Since at least as early as November 6, 2021, numerous users reported the blocking of their servers running Shadowsocks and VMess+TCP. Outline lead developer Vinicius also reported “a drop in the opt-in Outline usage metrics in China starting on November 8”. The start of this blocking coincides with the Sixth Plenary Session of the 19th CPC Central Committee (中国共产党第十九届中央委员会第六次全体会议), which was held from November … to November 11, 2021. On November 14, 2021, we confirmed that the Great Firewall (GFW) of China has now been able to inspect and dynamically block any seemingly random traffic in real time.

This capability potentially affects many censorship circumvention protocols that use encryption to appear random, including (but not limited to) VMess+TCP, Obfs4, and the many variants of Shadowsocks. The censor strategically applies this censorship only against connections from China to certain popular VPS providers, possibly to mitigate over-blocking caused by false positives in traffic classification.

In this report, we demonstrate how the GFW identifies and blocks seemingly random traffic and share the code that led to our conclusions. We also offer an effective way to temporarily circumvent the censorship. We then discuss the implications of this blocking incident. To maintain reproducibility and promote transparency, we release all the code we used to reach these findings on GitHub. We also include code in-line throughout this article to help other researchers reproduce our findings. Note that this code is explicitly designed to trigger (or subvert) this new censorship system, so understand the risks before trying any of the examples below yourself.

Our main findings:

- The GFW can now dynamically block any seemingly random data in real time, based purely on passive traffic analysis, without relying on its well-known active probing infrastructure.
- The blocking only targets connections from China to a few popular VPS providers outside of China, including Vultr, AlibabaCloud (Hong Kong and Singapore), and Digital Ocean (San Francisco, New York City). Amazon Lightsail, EC2, and Oracle Cloud are reportedly not affected.
- In many cases, after the TCP handshake, a single data packet containing only 1 byte of payload from client to server is sufficient to trigger blocking.
- Only TCP traffic can trigger and is affected by the blocking. UDP traffic cannot trigger and is not affected by the blocking.
- Once triggered, the GFW drops all C2S (client-to-server) TCP packets having the same (client IP, server IP, server port) for 120 to 180 seconds. S2C (server-to-client) packets are not dropped.
- The blocking can happen on any port from 1 to 65535.
- While the traffic classification appears to be deterministic, the blocking is probabilistic.
- The GFW seems to censor connections whose payload contains less than 70% printable characters.
- The censor uses protocol fingerprinting to exempt connections from blocking if the first several bytes of the payload match common protocols (including TLS, HTTP, and SSH).
- The censor also allows a connection if its first six bytes are non-whitespace printable characters.

[…] divide approaches to censorship circumvention traffic into two types: steganographic and polymorphic (see Section V and Table 3). The goal of steganography is to make circumvention traffic look like allowed traffic; the goal of polymorphism is to make circumvention traffic not look like forbidden traffic. A common way to achieve polymorphism is to fully encrypt the traffic: since fully encrypted traffic presents no plaintext or fixed structures at all, the censor cannot simply identify such traffic with regular-expression rules. This is the approach used by Shadowsocks, VMess, Obfs4, and many other censorship circumvention tools.

Fully encrypted traffic is often referred to as “looks like nothing”, or misunderstood as “having no characteristics”; however, a more accurate description would be “looks like random”. In fact, such traffic does have many characteristics: the data stream possesses high entropy, homogeneously throughout the entire connection, starting from the bytes of the first data packets. Fully encrypted traffic is indistinguishable from random, so one may refer to it as (seemingly) random traffic. In comparison, most protocols that offer encryption, such as TLS, still leave various framing fields unencrypted and can therefore be easily identified; circumvention tools encrypt or otherwise obfuscate these fields.
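To make the classification rules concrete, here is an added example (not code from the report or its authors) that models the exemptions and the 70% printable threshold described above and applies them to constructed sample first packets, alongside a per-byte entropy measure for the "looks like random" property. The protocol prefixes used for TLS, HTTP and SSH and the definition of "printable" (ASCII 0x20 to 0x7E) are assumptions, since the report does not spell them out.

```python
import math

PRINTABLE = frozenset(range(0x20, 0x7F))         # assumption: ASCII space .. '~'
NON_WS_PRINTABLE = frozenset(range(0x21, 0x7F))  # assumption: ASCII '!' .. '~'
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")

def matches_common_protocol(payload: bytes) -> bool:
    """Assumed fingerprints for the protocols the report names: TLS, HTTP, SSH."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return True  # TLS record header: handshake content type, version 3.x
    return payload.startswith(HTTP_PREFIXES) or payload.startswith(b"SSH-")

def printable_fraction(payload: bytes) -> float:
    """Share of bytes that are printable ASCII; the report's threshold is 70%."""
    return sum(b in PRINTABLE for b in payload) / len(payload) if payload else 0.0

def byte_entropy(payload: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 for uniformly random data)."""
    n = len(payload)
    counts = {b: payload.count(b) for b in set(payload)}
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def classify_first_packet(payload: bytes) -> str:
    """Apply the report's exemption rules in order; return 'allow' or 'block'."""
    if matches_common_protocol(payload):
        return "allow"  # exempt: looks like a known protocol
    if len(payload) >= 6 and all(b in NON_WS_PRINTABLE for b in payload[:6]):
        return "allow"  # exempt: first six bytes are non-whitespace printable
    if printable_fraction(payload) >= 0.70:
        return "allow"  # enough printable bytes to not look random
    return "block"  # seemingly random: this is what the report says triggers blocking

# Constructed sample first packets (not captures from the report).
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100050100000100"),
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_8.9\r\n",
    "printable_prefix": b"abcdef" + bytes(range(0x80, 0xC0)),
    "random_like": bytes(range(0x80, 0xFF)),  # no printable ASCII at all
    "one_byte": b"\x00",  # the report: a single byte can be enough
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} entropy={byte_entropy(payload):.2f} "
              f"printable={printable_fraction(payload):.0%} -> {classify_first_packet(payload)}")
```

Feeding a protocol's real first client packet into `classify_first_packet` shows which of the report's exemptions, if any, it would fall under.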