So it looks like America is going to ban Tiktok. That sounds familiar.
Gents, let me tell you about the greatest war you've never known. On the one side is the entirety of the Chinese communist party, wielding the force of the world's #2 economy. On the other side - a bunch of Chinese nerds who just wanted to watch porn.
----------The Enemy-------------
So one of the "greatest" things China has created is arguably the largest IT infrastructure project in the world - the Great Firewall of China.
No joke - China's probably spent more money and manpower on it than any other infrastructure project in the world.
And it's a $#@!ing banger. It basically walled off every single internet routing node going in and out of China, with a sophisticated series of traffic analyzers and packet-level screeners.
So at first it was a non-issue because every Chinese person just installed or set up their own OpenVPN.
Then the firewall banned OpenVPN, which was like, whatever. OpenVPN traffic is easy to identify anyway.
So the Chinese started obfuscating headers in OpenVPN traffic, which made it difficult to identify. And that was fine, for like 6 months.
----------The Opening Salvo-------------
Then the firewall banned obfuscated OpenVPN traffic. That raised a few eyebrows. Team Nerd thought maybe they were just banning traffic based on ports, since OpenVPN uses a few non-standard ports. So they shifted ports to 443 and 80. Still banned. That was weird, said one of the nerds known only as "Clowwindy". It took a few days, but he theorized the firewall must be capable of deciphering OpenVPN traffic from the TLS handshake. This had implications - it meant the firewall was capable of pattern matching. Clowwindy created a program to deliberately mock up a series of well-designed packets to try to reverse engineer the firewall's pattern matcher. He found a problem - the firewall was capable of identifying all known encryption algos. It wasn't able to decrypt them - but somehow it knew what they were. So he put out a hiring call looking for volunteers who were well versed in cryptography.
Turns out if you drew a venn diagram of Chinese math wizards and Chinese porn addicts, you get a circle. So he put together a team.
They used the PPTP protocol as a basis and began to experiment. First, they tried creating cocktails of known encryption. This would work initially, but it never took the firewall more than a week to adapt and block whatever cocktail they created. And they were running out of ingredients.
Independently, a separate team of Chinese nerds was working on a different approach - by interlacing normal website traffic between encrypted payloads, they hoped to confuse the firewall. It didn't work. The firewall was able to identify which segments were VPN traffic, and killed those. If it couldn't - sometimes it would just cut off the entire session altogether, putting the client into a timeout period. But it was an interesting approach.
The two teams met, and decided to combine their forces for the good of mankind.
They created something wonderful.
----------The First Victory-------------
By using a SOCKS server as an accomplice outside of the firewall, they were able to obfuscate traffic over SSH. The thing is - they found that if you spent too much effort encrypting the traffic, it became counterproductive. Turns out the more you encrypted the traffic, the easier it was for the firewall to find out you were up to something nefarious.
This came as a harsh lesson.
There was another effort spearheaded by like-minded comrades in the West to stick it to the censors, called "The TOR Project". TOR had a protocol called "Pluggable Transport" (PT). It used a patented method called Obfs4 to encrypt and in effect hide its true intentions.
TOR traffic was identified and banned within a few days by the firewall.
Chinese nerds studied TOR's banning like an autopsy. Combined with previous data, they figured out what the firewall was doing, and more importantly, what it was NOT doing. A few months later, they created an open source monster called Shadowsocks.
This was a clever transport mechanism that basically hid VPN traffic in plain sight - mixing in traffic patterns you'd see from a routine SSH remote access session. The bet was the firewall would:
A. Not be able to tell with precision what the payload is
and
B. Not risk banning legitimate SSH remote access, which a lot of legitimate businesses relied on.
He won that bet - for FOUR YEARS.
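The "more encryption is easier to spot" lesson from The First Victory and the Shadowsocks bet that the firewall could not tell payloads apart with precision both turn on what a middlebox can see in a flow's first packet. As an added illustration (not code from this post or from any project it names), here is a toy first-packet classifier: known protocols are recognised by their fixed prefixes, and anything left over is judged by entropy and printable-byte share, so a payload that is encrypted from byte zero stands out precisely because nothing about it is recognisable. The samples and thresholds are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed first-payload samples standing in for the first bytes a middlebox
# sees on a new TCP flow; none of these are real captures.
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    # TLS record header (type 0x16, version 3.1, length 241) + ClientHello head
    "tls": bytes.fromhex("16030100f1010000ed0303") + bytes(235),
    # 512 structureless bytes: what a fully encrypted first packet looks like
    # to a classifier that cannot decrypt it (SHA-256 chain, deterministic)
    "random": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16)),
}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_fraction(data: bytes) -> float:
    """Share of bytes in the printable ASCII range 0x20..0x7e."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)

def classify_first_payload(data: bytes) -> str:
    """Coarse label for a flow's first payload, cheapest check first.

    Known protocols are recognised by a fixed prefix; whatever is left is judged
    by how much visible structure it has. A payload with none (high entropy,
    few printable bytes) is the conspicuous case: unreadable, but visibly so.
    """
    if not data:
        return "empty"
    if data.startswith(b"SSH-"):
        return "ssh-banner"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http-request"
    if printable_fraction(data) > 0.5:
        return "plaintext-like"
    if shannon_entropy(data) > 7.0:  # near the 8-bit ceiling: nothing to pattern-match
        return "fully-encrypted-like"
    return "unknown-binary"

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:7s} H={shannon_entropy(payload):.2f} -> {classify_first_payload(payload)}")
```

The point of the exercise is the last two branches: a classifier that cannot read a byte of the payload can still flag it as "random from the first byte", which is exactly what the protocols above it never look like.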
Project Shadowsocks came out in 2012. It pwned the great firewall all the way up to 2016. In 2015, the man, the legend, Clowwindy, was contacted by the Chinese police and was forced to abandon the project. Clowwindy is still active today on Twitter, so he's still alive, but many have theorized he has now defected to the enemy.
Others took up the mantle, however, and work continued.
----------The Setback-------------
In 2016 Shadowsocks stopped working. Tunnels began to die and become blocked. New tunnels were banned anywhere from a few days to a few hours after being set up.
The conclave of wise nerds theorized the firewall was using some sort of machine learning to train its traffic analyzers, and after four years, they finally had enough training data to accurately pick out Shadowsocks traffic from a police lineup.
Part of the initial bet was that the firewall would not do active probing - that is, randomly initiate TCP/IP connections to map out potential nodes receiving questionable traffic and ban those nodes outright. The reasoning was that the chances of friendly fire - killing legitimate nodes which businesses relied on - were too high. But four years later, there was no friendly fire. The Firewall was able to precisely identify Shadowsocks endpoints.
The war was on again.
Other VPN protocols have also taken a crack at the firewall. A western protocol called WireGuard saw some use in 2017. It was identified and banned after a few months.
This failure was again studied with clinical precision.
Two lessons were learned - rotation and diversification. There was no more point in trying to fool the firewall. It wasn't a stealth mission. It was a timed mission. You had a limited amount of time to do whatever you needed to do before the firewall adapted and caught up. You needed a protocol that was stateless and preferably without a handshake so as to not tip the firewall off on when to start analyzing your traffic.
----------The Comeback-------------
This created a monster called Vmess.
This thing was fierce.
It was:
1. Stateless. It transfers data directly between the client and the server without handshaking. Each transmission has no effect on the transmissions before and after it.
2. Asymmetric. The request from the client and the response from the server can be in different formats.
And it works.
The firewall was blind again. It had no handshake to determine the start or the nature of the traffic, and it wasn't able to match requests to responses since the two were asymmetrical.
Vmess was integrated into a larger project called Project V - which is a comprehensive toolkit composed of a variety of harnesses and variations to support protocols like Vmess - the most popular of which is V2Ray, which is the foundational module for most modern VPN services operating in China.
Project V itself is a self-sustaining opensource framework with a healthy group of contributors constantly improving and enhancing its codebase.
----------The War Goes On-------------
As of now, 2023, Vmess + V2Ray is still working. Occasionally, the firewall will throw a curveball, but the team will adapt and typically come out with zero-day updates to beat it back again.
There are other methods and protocols besides Vmess, like the Trojan Protocol, which focuses more on obfuscation, showing that the scene is more active today than ever before.
But the firewall is also evolving.
It was recently theorized that the firewall was capable of identifying ChaCha20-Poly1305, a robust encryption algorithm created by Google. The firewall has also demonstrated some ability to identify different types of streaming data even when obfuscated. It's suspected the Firewall is a testing ground for quantum cryptography - as there have been some alarming proofs presented demonstrating the firewall's capability to reverse engineer ciphertext and lift certain information from key exchanges.
The war continues.
----------Reading Material-------------
Shadowsocks - Wikipedia (en.wikipedia.org)
VMess | V2Ray Beginner's Guide - step-by-step guide for first-timers using V2Ray (guide.v2fly.org)
GitHub - v2fly/v2ray-core: a platform for building proxies to bypass network restrictions (github.com)
Trojan Documentation - an unidentifiable mechanism that helps you bypass GFW