[tor-talk] Tor bridges over ICMP or DNS

Ben Tasker ben at bentasker.co.uk
Thu Sep 7 20:47:24 UTC 2017

On Thu, Sep 7, 2017 at 7:48 PM, Andreas Krey <a.krey at gmx.de> wrote:

> On Thu, 07 Sep 2017 13:32:35 +0000, Roman Mamedov wrote:
> > Hello,
> >
> > Has anyone considered making a Tor bridge protocol with ICMP as
> > transport?
> Probably.
> > Or tunneling over DNS?
> Same. Basically, you just need any bridge and a means to tunnel ssh,
> and then you can 'ssh -L port:bridgeip:bridgeport', and configure
> tor to use the bridge at localhost:port. This will work as long
> as not too many people do it.

In principle, yes. In practice, not so much. SSH to and from China can be
an absolute pain even for low traffic levels (like, for example, a standard
SSH session). Sometimes it might be deliberate interference, but most of
the time it's a case of combining the headaches of TCP-over-TCP with a
massively busy (and underpowered for the traffic) system like the GFW.

Things like sshuttle (https://github.com/apenwarr/sshuttle) help a bit (as
it addresses the TCP-over-TCP limitations) but it's still pretty bad
transiting the GFW (I do so pretty regularly).

> The problem is that the Chinese have enough manpower to
> write detectors for any protocol that is widely deployed,

It's worse than that, they also make heavy use of machine learning. So over
time the system realises that a lot of data seems to be going out over port
65532 (or whatever) to a specific subnet, so they start taking a much
closer look (and in some cases just start blocking/interfering

> or they simply block IPs that they see widely in use for
> either kind of tunnels and suspect tor usage. Means,
> anything in common use by the tor browser will get blocked.
> The only exception is when the blocking would cause
> unacceptable collateral damage as with the meek bridges.
> DNS and ICMP particularly stand out.
Andreas
Ben Tasker

