• This repository has been archived on 10/Jul/2021
  • Stars
    star
    227
  • Rank 175,900 (Top 4 %)
  • Language
    C
  • License
    GNU General Publi...
  • Created over 10 years ago
  • Updated about 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Protects Tor bridges from being scanned (and as a result blocked) by GFW probes.

brdgrd (Bridge Guard)

UPDATE: Rumour has it that brdgrd is no longer working because the GFW seems to do TCP stream reassembly now.

Brdgrd is short for "bridge guard": A small tool that is meant to protect Tor bridges from being scanned (and as a result blocked) by the Great Firewall of China.

Brdgrd runs in user space and makes use of the libnetfilter_queue mechanism (and hence only runs on Linux) to move packets from kernel into user space. Only TCP SYN/ACK segments are passed into user space because brdgrd is only interested in TCP handshakes and not in established connections. Hence, there are virtually no performance implications.

Brdgrd intercepts the SYN/ACK segment that a Tor bridge sends to its client. It then rewrites the TCP window size announced in this segment. The window size is rewritten to a smaller, randomly chosen value. That way, the client "fragments" its cipher list inside the TLS client hello. The GFW will not recognize the cipher list and as a result will not scan the bridge.

Brdgrd needs iptables rules to feed it with data. The following script passes all Tor-related SYN/ACKs to brdgrd:

iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport $TORPORT -j NFQUEUE --queue-num 0

You can compile brdgrd by running make and then start it by running sudo ./brdgrd. Keep in mind that the above iptables rule tries to push SYN/ACKs to userspace. If brdgrd is not running, Tor cannot handle new connections because there is no userspace program to process the SYN/ACK segments.

It is possible to set the CAP_NET_ADMIN capability for the brdgrd executable so that you do not need root privileges to run the binary:

sudo setcap cap_net_admin=ep ./brdgrd

Please send patches, suggestions, and comments to [email protected]
My OpenPGP fingerprint is: B369 E7A2 18FE CEAD EB96 8C73 CF70 89E3 D7FD C0D0

More Repositories

1

exitmap

A fast and modular scanner for Tor exit relays. The canonical repository (including issue tracker) is at https://gitlab.torproject.org/tpo/network-health/exitmap
Python
454
star
2

censorbib

The Internet censorship bibliography.
TeX
132
star
3

scramblesuit

The ScrambleSuit traffic obfuscation protocol.
Python
91
star
4

zoossh

Parsing library for Tor-specific data formats.
Go
44
star
5

sybilhunter

Hunting for Sybils and anomalies in archived Tor network data.
Go
43
star
6

hping3

Forks git://git.debian.org/collab-maint/hping3.git
C
36
star
7

tor-dns

Repository for Tor's DNS-related issues.
TeX
17
star
8

backlogscans

Side channel-based network measurement tools.
Python
17
star
9

blockpages

Block pages hosted on censorship sites all around the world.
HTML
13
star
10

active-probing-tools

Python tools for targeted pcap analysis.
Python
13
star
11

tcis

Simulates the initiation of a Tor connection.
C
12
star
12

ddptr

DNS delegation path traceroute
Python
12
star
13

atlas_tools

Tools to use RIPE Atlas from the command line.
Python
11
star
14

trnnr

Tor relay nearest neighbour ranking
Python
10
star
15

bibliograpy

Converts BibTeX files to HTML bibliographies.
Python
8
star
16

internet-freedom-jobs

Jobs in the space of Internet freedom.
6
star
17

torbutton

Forks https://gitweb.torproject.org/torbutton.git
JavaScript
6
star
18

mlgo

Automatically exported from code.google.com/p/mlgo
Go
5
star
19

obfsproxy

Forked from https://gitweb.torproject.org/pluggable-transports/obfsproxy.git
Python
5
star
20

docker-obfs4-bridge

This repository implements a Docker image that provides an obfs4 bridge.
Shell
4
star
21

genpwd

A simple and pure-Python password generator with safe defaults.
Python
3
star
22

obfs4PortScan

Tests if a Tor bridge's obfs4 port is publicly reachable.
Go
2
star
23

exit-pinning

Exit relay pinning for network services.
2
star
24

emma

Go
2
star
25

tor-dns-tools

Data processing tools for a research project.
Python
2
star
26

tor-android-service

C
1
star
27

onionperf

Fork of https://gitweb.torproject.org/onionperf.git/
Python
1
star
28

snmp_kraken

Downloads MIB of multiple SNMP-enabled devices.
Shell
1
star
29

bridgeauth-obfs4-scanner

Scans the TCP port of obfs4 bridges known to the bridge authority.
Python
1
star
30

bfi

A lightweight brainfuck interpreter.
C
1
star
31

tracemap

Visualises and runs traceroutes to a given set of IP addresses.
Python
1
star
32

otel-example

Example application for distributed tracing using OpenTelemetry
Go
1
star
33

torspec

Fork of https://gitweb.torproject.org/torspec.git/
Python
1
star
34

relayfilter

Filters a Tor network consensus.
Go
1
star
35

sybil-paper

Source for the paper "Identifying and characterizing Sybils in the Tor network"
TeX
1
star
36

rdsys

Resource distribution system for censorship circumvention proxies.
Go
1
star