[tor-bugs] #15198 [Censorship analysis]: Cyberoam blocking connections to Tor

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Mar 9 22:20:37 UTC 2015


#15198: Cyberoam blocking connections to Tor
-------------------------------------+----------------------
     Reporter:  ioerror              |      Owner:
         Type:  defect               |     Status:  new
     Priority:  normal               |  Milestone:
    Component:  Censorship analysis  |    Version:
   Resolution:                       |   Keywords:  cyberoam
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+----------------------

Comment (by yawning):

 With what I believe to be an uncensored residential connection, one of the
 3 scramblesuit bridges is down (`194.xxx.xxx.xxx:8455`), the rest
 bootstrap fully.  For the record, it's not a great idea to paste full
 bridge configs like that but oh well, at least I can test them.  If the
 bad guys follow all of our track, that's a bunch of bridges burnt....

 > it filters connections by protocol, ip address and port number - I
 > haven't yet fingerprinted the device upstream but I'll add information as
 > I find it.

 Looking at the pcap file:

  * `tcp.stream eq 0` (<-> `198.xxx.xxx.xxx:32784`), SYN and 4 SYN
 retransmissions.  No SYN/ACK.
  * `tcp.stream eq 1` (<-> `194.xxx.xxx.xxx:8455`), SYN and 4 SYN
 retransmissions.  No SYN/ACK.  This is to be expected as the bridge
 appears to be down, or at least not accepting any scramblesuit traffic.
  * `tcp.stream eq 2` (<-> `95.xxx.xxx.xxx:57584`), SYN and 4 SYN
 retransmissions.  No SYN/ACK.

 So, yes.  All the PTs are getting caught either by a destination IP or
 destination port filter, and no DPI is involved.  You could try
 scramblesuit, obfs3 and obfs4 to bridges that are running on 443, but all
 of those protocols are clearly identifiable as "not TLS" so I would be
 doubtful that would work unless the box is terrible.

 Meek should work if the box doesn't do TLS MITM.  You could also try using
 meek without the domain fronting if they do do HTTPS MITM (as in all your
 traffic just gets jammed into HTTP requests).  It's blatantly obvious,
 trivial to block, and if your threat model includes "thugs at the door for
 using Tor", it would be a really bad idea, but it's an option.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15198#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
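A small classifier for the pcap triage done in the comment above (added here as an example, not code from the ticket or from the Tor Project). It assumes the capture was exported with the tshark field list shown in the header comment; the rows and addresses are constructed.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample, not the ticket's pcap. Row shape assumes an export like
#   tshark -r capture.pcap -T fields -E separator=, -e tcp.stream -e ip.src \
#       -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
SAMPLE = """\
0,10.0.0.5,40001,198.51.100.10,32784,0x002
0,10.0.0.5,40001,198.51.100.10,32784,0x002
0,10.0.0.5,40001,198.51.100.10,32784,0x002
0,10.0.0.5,40001,198.51.100.10,32784,0x002
0,10.0.0.5,40001,198.51.100.10,32784,0x002
1,10.0.0.5,40002,203.0.113.7,443,0x002
1,203.0.113.7,443,10.0.0.5,40002,0x012
1,10.0.0.5,40002,203.0.113.7,443,0x018
1,203.0.113.7,443,10.0.0.5,40002,0x004
2,10.0.0.5,40003,203.0.113.8,443,0x002
2,203.0.113.8,443,10.0.0.5,40003,0x012
2,10.0.0.5,40003,203.0.113.8,443,0x018
2,203.0.113.8,443,10.0.0.5,40003,0x018
"""

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10  # tcp.flags bit values

def classify_streams(text):
    """Map each tcp.stream id to a verdict about where the block happens."""
    streams = defaultdict(list)
    for sid, src, _sport, _dst, _dport, flags in csv.reader(StringIO(text)):
        streams[sid].append((src, int(flags, 16)))
    verdicts = {}
    for sid, pkts in streams.items():
        client = pkts[0][0]  # whoever sent the first packet (the SYN)
        syns = sum(1 for s, f in pkts if s == client and f & SYN and not f & ACK)
        synack = any(s != client and f & SYN and f & ACK for s, f in pkts)
        srv_rst = any(s != client and f & RST for s, f in pkts)
        srv_data = any(s != client and f & PSH for s, f in pkts)
        if not synack:
            # SYNs vanish before any payload is sent: IP/port filter or dead peer, not DPI
            verdicts[sid] = f"SYN plus {syns - 1} retransmissions, no SYN/ACK: ip/port filter or peer down"
        elif srv_rst and not srv_data:
            # handshake completed, reset arrived once the client sent data: payload was inspected
            verdicts[sid] = "handshake ok, reset after first client data: dpi-style block"
        else:
            verdicts[sid] = "handshake and data both ways: not blocked"
    return verdicts
if __name__ == "__main__":
    for sid, verdict in sorted(classify_streams(SAMPLE).items()):
        print(f"tcp.stream eq {sid}: {verdict}")
```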