I’ve done so much experimentation with the GFW pre-pandemic while staying in China for extended periods of time. I was always amazed at how quickly they would catch up on my shadowsocks, random ssh tunnels…etc. 48 hours tops before I had to rotate IPs. This report seems to indicate this is now instant?
FWIW, my most reliable trick ended up piggybacking off of a physical line going into Hong Kong from Shenzhen, and when roaming around China, using a VPN to get to that Shenzhen gateway. As far as I can recall, that always worked. This led me to believe that most of the VPN traffic analysis (and blocking) was done at the edge of the GFW and not inside of it. Again, this could be outdated by now.
I remember having to deal with the early GFW about 20 years ago when I was working for a company that had some employees on a site in Shanghai.
Every morning, our colleagues in China would open their mail client and it would connect to our server abroad.
The first person would usually be OK, but for everyone else, the connection would fail.
At the time, almost nothing was known of the GFW and it wasn't as clever as it is now. I found out that the POP connection was quickly blocked after a few minutes, probably triggering some slow firewall rules along the way (it seemed a bit random, so I assumed the firewall setup wasn't unified).
Moving to POPS/SMTPS seemed to improve things for a while, but the connection would still be randomly blocked.
What worked in the end was to use a bunch of random ports instead of the well-known ones to accept POP/SMTP connections on the server, and we never had any issues after that, at least until we changed systems a couple of years later.
Interesting that it's cracking down on Shadowsocks with obfuscation plugins. SS w/ v2ray was more or less the gold standard when I was going there from 2017 to 2019.
Back then, certain times (early June, big government meetings) would see a crackdown on VPNs where, so far as I could tell, they just threw down crude blanket blocks on anything they sorta-kinda knew was a VPN but couldn't procedurally target-block. It would (usually) still connect but be rate-limited to essentially nothingness.
I always got the vibe that they sort of informally tolerated VPNs above a certain threshold of sophistication, figuring that they were more interested in blocking the low-hanging fruit that the unwashed masses could easily use, rather than something more sophisticated that only a few techno-nerds could utilise. As other posters have said, they'd know who was doing it and preferred to come knocking with a rubber hose if those people caused too much in the way of issues.
China doesn't realize how much they are being held back by meaningless investments of time and expertise on this. They spend almost the same %GDP as the US does on the US military as on their internal suppression forces.
Maybe it's good for the world that they burn so much talent and wealth on adding inefficiency to their internal information exchange.
Limited use cases but for moving info in and out of a system like this you should be able to use this https://en.m.wikipedia.org/wiki/Chaffing_and_winnowing
The comments from people obviously never having been into a restricted country are hilarious. There are a few, most likely shadow approved, VPN providers that work. I refuse to believe they are just smarter than the GFW. I am convinced they are sanctioned and monitored. Which is fine if you never have any beef with the government. Which you never know you do until you do.
Stuff like socks5/shadowsocks and wireguard has long been useless. Imagine being in your house, and you want to go out, without anyone seeing you. No matter how well you try, just the attempt itself reveals you are trying - thus you are caught. Same for escaping the GFW. A sanctioned VPN or RDP that stays alive without metering is your best option.
This paper is nice, but it goes over some finer technical things. So, not about the great wall, but there are projects out there, like this one https://github.com/salesforce/ja3 , which talk about how you can fingerprint fully encrypted traffic (TLS/HTTPS). There's a great section in the Readme, "How it works", that goes over it. Would be surprising if the great wall doesn't do this, when some open source firewall will.
The algorithm found seems so unintuitive that I wonder if it was not found by the AI.
"Allow a connection to continue if the first TCP payload (pkt) sent by the client satisfies any of the following exemptions:
Ex1: popcount(pkt) / len(pkt) ≤ 3.4 or popcount(pkt) / len(pkt) ≥ 4.6.
Ex2: The first six (or more) bytes of pkt are [0x20,0x7e].
Ex3: More than 50% of pkt’s bytes are [0x20,0x7e].
Ex4: More than 20 contiguous bytes of pkt are [0x20,0x7e].
Ex5: It matches the protocol fingerprint for TLS or HTTP.
Block if none of the above hold."
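The five exemptions quoted above, written out as a small classifier so you can see which constructed payloads each rule exempts and which fall through to "block". This is an added illustration, not code from the paper or from the GFW: the Ex5 fingerprint (a TLS handshake record header 0x16 0x03 0x0X, or a leading HTTP request method) is a simplified assumption because the paper's exact fingerprints are not quoted in this thread, and every sample payload is constructed by hand rather than captured.

```python
from typing import List, Tuple

# Added illustration of the five exemption rules quoted above; not code from
# the paper or the GFW. The Ex5 fingerprint below is a simplified assumption.

PRINTABLE_LO, PRINTABLE_HI = 0x20, 0x7E

# Assumption: a leading request method is enough to count as "HTTP" for Ex5.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def popcount(data: bytes) -> int:
    """Number of set bits across the whole payload."""
    return sum(bin(b).count("1") for b in data)


def is_printable(b: int) -> bool:
    """Byte is printable ASCII, i.e. in [0x20, 0x7e]."""
    return PRINTABLE_LO <= b <= PRINTABLE_HI


def ex1_bits_per_byte(pkt: bytes) -> bool:
    """Ex1: average set bits per byte outside (3.4, 4.6) is exempted."""
    ratio = popcount(pkt) / len(pkt)
    return ratio <= 3.4 or ratio >= 4.6


def ex2_printable_prefix(pkt: bytes) -> bool:
    """Ex2: the first six bytes are all printable ASCII."""
    return len(pkt) >= 6 and all(is_printable(b) for b in pkt[:6])


def ex3_printable_majority(pkt: bytes) -> bool:
    """Ex3: more than half of the bytes are printable ASCII."""
    return sum(is_printable(b) for b in pkt) / len(pkt) > 0.5


def ex4_printable_run(pkt: bytes) -> bool:
    """Ex4: a run of more than 20 contiguous printable bytes."""
    run = longest = 0
    for b in pkt:
        run = run + 1 if is_printable(b) else 0
        longest = max(longest, run)
    return longest > 20


def ex5_known_protocol(pkt: bytes) -> bool:
    """Ex5 (simplified assumption): TLS handshake record header or HTTP method."""
    tls = len(pkt) >= 3 and pkt[0] == 0x16 and pkt[1] == 0x03 and pkt[2] <= 0x03
    return tls or pkt.startswith(HTTP_METHODS)


RULES = [
    ("Ex1", ex1_bits_per_byte),
    ("Ex2", ex2_printable_prefix),
    ("Ex3", ex3_printable_majority),
    ("Ex4", ex4_printable_run),
    ("Ex5", ex5_known_protocol),
]


def classify(pkt: bytes) -> Tuple[str, List[str]]:
    """Return ('allow', [matching exemptions]) or ('block', []) for a first TCP payload."""
    if not pkt:
        raise ValueError("the rules are defined over a non-empty first payload")
    matched = [name for name, rule in RULES if rule(pkt)]
    return ("allow" if matched else "block", matched)


# Constructed sample payloads (not captured traffic).
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x03])
# Twelve bytes with exactly four set bits each and no printable ASCII: 4.0 bits/byte,
# so it sits inside the (3.4, 4.6) window and matches none of the exemptions.
CIPHERTEXT_LIKE = bytes([0xF0, 0x87, 0xE1, 0x99, 0xC3, 0x0F, 0xB4, 0xD2, 0x1E, 0xAA, 0xCC, 0x96])
# The same filler around a 21-byte printable run: still fails Ex1-3 and Ex5, passes on Ex4 alone.
PRINTABLE_RUN = CIPHERTEXT_LIKE + b"Content-Type: text/ht" + CIPHERTEXT_LIKE

if __name__ == "__main__":
    samples = [("HTTP_GET", HTTP_GET), ("TLS_HELLO", TLS_HELLO),
               ("CIPHERTEXT_LIKE", CIPHERTEXT_LIKE), ("PRINTABLE_RUN", PRINTABLE_RUN)]
    for label, pkt in samples:
        verdict, rules = classify(pkt)
        print(f"{label:16} {verdict:5} {rules}")
```

The two filler-based samples show the trade-off the thread is discussing: a payload that looks like uniformly random ciphertext matches nothing and is blocked, while a short stretch of plaintext inside otherwise random bytes is enough for Ex4 to exempt it. Ex1 is the only rule that depends on the whole payload's statistics; the others are satisfied by a local feature, which is why the authors' own exemptions are described as a bias toward avoiding collateral damage rather than toward catching everything.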
Yeah, already 10-12 years ago it was clear.
My university vpn only worked for a few days while studying in China.
But there is this tiny little VPN software being spread around. Not sure if it's true, but I remember it's Falun Gong teaming up with the CIA. Which at the time was able to go undetected; I think they keep rotating the IPs or something.
It was interesting how fast that tool spread "offline" between international students. Also Chinese have it, but it's less known among them.
Not sure if it still works: https://en.m.wikipedia.org/wiki/Freegate
[Edit] Here is an old HN comment saying it doesn't work anymore and other options that are also hard:
https://en.wikipedia.org/wiki/Domain_fronting was a workaround for a while.
https://signal.org/blog/looking-back-on-the-front/ (2018) https://news.ycombinator.com/item?id=16970199
The exact reverse engineered algorithm of the GFW is on page 4. It looks very reasonable (given what they are trying to achieve with it).
The easiest bypass I can think of would be to tunnel your connections via TLS. For example, a socks server tunneled via SSH, which in turn is tunneled via TLS to your gateway.
Or perhaps you can somehow get your SSH client to transmit "GET " at the beginning of the connection, have the server ignore those 4 bytes, then proceed as usual.
I am a total obfuscation noob. How far does their DPI go? I am guessing Tor and stuff have tried hiding it inside lots of different protocols and file types (I think I read something about that at some point). Is it to the point of hiding it as part of an HTML doc (like under a specific tag or something)? At what point do we move towards having executable JavaScript generate the encrypted text, which is then decrypted?
I recall a Chinese guy telling me he got around it on his PC by setting up a streaming webtop on a VPS on a foreign network that he didn't have issues accessing: https://docs.linuxserver.io/images/docker-webtop
This is such an own goal by China. All this useless work done suppressing the human spirit.
Can you bring a Starlink and then just don't really care?
Seems like UDP is completely exempt, which would allow UDP-based VPNs, like Wireguard through.
SSH is also exempt...
They say UDP is never blocked, so would Wireguard work?
I mentioned this a few years ago (maybe 7-8 years ago) on HN when I was told everyone just uses a VPN. Even back then, the cat and mouse game was annoying. You would purchase a VPN (plenty offered), pay a year subscription, and then it would go dark a couple of weeks later (sort of like a membership at a gym that closes down a week after you renew a year subscription). I gave up quickly on outside access, though we had a line out at work so it wasn’t that bad.
But does the paper imply that something like chunked encoding smuggled HTTP requests with an encrypted payload after the second chunk would work?
That is, assuming entry nodes are available as e.g. nginx proxies inside the Chinese ASNs and are allowed to operate serving websites to ASNs from foreign countries.
I'm mentioning nginx because there were some related bypass vulnerabilities in the past, and one could argue that they just missed updating them.
I always wondered where the talent and technical expertise inside China for manning and refining the GFW comes from and how many people it feeds - it seems at this point like family planning, an agency so big it exists simply to perpetuate and provide livelihood to a host of people. Also how much truth is there to the statement that Cisco helped setup the GFW for China in the 90's?
Would a steganographic hiding of payloads be possible and usably efficient inside permissible content/protocols? Has it been tried?
Given HTTPS traffic is mostly permitted, could one obfuscate VPN traffic over http/3 (which I believe is UDP)?
> 1 security vendor flagged this URL as malicious
https://www.virustotal.com/gui/url/f530591ff939e09c1cf8bc534...
Deeply unethical stuff. Why are Chinese people not currently trying to overthrow this garbage?
The GFW has always been a big issue: first with GitHub, where you can only clone a repo at ~20kb/s, then apt, yum, Homebrew, some of which are ultra slow and some just blocked. Nowadays I have already put a lot of effort into how to bypass it.
As a result of such blocking, I suspect steganographic techniques are only going to become more popular over time.
I wonder what can be done about detecting data hidden within video streams in a steganographic way.
So now we have to embed encrypted traffic in innocuous plaintext envelopes?
It's like the cold war.
With Youtube blocked, the Chinese are not being bombarded with VPN advertisements
What kind of websites does China block?
How long do you figure until the first public execution for using starlink?
And yet we can never cut them off because it would be economic suicide.
https://news.ycombinator.com/ needs a VPN; https://hckrnews.com/ doesn't need a VPN. I use a VPN to write this comment. My VPN is $90/year, paid with USDT. It is good; Netflix/YouTube are fast.
On the other hand, this shows GFW authors are more and more considerate of the collateral damage, which is a surprise. It seems the GFW has indeed become good enough to frustrate casual users to the point of triggering an uproar when Windows Update, or AWS IP ranges, go belly up, or something.
VPN authors should choose the maximum collateral damage strategy to frustrate GFW authors, and make China as close as possible to completely cutting off the outside internet. No need to completely evade fingerprinting; instead, do the complete opposite, and try to mimic common protocols and critical applications as much as possible.
I was wondering about simply using VPNs, which is not mentioned in the article at all, but checking the GFW on Wikipedia, it says:
> The use of VPNs in China can provide individuals access to the international internet, but in China, it can be a potential legal risk. In 2017, the Chinese government declared all unauthorized VPN services to be illegal.[94] An example of the use of this punishment is Vera Zhou, a student at the University of Washington, who, when visiting her Hui parents in Xinjiang, China, used a VPN to access her school homework. She was arrested and sent to a Xinjiang internment camp from October 2017 until March 2018, followed by house arrest after her release. She was not able to return to the US until September 2019.[95][96]