The GFW combines passive and active detection: first it monitors the network for connections that may be Shadowsocks, then sends its own probes to the server (as if it were another user) to confirm its guess. The GFW is known to use active probing against various circumvention tools, and now Shadowsocks is a member of that group as well.

The active probing system sends a variety of probe types. Some are based on replay of previously recorded, genuine Shadowsocks connections, while others bear no apparent relation to previous connections.

Just as in previous research, active probes come from diverse source IP addresses in China, making them hard to filter out. Also as in previous research, network side-channel evidence suggests that these thousands of apparent probers are not independent but are centrally controlled.

Only a small number of genuine client connections (more than 13) suffice to trigger active probing against a Shadowsocks server. The server will continue to be probed as long as legitimate clients attempt to connect to it. The first replay probes usually arrive within seconds of a genuine client connection.

Once active probing has identified a Shadowsocks server, the GFW may block it by dropping future packets sent by the server, either from a specific port or from all ports on the server’s IP address.
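A server operator can recognise the replay-based probes described above by remembering the opening bytes of each connection and flagging any later connection that repeats them. The Python below is an added example, not code from the original page or from any Shadowsocks implementation; the `ReplayDetector` name, the 32-byte salt length (an AEAD cipher whose stream begins with a random salt), the one-hour window and the sample events are all assumptions constructed for illustration.

```python
import hashlib
from collections import OrderedDict

SALT_LEN = 32  # assumption: AEAD cipher whose stream starts with a 32-byte random salt

class ReplayDetector:
    """Remembers the opening bytes of recent connections and flags repeats."""

    def __init__(self, window_seconds=3600.0, max_entries=100_000):
        self.window = window_seconds
        self.max_entries = max_entries
        self.seen = OrderedDict()  # fingerprint -> (first_seen_ts, first_src_ip)

    def _expire(self, now):
        # Entries are inserted in time order, so the oldest is always first.
        while self.seen:
            ts, _ = next(iter(self.seen.values()))
            if now - ts <= self.window and len(self.seen) <= self.max_entries:
                break
            self.seen.popitem(last=False)

    def classify(self, ts, src_ip, first_bytes):
        """Classify one connection as 'short', 'new' or 'replay'."""
        if len(first_bytes) < SALT_LEN:
            return {"verdict": "short"}  # cannot contain a full salt
        fp = hashlib.sha256(first_bytes[:SALT_LEN]).hexdigest()
        self._expire(ts)
        if fp in self.seen:
            first_ts, first_ip = self.seen[fp]
            return {"verdict": "replay", "delay": ts - first_ts,
                    "original_src": first_ip, "same_source": first_ip == src_ip}
        self.seen[fp] = (ts, src_ip)
        return {"verdict": "new"}

def run_sample():
    # Constructed events (timestamp, source IP, first bytes); not captured traffic.
    salt_a = hashlib.sha256(b"constructed-a").digest()
    salt_b = hashlib.sha256(b"constructed-b").digest()
    events = [
        (0.0, "192.0.2.10", salt_a + b"\x01" * 40),       # genuine client
        (2.5, "198.51.100.7", salt_a + b"\x01" * 40),     # same bytes, other source
        (5.0, "192.0.2.10", salt_b + b"\x02" * 40),       # genuine client, fresh salt
        (9.0, "203.0.113.50", b"\x00" * 8),               # too short to hold a salt
        (4000.0, "198.51.100.9", salt_b + b"\x02" * 40),  # repeat after window expired
    ]
    det = ReplayDetector(window_seconds=3600.0)
    return [det.classify(*e) for e in events]

if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The last sample event shows the limit of a time-bounded cache: a repeat that arrives after the window has expired is classified as new, so the window has to cover the longest replay delay the operator expects.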