[tor-talk] Blocking GFW probes on the firewall

Marek Majkowski marek at popcount.org
Wed Jul 10 10:18:32 UTC 2013


Hi,

As you may know the Great Firewall of China (GFW) is actively scanning
TOR relays and bridges [1]. Fortunately blocking those probes seems to
be sufficient to prevent GFW from blocking/censoring the service.

The GFW is evolving and probes that we see today will likely be
different in the future. As for now these iptables rules detect active
GFW scans against a TOR bridge. Probes as seen a few weeks ago can be
detected by:

$ iptables -A INPUT -p tcp -m string --hex-string \
    "|00001800390038003500160013000A00330032002F0007000500FF0100000400230000|" \
    --algo kmp -j LOG --log-prefix "china_long "

$ iptables -A INPUT -p tcp -m string --hex-string \
    "|00001400390038003500160013000A00330032002F0005020100|" \
    --algo kmp -j LOG --log-prefix "china_short "

Probes seen recently:

$ iptables -A INPUT -p tcp -m string --hex-string \
    "|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|" \
    --algo kmp -j LOG --log-prefix "china_new "

Active scans detected by these iptables rules were triggered by a TOR
client in China connecting to a TOR bridge in Europe. These rules are
intended to be used on the TOR bridge side.

If you wish not only to detect, but also to actively reject GFW probes
(and hopefully prevent your service from getting censored), consider
replacing "-j LOG ..." with "-j REJECT --reject-with tcp-reset".

Cheers,
  Marek

[1] http://www.cs.kau.se/philwint/pdf/foci2012.pdf
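Added example, not part of Marek's post: a small Python helper that converts the three iptables `--hex-string` patterns above to bytes, decodes them on the assumption (suggested by their byte layout, not stated in the post) that each is the tail of a TLS ClientHello (session ID length, cipher suite list, compression methods, extensions), and emulates the per-packet substring check that `-m string --algo kmp` performs, so the patterns can be reviewed and tested offline before being loaded into the firewall. The `SIGNATURES` names are the post's log prefixes; `parse_clienthello_tail` and `match_signatures` are names chosen here.

```python
import re

# The three --hex-string patterns from the post, keyed by their log prefix.
SIGNATURES = {
    "china_long": "|00001800390038003500160013000A00330032002F0007000500FF0100000400230000|",
    "china_short": "|00001400390038003500160013000A00330032002F0005020100|",
    "china_new": "|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|",
}


def hexstring_to_bytes(sig):
    """Turn an iptables |hex| pattern into raw bytes (whitespace and bars ignored)."""
    return bytes.fromhex(re.sub(r"[|\s]", "", sig))


def parse_clienthello_tail(data):
    """Decode the pattern as a ClientHello tail (assumption): session id length,
    cipher suites, compression methods and, if present, the extension list."""
    pos = 0
    sid_len = data[pos]
    pos += 1 + sid_len                      # skip session ID (empty in all three)
    cs_len = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(data):
        raise ValueError("cipher suite list length is not consistent")
    suites = [int.from_bytes(data[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = data[pos]
    comps = list(data[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    exts = []
    if pos < len(data):                     # extensions block is optional
        ext_len = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype = int.from_bytes(data[pos:pos + 2], "big")
            elen = int.from_bytes(data[pos + 2:pos + 4], "big")
            exts.append((etype, data[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"cipher_suites": suites, "compression": comps, "extensions": exts}


def match_signatures(payload):
    """Emulate the string match: return the log prefixes whose pattern occurs
    anywhere in this single packet's payload."""
    return [name for name, sig in SIGNATURES.items() if hexstring_to_bytes(sig) in payload]
```

Like the kernel string match, `match_signatures` inspects one packet's bytes only, so a handshake split across TCP segments is not reassembled before matching.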
