Detecting Probe-resistant Proxies (NDSS 20) about bbs HOT 4 OPEN

I believe these are the source code commits that aim to mitigate the vulnerabilities found in the paper:

• Obfuscated SSH: Implement "read forever" for OSSH
• obfs4: Alter tear down behavior to be less distinctive
• Outline: Probing resistance via timeout
• Lampshade: Add init message timeout to improve resistance to probing

MTProto already worked as the paper's authors recommend, and therefore didn't require a patch. As far as I am aware, there has not yet been any patch to shadowsocks-python.

from bbs.

there has not yet been any patch to shadowsocks-python

Just mention, it's lack of maintenance, nearly nobody use it now. Most user are using C/Go/Rust implementation.

from bbs.

We discussed this paper in our anti-censorship reading group on April 2. Here's a summary of our discussion:

• It's unlikely that the paper's data contains any obfs4 bridges. The handful of obfs4 bridges that the decision tree captured are probably false positives – the same is true for Lampshade and probably for most MTProto proxies.
• We were surprised that the data contains many (true positive) Psiphon users.
• Why were curious what their results would look like over UDP. Many UDP applications don't respond by default. What if obfs4 was using UDP instead of TCP?
• There may be other data sources that, when combined with the paper's datasets, may allow an attacker to narrow down the set of potential obfs4 bridges. For example, most obfs4 bridges expose an OR port, which an attacker can discover by port scanning an obfs4 bridge.

from bbs.

It appears that there are still many popular circumvention tools having the weaknesses demonstrated in this paper as of June 2021. Possible reasons include lack of maintenance or incomplete mitigation.

In this issue (XTLS/Xray-core#625), we shared a trick to quickly spot the weakness. In short, one can send 1) a large chunk of invalid data and 2) a 1-byte invalid data to the listening port (12345 in this example) of any circumvention tool:

python3 -c "print('a' * 900, end='')" | nc -v localhost 12345
python3 -c "print('a' *  1, end='')" | nc -v localhost 12345

If the behaviors are different, one can then start with a binary search to find the thresholds. Alternatively, one can try using the prober-simulator to analyze the reactions of the circumvention tools in a more systematic way.

When using the trick, keep in mind that the reactions of the server may not be deterministic. One may want to quickly repeated the test by:

for i in {1..10}; do python3 -c "print('a' * 900, end='')" | nc -v localhost 12345 && return; done

from bbs.