Swedish researchers uncover key to China's Tor-blocking system

Swedish researchers have discovered that Chinese officials have updated the country's 'Great Firewall' to make it harder for citizens to use the Tor network that provides a means of surfing the web anonymously.

It has been long-known that the 'Great Firewall Wall of China' has attempted to block citizens from using the Tor network, by blocking access to some IP addresses or using HTTP header filters to weed out suspect traffic.

But Philipp Winter and Stefan Lindskog of Karlstad University in Sweden have discovered that Chinese authorities have recently increased the sophistication of their filtering tools, making it more difficult for citizens to browse the web freely, by blocking so-called Tor bridges.

Tor bridges serve as entry points to the Tor network – if these are unreachable, a user cannot access the Tor network. While many of these bridges were once published, making it relatively simple to block, users had started to use unpublished bridges.

Last December, Tim Wilde, of security group, Team Cymru, used virtual proxy servers in China to establish that these unpublished bridges were being blocked.

The Karlstad researchers have now established how that blocking is being done and suggested ways in which it may be circumvented.

They discovered that the firewall searches internet traffic that indicate a network connection as Tor and initiate a scan of the host. This scan effectively attempts to “speak Tor” to the host and if successful, the bridge is blocked.

"The scanners are mostly random IP addresses originating from address pools of ISPs. Therefore it is very hard for a bridge to differentiate between a legitimate user from China and a scanner," Winter told V3.

Tor fingerprinting and active scanning is effective for the firewall because Tor traffic can be distinguished from other forms of traffic, allowing the Chinese authorities to block Tor networks, the researchers said.

“Since Tor is being used more and more as censorship circumvention tool, it is crucial that this distinguishability is minimised,” added Winter.

Tools such as "obfsproxy" can help defeat the Great Firewall, he added. This obfuscates the Tor traffic between the user and the bridge, making it appear as Skype traffic, for example.

"Unfortunately, China is blocking the few publicly available obfsproxy bridges at the moment but non-public obfsproxy bridges work," said Winter.

The researchers were able to show that by using so-called packet fragmentation tools, which split TCP streams in to small segments, it is possible to disguise Tor traffic, making it harder to detect.

While Tor networks are commonly associated with hackers and groups such as Anonymous where internet users aim to mask their identity, the network has played a crucial role in promoting online freedoms in many countries.