The Great Firewall of China (GFW) has implemented a new method of detecting illegal traffic that blocks fully encrypted traffic in real time.
Since November 6, 2021, Internet users in China have been reporting their Shadowsocks and VMess servers being blocked. The blocking coincided with the holding of the sixth plenary session of the 19th Central Committee of the Chinese Communist Party. This was the first case of mass blocking of fully encrypted proxies in real time based on passive traffic analysis.
The GFW uses at least five sets of heuristics to separate fully encrypted traffic from ordinary traffic. These exclusion rules are based on fingerprints of common protocols, a rough entropy test that uses the fraction of bits set in the first TCP payload, and the fraction, position, and longest contiguous run of printable ASCII characters in that same payload.
The system relies on this traffic-analysis algorithm, but it also applies additional rules based on packet length.
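The following is an added example, not code from the page or from the GFW analysis it summarises. It re-implements the five kinds of exclusion rules described above as a small classifier that a network researcher or circumvention-tool maintainer could run over the first TCP payload of a flow to see which rule, if any, would exempt it. The page gives no thresholds, so the numeric cut-offs (average set bits per byte outside 3.4 to 4.6, first six bytes printable, more than half printable, a printable run longer than 20, and a TLS-record or HTTP-method prefix as the protocol fingerprint), the rule names, and the printable range 0x20 to 0x7E are assumptions chosen to follow the published analysis of this detector; the sample payloads are constructed by hand.

```python
"""Exclusion-rule classifier for a flow's first TCP payload (added example).

Thresholds, rule names and sample payloads are assumptions / constructed
values for illustration; the summarised page does not list them.
"""

# Assumed: "printable ASCII" means 0x20..0x7E inclusive.
PRINTABLE = frozenset(range(0x20, 0x7F))

# Assumed list of HTTP request-line prefixes for the HTTP fingerprint rule.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def avg_popcount(payload: bytes) -> float:
    """Average number of set bits per byte: the 'rough entropy test'."""
    return sum(bin(b).count("1") for b in payload) / len(payload)


def printable_fraction(payload: bytes) -> float:
    """Fraction of bytes in the printable ASCII range."""
    return sum(b in PRINTABLE for b in payload) / len(payload)


def longest_printable_run(payload: bytes) -> int:
    """Length of the longest contiguous run of printable ASCII bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x03)


def looks_like_http(payload: bytes) -> bool:
    """HTTP request line starting with a known method and a space."""
    return payload.startswith(HTTP_METHODS)


def rule_popcount(p: bytes) -> bool:
    # Ex1 (assumed threshold): too few or too many set bits per byte.
    a = avg_popcount(p)
    return a <= 3.4 or a >= 4.6


def rule_first6_printable(p: bytes) -> bool:
    # Ex2 (assumed): the first six bytes are all printable.
    return len(p) >= 6 and all(b in PRINTABLE for b in p[:6])


def rule_printable_fraction(p: bytes) -> bool:
    # Ex3 (assumed threshold): more than half of the bytes are printable.
    return printable_fraction(p) > 0.5


def rule_printable_run(p: bytes) -> bool:
    # Ex4 (assumed threshold): a printable run longer than 20 bytes.
    return longest_printable_run(p) > 20


def rule_fingerprint(p: bytes) -> bool:
    # Ex5: the payload carries a common-protocol fingerprint (TLS or HTTP here).
    return looks_like_tls(p) or looks_like_http(p)


RULES = (
    ("ex1_popcount", rule_popcount),
    ("ex2_first6_printable", rule_first6_printable),
    ("ex3_printable_fraction", rule_printable_fraction),
    ("ex4_printable_run", rule_printable_run),
    ("ex5_fingerprint", rule_fingerprint),
)


def classify(payload: bytes):
    """Return (verdict, matched_rules).

    Any matching rule exempts the flow ('exempt'); a payload that matches
    none of them is what the detector treats as fully encrypted ('suspect').
    Only the first TCP payload of a flow is ever examined.
    """
    if not payload:
        raise ValueError("first TCP payload must be non-empty")
    matched = [name for name, rule in RULES if rule(payload)]
    return ("exempt" if matched else "suspect"), matched


# Constructed sample payloads (not captured traffic).
ENCRYPTED_LIKE = bytes.fromhex("8fc32ad91eb647f00da56c933be87211")  # 64 set bits / 16 bytes
SAMPLES = {
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tls": b"\x16\x03\x03" + ENCRYPTED_LIKE * 2,
    "zeros": bytes(16),
    "encrypted_like": ENCRYPTED_LIKE,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict, matched = classify(payload)
        print(f"{name:15s} {verdict:8s} popcount/byte={avg_popcount(payload):.2f} "
              f"printable={printable_fraction(payload):.0%} rules={matched}")
```

Note that the constructed `ENCRYPTED_LIKE` payload averages exactly 4.0 set bits per byte, has only five printable bytes and no recognisable prefix, so no rule fires and it is the kind of first packet the detector would block; prefixing the same bytes with a TLS record header is enough to exempt the flow under the fingerprint rule alone.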
One of the cornerstones in censorship circumvention is fully encrypted protocols, which encrypt every byte of the payload in an attempt to “look like nothing”. In early November 2021, the Great Firewall of China (GFW) deployed a new censorship technique that passively detects—and subsequently blocks—fully encrypted traffic in real time. The GFW’s new censorship capability affects a large set of popular censorship circumvention protocols, including but not limited to Shadowsocks, VMess, and Obfs4. Although China had long actively probed such protocols, this was the first report of purely passive detection, leading the anti-censorship community to ask how detection was possible.
