SLIDE 1 How the Great Firewall of China is Blocking Tor
Philipp Winter and Stefan Lindskog Karlstad University
SLIDE 2 In a nutshell
- 1. Investigated how Tor is being blocked
- 2. Speculated about the blocking infrastructure
- 3. Looked at countermeasures
Significant prior work done by Tim Wilde from Team Cymru!
SLIDE 3 What Tim found out
[Figure label: TLS Client Hello]
SLIDE 4 Experimental setup
◮ China
  ◮ VPS (full root access)
  ◮ Found 32 open SOCKS proxies via Google
  ◮ PlanetLab
◮ Russia
  ◮ Middle relay
◮ Singapore
  ◮ Bridge in Amazon EC2 cloud
◮ Sweden
  ◮ Several bridges
SLIDE 5
Meet Alice!
SLIDE 6
Alice wants to use Tor!
SLIDE 7
HTTP mostly does not work
[Figure labels: HTTP, torproject.org, TCP RST]
SLIDE 8
But HTTPS is fine!
[Figure labels: HTTPS, torproject.org, ?]
SLIDE 9
Now, Alice needs the consensus
7/8 directory authorities were blocked
DROP
SLIDE 10
SYN/ACK from relays and bridges swallowed
[Figure labels: SYN, Tor relay, SYN/ACK]
SLIDE 11
Most public relays in consensus blocked
◮ Downloaded consensus containing 2819 relays at the time
◮ Could establish TCP connection to only 1.6% of all relays
◮ After three days: Only one of them still reachable
SLIDE 12 Where does the fingerprinting happen?
[Figure labels: VPS, PlanetLab, Open SOCKS, Outside China, Tor TLS Client Hello]
SLIDE 13 Bridges can be unblocked!
◮ Made GFC block 2 private bridges:
  ◮ 1st bridge: Blocked Chinese address space but whitelisted VPS in China
  ◮ 2nd bridge: Unmodified
◮ After ∼12 hours: First bridge became reachable again
SLIDE 14 So what about the scanners?
[Figure labels: TLS Client Hello, Singapore]
SLIDE 15
We now have our data!
◮ After 2.5 weeks: 3295 scans!
◮ Have a look yourself: http://www.cs.kau.se/philwint/static/gfc/
SLIDE 16 When are the scanners connecting?
[Plot: axis "Minutes" (0m to 55m) against dates Mar 06 to Mar 21]
SLIDE 17
There is a daily pattern!
[Plots: four panels, axes "Time" (Mar 17 to Mar 21) and "Minutes", covering 1m to 3m, 18m to 20m, 33m to 34m and 47m to 50m]
SLIDE 18
Where are the scanners coming from?
◮ 50% from 202.108.181.70.
◮ 50% from random IP addresses.
◮ All IP addresses part of AS{4837, 4134, 17622}.
SLIDE 19
What about 202.108.181.70?
inetnum: 202.108.181.0 - 202.108.181.255
netname: BJ-GD-TECH-CO
descr: Beijing Guanda Technology Co.Ltd
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: suny@publicf.bta.net.cn 20020524
status: ASSIGNED NON-PORTABLE
source: APNIC
[...]
SLIDE 20
IP spoofing?
◮ No communication with scanners possible
◮ Sometimes, several minutes after scan, host starts replying to pings
◮ Suspicious: TTL differs!
◮ Conjecture: GFC is spoofing random IP addresses for scanning
SLIDE 21
So how can we help Alice?
SLIDE 22 Two dimensions to the problem
Censorship devices can identify Tor by:
- 1. Protocol — “the TLS client hello looks like Tor!”
- 2. Destination — “that guy is connecting to a bridge!”
China is currently breaking both dimensions.
SLIDE 23
Protocol obfuscation
◮ Makes it hard to break the first dimension of the problem
◮ Most censorship devices recognize Tor by looking at the TLS client/server hello
◮ Solution: Wildly obfuscate the entire protocol or make it look like something else
◮ https://www.torproject.org/docs/pluggable-transports
SLIDE 24
Packet fragmentation
◮ Experiments with fragroute showed that the GFC does no packet reassembly
◮ Developed small tool for server-side packet fragmentation
  https://github.com/NullHypothesis/brdgrd
◮ Transparently rewrites first announced TCP window size
◮ Makes Tor client split its cipher list into two parts
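The reassembly gap described on this slide, as an added illustration (not code from brdgrd or from the authors): a filter that matches a byte pattern per TCP segment loses it once a small first window splits the handshake, while one that buffers across segments still sees it. The byte pattern, message layout, function names and the simplified segmentation model (one short first segment, the rest limited only by MSS) are assumptions made for the example.

```python
MSS = 1460  # common TCP payload limit on Ethernet

# Constructed sample: SIGNATURE is a made-up byte pattern standing in for
# the part of the handshake a filter keys on; it is not Tor's cipher list.
SIGNATURE = bytes.fromhex("aabbccddeeff11223344")
HELLO = b"\x16\x03\x01" + b"\x00" * 40 + SIGNATURE + b"\x00" * 30


def segment(data, first_window, mss=MSS):
    """Split data the way a sender must when the peer's first announced
    window is first_window bytes; later segments are limited by mss."""
    first = max(1, min(first_window, mss, len(data)))
    segs = [data[:first]]
    segs += [data[i:i + mss] for i in range(first, len(data), mss)]
    return segs


def per_packet_match(segs, sig=SIGNATURE):
    """Inspector without reassembly: each segment is checked in isolation."""
    return any(sig in s for s in segs)


def reassembled_match(segs, sig=SIGNATURE):
    """Inspector that carries len(sig)-1 bytes across segment boundaries,
    so a pattern straddling two segments is still seen."""
    keep, tail = len(sig) - 1, b""
    for s in segs:
        buf = tail + s
        if sig in buf:
            return True
        tail = buf[-keep:] if keep else b""
    return False


def blind_windows(data, sig=SIGNATURE):
    """First-window sizes where only the reassembling inspector matches."""
    return [w for w in range(1, len(data) + 1)
            if not per_packet_match(segment(data, w), sig)
            and reassembled_match(segment(data, w), sig)]


if __name__ == "__main__":
    for w in (65535, 48):
        segs = segment(HELLO, w)
        print(w, [len(s) for s in segs],
              per_packet_match(segs), reassembled_match(segs))
    print("per-packet inspector blind for first windows:", blind_windows(HELLO))
```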
SLIDE 25
It’s looking better for us
◮ Flash proxies to tackle bridge distribution problem (Fifield et al., PETS’12)
◮ Many pluggable transports (SkypeMorph, Stegotorus, ...)
◮ https://bridges.torproject.org asks for CAPTCHA now
SLIDE 26
Thanks to
◮ Anonymous reviewers
◮ Tor developers
◮ Fabio Pietrosanti
◮ Simone Fischer-Hübner
◮ Rose-Mharie Åhlfeldt
◮ Harald Lampesberger
Contact: philipp.winter@kau.se (4096R/2D081E16)
Code/Data/Paper: http://www.cs.kau.se/philwint/static/gfc/