[tor-project] Proposal: rotate default bridge ports each release

Tor Dev bentordev at gmail.com
Wed Aug 31 11:57:45 UTC 2016


I can apply this on my bridge. My own bridge isn’t included in the default TBB, so does it make sense to open more ports? What would be the correct way to distribute the newly opened ports to the Bridge Authorities?

> Op 31 aug. 2016, om 00:44 heeft David Fifield <david at bamsoftware.com> het volgende geschreven:
> 
> On Mon, Aug 15, 2016 at 09:45:05PM -0700, David Fifield wrote:
>> Lynn Tsai and I just published a report on the blocking of Tor Browser's
>> default obfs4 bridges.
>> 	https://www.bamsoftware.com/proxy-probe/
>> 	https://www.usenix.org/system/files/conference/foci16/foci16-paper-fifield.pdf
>> One of the things we found is that the Great Firewall of China blocks
>> the default bridges--but it takes a little while after release for them
>> to do it. We saw delays as short as 2 days and as long as 36 days. We
>> also found that when they block a bridge, they don't block the whole IP
>> address; they just block a single port and other ports on the same IP
>> remain accessible.
>> 
>> We can take advantage of these peculiarities by opening additional obfs4
>> ports on the default bridges, and changing the port numbers on each
>> release. We'd keep the old ports open for people who haven't upgraded
>> yet, but those who upgrade will start using the new ports. This way, we
>> can make the bridges temporarily reachable after each new release--at
>> least until the censors figure out what we're doing and start blocking
>> more aggressively.
>> 
>> This is pretty easy to do on the bridge operators' part. They just need
>> to forward a range of ports to their existing obfs4 port, something like
>> this:
>> 	iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 50000:50009 -j REDIRECT --to-port <obfs4port>
>> Then, the Tor Browser developers can choose a fresh port in each new
>> release.
> 
> The following bridges have each opened up 10 additional obfs4 ports,
> through which we can begin rotating in the next release:
> 	LeifEricson
> 	GreenBelt
> 	MaBishomarim
> 	JonbesheSabz
> 	Azadi
> 
> Do any other bridge operators want to help by opening additional ports
> before they are needed?
> 
> Here is a recipe to generate 10 random ports and forward them using
> iptables:
> 
> $ python2 -c 'import random; print ",".join("%d"%x for x in sorted([random.randrange(1024,65536) for _ in range(10)]))'
> 5585,13960,20045,30354,32413,34676,40455,40471,53993,60403
> 
> iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 5585,13960,20045,30354,32413,34676,40455,40471,53993,60403 -j REDIRECT --to-port <obfs4port>
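As an added example, not code from this thread, here is a Python 3 helper for a bridge operator following the recipe above: it picks distinct rotation ports that never collide with the obfs4 port, renders the REDIRECT rule, and parses `iptables-save -t nat` output to confirm which ports are actually redirected. It assumes iptables-save renders the rule with `-m multiport` and `--to-ports`, and the sample save output is constructed.

```python
import random
import re

MULTIPORT_MAX = 15  # -m multiport accepts at most 15 ports in one rule


def pick_rotation_ports(count, obfs4_port, rng=None):
    """Pick `count` distinct unprivileged ports, never the obfs4 port itself,
    sorted and ready for --dports (the one-liner above can repeat a port)."""
    if not 1 <= count <= MULTIPORT_MAX:
        raise ValueError("multiport takes 1..%d ports" % MULTIPORT_MAX)
    rng = rng or random.SystemRandom()
    ports = set()
    while len(ports) < count:
        p = rng.randrange(1024, 65536)
        if p != obfs4_port:
            ports.add(p)
    return sorted(ports)


def redirect_rule(ports, obfs4_port, iface="eth0"):
    """Render the PREROUTING REDIRECT rule from the thread for these ports."""
    return ("iptables -A PREROUTING -t nat -i %s -p tcp --match multiport "
            "--dports %s -j REDIRECT --to-port %d"
            % (iface, ",".join(str(p) for p in ports), obfs4_port))


# How iptables-save renders that rule (assumed format: -m and --to-ports).
_SAVE_RE = re.compile(r"^-A PREROUTING -i (\S+) -p tcp -m multiport "
                      r"--dports ([\d,]+) -j REDIRECT --to-ports (\d+)$")


def redirected_ports(save_text, obfs4_port, iface="eth0"):
    """Return the set of ports that `iptables-save -t nat` output shows as
    already redirected to obfs4_port on iface, to verify the rule took effect."""
    found = set()
    for line in save_text.splitlines():
        m = _SAVE_RE.match(line.strip())
        if m and m.group(1) == iface and int(m.group(3)) == obfs4_port:
            found.update(int(p) for p in m.group(2).split(","))
    return found


# Constructed sample of `iptables-save -t nat` output, not from a real bridge.
SAMPLE_SAVE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m multiport --dports 5585,13960,20045 -j REDIRECT --to-ports 443
COMMIT
"""
```

Comparing `set(pick_rotation_ports(...))` against `redirected_ports(...)` after applying the rule tells the operator which ports are still missing before they are handed to the Tor Browser developers.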
