Неработоспособность шифрованных протоколов (ShadowSocks/VMESS) (25.04.2024 +)

Internet censorship all around the world Russia
27

I ran some tests with the Outline SDK, which may work differently than other implementations. It looks like the blocking depends on the location of the server. It also depends on the port number. I was also able to confirm that the initial packet size makes a difference, but only in some ISPs.

  • Bee Line seems to be the only one considering the packet size, but only for the Vultr server, not DigitalOcean.
  • MTS blocked Shadowsocks access to a server on DigitalOcean, but not Vultr. They are likely using the IP address.
  • Blocking on DigitalOcean only happened for the key on port 443. No blocking for the key on the same server, but on port 5555.
  • MegaFon blocked Shadowsocks access to a server on Vultr, but not on DigitalOcean. They are likely using the IP address as well.
  • The packet size didn’t make a difference for MegaFon and MTS
  • Tele2 is not blocking.

Tests

The tests used port 443 for the DigitalOcean server and port 20888 for the Vultr server.

I was not able to reproduce blocking on Tele2. Results for Bee Line depended on the initial packet. Results for MTS and Megafon depended on where the server was.

With a DigitalOcean server and large initial packet (over 800 bytes):

  • :x: MTS was consistently timing out
  • :warning: MegaFon worked most times, with some timeouts. Inconsistent.
  • :white_check_mark: Tele2 was consistently working
  • :white_check_mark: Bee Line was consistently working

Example:

image
image1547×668 116 KB

Using a smaller initial packet didn’t seem to make a difference.

However, when using a key on a different port, 5555, on the same DigitalOcean server, I could consistently connect to the server on all ISPs:

image
image1617×744 141 KB

I was also able to connect to the management API on that server, on another high port number.

With a Vultr server and large initial packet:

  • :white_check_mark: MTS was consistently working
  • :x: MegaFon was consistently blocked. Not a timeout. I was getting an EOF from the SOCKS5 service I was using, so the Shadowsocks client probably got a FIN or a RESET.
  • :white_check_mark: Tele2 was consistently working
  • :x: Bee Line was consistently timing out

Example:

image
image1617×668 120 KB

With a Vultr server and small initial packet (300 bytes):

  • :white_check_mark: MTS was consistently working
  • :x: MegaFon was consistently blocked. Not a timeout. I was getting an EOF from the SOCKS5 service I was using, so the Shadowsocks client probably got a FIN or a RESET.
  • :white_check_mark: Tele2 was consistently working
  • :white_check_mark: Bee Line was consistently working

Example:

image
image1617×668 115 KB

ISPs are targeting specific cloud providers, as reported in April.

I was able to demonstrate that www.digitalocean.com, which runs on Cloudflare, is blocked by SNI. You observe timeouts:

image
image1617×801 144 KB

I did manage to successfully fetch the page on Tele2 once.

If you use TLS Record Fragmentation, you can successfully, and consistently fetch the page:

image
image1617×649 123 KB