Some ideas about detecting ss flow

[ytgui]

Hi All,
These days my connections to vps with shadowsocks seems not stable, I think gfw could detect my vps, so I make some simple attempts as follows:

figure_1 (dataset_1): normal tcp (95% http / https) flow captured by wireshark (about 1GB)
figure_2 (dataset_2): ss flow filtered from dataset_1 (about 50MB)

left chart: data len (amplitude) in time domain
mid chart: Fourier domain analyse (Meaningless value in axis-x)
right chart: histogram of data len

In the two figures, we could easily noticed that ss-server works similarly to a web server, but all payload are encrypted.

And here's a method may could detect ss:

if similar_to_web_server(ip, batch_amplitude):
    if all_data_are_encrypted(ip, batch_payload):
        block_ip(ip)

In addition, whether it's neural network or decision trees, training on encrypted ss payload will learn nothing ( white noise). But if use whole flow (included ip header, tcp / udp header), network could extract features from addr/ port dst, addr / port src, flow_len, as mentioned above.

Here's the demo code
https://github.com/bosskwei/temp/blob/master/detect_shadowsocks.py

You should change line 65 to pcap file path, and 45 to your local_ip such as 192.168.0.1

[arthurkiller]

Awesome work, dude!

I come up with same issues. Clarify what actually happening is much more important.
Let me tell what's going on:

I have 4 independent port listened on my VPS to provide service.
First day, One of them was blocked. But others are reachable. I still can SSH to remote login my host.

Next day , all my ports was blocked including 22 port. I can not even remote login my host anymore.

My service on AWS got some trouble these days too. Traffic from Peking out to Singapore looks good, but incoming traffic was shit! 60% packet got lost and I DONT KNOW WHY.

So , In my view, there is no evidence shown that there comes any tech-way to detect SS trafic. What happened is only CAUSE OF THE 19th MEETING OF CCP

[arthurkiller]

@bosskwei
Do we need t make SS repack the tcp packet in to several random length ss-packet?

[tony1016]

Means if I use simple-obfs http mode,then will pass the gfw because all my data seem like unencrypted??

[Mygod]

#81 (comment)

[ytgui]

@tony1016 Actually I don't know how to deal with it, obfs may be lead to other problems...

[ZhangJiupeng]

@tony1016 Not pretty sure. I tried this method yesterday, to pretend my traffic as HTTP flows, it works soon, but my port is surprisingly banned today (maybe the GFW is just simply triggered by detecting large traffic and then block all the suspected traffic), and I am still figuring out what has happened. To locate these problems, we still need more reports on GFW's recent actions.

[Mygod]

I encourage everyone to do experiments and post their results online. It's helpful for analyzing GFW via crowdsourcing in some sense.

[ytgui]

@Mygod Hi, I upload a demo code to verify this idea, help me test it..

[leonshaw]

I just wonder what is the criteria you use to conclude two traffic pattern are "similar". Have you tried other types of traffic?
Generally ss doesn't change packet length pattern (much). The reason it's like HTTP is probably that the payload is HTTP traffic.
To verify if the firewall detect ss in this manner, we need some sort of controlled experiment.

[ytgui]

@leonshaw

1. See my code,

np.abs(freq_feature - F)
np.abs(hist_feature - H)

Other traffics are totally different from http:

And, my work is just a demo, I tried to extract features manual. I do not have enough time and dataset to train a neural network.
Whether it's neural network or decision trees, training on encrypted ss payload will learn nothing ( white noise). But if use whole flow (included ip header, tcp / udp header), network could extract features as above.

2. Yes, (1) traffic like HTTP, (2) but no tls handshake, no http header is enough to confirm your server as a unknown proxy.

3. So, I put my idea and code here, you could do experiment and paste your results.

[Mygod]

Please try to refrain from doing statistical/timing analysis. So far I've only seen evidence of GFW not doing them.

[ytgui]

Closed because there is no evidence that gfw doing them.

[ytgui]

@klzgrad Thank you for your advice, but I will still keep this issue close unless gfw could indeed detect ss.
And if anyone has ideas about it please reference this issue.