Testing Shadowsocks UDP handling with obfuscation enabled

Test of Shadowsocks UDP handling in obfuscation mode

Software used: shadowsocks-libev 3.3.4 (TCP+UDP) on the server side, official Android Shadowsocks 5.0.5 client by Max Lv.

Without plugins

  1. Google DNS (8.8.8.8) over TCP is used by default. Shadowsocks converts DNS UDP queries to TCP.
  2. UDP data is transferred via the proxy over UDP, without UDP-in-TCP encapsulation (this is the expected, documented behavior).

Simple-obfs

Software: simple-obfs 0.0.5 on server, Simple Obfuscation by Max LV on Android, version 0.0.5.

  1. DNS is handled correctly, just as without the plugin.
  2. UDP data is transferred via the proxy, without obfuscation (ignoring the obfs settings), to the IP address and port of the simple-obfs server.
  3. UDP data is discarded by the server, as simple-obfs supports only TCP; but if you configure Shadowsocks over UDP on the same port without obfs-proxy on the server, UDP data works (without obfuscation).

V2ray-plugin

Software: v2ray-plugin v1.3.0 on server, V2ray Plugin by Max LV 1.3.0 on Android.

Everything is similar to the simple-obfs case: Shadowsocks ignores the plugin configuration for UDP data and redirects it to the same host and port, without obfuscation by the plugin.

Summary

Shadowsocks obfuscation does not work for UDP traffic, as was expected prior to the test. However, I find it strange that UDP data is not discarded and is sent to the server, bypassing plugin processing. This could be used as a suspicious-activity marker to detect proxies: common web browsers and other software won't use UDP on port 443 except when using the QUIC protocol, but in that case all further data transfer would be performed over UDP, which is not the case for Shadowsocks.

Calls in IMs and other software that use UDP won't work efficiently, if at all.

P.S. During the test it turned out that Firefox for Android sends multiple empty UDP packets (10-20 in a row, without any payload), either on every connection or on every DNS query. After Shadowsocks encryption and encapsulation, these packets were seen as 10-20 55-byte UDP packets.
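The two observations above (TCP traffic to a host on port 443 continuing alongside UDP to the same host, and bursts of uniform 55-byte UDP datagrams) can be turned into a simple detection heuristic. The following is an added example, not code from the post or from the Shadowsocks project; the packet records, thresholds and the "host:443" grouping are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import groupby

# Constructed packet records, not captures from the post: (client, server, dport, ts, proto, size_bytes)
PACKETS = (
    # 10.0.0.5: TCP keeps flowing to host:443 while 12 uniform 55-byte datagrams go to the same host:443
    [("10.0.0.5", "203.0.113.10", 443, 0.0, "tcp", 517), ("10.0.0.5", "203.0.113.10", 443, 0.1, "tcp", 1400)]
    + [("10.0.0.5", "203.0.113.10", 443, 0.2 + i * 0.01, "udp", 55) for i in range(12)]
    + [("10.0.0.5", "203.0.113.10", 443, 0.5, "tcp", 1400), ("10.0.0.5", "203.0.113.10", 443, 0.6, "udp", 130),
       ("10.0.0.5", "203.0.113.10", 443, 0.7, "tcp", 900)]
    # 10.0.0.7: QUIC-like, a TCP handshake first and then all further data over UDP
    + [("10.0.0.7", "203.0.113.20", 443, 0.0, "tcp", 517), ("10.0.0.7", "203.0.113.20", 443, 0.3, "udp", 1200),
       ("10.0.0.7", "203.0.113.20", 443, 0.4, "udp", 1250), ("10.0.0.7", "203.0.113.20", 443, 0.5, "udp", 1300)]
    # 10.0.0.9: plain HTTPS, TCP only
    + [("10.0.0.9", "203.0.113.30", 443, 0.0, "tcp", 517), ("10.0.0.9", "203.0.113.30", 443, 0.1, "tcp", 1400)]
)

MIN_TCP_AFTER_UDP = 2  # TCP packets still flowing after UDP began (threshold is an assumption)
MIN_BURST = 10         # the post observed bursts of 10-20 identical 55-byte datagrams
MAX_BURST_SIZE = 64    # "small" datagram threshold for the burst rule (assumption)


def find_suspicious_443(packets):
    """Return {(client, server): [reasons]} for port-443 peers that show the pattern described above."""
    by_pair = defaultdict(list)
    for client, server, dport, ts, proto, size in packets:
        if dport == 443:
            by_pair[(client, server)].append((ts, proto, size))
    findings = {}
    for pair, pkts in by_pair.items():
        pkts.sort()
        udp_ts = [ts for ts, proto, _ in pkts if proto == "udp"]
        if not udp_ts:
            continue  # TCP-only HTTPS, nothing to flag
        reasons = []
        # Rule 1: after a QUIC upgrade all further data moves to UDP, so TCP carrying on beside UDP does not fit
        tcp_after = sum(1 for ts, proto, _ in pkts if proto == "tcp" and ts > udp_ts[0])
        if tcp_after >= MIN_TCP_AFTER_UDP:
            reasons.append(f"{tcp_after} TCP packets after UDP began to the same host:443")
        # Rule 2: a run of small, identically sized datagrams (the encapsulated empty packets from the P.S.)
        for size, run in groupby(size for _, proto, size in pkts if proto == "udp"):
            n = len(list(run))
            if size <= MAX_BURST_SIZE and n >= MIN_BURST:
                reasons.append(f"burst of {n} uniform {size}-byte UDP datagrams")
        if reasons:
            findings[pair] = reasons
    return findings
```

On the constructed records only the first client is flagged, with both reasons; the QUIC-like peer and the plain HTTPS peer pass.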

Fixed in the Android version. Now it doesn't relay UDP by default when any plugin is enabled.

I wonder, if QUIC is used instead of WebSocket-TLS, will there be the same problems?

Are we talking about V2ray-plugin? Yes, because the plugin system itself supports only TCP traffic, and it doesn't matter which protocol the plugin itself uses to connect to the server.

Is this mess on the Shadowsocks side or the plugin's?

The Shadowsocks plugin system supports only TCP:
https://shadowsocks.org/en/spec/Plugin.html

Restrictions

a. Plugin over plugin is NOT supported. Only one plugin can be enabled when a shadowsocks service is started. If you really need this feature, implement a plugin-over-plugin transport as a SIP003 plugin.
b. Only TCP traffic is forwarded. For now, there is no plan to support UDP traffic forwarding.

Sad :roll_eyes: