2020-alice-shadowsocks-detection
How China Detects and Blocks Shadowsocks
core
canonical link → · doi: 10.1145/3419394.3423644
Abstract
We reveal how the GFW detects and blocks Shadowsocks. Detection uses
the length and entropy of the first data packet in each connection;
suspected flows are then confirmed before blocking by seven different
types of active probes, sent in stages to the corresponding servers.
Best Paper Award Runner-up, IMC 2020.
Team notes
The seven-stage probe sequence in this paper IS the canonical CN
active-probing threat model for Shadowsocks-style protocols. Anyone
designing a "Shadowsocks but better" defense should be able to
describe how their server responds to each of the seven probe types.
Reflex's design (server-initiated TLS) is one answer; AnyTLS-style
TLS-in-TLS framing is another.