[tor-project] Proposal: rotate default bridge ports each release

isis agora lovecruft isis at torproject.org
Thu Sep 1 00:32:11 UTC 2016


David Fifield transcribed 3.1K bytes:
> On Mon, Aug 15, 2016 at 09:45:05PM -0700, David Fifield wrote:
> > Lynn Tsai and I just published a report on the blocking of Tor Browser's
> > default obfs4 bridges.
> > 	https://www.bamsoftware.com/proxy-probe/
> > 	https://www.usenix.org/system/files/conference/foci16/foci16-paper-fifield.pdf
> > One of the things we found is that the Great Firewall of China blocks
> > the default bridges--but it takes a little while after release for them
> > to do it. We saw delays as short as 2 days and as long as 36 days. We
> > also found that when they block a bridge, they don't block the whole IP
> > address; they just block a single port and other ports on the same IP
> > remain accessible.
> > 
> > We can take advantage of these peculiarities by opening additional obfs4
> > ports on the default bridges, and changing the port numbers on each
> > release. We'd keep the old ports open for people who haven't upgraded
> > yet, but those who upgrade will start using the new ports. This way, we
> > can make the bridges temporarily reachable after each new release--at
> > least until the censors figure out what we're doing and start blocking
> > more aggressively.
> > 
> > This is pretty easy to do on the bridge operators' part. They just need
> > to forward a range of ports to their existing obfs4 port, something like
> > this:
> > 	iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 50000:50009 -j REDIRECT --to-port <obfs4port>
> > Then, the Tor Browser developers can choose a fresh port in each new
> > release.
> 
> The following bridges have each opened up 10 additional obfs4 ports,
> through which we can begin rotating in the next release:
> 	LeifEricson
> 	GreenBelt
> 	MaBishomarim
> 	JonbesheSabz
> 	Azadi
> 
> Do any other bridge operators want to help by opening additional ports
> before they are needed?
> 
> Here is a recipe to generate 10 random ports and forward them using
> iptables:
> 
> $ python2 -c 'import random; print ",".join("%d"%x for x in sorted([random.randrange(1024,65536) for _ in range(10)]))'
> 5585,13960,20045,30354,32413,34676,40455,40471,53993,60403
> 
> iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 5585,13960,20045,30354,32413,34676,40455,40471,53993,60403 -j REDIRECT --to-port <obfs4port>

I've forwarded this to the operators of some of the remaining default bridges,
who I believe are not on this list.

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt
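
Added example, not part of the original messages or of Tor's own tooling: a Python 3 version of the recipe quoted above that draws distinct ports from the OS random source, skips ports the operator excludes, and splits the list across rules because the iptables multiport match accepts at most 15 ports per rule. The obfs4 port 9443, the eth0 default and the function names are assumptions for illustration.

```python
import secrets

MULTIPORT_MAX = 15  # iptables multiport match takes at most 15 ports per rule


def pick_ports(count, exclude=(), low=1024, high=65536):
    """Return `count` distinct ports in [low, high), sorted, none in `exclude`."""
    excluded = set(exclude)
    candidates = [p for p in range(low, high) if p not in excluded]
    if count > len(candidates):
        raise ValueError("not enough free ports in the requested range")
    # sample() draws without replacement, so no port can repeat.
    return sorted(secrets.SystemRandom().sample(candidates, count))


def redirect_rules(ports, obfs4_port, iface="eth0"):
    """Build the REDIRECT rules from the thread, one per chunk of <= 15 ports."""
    if not 1 <= int(obfs4_port) <= 65535:
        raise ValueError("obfs4 port out of range")
    rules = []
    for i in range(0, len(ports), MULTIPORT_MAX):
        dports = ",".join(str(p) for p in ports[i:i + MULTIPORT_MAX])
        rules.append(
            f"iptables -A PREROUTING -t nat -i {iface} -p tcp "
            f"--match multiport --dports {dports} "
            f"-j REDIRECT --to-port {int(obfs4_port)}"
        )
    return rules


if __name__ == "__main__":
    OBFS4_PORT = 9443  # constructed value; use the bridge's real obfs4 port
    # Exclude the obfs4 port itself so it is never redirected onto itself.
    for rule in redirect_rules(pick_ports(10, exclude={OBFS4_PORT}), OBFS4_PORT):
        print(rule)
```

Pass any ports already bound by other services on the bridge in `exclude` so the redirect does not shadow them.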