On 17 Aug 2016, at 00:14, George Kadianakis desnacked@riseup.net wrote:
David Fifield david@bamsoftware.com writes:
[ text/plain ] Lynn Tsai and I just published a report on the blocking of Tor Browser's default obfs4 bridges. https://www.bamsoftware.com/proxy-probe/ https://www.usenix.org/system/files/conference/foci16/foci16-paper-fifield.p... One of the things we found is that the Great Firewall of China blocks the default bridges--but it takes a little while after release for them to do it. We saw delays as short as 2 days and as long as 36 days. We also found that when they block a bridge, they don't block the whole IP address; they just block a single port and other ports on the same IP remain accessible.
We can take advantage of these peculiarities by opening additional obfs4 ports on the default bridges, and changing the port numbers on each release. We'd keep the old ports open for people who haven't upgraded yet, but those who upgrade will start using the new ports. This way, we can make the bridges temporarily reachable after each new release--at least until the censors figure out what we're doing and start blocking more aggressively.
This is pretty easy to do on the bridge operators' part. They just need to forward a range of ports to their existing obfs4 port, something like this: iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 50000:50009 -j REDIRECT --to-port <obfs4port> Then, the Tor Browser developers can choose a fresh port in each new release.
Hey David,
sounds like an easy idea worth trying.
I ran the above iptables command on LeifEricson. Let me know if it doesn't work.
I wonder why censors are afraid of blocking the whole IP address…
Here's some speculation:
It could be situational: APNIC simply doesn't have that many IP addresses to go around, and Australia/NZ snarfed up a lot of them early on. So they may want to minimise blocking, to avoid impacting other services.
The simplest explanation is that they can identify IP/Port, and so they block IP/Port.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org