

Roya, David, Nick, nweaver, Vern, and I just finished a research project in which we revisited the Great Firewall of China's (GFW) active probing system. This system was brought to life several years ago to reactively probe and block circumvention proxies, including Tor. You might remember an earlier blog post that gave us some first insight into how the active probing system works. For example, we were left wondering what the system's physical infrastructure looked like. Rumour had it that the GFW was hijacking IP addresses for a short period of time, but there was no conclusive proof. Does the GFW even "own" all these IP addresses? Is the GFW using dedicated machines behind their thousands of probing IP addresses? As a result, we teamed up and set out to answer these, and other questions. This blog post is also available in Chinese, translated by our friends from.

Because this was a network measurement project, we started by compiling datasets. We created three datasets, comprising hours (a Sybil-like experiment to attract many probes), months (an experiment to measure reachability for clients in China), and even years (log files of a long-established server) worth of active probing data. Together, these datasets allow us to look at the GFW's active probing system from different angles, illuminating aspects we wouldn't be able to observe with just a single dataset. We are able to share two of our datasets, so you are very welcome to reproduce our work, or do your own analysis.

We now want to give you an overview of our most interesting findings.

Generally, once a bridge is detected and blocked by the GFW, it remains blocked. But does this mean that the bridge is entirely unreachable? We measured the blocking effectiveness by continuously making a set of virtual private systems in China connect to a set of bridges under our control. We found that every 25 hours, for a short period of time, our Tor clients in China were able to connect to our bridges. This is illustrated in the diagram shown below. Every point represents one connection attempt, meaning that our client in China was trying to connect to our bridge outside of China. Note the curious periodic availability pattern for both Unicom and CERNET (the two ISPs in China we measured from). Sometimes, network security equipment goes into "fail open" mode while it updates its rule set, but it is not clear if this is happening here.

We were able to find patterns in the TCP headers of active probes that suggest that all these thousands of IP addresses are, in fact, controlled by a single source. Check out the initial sequence number (ISN) pattern in the diagram below. It shows the value of ISNs (y-axis) over time (x-axis). Every point in the graph represents the SYN segment of one active probing connection. If all probing connections had come from independent computers, we would have expected a random distribution of points. That's because ISNs are typically chosen randomly to protect against off-path attackers. Instead, we see a clear linear pattern across IP addresses. We believe that active probes derive their ISN from the current time.

We discovered that Tor is not the only victim of active probing attacks: the GFW is targeting other circumvention systems, namely SoftEther and GoAgent. This highlights the modular nature of the active probing system. It appears to be easy for GFW engineers to add new probing modules to react to emerging, proxy-based circumvention tools. The GFW is able to (partially) speak the vanilla Tor protocol, obfs2, and obfs3 to probe bridges. Interestingly, node-Tor, a JavaScript implementation of the Tor protocol, is immune to active probing because it implements the Tor protocol differently, which seems to confuse active probes. We were also able to resist active probes by modifying a bridge of ours to ignore old VERSIONS Tor cells. This is unlikely to be a sustainable circumvention technique, though.

Back in 2012, the system worked in 15-minute queues. These days, it seems to be able to scan bridges in real time. On average, it takes only half a second after a bridge connection for an active probe to show up.
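The two analyses above (checking whether SYN segments from many probing IP addresses share one time-derived ISN clock, and measuring how often a blocked bridge becomes briefly reachable) can be reproduced on a small scale with the script below. It is an added example, not code from the original post or from the Tor Project; all SYN records and connection attempts it uses are constructed inline, and the ISN clock rate, the 203.0.113.0/24 and 198.51.100.0/24 source addresses, and the R² threshold are assumptions chosen for illustration.

```python
"""Two small analyses mirroring the measurement ideas in the post.

Added example, not code from the original post or from the Tor Project.
Every input record below is constructed; nothing here is a real GFW capture.
"""
import random
import statistics
from datetime import datetime, timedelta


# --- 1. Do SYN segments from many source IPs share one ISN clock? ---
# A SYN record is (seconds since capture start, source IP, 32-bit ISN).

def linear_fit(xs, ys):
    """Ordinary least squares y = slope*x + intercept; returns (slope, intercept, r_squared)."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    ss_res = sum((y - (slope * x + intercept)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - mean_y) ** 2 for y in ys)
    r_squared = 1.0 - ss_res / ss_tot if ss_tot else 1.0
    return slope, intercept, r_squared


def isn_shared_clock(syns, threshold=0.99):
    """Return (r_squared, distinct_sources, verdict).

    verdict is True when ISNs taken across *different* source addresses fall on
    one straight line over time: the signature of a single ISN generator behind
    many addresses, rather than independent hosts picking random ISNs.
    Real captures would first have to be unwrapped modulo 2**32; the constructed
    data below stays well below the wrap point. The threshold is an assumption.
    """
    xs = [t for t, _, _ in syns]
    ys = [isn for _, _, isn in syns]
    _, _, r2 = linear_fit(xs, ys)
    sources = {ip for _, ip, _ in syns}
    return r2, len(sources), (r2 >= threshold and len(sources) > 1)


def constructed_probe_syns(n=200, seed=1):
    """Constructed SYNs from many addresses whose ISN is a clock plus jitter."""
    rng = random.Random(seed)
    rate = 250_000          # assumed ISN units per second (not a measured value)
    base = 123_456_789      # assumed clock offset at capture start
    syns = []
    for i in range(n):
        t = i * 0.5         # one probe every half second
        ip = f"203.0.113.{rng.randint(1, 254)}"   # documentation range, constructed
        isn = (base + int(rate * t) + rng.randint(-50, 50)) & 0xFFFFFFFF
        syns.append((t, ip, isn))
    return syns


def constructed_random_syns(n=200, seed=2):
    """Control case: independent hosts choosing ISNs at random."""
    rng = random.Random(seed)
    return [(i * 0.5, f"198.51.100.{rng.randint(1, 254)}", rng.getrandbits(32))
            for i in range(n)]


# --- 2. How often does a blocked bridge become briefly reachable? ---
# An attempt is (timestamp, succeeded), made every few minutes from a client.

def availability_windows(attempts):
    """Group consecutive successful attempts into windows; return each window's start."""
    starts, previous_ok = [], False
    for ts, ok in sorted(attempts):
        if ok and not previous_ok:
            starts.append(ts)
        previous_ok = ok
    return starts


def availability_period(attempts):
    """Median gap in hours between the starts of successive reachable windows, or None."""
    starts = availability_windows(attempts)
    if len(starts) < 2:
        return None
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:])]
    return statistics.median(gaps)


def constructed_attempts(days=7, period_hours=25, window_minutes=20, every_minutes=5):
    """Constructed attempt log: reachable only for a short window once per period."""
    start = datetime(2015, 1, 1)
    attempts = []
    for m in range(0, days * 24 * 60, every_minutes):
        ok = (m % (period_hours * 60)) < window_minutes
        attempts.append((start + timedelta(minutes=m), ok))
    return attempts


if __name__ == "__main__":
    for label, data in (("clocked", constructed_probe_syns()), ("random", constructed_random_syns())):
        r2, n_src, verdict = isn_shared_clock(data)
        print(f"{label}: R^2={r2:.4f} sources={n_src} single-generator={verdict}")
    print(f"reachable window every {availability_period(constructed_attempts())} hours")
```

On the constructed data the clocked probes give an R² close to 1 across roughly two hundred distinct addresses, the random control gives an R² near 0, and the attempt log yields a 25-hour period. When running this against real captures, unwrap ISNs across the 32-bit boundary before fitting and expect a few outliers from unrelated scanners, so inspect residuals rather than relying on the threshold alone.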
