2020-10-17T00:16:33.0146275642020-10-26T18:44:59.035284151PT7H51M2S78LibreOffice/6.1.5.2$Linux_X86_64 LibreOffice_project/10$Build-2
-12810
1355
31221
42399
view1
false
false
true
true
true
true
false
false
false
1500
false
//////////////////////////////////////////8=
//////////////////////////////////////////8=
false
true
false
0
6
false
true
true
4
0
-11976
-2646
33701
39689
2540
2540
254
254
254
1
254
1
false
1500
false
false
true
$(brandbaseurl)/share/palette%3B$(user)/config/standard.sob
0
$(brandbaseurl)/share/palette%3B$(user)/config/html.soc
$(brandbaseurl)/share/palette%3B$(user)/config/standard.sod
1270
false
en
US
$(brandbaseurl)/share/palette%3B$(user)/config/standard.sog
true
$(brandbaseurl)/share/palette%3B$(user)/config/standard.soh
false
false
true
true
false
true
false
false
true
false
false
false
false
false
$(brandbaseurl)/share/palette%3B$(user)/config/standard.soe
false
4
false
0
low-resolution
Generic Printer
false
lQH+/0dlbmVyaWMgUHJpbnRlcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAU0dFTlBSVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAMAtgAAAAAAAAAIAFZUAAAkbQAASm9iRGF0YSAxCnByaW50ZXI9R2VuZXJpYyBQcmludGVyCm9yaWVudGF0aW9uPVBvcnRyYWl0CmNvcGllcz0xCm1hcmdpbmRhanVzdG1lbnQ9MCwwLDAsMApjb2xvcmRlcHRoPTI0CnBzbGV2ZWw9MApwZGZkZXZpY2U9MApjb2xvcmRldmljZT0wClBQRENvbnRleERhdGEKRHVwbGV4Ok5vbmUAUGFnZVNpemU6TGV0dGVyAAASAENPTVBBVF9EVVBMRVhfTU9ERQ8ARHVwbGV4TW9kZTo6T2Zm
false
6
true
<number>
<number>
<number>
How China Detects andBlocks Shadowsocks
Alice, Bob, Carol (GFW Report)Jan BeznazwyAmir Houmansadr (University of Massachusetts Amherst)
https://gfw.report/publications/imc20/en/
ACM Internet Measurement Conference 2020
Overview
The Great Firewall of China detects and blocks Shadowsocks using a combination of passive traffic analysis and active probing.
Shadowsocks
Shadowsocksis an encrypted proxy protocol, designed to be difficult to detect.
Great Firewall
Shadowsocksclient
Shadowsocksserver
Active probing
Great Firewall
Shadowsocksclient
Shadowsocksserver
Identify possible Shadowsocks connections.
Send probes to the server to confirm.
Active prober
Active prober
Live server experiment
Run Shadowsocks servers outside China, connect to them from inside.
Shadowsocks-libevand OutlineVPN.
September 2019 to January 2020.
Summary of results
Probing is triggered by the first data packet in a TCP connection, and is more likely when the packet has high entropy and certain lengths.
There are several probe types, some based on replay and some not.
Probes come from many source IP addresses, but are evidently centrally managed.
It is possible to mitigate the effects of active probing by altering packet lengths or changing how servers respond to unauthenticated probes.
Code, data, and contact:https://gfw.report/publications/imc20/en/
Presentation video with transcriptsin English and Chinese:https://gfw.report/talks/imc20/en/https://gfw.report/talks/imc20/zh/
Anonymous pad for questions:https://pad.riseup.net/p/imc20-shadowsocks-keep