
How China Detects and Blocks Shadowsocks (PowerPoint presentation)



  1. How China Detects and Blocks Shadowsocks. Alice, Bob, Carol (GFW Report), Jan Beznazwy, Amir Houmansadr (University of Massachusetts Amherst). https://gfw.report/publications/imc20/en/ ACM Internet Measurement Conference 2020 1

  2. Overview The Great Firewall of China detects and blocks Shadowsocks using a combination of passive traffic analysis and active probing . 2

  3. Shadowsocks Shadowsocks is an encrypted proxy protocol, designed to be difficult to detect. [Diagram: Shadowsocks client, Great Firewall, Shadowsocks server] 3

  4. Active probing 1. Identify possible Shadowsocks connections. 2. Send probes to the server to confirm. [Diagram: Shadowsocks client, Great Firewall, active probers, Shadowsocks server] 4

  5. Live server experiment ● Run Shadowsocks servers outside China, connect to them from inside. ● Shadowsocks-libev and OutlineVPN. ● September 2019 to January 2020. 5

  6. Server experiment: main observations ● Active probers send a variety of probe types, some using replay and some apparently random. ● Legitimate connections may be stored and replayed days later. ● Non-replay probes have a distinctive distribution of payload lengths. ● Active probes come from thousands of IP addresses. 6

  7. Replay-based probes ● Derived from the first packet in a legitimate connection – perhaps with some bytes changed. 7

  8. [Figure: CDF of the delay between a legitimate connection and its replay, two curves: first replay and all replays. x-axis: delay until replay of legitimate connection (seconds), log scale from 10^0 to 10^6, marked at 1 second, 1 minute, 15 minutes, 1 hour, 10 hours and 10 days; y-axis: 0% to 100%. Minimum delay: 0.28 s. Maximum delay: 569.55 h.] 8
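Slides 7 and 8 show that a replayed probe is a copy of a legitimate connection's first packet, possibly with a few bytes changed, and that the copy can arrive anything from 0.28 s to 569.55 h later. A server can refuse such probes before decrypting anything by remembering the salt/IV that opens every accepted connection and rejecting any later first packet that reuses one. The following is an added example written for this page, not the paper's code and not the code of shadowsocks-libev or OutlineVPN; the 32-byte salt length, the 600-hour retention period and the in-memory dictionary are assumptions chosen for illustration (production servers such as shadowsocks-libev use a Bloom filter for the same job to bound memory).

```python
import hashlib
import os
import time

# Assumed parameters, not taken from the paper: the per-connection salt/IV
# length, and how long a salt is remembered.  The slides report replays up
# to 569.55 h after the original connection, so the window must exceed that.
SALT_LEN = 32
RETENTION_SECONDS = 600 * 3600


class SaltReplayFilter:
    """Remembers the salt/IV of every accepted first packet and rejects a
    later first packet that reuses one, whether or not the bytes after the
    salt were altered.  Replayed probes therefore never reach the decryptor.
    """

    def __init__(self, retention=RETENTION_SECONDS, clock=time.time):
        self.retention = retention
        self.clock = clock
        self._seen = {}  # sha256(salt) -> time the salt was first accepted

    def _evict_expired(self, now):
        cutoff = now - self.retention
        for key in [k for k, seen_at in self._seen.items() if seen_at < cutoff]:
            del self._seen[key]

    def is_fresh(self, first_packet: bytes) -> bool:
        """True if the salt has not been seen within the retention window
        (and record it); False if this looks like a replay.  The caller must
        buffer until at least SALT_LEN bytes have arrived."""
        if len(first_packet) < SALT_LEN:
            raise ValueError("buffer the full salt before checking")
        now = self.clock()
        self._evict_expired(now)
        key = hashlib.sha256(first_packet[:SALT_LEN]).digest()
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def demo():
    """Constructed scenario: a legitimate first packet, an exact replay three
    days later, a replay with the bytes after the salt altered, and finally a
    replay after the retention window has passed."""
    now = [0.0]  # fake clock so the scenario is deterministic
    filt = SaltReplayFilter(clock=lambda: now[0])
    legit = os.urandom(SALT_LEN) + os.urandom(40)
    results = [filt.is_fresh(legit)]            # True: first sighting
    now[0] += 3 * 24 * 3600                     # three days later
    results.append(filt.is_fresh(legit))        # False: exact replay
    mutated = legit[:SALT_LEN] + bytes(b ^ 0xFF for b in legit[SALT_LEN:])
    results.append(filt.is_fresh(mutated))      # False: same salt, tail changed
    now[0] += RETENTION_SECONDS + 1             # beyond the retention window
    results.append(filt.is_fresh(legit))        # True: salt forgotten
    return results


if __name__ == "__main__":
    print(demo())
```

The last step of the scenario is the caveat worth noticing: once a salt is evicted, a replay of that connection is accepted again, so the retention period has to be chosen from the measured delay distribution rather than from convenience, and the filter only helps against replay-based probes; the non-replay probes of slide 9 carry fresh random bytes and are not caught by it.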

  9. Non-replay probes [Figure: histogram of probe length (bytes) against count, two count scales (0 to 2000 and 0 to 40); bars at lengths 8, 12, 16, 22, 33, 41, 49 and 221.] 9

  10. How Shadowsocks servers react to random probes (probe lengths from 1 to 221 bytes; reactions listed in order of increasing probe length)
      Implementation      Cipher   IV/salt length   Reactions as the probe length increases
      Shadowsocks-libev   Stream   8 bytes          TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   Stream   12 bytes         TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   Stream   16 bytes         TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   AEAD     16 bytes         TIMEOUT, then RST
      OutlineVPN          AEAD     32 bytes         TIMEOUT, then RST
      The lengths of non-replay probes align with the thresholds at which servers switch from timing out to closing the connection. 10

  11. Active prober source IP addresses
      IP address        ASN     count
      175.42.1.21       4837    44
      223.166.74.207    17621   38
      113.128.105.20    4134    36
      124.235.138.113   4134    36
      221.213.75.88     4837    33
      112.80.138.231    4837    32
      116.252.2.39      4134    32
      124.235.138.231   4134    32
      221.213.75.126    4837    32
      223.166.74.110    17621   31
      …12,288 additional rows…
      223.166.75.225    17621   1
      223.166.75.226    17621   1
      Comparison with earlier studies of active probing: Shadowsocks active probes (this work); various active probes (Ensafi et al. 2015); Tor active probes (Dunna et al. 2018). Figures on the slide: 12128, 21721, 167, 5, 34, 895. 11

  12. Shared TCP timestamp sequences [Figure: TCP TSval (0 to 2^32, with 2^31 marked; clock rate 1000 Hz) against date, Oct 27 to Nov 17, for replay-based probes and non-replay probes.] 12

  13. Likelihood of replay by entropy [Figure: ratio of replay-based probes to legitimate connections (0.00% to 0.30%) against Shannon entropy of PSH/ACK packets (0 to 8 bits per byte).] 13

  14. Active probe length distribution [Figure: CDF of payload length (bytes, 0 to 1000) for trigger connections (N=942457), replay-based probes (N=3945) and non-replay probes (N=876).] 14

  15. Active probe length distribution [Figure: the same CDF of payload length (bytes, 0 to 1000) for trigger connections (N=942457), replay-based probes (N=3945) and non-replay probes (N=876), with reference lines at lengths 16n + 2 and 16n + 9.] 15
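Slides 13 through 15 name the two first-packet features the firewall appears to key on: the Shannon entropy of the payload and payload lengths of the form 16n + 2 or 16n + 9. The example below, added for this page and not taken from the paper, computes those features for a connection's first packet and shows the mitigation of slide 16 in its simplest form (append padding until the length leaves both residue classes). The HTTP request and the 34-byte "ciphertext" are constructed samples, not captured traffic; the `padding_to_avoid_flagged_length` helper assumes a client that can append padding, which is an assumption and not a Shadowsocks feature.

```python
import math
import random
from collections import Counter

# Length residues that slide 15 singles out in the payload-length distribution.
FLAGGED_RESIDUES = {2: "16n+2", 9: "16n+9"}


def shannon_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0 to 8)."""
    n = len(payload)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


def entropy_ratio(payload: bytes) -> float:
    """Entropy relative to the most a payload of this length can show.

    A short packet cannot reach 8 bits/byte however random it is: with n
    bytes the entropy is capped at log2(n).  Dividing by that cap stops short
    ciphertext packets from looking "low entropy" merely because they are short.
    """
    n = len(payload)
    if n < 2:
        return 0.0
    return shannon_entropy(payload) / min(8.0, math.log2(n))


def length_class(n: int):
    """'16n+2', '16n+9', or None for any other length."""
    return FLAGGED_RESIDUES.get(n % 16)


def first_packet_features(payload: bytes) -> dict:
    """The features of a first data packet that the slides associate with a
    higher chance of the connection being probed."""
    return {
        "length": len(payload),
        "entropy_bits": round(shannon_entropy(payload), 3),
        "entropy_ratio": round(entropy_ratio(payload), 3),
        "length_class": length_class(len(payload)),
    }


def padding_to_avoid_flagged_length(n: int) -> int:
    """Fewest extra bytes that move a length off 16n+2 and 16n+9.
    Assumes the client can append padding (an assumption for illustration)."""
    pad = 0
    while (n + pad) % 16 in FLAGGED_RESIDUES:
        pad += 1
    return pad


# Constructed samples.  The "ciphertext" is 34 distinct byte values in a seeded
# shuffle, so its entropy is exactly the cap for its length; 34 = 16*2 + 2.
PLAINTEXT_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
_values = list(range(34))
random.Random(2020).shuffle(_values)
CIPHERTEXT_LIKE_SAMPLE = bytes(_values)


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE),
                         ("ciphertext-like", CIPHERTEXT_LIKE_SAMPLE)):
        feats = first_packet_features(sample)
        print(name, feats, "padding:", padding_to_avoid_flagged_length(feats["length"]))
```

Two things the numbers make visible: the raw entropy of the 34-byte ciphertext-like sample is only about 5.1 bits/byte (log2(34)), so a fixed threshold near 8 bits would miss exactly the short first packets the probes target, which is why the ratio against the length cap is the more useful feature; and a single byte of padding is enough to leave either flagged residue class, although changing lengths alone does nothing about the entropy feature.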

  16. Mitigation and circumvention ● Evade passive traffic analysis (change entropy or packet lengths), or ● Change responses to unauthenticated probes. 16

  17. Brdgrd [Figure: prober SYNs per hour (0 to 25) against relative time (hours, 0 to 400), with the periods in which legitimate client connections were active and in which Brdgrd was active marked.] 17

  18. How (old) Shadowsocks servers react to random probes (probe lengths from 1 to 221 bytes; reactions listed in order of increasing probe length)
      Implementation      Cipher   IV/salt length   Reactions as the probe length increases
      Shadowsocks-libev   Stream   8 bytes          TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   Stream   12 bytes         TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   Stream   16 bytes         TIMEOUT, then RST, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   AEAD     16 bytes         TIMEOUT, then RST
      OutlineVPN          AEAD     32 bytes         TIMEOUT, then RST 18

  19. How (new) Shadowsocks servers react to random probes (probe lengths from 1 to 221 bytes; reactions listed in order of increasing probe length)
      Implementation      Cipher   IV/salt length   Reactions as the probe length increases
      Shadowsocks-libev   Stream   8 bytes          TIMEOUT, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   Stream   12 bytes         TIMEOUT, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   Stream   16 bytes         TIMEOUT, then TIMEOUT or RST or FIN/ACK
      Shadowsocks-libev   AEAD     16 bytes         TIMEOUT
      OutlineVPN          AEAD     32 bytes         TIMEOUT 19
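For the AEAD rows of slides 10, 18 and 19 the switch from TIMEOUT to RST sits at 34 bytes for a 16-byte salt and 50 bytes for a 32-byte salt. That is the point at which the server has the salt plus the first chunk's 2-byte encrypted length field and its 16-byte tag, so it is the first moment it can check authentication at all; with random probe bytes the check fails, and the old servers closed the connection, while the new ones keep waiting as if the data had not arrived yet. The example below is added for this page and is not the code of shadowsocks-libev or OutlineVPN: it models the server's read loop for both behaviours and reproduces the AEAD rows of the two tables. The tag is a stand-in (a truncated HMAC keyed with SHA-256(psk || salt)) rather than the real HKDF subkey and AES-GCM/ChaCha20-Poly1305, so only the framing and the reaction logic are faithful; the stream-cipher rows are not modelled.

```python
import hashlib
import hmac
import os

# Shadowsocks AEAD framing: a connection opens with a salt, followed by the
# first chunk's encrypted 2-byte length field and the 16-byte tag over it.
# Nothing can be authenticated before salt_len + 18 bytes have arrived.
LENGTH_FIELD = 2
TAG_LEN = 16


def first_chunk_header_len(salt_len: int) -> int:
    return salt_len + LENGTH_FIELD + TAG_LEN


def _length_tag(psk: bytes, salt: bytes, length_field: bytes) -> bytes:
    """Stand-in for the AEAD tag over the length field (toy, not the real
    HKDF subkey and AEAD cipher): truncated HMAC under SHA-256(psk || salt)."""
    subkey = hashlib.sha256(psk + salt).digest()
    return hmac.new(subkey, length_field, hashlib.sha256).digest()[:TAG_LEN]


def make_client_first_bytes(psk: bytes, salt_len: int, payload_len: int) -> bytes:
    """What a legitimate client sends first: salt, length field, tag (toy format)."""
    salt = os.urandom(salt_len)
    length_field = payload_len.to_bytes(LENGTH_FIELD, "big")
    return salt + length_field + _length_tag(psk, salt, length_field)


def server_reaction(psk: bytes, salt_len: int, received: bytes,
                    close_on_failure: bool) -> str:
    """Reaction to the bytes received so far on a fresh connection.

    'TIMEOUT': keep waiting for more data; 'RST': close at once;
    'OK': the first chunk authenticated.  close_on_failure=True models the
    old behaviour (slide 18); False models the new one (slide 19), where an
    authentication failure is handled exactly like not enough data.
    """
    if len(received) < first_chunk_header_len(salt_len):
        return "TIMEOUT"
    salt = received[:salt_len]
    length_field = received[salt_len:salt_len + LENGTH_FIELD]
    tag = received[salt_len + LENGTH_FIELD:salt_len + LENGTH_FIELD + TAG_LEN]
    if hmac.compare_digest(tag, _length_tag(psk, salt, length_field)):
        return "OK"
    return "RST" if close_on_failure else "TIMEOUT"


def reaction_to_random_probes(psk: bytes, salt_len: int, lengths, close_on_failure: bool) -> dict:
    """Map each probe length to the server's reaction to that many random bytes."""
    return {n: server_reaction(psk, salt_len, os.urandom(n), close_on_failure)
            for n in lengths}


if __name__ == "__main__":
    psk = b"constructed-pre-shared-key"  # constructed, not a real key
    for salt_len in (16, 32):
        probes = [salt_len + 17, salt_len + 18, 221]
        print(salt_len, "old:", reaction_to_random_probes(psk, salt_len, probes, True))
        print(salt_len, "new:", reaction_to_random_probes(psk, salt_len, probes, False))
```

The design point is that the failure branch must be indistinguishable from the waiting branch: the connection stays open and is reaped by the same idle timeout a slow legitimate client would hit, so that neither the length at which the server starts checking nor the outcome of the check shows up in its TCP behaviour. Resources still need a bound, which is what the idle timeout provides.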

  20. Summary ● The Great Firewall of China detects Shadowsocks servers using a combination of passive traffic analysis and active probing. ● Probing is triggered by the first data packet in a TCP connection, and is more likely when the packet has high entropy and certain lengths. ● There are several probe types, some based on replay and some not. ● Probes come from many source IP addresses, but are evidently centrally managed. ● It is possible to mitigate the effects of active probing by altering packet lengths or changing how servers respond to unauthenticated probes. gfw.report@protonmail.com https://gfw.report/publications/imc20/en/ 20
