Examining how the Great Firewall discovers hidden circumvention serverscore

GFW probes originate from a dedicated /16 subnet of Chinese IP addresses distinct from ordinary client traffic, and a single suspicious connection can trigger dozens of independent probe connections from different source IPs within the same subnet. Blocking this probe-source range does not prevent blocking — the GFW blocks at a separate decision point — but it does make probe traffic distinguishable from legitimate users.

§4.2 detection active-probing cn

The GFW's active-probing system launches probes at suspected circumvention servers within seconds (typically under 3 minutes) of observing a suspicious connection, making reactive defenses (e.g., delaying or rate-limiting probe responses) insufficient on their own to avoid detection and blocking.

§4 detection active-probingdpi cn

The GFW sends protocol-specific probe payloads tailored to each circumvention tool: Tor bridges receive a TLS ClientHello mimicking Tor's own; obfs2/obfs3 servers receive random-looking payloads; Shadowsocks servers receive random bytes. A server that responds differently to these crafted probes versus innocent traffic (e.g., by sending a valid protocol handshake in response to a probe) reveals itself and is subsequently blocked.

§5 detection active-probingdpi cn