Bridge Testing: Indirect Scans
These need to be further researched and tested. There may also be new methods discovered as time goes on, since some of these methods are pretty obscure.
Summary from the parent ticket, #6414 (closed):
- "Nmap stealth scan" style indirect scan: send a TCP SYN to the bridge with a forged source IP address; the forged address should actually belong to some in-country, publicly observable service with sequential or otherwise predictable header fields.
- Use any website that allows free content upload to give the bridge address as the "content" and wait to see whether the page times out. This is basically a variant of the vanilla TLS handshake test; however, a downside is that contact with the bridge is measured from wherever the content upload site's server is located, which may not be in-country.
- Use FTP proxies or some similar weird bounce mechanism in-country to obfuscate the purpose of the connection.
- Use the canary to force probes to check for us, without the probes actually checking. I'm just going to start calling this idea "quis-custodiet-ipsos-custodes-now-f******?!?!?!"
- There were other ideas which were as entertaining as they were ridiculous, and there are probably a lot that I haven't thought of yet.
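The first bullet only works if the in-country bounce host has a predictable counter in its packet headers (in Nmap's idle scan that counter is the 16-bit IP ID field). The following is an added example, not code from the ticket or the Tor project: it classifies a handful of IP ID values sampled from one host, so an operator can check whether their own service leaks a usable counter. The class names are this example's own, loosely modelled on Nmap's IP ID sequence classes, and the samples are constructed.

```python
"""Classify a host's IP ID behaviour from a few IDs it emitted.

A predictable (incrementing) IP ID lets an outside observer count the
packets a host sent between two probes, which is exactly what an indirect
scan needs from its bounce host; randomized IDs defeat that. Labels are
this example's own, loosely modelled on Nmap's IP ID sequence classes.
Samples must come from one host and one traffic type (some stacks keep
separate counters per destination or for DF packets).
"""

def _delta(a, b):
    # Difference modulo the 16-bit field, so a wrap 65535 -> 0 counts as +1.
    return (b - a) % 0x10000

def _byteswap(x):
    # Some stacks historically incremented the high byte, i.e. the counter
    # appears little-endian on the wire; swapping bytes recovers it.
    return ((x & 0xFF) << 8) | (x >> 8)

def _all_small_steps(ids, hi):
    return all(1 <= _delta(a, b) <= hi for a, b in zip(ids, ids[1:]))

def classify_ipid(ids):
    """Return 'zero', 'constant', 'incremental', 'byteswapped-incremental',
    'incremental-busy' (gaps up to 1000, still predictable) or 'random'."""
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if any(not 0 <= i <= 0xFFFF for i in ids):
        raise ValueError("IP ID is a 16-bit field")
    if all(i == 0 for i in ids):
        return "zero"
    if len(set(ids)) == 1:
        return "constant"
    if _all_small_steps(ids, 10):
        return "incremental"
    if _all_small_steps([_byteswap(i) for i in ids], 10):
        return "byteswapped-incremental"
    if _all_small_steps(ids, 1000):
        return "incremental-busy"
    return "random"

def exposes_packet_counter(ids):
    """True if an observer could infer how many packets the host sent between probes."""
    return classify_ipid(ids) in ("incremental", "byteswapped-incremental", "incremental-busy")

if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    samples = {"sequential": [100, 101, 102, 103],
               "wraps at 65536": [65534, 65535, 0, 1],
               "little-endian counter": [0x6400, 0x6500, 0x6600],
               "randomized": [0x1F3A, 0xE210, 0x4C77, 0x9AB1]}
    for name, ids in samples.items():
        print(f"{name:22s} {classify_ipid(ids):24s} exposes counter: {exposes_packet_counter(ids)}")
```

A host whose own probes come back classified as random or constant cannot serve as the bounce point described above; the usual fix for an incrementing host is to enable the OS's IP ID randomization.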