Carding 4 Carders
In today's article, I will talk about ways to bypass Tor blockages. But before we get to the Tor blocking methods, let's talk a little bit about how Tor is blocked.
How do they block Tor?
According to Roger Dingledine, there are four basic ways to block Tor.
- The first one looks obvious: there are nine public directories of Tor network entry nodes in total, and if access to these directories is closed, users will not be able to establish a connection.
- The second method is to download the list of about 7000 Tor relay nodes responsible for forwarding traffic and block them all by IP address.
- The third method, not very reliable but effective, is to track the characteristic fingerprints of packets, that is, to use fingerprinting. Traffic filtering can be set up on the basis of indirect features characteristic of data transmitted in the Tor network. This is roughly how the Iranian government acted during the protests in 2009. For deep traffic inspection the Iranian authorities used DPI. Tor packets resembled SSL packets in a number of ways, and the Iranians, using equipment purchased specifically for this purpose, simply throttled the bandwidth of encrypted SSL traffic in their networks, temporarily making it impossible to use Tor in the country.
- Finally, the fourth method is to block access to the resources from which end users download the software needed to connect. Combined, these four techniques can produce excellent results, from the point of view of intelligence agencies and governments. But how did the Tor developers respond?
Bypassing Tor blockages using bridges
The first frontier in the fight against network censorship was the so-called pluggable transports, the first of which were the obfs3 and obfs4 bridges. The idea is as follows: since the "bad guys" can obtain a complete list of public relay nodes and block access to these nodes themselves or to their public directories, thousands of bridges have been created in the Tor network whose list of addresses is not publicly available.
To connect to Tor via a bridge, go to https://bridges.Torproject.org, select the transport type, specify whether your network supports IPv6, enter a captcha, get the bridge address, and then enter it in the Tor Browser settings. There is a simpler way: in the same connection settings, request a bridge address from the Torproject site (you will have to enter the captcha again).
If Torproject.org is blocked, you can send an email with an empty subject to bridges@Torproject.org with the string get transport obfs4 in the message body. Important point: the email must be sent from Gmail or Riseup, otherwise it will be ignored. In response, a specially trained bot will send you bridge addresses that you can enter in the Tor Browser settings.

Configuring the bridge in Tor Browser.
By and large, Tor bridges use the SOCKS proxy interface and are similar in architecture to the Chinese anti-censorship project Shadowsocks. Tor bridges work as obfuscators that mask Tor traffic, making it look like ordinary HTTP or a random byte stream, which makes it difficult to filter. The obfs3 transport turned out to be vulnerable to active probing, a method of hunting for bridge addresses on the network in order to block them, so it was replaced by the more advanced obfs4.
Governments have learned to block such connections too. For greater efficiency, active probing can be combined with deep packet inspection: using DPI, the government watches for all Tor-like connections.
After detecting a "suspicious" node, a government host itself tries to talk to it over the Tor protocol. If the node speaks this protocol and responds that it is a bridge, it is immediately blocked and its IP address is blacklisted. In China, such filtering is done at the backbone level, which is why the blocking works quite effectively.
Roger Dingledine himself called bridges a "shitty arms race", because government censors have learned to filter traffic using the method described above. Tor developers responded by rolling out patches that change the data in the packets and remove the features used for filtering, or by changing the behavior of bridges.
In turn, governments adjusted their filter settings, and everything started all over again. This was the case in Iran during the mass protests, in Egypt during the Arab Spring, and in Tunisia during the 2010-2011 revolution. Something similar happened in Belarus.
In other words, with enough persistence, a government can block the available bridges in a given region, and then the user may see something like this when trying to connect again.

All the bridges are raised, swim across.
To bypass such blocks, the Tor developers came up with meek.
Bypassing Tor blocking using meek
Tor has another pluggable transport called meek, which works even when bridges are blocked. Its operating principle is also somewhat like a proxy, but the cloud servers of CDN providers such as Amazon CloudFront, Google, or Microsoft Azure are used as the intermediate link for carrying the traffic.
The bet is that a censoring government, if it is in its right mind, will never completely block CDNs, AWS, Azure and similar services, since a huge number of different Internet resources rely on these clouds and would simply stop working.
However, counting on the sanity of some state structures is rather naive. Sometimes they are able to take down half of a country's network segment in pursuit of a single unruly messenger, which in the end they still could not block.
Connecting meek is very simple: when starting Tor Browser, click the Configure button, tick the Tor is censored in my country checkbox, set the radio button to Select a built-in bridge, and choose the meek transport from the drop-down list.

The meek transport works even in China.
Meek uses a technique called domain fronting. To reach a target node on the Internet, the meek client generates special HTTPS requests and sends them to an unblocked "outer" service such as a CDN or AWS. This "outer" name is what appears in the DNS query and in the Server Name Indication (SNI) field of the TLS handshake.
But the real name of the host the client needs to reach is hidden in the HTTP Host header. The intermediate cloud service reads this name and forwards the request to the meek server running on one of the Tor bridges. The meek server in turn decrypts the request body and passes it into the Tor network, and from there it reaches the free Internet.

How meek works
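To make concrete which vantage point sees which name in the exchange described above, here is an added Python example (not code from this article or from the Tor Project): it builds a constructed TLS ClientHello, pulls out the SNI the way a DPI box on the path would, reads the Host header the way the CDN does after terminating TLS, and flags the disagreement between the two. The domain names are made-up placeholders.

```python
import struct
from typing import Optional

# Constructed sample names: the front a censor sees, and the real meek backend.
FRONT_DOMAIN = "cdn-front.example.net"
MEEK_BACKEND = "meek-reflector.example.org"

def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with a single server_name extension
    (constructed test input, not a full handshake)."""
    name = sni.encode()
    server_name = struct.pack("!BH", 0, len(name)) + name       # name type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list        # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32                            # version + random
            + b"\x00"                                             # empty session id
            + b"\x00\x02\x13\x01"                                 # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """The censor's (DPI) view: walk the plaintext ClientHello to its SNI."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs = record[5:]
    p = 4 + 2 + 32                                   # header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher suites
    p += 1 + hs[p]                                   # compression methods
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big") # end of extensions
    p += 2
    while p + 4 <= end:
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        p += 4
        if etype == 0:                               # server_name: list len, type, name len, name
            name_len = int.from_bytes(hs[p + 3:p + 5], "big")
            return hs[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None

def host_header(request: bytes) -> Optional[str]:
    """The CDN's view after TLS termination: the HTTP Host header."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    return None

def fronting_mismatch(record: bytes, request: bytes) -> bool:
    """True when TLS names one host and HTTP names another: the signature a
    TLS-terminating edge can match, and a censor on the path cannot."""
    sni, host = extract_sni(record), host_header(request)
    return sni is not None and host is not None and sni.lower() != host.lower()

# Constructed meek-style exchange: fronted to the CDN name, addressed to the backend.
FRONTED_HELLO = build_client_hello(FRONT_DOMAIN)
FRONTED_REQUEST = (b"POST / HTTP/1.1\r\nHost: " + MEEK_BACKEND.encode()
                   + b"\r\nContent-Length: 0\r\n\r\n")
```

Because the distinguishing Host header lives inside TLS, only the TLS-terminating provider can enforce agreement between SNI and Host; several large cloud providers began doing exactly that in 2018, which is why the set of fronts meek can use has narrowed over time.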
In addition to the default configuration using Azure, you can set your own meek transport parameters. Here are the detailed instructions. It would seem that everything is simple. But not for everyone.
Bypassing Tor blocking using Snowflake
It is good if you are able to download and configure Tor Browser under Windows. It is good if you can install Linux and type apt-get install obfs4proxy or apt-get install tor in the console. But many millions of Internet users do not know how to do even that.
To solve this problem, the folks at the Tor Project developed a JavaScript browser extension called Snowflake. Just install this plugin (or open a site with a special JS script), and without downloading additional software a Tor bridge is brought up on your machine, running directly in the browser. It uses WebRTC and works correctly behind NAT.

How Snowflake works (illustration from the Torproject.org site).
With Snowflake, blanket blocking loses its meaning, because no government in the world is able to block every browser on the Internet. Deep packet inspection with DPI also loses its meaning, because WebRTC is used by legitimate software like Google Hangouts and many video-conferencing programs. Blocking WebRTC data streams would break that entire infrastructure.
Thanks to Snowflake, the fight against censorship has gained an army of volunteers who lend their hardware resources to bypassing the blocks. At the same time, installing a browser plugin is not required: it is enough to open a web page with the Snowflake script in one of the browser tabs, or to place this script somewhere on your site so that it runs in the background while a page is being viewed.
For their part, the Tor developers try to collect feedback from network users. There are also independent censorship-monitoring projects like the Open Observatory of Network Interference (OONI), an application that scans the user's network environment for blocked resources, protocols, and services.
Be that as it may, anti-censorship technologies still have a long way to go before they reach maximum effectiveness. For example, at DEF CON it was reported that the Tor Project is actively working on applying Format-Transforming Encryption to its traffic. It will make the transmitted traffic look as much as possible like ordinary unencrypted HTTP and thereby confuse deep-inspection mechanisms.
Another approach is called decoy routing. In this case, when an SSL connection is being established, one of the intermediate nodes looks for a special tag inside the SSL handshake packet and, if it finds one, redirects the traffic into the Tor network, while the local Internet service provider continues to assume that the client is communicating with a decoy remote server from the whitelist and knows nothing about the change of route.
Conclusions
The fight against censorship really is like an arms race, in which governments with their vast resources and multibillion-dollar international corporations compete on one side, and on the other, public organizations and enthusiasts driven by a sense of justice, a desire for freedom, and a need for a certain place. At the same time, it is not at all obvious which of them will win.
At DEF CON, Roger Dingledine said:
"Australia censors its Internet, and England has a thing called the Internet Watch Foundation, which is part of their government. Denmark censors the Internet, Sweden censors the Internet. So when we criticize the Chinese government for not allowing its citizens to watch the BBC, it justifiably says that it is doing exactly the same thing as everyone else... it is not just about censorship: it is important to draw users' attention to the fact that they are being watched. And then they will be able to make their own choice."
And in this, the co-founder of the Tor Project is certainly right. As long as the Internet exists, everyone has a choice.