[tor-bugs] #33666 [Circumvention/Snowflake]: Investigate Snowflake proxy failures

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 31 18:20:30 UTC 2020 

#33666: Investigate Snowflake proxy failures
-------------------------------------+------------------------
 Reporter:  cohosh                   |          Owner:  (none)
     Type:  defect                   |         Status:  new
 Priority:  High                     |      Milestone:
Component:  Circumvention/Snowflake  |        Version:
 Severity:  Normal                   |     Resolution:
 Keywords:                           |  Actual Points:
Parent ID:  #19001                   |         Points:
 Reviewer:                           |        Sponsor:
-------------------------------------+------------------------

Comment (by cohosh):

 I wrote the attached stun.lua script to parse pcap files collected from
 some old snowflake network health measurements from #32545.

 These capture files were generated by trying to bootstrap a Tor connection
 through snowflake 100 times. Each time the broker will hand the client a
 different snowflake to connect through. The lua script attempts to figure
 out the ip address of the snowflake and records whether or not NAT
 punching succeeded.

 For all of the snowflakes that the client fails to connect to, I noticed
 the following:
 - the client successfully receives an answer from the broker, meaning ICE
 candidate gathering succeeded at the snowflake
 - snowflakes always produce a non-local address. A geolocation of these IP
 addresses show they aren't necessarily in countries that practice
 censorship (I checked this after noticing we have stats that show
 snowflakes in e.g., China). In fact some of the failing snowflakes were in
 Germany, the US, and the UK.
 - the client successfully sent a Binding Request to the snowflake, but
 never receives a Binding Request from the snowflake or a Binding Success
 Response.

 This is a bit suspicious. If it was a firewall issue at the snowflake
 proxy's end, I would expect their firewall to allow outgoing STUN Binding
 Request packets to the client, since presumably it already allowed
 outgoing STUN packets to the STUN server in order to perform the ICE
 candidate collection. If it was a firewall issue on the client side, I
 would expect all snowflakes to fail.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33666#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list