The Great Firewall (GFW) is the infrastructure that filters and blocks internet traffic to and from China. It is widely known to censor and block access to certain foreign websites from inside China and is thus a frequent accusation point for China critics. It is less known that it also defends Chinese network infrastructure from foreign cyber attacks. This post will not cover any political or ideological topics, but discusses the GFW and the technologies to circumvent it from a network security perspective.

The GFW mainly has three ways to filter and block network traffic: active filtering, active probing, and proxy distribution, among which active filtering is the most widely known. The oldest method is to ban and black-hole certain IP ranges known to host blocked domain names. It is quite unreliable, as IPv4 addresses have become very fragmented these days and content-delivery networks are prevalent. It is largely automated to block IP addresses frequently identified by other methods.

DNS Spoofing, Filtering and Redirection

Because DNS queries are plaintext, they can be spoofed and filtered. DNS requests are analyzed, and the GFW returns an invalid result if a blocked domain name is part of the request. Spoofing DNS traffic is not unique to the GFW, as ISPs around the world collect user access information by spoofing DNS as well. I have written a post on DNS spoofing in the context of ad-blocking. Typical circumvention methods include modifying the Hosts file, typing the IP address instead of the domain name in a web browser, or using DNS over TLS/HTTPS. Note that preventing DNS spoofing does not stop network traffic analysis. Many websites use well-known IP addresses, and the destination IP address field of HTTP/HTTPS requests is plaintext, thus open to traffic pattern analysis. In addition, the public IP of a network is often dynamically obtained via DHCP or statically allocated when the connection is purchased, so ISPs can easily map a public IP to a user and relate HTTP/HTTPS requests to that user. The GFW runs transparent proxies that scan the requested URI, the “Host” header and the content of the web page (for HTTP requests) or the Server Name Indication (for HTTPS requests) for target keywords. Through Deep Packet Inspection (DPI), the GFW is able to detect certain patterns of network traffic that aim to circumvent it. A few simple examples are SSH, VPN, or Tor tunneling. Other less well-understood mechanisms include packet forging and TCP reset attacks (effectively terminating arbitrary TCP connections), and man-in-the-middle attacks with valid certificates.

One can circumvent the GFW by hiding the true intention of the traffic and turning “invalid” network traffic, such as HTTPS requests to a blocked website, into “valid” traffic. This mainly includes two parts: encryption and obfuscation. Encryption aims to hide the content of your network traffic so that third parties cannot analyze or hijack it. It is widely used in modern internet traffic with HTTPS/TLS and VPNs. Obfuscation aims to hide the intent of your network traffic. For example, DPI can easily identify proxied HTTP traffic and IPSec VPN traffic by analyzing packet headers and packet sequences.

Shadowsocks is a secure split proxy based on SOCKS5. The SOCKS protocol operates at OSI Layer 5 (the session layer) and proxies TCP connections to arbitrary destinations via a proxy server. SOCKS5 adds strong authentication to proxy servers and the capability to proxy UDP traffic. Split proxy means the proxy is broken into two parts, local and remote, and the traffic between local and remote is encrypted. For TCP traffic, local initiates and maintains a TCP connection to remote, which establishes and maintains another TCP connection to the true destination. For UDP traffic, remote performs NAT for local besides encryption/decryption. Traffic between local and remote is encrypted with AEAD ciphers, which stands for Authenticated Encryption with Associated Data. AEAD ciphers simultaneously provide confidentiality, integrity, and authenticity. Local is run on the machine originating the traffic, or on the edge gateway of a LAN, where it acts as a transparent proxy for your network. Remote is run outside China and is thus able to access blocked websites. Traffic between local and remote, which traverses the GFW, looks like regular TCP and UDP traffic with an unidentifiable payload, thus circumventing the filtering and spoofing by the GFW. There are other protocols based on the same idea of a split proxy, such as ShadowsocksR (SSR), VMess (used in V2Ray), or Trojan (proxy through TLS).
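To make the local/remote split concrete, here is an added example (my own code, not from the original post or the Shadowsocks project) of what local does with an incoming SOCKS5 CONNECT request before encrypting it for remote: it validates the request per RFC 1928 and rebuilds the target address in the [ATYP][ADDR][PORT] layout that Shadowsocks borrows from SOCKS5. Function names and the sample request bytes are my own constructions.

```python
import ipaddress
import socket
import struct

# Address types shared by SOCKS5 (RFC 1928, section 4) and the Shadowsocks header
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
SOCKS_VERSION, CMD_CONNECT = 0x05, 0x01


def parse_socks5_request(data: bytes):
    """Parse a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT.

    Returns (host, port, bytes_consumed). Raises ValueError on anything
    malformed so local can drop the client instead of forwarding garbage."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here (no BIND/UDP ASSOCIATE)")
    atyp, pos = data[3], 4
    if atyp == ATYP_IPV4 and len(data) >= pos + 4:
        host = socket.inet_ntop(socket.AF_INET, data[pos:pos + 4])
        pos += 4
    elif atyp == ATYP_IPV6 and len(data) >= pos + 16:
        host = socket.inet_ntop(socket.AF_INET6, data[pos:pos + 16])
        pos += 16
    elif atyp == ATYP_DOMAIN and len(data) > pos:
        n = data[pos]
        pos += 1
        if len(data) < pos + n:
            raise ValueError("truncated domain name")
        host = data[pos:pos + n].decode("ascii")
        pos += n
    else:
        raise ValueError("unknown ATYP or truncated address")
    if len(data) < pos + 2:
        raise ValueError("truncated request")
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return host, port, pos + 2


def encode_ss_address(host: str, port: int) -> bytes:
    """Build the Shadowsocks target header [ATYP][ADDR][PORT] that local
    sends to remote inside the AEAD-encrypted stream."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:  # not an IP literal: send as a length-prefixed domain
        raw = host.encode("idna")
        if not 0 < len(raw) < 256:
            raise ValueError("domain must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([atyp]) + addr + struct.pack("!H", port)


if __name__ == "__main__":
    # Constructed sample: a browser asking local to CONNECT example.com:443
    req = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"
    host, port, _ = parse_socks5_request(req)
    print(host, port, encode_ss_address(host, port).hex())
```

Remote reverses this step after decrypting: it reads the same header off the stream, resolves the domain (if any) outside the GFW, and opens the second TCP connection to the true destination.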