
New GFW IP blockage bypass method

Open developer861 opened this issue 8 months ago • 3 comments

Main idea -> TCP violation:

The GFW needs to check every packet against a large list of filtered IPs in order to drop them.

Since that is not practical in huge traffic, they separate out the TCP handshake (SYN) packets and check only those.

In fact, they only drop SYN packets with a blocked IP, in both directions.

So we can bypass IP filtering by building a communication link without a TCP handshake.

How important is it?

  1. It bypasses IP blockage, so it bypasses the principal core of filtering.

  2. It changes the paradigm of anti-censorship from "hiding traffic" / "escaping blockage" to "drilling through whatever is blocked". What more can a censor do after detecting a VPN, besides blocking the IP?

  3. Similar to fragmentation, which bypasses filtered domains/SNI, it operates at the lower network layer.

  4. No matter which protocol is used at the upper level, it can drill through everything, even blocked ports.

Can the GFW block the TCP violation method?

  1. This method is not based on a bug nor on a protocol at the application layer.

  2. It operates on the lowest possible layer of the network (transport and IP layer).

  3. It needs lots of dedicated hardware to fight against (not achievable in software).

  4. We use TCP ACK/PUSH packets, which are 100000X more frequent than SYN.

  5. They have a large list of blocked IPs that they want to drop.

  6. They simply can't hold & check every single packet in high-speed traffic (unless with millions of dollars of HW investment).

Project: https://github.com/GFW-knocker/gfw_resist_tcp_proxy

Creator: @GFW-knocker

developer861, Apr 05 '25 01:04

Some other developers like @patterniha have also used similar methods, but it seems that the main limitation is root access on Android and iOS phones.

developer861, Apr 05 '25 02:04

Since the GFW in China is an IP black hole, it may not work. But there are lots of IPs not blocked by the black hole.

maoist2009, Apr 14 '25 05:04

DPI systems do not limit their inspection to just TCP-SYN packets. Instead, they analyze all packets until a complete TCP handshake is observed. For TLS connections, this would also include inspecting the ClientHello payload. For plain-text HTTP connections, it might include the HTTP request, etc. Once the TCP flow is established, it is typically added to a "flowtable," allowing subsequent packets that match the IP 5-tuple to bypass the packet inspection process. This is often accelerated by offloading capabilities from network cards or network packet brokers.

It's trivial for a DPI system to inspect the first packet of a TCP flow. If it identifies that the packet is not a TCP-SYN, it can block the connection accordingly.

PapayaJackal, Apr 16 '25 12:04
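As an added illustration, not code from this thread or from the gfw_resist_tcp_proxy project: a small Python model of the two filter designs discussed above, the SYN-only check that the opening post assumes and the flow-table tracker that the last comment describes. Packets, the addresses (documentation ranges) and the block list are all constructed for the example; no real traffic is involved.

```python
"""Constructed model of two IP-filter designs from the thread (added example).

syn_only_filter: the design the opening post assumes, where only SYN packets
are checked against the block list and every other packet passes unchecked.

FlowTracker: the flow-table design from the last comment, which inspects every
packet of a flow until the three-way handshake completes, then marks the
5-tuple as established so later packets take the fast path. A flow whose first
observed packet is not a bare SYN is a handshake violation and is dropped.
"""
from dataclasses import dataclass, field

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def syn_only_filter(p: Packet, blocklist: set) -> str:
    """Filter that checks only SYN packets, as assumed in the opening post."""
    if p.flags & SYN and (p.src in blocklist or p.dst in blocklist):
        return "drop"
    return "pass"


def five_tuple(p: Packet) -> tuple:
    """Direction-independent key so both sides of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b), "tcp")


@dataclass
class FlowTracker:
    """Flow-table tracker: inspect until handshake completes, then fast path."""
    blocklist: set
    states: dict = field(default_factory=dict)  # key -> syn/synack/established/blocked

    def process(self, p: Packet) -> str:
        key = five_tuple(p)
        state = self.states.get(key)
        if state == "established":
            return "fastpath"  # offloaded; no further inspection
        if state == "blocked":
            return "drop"
        if state is None:
            # First packet of a new flow must be a bare SYN (SYN set, ACK clear).
            if p.flags & SYN and not p.flags & ACK:
                if p.src in self.blocklist or p.dst in self.blocklist:
                    self.states[key] = "blocked"
                    return "drop"
                self.states[key] = "syn"
                return "inspect"
            self.states[key] = "blocked"  # handshake violation
            return "drop"
        if state == "syn" and p.flags & SYN and p.flags & ACK:
            self.states[key] = "synack"
            return "inspect"
        if state == "synack" and p.flags & ACK and not p.flags & SYN:
            self.states[key] = "established"
            return "inspect"
        self.states[key] = "blocked"  # out-of-order handshake
        return "drop"


# Constructed addresses from RFC 5737 documentation ranges.
CLIENT, ALLOWED, BLOCKED_IP = "192.0.2.10", "198.51.100.5", "198.51.100.7"


def handshake(client: str, server: str, sport: int = 40000) -> list:
    """Normal SYN / SYN-ACK / ACK exchange followed by one data segment."""
    return [Packet(client, sport, server, 443, SYN),
            Packet(server, 443, client, sport, SYN | ACK),
            Packet(client, sport, server, 443, ACK),
            Packet(client, sport, server, 443, PSH | ACK)]


def no_handshake(client: str, server: str, sport: int = 40001) -> list:
    """Data segments in both directions with the handshake skipped entirely."""
    return [Packet(client, sport, server, 443, PSH | ACK),
            Packet(server, 443, client, sport, PSH | ACK)]


def run(tracker: FlowTracker, packets: list) -> list:
    """Feed packets through a tracker and collect its verdicts in order."""
    return [tracker.process(p) for p in packets]


if __name__ == "__main__":
    bl = {BLOCKED_IP}
    print("SYN-only, no handshake:", [syn_only_filter(p, bl) for p in no_handshake(CLIENT, BLOCKED_IP)])
    print("flow table, no handshake:", run(FlowTracker(bl), no_handshake(CLIENT, BLOCKED_IP)))
    print("flow table, normal flow:", run(FlowTracker(bl), handshake(CLIENT, ALLOWED)))
```

The contrast is in the first two outputs: the SYN-only filter passes the handshake-less segments to the blocked address, while the flow tracker drops the very first one because no SYN was ever seen for that 5-tuple, and it does so regardless of whether the address is on the block list.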