[tor-talk] Tor bridges over ICMP or DNS

Ben Tasker ben at bentasker.co.uk
Thu Sep 7 20:47:24 UTC 2017


On Thu, Sep 7, 2017 at 7:48 PM, Andreas Krey <a.krey at gmx.de> wrote:

> On Thu, 07 Sep 2017 13:32:35 +0000, Roman Mamedov wrote:
> > Hello,
> >
> > Has anyone considered making a Tor bridge protocol with ICMP as
> > transport?
>
> Probably.
>
> > Or tunneling over DNS?
>
> Same. Basically, you just need any bridge and a means to tunnel ssh,
> and then you can 'ssh -L port:bridgeip:bridgeport', and configure
> tor to use the bridge at localhost:port. This will work as long
> as not too many people do it.
>

In principle, yes. In practice, not so much. SSH to and from China can be
an absolute pain even for low traffic levels (like, for example, a standard
SSH session). Sometimes it might be deliberate interference, but most of
the time it's a case of combining the headaches of TCP-over-TCP with a
massively busy (and underpowered for the traffic) system like the GFW.

Things like sshuttle (https://github.com/apenwarr/sshuttle) help a bit (as
it addresses the TCP-over-TCP limitations) but it's still pretty bad
transiting the GFW (I do so pretty regularly).


>
> The problem is that the Chinese have enough manpower to
> write detectors for any protocol that is widely deployed,
>

It's worse than that, they also make heavy use of machine learning. So over
time the system realises that a lot of data seems to be going out over port
65532 (or whatever) to a specific subnet, so they start taking a much
closer look (and in some cases just start blocking/interfering
automatically).


> or they simply block IPs that they see widely in use for
> either kind of tunnels and suspect tor usage. Means,
> anything in common use by the tor browser will get blocked.
>
> The only exception is when the blocking would cause
> unacceptable collateral damage as with the meek bridges.
>
> DNS and ICMP particularly stand out.
>
> Andreas
>
> --
> "Totally trivial. Famous last words."
> From: Linus Torvalds <torvalds@*.org>
> Date: Fri, 22 Jan 2010 07:29:21 -0800



-- 
Ben Tasker
https://www.bentasker.co.uk

