new IR-GFW behaviour - Target : XRAY

[mikeesierrah]

Recently, the IR-GFW has implemented a new type of censorship using DP. They are specifically targeting WebSocket (no-tls) connections established by XRAY clients. Yes, you read that correctly—XRAY clients. While standard WebSocket (no-tls) connections remain unaffected, those made through XRAY are being throttled and limited, resulting in a poor network experience. In contrast, the same connections made using Sing-box clients do not encounter any issues.

This DPI strategy was introduced in response to the growing use of Cloudflare CDN to circumvent censorship measures. The selective throttling of XRAY client connections indicates a new scary level of DPI in GFW

Currently the only ISP implementing this type of DPI is IR-MCI which is also a leading ISP in inspecting and filtering REALITY connections.

[Kiya6955]

I have this problem too!
@RPRX @yuhan6665 @chika0801 What is your guess?

screen-20240531-002821.2.mp4

[armanem2]

Me to

[mmmray]

it's not surprising that vless without tls is being blocked, more surprising however that there is a difference between clients.

the pcap for both sing-box-client and xray-client with regard to vless+ws+notls is completely identical. i checked it on a config yesterday that was allegedly blocked. if you have a config where one client is blocked and another one isn't, i suggest to capture the connection attempt/urltest with wireshark and upload the pcap here.

also i suggest to try replacing ws with httpupgrade, and vless with vmess, to see if it makes a difference.

[ImMohammad20000]

I've test with vmess ws its the same result

[BobZombiE69]

I have the same experience. Only affected xray-core clients.
config: Vless+WS+CDN+(NO-TLS)
client: NekoBox connects perfectly without any issues!!!
client: v2rayNG cannot connect or has almost 90% packet loss. (because it is normal in Iran, usually DPI only throttles upload speed to 10 kbps !!! almost zero)

(freshly installed both clients without any custom settings)
I also downgraded v2rayNG client and server versions down to 1.8.5 but still the same issue.
In my tests, I tried 3 different servers from 2 different sources.
I also need to mention that these configs were working perfectly till 2 days ago then suddenly DPI started this new blocking across the whole country.

[realartin]

i agree with you mehrad and this is most be fix

[99freaking]

Same issue with tls+ws and fragment in Android.
Fragment values make successful connection on ios apps but on android "v2rayng", it doesn't connect.
Interestingly If we use "v2rayng" in proxy mode with "Rethinkdns" app, it again connects; because in this way, connection fingerprint changes.

[BobZombiE69]

I captured packets and attached the file here
Clients in Linux CLI:
sing-box-1.10.0-alpha.5-linux-amd64
and
Xray 1.8.7 3f0bc13 (go1.21.5 linux/amd64)

pcap-singbox-xray.zip

[us254]

XRAY clients where WebSocket connections are being throttled or blocked due to unusual opcodes in the WebSocket frames. Specifically, your packet capture (pcap) data shows frames with reserved opcodes (0x3 to 0x7), which are not standard and should not appear in normal WebSocket communication. These unusual opcodes might be triggering the DPI measures by IR-GFW, leading to the poor network experience.

[mbm13781221]

Can you please post screenshot of reserved opcodes , from Wireshark?

[BobZombiE69]

Today the restriction removed temporarily, so i repeated the packet capture at the time when Xray was working fine.
Here is Xray-ok pcap file:

xray-ok-jun-01-restriction-removed-temporarily.zip

@us254 @RPRX

[Kiya6955]

Please contact me on Telegram