[tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing

David Fifield david at bamsoftware.com
Sun Aug 19 22:57:08 UTC 2018


A paper from FOCI 2018 by Arun Dunna, Ciarán O'Brien, and Phillipa Gill
on the subject of Tor bridge blocking in China has this interesting
suggestion (Section 5.2):

https://www.usenix.org/conference/foci18/presentation/dunna

	To do this, we write a series of specific rules using iptables in
	order to drop packets from Chinese scanners. ... We use a rule
	to drop incoming Tor packets with an MSS of 1400. Further
	investigation would be needed to analyze potential false
	positives... We note that this method of dropping scan traffic
	successfully keeps our bridge relays from being blocked and
	allows our client in China to maintain access to the bridge.

Like https://github.com/NullHypothesis/brdgrd, surely this trick won't
work forever, but if you're setting up a new bridge, it's worth a try?

This is completely untested, but I think the iptables rule would look
something like this:
iptables -A INPUT --protocol tcp --dport [your-bridge-port] -m tcpmss --mss 1400 -j DROP

Then, after a while, check /var/lib/tor/stats/bridge-stats and see if
you have any connections from "cn".
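A small parser for that bridge-stats file, added here as an example and not part of the original post. It assumes the bridge-stats-end / bridge-ips line layout Tor writes (per-country counts rounded up to multiples of 8), and the sample file contents below are constructed:

```python
"""Parse Tor's bridge-stats file and report how many clients per country
the bridge saw, so you can tell whether "cn" still shows up after adding
the MSS-1400 drop rule.  Constructed sample data, not a real bridge's stats."""
from typing import Dict, List


def parse_bridge_stats(text: str) -> List[dict]:
    """Return one record per bridge-stats-end interval found in text.

    Each record is {"end": "<date time>", "interval_s": int, "ips": {cc: n}}.
    Counts in bridge-ips are rounded up to multiples of 8 by Tor, so a
    value of 8 means "at least one client".
    """
    records: List[dict] = []
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "bridge-stats-end" and len(parts) >= 4:
            # e.g. "bridge-stats-end 2018-08-19 00:00:00 (86400 s)"
            current = {"end": f"{parts[1]} {parts[2]}",
                       "interval_s": int(parts[3].lstrip("(")),
                       "ips": {}}
            records.append(current)
        elif parts[0] == "bridge-ips" and current is not None and len(parts) > 1:
            # e.g. "bridge-ips cn=8,us=16"; the line has no list at all when
            # no clients were seen in the interval
            for item in parts[1].split(","):
                cc, _, n = item.partition("=")
                if n.isdigit():
                    current["ips"][cc] = int(n)
    return records


def count_from(records: List[dict], cc: str) -> int:
    """Sum the (rounded) client count for one country over all intervals."""
    return sum(r["ips"].get(cc, 0) for r in records)


# Constructed sample: two daily intervals, the second without any "cn" clients.
SAMPLE = """\
bridge-stats-end 2018-08-18 00:00:00 (86400 s)
bridge-ips cn=8,us=16
bridge-ip-versions v4=24,v6=0
bridge-ip-transports <OR>=24
bridge-stats-end 2018-08-19 00:00:00 (86400 s)
bridge-ips us=16
bridge-ip-versions v4=16,v6=0
bridge-ip-transports <OR>=16
"""

if __name__ == "__main__":
    # On a real bridge: open("/var/lib/tor/stats/bridge-stats").read()
    for rec in parse_bridge_stats(SAMPLE):
        print(rec["end"], "cn clients (rounded):", rec["ips"].get("cn", 0))
```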
