MatsuriDayo / NekoBoxForAndroid

NekoBox for Android / sing-box / universal proxy toolchain for Android
https://matsuridayo.github.io/

FR : Packet Fragmentation - Hide SNI From GFW #556

Open mikeesierrah opened 4 months ago

mikeesierrah commented 4 months ago

Description suggestions

Fragment is being added to V2rayNG in this pull request; please implement this feature in NekoBox as well.

Quote from @GFW-knocker

about SNI, ESNI & ECH (skip if you want)

Leaking the domain name (SNI) is the famous old bug of the TLS protocol, which is still not fixed as of 2023. Some attempts started a few years ago to encrypt the SNI, called ESNI, which is deprecated today; Cloudflare stopped supporting ESNI in the summer of 2022. Another way is Encrypted Client Hello (ECH), which is in draft version and not well documented. I made many efforts to use ECH, but it's too complex and still in development; also, it is based on DNS-over-HTTPS, which is already filtered by the GFW.

about GFW SNI filtering on Cloudflare IPs (skip if you want)

Cloudflare IPs carry high traffic, and 30% of the web is behind them, so the GFW can't simply block them because of the traffic volume. All traffic is encrypted except the client hello, which leaks the server name (SNI), so the GFW extracts the SNI from the client hello, and when the SNI is in the whitelist, it passes.

If the SNI is in the blacklist, the GFW sends a TCP RST to terminate the TCP socket.

about packet fragment (skip if you want)

We hide the SNI by fragmenting the client hello packet into several chunks. But the GFW already knows this and tries assembling those chunks to find the SNI! LOL. But we add a time delay between fragments. LOL. Since Cloudflare IPs have too much traffic, the GFW can't wait too long. LOL. The GFW's high-speed cache is limited, so it can't cache TBs of data looking for a tiny TCP fragment. LOL. So it forgets those fragments after a second. LOL. It's impossible to look through huge traffic for a packet when you don't know when or where it arrives. LOL. So it's forced to give up. LOL.

can GFW block fragments? (skip if you want)

Fragmentation is part of the TCP/IP specification, and all network devices must support it. Currently the GFW tries to assemble fragments, so that seems necessary for it to function properly. Dropping TCP fragments violates network rules and causes instability in high-speed routers. Fragmentation occurs in general. The GFW can't cache TBs of data every second; the GFW can't hold every TCP packet and wait for fragments to come. Even if the GFW detects fragments in some manner, adding a delay between SYN and ACK puts it in trouble again. LOL. Personally, I think "waiting" is a fundamental weakness of routers and can be exploited in various ways.

More info about the project is here: https://github.com/GFW-knocker/gfw_resist_tls_proxy. More info about packet fragmentation

Necessity of recommendations

Fragment helps users bypass the GFW's filtering on SNI, which has been happening rapidly in Iran recently.
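The scheme described in the quoted post, as an added example that is not part of this issue, of the V2rayNG pull request, or of GFW-knocker's project: a minimal TLS ClientHello is built for an assumed hostname, split so that the SNI bytes straddle two TCP segments, and then run through two simulated inspectors: a per-packet one, and a stream-reassembling one whose partial buffer is evicted when the next fragment arrives later than a bounded window, which is the behaviour the post attributes to the GFW. The hostname `example.com`, the `max_gap` window, and the `CapturingSocket` stand-in for a real connection are assumptions made for illustration.

```python
"""Added example (not NekoBox/sing-box code): ClientHello fragmentation vs. SNI inspection.

Assumptions: hostname "example.com", a 1-second reassembly window for the simulated
inspector, and CapturingSocket as a stand-in for a connected socket with TCP_NODELAY set.
"""
import os
import struct
import time


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS ClientHello record carrying a single server_name (SNI) extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    body = (
        b"\x03\x03"                                 # client_version
        + os.urandom(32)                            # random
        + b"\x00"                                   # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
        + b"\x01\x00"                               # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """What an inspector does: parse a ClientHello and return its SNI, or None if absent/incomplete."""
    try:
        if data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            return None                              # record not fully present in this buffer
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                               # handshake header, version, random
        p += 1 + hs[p]                               # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
        p += 1 + hs[p]                               # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def fragment_at_sni(record: bytes, hostname: str) -> list:
    """Split the record so the hostname bytes are divided between two TCP segments."""
    idx = record.find(hostname.encode("ascii"))
    if idx < 0:
        raise ValueError("hostname not found in record")
    cut = idx + len(hostname) // 2
    return [record[:cut], record[cut:]]


def naive_dpi(chunks, blacklist):
    """Per-packet inspector: parses each segment on its own and also does a substring scan."""
    for chunk in chunks:
        sni = extract_sni(chunk)
        if sni in blacklist:
            return sni
        for host in blacklist:
            if host.encode("ascii") in chunk:
                return host
    return None


def reassembling_dpi(timed_chunks, blacklist, max_gap: float):
    """Stream-reassembling inspector with a bounded window: a gap longer than max_gap
    between consecutive fragments evicts the partial buffer (the post's 'it forgets')."""
    buf, last_t = b"", None
    for t, chunk in timed_chunks:
        if last_t is not None and t - last_t > max_gap:
            buf = b""
        buf += chunk
        last_t = t
        sni = extract_sni(buf)
        if sni in blacklist:
            return sni
    return None


class CapturingSocket:
    """Assumed stand-in for a connected TCP socket; records each sendall() as one write."""
    def __init__(self):
        self.writes = []

    def sendall(self, data: bytes) -> None:
        self.writes.append(bytes(data))


def send_fragmented(sock, chunks, delay: float) -> int:
    """Write each chunk as its own send() with a pause between them; returns bytes written.
    On a real socket set TCP_NODELAY, or Nagle may merge the chunks back into one segment."""
    sent = 0
    for i, chunk in enumerate(chunks):
        if i:
            time.sleep(delay)
        sock.sendall(chunk)
        sent += len(chunk)
    return sent


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    parts = fragment_at_sni(hello, "example.com")
    print("per-packet inspector:", naive_dpi(parts, {"example.com"}))
    print("reassembler, 0.1 s gap:", reassembling_dpi([(0.0, parts[0]), (0.1, parts[1])], {"example.com"}, 1.0))
    print("reassembler, 2.5 s gap:", reassembling_dpi([(0.0, parts[0]), (2.5, parts[1])], {"example.com"}, 1.0))
```

The receiving server is unaffected because TCP presents a byte stream: its TLS stack reassembles the ClientHello regardless of how the client segmented it. The example also shows the limit of the technique: an inspector willing to buffer across the delay (the `0.1 s` case) still recovers the name, so the scheme rests entirely on the post's claim that the inspector's reassembly window is shorter than the delay the client inserts.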

Mahdi-zarei commented 4 months ago

How exactly do you expect fragment to be added to NekoBox? NekoBox is simply a GUI for sing-box, and sing-box does not implement fragment, so this feature cannot be added to NekoBox. Please do some research to see if such requests have already been made before spamming such issues.