Hello,
I run a private obfuscated Tor bridge for myself and some friends. All in all it has worked fine so far, but having recently run some security scans on the bridge host, I now wonder how resistant to active probing my bridge is. Apologies if this has already been asked; I have yet to find a searchable archive of this list.
Anyway, here is my logic. In order to operate properly, my bridge must have its ORPort reachable from the Internet. I have chosen a port to be used for this purpose at random but these days, scanning all 64k TCP ports on a host takes mere minutes. The X.509 server certificate offered on the ORPort is rather suspicious, if only because of the randomly generated name; I suspect there might be other peculiarities as well. Therefore, I strongly suspect that it wouldn't take more than a few minutes for any attacker employing active probing to detect my bridge and block access to it.
Does this make sense? And in any case, is there anything else I could do to protect my bridge against active probing? The best I could come up with is to make the bridge host periodically change the ORPort, which I reckon wouldn't really help, because if I had to restart tor on the bridge every few minutes it wouldn't be of much use connectivity-wise. Having the border firewall block or slow down suspected port scans might perhaps make it possible to change the ORPort less frequently, but alas, I have no control over the border firewall beyond being able to ask to open or close specific ports on my host.
Thank you in advance for your time.
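As an added example (not part of the original message, and not Tor Project code), the following Python script carries out the probing sequence the post reasons about: find listening TCP ports, complete a TLS handshake on each one, pull the server certificate and flag Common Names that look machine-generated. The "www.<label>.<tld>" shape and the consonant-run / vowel-ratio / digit heuristic in `looks_random` are my assumptions for illustrating "randomly generated name"; a real prober would match the exact certificate pattern of the software it is hunting for. The DER walk in `extract_common_names` is a deliberate shortcut, not a full X.509 parser, and the sample certificate bytes at the bottom are constructed so the script runs offline.

```python
"""Active-probing sketch: port scan -> TLS handshake -> certificate heuristics.

Added illustration for the question above; the name-shape heuristic and the
sample DER bytes are assumptions/constructions, not data from a real bridge.
"""
import re
import socket
import ssl

# DER encoding of the X.509 attribute type OID 2.5.4.3 (commonName).
_CN_OID = b"\x06\x03\x55\x04\x03"

# Assumed "suspicious" shape: www.<alphanumeric label>.<tld>
_RANDOM_SHAPE = re.compile(r"^www\.([a-z0-9]{6,})\.[a-z]{2,}$")


def find_open_tcp_ports(host, ports, timeout=0.5):
    """Sequential TCP connect scan. A real scanner parallelises this, which is
    why all 65535 ports take minutes rather than hours."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


def fetch_der_certificate(host, port, timeout=5.0):
    """Handshake with host:port and return the leaf certificate in DER form.
    Verification is disabled on purpose: a prober wants the cert, not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def extract_common_names(der):
    """Return every CN value (subject and issuer) found in DER bytes.

    Shortcut, not a parser: locate the CN OID and read the PrintableString
    (0x13) or UTF8String (0x0C) with a short-form length that follows it."""
    names = []
    pos = 0
    while True:
        idx = der.find(_CN_OID, pos)
        if idx < 0:
            break
        tag_pos = idx + len(_CN_OID)
        if tag_pos + 2 <= len(der) and der[tag_pos] in (0x13, 0x0C):
            length = der[tag_pos + 1]
            if length < 0x80:
                value = der[tag_pos + 2 : tag_pos + 2 + length]
                names.append(value.decode("utf-8", errors="replace"))
        pos = tag_pos
    return names


def looks_random(cn):
    """Assumed heuristic for a machine-generated hostname: the www.<label>.<tld>
    shape plus a label with digits, a run of 4+ non-vowels, or almost no vowels.
    Expect false positives on real words like 'strengths'."""
    match = _RANDOM_SHAPE.match(cn.lower())
    if not match:
        return False
    label = match.group(1)
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    long_consonant_run = re.search(r"[^aeiou]{4,}", label) is not None
    return has_digit or long_consonant_run or vowel_ratio < 0.2


def classify_certificate(der):
    """Summarise one certificate: all CNs seen and which ones look generated."""
    names = extract_common_names(der)
    flagged = [n for n in names if looks_random(n)]
    return {"common_names": names, "random_looking": flagged, "suspicious": bool(flagged)}


def probe(host, ports):
    """The full sequence from the post: scan, handshake, classify each open port."""
    results = {}
    for port in find_open_tcp_ports(host, ports):
        try:
            results[port] = classify_certificate(fetch_der_certificate(host, port))
        except (OSError, ssl.SSLError) as exc:
            results[port] = {"error": str(exc)}
    return results


def _der_cn(name):
    """Constructed helper: encode one CN attribute (OID + PrintableString)."""
    value = name.encode()
    return _CN_OID + b"\x13" + bytes([len(value)]) + value


# Constructed sample, NOT a real certificate: two CN attributes wrapped in
# placeholder SEQUENCE headers, enough for extract_common_names to find them.
SAMPLE_DER = b"\x30\x82" + _der_cn("www.k3qz7xvbm.net") + b"\x30" + _der_cn("www.yqtxpwk.com")

if __name__ == "__main__":
    print(classify_certificate(SAMPLE_DER))
    # Live use (network access required), e.g.:
    # print(probe("192.0.2.10", range(1, 65536)))
```

The heuristic will fire on a self-signed certificate whose CN is a random label, which is the property the post worries about; it says nothing about timing, cipher suites or handshake quirks, which a thorough prober would also fingerprint.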