2020-alice-shadowsocks-detection
How China Detects and Blocks Shadowsocks
canonical link: doi: 10.1145/3419394.3423644
findings extracted from this paper
The GFW's passive classifier uses two features of the first data packet to flag probable Shadowsocks traffic: (1) high Shannon entropy, where per-byte entropy above roughly 7 bits strongly correlates with replay probability (nearly 4x higher at entropy 7.2 than at 3.0), and (2) a packet length in the range 160–700 bytes with specific remainders mod 16. A single data packet after the TCP handshake is sufficient to trigger the downstream active-probing pipeline.
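As an added illustration (not code from the paper or from any Shadowsocks implementation), the two first-packet features above written as a checker and run over constructed samples. The entropy threshold (~7 bits) and the 160–700 byte range come from the findings; the specific remainders mod 16 are not given here, so `remainders_mod16` is an assumed parameter that defaults to accepting every remainder.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD_BITS = 7.0   # per-byte entropy above ~7 bits is the strong signal
LENGTH_RANGE = (160, 700)      # first-packet length range (bytes), inclusive


def shannon_entropy_bits(data: bytes) -> float:
    """Per-byte Shannon entropy in bits: 0.0 for empty/constant input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def first_packet_features(payload: bytes, remainders_mod16=frozenset(range(16))) -> dict:
    """Evaluate the two passive features on the first data packet after the handshake.

    remainders_mod16 is an assumption: the specific remainders are not listed here,
    so the default accepts every remainder and only the 160-700 range is enforced.
    """
    entropy = shannon_entropy_bits(payload)
    length = len(payload)
    high_entropy = entropy > ENTROPY_THRESHOLD_BITS
    length_feature = (LENGTH_RANGE[0] <= length <= LENGTH_RANGE[1]
                      and length % 16 in remainders_mod16)
    return {"entropy_bits": entropy, "length": length, "high_entropy": high_entropy,
            "length_feature": length_feature, "flagged": high_entropy and length_feature}


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) standing in for a ciphertext packet."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a plaintext HTTP request (174 bytes, inside the length range but
# low entropy) and a 645-byte ciphertext stand-in (645 % 16 == 5, inside the range).
PLAINTEXT_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n"
                  b"Accept-Language: en-US,en;q=0.9\r\nAccept-Encoding: gzip, deflate\r\n"
                  b"Connection: keep-alive\r\n\r\n")
CIPHERTEXT_LIKE = pseudo_random_bytes(645)

if __name__ == "__main__":
    for name, pkt in (("plaintext HTTP", PLAINTEXT_HTTP), ("ciphertext-like", CIPHERTEXT_LIKE)):
        f = first_packet_features(pkt)
        print(f"{name:16s} len={f['length']:4d} H={f['entropy_bits']:.2f} bits flagged={f['flagged']}")
```

The plaintext request sits inside the length window yet is not flagged, which is the point of the entropy feature; the ciphertext stand-in clears both features, and a shorter one (below 160 bytes) is exempt on length alone.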
The GFW's active probers originate from thousands of distinct IP addresses, but a network-level side-channel (shared IP ID counter sequences) reveals they are controlled by a small number of centralized structures. Probe delay from legitimate connection to first active probe can be as short as 0.28 seconds, ruling out any reactive defense that relies on out-of-band blocking before probes arrive.
Once passive analysis flags a connection, the GFW sends seven distinct active probe types in staged sequence: five replay-based (R1–R5, where R1 is an identical replay and R2–R5 alter specific byte offsets to attack stream vs. AEAD cipher variants) and two non-replay random-length probes (NR1, NR2). The system operates in stages: R3/R4/R5 probes are withheld until the server responds to R1/R2, meaning a server with replay protection (like Shadowsocks-libev ≥ v3.3.1) never receives stage-2 probes, while one without (original OutlineVPN) escalates to full probing.