NDSS

Detecting Probe-resistant Proxies

Sergey Frolov (University of Colorado Boulder), Jack Wampler (University of Colorado Boulder), Eric Wustrow (University of Colorado Boulder)

Censorship circumvention proxies have to resist active
probing attempts, where censors connect to suspected servers
and attempt to communicate using known proxy protocols. If the
server responds in a way that reveals it is a proxy, the censor can
block it with minimal collateral risk to other non-proxy services.
Censors such as the Great Firewall of China have previously been
observed using basic forms of this technique to find and block
proxy servers as soon as they are used. In response, circumventors
have created new “probe-resistant” proxy protocols, including
obfs4, Shadowsocks, and Lampshade, that attempt to prevent
censors from discovering them. These proxies require knowledge
of a secret in order to use, and the servers remain silent when
probed by a censor that doesn’t have the secret in an attempt to
make it more difficult for censors to detect them.

In this paper, we identify ways that censors can still
distinguish such probe-resistant proxies from other innocuous
hosts on the Internet, despite their design. We discover unique
TCP behaviors of five probe-resistant protocols used in popular
circumvention software that could allow censors to effectively
confirm suspected proxies with minimal false positives. We
evaluate and analyze our attacks on hundreds of thousands of
servers collected from a 10 Gbps university ISP vantage point
over several days as well as active scanning using ZMap. We
find that our attacks are able to efficiently identify proxy servers
with only a handful of probing connections, with negligible false
positives. Using our datasets, we also suggest defenses to these
attacks that make it harder for censors to distinguish proxies
from other common servers, and we work with proxy developers
to implement these changes in several popular circumvention
tools.