
Examining How the Great Firewall Discovers Hidden Circumvention Servers (2015) - garrincha
http://fermatslibrary.com/s/examining-how-the-great-firewall-discovers-hidden-circumvention-servers
======
kbmajor
Readable version without extraneous nonsense:

[http://conferences.sigcomm.org/imc/2015/papers/p445.pdf](http://conferences.sigcomm.org/imc/2015/papers/p445.pdf)

~~~
Animats
Thanks. That page has so much popup junk that I opened Inspect Element and
deleted the popup nodes just to read the thing.

------
nbevans
Tor stopped working (with bridge) when I was there last month. It worked for a
day or two then stopped working. It didn't matter how many times I refreshed
my bridges list, it just wouldn't work. Luckily I provisioned an Azure VM in
Hong Kong which I could access via RDP to keep access to GMail, Facebook etc.

~~~
sbensu
Did you provision an Azure VM while you were in Hong Kong, or an Azure VM
that was hosted in Hong Kong?

~~~
nbevans
The VM was in Hong Kong. I was in Mainland China.

HK is not affected by the GFW, as far as I know.

------
gerdesj
I've never been anywhere near the GFW but I do find OpenVPN listening on
443/tcp and a few other ports (tcp and udp) on the outside quite handy for
drilling through firewalls. It supports basic auth proxies but CNTLM is in the
toolbox as well. Add in NAT and a few routing entries on other hosts.

It also provides a simple way to detect a transparent MitM proxy. If OVPN
fails to connect but an "unprotected" https connection gets through then the
alarm bells go off and the presented SSL cert gets a serious examination. I
keep a couple of thumbprints of known certs handy for this - the discipline of
proper checking rather than a cursory glance at an image that the GUI throws
up.

I use readily available stuff but looking into the description of how the obfs
protocols work in Tor I'm impressed and rather glad that my life or liberty
doesn't depend on my efforts. When I get it wrong I simply lose access to BBC
iPlayer or whatever. When someone who is having to take this rather more
seriously gets it wrong, they might not get a chance to repeat their mistake.
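The thumbprint check described in the post, as an added example (this is not the poster's own tooling and not part of the original thread): connect with CA verification deliberately disabled so that an interposed proxy's certificate is actually received, then judge the leaf by its SHA-256 fingerprint against a list of known-good pins. Host names and pin values are assumptions; the `<test>` uses constructed byte strings in place of real DER certificates.

```python
"""Pinned-certificate check for spotting a transparent TLS MitM proxy.

Added example; not the poster's own tooling. The idea from the post: keep
thumbprints of the certificates you expect and compare what the far end
actually presents. Hostnames and pins below are assumptions.
"""
import hashlib
import socket
import ssl


def cert_fingerprint(der):
    """SHA-256 thumbprint of a DER-encoded certificate, colon-separated hex,
    the same format `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der, pins):
    """True if the certificate's thumbprint is in the pinned set (case-insensitive)."""
    return cert_fingerprint(der) in {p.upper() for p in pins}


def fetch_presented_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate the far end presents, as DER bytes.

    CA verification is switched off on purpose: a transparent proxy that
    has had its CA installed on the machine would otherwise pass silently.
    The pin, not the chain, is the verdict here. Only the handshake is done;
    no request is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host, pins, port=443):
    """Fetch the presented leaf and report whether it matches a pin."""
    der = fetch_presented_cert(host, port)
    fp = cert_fingerprint(der)
    return {"host": host, "fingerprint": fp, "pinned": fp in {p.upper() for p in pins}}


if __name__ == "__main__":
    # Assumed host and pin; replace with thumbprints you recorded from a
    # trusted network (e.g. `openssl x509 -fingerprint -sha256 -noout -in cert.pem`).
    KNOWN_PINS = ["AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:"
                  "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"]
    result = check_host("www.example.com", KNOWN_PINS)
    print("OK" if result["pinned"] else "ALARM: unpinned certificate presented", result)
```

Pin the leaf you actually see (or, if you expect rotation, the SPKI), and refresh the list when the site legitimately changes certificates; a pin miss is a prompt to look at the chain by hand, exactly the discipline the post describes, not proof of interception on its own.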

~~~
mikeash
This sort of thing used to work, but doesn't anymore. The GFW is now smart
enough to detect VPNs based only on the traffic they generate, not port
numbers or other easily changed things. It's currently an arms race between
VPN providers trying to mask their traffic and the firewall trying to uncover
it, and the firewall is winning so far.

~~~
pixl97
Whelp, that's pretty much it for the internet. Won't be long before many more
governments are licensing and using this technology. The question is how long
before supposedly 'free' governments start.

~~~
lisivka
It's easy to fix by mirroring their behavior: drop incoming connections from
China until they drop their firewall.

------
phw
Here's a summary that's a bit easier to digest:
[https://blog.torproject.org/blog/learning-more-about-gfws-active-probing-system](https://blog.torproject.org/blog/learning-more-about-gfws-active-probing-system)

------
bdz
Here is the presentation from CCC 2015

[https://www.youtube.com/watch?v=NgYdmRR7JtY](https://www.youtube.com/watch?v=NgYdmRR7JtY)

------
KayEss
We have a client's system that seems to get probed for this sort of thing. We
keep seeing URLs like the following being requested:

    htttps://www.example.com/http://www.baidu.com/cache/global/img/gs.gif

There are a number of variations including plain IP numbers and other URLs,
like www.google.com being used.

I guess at some point somebody accessed the site from China.

EDIT: Just got another probe from 94.102.49.174 owned by Quasi Networks Ltd in
the Seychelles.
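A detector for the request shape shown in the post, as an added example (not the poster's own monitoring, and nothing in it identifies who sends such requests): it parses Common Log Format lines and flags request targets that embed a full URL or a bare IP address in the path. All log lines are constructed; the source addresses are RFC 5737 documentation ranges plus the one address the poster quoted.

```python
"""Flag access-log requests whose target embeds another URL or an IP.

Added example, not the poster's own monitoring. Parses Common Log Format
lines and reports requests of the shape seen in the post: a full
http://... URL, or a dotted IP, stuffed into the request path. The log
lines are constructed, not real captures.
"""
import re
from collections import Counter

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)

# Target that, after an optional leading "/", begins with scheme:// (proxy-style
# request or URL-in-path) or with a dotted IPv4 address.
EMBEDDED = re.compile(
    r'^/?(?:[a-z][a-z0-9+.-]*://|(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$))', re.IGNORECASE
)


def parse_clf(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def is_probe_like(target):
    """True for /http://host/..., http://host/..., /1.2.3.4/... style targets."""
    return EMBEDDED.match(target) is not None


def find_probes(lines):
    """Return (hits, per_source): matching parsed entries and a count per client IP."""
    hits = []
    for line in lines:
        entry = parse_clf(line)
        if entry and is_probe_like(entry["target"]):
            hits.append(entry)
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample log (documentation-range IPs plus the address quoted in the post).
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Oct/2015:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '94.102.49.174 - - [10/Oct/2015:13:55:37 +0000] "GET /http://www.baidu.com/cache/global/img/gs.gif HTTP/1.1" 404 0',
    '94.102.49.174 - - [10/Oct/2015:13:55:38 +0000] "GET http://www.google.com/ HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2015:13:55:39 +0000] "GET /203.0.113.5/ HTTP/1.0" 404 0',
    '198.51.100.10 - - [10/Oct/2015:13:55:40 +0000] "GET /img/1.2.png HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    hits, per_source = find_probes(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["method"], h["target"], h["status"])
    print(dict(per_source))
```

Treat a hit as "someone is testing what this host will fetch or relay", not as attribution: the same request shape comes from open-proxy scanners on any network, which is why a per-source count is more useful than a single alert.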

~~~
dylz
Quasi (aka Ecatel) is basically a den of ddos for hire, ddos, malware, botnet
C&C, abuse reports ignored. Servers are in NL.

Probably not China.

------
Scoundreller
A good time to TLS fingerprint your connections and get an idea of which
client is probing your server.

Probers might have their own unique TLS fingerprint.

[https://blog.squarelemon.com/tls-fingerprinting/](https://blog.squarelemon.com/tls-fingerprinting/)
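The kind of client fingerprint the post suggests, as an added example that is not code from the thread or from the linked blog: a parser for a TLS ClientHello that computes a JA3 string and hash. JA3 (Salesforce's scheme, published after this thread) joins the client version, cipher suites, extension types, supported groups and EC point formats in decimal, GREASE values removed, and MD5s the result; whether the linked post uses the same fields is an assumption. The ClientHello below is constructed in code, not a captured prober's hello.

```python
"""JA3-style fingerprint of a TLS ClientHello.

Added example, not code from the original post or the linked blog. The
sample ClientHello is constructed, not captured from any prober.
JA3 string = SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats
(decimal, '-'-joined, GREASE values dropped); JA3 hash = MD5 of the string.
"""
import hashlib
import struct


def _is_grease(v):
    """RFC 8701 GREASE values: 0x0a0a, 0x1a1a, ..., 0xfafa."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def _u16s(buf):
    """Decode a buffer of big-endian uint16 values."""
    return [struct.unpack("!H", buf[i:i + 2])[0] for i in range(0, len(buf) - 1, 2)]


def parse_client_hello(record):
    """Parse one TLS record holding a ClientHello into the JA3 fields."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip client random
    pos += 1 + body[pos]                           # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = _u16s(body[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    exts, curves, formats = [], [], []
    if pos + 2 <= len(body):                       # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 0x000A:                    # supported_groups
                curves = _u16s(data[2:2 + struct.unpack("!H", data[:2])[0]])
            elif etype == 0x000B:                  # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "curves": curves, "formats": formats}


def _join(vals):
    return "-".join(str(v) for v in vals if not _is_grease(v))


def ja3(record):
    """Return (ja3_string, ja3_md5) for a ClientHello record."""
    f = parse_client_hello(record)
    s = ",".join([str(f["version"]), _join(f["ciphers"]), _join(f["extensions"]),
                  _join(f["curves"]), _join(f["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(ciphers, extensions):
    """Constructed ClientHello (TLS 1.2 framing) for offline testing."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"    # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample hello with GREASE in the cipher, group and extension lists.
SAMPLE_HELLO = build_client_hello(
    ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[
        (0x3A3A, b""),                                  # GREASE extension
        (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),   # server_name
        (0x000A, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),  # groups: GREASE, x25519, secp256r1
        (0x000B, b"\x01\x00"),                          # ec_point_formats: uncompressed
        (0x0023, b""),                                  # session_ticket
    ],
)

if __name__ == "__main__":
    s, h = ja3(SAMPLE_HELLO)
    print(s)   # 771,4865-4866-49195-49199,0-10-11-35,29-23,0
    print(h)
```

On a real server you would feed this the first record read from the accepted socket (or a pcap) before handing the connection to the TLS stack, and keep a table of hashes per source; a prober that reuses one TLS library will show up as one hash across many source addresses, which is the signal the post is after. Dropping GREASE is what keeps a modern browser's hash stable between connections.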

------
schoen
(2015)

