Hi,
I've been working on a small tool whose purpose is to protect bridges from the Chinese firewall. The tool runs independently of Tor and analyzes/rewrites SYNs and SYN/ACKs which it gets with the help of libnetfilter_queue. It is quick and easy to set up and can be run by bridge operators.
Basically, the tool achieves two things:
- Evading the Chinese DPI engine by rewriting the TCP window size during the TCP handshake. This leads to a fragmented cipher list which does not seem to be recognized by the GFC.
- Blocking scanners with two dirty hacks.
I did not have a lot of time to test it yet but I've found the window size rewriting to be particularly effective (yet ugly). It worked with Windows {XP, 7} and recent Linux boxes. The scanner blocking strategies are not that effective since they imply many false positives, i.e., legitimate users being locked out.
Before showing this to a broader audience, I need some people looking at the code, though. The code, just 600 lines of C, is available at: https://github.com/NullHypothesis/brdgrd/
Cheers, Philipp
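
The window rewriting described in the message above, as an added example that is not part of the original message and is not brdgrd's own code: it overwrites the window field of an IPv4 SYN/ACK held in a raw buffer and fixes the TCP checksum incrementally (RFC 1624). The sample packet, the function names and the window value 60 are assumptions made for illustration; a real tool would receive the packet from libnetfilter_queue instead of a constant array.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
/* Constructed IPv4+TCP SYN/ACK (documentation addresses, valid TCP checksum 0x8c7c;
 * IP header checksum left zero because this example never touches the IP header). */
static const uint8_t SAMPLE_SYNACK[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x02,            /* 192.0.2.1 -> 198.51.100.2 */
    0x01,0xbb,0xc3,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02,
    0x50,0x12, 0x72,0x10, 0x8c,0x7c, 0x00,0x00 };        /* SYN|ACK, window 29200 */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)p[0] << 8 | p[1];
    if (n) acc += (uint32_t)p[0] << 8;                   /* odd trailing byte */
    return acc;
}
static uint16_t fold_not(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
/* Full TCP checksum over pseudo-header + segment; 0 means the stored checksum is valid. */
uint16_t tcp_verify(const uint8_t *pkt, size_t len) {
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint32_t acc = sum16(pkt + 12, 8, 6 + (uint32_t)(len - ihl));
    return fold_not(sum16(pkt + ihl, len - ihl, acc));
}
/* Returns 1 if the window was rewritten, 0 if not a SYN/ACK, -1 if malformed. */
int rewrite_synack_window(uint8_t *pkt, size_t len, uint16_t new_win) {
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return -1;
    uint8_t *tcp = pkt + ihl;
    if ((tcp[13] & 0x12) != 0x12) return 0;              /* need SYN and ACK both set */
    uint16_t old_win = (uint16_t)(tcp[14] << 8 | tcp[15]);
    uint16_t old_sum = (uint16_t)(tcp[16] << 8 | tcp[17]);
    /* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), so the segment is not re-summed. */
    uint16_t new_sum = fold_not((uint32_t)(uint16_t)~old_sum + (uint16_t)~old_win + new_win);
    tcp[14] = (uint8_t)(new_win >> 8); tcp[15] = (uint8_t)new_win;
    tcp[16] = (uint8_t)(new_sum >> 8); tcp[17] = (uint8_t)new_sum;
    return 1;
}
int main(void) {
    uint8_t pkt[40];
    memcpy(pkt, SAMPLE_SYNACK, sizeof pkt);
    int rc = rewrite_synack_window(pkt, sizeof pkt, 60); /* 60: arbitrary small window */
    printf("rc=%d window=%d checksum_ok=%d\n", rc, pkt[34] << 8 | pkt[35], tcp_verify(pkt, sizeof pkt) == 0);
    return 0;
}
```

The window field of a segment with SYN set is never scaled, so the value written here is the byte count the client sees for its first flight of data.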