NetSec ◬ est. February 2019.

Acta #010

2021 January 22
(Shadowsocks) (Censorship)

How China Detects and Blocks Shadowsocks
Internet Measurement Conference (IMC) 2020 [PDF, Info]


Shadowsocks is one of the most popular circumvention tools inChina. Since May 2019, there have been numerous anecdotal reportsof the blocking of Shadowsocks from Chinese users. In this study,we reveal how the Great Firewall of China (GFW) detects and blocksShadowsocks and its variants. Using measurement experiments,we find that the GFW uses the length and entropy of the first datapacket in each connection to identify probable Shadowsocks traffic,then sends seven different types of active probes, in different stages,to the corresponding servers to test whether its guess is correct.

We developed a prober simulator to analyze the effect of differ-ent types of probes on various Shadowsocks implementations, andused it to infer what vulnerabilities are exploited by the censor. Wefingerprinted the probers and found differences relative to previ-ous work on active probing. A network-level side channel revealsthat the probers, which use thousands of IP addresses, are likelycontrolled by a set of centralized structures.

Based on our gained understanding, we present a temporaryworkaround that successfully mitigates the traffic analysis attack bythe GFW. We further discuss essential strategies to defend againstactive probing. We responsibly disclosed our findings and sugges-tions to Shadowsocks developers, which has led to more censorship-resistant tools.

Last Updated on 9 Apr 2021 (CC BY-SA 4.0)