Reports of China disrupting shadowsocks

[Will Scott]

https://www.reddit.com/r/China/comments/6ofsw6/from_weibo_not_veri_yetconfirmed_shenzhen_has/

Do we have any easy tools for testing shadowsocks connection stability?

Greatfire's testing still shows 100% stability for it's only shadowsocks-based protocol: https://cc.greatfire.org/en?b=2

[b.l. masters]

Hi,

I don't know if this is related:

The Random Forest Based Detection of Shadowsock's Traffic

http://ieeexplore.ieee.org/document/8048116/

I had read this article yesterday. And I thought it was still R&D, and the approach was still getting improved upon. 
But maybe it is already getting put to use in certain regions. 

Also, this is unrelated to Shadowsocks, but still may be of interest to this group:

Identifying Tor Anonymous Traffic Based on Gravitational Clustering 
Analysis

http://ieeexplore.ieee.org/document/8048117

On Fri, Oct 13, 2017 at 8:41 AM, Tom <hex...@foxmail.com> wrote:

In the past few days, there are many Chinese people report that their can not connect their own VPS which run shadowsocks service.[1]

Their experience is similar. At first, they found shadowsocks server port was blocked. Then they changed port. About one day later, they found their VPS IP address was blocked.

But it is not all people meet meet with this situation. I also run shadowsocks(shadowsocks-libev) on my VPS, it is still work yet.

[1] https://github.com/shadowsocks/shadowsocks-libev/issues/1719
https://github.com/shadowsocks/shadowsocks/issues/988#issuecomment-336032466 etc.

On July 20, 2017 11:39:46 PM GMT+08:00, Will Scott <will...@gmail.com> wrote:
>https://www.reddit.com/r/China/comments/6ofsw6/from_weibo_not_veri_yetconfirmed_shenzhen_has/

--
English is not my native language, please excuse my typing error.

--
You received this message because you are subscribed to the Google Groups "Network Traffic Obfuscation" group.
To unsubscribe from this group and stop receiving emails from it, send an email to traffic-obf+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Vinicius Fortuna [vee-NEE-see.oos]]

There are a few red flags on this paper, which makes me skeptical. 

They say: "Like most principles of proxy software, Shadowsocks firstly establish a SSH [8] based encrypted channel with servers which are outside the firewall", which is simply wrong. Did they test the right thing? SSH is a lot easier to identify.

They don't give any detail on how they created the training and test sets. They say the control traffic came from non-shadowsocks traffic from 26 random servers, but that's it. For example, if the control traffic had no encrypted connection then an encrypted connection will stand out.

I'm not convinced they found anything. :-/

Does anyone know what the "Center for Cyber Security" and "Science and Technology on Communication Security Laboratory" are?

I wonder if this is government propaganda to scare people out of using Shadowsocks...

There's a whole discussion on Github, mostly in Chinese:

https://github.com/shadowsocks/shadowsocks/issues/988

Vinicius Fortuna

[b.l. masters]

Yeah. I could totally see it being a ploy/propaganda.

Though, one question. Do you think this approach could possible provide any indicators that Shadowsocks/ some form of circumvention might be in use even if it wasn't "proving it"??

I ask because there is definitely a pattern of "user testing" non-proven technology within select populations. They don't actually have to reach the 85% accuracy rate claim in the paper to bring someone in, state that they have evidence about an activity, and then see what the response is they get back from someone invited to tea. So, even if they are only getting much smaller identification rates, and their assessments wouldn't stand up in a "rule of law" situation, this approach could still be very effective if it was providing some indicators.

[Sergey Frolov]

That paper is riddled with factual errors and typos. Frankly, I don't even understand what's going on in Figure 2. Conference looks shady.
Also, in other paper by the same author you have mentioned ("Identifying Tor Anonymous Traffic Based on Gravitational Clustering Analysis"): according to 2nd paragraph of Introduction, the paper is written with purpose of "catching criminals", rather than improving fingerprinting resistance of Tor. This might give another insight into their intentions.
I agree with Vini they probably haven't found anything. Furthermore, we seen much better accuracy with prior attacks.

As for blocking Shadowsocks(and other randomizing protocols, since being random is fingerprint in itself), you should be able to identify them with simple entropy+length tests(extremely strong feature authors didn't use for some reason) and get false negative rate close to 0, and false positive rate below 1%[1]. Apparently, this false positive rate is not small enough (see: base rate fallacy), and censors never employed it. Nevertheless, I believe those attacks might be improved with more heuristics and features to approach practicality, albeit not at line speed rate.

[1] http://pages.cs.wisc.edu/~liangw/pub/ccsfp653-wangA.pdf - Seeing through Network-Protocol Obfuscation

 Figure 2. Accuracy goes up with test set size for some reason, and accuracy rate in Chinese is linear, as opposed to English, I guess. Wat.

To unsubscribe from this group and stop receiving emails from it, send an email to traffic-obf...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Network Traffic Obfuscation" group.

To unsubscribe from this group and stop receiving emails from it, send an email to traffic-obf...@googlegroups.com.

[Brandon Wiley]

I agree with Sergey that Shadowsocks is easy to block using known attacks and existing filtering hardware. If it's not blocked, it's because the filters have not chosen to turn on this filtering.

However, I would also like to mention that we test Shadowsocks reachability every day from locations all around the world as part of our Transport Canaries initiative, and we have not seen any evidence of Shadowsocks blocking from any locations. While we will not be able to detect all blocking events, large-scale blocking based on protocol identification should be evident in our testing. There are many other ways you could get blocked besides protocol identification. It's hard to tell in these anecdotal situations of observed IP blocking how the IP was selected for blocking, either by protocol identification or other means.

To unsubscribe from this group and stop receiving emails from it, send an email to traffic-obf+unsubscribe@googlegroups.com.

[David Fifield]

On Fri, Oct 13, 2017 at 08:41:34PM +0800, Tom wrote:
> In the past few days, there are many Chinese people report that their can not connect their own VPS which run shadowsocks service.[1]
>
> Their experience is similar. At first, they found shadowsocks server port was blocked. Then they changed port. About one day later, they found their VPS IP address was blocked.
>
> But it is not all people meet meet with this situation. I also run shadowsocks(shadowsocks-libev) on my VPS, it is still work yet.
>

> https://github.com/shadowsocks/shadowsocks-libev/issues/1719
> https://github.com/shadowsocks/shadowsocks/issues/988#issuecomment-336032466 etc.

I've heard several reports now of widespread disruption in about the
last five days, not only with Shadowsocks.

Tor's obfs4 usage in China was already fairly low, so it's hard to say
whether there was a decrease. However meek shows an unmistakeable
increase (see the third graph). A hypothesis: blocking of obfs4/other
systems is displacing users onto meek.
https://people.torproject.org/~dcf/metrics-country.html?end=2017-10-15&country=cn

[Tom]

On October 14, 2017 12:53:22 AM GMT+08:00, "'Vinicius Fortuna [vee-NEE-see.oos]' via Network Traffic Obfuscation" <traff...@googlegroups.com> wrote:
>Does anyone know what the "Center for Cyber Security" and "Science and
>Technology on Communication Security Laboratory" are?
>I wonder if this is government propaganda to scare people out of using
>Shadowsocks...

"Center for Cyber Security"(信息安全工程中心) and "Science and Technology on Communication Security Laboratory"(保密通信重点实验室) belong to China Electronics Technology Group Corporation NO.30 Research Institute.

GFW is maintained by CNCERT/CC(The National Computer Network Emergency Response Technical Team/Coordination Center of China, or CNCERT). There is not direct relationship between CNCERT/CC and China Electronics Technology Group Corporation. So I don't think that paper cause shadowsocks disruption. And shadowsocks Community also think that these are many errors in that paper. It seems that someone just in order to finish his paper.

On October 15, 2017 9:32:20 AM GMT+08:00, David Fifield <da...@bamsoftware.com> wrote:
>I've heard several reports now of widespread disruption in about the
>last five days, not only with Shadowsocks.

Yes, and I also see many people said that Lantern doesn't work well since Oct. 5.[1]

[1] https://github.com/getlantern/lantern/issues
https://github.com/getlantern/forum/issues

[Will]

There are also some reports emerging that UDP connections are experiencing disruption, e.g.:

https://www.reddit.com/r/China/comments/76hjrm/lol_china_just_blocked_all_unregistered_udp/

[David Fifield]

On Sun, Oct 15, 2017 at 10:02:22AM -0400, Will wrote:
> There are also some reports emerging that UDP connections are experiencing
> disruption, e.g.:
> https://www.reddit.com/r/China/comments/76hjrm/lol_china_just_blocked_all_unregistered_udp/

It would seem that increased severity of blocking should result in
collateral damage. It could be that the government is China is willing
to tolerate additional damage during this politically sensitive time
(which would be consistent with reports from the past). Have any Chinese
speakers seen reports of problems that are not related to circumvention,
for example ordinary web sites not working?

[David Fifield]

Here's a summary blog post (in Chinese):

https://program-think.blogspot.com/2017/10/gfw-news.html

There's a large number of comments; a Chinese speaker may be able to
pull useful information out of them.