2015-ensafi-active-probing
Examining how the Great Firewall discovers hidden circumvention servers
core
doi: 10.1145/2815675.2815690
Abstract
We measure the Great Firewall of China's active-probing system. After
observing a connection that uses a circumvention protocol (Tor obfs2/3,
obfs4, Shadowsocks, etc.), the GFW initiates probe connections to the
destination IP+port to confirm the protocol before blocking.
Team notes
THE definitive paper on GFW active probing. Anyone designing a new
Lantern protocol must reckon with the threat model in this paper:
if the protocol responds to a probe connection differently from a
benign service, the IP gets blocked. The reverse-TLS / Reflex line
of defense is a direct response to this threat.