[tor-bugs] #8591 [Censorship analysis]: GFW actively probes obfs2 bridges

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Apr 19 15:42:40 UTC 2015


#8591: GFW actively probes obfs2 bridges
-------------------------+-------------------------------------------------
     Reporter:  phw      |      Owner:  phw
         Type:  task     |     Status:  new
     Priority:  normal   |  Milestone:
    Component:           |    Version:
  Censorship analysis    |   Keywords:  obfs2, gfw, active probing,
   Resolution:           |  censorship, china
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by dcf):

 Replying to [comment:11 phw]:
 > David has even seen probes targeting telnet and plain-text HTTP.

 I received my first obfs2 probes on 2013-01-23, about two months before
 the opening of this ticket. On that day, probes were sent to port 25
 (smtp) and port 80 (http). Here are the first few probes and their
 timestamps.
 {{{
 2013-01-23 00:36:35     smtp    obfs2
 2013-01-23 00:37:35     smtp    obfs2
 2013-01-23 04:47:16     http    obfs2
 2013-01-23 05:04:02     http    obfs2
 2013-01-24 00:40:27     smtp    obfs2
 2013-01-24 05:21:39     http    obfs2
 2013-01-24 16:02:25     http    obfs2
 2013-01-24 16:02:28     http    obfs2
 2013-01-29 01:28:45     smtp    obfs2
 2013-01-29 08:03:05     http    obfs2
 2013-02-01 03:51:34     smtp    obfs2
 2013-02-01 03:51:36     smtp    obfs2
 }}}
 I now know that obfs2 probes have also been sent to (at least) port 22
 (ssh), port 23 (telnet), and port 443 (https). My ssh logs do not go back
 that far, port 23 was not open at the time, and obfs2 sent to the https
 port would not survive the TLS handshake to be logged.

 Shortly after that, the server started receiving dozens of probes daily.
 {{{
 2013-01-23     4
 2013-01-24     4
 2013-01-25     0
 2013-01-26     0
 2013-01-27     0
 2013-01-28     0
 2013-01-29     2
 2013-01-30     0
 2013-01-31     0
 2013-02-01     6
 2013-02-02     0
 2013-02-03     2
 2013-02-04    33
 2013-02-05    34
 2013-02-06    27
 2013-02-07    25
 2013-02-08    16
 2013-02-09    21
 2013-02-10    22
 }}}

 The server did not then, nor has it ever, run obfs2. It has been a vanilla
 bridge since January 2011.
 https://globe.torproject.org/#/bridge/272EB44C8992B8088BD8E8A12DB23B56478EB885
 obfs2 probing continues to the present.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8591#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

