[tor-bugs] #6414 [Ooni]: Automating Bridge Reachability Testing

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun Jul 22 09:31:04 UTC 2012


#6414: Automating Bridge Reachability Testing
--------------------------------------------------------------------------------+
 Reporter:  isis                                                                |          Owner:  isis    
     Type:  project                                                             |         Status:  accepted
 Priority:  normal                                                              |      Milestone:          
Component:  Ooni                                                                |        Version:          
 Keywords:  bridge-reachability metrics-db automation testing SponsorF20121101  |         Parent:          
   Points:                                                                      |   Actualpoints:          
--------------------------------------------------------------------------------+

Comment(by phw):

 Replying to [comment:10 isis]:

 > Replying to [comment:7 phw]:
 > > * UAE and Ethiopia do not actually block bridges but rather network
 packets. We need to distinguish between blocking Tor by protocol and by
 end points (bridges/relays). Also, Lebanon and Qatar are new to me. It
 would be helpful to add them to the
 [https://trac.torproject.org/projects/tor/wiki/doc/OONI/censorshipwiki
 censorship wiki] in case anybody knows more about that. Apart from China,
 is there any country actually blocking bridges by IP and port at the
 moment?
 > UAE and Ethiopia block all SSL, correct?
 >
 > If so, there seems to be not much that Tor or any bridge tests can do
 about that, at least not until more pluggable transports are deployed.

 It does not look like UAE is blocking Tor at the moment but Ethiopia is
 dropping the Tor TLS client hello and server hello. All the details are in
 the one and only
 [https://trac.torproject.org/projects/tor/wiki/doc/OONI/censorshipwiki
 censorship wiki]! SSL in general is not blocked, though.

 > > 2. I haven't seen any evidence for service enumeration. Is this still
 supposed to happen?
 >
 > This is what I read, and if it is the case, i.e., that China blocks by
 IP:port if there are other services, and elif by IP blackholing, then it
 would make testing easier because, as I mentioned earlier, it would be
 pretty trivial to fake services on a bridge that we set up (that way we
 could just change the port to continue bridge reachability testing). If
 you're not seeing it though, I suppose you've probably got more info on
 this than anyone else, so it might not be happening anymore. Does this
 mean they always dumb block on IP:port? Or are they always blackholing?

 Yes, it looks like bridges (and even relays) are blocked by IP:Port. I
 only saw IP blackholing for the directory authorities. I think that from
 the GFC's point of view that's quite good: It has no collateral damage and
 is still highly effective.

 > > 2. It looks like the old concept of "scanning queues" in 15 minute
 intervals changed a couple of weeks ago. What I am seeing now is real-time
 scans which happen immediately after the GFC detected a potential Tor
 connection. Then, you won't see any scanners for ~20 minutes even though
 you continue initiating Tor connections. After ~20 minutes, there are
 real-time scans again. I have yet to take a closer look at the data. If
 anybody wants to help, drop me an e-mail.
 >
 > I'd take a look at it. Do you think the "twelve hours without a
 successful connection from the probe" still applies to unblocking?

 I reproduced this a couple of weeks ago and was able to unblock bridges
 after just 2-3 hours. The time seems to vary but it should still work,
 yes.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6414#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list