how china detects and blocks shadowsocks
play

How China Detects and Blocks Shadowsocks Alice, Bob, Carol (GFW - PowerPoint PPT Presentation

Jul 07, 2023 •388 likes •593 views

How China Detects and Blocks Shadowsocks Alice, Bob, Carol (GFW Report) Jan Beznazwy Amir Houmansadr (University of Massachusetts Amherst) https://gfw.report/publications/imc20/en/ ACM Internet Measurement Conference 2020 1 Overview The

  1. How China Detects and Blocks Shadowsocks Alice, Bob, Carol (GFW Report) Jan Beznazwy Amir Houmansadr (University of Massachusetts Amherst) https://gfw.report/publications/imc20/en/ ACM Internet Measurement Conference 2020 1

  2. Overview The Great Firewall of China detects and blocks Shadowsocks using a combination of passive traffic analysis and active probing . 2

  3. Shadowsocks Shadowsocks is an encrypted proxy protocol, designed to be difficult to detect. Shadowsocks server Shadowsocks Great Firewall client 3

  4. Active probing 1. Identify possible Shadowsocks connections. 2. Send probes to the server to confirm. Shadowsocks server Shadowsocks Great Firewall client Active prober Active prober 4

  5. Live server experiment ● Run Shadowsocks servers outside China, connect to them from inside. ● Shadowsocks-libev and OutlineVPN. ● September 2019 to January 2020. 5

  6. Server experiment: main observations ● Active probers send a variety of probe types, some using replay and some apparently random. ● Legitimate connections may be stored and replayed days later. ● Non-replay probes have a distinctive distribution of payload lengths. ● Active probes come from thousands of IP addresses. 6

  7. Replay-based probes ● Derived from the first packet in a legitimate connection – perhaps with some bytes changed. 7

  8. 100% Maximum delay: 569.55 h 75% 1 second 10 hours 1 minute 10 days 1 hour 50% 15 minutes 25% First replay All replays Minimum delay: 0.28 s 0% 10 0 10 1 10 2 10 3 10 4 10 5 10 6 8 Delay until replay of legitimate connection (seconds)

  9. Non-replay probes 2000 40 1500 30 Count 1000 20 500 10 0 2210 8 12 16 22 33 41 49 Probe length (bytes) 9

  10. How Shadowsocks servers react to random probes Probe length Implementation & config 1 … 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 … 31 32 33 34 35 … 39 40 41 42 43 … 47 48 49 50 51 … 221 8 TIMEOUT RST TIMEOUT or RST or FIN/ACK Stream 12 TIMEOUT RST TIMEOUT or RST or FIN/ACK Shadowsocks-libev 16 TIMEOUT RST TIMEOUT or RST or FIN/ACK AEAD 16 TIMEOUT RST OutlineVPN AEAD 32 TIMEOUT RST The lengths of non-replay probes align with FIN/ACK thresholds at which servers switch from timing out to closing the connection. 10

  11. Active prober source IP addresses IP address ASN count 175.42.1.21 4837 44 Shadowsocks 223.166.74.207 17621 38 active probes (this work) 113.128.105.20 4134 36 124.235.138.113 4134 36 12128 21721 167 221.213.75.88 4837 33 Various active probes 112.80.138.231 4837 32 (Ensafi et al. 2015) 5 34 895 116.252.2.39 4134 32 Tor active probes 124.235.138.231 4134 32 (Dunna et al. 2018) 221.213.75.126 4837 32 223.166.74.110 17621 31 …12,288 additional rows… 223.166.75.225 17621 1 11 223.166.75.226 17621 1

  12. Shared TCP timestamp sequences 2 32 1000 Hz Replay-based probes Non-replay probes TCP TSval z H 0 2 5 2 31 0 Oct 27 Nov 03 Nov 10 Nov 17 12

  13. Likelihood of replay by entropy Ratio of replay-based probes 0.30% to legitimate connections 0.20% 0.10% 0.00% 0 1 2 3 4 5 6 7 8 Shannon entropy of PSH/ACK packets 13

  14. Active probe length distribution 100% 75% Trigger connections 50% N=942457 Replay-based probes N=3945 25% Non-replay probes N=876 0% 200 400 600 800 1000 Payload length (bytes) 14

  15. Active probe length distribution 100% 16 n + 2 75% 16 n + 9 Trigger connections 50% N=942457 Replay-based probes N=3945 25% Non-replay probes N=876 0% 200 400 600 800 1000 Payload length (bytes) 15

  16. Mitigation and circumvention ● Evade passive traffic analysis (change entropy or packet lengths), or ● Change responses to unauthenticated probes. 16

  17. Brdgrd 25 Prober SYNs per hour Legitimate client connections active 20 15 Brdgrd active 10 5 0 0 50 100 150 200 250 300 350 400 Relative time (hours) 17

  18. How (old) Shadowsocks servers react to random probes Probe length Implementation & config 1 … 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 … 31 32 33 34 35 … 39 40 41 42 43 … 47 48 49 50 51 … 221 8 TIMEOUT RST TIMEOUT or RST or FIN/ACK Stream 12 TIMEOUT RST TIMEOUT or RST or FIN/ACK Shadowsocks-libev 16 TIMEOUT RST TIMEOUT or RST or FIN/ACK AEAD 16 TIMEOUT RST OutlineVPN AEAD 32 TIMEOUT RST FIN/ACK 18

  19. How (new) Shadowsocks servers react to random probes Probe length Implementation & config 1 … 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 … 31 32 33 34 35 … 39 40 41 42 43 … 47 48 49 50 51 … 221 8 TIMEOUT TIMEOUT or RST or FIN/ACK Stream 12 TIMEOUT TIMEOUT or RST or FIN/ACK Shadowsocks-libev 16 TIMEOUT TIMEOUT or RST or FIN/ACK AEAD 16 TIMEOUT OutlineVPN AEAD 32 TIMEOUT 19

  20. Summary ● The Great Firewall of China detects Shadowsocks servers using a combination of passive traffic analysis and active probing. ● Probing is triggered by the first data packet in a TCP connection, and is more likely when the packet has high entropy and certain lengths. ● There are several probe types, some based on replay and some not. ● Probes come from many source IP addresses, but are evidently centrally managed. ● It is possible to mitigate the effects of active probing by altering packet lengths or changing how servers respond to unauthenticated probes. gfw.report@protonmail.com https://gfw.report/publications/imc20/en/ 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Blocks What is syntax (delimiters) Where can blocks be used Scope and blocks Do

Blocks What is syntax (delimiters) Where can blocks be used Scope and blocks Do

Blocks What is syntax (delimiters) Where can blocks be used Scope and blocks Do blocks return a value (use in expressions) Entry point(s) to blocks Exit point(s) from blocks Block syntax and use Typically need start/stop

463 views • 5 slides
Tor and Wikipedia Roger Dingledine The Free Haven Project 1 Motivation China blocks

Tor and Wikipedia Roger Dingledine The Free Haven Project 1 Motivation China blocks

Tor and Wikipedia Roger Dingledine The Free Haven Project 1 Motivation China blocks Wikipedia; Wikipedia blocks Tor edits. Thousands(?) of Tor users would like to edit Wikipedia but can't. (I'm not saying you must allow Tor edits

508 views • 20 slides
The Compiler So Far Scanner Lexical analysis CSC 4181 Detects inputs with illegal

The Compiler So Far Scanner Lexical analysis CSC 4181 Detects inputs with illegal

The Compiler So Far Scanner Lexical analysis CSC 4181 Detects inputs with illegal tokens e.g.: main 5 (); Compiler Construction Parser Syntactic analysis Detects inputs with ill formed parse trees e.g.: missing

577 views • 5 slides
ACTION VERBS FOR INSTRUCTIONAL OBJECTIVES OBSERVING The student detects and records (behaviors)

ACTION VERBS FOR INSTRUCTIONAL OBJECTIVES OBSERVING The student detects and records (behaviors)

ACTION VERBS FOR INSTRUCTIONAL OBJECTIVES OBSERVING The student detects and records (behaviors) attributes (object during experiments) (condition) BEHAVIORS (covert) (covert) detects observes cites records distinguishes perceives

153 views • 4 slides
Ovulona TM predicts & detects ovulation. Showing here AM and PM data in comparison to the

Ovulona TM predicts & detects ovulation. Showing here AM and PM data in comparison to the

Ovulona TM predicts & detects ovulation. Showing here AM and PM data in comparison to the womans BBT. 1 Ovulona TM predicts & detects ovulation accurately 1 st time BBT indicates ovulation has occurred, which needs at least 2 more days

273 views • 3 slides
STARTER PLANT CONCRETE BLOCKS 1 X 8 INCH Quality building blocks are essential in the safe

STARTER PLANT CONCRETE BLOCKS 1 X 8 INCH Quality building blocks are essential in the safe

STARTER PLANT CONCRETE BLOCKS 1 X 8 INCH Quality building blocks are essential in the safe construction process so vibration is used to produce high density solid blocks or hollow blocks with lower water content, high structural strength and

199 views • 3 slides
Ari Strauch Five Blocks Inc. Five Blocks is a technology and digital consulting company

Ari Strauch Five Blocks Inc. Five Blocks is a technology and digital consulting company

Ari Strauch Five Blocks Inc. Five Blocks is a technology and digital consulting company focused on digital reputation management. Ari Strauch Senior Client Manager Five Blocks Inc. Tel: 646.201.9877 Cell: +972.54.632.6896

378 views • 22 slides
Product Overview Detects vehicles in blind spot Wirelessly alerts

Product Overview Detects vehicles in blind spot Wirelessly alerts

Product Overview Detects vehicles in blind spot Wirelessly alerts the rider ( ( Easy installa5on Bicycle: http://www.atlantabike.org/starterbikes Car:

459 views • 11 slides
Similarity Metric Method for Binary Basic Blocks of Cross-Instruction Set Architecture Xiaochuan

Similarity Metric Method for Binary Basic Blocks of Cross-Instruction Set Architecture Xiaochuan

Similarity Metric Method for Binary Basic Blocks of Cross-Instruction Set Architecture Xiaochuan Zhang zhangxiaochuan@outlook.com Artificial Intelligence Research Center, National Innovation Institute of Defense Technology, Beijing, China

635 views • 20 slides
Evaluating Sensitive Question Techniques An Approach that Detects False Positives oglinger 1

Evaluating Sensitive Question Techniques An Approach that Detects False Positives oglinger 1

source: https://doi.org/10.7892/boris.94192 Evaluating Sensitive Question Techniques An Approach that Detects False Positives oglinger 1 Andreas Diekmann 2 Marc H 1 University of Bern, Institute of Sociology, marc.hoeglinger@soz.unibe.ch 2 ETH

482 views • 21 slides
Swift detects only about 5-10 per year. In a few cases, even a prompt slew fails to give an

Swift detects only about 5-10 per year. In a few cases, even a prompt slew fails to give an

Swift detects only about 5-10 per year. In a few cases, even a prompt slew fails to give an X-ray detection, or perhaps a very marginal one (~10-15%; but many of these are amongst the most unambiguously short events!). In cases where

541 views • 17 slides
Tame blocks City, University of London Groups St Andrews, Birmingham August 2017 Blocks G :

Tame blocks City, University of London Groups St Andrews, Birmingham August 2017 Blocks G :

Tame blocks City, University of London Groups St Andrews, Birmingham August 2017 Blocks G : a finite group p : a prime dividing | G | R : a field of characteristic p or a p -adic ring (e.g. the p -adic integers). Blocks G : a

795 views • 41 slides
Blocks Together Peoples Budget Initiative CHICAGO/CENTRAL PARK TIF 1 BLOCKS TOGETHER - PEOPLES

Blocks Together Peoples Budget Initiative CHICAGO/CENTRAL PARK TIF 1 BLOCKS TOGETHER - PEOPLES

Blocks Together Peoples Budget Initiative CHICAGO/CENTRAL PARK TIF 1 BLOCKS TOGETHER - PEOPLES BUDGET INITIATVE | CREATED 08/13/2014 Peoples Budget Initiative The Blocks Together Economic Justice Committee has been working for the past 7

328 views • 11 slides
Cornerstone interlocking blocks for unique childrens forts 6 ? Customer Need No

Cornerstone interlocking blocks for unique childrens forts 6 ? Customer Need No

ORANGE B Cornerstone interlocking blocks for unique childrens forts 6 ? Customer Need No large-scale childrens blocks use a physical interlocking mechanism No current methods to press fit blocks at multiples of 30 degrees

297 views • 7 slides
Qualification Summary for GC/MS Methods DATA QUALIFIER FLAG Detects QUALITY CONTROL Non

Qualification Summary for GC/MS Methods DATA QUALIFIER FLAG Detects QUALITY CONTROL Non

Appendix D ADR Qualification Qualification Summary for GC/MS Methods DATA QUALIFIER FLAG Detects QUALITY CONTROL Non EVALUATION Nondetects SAMPLE(S) QUALIFIED ITEM Biased Biased HOLDING TIMES 1) Holding time exceeded by 2 J J- UJ

184 views • 3 slides
Ancient China Geography China has large mountain ranges. China has large deserts. China has

Ancient China Geography China has large mountain ranges. China has large deserts. China has

Ancient China Geography China has large mountain ranges. China has large deserts. China has large rivers. Natural barriers like mountains, rivers and deserts have isolated China and it has developed without many outside influences. The 1 st

741 views • 37 slides
Project 4: Reliable Networking Slide heritage: Previous TAs Announcements Project 4 has

Project 4: Reliable Networking Slide heritage: Previous TAs Announcements Project 4 has

Project 4: Reliable Networking Slide heritage: Previous TAs Announcements Project 4 has been released I assume youve read the project description Due Friday, April 14th This is a pretty complex project Startearly!

699 views • 26 slides
An Adaptive Window for Stare Processing of Delay Doppler Maps Ben Southwell & Andrew Dempster

An Adaptive Window for Stare Processing of Delay Doppler Maps Ben Southwell & Andrew Dempster

An Adaptive Window for Stare Processing of Delay Doppler Maps Ben Southwell & Andrew Dempster Australian Centre for Space Engineering Research GNSS-R Global Navigation Satellite System Reflectometry (GNSS-R) Bi-static Radar of

271 views • 14 slides
Electrical Properties Influence of Various Parameters Methods of Measurement

Electrical Properties Influence of Various Parameters Methods of Measurement

IIT Bombay 25.10.2018 Lecture No. 23-24 Lecture Name: 26.10.2018 Geomaterial Characterization Sub-topics Electrical Characterization Importance Electrical Properties

692 views • 22 slides
DHP-DHH Interconnect Characterisation Results of Time Domain Reflectometry measurements Philip

DHP-DHH Interconnect Characterisation Results of Time Domain Reflectometry measurements Philip

DHP-DHH Interconnect Characterisation Results of Time Domain Reflectometry measurements Philip Ptsch Interlink Design passive Challenges of Datatransmission 4 Links per Module 1.2 Gbit/s per Link, 8B10B encoded -> 1.6 GHz Clock

332 views • 16 slides
Preparing For a Future Microservices Journey Susanne Kaiser Independent Tech Consultant @suksr

Preparing For a Future Microservices Journey Susanne Kaiser Independent Tech Consultant @suksr

Preparing For a Future Microservices Journey Susanne Kaiser Independent Tech Consultant @suksr @suksr @suksr @suksr Source: http://www.thomasthwaites.com @suksr @suksr Source: http://www.thomasthwaites.com @suksr @suksr Data Store

938 views • 90 slides
Quantum control and semiclassical quantumgravity Lajos Di osi Wigner Centre, Budapest 9 Apr

Quantum control and semiclassical quantumgravity Lajos Di osi Wigner Centre, Budapest 9 Apr

Quantum control and semiclassical quantumgravity Lajos Di osi Wigner Centre, Budapest 9 Apr 2019, Evanston IL National Research Development and Innovation Office Projects 2017-1.2.1-NKP-2017-00001 and K12435 EU COST Action CA15220

617 views • 19 slides
Non-uniqueness of quantization, reality conditions, complex time evolution and coherent state

Non-uniqueness of quantization, reality conditions, complex time evolution and coherent state

Non-uniqueness of quantization, reality conditions, complex time evolution and coherent state transforms Jos e Mour ao Mathematics Department, T ecnico Lisboa Univ Lisboa 9th Mathematical Physics Meeting Belgrade M September

282 views • 26 slides
Quantized cosmological spacetimes and higher spin in the IKKT model Harold Steinacker Department

Quantized cosmological spacetimes and higher spin in the IKKT model Harold Steinacker Department

Quantized cosmological spacetimes and higher spin in the IKKT model Harold Steinacker Department of Physics, University of Vienna ESI Vienna, july 2018 H. Steinacker Quantized cosmological spacetimes and higher spin in the IKKT model Fuzzy S 4

669 views • 44 slides

More recommend