Hi,

As you may know, the Great Firewall of China (GFW) is actively scanning TOR relays and bridges [1]. Fortunately, blocking those probes seems to be sufficient to prevent the GFW from blocking/censoring the service.

The GFW is evolving and the probes that we see today will likely be different in the future. For now, these iptables rules detect active GFW scans against a TOR bridge.

Probes as seen a few weeks ago can be detected by:

$ iptables -A INPUT -p tcp -m string --hex-string "|00001800390038003500160013000A00330032002F0007000500FF0100000400230000|" --algo kmp -j LOG --log-prefix "china_long "
$ iptables -A INPUT -p tcp -m string --hex-string "|00001400390038003500160013000A00330032002F0005020100|" --algo kmp -j LOG --log-prefix "china_short "

Probes seen recently:

$ iptables -A INPUT -p tcp -m string --hex-string "|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|" --algo kmp -j LOG --log-prefix "china_new "

Active scans detected by these iptables rules were triggered by a TOR client in China connecting to a TOR bridge in Europe. These rules are intended to be used on the TOR bridge side.

If you wish not only to detect, but also to actively reject GFW probes (and hopefully prevent your service from getting censored), consider replacing "-j LOG ..." with "-j REJECT --reject-with tcp-reset".

Cheers,
Marek

[1] http://www.cs.kau.se/philwint/pdf/foci2012.pdf

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
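The three --hex-string signatures above are the tail of a TLS ClientHello (empty session id, cipher suite list, compression methods, extensions). The following is an added example, not code from Marek's post: it decodes the iptables hex-string syntax (only the |hex| form), matches a payload the way the kmp string match does (substring at any offset), and unpacks each signature so a bridge operator can see what the rule actually keys on. The ClientHello layout assumed here is the standard one; the sample packets are constructed.

```python
# Added example (not from the original post): decode and apply the GFW probe signatures.
import re
from dataclasses import dataclass

# The three --hex-string arguments quoted in the post, keyed by their log prefix.
GFW_SIGNATURES = {
    "china_long": "|00001800390038003500160013000A00330032002F0007000500FF0100000400230000|",
    "china_short": "|00001400390038003500160013000A00330032002F0005020100|",
    "china_new": "|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|",
}

def parse_hex_string(s: str) -> bytes:
    """Decode iptables --hex-string syntax; only the |hex| form is handled (assumption)."""
    m = re.fullmatch(r"\|([0-9A-Fa-f]+)\|", s.strip())
    if not m or len(m.group(1)) % 2:
        raise ValueError(f"unsupported --hex-string: {s!r}")
    return bytes.fromhex(m.group(1))

def match_payload(payload: bytes) -> list[str]:
    """Log prefixes of every signature found in the payload, at any offset (like --algo kmp)."""
    return [name for name, sig in GFW_SIGNATURES.items() if parse_hex_string(sig) in payload]

@dataclass
class HelloTail:
    cipher_suites: list[int]   # 2-byte TLS cipher suite ids, in the order the probe sends them
    compression: list[int]     # compression method ids (0 = null, 1 = deflate)
    extensions: list[int]      # extension type ids (0x23 = SessionTicket)

def decode_signature(sig: bytes) -> HelloTail:
    """Interpret a signature as: session_id_len(0) | suites_len | suites | comp_len | comps [| ext_len | exts]."""
    if sig[0] != 0:
        raise ValueError("expected an empty session id before the cipher suite list")
    n = int.from_bytes(sig[1:3], "big")
    suites = [int.from_bytes(sig[i:i + 2], "big") for i in range(3, 3 + n, 2)]
    p = 3 + n
    comps = list(sig[p + 1:p + 1 + sig[p]])
    p += 1 + sig[p]
    exts = []
    if p < len(sig):                                   # optional extensions block
        end = p + 2 + int.from_bytes(sig[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype, elen = int.from_bytes(sig[p:p + 2], "big"), int.from_bytes(sig[p + 2:p + 4], "big")
            exts.append(etype)
            p += 4 + elen
    return HelloTail(suites, comps, exts)

# Constructed samples: a fake TLS record/handshake header + client random + the "china_short" tail,
# and a benign payload that contains no signature.
PROBE = b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x01" + b"\x11" * 32 + parse_hex_string(GFW_SIGNATURES["china_short"])
BENIGN = b"\x16\x03\x01\x00\x05GET /"

if __name__ == "__main__":
    print(match_payload(PROBE), match_payload(BENIGN))
    for name, sig in GFW_SIGNATURES.items():
        t = decode_signature(parse_hex_string(sig))
        print(name, [hex(c) for c in t.cipher_suites], t.compression, t.extensions)
```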
