[tor-relays] Dropping packets with TCP MSS=1400 to foil GFW active probing

David Fifield david at bamsoftware.com
Tue Aug 21 15:36:46 UTC 2018


On Mon, Aug 20, 2018 at 02:25:40PM -0400, Nathaniel Suchy wrote:
> Interesting. Is there any reason to not use an obfuscated bridge?

No, not really. obfs4 resists active probing without any special
additional steps. But I can think of one reason why the MSS trick is
worth trying, anyway. Due to a longstanding bug (really more of a design
issue that's hard to repair), you can't run an obfs4 bridge without also
running a vanilla (unobfuscated) bridge on a different port on the same
IP address. So if anyone ever connects to that vanilla port, the bridge
will get probed and the entire IP address blocked, including the obfs4
port.
https://bugs.torproject.org/7349

