[tor-project] Proposal: rotate default bridge ports each release

teor teor2345 at gmail.com
Wed Aug 17 00:00:57 UTC 2016

> On 17 Aug 2016, at 00:14, George Kadianakis <desnacked at riseup.net> wrote:
> David Fifield <david at bamsoftware.com> writes:
>> Lynn Tsai and I just published a report on the blocking of Tor Browser's
>> default obfs4 bridges.
>> 	https://www.bamsoftware.com/proxy-probe/
>> 	https://www.usenix.org/system/files/conference/foci16/foci16-paper-fifield.pdf
>> One of the things we found is that the Great Firewall of China blocks
>> the default bridges--but it takes a little while after release for them
>> to do it. We saw delays as short as 2 days and as long as 36 days. We
>> also found that when they block a bridge, they don't block the whole IP
>> address; they just block a single port and other ports on the same IP
>> remain accessible.
>> We can take advantage of these peculiarities by opening additional obfs4
>> ports on the default bridges, and changing the port numbers on each
>> release. We'd keep the old ports open for people who haven't upgraded
>> yet, but those who upgrade will start using the new ports. This way, we
>> can make the bridges temporarily reachable after each new release--at
>> least until the censors figure out what we're doing and start blocking
>> more aggressively.
>> This is pretty easy to do on the bridge operators' part. They just need
>> to forward a range of ports to their existing obfs4 port, something like
>> this:
>> 	iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 50000:50009 -j REDIRECT --to-port <obfs4port>
>> Then, the Tor Browser developers can choose a fresh port in each new
>> release.
> Hey David,
> sounds like an easy idea worth trying.
> I ran the above iptables command on LeifEricson. Let me know if it doesn't work.
> I wonder why censors are afraid of blocking the whole IP address…

Here's some speculation:

It could be situational: APNIC simply doesn't have that many IP addresses to go around, and Australia/NZ snarfed up a lot of them early on. So they may want to minimise blocking, to avoid impacting other services.

The simplest explanation is that they can identify IP/Port, and so they block IP/Port.


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
xmpp: teor at torproject dot org
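The port-range redirect and per-release port rotation described in David's quoted message, as an added example that is not code from the thread: it builds the iptables rule, picks the port for a given release, and checks a constructed `iptables -t nat -S PREROUTING` listing to confirm the chosen port is actually redirected to the obfs4 listener. The interface `eth0`, the obfs4 port 443 and the listing itself are assumptions.

```python
import re

# Constructed sample of `iptables -t nat -S PREROUTING` on a bridge that applied
# the rule from the thread. Port 443 as the obfs4 listener is an assumption.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m multiport --dports 50000:50009 -j REDIRECT --to-ports 443
"""

# Matches a multiport REDIRECT rule as printed by `iptables -S` (--to-ports form).
RULE_RE = re.compile(
    r"-A PREROUTING .*?-p tcp .*?--dports (?P<ports>[\d:,]+) -j REDIRECT --to-ports (?P<target>\d+)"
)


def iptables_rule(iface, lo, hi, obfs4_port):
    """The operator-side rule from the thread: forward lo..hi to the obfs4 port."""
    return (f"iptables -A PREROUTING -t nat -i {iface} -p tcp --match multiport "
            f"--dports {lo}:{hi} -j REDIRECT --to-port {obfs4_port}")


def release_port(base, count, release_index):
    """Rotation schedule: release n uses base + (n mod count), wrapping over the range."""
    return base + release_index % count


def parse_redirects(listing):
    """Return [(set_of_forwarded_ports, target_port), ...] for each REDIRECT rule."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        ports = set()
        for part in m.group("ports").split(","):  # multiport allows "a:b" ranges and lists
            if ":" in part:
                lo, hi = (int(x) for x in part.split(":"))
                ports.update(range(lo, hi + 1))
            else:
                ports.add(int(part))
        rules.append((ports, int(m.group("target"))))
    return rules


def port_is_redirected(listing, port, obfs4_port):
    """Pre-release check: is `port` forwarded to the obfs4 listener on this bridge?"""
    return any(port in ports and target == obfs4_port
               for ports, target in parse_redirects(listing))
```

Run the check against the bridge's live listing before a release ships, so the fresh port is not advertised while the redirect is missing.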
