SS servers are getting blocked

[OneHappyForever]

What version of shadowsocks-libev are you using?

Several servers, with different versions

What operating system are you using?

Windows, iOS, Android, Mac OS

What did you do?

Use shadowsocks to connect to the internet

What did you expect to see?

Sites loading

What did you see instead?

VPS IP got banned

What is your config in detail (with all sensitive info masked)?

Shadowsocks protocol
Port 443
encryption chacha20

IMPORTANT: my vps running vpn software like Cisco openconnect did not get blocked. Could it be that they can now recognize shadowsocks traffic from vpn and block only those vps?

[luxin88]

my ss server is blocked too

[martincz]

+1

[OneHappyForever]

It seems to happen at regular intervals. Not systematically, but on certain days, several IPs all get blocked at the same time.

[cbwang2016]

Is there any program/website that can check ss server connectivity in China unicom, mobile, telecom every minute?

[cbwang2016]

Evidence: v2ex
Lots of people are facing the same situation, no matter they're using DigitalOcean, Linode, Vultr, AWS or Aliyun.

[kang000feng]

Guys you can try to change your ip and use port 80 ++ietf poly1305 , it should work well

[leonshaw]

Got blocked, too. Changing port works but blocked again after about one day (slight use). All packets from that server port gets dropped. I'm changing cipher to chacha20-ietf-poly1305 and see what will happen. Not very optimistic, though.
What about negotiating for a dynamic server port in handshake phase? (Not sure if this will cause the entire ip to be blocked).

[hrimfaxi]

Some of mine are blocked too. After some research I find this paper participle interesting:
The Random Forest based Detection of Shadowsock's Traffic

We can get over 85% detection accuracy rate in our experiments after
 applying Random Forest Algorithm by collecting train set, gathering 
features, training models and predicting results.

If that's why, no matter how ports and algorithm are changed, the servers will be kept blocked.
Maybe if random payload / delay are deployed we can resist from being blocked?
I recommend anyone interested this issue have the paper read.

Download link (PDF):
10.1109@IHMSC.2017.132.pdf

[kang000feng]

@leonshaw @luxin88 try my solution

[zyf2008Neptune]

got blocked+1
A serious situation now.

[A37stKpDodi4BEr65TXb]

@hrimfaxi no mention of false positive rate and costing in the paper. Seems to me the experiments were run entirey in a controlled lab setting. No proof that it's been implemented in real world.

[OneHappyForever]

@hrimfaxi I wouldn’t put too much weight on that paper.

• the English is bad. They couldn’t even take the time to double check the English with someone. Shows something about the quality of the work they’re doing.

• They wrongly assume shadowsocks uses the ssh protocol. They base their research on this false assumption.

• they claim they can get up to 85% assurance. That is very low. Implementation will produce a lot of false positives.

[ghost]

my ss server is blocked too

Are you also use port 443? @luxin88 @martincz @leonshaw @zyf2008Neptune etc.

你们被封的端口也是和 OneHappyForever 一样使用的是 443 吗？加密模式呢？

[luxin88]

@paperbag not 443, but higher than 1024

[zyf2008Neptune]

@paperbag 端口8088,加密chacha20-ietf-poly1305只要登一次第二天端口就会被墙，过几天整个VPS的IP就可能被墙。

[kang000feng]

@zyf2008Neptune 加密方式没问题， 高位端口的问题，你换IP 再换用八零端口

[luxin88]

@kang000feng 不存在的，一样封，因为ip被盯上了

[kang000feng]

@luxin88 你换IP后后再按上面配置就不会被盯上了，至少至今没有收到被封的报告

[leonshaw]

@paperbag I'm using some arbitrary port.
@kang000feng Hard to change IP, only changed cipher.
Seems my IP is blocked today, every port, including SSH. However, ICMP ping still works. And strangely, a long-live SSH connection survives.

[terrywh]

@leonshaw same here.

[AndreiLeman]

They blocked just 443 port i used before for quite a long time. And after I changed to 8443 they blocked server by IP. They blocked my VPS! Bastards!

(community provider associated with China Unicom confirmed to me that extreme measures are taken due to Summit at 19th).

[pullugit]

CHINA UNICOM - all my 5 ss servers got blocked a few hours ago.
About 5 days ago SG ip went dead first. VPS is up running. Ping from China locations timed out. Ping China from VPS also timed out. => Blocking is two way.
A few hours ago, all the rest US & JP ips went dead too.
I never stick to any one for a long period. Always change to another after a few hours.
All configured to use 443 and IETF POLY.
I believe GFW analyzed my traffic to foreign ips, and if it find a certain pattern it blocks it.
Also worth mentioning that always a field of ips get blocked.
Very desperate for the moment. I simply can't do my job now.

[kk160524]

My vps is dead. The first only to seal off the port, I modified the port and then continue to use the day. Then my ip was completely sealed off. Now I have no longer dare to continue to use my other vps. Afraid they are dead

[guijianchou]

My vultr and do got blocked too, with port 10369 and aes-256-gcm. But one survived : the one I brought from third-party, two months ago, with rc4-md5-6,origin, plain.It seems all they traffic exchange by another China mainland Aliyun server to the overseas

[SpiritSoulXSoul]

My US VPS got blocked too, It's my spare VPS, I just used it for a little while.

What version of shadowsocks-libev are you using?
libev 3.0.8

What operating system are you using?
CentOS 7x64 Kernel 4.11(Server)
Windows 10 1703(Client)

What did you do?
Use shadowsocks to download a file and connect to internect.
a few hours later, this VPS got blocked.

What is your config in detail (with all sensitive info masked)?
my main VPS running well, here is the difference between the two config:
Blocked:
local: US,
encryption: camellia-256-cfb,
TCP fast open: on,
timeout: 30,
server port: 40000++,
UDP: off
still running:
local: JP,
encryption: chacha20-ietf (config1) & chacha20-ietf-poly1305 (config2)
TCP fast open: off,
timeout: 10,
server port: 30000++,
UPD: off (config1) & on (config2)

Hope this information can help improve shadowsocks. :)

[4044ever]

Can you please post your rough location. The blocking is usually not uniform. It;s worst around Beijing, but I heard in Guangdong it's fine. Roughly translated: 北京有问题，广东小问题

[ghost]

Guys you really need to put simple-obfs on top of ss, without obfuscation the wall can just blanket block traffic it doesn't recognize, not much tech needed. It's under the Shadowsocks project too, check it out.

[myliyifei]

IP blocked!

• libev 2.5.2 RC4-MD5
• always use jump station to access the server, never access the ssh port from mainland directly.
• change the ssh port to non-standard port.
• with non-standard port TLS web servers
• restrict ss visit back to mainland ip ranges.

several VPS were blocked at the same time( 10:00 am), which some have large traffic, some only have small.
some use serverspeed, some use google bbr. some are running more than two years, some are running less than a week.

hope this report is useful

[OneHappyForever]

I noticed a similar thing. IP blocks happen around 10 am these past few days

[myliyifei]

IP blocked again. 10-19 about 9:50 AM

change to libev 3.1.0 AEAD chacha20-itef-poly1305, still useless
except SS(1000-10000) and SSH(not 22 port), no any others services, such as web etc.

I think the wall watch the import VPS and ip ranges, cut off any large encryption traffic.

[rule2c]

Got blocked, too. Can't ping my server IP.

[buddhazhou]

My VPS port with SS was lower than 1000 and the cipher was chacha20-ietf-poly1305.
Around 2 weeks ago, port was blocked, then i changed port to 1021.
next day, VPS IP was blocked until now, not sure whether it would be unblocked or not.
there was a website collocated on my VPS as well on 80/443.

Two of my friends , their VPS are running with RC4-MD5 (one uses the sampe port as mine, the other is with port 5353 ), so far so good.

[OneHappyForever]

I think this is really good. The more info we can get, the more chance we'll have to do something about it.

Let’s see if servers get blocked at 10 am today like last time

[myliyifei]

IP blocked again with AEAD cipher. about 9:10 AM today.

[bash99]

My vps is ok in last week, aead + obfs.

[kumokami]

我的也是被墙好几次，然后我加了层stunnel，在境内做了中转，现在是正常运行一个多星期。看支持一层SSL/TLS是有必要了。
==== google translate ====
My server was blocked several times, then I wrapper it with stunnel. It's aready run a week.
Time to support SSL/TLS.

[triaqu]

我是9号两台端口被封，奇怪的是还包括电脑连接的goflyway的端口。第二天一台IP被封，ping发现是ip从2到180都封了，所以也不清楚是谁造成的。
在一台IP被封后，试着用一台境外VPS作中转连被封IP的ss，用到现在中转那台没出现任何问题，后来把终端那台换为正常的vps并把加密设为rc4-md5，想试试是两台都会封还是只封其中一台，可到现在用了四五天都正常，除终端那台连接端口有时感觉有干扰。

[bash99]

@v2abcd why not just use ss's subproject obfs? which has ssl obfs support.

[OneHappyForever]

Anyone using simple-obfs? What has been your experience? Anyone got d using that plugin? What port would you recommend using?

[myliyifei]

use obfs with http port 80, blocked again. try TLS one more time

[yanxurui]

Do you any guys know the strategy of blocking?
Let's see what we can do to escape the network censorship.

[OneHappyForever]

Do you guys use ip addresses or url for the server address?

[ted-dev-42]

是否可以用随机添加数据的方式来消除流量特征？

[ghost]

^That's what obfs does. It actually goes one step further and makes it look like normal website traffic, so your traffic doesn't stand out as something unknown.

[madeye]

Please report any general issue here: https://github.com/shadowsocks/shadowsocks-org/issues

This issue tracker is only for shadowsocks-libev related bug reporting.