net4people / bbs

Forum for discussing Internet censorship circumvention

The most obvious sign of using a VPN, and why doesn't GFW use it? #148

Open opmaaadi opened 1 year ago

opmaaadi commented 1 year ago

When you're using a VPN, almost all your traffic is going to a specific server (let's ignore CDN's possibility). These governments could define a threshold (like 90%) and then ban any server a user sends more traffic to than the threshold specified.

Why doesn't GFW utilize this technique though?

I think it has to do with computing power. Due to the massive scale of the outbound data, I think they cannot do such a "stateful" analysis.

If that's the case, could we say that in upcoming years, when they can afford to do such an analysis, the current generation of VPNs and proxies will all be unusable?

donnyxray commented 1 year ago

> When you're using a VPN, almost all your traffic is going to a specific server (let's ignore CDN's possibility).

Please check recommended configs for xray, v2fly, etc. You'll notice they always come with geodata to separate local Chinese traffic from overseas traffic.

Anyone providing service in China splits traffic. If they don't, they will get complaints about WeChat being slow, Taobao showing the International version, Youku not playing content, etc, etc. Also, connecting from the VPN server back to China is considered a risk. Most will block this and hence force the user to split traffic.

TL;DR: GFW does not utilize this characteristic because it is rarely seen in China. (Different from traditional VPN setups seen in other countries.)

PatrickstarWritesCode commented 1 year ago

Wouldn't this flag anyone downloading a file? If yes then downloading will be impossible.

ignoramous commented 1 year ago

> I think they cannot do such a "stateful" analysis.

QUIC makes such analysis even harder (since both client and server can have mobile/fluid IPs). Though, I'd imagine, HTTP/3 (perhaps the most important protocol using QUIC) is blocked by the GFW altogether.

opmaaadi commented 1 year ago

> Wouldn't this flag anyone downloading a file? If yes then downloading will be impossible.

Well, downloading takes place in some minutes or hours. I'm talking about a client who is sending most of its traffic to one IP for days/months.

opmaaadi commented 1 year ago

> When you're using a VPN, almost all your traffic is going to a specific server (let's ignore CDN's possibility).
>
> Please check recommended configs for xray, v2fly, etc. You'll notice they always come with geodata to separate local Chinese traffic from overseas traffic.
>
> Anyone providing service in China splits traffic. If they don't, they will get complaints about WeChat being slow, Taobao showing the International version, Youku not playing content, etc, etc. Also, connecting from the VPN server back to China is considered a risk. Most will block this and hence force the user to split traffic.
>
> TL;DR: GFW does not utilize this characteristic because it is rarely seen in China. (Different from traditional VPN setups seen in other countries.)

That's a good point. But I think the idea still could be utilized.

They could analyze the "outside China" traffic, meaning if for instance 90% of a user's traffic going outside China is going to one specific IP, then that IP is a proxy/VPN.

donnyxray commented 1 year ago

> They could analyze the "outside China" traffic, meaning if for instance 90% of a user's traffic going outside China is going to one specific IP, then that IP is a proxy/VPN.

Please do check out xray and v2fly. A lot of these types of ideas have been considered in their design. They can listen on multiple ports, multiple IPs, multiple servers, even use multiple protocols at the same time, and piece it all back together on the client and server sides.

While the 90% may be common in a simple setup, it's not a technical requirement of these proxy tools. When the GFW implements your proposal, xray/v2fly users will spend a few extra dollars to get additional IPs and work around it without much effort.
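
The detection idea debated above (flag a client whose "outside China" traffic is concentrated on one IP for days, not just during one download) and the counter-argument (split the proxy across several IPs) can both be made concrete with a small script over flow records. This is an added example written for this page; it is not code from the thread, from xray/v2fly, or from any censor. All flow records are constructed, the destination addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, and the private prefixes 10.0.0.0/8 and 192.168.0.0/16 merely stand in for a real "domestic" geo-IP list.

```python
"""Per-client destination concentration over daily flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: stand-in for a geo-IP list of domestic prefixes (not real allocations).
DOMESTIC_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_domestic(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in DOMESTIC_PREFIXES)


def build_flows():
    """Constructed flow records: (day, client, dst_ip, bytes)."""
    flows = []
    for day in range(1, 11):  # ten days of observation
        # Client A: single-server proxy, plus heavy domestic traffic that must be ignored.
        flows.append((day, "A", "203.0.113.10", 900_000_000))
        flows.append((day, "A", "10.1.2.3", 5_000_000_000))    # domestic (e.g. chat/video)
        flows.append((day, "A", "198.51.100.7", 50_000_000))   # stray direct foreign site
        # Client B: ordinary browsing spread over several foreign sites.
        for i in range(5):
            flows.append((day, "B", f"198.51.100.{10 + i}", 100_000_000))
        # Client C: proxy traffic split evenly across three server IPs.
        for i in range(3):
            flows.append((day, "C", f"203.0.113.{20 + i}", 300_000_000))
    # Client B also does one large single-day download.
    flows.append((1, "B", "198.51.100.99", 20_000_000_000))
    return flows


def daily_top_share(flows, exclude_domestic=True):
    """Return {client: {day: (top_dst, share_of_that_day's_bytes)}}."""
    per = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, client, dst, nbytes in flows:
        if exclude_domestic and is_domestic(dst):
            continue
        per[client][day][dst] += nbytes
    out = {}
    for client, days in per.items():
        out[client] = {}
        for day, dsts in days.items():
            total = sum(dsts.values())
            top = max(dsts, key=dsts.get)
            out[client][day] = (top, dsts[top] / total)
    return out


def flag_clients(flows, threshold=0.9, min_days=7, exclude_domestic=True):
    """Flag (client -> (dst, concentrated_days)) when the same destination
    receives at least `threshold` of the client's foreign bytes on at least
    `min_days` separate days. A one-day download cannot meet min_days."""
    flagged = {}
    for client, days in daily_top_share(flows, exclude_domestic).items():
        hits = defaultdict(int)
        for top, share in days.values():
            if share >= threshold:
                hits[top] += 1
        for dst, n in hits.items():
            if n >= min_days:
                flagged[client] = (dst, n)
    return flagged


if __name__ == "__main__":
    flows = build_flows()
    print("with domestic split:", flag_clients(flows))
    print("without domestic split:", flag_clients(flows, exclude_domestic=False))
```

Running it flags only client A (about 95% of its foreign bytes go to one IP every day). Client B crosses the 90% line on day 1 because of the download but on no other day, so the day-count requirement drops it; client C never exceeds about 33% to any one IP, which is the multi-IP workaround described above. Turning off the domestic exclusion makes A's domestic traffic dominate and the flag disappears, which is why the "outside China" restriction matters to the proposal.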

nDman commented 1 year ago

Because they can't spend all their money on internet filtering. Continuous monitoring of all IPs and ports needs lots of monitoring hardware and huge internet bandwidth. It is almost impossible to do that. It is much easier and cheaper to filter protocols and block the IP that used it.