[tor-project] Proposal: rotate default bridge ports each release

David Fifield david at bamsoftware.com
Tue Aug 30 22:44:39 UTC 2016

On Mon, Aug 15, 2016 at 09:45:05PM -0700, David Fifield wrote:
> Lynn Tsai and I just published a report on the blocking of Tor Browser's
> default obfs4 bridges.
> 	https://www.bamsoftware.com/proxy-probe/
> 	https://www.usenix.org/system/files/conference/foci16/foci16-paper-fifield.pdf
> One of the things we found is that the Great Firewall of China blocks
> the default bridges--but it takes a little while after release for them
> to do it. We saw delays as short as 2 days and as long as 36 days. We
> also found that when they block a bridge, they don't block the whole IP
> address; they just block a single port and other ports on the same IP
> remain accessible.
> We can take advantage of these peculiarities by opening additional obfs4
> ports on the default bridges, and changing the port numbers on each
> release. We'd keep the old ports open for people who haven't upgraded
> yet, but those who upgrade will start using the new ports. This way, we
> can make the bridges temporarily reachable after each new release--at
> least until the censors figure out what we're doing and start blocking
> more aggressively.
> This is pretty easy to do on the bridge operators' part. They just need
> to forward a range of ports to their existing obfs4 port, something like
> this:
> 	iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 50000:50009 -j REDIRECT --to-port <obfs4port>
> Then, the Tor Browser developers can choose a fresh port in each new
> release.

The following bridges have each opened up 10 additional obfs4 ports,
through which we can begin rotating in the next release:

Do any other bridge operators want to help by opening additional ports
before they are needed?

Here is a recipe to generate 10 random ports and forward them using

$ python2 -c 'import random; print ",".join("%d"%x for x in sorted([random.randrange(1024,65536) for _ in range(10)]))'

iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 5585,13960,20045,30354,32413,34676,40455,40471,53993,60403 -j REDIRECT --to-port <obfs4port>
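The recipe above has two small gaps a bridge operator would want closed before pasting the rule in: the one-liner can emit the same port twice (it samples with replacement), and it can pick a port already in use on the host, including the real obfs4 port itself. The following script is an added example, not code from the post or from the Tor Project; it generates N distinct random ports outside a caller-supplied reserved set, enforces the 15-port limit of the iptables `multiport` match, and emits the REDIRECT rule as an argument list (plus the matching `-C` form for an idempotent check) without running anything. The interface name `eth0`, the chain, and the port range 1024-65535 mirror the post; the function and parameter names are my own.

```python
#!/usr/bin/env python3
"""Added example (not from the mailing-list post): choose distinct random
forwarding ports and build the iptables nat REDIRECT rule for an obfs4 bridge."""
import random
import shlex

PORT_MIN, PORT_MAX = 1024, 65535   # unprivileged range, as in the post's one-liner
MULTIPORT_LIMIT = 15               # iptables multiport accepts at most 15 ports/ranges


def pick_ports(n, reserved=(), rng=None):
    """Return n distinct ports in [PORT_MIN, PORT_MAX], sorted, none of them in `reserved`.

    `reserved` should hold ports already bound on the host (the obfs4 port,
    22, 443, ...). `rng` is injectable so results can be made reproducible;
    the default is the OS CSPRNG.
    """
    reserved = set(reserved)
    available = (PORT_MAX - PORT_MIN + 1) - len(reserved)
    if n <= 0 or n > available:
        raise ValueError("cannot pick %d ports from %d available" % (n, available))
    rng = rng or random.SystemRandom()
    chosen = set()
    while len(chosen) < n:             # rejection sampling gives distinct ports
        p = rng.randrange(PORT_MIN, PORT_MAX + 1)
        if p not in reserved:
            chosen.add(p)
    return sorted(chosen)


def _check_port(p):
    if not (1 <= p <= 65535):
        raise ValueError("port out of range: %r" % (p,))


def redirect_rule(ports, obfs4_port, iface="eth0", chain="PREROUTING", op="-A"):
    """Build the rule from the post as an argv list (op="-C" gives the check form).

    Raises ValueError on an empty list, more than 15 ports, a port out of
    range, or a forwarding port equal to the obfs4 port (a no-op redirect).
    """
    ports = list(ports)
    if not ports:
        raise ValueError("no ports to forward")
    if len(ports) > MULTIPORT_LIMIT:
        raise ValueError("multiport takes at most %d ports" % MULTIPORT_LIMIT)
    for p in ports:
        _check_port(p)
    _check_port(obfs4_port)
    if obfs4_port in ports:
        raise ValueError("forwarding port equals the obfs4 port")
    dports = ",".join(str(p) for p in sorted(ports))
    return ["iptables", "-t", "nat", op, chain, "-i", iface, "-p", "tcp",
            "--match", "multiport", "--dports", dports,
            "-j", "REDIRECT", "--to-port", str(obfs4_port)]


def render(ports, obfs4_port, **kw):
    """Shell-quoted text for the add rule, preceded by a -C check so a
    re-run does not append a duplicate rule."""
    check = shlex.join(redirect_rule(ports, obfs4_port, op="-C", **kw))
    add = shlex.join(redirect_rule(ports, obfs4_port, op="-A", **kw))
    return "%s 2>/dev/null || %s" % (check, add)


if __name__ == "__main__":
    OBFS4_PORT = 443  # constructed placeholder; use the bridge's real obfs4 port
    ports = pick_ports(10, reserved={22, OBFS4_PORT})
    print(render(ports, OBFS4_PORT))
```

Run it on the bridge host as root and paste the printed line, or pipe it into `sh`; the `-C` guard means the command is safe to run twice. Remember to persist the rule (e.g. with your distribution's iptables-save mechanism) or it is lost at reboot, and keep the port list so it can be handed to the Tor Browser developers for rotation.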
