Slide 1

How China Detects and Blocks Shadowsocks

Alice, Bob, Carol (GFW Report), Jan Beznazwy, Amir Houmansadr (University of Massachusetts Amherst)
https://gfw.report/publications/imc20/en/

ACM Internet Measurement Conference 2020

Slide 2

Overview

The Great Firewall of China detects and blocks Shadowsocks using a combination of passive traffic analysis and active probing.

Slide 3

Shadowsocks

Shadowsocks is an encrypted proxy protocol, designed to be difficult to detect.

(Diagram: Shadowsocks client, Great Firewall, Shadowsocks server)

Slide 4

Active probing

(Diagram: Shadowsocks client, Great Firewall with active probers, Shadowsocks server)

  1. Identify possible Shadowsocks connections.
  2. Send probes to the server to confirm.

Slide 5

Live server experiment

  • Run Shadowsocks servers outside China, connect to them from inside.
  • Shadowsocks-libev and OutlineVPN.
  • September 2019 to January 2020.

Slide 6

Server experiment: main observations

  • Active probers send a variety of probe types, some using replay and some apparently random.
  • Legitimate connections may be stored and replayed days later.
  • Non-replay probes have a distinctive distribution of payload lengths.
  • Active probes come from thousands of IP addresses.

Slide 7

Replay-based probes

  • Derived from the first packet in a legitimate connection – perhaps with some bytes changed.

Slide 8

(Figure: cumulative distribution of the delay until a legitimate connection is replayed, on a log scale from 1 second to 10 days, shown for the first replay and for all replays. Minimum delay: 0.28 s. Maximum delay: 569.55 h.)

Slide 9

Non-replay probes

(Figure: histogram of non-replay probe length in bytes against count; the counts concentrate at lengths 8, 12, 16, 22, 33, 41 and 49 bytes, with one bar annotated with a count of 2210.)

Slide 10

How Shadowsocks servers react to random probes

(Table: rows are implementation and config; columns are probe length in bytes, from 1 to 221, with column breaks around 7–24, 31–35, 39–43 and 47–51; cells are TIMEOUT, RST, or FIN/ACK.)
  • Shadowsocks-libev, stream cipher, 8-byte IV: TIMEOUT for the shortest probes, RST for a band of slightly longer probes, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, stream cipher, 12-byte IV: TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, stream cipher, 16-byte IV: TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, AEAD, 16-byte salt: TIMEOUT, then RST.
  • OutlineVPN, AEAD, 32-byte salt: TIMEOUT, then RST.

The lengths of non-replay probes align with thresholds at which servers switch from timing out to closing the connection.

Slide 11

Active prober source IP addresses

IP address        ASN    count
175.42.1.21       4837   44
223.166.74.207    17621  38
113.128.105.20    4134   36
124.235.138.113   4134   36
221.213.75.88     4837   33
112.80.138.231    4837   32
116.252.2.39      4134   32
124.235.138.231   4134   32
221.213.75.126    4837   32
223.166.74.110    17621  31
…12,288 additional rows…
223.166.75.225    17621  1
223.166.75.226    17621  1

(Venn diagram of prober source IP address sets: Shadowsocks active probes (this work), Tor active probes (Dunna et al. 2018), and various active probes (Ensafi et al. 2015); the region sizes shown are 12128, 21721, 167, 895, 5 and 34.)

Slide 12

Shared TCP timestamp sequences

(Figure: TCP TSval, between 2^31 and 2^32, of probe packets against arrival date from Oct 27 to Nov 17; replay-based and non-replay probes fall on shared timestamp sequences advancing at 250 Hz and 1000 Hz.)
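Shared TCP timestamp sequences are what let thousands of source addresses be attributed to a handful of physical probers. As an added example for this page (not the paper's code), the following Python groups observed probe packets by shared TCP timestamp clock: for each candidate tick rate it computes the clock offset TSval − rate·t implied by each packet, keeps addresses whose own packets agree on a single offset, and merges addresses whose offsets coincide. The observations, IP addresses and tick rates are constructed; TSval wraparound at 2^32 is not handled.

```python
"""Attribute active-prober source addresses to shared TCP timestamp clocks.

Added example for this page (not the paper's code). Two addresses whose packets
lie on the same TSval-versus-time line share one clock, i.e. one origin host.
"""
from collections import defaultdict

CANDIDATE_RATES_HZ = (100, 250, 1000)   # common Linux TCP timestamp tick rates


def make_samples():
    """Constructed observations: (source IP, arrival time in seconds, TCP TSval)."""
    samples = []
    # Clock A: 1000 Hz, shared by two source addresses (one host behind two egress IPs).
    for ip, times in (("198.51.100.10", (0.0, 12.5, 40.2)),
                      ("198.51.100.11", (3.1, 20.0, 77.7))):
        for t in times:
            samples.append((ip, t, 1_500_000 + round(1000 * t)))
    # Clock B: 250 Hz, shared by two further addresses.
    for ip, times in (("203.0.113.5", (5.0, 30.0, 61.0)),
                      ("203.0.113.6", (9.9, 48.3))):
        for t in times:
            samples.append((ip, t, 777_000 + round(250 * t)))
    # Clock C: also 1000 Hz but with a different offset, so an unrelated host.
    for t in (2.0, 18.0, 55.5):
        samples.append(("192.0.2.99", t, 42_000_000 + round(1000 * t)))
    return samples


def offsets_at_rate(samples, rate_hz):
    """Per IP, the clock offsets (TSval - rate * t) implied by each of its packets."""
    per_ip = defaultdict(list)
    for ip, t, tsval in samples:
        per_ip[ip].append(tsval - rate_hz * t)
    return per_ip


def infer_shared_clocks(samples, tolerance_ticks=50):
    """Return {rate_hz: [[ip, ...], ...]}: groups of addresses sharing one clock at that rate.

    An address is consistent with a rate only if its own packets agree on a single offset
    (within tolerance_ticks, which absorbs network jitter); addresses whose offsets coincide
    are then merged. TSval wraparound at 2**32 is ignored here.
    """
    result = {}
    for rate in CANDIDATE_RATES_HZ:
        stable = {}
        for ip, offs in offsets_at_rate(samples, rate).items():
            if len(offs) >= 2 and max(offs) - min(offs) <= tolerance_ticks:
                stable[ip] = sum(offs) / len(offs)
        groups, current, last = [], [], None
        for ip, off in sorted(stable.items(), key=lambda kv: kv[1]):
            if last is not None and off - last > tolerance_ticks:
                groups.append(sorted(current))
                current = []
            current.append(ip)
            last = off
        if current:
            groups.append(sorted(current))
        result[rate] = groups
    return result


if __name__ == "__main__":
    for rate, groups in infer_shared_clocks(make_samples()).items():
        print(f"{rate} Hz: {groups}")
```

On the constructed data the two 1000 Hz addresses with the same offset land in one group, the two 250 Hz addresses in another, and the unrelated 1000 Hz host in a group of its own; at a wrong rate an address's own packets disagree on the offset and it is dropped rather than misgrouped. On real captures the tolerance has to be widened to cover path jitter, and packets spanning a TSval wrap need unwrapping first.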

Slide 13

Likelihood of replay by entropy

(Figure: ratio of replay-based probes to legitimate connections, from 0.00% to 0.30%, against the Shannon entropy of PSH/ACK packets, from 1 to 8 bits per byte.)

Slide 14

Active probe length distribution

(Figure: cumulative distribution of payload length in bytes, 0 to 1000, for trigger connections (N=942457), replay-based probes (N=3945) and non-replay probes (N=876).)

Slide 15

Active probe length distribution

(Figure: the same payload-length distribution as slide 14, for trigger connections (N=942457), replay-based probes (N=3945) and non-replay probes (N=876), annotated with the length patterns 16n + 9 and 16n + 2.)

Slide 16

Mitigation and circumvention

  • Evade passive traffic analysis (change entropy or packet lengths), or
  • Change responses to unauthenticated probes.

Slide 17

Brdgrd

(Figure: prober SYNs per hour, 0 to 25, against relative time from 0 to 400 hours, with the periods marked during which brdgrd is active and during which legitimate client connections are active.)

Slide 18

How (old) Shadowsocks servers react to random probes

(Table: rows are implementation and config; columns are probe length in bytes, from 1 to 221; cells are TIMEOUT, RST, or FIN/ACK.)
  • Shadowsocks-libev, stream cipher, 8-byte IV: TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, stream cipher, 12-byte IV: TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, stream cipher, 16-byte IV: TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, AEAD, 16-byte salt: TIMEOUT, then RST.
  • OutlineVPN, AEAD, 32-byte salt: TIMEOUT, then RST.

Slide 19

How (new) Shadowsocks servers react to random probes

(Table: rows are implementation and config; columns are probe length in bytes, from 1 to 221; the RST band is gone.)
  • Shadowsocks-libev, stream cipher, 8-byte IV: TIMEOUT, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, stream cipher, 12-byte IV: TIMEOUT, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, stream cipher, 16-byte IV: TIMEOUT, then TIMEOUT or RST or FIN/ACK.
  • Shadowsocks-libev, AEAD, 16-byte salt: TIMEOUT at every length.
  • OutlineVPN, AEAD, 32-byte salt: TIMEOUT at every length.

Slide 20

Summary

  • The Great Firewall of China detects Shadowsocks servers using a combination of passive traffic analysis and active probing.
  • Probing is triggered by the first data packet in a TCP connection, and is more likely when the packet has high entropy and certain lengths.
  • There are several probe types, some based on replay and some not.
  • Probes come from many source IP addresses, but are evidently centrally managed.
  • It is possible to mitigate the effects of active probing by altering packet lengths or changing how servers respond to unauthenticated probes.

gfw.report@protonmail.com
https://gfw.report/publications/imc20/en/