by NullHypothesis

NullHypothesis / brdgrd

Protects Tor bridges from being scanned (and as a result blocked) by GFW probes.

156 Stars 37 Forks Last release: Not found GNU General Public License v3.0 38 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

brdgrd (Bridge Guard)

UPDATE: Rumour has it that brdgrd is no longer working because the GFW seems to do TCP stream reassembly now.

Brdgrd is short for "bridge guard": A small tool that is meant to protect Tor bridges from being scanned (and as a result blocked) by the Great Firewall of China.

Brdgrd runs in user space and makes use of the libnetfilter_queue mechanism (and hence only runs on Linux) to move packets from kernel into user space. Only TCP SYN/ACK segments are passed into user space because brdgrd is only interested in TCP handshakes and not in established connections. Hence, there are virtually no performance implications.

Brdgrd intercepts the SYN/ACK segment that a Tor bridge sends to its client. It then rewrites the TCP window size announced in this segment. The window size is rewritten to a smaller, randomly chosen value. That way, the client "fragments" its cipher list inside the TLS client hello. The GFW will not recognize the cipher list and as a result will not scan the bridge.

Brdgrd needs iptables rules to feed it with data. The following script passes all Tor-related SYN/ACKs to brdgrd:

iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport $TORPORT -j NFQUEUE --queue-num 0

You can compile brdgrd by running

and then start it by running
. Keep in mind that the above iptables rule tries to push SYN/ACKs to userspace. If brdgrd is not running, Tor cannot handle new connections because there is no userspace program to process the SYN/ACK segments.

It is possible to set the

capability for the brdgrd executable so that you do not need root privileges to run the binary:
sudo setcap cap_net_admin=ep ./brdgrd

Please send patches, suggestions, and comments to [email protected]
My OpenPGP fingerprint is:

B369 E7A2 18FE CEAD EB96  8C73 CF70 89E3 D7FD C0D0

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.