Hi,
I've been working on a small tool whose purpose is to protect bridges from the Chinese firewall. The tool runs independently of Tor and analyzes/rewrites SYNs and SYN/ACKs which it gets with the help of libnetfilter_queue. It is quick and easy to set up and can be run by bridge operators.
Basically, the tool achieves two things:
- Evading the Chinese DPI engine by rewriting the TCP window size during the TCP handshake. This leads to a fragmented cipher list which does not seem to be recognized by the GFC.
- Blocking scanners with two dirty hacks.
I did not have a lot of time to test it yet but I've found the window size rewriting to be particularly effective (yet ugly). It worked with Windows {XP, 7} and recent Linux boxes. The scanner blocking strategies are not that effective since they imply many false positives, i.e., legitimate users being locked out.
Before showing this to a broader audience, I need some people looking at the code, though. The code, just 600 lines of C, is available at: https://github.com/NullHypothesis/brdgrd/
Cheers, Philipp
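As an added illustration of the window-rewriting step (example code written for this post, not brdgrd's own source): the in-place edit a libnetfilter_queue callback would apply to a SYN/ACK leaving the bridge, written as a stand-alone function over a constructed packet so it runs without the nfqueue library. The addresses, ports and the window value used in the sample are placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define TH_SYN 0x02
#define TH_ACK 0x10

/* One's-complement sum of a byte buffer (not yet folded to 16 bits). */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    return sum;
}

/* TCP checksum over pseudo-header (src, dst, 0, proto 6, length) + segment.
 * Over a segment whose checksum field is already filled in it yields 0. */
uint16_t tcp_checksum(const uint8_t *ip, size_t ip_hl, size_t tcp_len) {
    uint8_t ph[12];
    memcpy(ph, ip + 12, 8);                  /* source and destination addresses */
    ph[8] = 0; ph[9] = 6;                    /* zero byte, protocol number */
    ph[10] = tcp_len >> 8; ph[11] = tcp_len & 0xff;
    uint32_t sum = csum_add(csum_add(0, ph, 12), ip + ip_hl, tcp_len);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the advertised window of an IPv4 TCP SYN/ACK in place and fix the
 * TCP checksum. Returns 1 on rewrite, 0 if the packet is not a valid SYN/ACK. */
int rewrite_synack_window(uint8_t *pkt, size_t len, uint16_t new_win) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ip_hl = (pkt[0] & 0x0f) * 4;
    size_t tot = (size_t)(pkt[2] << 8 | pkt[3]);
    if (pkt[9] != 6 || ip_hl < 20 || tot > len || tot < ip_hl + 20) return 0;
    uint8_t *tcp = pkt + ip_hl;
    if ((tcp[13] & (TH_SYN | TH_ACK)) != (TH_SYN | TH_ACK)) return 0;
    tcp[14] = new_win >> 8; tcp[15] = new_win & 0xff;   /* window field (never scaled in SYNs) */
    tcp[16] = tcp[17] = 0;                              /* checksum field must be 0 while summing */
    uint16_t c = tcp_checksum(pkt, ip_hl, tot - ip_hl);
    tcp[16] = c >> 8; tcp[17] = c & 0xff;
    return 1;
}

/* Constructed 40-byte IPv4+TCP SYN/ACK (no options); placeholder addresses. */
size_t build_sample_synack(uint8_t *buf) {
    static const uint8_t hdr[40] = {
        0x45, 0, 0, 40, 0, 1, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2, /* IPv4 10.0.0.1 -> 10.0.0.2 */
        1, 0xbb, 0xc0, 0, 0, 0, 0, 1, 0, 0, 0, 2,                            /* 443 -> 49152, seq 1, ack 2 */
        0x50, TH_SYN | TH_ACK, 0xff, 0xff, 0, 0, 0, 0 };                     /* doff 5, win 65535 */
    memcpy(buf, hdr, sizeof hdr);
    return sizeof hdr;
}
```

The small window only governs the client's first data segment: once the bridge's kernel ACKs it, the ACK re-advertises the real window, so the ClientHello is split without throttling the rest of the connection.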
Basically, the tool achieves two things:
- Evading the Chinese DPI engine by rewriting the TCP window size during the TCP handshake. This leads to a fragmented cipher list which does not seem to be recognized by the GFC.
- Blocking scanners with two dirty hacks.
I removed the "two dirty hacks" because they sometimes made a bridge unusable - especially if there is lots of packet loss between client and bridge. So the tool only conducts window size rewriting now.
I've been testing it for several days on my EC2 bridge. The bridge has seen many Chinese users and still remains unblocked.
Cheers, Philipp