Saudi Arabia/UAE: DPI now searches just for the SNI extension in the payload

According to several reports in the GoodbyeDPI KSA and UAE threads, the Saudi Arabian and UAE DPI systems have changed their SNI block implementation: they now search for the SNI extension (as seen in the TLS ClientHello) in every TCP packet, up to 256 bytes from the start of the TCP payload.

This works even when there was no TCP three-way handshake (a single TCP ACK or PSH/ACK with a 0000000e000c0000096e74632e7061727479 payload (the ntc.party SNI extension) receives an RST ACK from the censor).

This started to happen somewhere in the middle of May. I guess both countries use DPI provided by Sandvine.

A PCAP is available in the thread.

To be precise, this started to happen on the 9th of May 2024 in KSA.

130.255.77.28 is ntc.party; even a random SNI can trigger a TCP RST.
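
For anyone checking their own captures against the behaviour reported above, here is an added example (not code from the thread or from any DPI vendor) that decodes the 18-byte payload quoted in the first post and models the reported match rule. The function names are hypothetical, and the matching logic is an assumption: a well-formed, single-entry server_name extension starting within the first 256 payload bytes, with no ClientHello framing required.

```python
import struct

SCAN_WINDOW = 256  # bytes from the start of the TCP payload, per the reports

def build_sni_extension(hostname: str) -> bytes:
    """Encode a TLS server_name extension (type 0) holding one host_name."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 + name
    body = struct.pack("!H", len(entry)) + entry           # server_name_list
    return struct.pack("!HH", 0, len(body)) + body         # ext type + ext length

def parse_sni_at(buf: bytes, off: int):
    """Return the hostname if a consistent SNI extension starts at off, else None."""
    if off + 9 > len(buf):
        return None
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack_from(
        "!HHHBH", buf, off)
    if ext_type != 0 or name_type != 0 or name_len == 0:
        return None
    # Length fields must nest correctly (assumes a single list entry).
    if ext_len != list_len + 2 or list_len != name_len + 3:
        return None
    name = buf[off + 9: off + 9 + name_len]
    if len(name) != name_len:
        return None  # extension truncated by the end of the payload
    try:
        return name.decode("ascii")
    except UnicodeDecodeError:
        return None

def find_sni(payload: bytes, window: int = SCAN_WINDOW):
    """Return (offset, hostname) of the first SNI extension starting inside
    the window, or None. Assumption: only the start offset must be in range."""
    for off in range(min(len(payload), window)):
        host = parse_sni_at(payload, off)
        if host is not None:
            return off, host
    return None

if __name__ == "__main__":
    # Payload quoted in the post; the padded variants are constructed samples.
    quoted = bytes.fromhex("0000000e000c0000096e74632e7061727479")
    print(find_sni(quoted))                  # bare extension, no handshake
    print(find_sni(b"\x17" * 100 + quoted))  # extension deeper in the payload
    print(find_sni(b"\x17" * 256 + quoted))  # starts past the 256-byte window
```

Running this over the TCP payloads in a capture shows which packets carry a byte pattern that fits the reported rule, which helps separate SNI-triggered resets from unrelated ones.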