Rapid Field Testing and Deployment of Circumvention Tech in Russia.pdf (846.1 KB)
LEAP, a maker of VPN software used by multiple VPNs, released a report in April 2025 about testing of circumvention strategies in Russia, through communication with users and a dedicated VPN app called Avos. The report contains interesting information about IP/port hopping, QUIC, and entropy-based protocol classification.
Page 3:
LEAP Encryption Access Project (LEAP) is field-testing and helping provision multiple circumvention techniques (CTs) tailored specifically to the Russian context. Our comprehensive approach, covering development, testing, provisioning, and secure invite distribution, addresses the complex and varied network conditions across Russia. We prioritize user safety through a privacy-preserving methodology and rely on first-hand user feedback to guide technical improvements.
We’re especially encouraged by the combination of our Hopping Pluggable Transport with QUIC, which distributes traffic across multiple IPs and ports while mimicking normal encrypted web sessions, making classification and blocking far more difficult. This approach aligns with emerging technologies like INVISV’s MASQUE implementation, which enables tunneling of TCP/UDP traffic through web servers and services using HTTPS. We see this as a key direction for future work.
Key findings. This report summarizes our field-testing results, which demonstrate that all tested protocols effectively provide Russian users with open-internet access — Avos users included. We’re especially encouraged by the combination of our Hopping Pluggable Transport with QUIC, which distributes traffic across multiple IPs and ports while mimicking normal encrypted web sessions, making classification and blocking far more difficult. This approach aligns with emerging technologies like INVISV’s MASQUE implementation, which enables tunneling of TCP/UDP traffic through web servers and services using HTTPS. We see this as a key direction for future work.
Mention of entropy-based classification on page 6:
Our own research and measurements, as well as existing research on censorship, show increasing evidence of entropy-based traffic classification being used in the wild — where high-entropy traffic is flagged as suspicious, potentially indicating a tunneling protocol. Censors also analyze connection characteristics such as:
- The duration of client connections (short vs. long-lived)
- The packet distribution pattern (e.g., bursty vs. steady flows)
- The volume of traffic associated with a specific server
By combining these indicators, censors can often identify circumvention proxies over time, particularly when throughput levels exceed typical thresholds for common web usage.
Past discussion of blocking of randomized protocols in Russia: Inoperability of encrypted protocols (ShadowSocks/VMESS) (25.04.2024 +).
IP/port hopping as a mitigation of classification based on connection behavior:
Despite protocol-level evasion, connection behavior still poses a risk. To address this, we introduced Hopping PT — a port and IP hopping transport that fragments and redistributes tunneled traffic across a randomized (yet deterministic) sequence of ports or even multiple bridge IPs, making it harder for censors to apply static rules based on known endpoints. Hopping PT operates orthogonally to other transports, meaning it can be layered over obfs4, obfs4+KCP, or QUIC to increase resistance against correlation attacks and port-based filtering.
The use of Hopping PT in conjunction with QUIC opens a promising path: distributing traffic across multiple IPs and ports while mimicking mainstream encrypted web sessions makes classification and blocking far more difficult. In Russia this hybrid approach is not yet widely detected, as it blends QUIC’s modern encryption profile with Hopping PT’s agility. There is currently no known classifier targeting this specific combination. It sidesteps both traditional entropy-based filtering and static rule-based blocking. As QUIC adoption grows, hopping+QUIC becomes harder to isolate without risking disruption to legitimate services. This approach aligns with emerging technologies like INVISV’s MASQUE implementation, which enables tunneling of TCP/UDP traffic through web servers and services using HTTPS. We see this as a key direction for our future work and integration.
They discuss the difficulty of retaining volunteer testers:
Retention of volunteer field testers is difficult. We are exploring ways to incentivize field testing. For instance, for the most recent round of tests, we paid attention to properly explain to our tech-savvy pool of testers what kinds of protocols we use, how they function, why this is an innovative and important effort and how they can contribute to improving it. We showed some of the results from the first rounds of tests and explained how they informed the mobile client development. This has helped to re-involve people from the first rounds of tests who could see the value of their contributions. We also offered them free invite codes for Avos VPN to share with their friends and family.
Keeping volunteer testers engaged is tough. Participation often drops off over time, especially without incentives. We’re exploring options to sustain engagement, like providing invite codes for Avos, and providing measurement data and more explanations about the functioning and evolution of our protocol stack, which helps motivate tech-savvy testers, as they can see the value of their efforts. We’re also working on expanding our tester base by building opt-in testing tools directly into the VPN app — so less tech-savvy users can easily provide data for analysis.
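The page 6 excerpt above says high-entropy traffic is flagged as suspicious. The following is an added example, not code from the report or from LEAP, that measures the byte entropy of a payload the way such a check could, so a transport developer can see how their own first packets would score. The sample payloads are constructed and the 0.85 threshold is an assumed value.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def normalized_entropy(data: bytes) -> float:
    """Entropy relative to the maximum a payload of this length can reach.

    n bytes hold at most n distinct values, so entropy is capped at
    min(8, log2(n)); a raw cutoff tuned on long flows under-scores short packets.
    """
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / min(8.0, math.log2(len(data)))

def looks_high_entropy(data: bytes, threshold: float = 0.85) -> bool:
    # threshold is an assumed illustrative value, not one taken from the report
    return normalized_entropy(data) >= threshold

def constructed_random(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic stand-in for a fully encrypted payload (SHA-256 counter stream)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed plaintext sample: an ordinary HTTP/1.1 request.
HTTP_SAMPLE = (
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\nConnection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    samples = {
        "http request": HTTP_SAMPLE,
        "random, 512 bytes": constructed_random(512),
        "random, 64 bytes": constructed_random(64),
    }
    for name, payload in samples.items():
        print(f"{name:18} raw={shannon_entropy(payload):.2f} "
              f"norm={normalized_entropy(payload):.2f} "
              f"flagged={looks_high_entropy(payload)}")
```

The 64-byte case shows why length matters: its raw entropy cannot exceed 6 bits per byte, yet relative to that ceiling it is as uniform as the 512-byte payload.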
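The Hopping PT excerpt above describes a "randomized (yet deterministic)" sequence of ports and bridge IPs. The following is an added sketch of one way two endpoints can agree on such a sequence, not LEAP's implementation: it assumes a shared secret, time-based slots, and HMAC-SHA256 as the derivation. The bridge addresses (documentation ranges), port range, slot length and function names are all hypothetical.

```python
import hashlib
import hmac
import struct

BRIDGES = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]  # constructed, documentation ranges
PORT_MIN, PORT_MAX = 20000, 40000                          # assumed port range
SLOT_SECONDS = 30                                          # assumed hop interval

def slot_for(unix_time: float, slot_seconds: int = SLOT_SECONDS) -> int:
    """Index of the hop interval that contains unix_time."""
    return int(unix_time) // slot_seconds

def hop_endpoint(secret: bytes, slot: int, bridges=BRIDGES):
    """Derive the (ip, port) for one slot from the shared secret.

    Without the secret the sequence looks random; with it, client and
    bridge compute the same endpoint independently.
    """
    digest = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha256).digest()
    ip = bridges[int.from_bytes(digest[:4], "big") % len(bridges)]
    port = PORT_MIN + int.from_bytes(digest[4:8], "big") % (PORT_MAX - PORT_MIN + 1)
    return ip, port

def schedule(secret: bytes, start_time: float, count: int):
    """The next `count` endpoints a client would use, in order."""
    first = slot_for(start_time)
    return [hop_endpoint(secret, s) for s in range(first, first + count)]

def accepted_endpoints(secret: bytes, unix_time: float, skew_slots: int = 1):
    """Bridge side: endpoints to accept now, tolerating clock skew of
    +/- skew_slots intervals so a client with a drifting clock still connects."""
    now = slot_for(unix_time)
    return {hop_endpoint(secret, s) for s in range(now - skew_slots, now + skew_slots + 1)}

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for ip, port in schedule(secret, 1_700_000_000, 5):
        print(f"{ip}:{port}")
```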