Using proxy and scraping services for hiding servers? #336
That's an interesting idea. So effectively your model is equivalent to (from a censor's perspective):
While the model may seem to be fairly common (Baidu.com?), there are still a few discrepancies censors may notice, majorly via traffic shaping detection:
Please feel free to point me out in case I made any mistake. And I believe there should be more common challenges that the circumvention community is currently facing. As said, web browsing might not be an ideal traffic source for mimicry purposes. There could be better candidates like online gaming, video streaming/conferences, etc.
You're right there are quite a few features being used by some censors that this solution does not cover. I was mainly focused on Iran where it seems to me the main issue today with censorship are per-IP bandwidth limits rather than things like TLS-in-TLS detection.
To be fair, overall this is still not a bad idea, since the strongest advantages the circumvention community has against censors are the variety and agility. To not fall into the dead cycle of cat-and-mouse game, I believe it is crucial to introduce more novel designs/approaches.
Many ones are short-lived, but also many ones are long-lived, e.g. HTTP/2 connections. The problem is, if a proxy tunnel connection multiplexes several H/2 connections, the tunnel connection will be even longer-lived than each individual H/2 ones. And this cannot be shortened without breaking the payload connections. Given payload H/2 connections, the only way to shorten the tunnel connection time limit is connection migration, which is only available in H/3, or I forget where but wkrp may have mentioned it somewhere here. But overall this dimension is quite difficult to parrot in terms of engineering.
the proxy services I have in mind do not allow listening for inbound connections on a port, hence the need for a middlebox and the pretending that there is a website with organic traffic. this upnproxy vulnerability sounds like a middlebox might not be necessary at all, meaning that clients can connect directly to a bunch of IPs?
This idea is a bit out there and I lack some networking understanding to determine whether it is doable at all.
There are a few companies out there that provide access to a proxy network of "residential IPs". Basically comparable with botnets. You get a SOCKS5 proxy endpoint, and the TCP connections you establish through that proxy enter the public network through what I can assume is somebody's malware-infected mobile phone or home computer. Basically, botnet as a service. Those services have relatively high, but not prohibitively high prices per-gigabyte, and are mostly to bypass detection when scraping websites for data.
These companies advertise a pool of "millions of organic IPs". Now I wonder, can this kind of service be used in this setup:
(client ip, server ip) distribution seem organic, as if foreign visitors are browsing the website
the idea of middleboxes is not new for sure. what I wonder is, what are the challenges getting the traffic from the middlebox over the firewall, generally speaking, and am i correct in assuming there's a challenge in making that traffic seem organic?