[tor-dev] brdgrd: Protecting bridges from the GFC

Philipp Winter identity.function at gmail.com
Tue Apr 3 10:00:46 UTC 2012


Hi,

I've been working on a small tool whose purpose is to protect bridges
from the Chinese firewall. The tool runs independently of Tor and
analyzes/rewrites SYNs and SYN/ACKs which it gets with the help of
libnetfilter_queue. It is quick and easy to set up and can be run by
bridge operators.

Basically, the tool achieves two things:
- Evading the Chinese DPI engine by rewriting the TCP window size
  during the TCP handshake. This leads to a fragmented cipher list
  which does not seem to be recognized by the GFC.
- Blocking scanners with two dirty hacks.

I did not have a lot of time to test it yet but I've found the window
size rewriting to be particularly effective (yet ugly). It worked with
Windows {XP, 7} and recent Linux boxes. The scanner blocking strategies
are not that effective since they imply many false positives, i.e.,
legitimate users being locked out.

Before showing this to a broader audience, I need some people looking at
the code, though. The code, just 600 lines of C, is available at:
https://github.com/NullHypothesis/brdgrd/

Cheers,
Philipp
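
The window rewriting described in the message above, sketched as an added example; this is not code from brdgrd or from the original post. A small advertised window in the SYN/ACK makes the client split its first data across several segments. The names `clamp_synack_window`, `tcp_sum` and `demo_rewrite` are hypothetical, the sample packet is constructed, and the code assumes an unfragmented IPv4 packet whose buffer length matches the IP total length.

```c
#include <stddef.h>
#include <stdint.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return s; }

/* One's-complement sum over the TCP pseudo-header and segment.
 * Equals 0xffff when the checksum stored in the segment is valid. */
static uint16_t tcp_sum(const uint8_t *ip, size_t ihl, size_t len)
{
    uint32_t s = 6 + (uint32_t)(len - ihl);          /* protocol + TCP length */
    size_t i;
    for (i = 12; i < 20; i += 2) s += rd16(ip + i);  /* src and dst address */
    for (i = ihl; i + 1 < len; i += 2) s += rd16(ip + i);
    if (i < len) s += (uint32_t)ip[i] << 8;          /* odd trailing byte */
    return (uint16_t)fold(s);
}

/* Rewrite the advertised window of an IPv4 SYN/ACK and patch the TCP checksum
 * incrementally (RFC 1624). Returns 1 if rewritten, 0 if left untouched. */
int clamp_synack_window(uint8_t *ip, size_t len, uint16_t new_win)
{
    if (len < 20 || (ip[0] >> 4) != 4 || ip[9] != 6) return 0;  /* IPv4 + TCP only */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;        /* truncated headers */
    uint8_t *tcp = ip + ihl;
    if ((tcp[13] & 0x17) != 0x12) return 0;          /* need SYN+ACK, no FIN/RST */
    uint32_t s = (uint16_t)~rd16(tcp + 16);          /* ~HC */
    s += (uint16_t)~rd16(tcp + 14);                  /* + ~old window */
    wr16(tcp + 16, (uint16_t)~fold(s + new_win));    /* HC' = ~(~HC + ~m + m') */
    wr16(tcp + 14, new_win);
    return 1;
}

/* Constructed 40-byte sample (192.0.2.1:443 -> 198.51.100.7, window 65535).
 * Returns the new window, -1 if not rewritten, -2 if the checksum broke. */
int demo_rewrite(uint8_t flags, uint16_t new_win)
{
    uint8_t p[40] = {0x45,0,0,40, 0,0,0x40,0, 64,6,0,0, 192,0,2,1, 198,51,100,7,
                     0x01,0xbb,0xc3,0x50, 0,0,0,1, 0,0,0,2, 0x50,0x12,0xff,0xff, 0,0,0,0};
    p[33] = flags;
    wr16(p + 36, (uint16_t)~tcp_sum(p, 20, sizeof p));   /* valid original checksum */
    if (!clamp_synack_window(p, sizeof p, new_win)) return -1;
    return tcp_sum(p, 20, sizeof p) == 0xffff ? rd16(p + 34) : -2;
}

int main(void) { return demo_rewrite(0x12, 60) == 60 ? 0 : 1; }
```

How the packet reaches such a function (the post uses libnetfilter_queue) is outside this sketch.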

