Hello Tor people, just me chipping in about recent event.
Today, I discovered that somewhere around Dec, 22, all three of my recently
launched bridges have been censored on at least one network (MegaFon Moscow
AS25159). Metrics show a drastic traffic drop in the range of Dec, 21-23 for
all three bridges.
Investigating further, I discovered (using tcptraceroute/nc) that all three hosts
started responding with RSTs to all of their open ports (not only bridge ports
but SSH and other recently opened ports too). NATd source IP address was
unchanged from my usual one in every case.
One of the bridges had distribution method set to HTTPS, and the other two
were distributed via Moat. All ran recent Tor 0.4.6.8 Docker image.
NB: One of the bridges has incorrect 'First seen' date on the metrics portal -
it displays '2021-12-25' despite being launched several days prior.
To summarize:
1. Bridge blocking happens via the common 'fast RST' method
2. It happened relatively quickly (all bridges are less than 10 days uptime
by now).
3. Somehow, all three of my recently launched bridges were blacklisted despite
using different ASs/hosters/countries for each. Is it a coincidence, or
it's because Moat prefers to hand out newer bridges first, or due to
something else entirely?
Also, I can not rule out that some step in my distribution chain was
compromised -- I gave out these bridges privately to a few friends.
IMO you should not mix private brtdges with those where you delegate the to distribute the connection info eg to the torproject.
Said that you should set "PublishServerDescriptor 0" at bridges where you distribute the connection info yourself.
···
On 12/29/21 15:37, Space Oddity via tor-relays wrote:
Also, I can not rule out that some step in my distribution chain was
compromised -- I gave out these bridges privately to a few friends.
Hello Tor people, just me chipping in about recent event.
Today, I discovered that somewhere around Dec, 22, all three of my recently
launched bridges have been censored on at least one network (MegaFon Moscow
AS25159). Metrics show a drastic traffic drop in the range of Dec, 21-23 for
all three bridges.
Investigating further, I discovered (using tcptraceroute/nc) that all three hosts
started responding with RSTs to all of their open ports (not only bridge ports
but SSH and other recently opened ports too). NATd source IP address was
unchanged from my usual one in every case.
One of the bridges had distribution method set to HTTPS, and the other two
were distributed via Moat. All ran recent Tor 0.4.6.8 Docker image.
NB: One of the bridges has incorrect 'First seen' date on the metrics portal -
it displays '2021-12-25' despite being launched several days prior.
To summarize:
1. Bridge blocking happens via the common 'fast RST' method
2. It happened relatively quickly (all bridges are less than 10 days uptime
by now).
3. Somehow, all three of my recently launched bridges were blacklisted despite
using different ASs/hosters/countries for each. Is it a coincidence, or
it's because Moat prefers to hand out newer bridges first, or due to
something else entirely?
Russia is enumerating and blocking Tor bridges. They've enumerated and
blocked bridges twice: Dec 1st and during xmas (Dec 22-24). It's not
clear how and how many bridges they've enumerated. Perhaps they're
bypassing BridgeDB captcha[1].
I recommend following up this thread:
And if possible, please rotate your bridge IP address.
Also, I can not rule out that some step in my distribution chain was
compromised -- I gave out these bridges privately to a few friends.
I don't think so as I also saw my new bridges getting blocked during
xmas too.
It wasn't a problem for us but thanks for the tip.
Also, can confirm Beeline (AS16345) blocks them too. Seems like the
blocking is mostly deployed in mobile carriers atm -- makes sense
to me. Haven't tested with much except these two though.
but thanks for the tip.