## China (#4744, #4185, #8591)

### Summary of the current situation
Most of the time, the directory authorities as well as the public relays are blocked. In addition, the Great Firewall of China blocks most bridges. It does this by looking for new Tor connections; when the firewall detects one, it establishes a TCP connection to the destination and then attempts a Tor connection to it. If that succeeds, the destination is blocked. This happens for vanilla Tor bridges as well as obfs2 bridges (#8591). An analysis of the active probing strategy can be found at http://www.cs.kau.se/philwint/static/gfc/ and at https://gist.github.com/da3c7a9af01d74cd7de7 .

### First witnessed

The active probing strategy to block Tor bridges became known in October 2011 (#4185). According to other reports, this type of active probing might even date back to 2010: http://www.nsc.liu.se/~nixon/sshprobes.html .

### Last witnessed

The block is still ongoing, although the blocking fails now and then for short periods.

## Tor censorship

### Tor detection

* **Deep packet inspection**: #4744

* **Fingerprint**: The cipher list inside the TLS client hello that the Tor client sends to the bridge (for versions < 0.2.3.17-beta; newer versions use a different cipher list that has not been detected so far). Possibly there is more. The cipher list contains 29 ciphers and is 58 bytes long. The raw cipher list can be downloaded from http://files.7c0.org/tor/Tor-TLS-Cipher-List.bin . The tool `tcis` can be used as "bait" to make the Great Firewall of China scan a specific target: https://github.com/NullHypothesis/tcis

* **Active probing**:

  * After the DPI boxes have detected the Tor cipher list, seemingly random machines connect to the suspected bridge and try to start a Tor connection. If this probing succeeds, the bridge is blocked. There is reason to believe that the IP addresses of these machines are spoofed.
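A way to check which cipher list a client hello actually carries, so that an operator can compare a capture of their own client against the 29-suite, 58-byte fingerprint described in the Fingerprint bullet above. This is an added example, not code from the page, from `tcis`, or from Tor. The cipher-suite values in it are constructed placeholders rather than the real list from Tor-TLS-Cipher-List.bin, and a match on count and length alone is only a shape check, not identification of the actual fingerprint.

```python
import struct

# Constructed placeholder cipher-suite values: 29 two-byte codes, so the sample
# has the same shape (29 suites, 58 bytes) as the fingerprint described on the
# page. These are NOT the real Tor cipher list.
PLACEHOLDER_SUITES = [0xC000 + i for i in range(29)]

# Shape of the fingerprint as the page describes it: 29 suites, 58 bytes.
FINGERPRINT_COUNT = 29
FINGERPRINT_LEN = 58


def build_client_hello(cipher_suites):
    """Build a minimal TLS 1.0 ClientHello record (no extensions) for testing."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (
        b"\x03\x01"                       # client_version: TLS 1.0
        + bytes(32)                       # random (zeros; constructed sample)
        + b"\x00"                         # session_id length 0
        + struct.pack("!H", len(suites))  # cipher_suites length in bytes
        + suites
        + b"\x01\x00"                     # one compression method: null
        + b"\x00\x00"                     # extensions length 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_cipher_suites(record):
    """Return the raw cipher_suites bytes of a ClientHello carried in one TLS record.

    Raises ValueError if the record is not a handshake record holding a ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                          # skip client_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                    # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = hello[pos:pos + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("truncated or malformed cipher_suites")
    return suites


def describe_cipher_list(record):
    """Summarise the cipher list in the terms the page uses (count and byte length)."""
    suites = extract_cipher_suites(record)
    count, length = len(suites) // 2, len(suites)
    return {
        "count": count,
        "length": length,
        "same_shape_as_fingerprint": count == FINGERPRINT_COUNT and length == FINGERPRINT_LEN,
    }


if __name__ == "__main__":
    print(describe_cipher_list(build_client_hello(PLACEHOLDER_SUITES)))
```

To use it on real traffic, feed `extract_cipher_suites` the first TLS record of a captured client-to-bridge flow; the function reads only the fields it needs and rejects anything that is not a ClientHello.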
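From a bridge operator's side, the probing described in the bullet above shows up as a burst of short connections from unrelated addresses that complete the TLS handshake but never build a circuit, shortly after a real client has connected. The following added example (not from the page and not Tor's own code) correlates such sessions in a constructed connection log. The log format (`timestamp ip event`), the event names, the 60-second window, the 5-second session limit, and the addresses are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log: one client builds a circuit, then three unrelated
# addresses connect, finish the TLS handshake and leave within seconds.
# A second client an hour later is not followed by anything.
SAMPLE_LOG = """\
2013-01-15T10:00:00Z 198.51.100.7 connect
2013-01-15T10:00:00Z 198.51.100.7 tls_ok
2013-01-15T10:00:01Z 198.51.100.7 circuit
2013-01-15T10:00:14Z 203.0.113.5 connect
2013-01-15T10:00:14Z 203.0.113.5 tls_ok
2013-01-15T10:00:15Z 203.0.113.5 close
2013-01-15T10:00:16Z 203.0.113.77 connect
2013-01-15T10:00:16Z 203.0.113.77 tls_ok
2013-01-15T10:00:17Z 203.0.113.77 close
2013-01-15T10:00:20Z 203.0.113.130 connect
2013-01-15T10:00:21Z 203.0.113.130 tls_ok
2013-01-15T10:00:21Z 203.0.113.130 close
2013-01-15T10:05:00Z 198.51.100.7 close
2013-01-15T11:00:00Z 192.0.2.9 connect
2013-01-15T11:00:00Z 192.0.2.9 tls_ok
2013-01-15T11:00:01Z 192.0.2.9 circuit
2013-01-15T11:30:00Z 192.0.2.9 close
"""


def parse_sessions(log_text):
    """Fold 'timestamp ip event' lines into one session record per connection.

    Assumed events: connect, tls_ok, circuit, close. A new 'connect' from an
    address starts a fresh record for that address.
    """
    sessions, order = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, ip, event = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        if event == "connect":
            sessions[ip] = {"ip": ip, "start": ts, "end": None,
                            "tls_ok": False, "circuit": False}
            order.append(ip)
        elif ip in sessions:
            if event == "tls_ok":
                sessions[ip]["tls_ok"] = True
            elif event == "circuit":
                sessions[ip]["circuit"] = True
            elif event == "close":
                sessions[ip]["end"] = ts
    return [sessions[ip] for ip in order]


def is_probe_like(session, max_duration=timedelta(seconds=5)):
    """Handshake completed, no circuit, and gone within a few seconds."""
    if not session["tls_ok"] or session["circuit"] or session["end"] is None:
        return False
    return session["end"] - session["start"] <= max_duration


def detect_probing(log_text, window=timedelta(seconds=60), min_probes=2):
    """Return {client_ip: [probe-like ips]} for clients followed by a probe burst."""
    sessions = parse_sessions(log_text)
    clients = [s for s in sessions if s["circuit"]]
    probes = [s for s in sessions if is_probe_like(s)]
    findings = {}
    for client in clients:
        followers = [p["ip"] for p in probes
                     if client["start"] <= p["start"] <= client["start"] + window]
        if len(followers) >= min_probes:
            findings[client["ip"]] = followers
    return findings


if __name__ == "__main__":
    for client_ip, probers in detect_probing(SAMPLE_LOG).items():
        print(f"{client_ip} was followed by probe-like sessions from {', '.join(probers)}")
```

Because the page notes that the probers' addresses may be spoofed, the output is useful as telemetry (this bridge has been probed and is probably about to be blocked) rather than as a list of addresses worth filtering.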

### Tor blocking

* **IP blocking**:

  * All 8 directory authorities seem to be blocked on the IP layer. They respond neither to TCP nor to ICMP requests.

* **IP:port blocking**:

  * Public relays as well as bridges are usually blocked by IP:port, presumably to limit collateral damage. The block is done by dropping the SYN/ACK segment that the bridge sends to the Tor client.

* **Spoofed RST segments**:

  * Spoofed RST segments to terminate TCP connections to bridges have been observed. However, the IP:port blocking seems to be more common.

* **Web site block**:

  * All web sites containing the string "torproject.org" in the `Host` field are blocked when accessed over HTTP. The connection is terminated by spoofed RST segments.

```
$ telnet 38.229.72.14 80
Trying 38.229.72.14...
Connected to 38.229.72.14.
GET / HTTP/1.1
Host: www.torproject.org
Connection closed by foreign host.
$
```
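The blocking mechanisms listed above leave different traces in a measurement: no answer to anything, a missing SYN/ACK on one port while another port of the same host answers, a RST arriving right after the handshake, or a RST arriving only after an HTTP request carrying a torproject.org `Host` header. The following added example (not from the page) sorts constructed measurement records into those categories. The record fields, the sample values, and the TTL comparison used as a spoofing hint are assumptions; a TTL difference between the SYN/ACK and the RST only suggests that the RST came from somewhere other than the endpoint and is not proof on its own.

```python
# Constructed measurement records, one per target and port. Field meanings
# (all assumed for this example):
#   icmp_reply        - the host answered an ICMP echo request
#   synack            - a SYN/ACK was received on the measured port
#   other_port_synack - a SYN/ACK was received on some other port of the same host
#   synack_ttl        - IP TTL of that SYN/ACK (None if none was received)
#   rst_after         - None, "handshake" (RST right after the handshake) or
#                       "http-host" (RST after a GET with a torproject.org Host header)
#   rst_ttl           - IP TTL of the RST (None if none was received)
SAMPLE_OBSERVATIONS = {
    "dirauth-example:443": dict(icmp_reply=False, synack=False, other_port_synack=False,
                                synack_ttl=None, rst_after=None, rst_ttl=None),
    "relay-example:9001": dict(icmp_reply=True, synack=False, other_port_synack=True,
                               synack_ttl=None, rst_after=None, rst_ttl=None),
    "bridge-example:443": dict(icmp_reply=True, synack=True, other_port_synack=True,
                               synack_ttl=52, rst_after="handshake", rst_ttl=38),
    "www.torproject.org:80": dict(icmp_reply=True, synack=True, other_port_synack=True,
                                  synack_ttl=50, rst_after="http-host", rst_ttl=41),
    "control-example:80": dict(icmp_reply=True, synack=True, other_port_synack=True,
                               synack_ttl=50, rst_after=None, rst_ttl=None),
}


def classify_block(obs):
    """Map one measurement record to the blocking type it most resembles."""
    if not obs["icmp_reply"] and not obs["synack"] and not obs["other_port_synack"]:
        return "ip-block"              # nothing reaches the host: blocked on the IP layer
    if not obs["synack"]:
        if obs["other_port_synack"]:
            return "ip-port-block"     # host reachable, this port's SYN/ACK is dropped
        return "host-unresponsive"     # ICMP answers but no port does: not attributable
    if obs["rst_after"] == "http-host":
        return "host-header-block"     # handshake fine, RST only after the Host header
    if obs["rst_after"] == "handshake":
        ttl_differs = obs["rst_ttl"] is not None and obs["rst_ttl"] != obs["synack_ttl"]
        return "rst-injection" if ttl_differs else "rst-unattributed"
    return "no-block-observed"


def classify_all(observations):
    """Classify every record; returns {target: label}."""
    return {name: classify_block(obs) for name, obs in observations.items()}


if __name__ == "__main__":
    for name, label in classify_all(SAMPLE_OBSERVATIONS).items():
        print(f"{name:24} {label}")
```

Measuring a second port of the same host is what separates IP-layer blocking from IP:port blocking, so a measurement that only probes the Tor port cannot tell the first two categories apart.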

### Types of non-Tor censorship

* The GFW seems to also block VPNs by making use of active probing.

### Ways to bypass censorship

* [Obfsproxy](https://www.torproject.org/projects/obfsproxy.html.en) when used with obfs3 was found to evade the DPI boxes. However, the hard-coded bridges in the obfsproxy bundle are blocked so a private obfsproxy bridge is necessary. obfs2 is actively probed and typically blocked.
* https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/198-restore-clienthello-semantics.txt

### Type of firewall

* The Great Firewall Of China
* **Manufacturer**: China. There are probably no off-the-shelf products.

### Reproducing the blocking

* Active probing can be triggered with the tool `tcis`: https://github.com/NullHypothesis/tcis . The tool sends a Tor TLS client hello to a given machine; the DPI boxes detect it and start probing that machine.
* Open SOCKS proxies in China can be used to send the "bait".