2020-fifield-turbo
findings extracted from this paper
- The dnstt DNS-over-HTTPS tunnel, built on a KCP Turbo Tunnel session layer, achieved download speeds of 130 KB/s using Google and Cloudflare DoH resolvers and 30 KB/s using Quad9, compared to iodine's maximum of 2 KB/s over the same operators' UDP DNS resolvers, an improvement of 15–65×. DNS-over-HTTPS hides message contents from the censor, removing the two main classical DNS tunnel detection vectors: unusual DNS message structure and plaintext tunnel domain names in queries.
- In Iran in 2013, censors dropped or throttled certain TCP connections after 60 seconds, severely disrupting circumvention protocols like obfs4 that fuse session state with a single long-lived TCP connection, while short-lived HTTP connections were largely unaffected. obfs4 has no session concept independent of the underlying TCP connection; when that connection is terminated, all end-to-end state is lost and a new session must restart from scratch.
- Simultaneous upload and download of a 10 MB file took 10.6 s over TCP-encapsulated QUIC, 23.3 s over traditional meek, and 34.9 s over meek with encapsulated QUIC (Table 1), showing that naively adding a QUIC session layer to meek degraded throughput by approximately 50% relative to unmodified meek. Performance was sensitive to HTTP body size limits and request-thread count, but the root cause remained uncertain.
- Geddes et al. demonstrated that acknowledgement packets in covert-channel circumvention systems can be identified through timing characteristics and selectively interfered with to disrupt the tunnel [§4.3, CCS 2013]. A Turbo Tunnel session layer adds fixed-overhead headers and periodic ACK/keepalive traffic that may produce distinctive timing patterns absent in legitimate flows, potentially increasing susceptibility to traffic-shape classifiers.
- Turbo Tunnel inserts an interior session/reliability protocol (KCP or QUIC) between the obfuscation layer and user streams, decoupling end-to-end session state from any single transport connection. A session survives TCP termination, proxy rotation, or unreliable carriers by retransmitting lost packets over a new connection bearing the same session identifier. The pattern was implemented in obfs4, meek, and Snowflake, with Turbo Tunnel–enabled Snowflake shipping in Tor Browser alpha releases 9.5a13 (desktop) and 10.0a1 (Android).
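The session-over-carrier pattern in the last finding, as an added Go example that is not code from the paper or from dnstt, Snowflake, obfs4 or meek. It stands in a toy session layer for KCP/QUIC: packets carry a session ID and a sequence number, the sender keeps unacknowledged packets until the receiver's ACK covers them, and when the censor terminates the first carrier the sender migrates to a second carrier and retransmits what is outstanding under the same session ID. The session ID `0xC0FFEE`, the carrier loss model (`lost`), the synchronous ACK exchange, and the `Demo` scenario (one dropped packet, then the 60 s cutoff from the Iran finding) are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Packet is one session-layer datagram: SessionID names the end-to-end
// session, Seq lets the receiver order data and the sender detect loss.
type Packet struct {
	SessionID, Seq uint32
	Payload        string
}

// Receiver is the far end of the session. It accepts packets from any
// carrier that presents the right session ID.
type Receiver struct {
	sessionID uint32
	got       map[uint32]string // seq -> payload
}

func (r *Receiver) deliver(p Packet) {
	if p.SessionID == r.sessionID {
		r.got[p.Seq] = p.Payload
	}
}

// Acked is the receiver's ACK: the set of sequence numbers it holds.
func (r *Receiver) Acked() map[uint32]bool {
	acks := map[uint32]bool{}
	for seq := range r.got {
		acks[seq] = true
	}
	return acks
}

// Reassemble returns the in-order stream up to the first gap.
func (r *Receiver) Reassemble() string {
	var b strings.Builder
	for seq := uint32(1); ; seq++ {
		payload, ok := r.got[seq]
		if !ok {
			return b.String()
		}
		b.WriteString(payload)
	}
}

// Carrier models one obfuscated transport connection (a single TCP connection
// or proxy). Loss is silent, like a dropped datagram; only termination is
// reported back to the sender.
type Carrier struct {
	lost      map[uint32]bool // constructed fault model: seqs this carrier drops
	closed    bool
	inbox     *Receiver
	Delivered []uint32 // seqs this carrier actually handed to the receiver
}

var errClosed = errors.New("carrier terminated")

func (c *Carrier) Send(p Packet) error {
	if c.closed {
		return errClosed
	}
	if !c.lost[p.Seq] {
		c.inbox.deliver(p)
		c.Delivered = append(c.Delivered, p.Seq)
	}
	return nil
}

// Sender holds the session state that outlives any single carrier.
type Sender struct {
	sessionID, nextSeq uint32
	unacked            map[uint32]Packet
	carrier            *Carrier
}

// Write numbers the payload, records it as unacknowledged, and sends it.
func (s *Sender) Write(payload string) error {
	p := Packet{SessionID: s.sessionID, Seq: s.nextSeq, Payload: payload}
	s.nextSeq++
	s.unacked[p.Seq] = p
	return s.carrier.Send(p)
}

// HandleAck forgets everything the receiver reports as delivered.
func (s *Sender) HandleAck(acks map[uint32]bool) {
	for seq := range acks {
		delete(s.unacked, seq)
	}
}

// Migrate switches to a new carrier and retransmits every outstanding packet
// over it with the unchanged session ID, so the receiver sees one session.
func (s *Sender) Migrate(c *Carrier) error {
	s.carrier = c
	for _, p := range s.unacked { // map order is arbitrary; Seq restores order
		if err := c.Send(p); err != nil {
			return err
		}
	}
	return nil
}

// Demo: one packet is lost on the first connection, the censor terminates
// that connection, and the session continues on a second one. It returns the
// reassembled stream and the seqs the second carrier delivered.
func Demo() (string, []uint32, error) {
	const sid = 0xC0FFEE // constructed session ID
	rx := &Receiver{sessionID: sid, got: map[uint32]string{}}
	first := &Carrier{lost: map[uint32]bool{2: true}, inbox: rx}
	tx := &Sender{sessionID: sid, nextSeq: 1, unacked: map[uint32]Packet{}, carrier: first}

	for _, chunk := range []string{"hello ", "turbo ", "tunnel"} {
		if err := tx.Write(chunk); err != nil {
			return "", nil, err
		}
	}
	tx.HandleAck(rx.Acked()) // seq 2 ("turbo ") is still outstanding

	first.closed = true // censor kills the TCP connection (the 60 s cutoff)
	if err := tx.Write("!"); !errors.Is(err, errClosed) {
		return "", nil, fmt.Errorf("expected carrier termination, got %v", err)
	}

	second := &Carrier{inbox: rx} // nil lost map: drops nothing
	if err := tx.Migrate(second); err != nil { // resends seq 2 and seq 4
		return "", nil, err
	}
	tx.HandleAck(rx.Acked())
	return rx.Reassemble(), second.Delivered, nil
}

func main() {
	stream, seqs, err := Demo()
	fmt.Printf("%q (second carrier delivered seqs %v, err=%v)\n", stream, seqs, err)
}
```

The point to notice is where the state lives: `Sender.unacked` and `Receiver.got` belong to the session, not to a `Carrier`, so closing `first` costs nothing but a retransmission. An obfs4-style design keeps that state inside the connection and has to start over. The model also shows the cost the fourth finding warns about: the ACK exchange and the retransmissions are extra traffic on the carrier, with a shape a classifier can look at.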