Inside the Great Firewall of China's Tor Blocking 160
Trailrunner7 writes with an article at Threat Post about China's ability to block Tor. From the article: "The much-discussed Great Firewall of China is meant to prevent Chinese citizens from getting to Web sites and content that the country's government doesn't approve of, and it's been endowed with some near-mythical powers by observers over the years. But it's somewhat rare to get a look at the way that the system actually works in practice. Researchers at Team Cymru got just that recently when they were asked by the folks at the Tor Project to help investigate why a user in China was having his connections to a bridge relay outside of China terminated so quickly. Not only is China able to identify Tor sessions, it can do so in near real-time and then probe the Tor bridge relay and terminate the session within a couple of minutes."
My college did it easier (Score:5, Informative)
Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks.
At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.
Re:My college did it easier (Score:5, Informative)
Tor has changed since you read last... "Bridges" were added to Tor and are not listed in any central directory.
Tor bridges [torproject.org]
Re:My college did it easier (Score:5, Informative)
Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks. At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.
This was the situation. Countries did download the entire Tor directory and block all the nodes listed in it. This is why bridge relays were invented, and there is no public list off all bridge relays. It works like this: You get a bridge address, you connect to a bridge and the bridge then connects to the Tor network. This changed the arms-race. GFW is now able to detect the Tor bridges and this is a set-back for the Tor-project. They will find a solution which fools the GFW and the Chinese will lose face.
Re:SSH (Score:5, Informative)
Bugged planet indeed, I wonder if any of our lovely "free world" companies like Amesys or Siemens are selling the DPI gear, or if China is using a fully homebaked solution.
If you watch the 28c3 Torproject presentation available at http://tinyurl.com/7c893sl [tinyurl.com] then you will learn that western corporations like Intel, Nokia and Cisco are heavily involved in Internet surveillance and censorship around the world.
Re:My college did it easier (Score:5, Informative)
Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks.
At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.
We have to remember though what Tor was designed to do and what it was not designed to do. Tor was designed to protect the privacy of individuals who don't want their browsing habits revealed. It does this by preventing your IP address from being available to the web server you connect to, and additionally it encrypts traffic so intermediaries, such as your ISP can't snoop on your traffic. It was NOT designed as a means of bypassing firewalls that are actively try to block Tor. That was never its purpose.
Re:ssh tunnel on nonstandard port (Score:4, Informative)
It works, though it stands out like a sore-thumb.
Re:Not that much new here... (Score:2, Informative)
I've used the previous method on my own IRC network, not to block Tor outright, but to prevent people from clicking 'refresh' to get a new IP and avoid channel bans or client side /ignores placed on them after spamming, harassing others, and generally trying to go where their behavior makes them unwanted.
With a daemon linked to tor, my server can send some info to the tor network to ask if this is a tor connection. It needs my servers IP and port, as well as the users IP and source port.
Upon a successful reply, services changes that users vhost to @tor
It's fully up to each channels ops how to handle it, if at all.
Some channels do +b *!*@tor while others have the same ban but add exceptions for registered nicks using +e nick!*@tor while yet other channels are nothing BUT tor users.
I've never seen someone refresh their Tor IP and reconnect from a node that wasn't also detected by this method.
I haven't heard of tor bridges until just today, however their use doesn't seem to aid with harassment or spamming from what I can tell.
We also do bayesian filtering where if the IP is on 4 or more of the 8 DNS blacklists checked, they get a temporary 10 minute gline with a URL showing which blacklists failed, and links to each for figuring out exactly why one is listed, and after cleaning up any infections they can request a delisting.
As that process usually takes more than 10 minutes, this filtering method only stops bots and other automations, while a human can easily fix the problem and not be denied their chatting.
It's pretty hard these days to find a decent balance between allowing privacy while at the same time preventing obvious abuses like spamming, harassment, and bots trying to DCC trojans to not-so-net-savvy newbies.
I had absolutely no issues with Tor when their goal was only to provide privacy and anonymity. But if their new goals are to provide an easy and one-click way to avoid bans set on a particular user with bad behavior through their service, then it will only serve to harm their reputation (for good reason this time)