2016-khattak-sok
findings extracted from this paper
-
A naive active-probing resistance scheme that embeds a fixed-length token in the initial request is vulnerable to flow fingerprinting, because the censor can detect connections that always begin with a fixed byte count; pseudo-random padding removes this length-based signature. Separately, obfuscating-service schemes that reveal server aliveness by completing the TCP handshake expose the server IP to enumeration even before the application-layer challenge fires.
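An added illustration of the length signature described above (not code from the paper or from any surveyed system): it compares the first-message sizes an on-path observer would record with and without padding. The 16-byte nonce, the HMAC-SHA256 token, the shared secret and the 255-byte padding bound are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # assumed nonce size
TOKEN_LEN = 32   # HMAC-SHA256 output length
MAX_PAD = 255    # assumed upper bound on padding length


def make_token(secret: bytes, nonce: bytes) -> bytes:
    """Proof of knowledge of the shared secret, bound to a fresh nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def naive_first_message(secret: bytes) -> bytes:
    """Fixed-length form: nonce || token, always 48 bytes on the wire."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + make_token(secret, nonce)


def padded_first_message(secret: bytes) -> bytes:
    """Same token followed by a random-length run of random bytes."""
    pad = secrets.token_bytes(secrets.randbelow(MAX_PAD + 1))
    return naive_first_message(secret) + pad


def server_accepts(secret: bytes, msg: bytes) -> bool:
    """Server check: the token sits at a fixed offset, trailing bytes are ignored."""
    if len(msg) < NONCE_LEN + TOKEN_LEN:
        return False
    nonce = msg[:NONCE_LEN]
    token = msg[NONCE_LEN:NONCE_LEN + TOKEN_LEN]
    return hmac.compare_digest(token, make_token(secret, nonce))


def observed_lengths(builder, secret: bytes, samples: int = 500) -> set:
    """Distinct first-message sizes across many connections (observer's view)."""
    return {len(builder(secret)) for _ in range(samples)}


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample value
    print("naive :", sorted(observed_lengths(naive_first_message, key)))
    print("padded:", len(observed_lengths(padded_first_message, key)), "distinct sizes")
```

The server's verification is unchanged by the padding, so the length signature is removed without weakening the probe check itself.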
-
Of 73 censorship resistance systems surveyed through February 2016, only 11 address the Communication Establishment phase versus 62 for Conversation, even though Tschantz et al. document that real censorship attacks concentrate on Communication Establishment rather than on the Conversation tunnel.
-
Wiley's Bayesian classifier against obfuscated protocols (Dust, SSL, obfs-openssh) found that entropy detection achieved 94% accuracy using only the first packet, timing-based detection achieved 89% accuracy over entire packet streams, and length-based detection achieved only 16% accuracy.
-
The Great Firewall detects Tor bridges through a two-stage active-probing pipeline: GFW DPI first flags a flow as a potential Tor connection, then random Chinese IP addresses initiate Tor handshakes to the suspected bridge; if the handshake succeeds, the bridge IP:port combination is blocked.
-
Anderson's analysis of Iran's network connectivity from January 2010 to 2013 uncovered two extended throttling periods with 77% and 69% decreases in download throughput respectively, plus eight to nine shorter periods; these often coincided with holidays, protest events, international political turmoil, and important anniversaries.