Nathaniel Suchy
2018-10-13 04:07:15 UTC
Currently Tor traffic uses a TLS handshake hostname like the following:
$ sudo tcpdump -An "tcp" | grep "www"
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
.............".
...www.odezz26nvv7jeqz1xghzs.com......................#.!...www.bxbko3qi7vacgwyk4ggulh.com..........6....m.....>...:.........|../* Z....W....X=..6...C../....................................0...0..0.......'....F./0.. *.H........0%1#0!..U....www.b6zazzahl3h3faf4x2.com0...160402000000Z..170317000000Z0'1%0#..U....www.tm3ddrghe22wgqna5u8g.net0..0..
A network observer could run a DNS lookup on the hostnames and see if they
are real or not. So my idea would be to register a set of random hostnames
which are legitimate and point the IPs somewhere to avoid looking for an NX
Domain response and dropping the stream. You could even give each relay a
unique subdomain and rotate these every few weeks. This may be expensive to
implement but could make blocking Tor traffic with this method harder.
Thoughts?
Cordially,
Nathaniel Suchy