Bypassing DPI with eBPF, no VPN or proxy needed
19 points by boratanrikulu
For others who might need to know, DPI stands for Deep Packet Inspection.
I've heard that this worked wonders to bypass the Iranian firewall. I'd be curious to know how DPI middlebox vendors will react to this: add 2, 3, 4, ... SNI checks? Could it wait to whitelist the connection by waiting for some response on the same connection? I guess that would require that every connection is processed by the same box in both directions, which could add even more overhead... Best solution would be to not have DPI :)
Right, more sophisticated DPI could do full TCP reassembly and check multiple ClientHellos. The fake+TTL trick works against stateless DPI that only inspects the first segment. Against something like China's GFW that does reassembly, this wouldn't work.
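As an added illustration of the stateless-versus-reassembling distinction made above (this is not code from the thread or from the project it discusses): a minimal TLS ClientHello builder and SNI parser, run once as an inspector that decides on the first TCP segment alone and once as one that reassembles the stream and parses every record. The hostnames, the zeroed random and the single cipher suite are constructed sample values.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 record holding a ClientHello with a single SNI extension."""
    host = sni.encode()
    name = b"\x00" + struct.pack("!H", len(host)) + host            # host_name entry
    sn_list = struct.pack("!H", len(name)) + name
    ext = struct.pack("!HH", 0, len(sn_list)) + sn_list             # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                               # version + random (constructed zeros)
            + b"\x00"                                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body          # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(data: bytes):
    """SNI host from one TLS handshake record; None if absent or the record is truncated."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    hs_len = int.from_bytes(data[6:9], "big")
    if len(data) < 9 + hs_len:                                       # truncated record
        return None
    p = 9 + 2 + 32                                                   # skip version and random
    p += 1 + data[p]                                                 # session_id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]                   # cipher_suites
    p += 1 + data[p]                                                 # compression_methods
    end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if etype == 0:                                               # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
            return data[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen

def first_segment_view(segments):
    """Stateless inspector: decides on the first TCP segment alone."""
    return [extract_sni(segments[0])]

def reassembled_view(segments):
    """Stateful inspector: reassembles the stream and parses every TLS record in it."""
    stream, out, p = b"".join(segments), [], 0
    while p + 5 <= len(stream):
        rec_len = struct.unpack("!H", stream[p + 3:p + 5])[0]
        out.append(extract_sni(stream[p:p + 5 + rec_len]))
        p += 5 + rec_len
    return out

SEGMENTS = [build_client_hello("decoy.example"), build_client_hello("real.example")]  # constructed: two ClientHellos on one connection
```

The first inspector reports only the decoy name, while the reassembling one reports both, which is exactly the "multiple ClientHellos on one connection" signal a stateful box can alert on.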
It seems they already can respond to this semi-automatically.
According to the Geedge Networks leaks:
Even when TSG is unable to identify the specific application or service associated with a user’s activity, it can flag any unusual large traffic flows as suspicious. Following this identification, the system can be configured to block the flagged traffic after a predetermined period, for example 24 hours. This approach corresponds to observations of the GFW, which has been observed similarly blocking any high-bandwidth encrypted traffic flow after a certain duration, even if it cannot identify the specific nature of the traffic.
...
The system possesses the capability to maintain a reputation score for each subscriber, which is determined by their online activities and the extent of personal information the system has collected about them. Should a subscriber’s reputation score decline significantly, their internet service may be cut off and they might be required to undergo photo ID and facial recognition verification to authenticate their identity and improve their score. Furthermore, the system can identify individual subscribers as known VPN users and then later track their Internet usage and categorize any future unknown high bandwidth traffic flows as suspicious. This individualized classification can lead to the identification and blocking of previously unidentified services when an internet user switches to a new VPN provider, potentially exposing this new VPN and implicating not only the identified internet user but also all other users of this service.
I recommend reading the full report; it is a good glimpse into how they operate. Another decent info source is the net4people bbs (hosted on GitHub for some reason), and Great Firewall Report.
It is always a cat and mouse game to bypass blocking, but this censorship (alongside advanced malware) being widespread instead of restricted only to governments who could build it themselves, terrifies me.
Did you use an LLM to edit this? It’s not blatantly obvious here like something generated completely by an LLM, but it still has a slight bit of the usual LLM phrasing that I can’t stand.
I used an LLM to help with the draft, then edited it myself. If specific phrasing feels off I'm happy to fix it, English isn't my first language so it's hard to tell sometimes.
It reads like slop. It cheapens your message and made me stop reading. LLMs leave very obvious tells in your writing, at least in English.
I'd rather read your writing, imperfections and all, than the output of an LLM.
And that's before we get to the ethics. LLMs devalue the things I like about humanity. Using them helps build a bleak future.