to analyze potential false<br>
        positives... We note that this method of dropping scan traffic<br>
        successfully keeps our bridge relays from being blocked and<br>
        allows our client in China to maintain access to the bridge.<br>
<br>
Like <a href="https://github.com/NullHypothesis/brdgrd" rel="noreferrer" target="_blank">https://github.com/NullHypothesis/brdgrd</a>, surely this trick won't<br>
work forever, but if you're setting up a new bridge, it's worth a try?<br>
<br>
This is completely untested, but I think the iptables rule would look<br>
something like this:<br>
iptables -A INPUT --protocol tcp --dport [your-bridge-port] -m tcpmss --mss 1400 -j DROP<br>
<br>
Then, after a while, check /var/lib/tor/stats/bridge-stats and see if<br>
you have any connections from "cn".<br>
_______________________________________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
</blockquote></div>
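The "check bridge-stats for cn" step from the quoted message, as an added example that is not part of the thread. It assumes Tor's documented bridge-stats format, in which the `bridge-ips` counts are rounded up to the nearest multiple of 8; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in Tor's bridge-stats format (not from a real bridge).
sample_stats() {
cat <<'EOF'
bridge-stats-end 2018-08-20 18:57:00 (86400 s)
bridge-ips cn=8,de=16,us=24
bridge-ip-versions v4=48,v6=0
bridge-ip-transports obfs4=48
EOF
}

# country_count FILE CC: print the bridge-ips count for country code CC,
# or 0 if that country does not appear. Uses the last bridge-ips line.
country_count() {
    awk -v cc="$2" '
        $1 == "bridge-ips" { line = $2 }
        END {
            n = split(line, pairs, ",")
            count = 0
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                if (kv[1] == cc) count = kv[2]
            }
            print count + 0
        }' "$1"
}

# client_range COUNT: counts are rounded up to a multiple of 8, so a
# reported 8 means 1-8 unique addresses, 16 means 9-16, and so on.
client_range() {
    if [ "$1" -eq 0 ]; then
        echo "none"
    else
        echo "$(( $1 - 7 ))-$1"
    fi
}

# Usage: pass /var/lib/tor/stats/bridge-stats as the first argument;
# with no argument the constructed sample above is used.
stats="${1:-}"
if [ -z "$stats" ]; then
    stats=$(mktemp)
    sample_stats > "$stats"
fi
n=$(country_count "$stats" cn)
echo "cn: reported=$n, unique addresses in period: $(client_range "$n")"
```

Because of the rounding, a reported `cn=8` only shows that at least one address geolocated to China connected during the period, so compare the value across several stats periods rather than reading a single one.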