2012-winter-great
findings extracted from this paper
-
A blocked Tor bridge becomes reachable again after approximately 12 hours if Chinese scanners are unable to reach it continuously. In the authors' experiment, one bridge (port 23941) whitelisted to their Chinese VPS via iptables was unblocked within 12 hours despite remaining actively used, while an unrestricted bridge (port 27418) stayed blocked indefinitely.
-
Of 2819 public Tor relays in the February 2012 consensus, only 47 (1.6%) were reachable via TCP from within China. After three days, only 1 of those 47 remained reachable. The GFC blocks relays by IP:port tuple rather than by IP to minimize collateral damage to co-hosted services.
-
Across 3295 active-probing scans observed over 17 days, 51% (1680) originated from a single IP address (202.108.181.70), while 98% of the remaining 1615 addresses were unique. All scanner IPs belong to three Chinese ASes: AS4837 (65.7%), AS4134 (30.5%), and AS17622 (3.8%). TTL analysis of 85 connections shows the scanner IPs are likely spoofed by the GFC: post-scan ping TTLs differed by +1 from the TTLs seen during the scan.
-
The GFC identifies Tor connections via a unique TLS ClientHello cipher list sent by the Tor client. Once DPI boxes detect this fingerprint on outbound traffic, active scanning is initiated within minutes: scanners connect to the suspected bridge and attempt to build a Tor circuit, and, if that succeeds, the IP:port tuple is blocked. This two-stage pipeline (fingerprint → confirm → block) allows dynamic bridge blocking without pre-enumeration.
-
Tor DPI fingerprinting by the GFC is applied exclusively to egress traffic (from inside China to the outside world). Simulated Tor connections between domestic Chinese nodes, and from external nodes connecting inward to a Chinese VPS, attracted zero active scans across multiple experimental runs, indicating the detection infrastructure is positioned on the border for outbound flows only.
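
For the ClientHello cipher-list finding above, this added example (not code from the paper or from Tor) extracts the ordered cipher-suite list from a TLS ClientHello record and compares it with a reference list, which is how a developer can check whether a client's handshake is distinguishable by that field alone. Assumptions: `REFERENCE_LIST` is a constructed placeholder rather than Tor's actual list, the exact order-sensitive match is an assumed rule, and the function names and sample record are hypothetical.

```python
import struct

# Constructed placeholder suite IDs; NOT the cipher list any real Tor version sends.
REFERENCE_LIST = (0xC00A, 0xC014, 0x0039, 0x0035, 0x002F, 0x000A)

def client_hello_ciphers(record: bytes) -> tuple:
    """Return the cipher-suite IDs of a single-record TLS ClientHello, in wire order."""
    try:
        if record[0] != 0x16:                      # 0x16 = handshake record type
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if body[0] != 0x01:                        # 0x01 = ClientHello
            raise ValueError("not a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                               # skip client_version and random
        pos += 1 + hello[pos]                      # skip length-prefixed session_id
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
        if n % 2:
            raise ValueError("odd cipher_suites length")
        return struct.unpack(f"!{n // 2}H", hello[pos + 2:pos + 2 + n])
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def matches_reference(record: bytes, reference=REFERENCE_LIST) -> bool:
    """Assumed matching rule: exact, order-sensitive equality of the suite list."""
    return client_hello_ciphers(record) == tuple(reference)

def build_client_hello(ciphers) -> bytes:
    """Construct a minimal ClientHello record (sample input, no extensions)."""
    suites = struct.pack(f"!{len(ciphers)}H", *ciphers)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"     # version, random, empty session_id
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    same = build_client_hello(REFERENCE_LIST)
    reordered = build_client_hello(tuple(reversed(REFERENCE_LIST)))
    print("identical list matches:", matches_reference(same))
    print("reordered list matches:", matches_reference(reordered))
```

Because the comparison is order-sensitive, a client offering the same suites in a different order no longer matches the reference.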