[tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing

Nathaniel Suchy me at lunorian.is
Sun Aug 19 23:41:26 UTC 2018


Is China successfully probing OBFS4 bridges? Or does this apply more to
non-obfs bridges?
On Sun, Aug 19, 2018 at 6:57 PM David Fifield <david at bamsoftware.com> wrote:

> A paper from FOCI 2018 by Arun Dunna, Ciarán O'Brien, and Phillipa Gill
> on the subject of Tor bridge blocking in China has this interesting
> suggestion (Section 5.2):
>
> https://www.usenix.org/conference/foci18/presentation/dunna
>         To do this, we write a series of specific rules using iptables in
>         order to drop packets from Chinese scanners. ... We use a rule
>         to drop incoming Tor packets with an MSS of 1400. Further
>         investigation would be needed to analyze potential false
>         positives... We note that this method of dropping scan traffic
>         successfully keeps our bridge relays from being blocked and
>         allows our client in China to maintain access to the bridge.
>
> Like https://github.com/NullHypothesis/brdgrd, surely this trick won't
> work forever, but if you're setting up a new bridge, it's worth a try?
>
> This is completely untested, but I think the iptables rule would look
> something like this:
> iptables -A INPUT --protocol tcp --dport [your-bridge-port] -m tcpmss --mss 1400 -j DROP
>
> Then, after a while, check /var/lib/tor/stats/bridge-stats and see if
> you have any connections from "cn".
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
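An added example, written for this page and not taken from the thread, the paper or the Tor project: a small shell script that wraps the MSS=1400 drop rule and the bridge-stats check described in the quoted message. It assumes a bridge port of 443 (override with BRIDGE_PORT), the default stats path /var/lib/tor/stats/bridge-stats, and a constructed bridge-stats sample for its self-check; none of those come from the original post. Two details differ from the one-liner above on purpose: the rule is inserted at the top of INPUT so an earlier ACCEPT for the bridge port cannot shadow it, and --syn is added so the intent (drop the probe's handshake, nothing else) is explicit.

```shell
#!/bin/sh
# Drop inbound SYNs with TCP MSS=1400 in front of a Tor bridge port, then
# check bridge-stats for clients tor attributed to China ("cn").
# Assumptions (not in the original post): bridge on TCP 443, default stats path.

BRIDGE_PORT="${BRIDGE_PORT:-443}"
STATS_FILE="${STATS_FILE:-/var/lib/tor/stats/bridge-stats}"

# Build the IPv4 rule for a given port without running it.
# -m tcpmss --mss 1400 matches the MSS option, which only appears in SYN
# (and SYN-ACK) segments; --syn makes that explicit.  -I INPUT 1 puts the
# rule ahead of any ACCEPT for the bridge port.
mss_drop_rule() {
    printf 'iptables -I INPUT 1 -p tcp --syn --dport %s -m tcpmss --mss 1400 -j DROP\n' "$1"
}

# Same rule for IPv6, in case the bridge also listens on v6.
mss_drop_rule6() {
    printf 'ip6tables -I INPUT 1 -p tcp --syn --dport %s -m tcpmss --mss 1400 -j DROP\n' "$1"
}

# Install both rules (needs root).
install_rules() {
    eval "$(mss_drop_rule "$BRIDGE_PORT")"
    eval "$(mss_drop_rule6 "$BRIDGE_PORT")"
}

# Read a bridge-stats file on stdin and print the unique-client count tor
# recorded for country code $1 on its "bridge-ips" line, or 0 if absent.
# Tor rounds these counts up to multiples of 8, so 8 means "at least one".
country_count() {
    awk -v cc="$1" '
        $1 == "bridge-ips" {
            n = split($2, pairs, ",")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                if (kv[1] == cc) { print kv[2]; found = 1 }
            }
        }
        END { if (!found) print 0 }'
}

# Constructed sample in bridge-stats format (not real data), for the self-check.
SAMPLE_STATS='bridge-stats-end 2018-08-19 00:00:00 (86400 s)
bridge-ips us=24,cn=8,de=8
bridge-ip-versions v4=40,v6=0
bridge-ip-transports obfs4=40'

case "${1:-}" in
    install) install_rules ;;
    check)   country_count cn < "$STATS_FILE" ;;
    *)       # Dry run: show the rules and exercise the parser on the sample.
             mss_drop_rule "$BRIDGE_PORT"
             mss_drop_rule6 "$BRIDGE_PORT"
             printf '%s\n' "$SAMPLE_STATS" | country_count cn ;;
esac
```

Run it with no arguments to see the rules it would add, `install` (as root) to add them, and `check` once tor has written a stats period (the file is updated roughly once a day, so there is nothing to read immediately after starting the bridge). A non-zero "cn" count after the rule is in place means Chinese clients are still reaching the bridge, which is the outcome the quoted paper reports. Keep the false-positive caveat from the paper in mind: MSS=1400 is not unique to the scanners, so legitimate clients on links with a 1440-byte MTU would also be dropped by this rule.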

