DEFENSES
conjure Conjure / refraction-extension
Refraction-networking variant using unused IP space.
2 papers on file
- 2025-alaraj-iran-refraction Measuring Censorship in Iran Using Refraction-based Proxies
- 2019-frolov-conjure Conjure: Summoning Proxies from Unused Address Space
14 findings tagged here
-
Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.
-
Two Iranian ASes apply a protocol allowlist: a flow whose first ~6 packets do not match a known application-layer protocol pattern is dropped, independently of the destination IP. Experiments with fresh /26 phantom subnets showed that prefixing Conjure connections with a plain HTTP GET payload evaded this blocking for four weeks, while TLS ClientHello-prefixed connections were blocked within 72 hours and SSH-prefixed connections within 72 hours of a port rotation. An HTTP GET on port 80 was the only tested prefix that survived the full experiment window.
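A toy model of that allowlist, added here as an illustration; it is not code from either paper and not the censor's actual rules. The three signatures, the six-packet inspection window and the sample flows are this example's own construction.

```go
package main

import (
	"bytes"
	"fmt"
)

// Verdict is the allowlist's decision for a flow.
type Verdict int

const (
	Undecided Verdict = iota
	Allowed
	Dropped
)

func (v Verdict) String() string { return [...]string{"undecided", "allowed", "dropped"}[v] }

// inspectWindow is how many client payload packets the censor looks at before
// giving up on an unclassified flow (about 6, per the measurement above).
const inspectWindow = 6

// classify matches one client payload against three crude protocol signatures.
// Matching is intentionally prefix-only: a real DPI box is more thorough, but the
// decision is still made from the first bytes of the stream.
func classify(payload []byte) string {
	switch {
	case bytes.HasPrefix(payload, []byte("GET ")),
		bytes.HasPrefix(payload, []byte("POST ")),
		bytes.HasPrefix(payload, []byte("HEAD ")):
		return "http"
	case len(payload) >= 6 && payload[0] == 0x16 && payload[1] == 0x03 && payload[5] == 0x01:
		// TLS record: content type handshake (22), version 3.x, handshake type ClientHello (1)
		return "tls"
	case bytes.HasPrefix(payload, []byte("SSH-2.0-")):
		return "ssh"
	}
	return ""
}

// Flow holds the allowlist state for one connection.
type Flow struct {
	packets int
	proto   string
	verdict Verdict
}

// Observe feeds one client-to-server payload and returns the verdict so far.
func (f *Flow) Observe(payload []byte) Verdict {
	if f.verdict != Undecided {
		return f.verdict
	}
	f.packets++
	if f.proto == "" {
		f.proto = classify(payload)
	}
	switch {
	case f.proto != "":
		f.verdict = Allowed // matched once; later opaque bytes are never inspected
	case f.packets >= inspectWindow:
		f.verdict = Dropped
	}
	return f.verdict
}

// RunFlow replays payloads through a fresh Flow and returns the final verdict.
func RunFlow(payloads [][]byte) Verdict {
	var f Flow
	v := Undecided
	for _, p := range payloads {
		if v = f.Observe(p); v != Undecided {
			break
		}
	}
	return v
}

// opaque returns n bytes standing in for Conjure's encrypted transport data
// (constructed: a fixed pattern that matches none of the signatures above).
func opaque(n int) []byte {
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(0x80 + i%64)
	}
	return b
}

var (
	// Constructed flows: six opaque packets (bare Conjure), and the same stream
	// behind a plain HTTP GET or a TLS ClientHello, as in the Iranian experiment.
	bareConjure  = [][]byte{opaque(200), opaque(200), opaque(200), opaque(200), opaque(200), opaque(200)}
	httpPrefixed = append([][]byte{[]byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")}, bareConjure...)
	tlsPrefixed  = append([][]byte{{0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00}}, bareConjure...)
)

func main() {
	fmt.Println("bare Conjure:", RunFlow(bareConjure))
	fmt.Println("HTTP GET prefix:", RunFlow(httpPrefixed))
	fmt.Println("TLS ClientHello prefix:", RunFlow(tlsPrefixed))
}
```

The bare stream is dropped on its sixth packet, while the same bytes behind an HTTP GET are allowed and never inspected again, which is the behaviour the four-week evasion relied on. The TLS-prefixed flow also passes this per-flow check; the blocking within 72 hours reported for it is a slower, separate mechanism, not the first-packets allowlist modelled here.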
-
MCCI (AS197207) blocks proxy IPs proportionally to observed connection volume: the more connections a phantom IP receives, the faster it gets blocked. A controlled experiment with a fresh /27 IPv4 subnet divided into 7 /30 sub-ranges with increasing weights confirmed that higher-weighted subnets were blocked first, demonstrating that the censor infers proxy IP reputation from traffic rate rather than from a static blocklist.
-
Because Oscur0 starts with 0-RTT data and no full handshake, the station-side connection establishment is exposed to replay attacks. Oscur0 mitigates this by including a random 10-byte nonce in the encrypted application data of the first packet; the station checks each arriving nonce against a Bloom filter of recently seen nonces and drops duplicate connections, preventing replay without requiring a full round-trip handshake. A Bloom filter has no false negatives, so a replayed nonce is always rejected, but its small false-positive rate means an occasional legitimate first connection is dropped and the client must retry with a fresh nonce.
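The station-side nonce check, as an added Go example (not Oscur0's own code): the SHA-256 double-hashing scheme, the filter sizing from a target false-positive rate, and the sample nonces are this example's choices.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// NonceLen is the size of the per-connection nonce (10 bytes, as in Oscur0).
const NonceLen = 10

// Bloom is a fixed-size Bloom filter; the k bit positions for an item are
// derived from one SHA-256 by double hashing (h1 + i*h2 mod m).
type Bloom struct {
	bits []uint64
	m    uint64 // number of bits
	k    int    // positions per item
	n    int    // items inserted so far
}

func NewBloom(m uint64, k int) *Bloom {
	return &Bloom{bits: make([]uint64, (m+63)/64), m: m, k: k}
}

func (b *Bloom) positions(item []byte) []uint64 {
	sum := sha256.Sum256(item)
	h1 := binary.BigEndian.Uint64(sum[0:8])
	h2 := binary.BigEndian.Uint64(sum[8:16]) | 1 // odd, so the k positions differ
	pos := make([]uint64, b.k)
	for i := range pos {
		pos[i] = (h1 + uint64(i)*h2) % b.m
	}
	return pos
}

func (b *Bloom) Add(item []byte) {
	for _, p := range b.positions(item) {
		b.bits[p/64] |= 1 << (p % 64)
	}
	b.n++
}

// Test reports whether item may have been added: false is definitive,
// true is correct except with the false-positive probability below.
func (b *Bloom) Test(item []byte) bool {
	for _, p := range b.positions(item) {
		if b.bits[p/64]&(1<<(p%64)) == 0 {
			return false
		}
	}
	return true
}

// FalsePositiveRate is the standard estimate (1 - e^{-kn/m})^k.
func (b *Bloom) FalsePositiveRate() float64 {
	return math.Pow(1-math.Exp(-float64(b.k)*float64(b.n)/float64(b.m)), float64(b.k))
}

// ReplayFilter is the station-side check on the first packet's nonce.
type ReplayFilter struct{ seen *Bloom }

// NewReplayFilter sizes the filter for an expected number of connections at a
// target false-positive rate (m = -n ln p / ln^2 2, k = (m/n) ln 2).
func NewReplayFilter(expected int, fpr float64) *ReplayFilter {
	m := uint64(math.Ceil(-float64(expected) * math.Log(fpr) / (math.Ln2 * math.Ln2)))
	k := int(math.Round(float64(m) / float64(expected) * math.Ln2))
	return &ReplayFilter{seen: NewBloom(m, k)}
}

// Accept returns true and records the nonce on first sight. A repeated nonce
// (a replayed first packet) returns false and the connection is dropped. A false
// positive also returns false, so a legitimate client is occasionally rejected
// and must retry with a fresh nonce; a replay is never let through.
func (r *ReplayFilter) Accept(nonce []byte) bool {
	if len(nonce) != NonceLen || r.seen.Test(nonce) {
		return false
	}
	r.seen.Add(nonce)
	return true
}

// NewNonce draws the client's random nonce.
func NewNonce() ([]byte, error) {
	n := make([]byte, NonceLen)
	_, err := rand.Read(n)
	return n, err
}

func main() {
	rf := NewReplayFilter(1_000_000, 1e-6) // ~3.6 MB of filter for a million connections
	n, _ := NewNonce()
	fmt.Println("first:", rf.Accept(n), "replay:", rf.Accept(n))
	fmt.Printf("estimated false-positive rate after %d nonce(s): %.2g\n", rf.seen.n, rf.seen.FalsePositiveRate())
}
```

A production station would rotate between two filters (or time-bucket them) so that "recently seen" stays bounded and the false-positive rate does not climb as n grows; a single filter, as here, only gets fuller.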
-
Testing from a VPS in Iran showed that standard DTLS handshakes are blocked at that vantage point, but Oscur0 avoids this blocking by transmitting only Application Data packets (with Connection ID extension per RFC 9146) after the initial one-shot setup packet, never completing a visible DTLS handshake. A proof-of-concept was implemented in approximately 600 lines of Go using the pion/dtls library.
-
Oscur0 eliminates Conjure's separate registration phase by steganographically encoding ECDH public key, phantom IP, and transport parameters into the encrypted application data of the first UDP (DTLS 1.2 with Connection ID) packet sent to the phantom IP, using Elligator encoding to make the public key indistinguishable from random bytes. This removes several round trips — registration, TCP handshake, and application handshake — compared to standard Conjure, and means censors cannot block the scheme by blocking registration alone.
-
Registration-dependent Refraction Networking schemes such as Conjure create multiple single points of failure: censors can block registration channels independently of phantom connections. Domain fronting, a primary registration channel, has been progressively banned by major CDNs — Microsoft Azure in 2021 and Fastly in early 2024 — reducing its viability as a covert registration mechanism.
-
Conjure's initial registration step requires the client to connect to an overt website hosted outside the censor's jurisdiction before deriving the phantom (unused) IP address for the actual decoy-routed connection, but CDN traffic localization means this bootstrap connection frequently terminates at a local front-end and never crosses the border. The paper finds that, of India's Alexa top-100 sites, only 23 had any parallel (leaf) HTTP connections terminating outside the country, with a median of just 3 such external leaf connections per site.
-
Across tunnelling systems that apply traffic shaping against ML adversaries, a clear throughput cost emerges: Slitheen + OUStral with WebM replacement achieves up to 2.2 Mbps with 4.7x overhead; Protozoa (WebRTC, end-to-end) achieves up to 1.4 Mbps; DeltaShaper (VoIP) achieves only 7 kbps at 2x overhead. By contrast, Conjure (no traffic shaping) reaches 100 Mbps. Additionally, end-to-middle decoy-routing deployments incur a throughput penalty from packet-boundary parsing at the relay station that end-to-end systems (Protozoa, DeltaShaper) avoid.
-
Conjure achieves 20% lower latency, 14% higher download bandwidth and over 1400 times higher upload bandwidth than TapDance on a 20 Gbps ISP testbed. TapDance upload is throttled to roughly 0.1 Mbps because it must reconnect for every 32 KB sent, whereas Conjure maintains a single persistent connection. At the 99th percentile, Conjure's latency is 281 ms (92%) lower than TapDance's.
-
For IPv4, Conjure derives both the phantom host IP and TCP port from the client's registration seed, making exhaustive scanning infeasible: a censor enumerating from a /10 of potential client source IPs (4 million addresses) against a /16 of phantom IPs (65K addresses) across all 65K ports would require approximately 50 years at 10 Gbps with ZMap. Phantom hosts are additionally firewalled to respond only to the registering client IP, defeating single-vantage-point ZMap scans.
-
IPv6 phantom addresses drawn from an ISP's /32 prefix provide 2^96 potential addresses, making exhaustive enumeration and pre-image attacks computationally infeasible. Analysis of 4013 observed IPv6 addresses in a deployed /32 found approximately 75 bits of entropy (out of a maximum 96), with enough overlap with legitimate address distributions that blocking high-entropy addresses would produce significant collateral damage to real IPv6 services.
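To make the seed-derived phantom selection and the scan-space arithmetic of the two findings above concrete, an added Go example (not Conjure's code): the HMAC-SHA256 derivation and its labels, the sample seed and the sample prefixes are this example's own assumptions, and Conjure's real selection over its weighted phantom subnets differs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"net/netip"
)

// PhantomFromSeed derives a phantom address inside prefix and a TCP port from the
// client's registration seed: the prefix's host bits are replaced by bits of
// HMAC-SHA256(seed, label). Labels and construction are this example's own (assumption).
func PhantomFromSeed(seed []byte, prefix netip.Prefix) (netip.Addr, uint16) {
	prefix = prefix.Masked()
	addr := prefix.Addr().AsSlice() // 4 bytes for IPv4, 16 for IPv6
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte("phantom-addr"))
	rnd := mac.Sum(nil) // 32 bytes, enough for 128 address bits
	for i := range addr {
		var hostMask byte
		for b := 0; b < 8; b++ {
			if i*8+b >= prefix.Bits() { // bit index past the prefix length is a host bit
				hostMask |= 0x80 >> b
			}
		}
		addr[i] = addr[i]&^hostMask | rnd[i]&hostMask
	}
	phantom, _ := netip.AddrFromSlice(addr)
	mac.Reset()
	mac.Write([]byte("phantom-port"))
	port := binary.BigEndian.Uint16(mac.Sum(nil)[:2])
	return phantom, port
}

// HostBits is the number of address bits a scanner must enumerate inside prefix
// (16 for an IPv4 /16, 96 for an IPv6 /32).
func HostBits(prefix netip.Prefix) int {
	return prefix.Addr().BitLen() - prefix.Bits()
}

// ScanSpaceBits is log2 of the (client source IP, phantom IP, port) triples a censor
// must probe when phantom and port depend on the registering client's address:
// sources in a /clientBits, phantoms in an IPv4 /phantomBits, all 2^16 ports.
func ScanSpaceBits(clientBits, phantomBits int) int {
	return (32 - clientBits) + (32 - phantomBits) + 16
}

// ScanYears is the wall-clock time for 2^bits probes at a sustained probe rate.
func ScanYears(bits int, probesPerSecond float64) float64 {
	return math.Exp2(float64(bits)) / probesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	seed := []byte("constructed-32-byte-registration-seed!!!") // constructed sample seed
	v4 := netip.MustParsePrefix("198.18.0.0/16")                // benchmark range standing in for a deployment's /16
	v6 := netip.MustParsePrefix("2001:db8::/32")                // documentation prefix standing in for an ISP's /32
	a4, p4 := PhantomFromSeed(seed, v4)
	a6, p6 := PhantomFromSeed(seed, v6)
	fmt.Printf("IPv4 phantom %s:%d (%d host bits)\n", a4, p4, HostBits(v4))
	fmt.Printf("IPv6 phantom [%s]:%d (%d host bits)\n", a6, p6, HostBits(v6))
	bits := ScanSpaceBits(10, 16)
	// 14.88 Mpps is a 10 GbE link's line rate for minimum-size ZMap probes (assumed rate)
	fmt.Printf("censor scan space: 2^%d probes, %.0f years at 14.88 Mpps\n", bits, ScanYears(bits, 14.88e6))
}
```

ScanSpaceBits(10, 16) returns 54: 2^22 client addresses times 2^16 phantoms times 2^16 ports. At 14.88 Mpps that is about 38 years; the roughly 50 years quoted above corresponds to a rate nearer 11 Mpps, so the exact figure depends on the assumed probe rate, not on the conclusion. The IPv6 call shows why the scan is hopeless there: 96 host bits in a /32 against 16 in an IPv4 /16.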
-
Conjure phantom hosts resist active probing by requiring knowledge of the per-client registration seed before the station responds. A ZMap scan of over 1 billion random IP/port combinations found that 99.4% of responding servers returned no data after a random OSSH-style probe and 7.42% closed the connection with a TCP RST, behaviour indistinguishable from Conjure's OSSH transport, so censors face steep false-positive rates when attempting to identify phantom proxies via active probing.
-
Conjure registration is unidirectional: the client embeds a steganographic ciphertext tag in a complete HTTPS request payload encrypted under a Diffie-Hellman shared secret, and the station passively observes it without sending any reply or spoofing packets. This design makes registration flows indistinguishable from normal HTTPS traffic and enables 25% more viable registration decoys than TapDance by removing the requirement to exclude decoys with short TCP windows or connection timeouts.
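The registration tag described above and Oscur0's first-packet encoding earlier on this page rest on the same primitive: an ephemeral ECDH public key sent in the clear plus parameters encrypted under the derived shared secret. An added Go example of that exchange, both sides (not Conjure's or Oscur0's code): it omits the Elligator step, uses HMAC-SHA256 as the key derivation, invents a 33-byte payload layout, and does not show the tag being carried inside TLS ciphertext; all of these are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/netip"
)

// Registration is what the client wants the station to learn (layout is this example's
// own): a phantom-selection seed, an explicit phantom address as in Oscur0's one-shot
// packet, and a transport identifier. It marshals to 33 bytes.
type Registration struct {
	Seed      [16]byte
	Phantom   netip.Addr
	Transport byte
}

func (r Registration) marshal() []byte {
	a16 := r.Phantom.As16() // IPv4 travels as a v4-mapped IPv6 address
	out := append(append([]byte{}, r.Seed[:]...), a16[:]...)
	return append(out, r.Transport)
}

func unmarshal(b []byte) (Registration, error) {
	if len(b) != 33 {
		return Registration{}, errors.New("bad registration length")
	}
	r := Registration{Phantom: netip.AddrFrom16([16]byte(b[16:32])).Unmap(), Transport: b[32]}
	copy(r.Seed[:], b[:16])
	return r, nil
}

// sessionAEAD runs X25519 between priv and peer and derives an AES-256-GCM key by
// HMAC-SHA256 over a fixed label and the client's public key (stand-in KDF; assumption).
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, clientPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("refraction-registration-example"))
	mac.Write(clientPub)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildTag is the client side: an ephemeral X25519 key agrees a secret with the
// station's long-term public key and the registration is sealed under it.
// Output: clientPub(32) || nonce(12) || ciphertext(33+16). Conjure and Oscur0 pass
// clientPub through Elligator so it looks uniformly random; that step is omitted here.
func BuildTag(stationPub *ecdh.PublicKey, reg Registration) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pub := eph.PublicKey().Bytes()
	aead, err := sessionAEAD(eph, stationPub, pub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(append(pub, nonce...), aead.Seal(nil, nonce, reg.marshal(), pub)...), nil
}

// ParseTag is the station side. It never replies: bytes that do not decrypt are
// ordinary traffic to the decoy and are forwarded untouched.
func ParseTag(stationPriv *ecdh.PrivateKey, tag []byte) (Registration, error) {
	if len(tag) < 32+12+16 {
		return Registration{}, errors.New("not a registration")
	}
	clientPub, err := ecdh.X25519().NewPublicKey(tag[:32])
	if err != nil {
		return Registration{}, err
	}
	aead, err := sessionAEAD(stationPriv, clientPub, tag[:32])
	if err != nil {
		return Registration{}, err
	}
	pt, err := aead.Open(nil, tag[32:44], tag[44:], tag[:32])
	if err != nil {
		return Registration{}, errors.New("not a registration")
	}
	return unmarshal(pt)
}

func main() {
	station, _ := ecdh.X25519().GenerateKey(rand.Reader) // station's long-term key
	reg := Registration{Phantom: netip.MustParseAddr("2001:db8::1"), Transport: 1} // constructed values
	rand.Read(reg.Seed[:])
	tag, _ := BuildTag(station.PublicKey(), reg)
	got, err := ParseTag(station, tag)
	fmt.Printf("tag %d bytes; station recovered %s (err=%v)\n", len(tag), got.Phantom, err)
}
```

Because the station only ever reads, a flow that fails to decrypt is indistinguishable to it from ordinary traffic and gets no reply, which is what makes the registration unidirectional. The omitted Elligator step matters on the wire: without it the 32-byte public key is statistically distinguishable from uniform random bytes, so a censor could flag the tag even though it cannot read it.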