XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

Adding the idea of confusing GTW #1996

Closed. hiddify-com closed this 4 months ago.

hiddify-com commented 1 year ago

While the idea of fragmenting the TLS handshake packet, particularly the SNI part, is not a new idea, it works perfectly when used with Cloudflare and Xray. This means that, in order to make a quick decision, GTW only looks at some specific patterns such as ClientHello and SNI and then compares them with whitelisted and blacklisted SNIs. GTW tries to avoid connection tracking as it needs more processing. Adding more techniques, even ones that are detectable by GTW, needs more calculation, and they cannot easily apply it.

Although fragmenting the TLS handshake packet, specifically the SNI part, is not a novel concept, it works seamlessly when utilized with Cloudflare CDN and Xray. Consequently, to expedite the decision-making process, GTW examines certain patterns, including ClientHello and SNI, and compares them with a list of whitelisted and blacklisted SNIs. GTW aims to avoid connection tracking as it requires additional processing. While GTW can detect it as unusual traffic, additional techniques would require more computation and may not be easily applicable for GTW.

The idea is to add the following scenarios to the Raw Connection, selectable by the user:

  1. fragmenting the ClientHello into two parts and sending the second part with some configurable delay

  2. Creating a fake ClientHello that we know the server will drop, and then sending the real ClientHello in the fragmented manner:

    • ttl: the fake packets are dropped by TTL
    • md5: the fake packets will have a wrong md5 option
    • csum: the fake packets will have a wrong checksum
    • ack: the fake packets will have a wrong ACK number
  3. combining those approaches

What do you think about these?

We want to contribute to this part of Xray-Core; however, we are really confused. It would be great if you could help us find the right place in your code for adding these actions. Or it would be greatly appreciated if you added it directly :-)

References: some great work has been done in:
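The first scenario above (split the ClientHello so the SNI does not sit in one piece, then send the pieces with a pause), as an added example in Go, Xray-core's own language. It is not code from the issue author or from Xray-core, and the function names (`findSNI`, `fragmentClientHello`, `buildClientHello`) are this example's own. It splits at the TLS record layer rather than relying on TCP segmentation: one handshake message is emitted as two TLS records, cut in the middle of the host name, which the server's TLS stack reassembles (RFC 8446, section 5.1) no matter how the kernel segments the bytes. The ClientHello fed to it is a constructed sample, and the fake-packet variants (bad TTL, checksum, ACK) are not shown because they need raw sockets.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var errMalformed = errors.New("malformed or non-ClientHello handshake message")

// skipVec advances p past a length-prefixed vector (w-byte length field, w is 1 or 2).
func skipVec(b []byte, p, w int) (int, bool) {
	if p+w > len(b) {
		return 0, false
	}
	l := int(b[p])
	if w == 2 {
		l = int(binary.BigEndian.Uint16(b[p:]))
	}
	return p + w + l, p+w+l <= len(b)
}

// findSNI returns offset and length of the host name in the server_name extension
// of a ClientHello handshake message; every length is bounds-checked.
func findSNI(hs []byte) (off, n int, err error) {
	p, ok := 4+2+32, true // handshake header, legacy_version, random
	if len(hs) < p || hs[0] != 0x01 {
		return 0, 0, errMalformed
	}
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if p, ok = skipVec(hs, p, w); !ok {
			return 0, 0, errMalformed
		}
	}
	end, ok := skipVec(hs, p, 2) // end of the extensions block
	if !ok {
		return 0, 0, errMalformed
	}
	for p += 2; p+4 <= end; {
		typ, l := binary.BigEndian.Uint16(hs[p:]), int(binary.BigEndian.Uint16(hs[p+2:]))
		if p += 4; p+l > end {
			return 0, 0, errMalformed
		}
		if typ == 0x0000 { // server_name: list_len(2) name_type(1) name_len(2) host_name
			if l < 5 || 5+int(binary.BigEndian.Uint16(hs[p+3:])) > l {
				return 0, 0, errMalformed
			}
			return p + 5, int(binary.BigEndian.Uint16(hs[p+3:])), nil
		}
		p += l
	}
	return 0, 0, errors.New("no server_name extension")
}

// fragmentClientHello splits a TLS record carrying a ClientHello into two records,
// cutting inside the SNI host name so neither record holds the whole name. TLS stacks
// reassemble handshake messages across records (RFC 8446, section 5.1).
func fragmentClientHello(record []byte) ([][]byte, error) {
	if len(record) < 5 || record[0] != 0x16 || int(binary.BigEndian.Uint16(record[3:])) != len(record)-5 {
		return nil, errors.New("not a single well-formed TLS handshake record")
	}
	hs := record[5:]
	off, n, err := findSNI(hs)
	if err != nil {
		return nil, err
	}
	cut := off + n/2
	hdr := func(ln int) []byte { return append(append([]byte{}, record[:3]...), byte(ln>>8), byte(ln)) } // same type/version
	return [][]byte{append(hdr(cut), hs[:cut]...), append(hdr(len(hs)-cut), hs[cut:]...)}, nil
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// buildClientHello is constructed sample input: a minimal ClientHello with one cipher suite and SNI.
func buildClientHello(host string) []byte {
	name := []byte(host)
	sni := append(append(append(be16(3+len(name)), 0x00), be16(len(name))...), name...)
	ext := append(append(be16(0x0000), be16(len(sni))...), sni...)
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)       // legacy_version, zero random
	body = append(body, 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00) // empty session_id, TLS_AES_128_GCM_SHA256, null compression
	body = append(append(body, be16(len(ext))...), ext...)
	hs := append(append([]byte{0x01, byte(len(body) >> 16)}, be16(len(body))...), body...)
	return append(append([]byte{0x16, 0x03, 0x01}, be16(len(hs))...), hs...)
}

func main() {
	frags, err := fragmentClientHello(buildClientHello("example.com"))
	if err != nil {
		panic(err)
	}
	// Writing the two records with a pause between them is the proposal's delay;
	// on a real net.Conn the pause makes them likely to leave as separate segments.
	for i, f := range frags {
		if i > 0 {
			time.Sleep(20 * time.Millisecond)
		}
		fmt.Printf("record %d: %d bytes, tail %q\n", i, len(f), f[len(f)-5:])
	}
}
```

On the sample hello the cut lands between "examp" and "le.com", so neither record contains the host name as a contiguous string. The check worth keeping in mind: a ClientHello delivered as two short handshake records with a pause between them is itself an unusual pattern, and a middlebox that reassembles records sees the name anyway, so this buys time against pattern matching on single packets rather than against a censor willing to track the connection.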

RPRX commented 1 year ago

Splitting the Client Hello is not hard to implement; the others are a bit more troublesome. But all of these methods have very obvious characteristics that cannot be reasonably explained, so the GFW only needs to detect them specifically. Adding them to Xray is possible, but it would most likely speed up their being put on the list, and these methods would soon stop working; this needs to be weighed.

See https://github.com/XTLS/Xray-core/issues/1906#issuecomment-1512176531 and https://github.com/XTLS/Xray-core/discussions/1988#discussioncomment-5730428

RPRX commented 1 year ago

https://github.com/XTLS/Xray-core/issues/2000#issuecomment-1528913218

egg1234 commented 1 year ago

@RPRX Would it be easier to implement by following the method in the latest paper below?

https://gfw.report/publications/usenixsecurity23/zh/

hiddify-com commented 1 year ago

Great. We have added a strategy parameter and we will add more strategies.

We will let you know

lepz0r commented 10 months ago

There's also a DPI circumvention tool called Geneva which is more versatile, and there's also a Golang port of the engine; maybe we can integrate it into Xray.

We can also use the original Python version to find strategies using machine learning.