Outline detected and disrupted in Middle East

[felixding]

A Middle East user of my Outline service reported that

my ISP is too quick to detect and disrupt (if not outright block) Shadowsocks... At the moment, any of the server options only work for a couple of minutes or websites before my connection just hits a black hole.

I’ll keep trying for another couple of days but not too hopeful since the ISP also cratered my Outline setup last year in just over a month.

This feedback is very disturbing as I have just switched to Outline for the service. My speculation is his ISP blocks any type of unknown traffic, as he said the v2ray + TLS servers from me are fine.

The worst case scenario is the censors have figured out a way to classify Shadowsocks traffic. There have been anecdotes but no hard evidence.

Any thoughts?

[fortuna]

Thanks for the report. We need more information to determine whether the ISP uses a block list or allow list of protocols or traffic categories. Would any random bytes sent over the wire be blocked? I also wonder if the port number makes a difference.

What Shadowsocks client are they using? That also makes a difference, as some may not merge the SOCKS address and initial data in the first packet.

[fortuna]

This could also be a bug in the client. I know our Linux client has some disconnection issues, and Windows used to have too.

[cjhenck]

Hi Felix - is your user still experiencing these problems? Does it happen if they use a client that supports selective proxying?

[felixding]

@fortuna @cjhenck

Sorry for the late response. I'm following up with the user. So far what I know is that it happens when he uses Shadowrocket, an iOS app. Is there any easy way for him to see if the blockage is on a white/back list basis?

[fortuna]

One of the detection resistance changes we made was on the client, to make the socks address and initial connection data go together in the same packet. This makes the first packet have an unpredictable size. It may be that Shadowrocket is sending first the socks address, then the initial data. In that case the first packet would have a fixed, distinct size.

Besides Outline, clients based on shadowsocks-libev (shadowsocks-android, shadowsocks-windows) should also support that behavior, if their dependency is up to date. One would have to check what exactly Shadowrocket does, but it may be the culprit.

[felixding]

Hi,

I just got the feedback from that user. It turns out that Outline was actually fine. The problem was caused by the user's misconfiguration of Shadowrocket.

This is good news! Thanks for the followup. I'll close the issue.

[fortuna]

Phew, I'm glad to hear. Configuration issues are a common problem. We tried to streamline it a bit by writing our own client and adding the invite page flow. You may consider having a similar invite flow.

I also recognize that our Linux and Windows clients have some bugs where the user loses connectivity after some time and may feel like blocking. We are working on trying to diagnose that and fix, but it sometimes hard to reproduce.