[tor-project] Proposal: rotate default bridge ports each release

David Fifield david at bamsoftware.com
Tue Aug 16 04:45:05 UTC 2016

Lynn Tsai and I just published a report on the blocking of Tor Browser's
default obfs4 bridges.
One of the things we found is that the Great Firewall of China blocks
the default bridges--but it takes a little while after release for them
to do it. We saw delays as short as 2 days and as long as 36 days. We
also found that when they block a bridge, they don't block the whole IP
address; they just block a single port and other ports on the same IP
remain accessible.

We can take advantage of these peculiarities by opening additional obfs4
ports on the default bridges, and changing the port numbers on each
release. We'd keep the old ports open for people who haven't upgraded
yet, but those who upgrade will start using the new ports. This way, we
can make the bridges temporarily reachable after each new release--at
least until the censors figure out what we're doing and start blocking
more aggressively.

This is pretty easy to do on the bridge operators' part. They just need
to forward a range of ports to their existing obfs4 port, something like
	iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 50000:50009 -j REDIRECT --to-port <obfs4port>
Then, the Tor Browser developers can choose a fresh port in each new
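
The port rotation described above, as an added example that is not part of the original post or of any Tor Project code: it fills in the operator's iptables rule for a bridge and, on the Tor Browser side, rewrites an obfs4 bridge line to the next forwarded port each release. It assumes the standard bridge-line format ("obfs4 IP:PORT FINGERPRINT cert=... iat-mode=..."), that ports are walked lowest-first and never reused once published (the post does not say how the fresh port is chosen), and uses a constructed placeholder bridge.

```python
import re

# Port range the bridge operator redirects to the real obfs4 port with the
# iptables rule in the post (--dports 50000:50009).
FORWARDED_PORTS = range(50000, 50010)

# Tor Browser bridge line shape: "obfs4 IP:PORT FINGERPRINT cert=... iat-mode=..."
BRIDGE_RE = re.compile(r"^(obfs4) (\S+):(\d+) (.*)$")

# Constructed sample; address, fingerprint and cert are placeholders, not a real bridge.
SAMPLE_BRIDGE = ("obfs4 192.0.2.10:4443 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "
                 "cert=PLACEHOLDERCERT iat-mode=0")


def iptables_rule(obfs4_port, iface="eth0"):
    """Operator side: the redirect rule from the post, filled in for this bridge."""
    return ("iptables -A PREROUTING -t nat -i %s -p tcp --match multiport "
            "--dports %d:%d -j REDIRECT --to-port %d"
            % (iface, FORWARDED_PORTS[0], FORWARDED_PORTS[-1], obfs4_port))


def next_port(published):
    """Tor Browser side: lowest forwarded port not yet shipped in a release.
    Every previously published port is treated as potentially blocked and is
    never reused. Returns None once the range is exhausted (assumption: the
    operator then widens the range; the client does not wrap around)."""
    for port in FORWARDED_PORTS:
        if port not in published:
            return port
    return None


def rotate_bridge_line(line, published):
    """Return (new_line, new_port) with the port swapped for a fresh forwarded
    port; raises if the line is not obfs4 or all forwarded ports are used up."""
    m = BRIDGE_RE.match(line)
    if not m:
        raise ValueError("not an obfs4 bridge line: %r" % line)
    transport, host, old_port, rest = m.groups()
    # The port currently in the line counts as published too.
    port = next_port(set(published) | {int(old_port)})
    if port is None:
        raise RuntimeError("all forwarded ports already published for %s" % host)
    return "%s %s:%d %s" % (transport, host, port, rest), port


if __name__ == "__main__":
    published = []
    line = SAMPLE_BRIDGE
    print(iptables_rule(4443))
    for release in range(3):  # simulate three consecutive releases
        line, port = rotate_bridge_line(line, published)
        published.append(port)
        print("release %d: %s" % (release + 1, line))
```

With ten forwarded ports the scheme buys ten releases before the range must be widened, which is the limit the post's "until the censors figure out what we're doing" caveat points at.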

