Clients embed HMAC-derived, time-varying sentinels into the 28-byte random field of the TLS ClientHello message, which decoy routers can scan at line rate. Sentinels are keyed to the current hour and a per-hour sequence number, providing freshness. This covert channel requires no out-of-band signaling and is invisible to passive observers who see only a normal TLS handshake toward the decoy destination.

Decoy routing places the circumvention service at transit routers rather than fixed-IP edge proxies, so the client addresses packets to any reachable decoy destination and the router hijacks the flow on the client's behalf. A single well-placed router may lie on paths to millions of destinations, making circumvention proxies appear ubiquitously deployed from an adversary's perspective. Blocking such a router requires disrupting ordinary traffic for large fractions of the Internet, qualitatively raising the cost of IP-address-based censorship.

§1.2 defense

An adversary aware of a decoy router's location can force decoy-routed flows to be unprocessable by fragmenting all packets below the size of a complete TCP header in the first fragment, preventing flow assignment and forcing the router into expensive reassembly. Alternatively, the adversary can use small-fragment attacks to grow the router's state table, analogous to NAT resource exhaustion. The paper identifies fragmentation-based denial as a harder-to-mitigate attack class than sentinel replay.

§4.2 detection

A preplay attack defeats the TLS-sentinel covert channel: the adversary intercepts each ClientHello, immediately sends a copy to the decoy destination before the client's copy arrives, causing the sentinel to be consumed and poisoned. The client can never establish a decoy routing session while ordinary TLS to the decoy destination continues to work normally, giving the adversary both blocking capability and forensic confirmation that decoy routing was attempted. The paper notes this vulnerability is specific to the TLS sentinel and that alternatives such as port-knocking sentinels may not share it.

§4.1 detection

TCP flow hijacking by the decoy proxy is practical under an asymmetric routing assumption: expected sequence numbers are recoverable from ACK values in client-originated packets alone, so the decoy router need not observe return traffic. The proxy forges a TCP RST to the decoy destination and mimics its TCP options (timestamp, window scale, SACK) to reduce detectability; these options are conveyed encrypted inside the sentinel's 28-byte TLS random field.

§3.3 defense

AnyTLS is a TLS-based proxy protocol maintained by the sing-box team, designed in 2024 and first released in the sing-box dev-next branch. Its core mechanism wraps arbitrary proxy traffic in standard TLS and applies a configurable padding scheme (Padding Scheme) to enhance traffic concealment while maintaining compatibility with standard TLS infrastructure.

2026-anon-anytls-anytls-sing-box-2026 §1.1–1.3 tls-fingerprinttraffic-shapedpi

Obscura's browser-to-browser (B-B) WebRTC connections produce DTLS ClientHello and ServerHello messages indistinguishable from genuine browser traffic: across 100 captured handshakes compared against Facebook Messenger, Google Meet, Discord, and a reference WebRTC app using the dfind tool, no unique identifiers were found in C-C connections, and the sole Firefox-specific fingerprint (ServerHello length 86 bytes, cipher TLS_AES_128_GCM_SHA256, extension field length 46 bytes) matches the default Firefox WebRTC profile — meaning blocking it would also block all legitimate Firefox WebRTC users.

2026-vilalonga-obscura-enabling-ephemeral §5.2 tls-fingerprintdpi

Authoritarian regimes blocked Snowflake primarily through DPI targeting fingerprints in Pion's DTLS handshake and TLS fingerprints in complementary WebRTC protocols, not through ML-based traffic analysis — confirming that cost-effective censors consistently favor simple, deterministic methods over computationally expensive classifiers.

2026-vilalonga-obscura-enabling-ephemeral §1 dpitls-fingerprintactive-probing

The DTLS ClientHello extensions field is the most prominent feature for fingerprinting Snowflake's Pion WebRTC stack. A passive DPI tool (dfind) validated against the MacMillan et al. dataset of 6,500 DTLS handshakes reliably identifies Pion-based implementations via unique extension byte patterns. Chrome randomized its extension list order starting with version 129.0.6668.58 (September 2024), yielding 6! = 720 unique permutations and hardening it against deterministic matching. Firefox adopted DTLS 1.3 by default from version 127 (May 2024), which changes the extension structure entirely and renders DTLS 1.2 mimicry obsolete for Firefox traffic.

2025-midtlien-fingerprint-resistant §3, §4.1 tls-fingerprintdpi

Beyond business-filing cross-references, the paper introduces a method of linking VPN provider families by showing they share VPN server cryptographic credentials (Shadowsocks passwords, server TLS fingerprints) across distinct app identities. This extends prior ownership-attribution methods that relied solely on corporate registry data and code similarity, adding shared live infrastructure as a linkage signal that is harder for operators to obscure.

2025-mixon-baca-hidden §3 (Methodology), §4 tls-fingerprintdpi

MinecruftPT encodes circumvention traffic steganographically inside the Minecraft Java Edition network protocol, making a censored connection appear to a network observer as an ordinary online Minecraft game session. The cover channel is a high-volume, varied-packet-size TCP protocol with a large and active user population, making statistical fingerprinting harder than for lower-volume cover protocols.

2025-tusing-minecraft-tunnels §1, §3 dpitraffic-shapetls-fingerprint