One of the Tor wiki pages references a Bro IDS/IPS script that attempts to fingerprint the TLS handshake of a standard (non-obfuscated) Tor connection.[1] This might be useful in that it looks at connections over time and tries to average out the connections to guess whether or not a connection fits an expected value or range of values. When you start looking at more DPI attacks such as trying to fingerprint based on the polling interval of Meek or something else that requires a longer term analysis, this might be the way to go.
[1] https://github.com/sethhall/bro-junk-drawer/blob/007b3a833206770bc4b85b12c39e0e01b7b998a0/detect-tor.bro @ On Tue, Sep 2, 2014 at 11:41 AM, Nathan of Guardian < [email protected]> wrote: > > > > -------- Forwarded Message -------- > Subject: [tor-talk] Better testing through filternets > Date: Tue, 02 Sep 2014 11:40:01 -0400 > From: Nathan Freitas <[email protected]> > Reply-To: [email protected] > To: [email protected] > > > I am working on improving our ability to do more thorough and > standardized testing of Orbot, etc. As part of this, I am trying to > come up with a simple filternet configuration based on OpenWRT, running > on a TP Link MR3020. > > Currently, I have this working: > > - Use Dnsmasq to block high profile target domains (torproject.org, > google, facebook, twitter, whatsapp, etc) > - Block all HTTPS traffic (port 443) > > This simulates most of the common DNS poisoning and port blocking types > attacks, though Tor can still easily connect at this point. > > I would like the ability to simulate a more severe environment, where > for instance, Tor itself is targeted, and bridges are required. Any > thoughts or experience doing this? > > - Block IPs/domains for known Tor Authority nodes > > - block based on Tor protocol characteristics: ssl certs, common ports, etc > > Thanks for any feedback, pointers, links, etc. > > +n > > > -- > tor-talk mailing list - [email protected] > To unsubscribe or change other settings go to > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > > _______________________________________________ > Guardian-dev mailing list > > Post: [email protected] > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > > To Unsubscribe > Send email to: [email protected] > Or visit: > https://lists.mayfirst.org/mailman/options/guardian-dev/antitree%40gmail.com > > You are subscribed as: [email protected] >
_______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
