[tor-project] Proposal: rotate default bridge ports each release
George Kadianakis
desnacked at riseup.net
Tue Aug 16 14:14:49 UTC 2016
David Fifield <david at bamsoftware.com> writes:
> [ text/plain ]
> Lynn Tsai and I just published a report on the blocking of Tor Browser's
> default obfs4 bridges.
> https://www.bamsoftware.com/proxy-probe/
> https://www.usenix.org/system/files/conference/foci16/foci16-paper-fifield.pdf
> One of the things we found is that the Great Firewall of China blocks
> the default bridges--but it takes a little while after release for them
> to do it. We saw delays as short as 2 days and as long as 36 days. We
> also found that when they block a bridge, they don't block the whole IP
> address; they just block a single port and other ports on the same IP
> remain accessible.
>
> We can take advantage of these peculiarities by opening additional obfs4
> ports on the default bridges, and changing the port numbers on each
> release. We'd keep the old ports open for people who haven't upgraded
> yet, but those who upgrade will start using the new ports. This way, we
> can make the bridges temporarily reachable after each new release--at
> least until the censors figure out what we're doing and start blocking
> more aggressively.
>
> This is pretty easy to do on the bridge operators' part. They just need
> to forward a range of ports to their existing obfs4 port, something like
> this:
> iptables -A PREROUTING -t nat -i eth0 -p tcp --match multiport --dports 50000:50009 -j REDIRECT --to-port <obfs4port>
> Then, the Tor Browser developers can choose a fresh port in each new
> release.
Hey David,
sounds like an easy idea worth trying.
I ran the above iptables command on LeifEricson. Let me know if it doesn't work.
I wonder why censors are afraid of blocking the whole IP address...
More information about the tor-project
mailing list