[tor-talk] Building a new censorship circumvention tool: what do we need to know?

m.ajiao at tuta.io
Mon Feb 20 21:03:07 UTC 2017


Hello!

Very interesting design!

For a censorship circumvention tool to work in China, you need to follow these necessary guidelines:

1. Obfuscation and anti-DPI. Have a look at shadowsocks ( https://github.com/shadowsocks/shadowsocks/tree/master ). It is an obfuscated proxy. Handshakes and application data are AES encrypted without a fixed header. Recently they added a fake HTTP header to get around simple DPI rules. This is not enough though.

There is an experimental pluggable transport designed specifically to get around DPI, called Dust ( https://github.com/blanu/Dust ). Unfortunately it became inactive.

2. Simulate the Meek design and Collateral Freedom ( https://en.greatfire.org/blog/2015/mar/collateral-freedom-and-not-so-great-firewall ). The Great Firewall agent can't block cloud computing platforms and big VPS providers because of their importance.

3. Peer-to-peer: The getlantern team claims it has integrated a peer-to-peer data transfer mechanism into its software. Peer-to-peer makes the IP addresses abundant, and trivial to block.

By the way, the Great Firewall designer claimed to have invented a way to detect meek traffic by looking at packet sizes and timing, a simple, dirty and stupid DPI trick. New censorship circumvention tools MUST NOT send packets with easily detectable DPI features.

References:

> Tor 0.2.7.6 is released | The Tor Blog
> Tor developers, please pay attention to the research by Fang Binxing and other hooligans on the traffic features of obfuscation plugins!! On December 11th, 2015 Anonymous said: ... They found that, meek, ...
> https://blog.torproject.org/blog/tor-0276-released

> Fang Binxing, former president of Beijing University of Posts and Telecommunications, and colleagues published a paper in the Journal of Computer Research and Development, "Towards measuring unobservability in anonymous communication systems" (PDF), reporting that they can identify Tor's obfuscation plugins by observing their traffic patterns. To evade deep packet inspection, researchers have developed protocol obfuscation tools; the transport-layer protocol obfuscation plugins developed by the Tor anonymity network include obfsproxy (obfsproxy3 and obfsproxy4), meek and fte. The researchers downloaded the software from the Tor website and, after studying the transmitted traffic, quickly found that Tor's obfuscation plugins are vulnerable to timing analysis attacks. They found that the inter-packet time intervals of meek, bridge and HTTPS traffic are basically the same, but meek's packets show a noticeable jitter around 0.5-2 seconds, because the meek client automatically sends a heartbeat packet when idle in order to keep a long-lived connection with the cloud platform, with the heartbeat interval chosen at random between 0.1 and 5 seconds. They also observed two other data patterns: in bridge mode, packet sizes cluster around 600 B, which is also related to Tor's packet design; in meek mode, client-to-server packets are around 200 B and server-to-client packets around 400 B.

> The research paper referred to by the OP's post above in Mandarin Chinese has been referenced by an earlier post here: https://blog.torproject.org/comment/reply/1098/137900
> The official name of the research paper in English is "Towards measuring unobservability in anonymous communication systems", Journal of Computer Research and Development, 2015, 52(10): 2373-2381.
> The PDF version can be downloaded from: http://crad.ict.ac.cn/CN/abstract/abstract3031.shtml# The file size is about 6861 KB.

> On December 17th, 2015 dcf said: Thanks, we have seen that paper. It doesn't mean that the censors in China have the capability to do the kind of traffic analysis they describe (yet), but it's something for us to keep in mind for the future. obfs4 and ScrambleSuit in fact are already capable of obfuscating their traffic patterns, but the capability hasn't been turned on yet because it hasn't been needed.
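As an added example (not code from the original post, nor from meek, shadowsocks or any other tool named above), here is the kind of self-check a transport developer could run over their own flow records: it measures the two features the quoted paper describes (client packets clustering around 200 B, idle gaps of 0.5-2 s) and shows how random padding and re-timed sends remove them. The thresholds, the flow generator and the shaping parameters are constructed assumptions for illustration.

```python
import random

# Constructed thresholds: the share of packets/gaps inside the windows the
# quoted paper reports for meek, above which a flow counts as fingerprintable.
SIZE_CENTER, SIZE_TOL = 200, 50       # client->server packets ~200 B
GAP_LO, GAP_HI = 0.5, 2.0             # heartbeat-induced idle gaps in seconds
SIZE_THR, GAP_THR = 0.5, 0.3

def fraction_near(values, center, tol):
    """Share of values within +/- tol of center."""
    return sum(1 for v in values if abs(v - center) <= tol) / len(values)

def inter_arrival_gaps(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def fingerprint_score(sizes, timestamps):
    """The two features a size/timing classifier would key on."""
    gaps = inter_arrival_gaps(timestamps)
    return {
        "size_200B": fraction_near(sizes, SIZE_CENTER, SIZE_TOL),
        "gap_0.5_2s": sum(1 for g in gaps if GAP_LO <= g <= GAP_HI) / len(gaps),
    }

def is_fingerprintable(sizes, timestamps):
    f = fingerprint_score(sizes, timestamps)
    return f["size_200B"] >= SIZE_THR and f["gap_0.5_2s"] >= GAP_THR

def meek_like_flow(n=200, seed=1):
    """Constructed flow: ~200 B requests, one heartbeat every 0.6-1.9 s idle."""
    rng = random.Random(seed)
    sizes, times, t = [], [], 0.0
    for _ in range(n):
        sizes.append(rng.randint(180, 220))
        t += rng.uniform(0.6, 1.9)
        times.append(t)
    return sizes, times

def shape_flow(sizes, timestamps, seed=2, mtu=1400, mean_gap=0.3):
    """Mitigation (assumed scheme): pad every packet to a random length up to
    the MTU and send on an exponentially distributed schedule, so neither the
    size histogram nor the idle gaps expose the heartbeat. A real transport
    would fill empty slots with cover packets instead of delaying data."""
    rng = random.Random(seed)
    padded = [rng.randint(s, mtu) for s in sizes]
    t, shaped = 0.0, []
    for _ in timestamps:
        t += rng.expovariate(1.0 / mean_gap)
        shaped.append(t)
    return padded, shaped
```

Run `is_fingerprintable(*meek_like_flow())` against `is_fingerprintable(*shape_flow(*meek_like_flow()))` to see the unshaped flow flagged and the shaped one pass; the same check applied to a capture of your own transport tells you whether it still carries these features.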