bbs copied to clipboard
Large scale blocking of TLS-based censorship circumvention tools in China
Starting from October 3, 2022 (Beijing Time), more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked. The TLS-based circumvention protocols that are reportedly blocked include trojan, Xray, V2Ray TLS+Websocket, VLESS, and gRPC. We have not received any report of the blocking of naiveproxy though.
Below are a summary of this blocking event and our conjuncture.
The blocking is done by blocking the specific port that the circumvention services listen on. When the user change the blocked port to a non-blocked port and keep using the circumvention tools, the entire IP addresses may get blocked. It is worth noting that their domain names are not added to GFW's DNS or SNI blacklists.
While most of the users report their port 443 got blocked, a few users reported that their non-443 port on which circumvention services listen got blocked as well. While most of the blocked servers are in some popular VPSes providers' datacenters (for example, the bandwagonhost), at least one user reported the blocking of a server in residential network in Europe.
In a few cases (not all cases), the blocking seems to be dynamic because the web browser could still access their circumvention ports but not the circumvention tools did not work.
All these observations above strongly indicate that the GFW can indeed accurately identify and block the circumvention services, rather than simply block the port 443, or block the popular VPS providers.
Based on the information collected above, we suspect, without empirical measurement yet, that the blocking is possibly related to the TLS fingerprints of those circumvention tools. Perhaps developers want to look into uTLS. One may also find this paper reading group, this summary, and this post on TLS fingerprint helpful.
We will investigate if the GFW indeed uses the TLS fingerprints sent by these clients to identify circumvention protocols. At the same time, if you have any server being blocked, or if you have any evidence that can corroborate or falsify our hypothesis, we courage you to share your comments publicly or privately. Our private contact information can be found at the footer of GFW Report.
自北京时间2022年10月3日起,超过一百名用户报告他们至少有一台基于TLS的翻墙服务器被封锁了。被封锁的服务器使用的协议包括了trojan,Xray,V2Ray TLS+Websocket,VLESS,以及gRPC。我们还未收到任何naiveproxy被封锁的消息。
下一步,我们将调查GFW是否真的使用了客户端发出的TLS指纹来识别这些协议。与此同时,如果您有任何翻墙服务器被封锁,或者有任何可以证实或反驳我们的推测的例子,我们都欢迎您或公开地或私下地与我们分享。因为这会帮助我们快速定位许多问题的根源。我们私下的联系方式可见GFW Report的页脚。
I never used port 443, my non-443 port still got blocked, but sometimes I can still access it (lagging, sometimes with interruptions)
The ladder [circumvention tool] gets disrupted intermittently, but fortunately the server is not banned by the GFW.
Is it possible to argue that the current behavior pattern of GFW has evolved based on Occam's Razor to the point of "being able to identify TLS-based wall protocols" or "Ban any protocol as long as there is a long period of heavy traffic with multiple IP connections from outside the country"?
It's true that since yesterday the airport I use has been dropping connections frequently and needs to be reconnected
My server has ngnix as a frontend application but it still got blocked, which is enough to show that TLS fingerprints are not the key. Do not embarrassingly boast about naiveproxy. If you need stability, you'd better use a CDN to relay the traffic; if you need speed, you'd better use hy. BTW, VPSes that uses tuic and hy have not been observed to be banned.
TLS 指纹识别的是客户端,即 TLS 会话是否是由翻墙软件作为客户端发起的,而非看连接到的是什么服务器。
My server has ngnix as a frontend application but it still got blocked, which is enough to show that TLS fingerprints are not the key.
TLS fingerprinting identifies the client, i.e. whether the TLS session was initiated by the wall-jumping software as a client, rather than looking at what server is connected to.
我的翻墙服务器(用的trojan + fallback 443端口被封禁,但是浏览器同时也无法访问443端口
My wall server ( with trojan + fallback port 443 is blocked, but the browser can't access port 443 at the same time
I think this is an indiscriminate 443 port blocking, offshore servers with high traffic and long connection durations are in this range
I base this on:
In this year, I often encounter a phenomenon: a long time (4 or 5 hours) using port 22 ssh to connect to their own server without building any wall tools, the next day this server's IP is banned
So I now use ssh protocol to access the server will use a proxy to avoid the server is misunderstood
I have 5 servers (vless+tls), only two Tencent Lightweight Cloud was spared, also to some extent explains what
Can we assume that GFW has entered the 2.0 era, no longer analyzing specific protocols, but rather conducting data statistics through some kind of self-learning AI to cut across the most likely part of imported traffic that is wall traffic, while domestic servers like Tencent Lightweight Cloud are spared because they do not meet the condition of overseas servers
Even if my guess is wrong, this kind of intelligent analysis of traffic procedures can be achieved, only need to keep scoring the results manually to train (as far as I understand, many tls-based servers that have deployed wall-jumping programs will place a disguised web page, because many users will use github ready-made scripts to build, and the disguised web page deployed through these scripts can be completely manually recognized)
When using ssh, if the domain name is encrypted at the same time, the stability is greatly improved.
Very interesting finding, thanks for sharing.
If naiveproxy is indeed not blocked, it would be consistent with the theory that it may be TLS fingerprinting, as it uses the Chrome stack and doesn't have a distinguishable fingerprint.
我的翻墙服务器(用的trojan + fallback 443端口被封禁,但是浏览器同时也无法访问443端口
My wall server ( with trojan + fallback port 443 is blocked, but the browser can't access port 443 at the same time
我前置nginx stream分流trojan回落到9100端口,node_exporter的端口,但是只能http+443在浏览器访问到9100内容,https则是ERR_CONNECTION_CLOSED(因为前置分流的nginx没有监听443 ssl,使用了sni_preread缘故),担心迟早被封,能否让回落的http网站upgrade到https连接
I front nginx stream shunt for trojan fallback to port 9100--node_exporter port, but only http + 443 in the browser can access the 9100 content, https is ERR_CONNECTION_CLOSED (because the front shunt nginx does not listen ssl protocol for port 443, cause using the sni_preread reason), worried about sooner or later blocked, how to fallback http site upgrade to https connection
BTW: 顺带给GFW的贡献者送上一个fuck!
Is it possible to focus on all those data centers and providers are identified, theoretically mass filtering TLS/HTTPS is not very realistic.
BTW: Incidentally, send a "fuck" to GFW contributors!
It may be unrelated to port number: the ports used by my airports are all above 20000. Approximately one third of them got banned, and the ones that were not banned experienced high rates of packet drops.
I don't know, I installed an apache, then enabled the h2c module, and then let 443 fallback to 80 on it
Greetings, Lumière Élevé here. We have recently got into contact with some Chinese TLS-based proxy operators (VMess, VLESS, Trojan, etc), who have recently had their servers blocked in China only on IPv4. The tiny open-source community I'm in operates a small custom CDN (HTTPS enforced), recently receiving a similar ban as well, but without having any proxy ever run on them. We decided to investigate ourselves by cooperating with the proxy operators in China, while also running tests from said CDN servers. The blocks we received didn't match your description, which says the same ports are only inaccessible when connecting from a proxy client. But rather, all connections to our specific IPv4 addresses get dropped on all of our tested ISPs (China Mobile, China Unicom and China Telecom), regardless of port number or underlying protocol used (TCP, UDP, ICMP); meanwhile, all IPv6 addresses of the same servers remained untouched. Knowing the protocol doesn't affect the resulting behaviour, we first staged a test sending UDP packets back and forth. UDP packets sent to the blocked IPv4 address could be received as normal, while the replies were all dropped. Then we got on route tracing, confirming that the packets sent back to China were only dropped when exiting their global Internet exchange. If we didn't have our CDN servers blocked, we may never look into this problem, seek help and cooperate with the proxy operators. The Chinese proxy operators got their servers from popular cloud providers like Vultr, while the CDN servers we maintain are directly leased from server dealers, most of them had no connection with popular cloud providers. We didn't know precisely how the servers got blocked in the first place, the only resemblance is that we all have enabled TLS. If GFW specifically targets proxy operators by fingerprint, why the heck did a small CDN running only web servers, get caught in the crossfire???
Greetings, Lumière Élevé here. We have recently got into contact with some Chinese TLS-based proxy operators (VMess, VLESS, Trojan, etc), who have recently had their servers blocked in China only on IPv4. The tiny open-source community I'm in operates a small custom CDN (HTTPS enforced), recently receiving a similar ban as well, but without having any proxy ever run on them. We decided to investigate ourselves by cooperating with the proxy operators in China, while also running tests from said CDN servers. The blocks we received didn't match your description, which says the same ports are only inaccessible when connecting from a proxy client. But rather, all connections to our specific IPv4 addresses get dropped on all of our tested ISPs (China Mobile, China Unicom and China Telecom), regardless of port number or underlying protocol used (TCP, UDP, ICMP); meanwhile, all IPv6 addresses of the same servers remained untouched. Knowing the protocol doesn't affect the resulting behaviour, we first staged a test sending UDP packets back and forth. UDP packets sent to the blocked IPv4 address could be received as normal, while the replies were all dropped. Then we got on route tracing, confirming that the packets sent back to China were only dropped when exiting their global Internet exchange. If we didn't have our CDN servers blocked, we may never look into this problem, seek help and cooperate with the proxy operators. The Chinese proxy operators got their servers from popular cloud providers like Vultr, while the CDN servers we maintain are directly leased from server dealers, most of them had no connection with popular cloud providers. We didn't know precisely how the servers got blocked in the first place, the only resemblance is that we all have enabled TLS. If GFW specifically targets proxy operators by fingerprint, why the heck did a small CDN running only web servers, get caught in the crossfire???
Is the IP address of the blocked server outside of China? I suspect that in sensitive times, China will block all foreign servers on port 443 indiscriminately, and then unblock them after a period of time Meanwhile, an old GFW program is still running in parallel, identifying and blocking traffic, so some users have reported that servers using ports other than 443 will still be blocked
At the same time, I was thinking that if a foreign server has been maintaining a high traffic, long time connection with a single Chinese IP, and no long time, high traffic transmission with other Chinese IPs, this feature is likely to have been learned by GFW and applied to blocking, ignoring any protocol, encryption
本人4年前租赁了一个VPS,IP地址最后一次变更是在20个月之前。 前天(10月3日)上午十二点左右突然发现VPS上配置的V2ray服务无法连接(Vmess+tls+ws+nginx+formal website, without CDN)
于是开始排查错误,首先尝试使用22端口登录ssh,未见22端口的限制。 本人先更换掉了v2ray使用的一个老域名,尝试配置使用一个新域名来排除域名封禁。 然后尝试使用Chrome直接HTTPS访问代理监听的二级域名,Nginx反代中针对非websocket协议访问配置的重定向生效了,直接301重定向到了主域名,且检查Nginx访问日志能看到请求。(由此本人误以为中游连接没有问题,于是开始排查上游服务器端)
此处有一个细节,即本人在调整服务器端V2ray配置的时候,由于Nginx和V2ray的端口在调整之初未能统一,因此Nginx错误日志中能够看见有很多Upstream Connect Refused报错。
后来将端口统一过后,服务器端错误消失不见,访问日志再也看不到请求,连接仍未恢复。推测Nginx服务器一开始能够收到来自客户端的请求(在返回的是HTTP 502时),但之后(理应返回正常的数据时)其请求的返回包被强行丢弃,GFW的残留审查继续维持了对源端口的封禁。那么也印证了或许GFW真的能够根据某些特征对流量进行过滤
然而,针对客户端和服务端的多次排错均未发现问题,于是又开始怀疑是否是连接问题,恰巧本人的一位朋友也反映了这个情况,印证了本人的猜想。 于是本人同时更换了协议和链接端口。(Trojan + tls + nginx) 服务暂时恢复正常。
数小时过后,Trojan端口被封锁。但ssh直连仍未受影响,表明服务器未被封锁。这与您的描述 “如果用户在端口被封后,改换了端口,那么整个服务器都会被封锁” 不符。
迫于无奈,本人启用了弃用的SSR进行临时链接(auth_chain_a协议 + plain混淆 + chacha20加密),服务暂时恢复正常(证实防火长城此次针对的确实是TLS协议)
再次建立起链接后,本人尝试将代理监听的二级域名通过Cloudflare CDN代理以绕过封锁,事实证明该方法到现在为止都可行。(证实此次封锁只针对部分IP地址和端口,而非针对域名)
To share my case (perhaps it will help the investigation).
I leased a VPS 4 years ago and the IP address was last changed 20 months ago. The day before yesterday (October 3) at about 12:00 am suddenly found that the V2ray service configured on the VPS could not be connected (Vmess+tls+ws+nginx+formal website, without CDN)
So I started to troubleshoot the error, and first tried to use port 22 to log in to ssh, but I did not see the port 22 restriction. I first replaced an old domain name used by v2ray and tried to configure a new domain name to exclude domain blocking. Then I tried to use Chrome direct HTTPS access proxy listening to the secondary domain, Nginx anti-generation for non-websocket protocol access configured redirection took effect, directly 301 redirected to the main domain, and check the Nginx access logs can see the request. (Thus I mistakenly thought that there was no problem with the midstream connection, so I started troubleshooting the upstream server side)
There is a detail here, that is, I am adjusting the server-side V2ray configuration, because the Nginx and V2ray ports at the beginning of the adjustment failed to unify, so the Nginx error log can see a lot of Upstream Connect Refused errors.
Later, after the ports were unified, the server-side errors disappeared and the access logs no longer saw requests, but the connection was still not restored. Presumably the Nginx server was able to receive requests from the client at first (when it returned HTTP 502), but then (when it should have returned normal data) its return packets were forcibly discarded, and GFW's residual review continued to maintain the blocking of the source port. Then it also confirms that perhaps GFW is really able to filter traffic based on certain characteristics
However, for the client and server side of the multiple debugging did not find the problem, so began to wonder whether it was a connection problem, coincidentally, a friend of mine also reported the situation, confirming my suspicions. So I changed both the protocol and the link port. (Trojan + tls + nginx) The service was back to normal for a while.
A few hours later, the Trojan port was blocked. However, the ssh direct link remained unaffected, indicating that the server was not blocked. This does not match your description "If a user changes the port after it has been blocked, then the entire server is blocked".
As a last resort, I enabled the deprecated SSR for temporary links (auth_chain_a protocol + plain obfuscation + chacha20 encryption) and the service was temporarily restored to normal (confirming that Firewall was indeed targeting the TLS protocol this time)
After re-establishing the link, I tried to bypass the blocking by passing the proxy listening to the second-level domain through the Cloudflare CDN proxy, which proved to be feasible so far. (confirmed that this blocking is only for some IP addresses and ports, not for domains)
The last doubt is that the website on my server is not rudimentary, on the contrary, there are many services running on the secondary domain (V2ray included) and a content-filled blog running on the primary domain. If it is really active detection, I am not so sure about it.
Hope this helps with the investigation.
There is evidence both for and against the hypothesis of TLS fingerprinting in this thread.
- A web browser can access the circumvention server's port, but a circumvention client program cannot. comment
- trojan, Xray, V2Ray TLS+Websocket, VLESS, and gRPC are affected, but naiveproxy is not. comment
- Neither trojan nor a web browser can access the circumvention server port. comment
- Of 5 vless+tls servers, 3 were blocked and 2 were not. comment
- A CDN with diverse non-circumvention clients was blocked comment
Of course, there can be more than one thing happening. It may be simultaneously true that connections are being blocked by TLS fingerprint, and that there is some kind of flow-based access pattern analysis to identify TLS proxies.
Is it possible to argue that the current behavior pattern of GFW has evolved based on Occam's Razor to the point of "being able to identify TLS-based wall protocols" or "Ban any protocol as long as there is a long period of heavy traffic with multiple IP connections from outside the country"?
I think this is an indiscriminate 443 port blocking, offshore servers with high traffic and long connection durations are in this range
There is some research on detecting proxies based on common access patterns by clients. This research paper from 2018 uses spectral clustering of an access pattern graph in an attempt to distinguish proxy users from non–proxy users. See Sections 3.2 and 3.4.B. The target of the paper is web proxies, but the technique could be applied to other kinds of proxies.
A Web Proxy Detection Method based on Multiple Feature Analysis
DOI: 10.19363/J.cnki.cn10-1380/tn.2018.07.04
The paper gives a rationale for clustering access patterns:
我们的假设是, 使用代理的用户的行为是相似的, 他们有一些固有的访问模式。也就是说, 用户倾向于寻求更高效的代理服务器, 他们通过代理服务更愿意访问那些仅能通过代理才能够使用的服务。当某个代理服务不起作用时, 代理用户会寻求其他的代理服务。
Our hypothesis is that users using proxies behave similarly, and that they have some inherent access patterns. That is, users tend to seek more efficient proxies, and they prefer to access services that can only be used through proxies. When a proxy service does not work, proxy users will seek other proxy services.
I am not claiming that something like this is happening in this case, only saying that there is some evidence of it being researched.
我有4台vps,只有一台常用的被封了443端口,之后又在这台常用的vps上架设了tuic,6小时内被封8443端口,只看了youtube视频 所有的vps都只有我一个人在用,没有与任何人共享 我个人总结,根据你的流量和连接时长来封禁的
I have 4 vps, only one commonly used. one was blocked on port 443, after that and setting up tuic on this commonly used vps, within 6 hours port 8443 was blocked, only watched youtube videos All vps are only used by me, not shared with anyone My personal summary, blocking is according to your traffic and connection length
During a sudden change like this, circumvention tool developers have an advantage over the GFW: agility: In the short term, you can change the protocol faster than the GFW can react. The GFW has, no doubt, been planning today's blocking of TLS-based circumvention tools for weeks or months; it will likely not be able to do another such large-scale action without more planning and coordination. By acting quickly, you can perhaps keep the advantage during this time of intensified blocking. We already have the first necessary element, which is quick awareness of the problem. Now we can try countermeasures, for example tweaking the TLS fingerprint as @gfw-report suggested.
According to the paper, the restriction is applied based on the clients(or the users) themselves' common features. Thus, it should be approved that there are "some features" that only belong to the proxy client.
For the realistic problems, at least everyone can use a large public CDN server to mix the data amongest the others' and using some tricks of Firewall to prevent GFW from active detecting. (Like using a specific UA, for a instance, change "Chrome" to "Chremo" and filtering based on the UA) GFW can do nothing about this unless they decides to block the CDN server.
According to the paper, the restriction is applied based on the clients(or the users) themselves' common features. Thus, it should be approved that there are "some features" that only belong to the proxy client.
If I understand the paper correctly, the shared features among users are only their access patterns. Two users are similar if they access similar destinations. However there is another component to the system, which is is crawling and extracting features from web pages, such as whether the URL has a certain structure, whether there is a form
on the page, etc. Clustering only tells you which users are similar; you also need a separate source of features to know which destinations are proxies. In the case of TLS-based circumvention proxies, those other features could be some of the things people have suggested: TLS fingerprint, connection duration, ratio of clients to servers, etc.
My personal commonly used vps, using vmess+ws+tls. It has been running normally for 2 years and has not been blocked before. However, in the past two days, port 443 has been blocked twice. It is shown that it was blocked for a while and then unblocked, and then blocked again within a few hours. Only 443 ports are blocked, 80 and other ports are connected normally.
10 VPSes with vmess+tls+web, disguised station with the web site, currently unharmed.
After reading source code of v2ray, it seems TLS fingerprint feature was a experimental feature in 2019, but it was then removed for unknown reason.
Xray have at least implemented uTLS, but it was not enabled by default. I guess that is the reason why v2ray based client was banned.
SS-AEAD、Trojan 存活情况要比 VMESS+ANY+TLS 好的多,统计了十几台各个国家地区的服务器,VMESS 这边仅剩几个北美的服务器存活,而 SS-AEAD、Trojan 基本上都存活下来了。
不只是 443 被封锁,使用非标准端口,一样被封锁。443 不是神,在 GFW 面前任何端口都没有区别。
我在 10 月 2 日就观察到了被封锁现象,不只是 10 月 3 日,但是大规模封锁是在 10 月 3 日中午。10 月 2 日的封禁方式是封锁该 IP 的全部协议,10 月 3 日则大多表现为只封禁端口,而不封锁整个IP。在 10 月 2 日后侥幸存活下来的服务器,大多都采用封禁端口的形式。即使更换端口,虽然短时间可以连通,但是会在几个小时内,端口继续被封禁。
而将这些服务器转而使用 VMESS+ANY,即不加 TLS,则可以正常使用不会被封禁。自 10 月 3 日至今,这些不使用 TLS 的 VMESS 服务器仍然存活。也有部分服务器使用了 Trojan,目前也是存活完好。
有理由怀疑,VMESS 的 TLS 在实现方式上是不是有特征可供利用。
完全解释不通 Trojan TLS 基本不会被封锁的现象,均使用了相同的 v2ray 核心,以及大多数人使用 Clash 核心作为客户端。
截至到 22-10-16 这些 Trojan 服务器也被封锁,即使添加回落等方式。
SS-AEAD and Trojan survive much better than VMESS+ANY+TLS. After counting a dozen servers from various countries, only a few North American servers survive on the VMESS side, while SS-AEAD and Trojan basically survive.
Not only 443 is blocked, but also when using non-standard ports. 443 is not a god, and no port makes any difference in front of GFW.
I observed the blocking phenomenon on October 2, not just October 3, but at noon on October 3. The blocking method on October 2 was to block all protocols of the IP, while on October 3 it was mostly to block the port but not the whole IP. Even if the ports were changed, they could be connected for a short time, but within a few hours, the ports would continue to be blocked.
If these servers are switched to VMESS+ANY, i.e. without TLS, they can be used normally without being blocked. Since October 3, these VMESS servers without TLS are still alive. There are also some servers that use Trojan, but they are still alive and well.
It is reasonable to wonder if there are features in VMESS's TLS implementation that could be exploited.
It does not make sense at all that Trojan TLS would be largely unblocked, all use the same v2ray core, and most use the Clash core as a client.
As of 22-10-16, these Trojan servers have also been blocked. Even adding fallbacks etc.
SS-AEAD、Trojan 存活情况要比 VMESS+ANY+TLS 好的多,统计了十几台各个国家地区的服务器,VMESS 这边仅剩几个北美的服务器存活,而 SS-AEAD、Trojan 基本上都存活下来了。
不只是 443 被封锁,使用非标准端口,一样被封锁。443 不是神,在 GFW 面前任何端口都没有区别。
我在 10 月 2 日就观察到了被封锁现象,不只是 10 月 3 日,但是大规模封锁是在 10 月 3 日中午。10 月 2 日的封禁方式是封锁该 IP 的全部协议,10 月 3 日则大多表现为只封禁端口,而不封锁整个IP。在 10 月 2 日后侥幸存活下来的服务器,大多都采用封禁端口的形式。即使更换端口,虽然短时间可以连通,但是会在几个小时内,端口继续被封禁。
而将这些服务器转而使用 VMESS+ANY,即不加 TLS,则可以正常使用不会被封禁。自 10 月 3 日至今,这些不使用 TLS 的 VMESS 服务器仍然存活。也有部分服务器使用了 Trojan,目前也是存活完好。
有理由怀疑,VMESS 的 TLS 在实现方式上是不是有特征可供利用。
完全解释不通 Trojan TLS 基本不会被封锁的现象,均使用了相同的 v2ray 核心,以及大多数人使用 Clash 核心作为客户端。
SS-AEAD and Trojan survive much better than VMESS+ANY+TLS. After counting a dozen servers from various countries, only a few North American servers survive on the VMESS side, while SS-AEAD and Trojan basically survive.
Not only 443 is blocked, but also when using non-standard ports. 443 is not a god, and no port makes any difference in front of GFW.
I observed the blocking phenomenon on October 2, not just October 3, but at noon on October 3. The blocking method on October 2 was to block all protocols of the IP, while on October 3 it was mostly to block the port but not the whole IP. Even if the ports were changed, they could be connected for a short time, but within a few hours, the ports would continue to be blocked.
If these servers are switched to VMESS+ANY, i.e. without TLS, they can be used normally without being blocked. Since October 3, these VMESS servers without TLS are still alive. There are also some servers that use Trojan, but they are still alive and well.
It is reasonable to wonder if there are features in VMESS's TLS implementation that could be exploited.
It does not make sense at all that Trojan TLS would be largely unblocked, all use the same v2ray core, and most use the Clash core as a client.
Unfortunately, my wall server uses the trojan protocol, which is also blocked, and browser access is not available
SS-AEAD、Trojan 存活情况要比 VMESS+ANY+TLS 好的多,统计了十几台各个国家地区的服务器,VMESS 这边仅剩几个北美的服务器存活,而 SS-AEAD、Trojan 基本上都存活下来了。
不只是 443 被封锁,使用非标准端口,一样被封锁。443 不是神,在 GFW 面前任何端口都没有区别。
我在 10 月 2 日就观察到了被封锁现象,不只是 10 月 3 日,但是大规模封锁是在 10 月 3 日中午。10 月 2 日的封禁方式是封锁该 IP 的全部协议,10 月 3 日则大多表现为只封禁端口,而不封锁整个IP。在 10 月 2 日后侥幸存活下来的服务器,大多都采用封禁端口的形式。即使更换端口,虽然短时间可以连通,但是会在几个小时内,端口继续被封禁。
而将这些服务器转而使用 VMESS+ANY,即不加 TLS,则可以正常使用不会被封禁。自 10 月 3 日至今,这些不使用 TLS 的 VMESS 服务器仍然存活。也有部分服务器使用了 Trojan,目前也是存活完好。
有理由怀疑,VMESS 的 TLS 在实现方式上是不是有特征可供利用。
完全解释不通 Trojan TLS 基本不会被封锁的现象,均使用了相同的 v2ray 核心,以及大多数人使用 Clash 核心作为客户端。
使用CloudFlare 进行代理后,原本被封禁的TLS协议链接恢复正常,并未更换任何其他配置,因此TLS指纹识别假设并不完全可信。
SS-AEAD and Trojan survive much better than VMESS+ANY+TLS. After counting a dozen servers from various countries, only a few North American servers survive on the VMESS side, while SS-AEAD and Trojan basically survive.
Not only 443 is blocked, but also when using non-standard ports. 443 is not a god, and no port makes any difference in front of GFW.
I observed the blocking phenomenon on October 2, not just October 3, but at noon on October 3. The blocking method on October 2 was to block all protocols of the IP, while on October 3 it was mostly to block the port but not the whole IP. Even if the ports were changed, they could be connected for a short time, but within a few hours, the ports would continue to be blocked.
If these servers are switched to VMESS+ANY, i.e. without TLS, they can be used normally without being blocked. Since October 3, these VMESS servers without TLS are still alive. There are also some servers that use Trojan, but they are still alive and well.
It is reasonable to wonder if there are features in VMESS's TLS implementation that could be exploited.
It does not make sense at all that Trojan TLS would be largely unblocked, all use the same v2ray core, and most use the Clash core as a client.
After using CloudFlare as a proxy, the originally blocked TLS protocol link was restored to normal without replacing any other configuration, so the TLS fingerprinting assumption is not entirely plausible.
SS-AEAD、Trojan 存活情况要比 VMESS+ANY+TLS 好的多,统计了十几台各个国家地区的服务器,VMESS 这边仅剩几个北美的服务器存活,而 SS-AEAD、Trojan 基本上都存活下来了。 不只是 443 被封锁,使用非标准端口,一样被封锁。443 不是神,在 GFW 面前任何端口都没有区别。 我在 10 月 2 日就观察到了被封锁现象,不只是 10 月 3 日,但是大规模封锁是在 10 月 3 日中午。10 月 2 日的封禁方式是封锁该 IP 的全部协议,10 月 3 日则大多表现为只封禁端口,而不封锁整个IP。在 10 月 2 日后侥幸存活下来的服务器,大多都采用封禁端口的形式。即使更换端口,虽然短时间可以连通,但是会在几个小时内,端口继续被封禁。 而将这些服务器转而使用 VMESS+ANY,即不加 TLS,则可以正常使用不会被封禁。自 10 月 3 日至今,这些不使用 TLS 的 VMESS 服务器仍然存活。也有部分服务器使用了 Trojan,目前也是存活完好。 有理由怀疑,VMESS 的 TLS 在实现方式上是不是有特征可供利用。 完全解释不通 Trojan TLS 基本不会被封锁的现象,均使用了相同的 v2ray 核心,以及大多数人使用 Clash 核心作为客户端。
使用CloudFlare 进行代理后,原本被封禁的TLS协议链接恢复正常,并未更换任何其他配置,因此TLS指纹识别假设并不完全可信。
Here's the thing, GFW does not dare block CloudFlare, 1, the number of IPs is too large, 2, blocking will lead to legal websites (such as being blocked, can only block SNI