net4people / bbs

Forum for discussing Internet censorship circumvention

Passive detection of proxies in TCI #209

Open arandomgstring opened 1 year ago

arandomgstring commented 1 year ago

A proxy server was blocked in TCI and I will describe the method to (likely) reproduce.

Proxy: Vless + TLS + Nginx with fake website in front (no CDN). Domain ends with .ir and the amount of traffic exchanged from/to server is less than 10 GB per month.

The blockage: The user receives no server hello after the client hello (Firefox, Chrome, Safari, iOS, Windows), be it in a real browser visiting the fake website or simply using the uTLS option of Xray. The proxy's IP is not blocked, and it is possible to do a complete handshake with a random fingerprint or the Android fingerprint. It is also possible to open the website on Android (because of its fingerprint, again). Only TCI is affected (in all cities); other ISPs show no sign of such blockage. SSH works fine in TCI as well.

How to reproduce: Watch a censored online stream (e.g. YouTube) with the last stable version of V2rayN (5.39). Use an arbitrary proxy server first, then, in the middle of watching the online stream, switch to your proxy server. The uTLS option should be set to firefox or chrome. It will likely alarm passive detection, and hopefully after a few tries you get your proxy server censored.

How does it work?: I guess after a usual handshake, the first packet the user sends to the web server has some special characteristics; for example, its volume is limited to a certain range. It is a GET request, after all. However, if you connect to the proxy server with the method described above, the first packet after the handshake will most likely be an ACK or retransmission packet rather than a GET packet. Therefore, it alarms passive detection. It seems to be good practice to turn off anything that generates traffic automatically (messengers too) before connecting to the proxy server.

Why block common fingerprints? No idea, do enlighten me.

Update: Tested on another domain & IP, got the same result on Irancell ISP.

Update 2: After two days, this blockage was lifted. However, it is possible to trigger it again.
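The "first packet after the handshake" hypothesis in the post above can be checked against one's own captures. The following is an added model of that hypothesis, not code from the poster or from the net4people project, and not a known TCI rule: it walks a list of TCP segments annotated with the TLS record types they carry, finds the first client segment after both sides have sent ChangeCipherSpec (TLS 1.2, or TLS 1.3 in the middlebox-compatibility mode browsers use), and labels it as browser-like (an application-data record of plausible request size), a bare ACK, or a retransmission. The `Segment` type, the flows and the size window `REQUEST_MIN`/`REQUEST_MAX` are all constructed for the example; a circumvention developer would feed it segments parsed from a real pcap to see whether an idle or busy client trips the heuristic.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# TLS record content types (RFC 5246 / RFC 8446)
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
APPLICATION_DATA = 23

# Assumed size window for a browser's first encrypted HTTP request.
# Hypothetical values chosen for the model, not a measured censor threshold.
REQUEST_MIN, REQUEST_MAX = 64, 2048


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a flow (constructed type for this example)."""
    direction: str                   # "c2s" (client to server) or "s2c"
    flags: str                       # TCP flags, e.g. "PA" = PSH+ACK, "A" = ACK only
    seq: int                         # relative TCP sequence number
    payload: int                     # TCP payload length in bytes
    tls_types: Tuple[int, ...] = ()  # content types of the TLS records carried


def first_post_handshake_client_index(segs: Sequence[Segment]) -> Optional[int]:
    """Index of the first client segment sent after the TLS handshake finishes.

    Model: the handshake is treated as finished once both sides have sent a
    ChangeCipherSpec record. The client's own CCS segment also carries its
    Finished message, so the search starts after the later of the two CCS
    segments. Returns None if the capture never shows both CCS records.
    """
    last_ccs = -1
    seen = set()
    for i, s in enumerate(segs):
        if CHANGE_CIPHER_SPEC in s.tls_types:
            seen.add(s.direction)
            last_ccs = i
        if seen == {"c2s", "s2c"}:
            break
    else:
        return None
    for j in range(last_ccs + 1, len(segs)):
        if segs[j].direction == "c2s":
            return j
    return None


def classify_first_client_segment(segs: Sequence[Segment]) -> str:
    """Label the first post-handshake client segment per the post's hypothesis."""
    idx = first_post_handshake_client_index(segs)
    if idx is None:
        return "incomplete-handshake"
    target = segs[idx]
    # Sequence numbers already used by earlier client data segments; reusing
    # one means this segment is a retransmission rather than new data.
    earlier_seqs = {s.seq for s in segs[:idx] if s.direction == "c2s" and s.payload > 0}
    if target.payload == 0:
        return "bare-ack"
    if target.seq in earlier_seqs:
        return "retransmission"
    if target.tls_types[:1] == (APPLICATION_DATA,) and REQUEST_MIN <= target.payload <= REQUEST_MAX:
        return "browser-like-request"
    return "unexpected-first-record"


# Constructed TLS 1.2-style handshake shared by the three sample flows
# (payload sizes are illustrative, not taken from a capture).
HANDSHAKE_PREFIX = [
    Segment("c2s", "PA", 0, 517, (HANDSHAKE,)),       # ClientHello
    Segment("s2c", "PA", 0, 1400, (HANDSHAKE,)),      # ServerHello, Certificate, ...
    Segment("c2s", "A", 517, 0),                      # ACK of the server flight
    Segment("c2s", "PA", 517, 126, (HANDSHAKE, CHANGE_CIPHER_SPEC, HANDSHAKE)),  # CKE, CCS, Finished
    Segment("s2c", "PA", 1400, 51, (CHANGE_CIPHER_SPEC, HANDSHAKE)),             # CCS, Finished
]

# A browser: the next client segment is the encrypted GET.
BROWSER_FLOW = HANDSHAKE_PREFIX + [Segment("c2s", "PA", 643, 180, (APPLICATION_DATA,))]
# A proxy client with nothing to send yet: only an ACK follows the handshake.
IDLE_PROXY_FLOW = HANDSHAKE_PREFIX + [Segment("c2s", "A", 643, 0)]
# A congested client: its CCS/Finished segment is sent again before any data.
RETRANSMIT_FLOW = HANDSHAKE_PREFIX + [
    Segment("c2s", "PA", 517, 126, (HANDSHAKE, CHANGE_CIPHER_SPEC, HANDSHAKE))
]

if __name__ == "__main__":
    for name, flow in [("browser", BROWSER_FLOW), ("idle proxy", IDLE_PROXY_FLOW),
                       ("retransmit", RETRANSMIT_FLOW)]:
        print(f"{name:12s} -> {classify_first_client_segment(flow)}")
```

Only the last segment of each flow differs, which is the point: the handshake itself looks identical in all three, so a heuristic of this shape would have to key on what the client does immediately afterwards, exactly as the post suggests.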