net4people / bbs

Forum for discussing Internet censorship circumvention

Cloak seems detected by Iran Gov firewall #327

Open Evolve6996 opened 4 months ago

Evolve6996 commented 4 months ago

Hello, recently (like a week or so ago) there was a mass blockage of VPNs in my country. I am using OpenVPN+Cloak. A few days ago my domain address was blocked by the firewall, so I started investigating how they detected it.

Last night, first my connection was throttled and after a few hours my VPS IP address was blocked!

I cannot say 100% that it is because of Cloak, but it looks like Cloak is detected, because the symptoms happened when I was mostly using my Cloak+OpenVPN server.

Is Cloak using version 112 of Firefox? Maybe they just somehow figured this out because of Cloak's old fingerprints?

Evolve6996 commented 4 months ago

Update: finally, I managed to run Cloak with a CDN.

The connection speed is not bad, but somehow the connection drops after like 1 minute!

I have a somewhat similar setup with the same IP with Vmess+ws+tls+cdn and it works fine!

ISP: TCI

irgfw commented 4 months ago

Yes. SS+Cloak is detected and blocked on most of Iran's ISPs (MCI/MTN/TCI). But with a super clean IP address and limited users/traffic it would be OK as well. The main problem with Cloak is that the browser fingerprinting is not updated. With a small update on them, "maybe" it could work again.

Evolve6996 commented 4 months ago

> Yes. SS+Cloak is detected and blocked on most of Iran's ISPs (MCI/MTN/TCI). But with a super clean IP address and limited users/traffic it would be OK as well. The main problem with Cloak is that the browser fingerprinting is not updated. With a small update on them, "maybe" it could work again.

Thanks for your reply.

I didn't know this; I wasn't using it after Mahsa's movement. It seems it was detected after that, because in the past I was using it and it was pretty much fine.

Do you think the reason my domain was blocked first and then my IP was because of Cloak? Or could the reason for detecting the domain be different?

RPRX commented 4 months ago

Cloak's Client Hello has a design flaw that can be detected as an anomaly, and this characteristic is independent of which browser or which fingerprint version is used: https://github.com/net4people/bbs/issues/287#issuecomment-1718887813

However, we have received reports of REALITY being blocked by the Iranian GFW (https://github.com/XTLS/Xray-core/issues/2778), and Cloak doesn't seem to be so popular that it would be individually targeted, so the Iranian GFW may not yet be targeting the above-mentioned niche traits. More likely it is targeting common IP, domain and traffic characteristics, which could also cause Cloak to be blocked.

Additionally, we have received a confidential report that the Iranian GFW does not block REALITY if it is set up in a special way, but the reporter does not wish to publicize this method.

irgfw commented 4 months ago

We are testing Reality heavily in Iran, and we know what those special settings are. But after testing them it showed that the IP history and its cleanliness are more important than some security (firewall/iptables/ufw/...) settings.

Evolve6996 commented 4 months ago

> The IP history and its cleanliness are more important than some security (firewall/iptables/ufw/...) settings.

I guess I have to confirm that. My IP address was from a non-popular host; I was even able to use regular OpenVPN, but I tend to avoid using it for security. I was using Cloak for like 3 months until I got blocked, although my usage was personal, and that might be the cause of the blockage taking this long.

> Cloak's Client Hello has a design flaw that can be detected as an anomaly, and this characteristic is independent of which browser or which fingerprint version is used: #287 (comment)
>
> However, we have received reports of REALITY being blocked by the Iranian GFW (XTLS/Xray-core#2778), and Cloak doesn't seem to be so popular that it would be individually targeted, so the Iranian GFW may not yet be targeting the above-mentioned niche traits. More likely it is targeting common IP, domain and traffic characteristics, which could also cause Cloak to be blocked.
>
> Additionally, we have received a confidential report that the Iranian GFW does not block REALITY if it is set up in a special way, but the reporter does not wish to publicize this method.

I highly appreciate your information 👍

I want to talk a little:

Although you said the popularity of Cloak is not high enough to be targeted by the GFW, I have seen something strange! Sometimes during my usage, the connection was throttled for like 1 to 2 minutes even during low usage. Every time it happened I checked my internet connection and my server ping time without Cloak, and both were normal!

Recently, I have seen domains of people with even very low VPN usage getting blocked very quickly. It seems they powered up their capability or increased their threshold for targeting, and they are now checking even for low-usage VPNs.

irgfw commented 4 months ago

Because the trigger is not based on usage. It's based on packet size and some traffic characteristics.

Evolve6996 commented 4 months ago

> Because the trigger is not based on usage. It's based on packet size and some traffic characteristics.

tbh dude imo, saying the trigger is solely based on characteristics of the connection is a little bit questionable for me.

Considering they do not have enough resources to probe all existing connections, they have to rely on some sort of filter, so connections with high usage could be a real candidate for this purpose.

markpash commented 4 months ago

@irgfw @Evolve6996 You should consider that it's both. There could be any number of heuristics used to determine if an IP should be blocked. We don't know, and while there has been some scientific testing, because we don't control all the variables, it's hard to say otherwise. There are so many different ways someone could think of to try and trigger a block. So let's not discount anything so easily.

Evolve6996 commented 4 months ago

> @irgfw @Evolve6996 You should consider that it's both. There could be any number of heuristics used to determine if an IP should be blocked. We don't know, and while there has been some scientific testing, because we don't control all the variables, it's hard to say otherwise. There are so many different ways someone could think of to try and trigger a block. So let's not discount anything so easily.

I said the same thing...

Btw, the main developer of Cloak updated its fingerprints. I tested with a CDN again but could not get a stable connection. I described the situation here: https://github.com/cbeuw/Cloak/issues/246