SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

[Feature]: SNI fragmentation #723

Closed radiumatic closed 11 months ago

radiumatic commented 11 months ago

This script fragments the TCP packet that contains the SNI of TLS and HTTP connections; further explanation can be found in the mentioned repository: https://github.com/GFW-knocker/gfw_resist_tls_proxy TL;DR: The DPI servers, processing hundreds of gigabytes each second, cannot wait for all the fragmented parts to arrive, be assembled and checked against the SNI whitelist/blocklist. Therefore, they are allowed. While this script is useful, its performance is awful. It would be really great to have sing-box do this in the TLS/HTTP processing layer (disabled by default, with an option to enable it).

nekohasekai commented 11 months ago

There's no evidence this works in China, and it's easily blocked.

CyrusTheV commented 5 months ago

There's no evidence this works in China, and it's easily blocked.

Fragmentation is part of the TCP/IP specification and all network devices must support it. Currently the GFW tries to assemble fragments, so it seems necessary to function properly. Dropping TCP fragments violates network rules and causes instability in high-speed routers. Fragmentation occurs in general. The GFW can't cache TBs of data every second. The GFW can't hold every TCP packet and wait for fragments to come. Even if the GFW detects fragments in some manner, adding a delay between SYN and ACK gets it in trouble again. LOL. Personally I think "waiting" is a fundamental weakness of routers and can be exploited in various ways.
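The disagreement in this thread comes down to whether the middlebox reassembles the TCP stream before parsing the ClientHello. The following Go code is an added example, not code from sing-box or from the script linked in the issue: it builds a constructed ClientHello, then parses it the way a reassembling inspector would, so the server_name is recovered no matter how the sender split the record across segments, while a per-packet inspector that sees only the first segment gets nothing. BuildClientHello, ExtractSNI and ParseClientHelloSNI are hypothetical names chosen for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// BuildClientHello returns a minimal ClientHello record carrying server_name=host (constructed sample input; host under 200 bytes).
func BuildClientHello(host string) []byte {
	ext := append([]byte{0, 0, 0, byte(len(host) + 5), 0, byte(len(host) + 3), 0, 0, byte(len(host))}, host...)
	body := append(append(make([]byte, 34), 0, 0, 2, 0x13, 0x01, 1, 0, 0, byte(len(ext))), ext...)
	body[0], body[1] = 3, 3 // legacy_version; the 32-byte random stays zero
	hs := append([]byte{1, 0, 0, byte(len(body))}, body...)
	return append([]byte{0x16, 3, 1, 0, byte(len(hs))}, hs...)
}
// ExtractSNI inspects all bytes buffered so far for one connection, as a reassembling DPI does; done is false until the record is complete.
func ExtractSNI(stream []byte) (sni string, done bool, err error) {
	if len(stream) > 0 && stream[0] != 0x16 {
		return "", true, errors.New("not a TLS handshake record")
	}
	if len(stream) < 5 || len(stream) < 5+int(binary.BigEndian.Uint16(stream[3:5])) {
		return "", false, nil // record header or body still missing: wait for more segments
	}
	sni, err = ParseClientHelloSNI(stream[5:])
	return sni, true, err
}
// ParseClientHelloSNI walks a ClientHello handshake message to its server_name extension.
func ParseClientHelloSNI(hs []byte) (string, error) {
	bad := errors.New("malformed or truncated ClientHello")
	u16 := func(i int) int { return int(binary.BigEndian.Uint16(hs[i:])) }
	if len(hs) < 39 || hs[0] != 1 {
		return "", bad
	}
	p := 39 + int(hs[38]) // past type, length, version, random and session id
	if p+2 > len(hs) || p+3+u16(p) > len(hs) {
		return "", bad
	}
	p += 3 + u16(p) + int(hs[p+2+u16(p)]) // past cipher suites and compression methods
	if p+2 > len(hs) || p+2+u16(p) > len(hs) {
		return "", bad
	}
	for end, p := p+2+u16(p), p+2; p+4 <= end; p += 4 + u16(p+2) {
		if l := u16(p + 2); p+4+l > end {
			return "", bad
		} else if u16(p) == 0 && l >= 5 && 5+u16(p+7) <= l {
			return string(hs[p+9 : p+9+u16(p+7)]), nil // server_name host_name
		}
	}
	return "", errors.New("no server_name extension")
}
```

Feeding the record in pieces (for instance 1 byte, then 5, then the rest) returns done=false until the last piece arrives, at which point the full host name comes out; a truncated or non-TLS buffer yields an error rather than a panic.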

CyrusTheV commented 4 months ago

There's no evidence this works in China, and it's easily blocked.

Please explain how this method could be blocked?!

radiumatic commented 4 months ago

@nekohasekai I want to bring your attention to this:

2dust/v2rayNG#2839

Also, another Iranian developer has found a way to unblock obvious UDP protocols (mostly WireGuard) by creating noise before the handshake (and afaik, during sending packets). This works due to the fact that firewalls treat UDP as stateless and don't examine it as thoroughly as they do TCP. The best part? There's no need to modify the server.

https://github.com/bepass-org/wireguard-go/

iamtrazy commented 4 months ago

This makes blocked CF domains work in my country (Sri Lanka) as well. Please consider re-opening the feature.

radiumatic commented 4 months ago

This makes blocked CF domains work in my country (Sri Lanka) as well. Please consider re-opening the feature.

Do you mind sharing an email address? It would be interesting to know what tools you use, and in general, how censorship works there.