One of the Tor wiki pages references a Bro IDS/IPS script that attempts to
fingerprint the TLS handshake of a standard (non-obfuscated) Tor
connection.[1] This might be useful in that it looks at connections over
time and tries to average out the connections to guess whether or not a
connection fits an expected value or range of values. When you start
looking at more DPI attacks such as trying to fingerprint based on the
polling interval of Meek or something else that requires a longer term
analysis, this might be the way to go.

[1]
https://github.com/sethhall/bro-junk-drawer/blob/007b3a833206770bc4b85b12c39e0e01b7b998a0/detect-tor.bro

@


On Tue, Sep 2, 2014 at 11:41 AM, Nathan of Guardian <
[email protected]> wrote:

>
>
>
> -------- Forwarded Message --------
> Subject: [tor-talk] Better testing through filternets
> Date: Tue, 02 Sep 2014 11:40:01 -0400
> From: Nathan Freitas <[email protected]>
> Reply-To: [email protected]
> To: [email protected]
>
>
> I am working on improving our ability to do more thorough and
> standardized testing of Orbot, etc. As part of this, I am trying to
> come up with a simple filternet configuration based on OpenWRT, running
> on a TP Link MR3020.
>
> Currently, I have this working:
>
> - Use Dnsmasq to block high profile target domains (torproject.org,
> google, facebook, twitter, whatsapp, etc)
> - Block all HTTPS traffic (port 443)
>
> This simulates most of the common DNS poisoning and port blocking types
> attacks, though Tor can still easily connect at this point.
>
> I would like the ability to simulate a more severe environment, where
> for instance, Tor itself is targeted, and bridges are required. Any
> thoughts or experience doing this?
>
> - Block IPs/domains for known Tor Authority nodes
>
> - block based on Tor protocol characteristics: ssl certs, common ports, etc
>
> Thanks for any feedback, pointers, links, etc.
>
> +n
>
>
> --
> tor-talk mailing list - [email protected]
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
>
> _______________________________________________
> Guardian-dev mailing list
>
> Post: [email protected]
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
>         Send email to:  [email protected]
>         Or visit:
> https://lists.mayfirst.org/mailman/options/guardian-dev/antitree%40gmail.com
>
> You are subscribed as: [email protected]
>
_______________________________________________
Guardian-dev mailing list

Post: [email protected]
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev

To Unsubscribe
        Send email to:  [email protected]
        Or visit: 
https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com

You are subscribed as: [email protected]

Reply via email to