[tor-bugs] #4185 [Tor Bridge]: Bridge easily detected by GFW

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Jan 3 10:48:54 UTC 2012


#4185: Bridge easily detected by GFW
------------------------+---------------------------------------------------
 Reporter:  hrimfaxi    |          Owner:                    
     Type:  defect      |         Status:  new               
 Priority:  normal      |      Milestone:  Tor: unspecified  
Component:  Tor Bridge  |        Version:  Tor: 0.2.3.5-alpha
 Keywords:  blocking    |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by asn):

 > Checked several IPs of them, it seems that most of them are dynamic IP
 > addresses of DSL and PPP running a variety of OS, from Windows 2003 with
 > Terminal Service, Linux with MySQL, cheap home router.
 >

 Seems so, indeed. Fucked up, isn't it?
 It seems like none of their probers is an actual dedicated server probing
 box...

 > Some questions:
 > a) After the SSL negotiation, do the GFW probes also send an HTTP
 > request or just finish the SSL handshake and close it?
 >

 There are two kinds of probes: 'Garbage probing' and 'Tor probing'.

 In 'Garbage probing', the prober connects and spits a "random" blob of
 data to the host, a la: http://www.nsc.liu.se/~nixon/sshprobes.html

 In 'Tor probing', the prober connects, does an SSL handshake, does an
 SSL renegotiation and then speaks the Tor protocol. Specifically, the
 Tor probers we managed to capture build a one-hop circuit and send a
 BEGIN_DIR cell, like Tor clients are supposed to do. When the bridge
 replies with its descriptor, the prober hangs up.

 > b) Does the prober announce a specific/detectable set of SSL/TLS
 > version/ciphers?
 >

 The SSL handshakes of probers seem similar to the SSL handshake of Tor
 clients.

 The cipher list (also, see #4744) is the same, and they both have the
 same fake 'server_name' extension. What is different is that probers
 don't seem to have the ECC TLS extensions, which I '''think''' are
 added automatically by new versions of OpenSSL (still, probers seem to
 have the RI ciphersuite, which is also added automatically by new
 versions of OpenSSL).

 > c) Has anyone checked actively with OS fingerprinting tools if the
 > "prober's OS" can be recognized?

 We did some checks. There seems to be a mixture of Windows and Linux
 machines.

 I've noticed that some of the machines had IIS running.

 Also, some probers [1] are using a source port that is not in the
 ephemeral port range of modern OSes (usually higher than TCP port
 20000), which hints at Windows XP [2].

 > Would it be possible that the detection comes from some predictable
 > guessing of the Common Name and Certificate Chain?
 >
 > Connecting via OpenSSL to a Tor Server I see:
 > Certificate chain
 >
 >     0 s:/CN=www.zb42yfn4kbhtd.net
 >
 >         i:/CN=www.noyz3wih.com
 >
 > Is the way those fields get generated guessable by Active Probing
 > and/or passive analysis?
 >

 Sure. Although, it seems like the current probes are caused by the
 cipher list (see #4744). Also, see proposal 179.

 [0]:
 This is an example prober SSL handshake:
 {{{
     TLSv1 Record Layer: Handshake Protocol: Client Hello
         Content Type: Handshake (22)
         Version: TLS 1.0 (0x0301)
         Length: 139
         Handshake Protocol: Client Hello
             Handshake Type: Client Hello (1)
             Length: 135
             Version: TLS 1.0 (0x0301)
             Random
                 gmt_unix_time: Dec  9, 2011 07:18:12.000000000 CET
                 random_bytes: 2ade076693d5ecf217d0fc3cfb0e6d1c9cb03f81358b2534...
             Session ID Length: 0
             Cipher Suites Length: 58
             Cipher Suites (29 suites)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                 Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                 Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                 Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                 Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                 Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                 Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                 Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                 Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                 Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                 Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                 Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
             Compression Methods Length: 1
             Compression Methods (1 method)
                 Compression Method: null (0)
             Extensions Length: 36
             Extension: server_name
                 Type: server_name (0x0000)
                 Length: 28
                 Data (28 bytes)
             Extension: SessionTicket TLS
                 Type: SessionTicket TLS (0x0023)
                 Length: 0
                 Data (0 bytes)
 }}}

 [1]:
 2011-12-05 18:26:58.839414 : 218.10.51.83:1629
 2011-12-05 18:26:58.839469 |

 [2]:
 http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html#Windows

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4185#comment:27>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
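As an added illustration (not code from the ticket, Tor, or asn), here are the two signals described in the comment above, the Tor-client cipher list sent without ECC extensions and a source port below the ephemeral range of modern OSes, checked against a ClientHello parsed from raw bytes; the handshake bytes are constructed from the dump above with a placeholder SNI hostname, and the `build_client_hello`/`parse_client_hello`/`looks_like_prober` helpers are assumptions of this example, not Tor code.

```python
import struct

# The 29 cipher suites from the prober ClientHello dump above, in order.
PROBER_SUITES = [
    0xc00a, 0xc014, 0x0039, 0x0038, 0xc00f, 0xc005, 0x0035, 0xc007, 0xc009,
    0xc011, 0xc013, 0x0033, 0x0032, 0xc00c, 0xc00e, 0xc002, 0xc004, 0x0004,
    0x0005, 0x002f, 0xc008, 0xc012, 0x0016, 0x0013, 0xc00d, 0xc003, 0xfeff,
    0x000a, 0x00ff,
]
EXT_SERVER_NAME, EXT_EC_CURVES, EXT_EC_POINTS, EXT_SESSION_TICKET = 0, 10, 11, 35

def build_client_hello(suites, extensions):
    """Serialise a TLS 1.0 ClientHello record; used here only to construct test input."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x01" + b"\x00" * 32 + b"\x00"            # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (cipher suite ids, extension type ids) parsed from a ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 5 + 4 + 2 + 32                     # record header, handshake header, version, random
    p += 1 + rec[p]                        # session id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[p + i:p + i + 2])[0] for i in range(0, n, 2)]; p += n
    p += 1 + rec[p]                        # compression methods
    exts = []
    if p < len(rec):                       # extensions block is optional
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
        while p < end:
            t, l = struct.unpack("!HH", rec[p:p + 4]); exts.append(t); p += 4 + l
    return suites, exts

def looks_like_prober(rec, src_port):
    """Signals from the comment: Tor-like cipher list and server_name but no ECC
    extensions, and a source port below the ephemeral range of modern OSes (>20000)."""
    suites, exts = parse_client_hello(rec)
    no_ecc = not ({EXT_EC_CURVES, EXT_EC_POINTS} & set(exts))
    tls_match = suites == PROBER_SUITES and EXT_SERVER_NAME in exts and no_ecc
    return {"tls_fingerprint": tls_match, "low_source_port": src_port < 20000}

# Constructed samples: the SNI hostname is a placeholder padded to the dump's 28-byte size.
SNI = struct.pack("!HBH", 26, 0, 23) + b"www.abcdefghijklmno.com"
PROBER_HELLO = build_client_hello(PROBER_SUITES, [(EXT_SERVER_NAME, SNI), (EXT_SESSION_TICKET, b"")])
CLIENT_HELLO = build_client_hello(PROBER_SUITES, [(EXT_SERVER_NAME, SNI), (EXT_EC_CURVES, b"\x00\x02\x00\x17"),
                                                 (EXT_EC_POINTS, b"\x01\x00"), (EXT_SESSION_TICKET, b"")])
```

The constructed prober record reproduces the dump's lengths (record 139, handshake 135, 58 bytes of suites, 36 bytes of extensions); a client that also sends elliptic_curves/ec_point_formats is not flagged on the TLS signal.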
