Hello Tor people, just me chipping in about recent event.
Today, I discovered that somewhere around Dec, 22, all three of my recently launched bridges have been censored on at least one network (MegaFon Moscow AS25159). Metrics show a drastic traffic drop in the range of Dec, 21-23 for all three bridges.
Investigating further, I discovered (using tcptraceroute/nc) that all three hosts started responding with RSTs to all of their open ports (not only bridge ports but SSH and other recently opened ports too). NATd source IP address was unchanged from my usual one in every case.
One of the bridges had distribution method set to HTTPS, and the other two were distributed via Moat. All ran recent Tor 0.4.6.8 Docker image.
NB: One of the bridges has incorrect 'First seen' date on the metrics portal - it displays '2021-12-25' despite being launched several days prior.
To summarize:
1. Bridge blocking happens via the common 'fast RST' method 2. It happened relatively quickly (all bridges are less than 10 days uptime by now). 3. Somehow, all three of my recently launched bridges were blacklisted despite using different ASs/hosters/countries for each. Is it a coincidence, or it's because Moat prefers to hand out newer bridges first, or due to something else entirely?
Also, I can not rule out that some step in my distribution chain was compromised -- I gave out these bridges privately to a few friends.
-- Best regards, Space Oddity.
On 12/29/21 15:37, Space Oddity via tor-relays wrote:
Also, I can not rule out that some step in my distribution chain was compromised -- I gave out these bridges privately to a few friends.
IMO you should not mix private brtdges with those where you delegate the to distribute the connection info eg to the torproject. Said that you should set "PublishServerDescriptor 0" at bridges where you distribute the connection info yourself.
It wasn't a problem for us :) but thanks for the tip.
Also, can confirm Beeline (AS16345) blocks them too. Seems like the blocking is mostly deployed in mobile carriers atm -- makes sense to me. Haven't tested with much except these two though.
December 29, 2021 8:53 PM, "Toralf Förster" toralf.foerster@gmx.de wrote:
On 12/29/21 18:45, Toralf Förster wrote:
Said that you should set "PublishServerDescriptor 0" at bridges where you distribute the connection info yourself.
Or maybe set it to
BridgeDistribution none
to have bridge stats at metrics.org.
-- Toralf
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi,
Thanks for running bridges!
On Wed, Dec 29, 2021 at 02:37:48PM +0000, Space Oddity via tor-relays wrote:
Hello Tor people, just me chipping in about recent event.
Today, I discovered that somewhere around Dec, 22, all three of my recently launched bridges have been censored on at least one network (MegaFon Moscow AS25159). Metrics show a drastic traffic drop in the range of Dec, 21-23 for all three bridges.
Investigating further, I discovered (using tcptraceroute/nc) that all three hosts started responding with RSTs to all of their open ports (not only bridge ports but SSH and other recently opened ports too). NATd source IP address was unchanged from my usual one in every case.
One of the bridges had distribution method set to HTTPS, and the other two were distributed via Moat. All ran recent Tor 0.4.6.8 Docker image.
NB: One of the bridges has incorrect 'First seen' date on the metrics portal - it displays '2021-12-25' despite being launched several days prior.
To summarize:
- Bridge blocking happens via the common 'fast RST' method
- It happened relatively quickly (all bridges are less than 10 days uptime by now).
- Somehow, all three of my recently launched bridges were blacklisted despite using different ASs/hosters/countries for each. Is it a coincidence, or it's because Moat prefers to hand out newer bridges first, or due to something else entirely?
Russia is enumerating and blocking Tor bridges. They've enumerated and blocked bridges twice: Dec 1st and during xmas (Dec 22-24). It's not clear how and how many bridges they've enumerated. Perhaps they're bypassing BridgeDB captcha[1].
I recommend following up this thread: https://ntc.party/t/ooni-reports-of-tor-blocking-in-certain-isps-since-2021-...
And if possible, please rotate your bridge IP address.
Also, I can not rule out that some step in my distribution chain was compromised -- I gave out these bridges privately to a few friends.
I don't think so as I also saw my new bridges getting blocked during xmas too.
-- Best regards, Space Oddity.
cheers, Gus
[1] https://lists.torproject.org/pipermail/anti-censorship-team/2021-December/00...
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays@lists.torproject.org
-
gus -
spaceoddity@disroot.org -
Toralf Förster