fortuna
commented
5 years ago Thanks for the info. We are aware of that work.
- Max Lv's version of sssniff shows that ShadowsocksR is actually a lot easier to detect at scale than Shadowsocks
- The Random Forest paper is of questionable quality. It doesn't seem like a properly peer-reviewed work and doesn't seem very sound.
- The Encrypted Traffic Classification paper seems solid, but the categories seem broad and and the algorithm expensive enough for it to be not doable in real time. It may become a threat, but it doesn't seem like an imminent one. Something to keep an eye on.
- On HTTP/TLS headers: it's very easy to detect when an app is emulating a protocol. Whatever some may be doing, may not last long.
- We like the idea of using TLS. There's a proposal for SOCKS over TLS that I'm following, but it doesn't support encrypted UDP yet. Another possibility is to use a HTTPS proxy, but it doesn't support UDP.
- QUIC is another possibility, but transporting an unreliable protocol (UDP) over QUIC defeats the purpose of using UDP. There's a proposal to allow QUIC to transport data that doesn't need reliability. We will still need a routing protocol on top of QUIC (HTTPS CONNECT? SOCKS?), and a way to frame datagrams for UDP proxying, which is not specified yet.
- The round-robin idea sounds useful. We may consider that.
I understand that you have been looking for more information about how the protocol has been detected.
Here are some relevant projects/papers:
https://github.com/madeye/sssniff
https://github.com/shadowsocks/shadowsocks-libev/files/1374916/10.1109.IHMSC.2017.132.pdf
https://arxiv.org/pdf/1709.02656.pdf
I think that it would be a good time to start supporting obfuscation techniques such as adding fake HTTP/TLS headers (which would bypass the detection methods that have been discovered). Another idea would be wrapping the ShadowSocks protocol in TLS with certificates obtained from LetsEncrypt and the ability to round-robin servers to prevent traffic analysis. Something like a proxy using IETF QUIC would also be a solution.