二叉树树

二叉树树's xLog

Protect What You Love!

Let's discuss how to bypass the GFW.

First, we need to understand how the GFW blocks our traffic

  1. IP blackholing: the target address is null-routed, so packets to it are simply dropped. Nothing on the client side can undo this; the only way around it is to relay traffic through a host that is not blackholed. It affects only services whose addresses are on the list, such as Google, Twitter and YouTube.

  2. DNS pollution: a forged answer is injected so the domain resolves to a wrong IP. Work around it by pinning the correct address for the domain in the hosts file, or by resolving over an encrypted channel (DoH/DoT) to a trusted upstream; DNSSEC validation lets a resolver reject the forged answer, but on its own it does not deliver the correct one. Note that the encrypted channel only helps if the upstream resolver itself is not polluted.

  3. HTTP hijacking: plain HTTP is unencrypted, and the GFW sits on the path, so it can inject or rewrite responses directly (a redirect to a 404 page, a hijack to an "anti-fraud" warning page, and so on). HTTPS removes this, but the TLS handshake then exposes the hostname, which brings us to SNI blocking.

  4. SNI blocking: before the encrypted connection is established, the client sends a Client Hello. That message is plaintext and normally carries the server_name extension (SNI), so the GFW can read which site you are connecting to, match it against its blocklist (e.g., discord.com) and reset the connection. Because server_name is an extension and not a mandatory field, a client can simply omit it. This only works when the server is willing to complete the handshake and present the right certificate without SNI; many CDN-fronted hosts instead serve a default certificate or abort the handshake. TLS 1.3 encrypts most of the handshake, but the Client Hello and its SNI stay in the clear unless Encrypted Client Hello is used.

Now, let's look at how the GFW treats different websites

We use Wireshark for packet capture.

  • First, try www.baidu.com, a domain the GFW does not block.

    1. Ping it first.
      [screenshot: ping www.baidu.com]

    2. Take the resolved address: 2408:873d:22:18ac:0:ff:b021:1393 (an IPv6 address).

    3. Pin that address for the domain in the hosts file, so DNS pollution cannot interfere with the test.
      [screenshot: hosts entry]

    4. In the Wireshark capture, the Client Hello sent by the client carries the Server Name field in the clear, the Server Hello comes back normally, and the two sides go on to exchange application data.
      [screenshot: Wireshark capture]

    5. In the browser, the site loads normally.
      [screenshot: browser]

  • Now try discord.com.

    1. Ping it first: the ping to the domain fails, and the address it resolves to is unreachable.
      [screenshot: ping discord.com]

    2. Use itdog.cn to run an IPv4 ping from outside, then ping each of the addresses it reports in turn.
      [screenshot: itdog.cn ping]

    3. The first address is reachable.
      [screenshot: ping of the first address]

    4. Pin that address in the hosts file and capture again.
      [screenshot: hosts entry]
      [screenshot: Wireshark capture]

    5. After the hosts pin, the client sends its Client Hello; the GFW sees the Server Name field and injects a TCP RST towards the client, tearing the connection down. The browser reports ERR_CONNECTION_RESET and the page cannot be loaded. The RST comes from the on-path inspector, not from the real server, which never saw a complete handshake.
      [screenshot: ERR_CONNECTION_RESET]

Next, try a Client Hello without the Server Name extension

[screenshot: Wireshark capture without Server Name]

[screenshot: browser]

The page loads. In Wireshark the Server Name field is absent from the Client Hello (a display filter on tls.handshake.extensions_server_name no longer matches it), so the GFW has nothing to match against. This works here because the discord.com endpoint still completes the handshake without SNI; a server that relies on SNI to pick its certificate would present the wrong one or fail the handshake.
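To make the two observations above concrete, here is an added Python example (not code from the original post, nor from any tool it mentions) that builds a minimal TLS Client Hello with and without the server_name extension, extracts the name the way an on-path inspector has to, and returns the verdict a blocklist-based DPI would reach. The blocklist, the fixed "random" bytes and the cipher suite list are constructed for the example; the record layout follows the TLS handshake format.

```python
import struct

# Constructed blocklist standing in for the GFW's real one (example only).
BLOCKLIST = {"discord.com"}


def build_client_hello(server_name=None):
    """Build a minimal TLS ClientHello record (constructed for this example).

    Only the fields needed to exercise the parser are present: legacy version,
    random, empty session ID, three cipher suites, null compression, and an
    optional server_name extension. With server_name=None the extensions
    block is omitted entirely, which is what 'sending no SNI' looks like.
    """
    client_random = b"\x11" * 32          # fixed bytes, not real randomness
    cipher_suites = b"\x13\x01\x13\x02\xc0\x2f"
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerName entry: name_type=0 (host_name), 2-byte length, the name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (b"\x03\x03" + client_random
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                              # one method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Walks the extension list generically, so it also works on a full
    ClientHello captured from a browser, not just the minimal one above.
    """
    if len(record) < 5 or record[0] != 0x16:             # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                           # skip version + random
    p += 1 + body[p]                                     # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]       # cipher_suites
    p += 1 + body[p]                                     # compression_methods
    if p + 2 > len(body):
        return None                                      # no extensions at all
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("idna")
    return None


def dpi_verdict(record, blocklist=BLOCKLIST):
    """Model the on-path inspector: 'RST' if a blocked name is visible, else 'PASS'."""
    name = extract_sni(record)
    if name is not None and name.lower() in blocklist:
        return "RST"
    return "PASS"


if __name__ == "__main__":
    for host in ("www.baidu.com", "discord.com", None):
        rec = build_client_hello(host)
        print(f"server_name={host!r:18} -> sni={extract_sni(rec)!r}, verdict={dpi_verdict(rec)}")
```

Run as a script it prints one line per case: baidu passes, discord.com draws an RST, and the Client Hello with no extension passes because there is no name to match. The inspector only reaches a verdict if it can read the whole Client Hello; this model assumes the record arrives in one piece, and an inspector that fails to reassemble a handshake split across several segments would see no name at all, which is the kind of blind spot the next section exploits.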

The killer move: tcpioneer

tcpioneer rewrites outgoing TCP segments so that the GFW's inspection no longer recognises the Client Hello. In the capture the effect is visible on the client side too: Wireshark no longer reassembles a Client Hello, yet the server still answers with a Server Hello and the TLS connection is established normally. The server sees an ordinary handshake; only the inspector on the path (and a passive capture) loses sight of it.
