[tor-talk] Building a new censorship circumvention tool: what do we need to know?
ivan at equalit.ie
Tue Feb 21 09:42:25 UTC 2017
Hi, thanks for checking CENO and for the advice and many links, they may
come in very handy regarding the obfuscation and DPI avoidance parts of
our next system. The experiences you mention about real life blocking
are very informative.
m.ajiao at tuta.io (2017-02-20 22:03:07 +0100) wrote:
> Very interesting design!
> For a censorship circumvention tool to work in China, you need to
> follow these necessary guidelines:
> 1. Obfuscation and anti-DPI. Have a look at shadowsocks. (
> https://github.com/shadowsocks/shadowsocks/tree/master ) It is an
> obfuscated proxy. Handshakes and application data are AES encrypted
> without fixed header. Recently they added fake HTTP header to get
> around simple DPI rules. This is not enough though.
> There is an experimental pluggable transport designed specifically to
> get around DPI, called Dust ( https://github.com/blanu/Dust )
> Unfortunately it became inactive.
> 2. Simulate Meek design and Collateral Freedom (
> ) The Great Firewall agent can't block cloud computing platforms and
> big VPS providers because of their importance.
> 3. Peer-to-peer: The getlantern team claims it has integrated
> peer-to-peer data transfer mechanism to their software. Peer-to-peer
> makes the IP addresses abundant, and trivial to block.
> By the way, the Great Firewall designer claimed to have invented a way
> to detect meek traffic by looking at packet sizes and timing, a
> simple, dirty and stupid DPI trick. New censorship circumvention tools
> MUST NOT send packets with easily detectable DPI features.
> > Tor 0.2.7.6 is released | The Tor Blog
> > Tor developers, please pay attention to the research by Fang Binxing
> > and other thugs on the traffic characteristics of obfuscation plugins!!
> > On December 11th, 2015 Anonymous said: ... They found that, meek, ...
> > https://blog.torproject.org/blog/tor-0276-released
> > Fang Binxing, former president of Beijing University of Posts and
> > Telecommunications, and others published a paper titled "A Method for
> > Measuring the Unobservability of Anonymous Communication Systems"
> > (PDF) in the Journal of Computer Research and Development, reporting
> > that they can identify Tor's obfuscation plugins by observing their
> > traffic patterns. To evade deep packet inspection, researchers have
> > developed protocol obfuscation tools; the transport-layer protocol
> > obfuscation plugins developed by the Tor anonymity network include
> > obfsprox (obfsproxy3 and obfsproxy4), meek and fte. After downloading
> > the software from the Tor website and studying its transmitted
> > traffic, the researchers quickly found that Tor's obfuscation plugins
> > are vulnerable to timing analysis attacks. They found that the
> > inter-packet time intervals of meek, bridge and HTTPS traffic are
> > basically the same, but meek's packets show a noticeable jitter around
> > 0.5-2 seconds, because the meek client automatically sends a heartbeat
> > packet when idle in order to keep a long-lived connection to the cloud
> > platform, with the heartbeat interval chosen randomly between 0.1 and
> > 5 seconds. They also observed two other data patterns: in bridge mode,
> > packet sizes cluster around 600 B, which is also related to Tor's
> > packet design; in meek mode, client-to-server packets are around 200 B
> > and server-to-client packets around 400 B.
> > The research paper referred to by the OP's post above in Mandarin
> > Chinese has been referenced by an earlier post here:
> > https://blog.torproject.org/comment/reply/1098/137900 The official
> > name of the research paper in English is "Towards measuring
> > unobservability in anonymous communication systems", Journal of
> > Computer Research and Development, 2015, 52(10): 2373-2381. The PDF
> > version can be downloaded from:
> > http://crad.ict.ac.cn/CN/abstract/abstract3031.shtml# The file size
> > is about 6861 KB.
> > On December 17th, 2015 dcf said: Thanks, we have seen that paper. It
> > doesn't mean that the censors in China have the capability to do the
> > kind of traffic analysis they describe (yet), but it's something for
> > us to keep in mind for the future. obfs4 and ScrambleSuit in fact
> > are already capable of obfuscating their traffic patterns, but the
> > capability hasn't been turned on yet because it hasn't been needed.
Ivan Vilata i Balaguer