Test of Shadowsocks UDP handling in obfuscation mode
Software used: shadowsocks-libev 3.3.4 (TCP+UDP) on the server side, official Android Shadowsocks 5.0.5 client by Max Lv.
Without plugins
- Google DNS (8.8.8.8) over TCP is used by default. Shadowsocks converts DNS UDP queries to TCP.
- UDP data is transferred via proxy over UDP, without UDP-in-TCP incapsulation (this is expected, documented behavior).
Simple-obfs
Software: simple-obfs 0.0.5 on server, Simple Obfuscation by Max LV on Android, version 0.0.5.
- DNS is handled correctly, just as without the plugin
- UDP data is transferred via proxy, without obfuscation (ignoring obfs settings), to the IP address and port of simple-obfs server.
- UDP data discarded by server as simple-obfs supports only TCP, but if you configure shadowsocks over UDP on the same port without obfs-proxy on server, UDP data would work (without obfuscation).
V2ray-plugin
Software: v2ray-plugin v1.3.0 on server, V2ray Plugin by Max LV 1.3.0 on Android
Everything similar to simple-obfs situation: Shadowsocks ignores plugin configuration for UDP data and redirects it to the same host and port, without obfuscation by the plugin.
Resume
Shadowsocks obfuscation does not work for UDP traffic, as it was expected prior the test. However, I find it strange that UDP data does not get discarded and gets sent to server, bypassing plugin processing. This could be used as suspicious activity marker to detect proxies: common web browsers and other software won’t use UDP on port 443, except when using QUIC protocol, but in this case all further data transfer would be performed over UDP, which is not the case for Shadowsocks.
Calls in IMs and other software which use UDP won’t work efficiently, if at all.
P.S. during the test was found out that Firefox for Android send multiple empty UDP packets (10-20 in order, without any data), either on every connection or on every DNS query. After Shadowsocks encryption and incapsulation, these packets were seen as 10-20 55 byte UDP packets.