二叉树树

Just scribbling.

Let's discuss how to bypass the GFW.

First, we need to understand how the GFW blocks our traffic.

  1. IP black hole: Currently unsolvable, but it only affects certain services, such as Google services (Google, Twitter, YouTube, etc.).

  2. DNS pollution: A fake IP is returned for the domain name. Workarounds: use the hosts file to pin the domain name to a known-good IP, or use encrypted DNS (DoH, DNS signing such as DNSSEC, etc.).

  3. HTTP hijacking: Because the traffic is not encrypted, the GFW, sitting on the path as a natural man-in-the-middle, can tamper with it directly (e.g., redirecting to a 404 page or to an anti-fraud page). Using HTTPS avoids this, but you may then run into SNI blocking.

  4. SNI blocking: Before the client and server establish an encrypted connection, the client sends a Client Hello message. It is sent in plaintext and usually carries the server_name extension, so the GFW can tell which website you are trying to reach and block domains that are not on its whitelist (e.g., discord.com). Because server_name is only an extension and not mandatory, you can avoid SNI blocking by not sending it.
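To make the SNI point concrete, here is an added Python example (not code from the original post): it builds a minimal ClientHello with or without the server_name extension and parses the field back out the way Wireshark or a DPI box reads it from the plaintext handshake. The record bytes are constructed samples, and build_client_hello / extract_sni are names chosen here.

```python
import struct

def build_client_hello(server_name=None):
    """Build a minimal TLS ClientHello record (constructed sample bytes, not a capture).
    With server_name set, an SNI extension (type 0) is appended; otherwise no extensions."""
    body = b"\x03\x03" + bytes(32)               # client_version + 32-byte random (zeroed)
    body += b"\x00"                               # session_id: empty
    body += b"\x00\x02\x13\x01"                   # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                           # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type=host_name, length, name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list     # extension_type=0 (server_name)
        body += struct.pack("!H", len(ext)) + ext                 # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body # type=client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake

def extract_sni(record):
    """Return the host_name carried in a ClientHello record, or None when it is absent.
    This is the plaintext field a middlebox (or Wireshark) reads before any encryption starts."""
    if len(record) < 5 or record[0] != 0x16:
        return None                               # not a TLS handshake record
    handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None                               # not a ClientHello
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                          # skip compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0 and len(data) >= 5:      # server_name extension
            name_len = struct.unpack("!H", data[3:5])[0]   # list_len(2) + name_type(1) + name_len(2)
            return data[5:5 + name_len].decode("ascii", "replace")
        pos += 4 + ext_len
    return None                                   # extensions present, but no SNI among them
```

Feeding a real capture's first TLS record into extract_sni shows exactly what a passive observer learns from the handshake before any encryption is in place.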

Now, let's analyze how the GFW blocks different websites.

We use Wireshark for packet capturing.

  • First, try to access www.baidu.com, a domain the GFW does not block.

    1. Ping it first.

    2. Get the IP: 2408:873d:22:18ac:0:ff:b021:1393

    3. Pin the domain to that IP in the hosts file.

    4. Capture packets with Wireshark: the Client Hello sent by the client clearly shows the Server Name field, the Server Hello comes back normally, and both sides start communicating.

    5. Check the browser: the website is accessible.

  • Now try to access discord.com.

    1. Ping it first: both the domain name and the IP it resolves to are unreachable.

    2. Next, use itdog.cn to run an IPv4 ping against each of the resolved IPs in turn.

    3. The first IP turns out to be reachable.

    4. Pin the domain to that IP in the hosts file and try capturing packets again.

    5. After the hosts binding, when the client sends the Client Hello, the GFW detects the Server Name field and sends a RST message to the client, requesting that the connection be reset. The client sees ERR_CONNECTION_RESET, meaning the connection has been reset, and the user cannot access the page.

Next, try sending a Client Hello with an empty Server Name.

Successfully accessed. The Server Name field was not found in Wireshark.

The trump card: tcpioneer

It modifies TCP packets in a way the GFW cannot detect. Wireshark cannot capture the Client Hello message, yet the connection is still established, i.e. the server sends its Server Hello.
