We have observed 5 types of active probes:
Probe payload types and censors’ intentions Both modes are susceptible to replay of previously seen authenticated packets, unless separate measures to prevent replay are taken.
#SHADOWSOCKS PROTOCOL PASSWORD#
Both modes are meant to require the client to know the master password before using the server however in Stream mode the client is only weakly authenticated. It has two main operating modes, both keyed by a master password: Stream (deprecated) and AEAD (recommended). Shadowsocks is an encrypted protocol, designed not to have any static patterns in packet contents. We tested servers running both Stream ciphers and AEAD ciphers. Shadowsocks can be configured with different encryption settings. Unless explicitly specified, all clients and servers were used without any modification to their network functions, for example firewall rules. We believe the vulnerabilities we discovered applies to many Shadowsocks implementations and its variants, including OutlineVPN. In most of the experiments, we used shadowsocks-libev v3.3.1 as both client and server, since it is an actively maintained and representative Shadowsocks implementation. Most of the experiments were conducted since the reported large-scale blocking of Shadowsocks starting September 16, 2019. All experiments were conducted between Jand November 11, 2019. We set up our own Shadowsocks servers and connected to them from inside China, while capturing traffic on both sides for analysis. Modifying packet sizes, for example by installing brdgrd on the Shadowsocks server, significantly mitigates active probing by disrupting the first step of classification. The firewall’s initial passive monitoring for suspicious connections is at least partially based on network packet sizes.The degree of blocking of Shadowsocks servers is likely controlled by some human factors during politically sensitive periods of time. Or a server may not be immediately blocked, despite being probed.
Once active probing has identified a Shadowsocks server, the GFW may block it by dropping future packets sent by the server-either from a specific port or from all ports on the server’s IP address. The first replay probes usually arrive within seconds of a genuine client connection. The server will continue to be probed as long as legitimate clients attempt to connect to it. Only a small number of genuine client connections (more than 13) suffice to trigger active probing against a Shadowsocks server. Also as in previous research, network side-channel evidence suggests that these thousands of apparent probers are not independent but are centrally controlled. Just as in previous research, active probes come from diverse source IP addresses in China, making them hard to filter out. Some are based on replay of previously recorded, genuine Shadowsocks connections, while others bear no apparent relation to previous connections. The active probing system sends a variety of probe types. The GFW is known to use active probing against various circumvention tools, and now Shadowsocks is a member of that group as well. The GFW combines passive and active detection: first it monitors the network for connections that may be Shadowsocks, then sends its own probes to the server (as if it were another user) to confirm its guess. The Great Firewall (GFW) has started to identify Shadowsocks servers using active probing. We will continue collaborating with developers to make Shadowsocks and related tools more resistant to blocking. We suggest a workaround-changing the sizes of network packets during the Shadowsocks handshake-that (for now) effectively mitigates active probing of Shadowsocks servers. The blocking of Shadowsocks is likely controlled by human factors that increase the severity of blocking during politically sensitive times. Using measurement experiments, we find that the GFW passively monitors the network for suspicious connections that may be Shadowsocks, then actively probes the corresponding servers to test whether its guess is correct. This report contains preliminary results of research into how the Great Firewall of China (GFW) detects and blocks Shadowsocks and its variants. Since May 2019, there have been numerous anecdotal reports of the blocking of Shadowsocks from Chinese users. Shadowsocks is one of the most popular circumvention tools in China.
0 kommentar(er)
