<div dir="ltr"><div>One of the Tor wiki pages references a Bro IDS/IPS script that attempts to fingerprint the TLS handshake of a standard (non-obfuscated) Tor connection.[1] This might be useful in that it looks at connections over time and tries to average out the connections to guess whether or not a connection fits an expected value or range of values. When you start looking at more DPI attacks such as trying to fingerprint based on the polling interval of Meek or something else that requires a longer term analysis, this might be the way to go. </div>
<div><br></div>[1] <a href="https://github.com/sethhall/bro-junk-drawer/blob/007b3a833206770bc4b85b12c39e0e01b7b998a0/detect-tor.bro">https://github.com/sethhall/bro-junk-drawer/blob/007b3a833206770bc4b85b12c39e0e01b7b998a0/detect-tor.bro</a><br>
<div><br></div><div>@</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Sep 2, 2014 at 11:41 AM, Nathan of Guardian <span dir="ltr"><<a href="mailto:nathan@guardianproject.info" target="_blank">nathan@guardianproject.info</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
<br>
<br>
-------- Forwarded Message --------<br>
Subject: [tor-talk] Better testing through filternets<br>
Date: Tue, 02 Sep 2014 11:40:01 -0400<br>
From: Nathan Freitas <<a href="mailto:nathan@freitas.net">nathan@freitas.net</a>><br>
Reply-To: <a href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a><br>
To: <a href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a><br>
<br>
<br>
I am working on improving our ability to do more thorough and<br>
standardized testing of Orbot, etc. As part of this, I am trying to<br>
come up with a simple filternet configuration based on OpenWRT, running<br>
on a TP Link MR3020.<br>
<br>
Currently, I have this working:<br>
<br>
- Use Dnsmasq to block high profile target domains (<a href="http://torproject.org" target="_blank">torproject.org</a>,<br>
google, facebook, twitter, whatsapp, etc)<br>
- Block all HTTPS traffic (port 443)<br>
<br>
This simulates most of the common DNS poisoning and port blocking type<br>
attacks, though Tor can still easily connect at this point.<br>
<br>
I would like the ability to simulate a more severe environment, where<br>
for instance, Tor itself is targeted, and bridges are required. Any<br>
thoughts or experience doing this?<br>
<br>
- Block IPs/domains for known Tor Authority nodes<br>
<br>
- block based on Tor protocol characteristics: ssl certs, common ports, etc<br>
<br>
Thanks for any feedback, pointers, links, etc.<br>
<br>
+n<br>
<br>
<br>
--<br>
tor-talk mailing list - <a href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a><br>
</div></div>_______________________________________________<br>
Guardian-dev mailing list<br>
<br>
Post: <a href="mailto:Guardian-dev@lists.mayfirst.org">Guardian-dev@lists.mayfirst.org</a><br>
List info: <a href="https://lists.mayfirst.org/mailman/listinfo/guardian-dev" target="_blank">https://lists.mayfirst.org/mailman/listinfo/guardian-dev</a><br>
</blockquote></div><br></div>
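<div>The filternet Nathan describes (dnsmasq sinkhole for a list of domains plus a firewall rule rejecting HTTPS) expressed as an OpenWrt configuration generator, added here as an example and not code from either message or from the Orbot project. The domain list, the 0.0.0.0 sinkhole address, and the assumption that OpenWrt's dnsmasq reads /etc/dnsmasq.conf are my own choices for illustration.</div>

```shell
#!/bin/sh
# Added example, not code from the thread: builds the two pieces of the
# OpenWrt "filternet" described above. The domain list, the 0.0.0.0 sinkhole
# address and the /etc/dnsmasq.conf path are assumptions for illustration.

BLOCKED_DOMAINS="torproject.org google.com facebook.com twitter.com whatsapp.com"

# dnsmasq sinkhole: "address=/example.com/0.0.0.0" answers the domain and
# all of its subdomains with 0.0.0.0, simulating DNS poisoning.
dnsmasq_sinkhole() {
    for d in $1; do
        printf 'address=/%s/0.0.0.0\n' "$d"
    done
}

# OpenWrt firewall rule (/etc/config/firewall syntax) rejecting forwarded
# tcp/443 from lan to wan, simulating port blocking of HTTPS. REJECT rather
# than DROP so test clients fail fast instead of hanging on timeouts.
firewall_block_https() {
    printf "config rule\n"
    printf "    option name 'filternet-block-https'\n"
    printf "    option src 'lan'\n"
    printf "    option dest 'wan'\n"
    printf "    option proto 'tcp'\n"
    printf "    option dest_port '443'\n"
    printf "    option target 'REJECT'\n"
}

# Default mode prints the generated config for review; "--apply" appends it
# on the router and restarts dnsmasq and the firewall via OpenWrt's init scripts.
filternet() {
    if [ "${1:-preview}" = "--apply" ]; then
        dnsmasq_sinkhole "$BLOCKED_DOMAINS" >> /etc/dnsmasq.conf
        firewall_block_https >> /etc/config/firewall
        /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
    else
        dnsmasq_sinkhole "$BLOCKED_DOMAINS"
        firewall_block_https
    fi
}

filternet "$@"
```

Run without arguments on a workstation to review the generated lines; run with `--apply` on the MR3020 itself to install them.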