[tor-talk] Pluggable Transports and DPI

David Fifield david at bamsoftware.com
Sun May 8 20:37:47 UTC 2016


On Fri, May 06, 2016 at 06:47:10PM -0500, Justin wrote:
> Hi,
> I have a DPI box that I use to test pluggable transports with.  I also
> test other circumvention tools against it just to see how good it is.
> Manufacturer is Cyberoam.  About 6 or 8 weeks ago, Cyberoam released a
> DPI engine update that could filter normal Tor and the following
> pluggable transports:
> OBFS3
> OBFS4
> Scramblesuit
> About a week ago, Cyberoam released another update to its application
> filter.  This update allows it to filter all Meek connections without
> doing a man in the middle on the TLS or anything.  When I try to load
> www.google.com, it loads fine in a normal
> Firefox.  When I use Meek, it fails and the Cyberoam logs a Tor Proxy
> attempt.  The only transport that still works is FTE.  I was talking
> with Arma on the Tor IRC channel a while ago, and he suggested that I
> use Tcpreplay and send in a copy of what Cyberoam is fingerprinting.
> I will have to wait a while until I do this, because the school year
> hasn't ended yet.  I'm sending out this message to alert Tor users of
> the new threat and also to see what some solutions may be, e.g. new
> transports in the works.

Thanks for this information. With obfs3, obfs4, and scramblesuit, are
you using the default built-in bridges, or are you using custom bridge
lines? If you are using the default bridges, it might just be that
Cyberoam blocked the IP addresses.

Try altering your bridge lines so that instead of "iat-mode=0", it has
"iat-mode=1". That will alter the packet timing signature (only in the
client→server direction) and it would be interesting to know if that
gets through the firewall.

With the meek blocking, it might be that they are doing some kind of
timing analysis, or it might be that we screwed up something simple like
the TLS signature. Could you try it in these configurations?
	Tor Browser 5.5.5 https://blog.torproject.org/blog/tor-browser-555-released
	Tor Browser 6.0a5 https://blog.torproject.org/blog/tor-browser-60a5-released
	meek_lite in obfs4proxy
TB 6.0a5 uses a different version of Firefox than 5.5.5, so the TLS
signature might be different (I haven't checked yet). To run meek_lite,
use a torrc file like this one:
	UseBridges 1
	ClientTransportPlugin meek_lite exec ./obfs4proxy
	Bridge meek_lite 0.0.3.0:5 url=https://meek-reflect.appspot.com/ front=www.google.com

