Comments (12)
- Simple sleep is unacceptable, because it's blocking. To implement a delay, some queuing mechanism is required in another thread. In the current version it's possible to utilize the OS built-in retransmission mechanism in fake/rst/rstack modes using the --dpi-desync-retrans=1 option. The first retransmission happens after 0.2 sec. The OS kernel itself does what you request.
2. Is it your real experience or just your thoughts? In Russia DPIs are located on the ISP level. The ISP local connection is very stable. Theoretically there may be drops on the path to the DPI in countries like China or Iran with a centralized firewall. But I also think a country's intranet is much more stable than the outside world. Or are you on a bad radio channel with a high drop rate?
from zapret.
Indeed, naive sleeping is not acceptable. In terms of user experience, I can feel a significant slowdown when retransmission is enabled; perhaps 0.2 seconds is too long for each packet, especially when every packet in the stream will go through the queue. In contrast, a delay of 2ms is enough for the injected packets to go ahead of the original one.
I'm not in Russia, and the peak packet drop rate here is crazy even for domestic traffic, so multiple copies of rst will be quite helpful.
from zapret.
No, not every packet is processed by desync. Only http requests (can be multiple) or the TLS clienthello (only a single one per connection). It adds some delay but not too long.
If your drop rate is high then it's your greater headache. With high packet loss everything will be damn slow.
It's not hard to add fake packet retransmission. If you want I'll do it.
But first I'd like you to test if it really helps.
At the end of desync.c find this code:
if (!rawsend((struct sockaddr *)&dst, params.desync_fwmark, newdata, newlen))
return res;
and copy-paste it as many times as you want, then recompile
from zapret.
I made three copies of rstack, and the success rate goes from 90% to 100% on 20 trials.
from zapret.
OK, I added the --dpi-desync-repeats option. It resends every packet generated by nfqws N times.
from zapret.
When I am looking at the tcpdump of the final packets, I noticed that not only the fake packet is sent multiple times, but also the original packet. Isn't it very strange? The original packet should get an accept verdict, so how come it is also duplicated?
FYI, I'm testing on openwrt using POSTROUTING, with curl from both openwrt itself and a PC; the result of tcpdump looks the same.
from zapret.
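The tcpdump check described in the post above can be automated. This is an added example, not code from zapret: it parses tcpdump -n output and counts how often each TCP segment (source, destination, flags, seq field) appears, so a capture can be checked for whether only the injected segments are repeated or the original data segment is duplicated as well. The capture lines below are constructed for the example.

```python
import re
from collections import Counter

# Constructed tcpdump -n output (not a real capture): one genuine data
# segment (seq 1:518) seen once, one RST+ACK segment seen three times,
# and the peer's ACK.
SAMPLE = """\
12:00:00.000100 IP 192.0.2.10.51234 > 198.51.100.5.443: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:00.000120 IP 192.0.2.10.51234 > 198.51.100.5.443: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:00.000140 IP 192.0.2.10.51234 > 198.51.100.5.443: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:00.002300 IP 192.0.2.10.51234 > 198.51.100.5.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:00.030000 IP 198.51.100.5.443 > 192.0.2.10.51234: Flags [.], ack 518, win 1000, length 0
"""

# Matches the address, flag and optional seq fields of a tcpdump TCP line
# (IPv4 "IP" and IPv6 "IP6" lines share the same layout).
LINE_RE = re.compile(
    r"IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
)


def segment_counts(text):
    """Return {(src, dst, flags, seq): occurrences} for every TCP line."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP line tcpdump printed in this format
        counts[(m["src"], m["dst"], m["flags"], m["seq"])] += 1
    return counts


def repeated_segments(text, threshold=2):
    """Segments seen at least `threshold` times; a data segment (seq a:b)
    appearing here means the original packet was duplicated, not just
    the injected one."""
    return {k: n for k, n in segment_counts(text).items() if n >= threshold}


if __name__ == "__main__":
    for key, n in repeated_segments(SAMPLE).items():
        print(n, "x", key)
```

Run it against `tcpdump -n -i <iface> 'tcp port 443'` output to see which segments were actually emitted more than once.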
Yes, it's my mistake, I already fixed it in the last commit.
With retrans=0 nfqws reinjects the original packet with an nfq drop verdict.
With retrans=1 it is the same, but with no reinjection, leaving the OS to retransmit it after 0.2s.
from zapret.
Thanks for the clarification!
I'm also curious about the ipv6 implementation. I didn't see the unbinding/rebinding of AF_INET6 in the code, yet it did work on v6; how does this work? I searched, and here it says you must bind on both. Will it have some hidden problem?
from zapret.
I don't know how it works. But it has always worked. With AF_INET the queue receives both 4 and 6.
From the docs:
Binds the given queue connection handle to process packets belonging to the given protocol family (ie. PF_INET, PF_INET6, etc). This call is obsolete, Linux kernels from 3.8 onwards ignore it.
This could be the explanation. But I tested this on centos 6 with a 2.6 kernel and it also worked. Don't know why.
from zapret.
I rechecked and confirm it really does not work on older kernels.
Fixed in the last commit.
from zapret.
An alternative command line design would be to allow multiple modes like this:
nfqws --dpi-desync=rstack,rstack,disorder,rst
Then nfqws sends the corresponding packets in the order specified. This not only allows for duplicated fake packets, but also a combination of approaches in case a single desync method is not robust enough. What do you think?
from zapret.
Not all actions are compatible with each other.
Now each dpi-desync mode represents a complete strategy for evading DPI.
There's another software called geneva: https://geneva.cs.umd.edu/papers/geneva_ccs19.pdf
It has a universal strategy constructor and a genetic algorithm for testing and finding working strategies.
Unfortunately it's written in Python, a very slow and ineffective language, not for soho routers.
I'm not going to rewrite its functionality, but I'm ready to pre-program working evading strategies.
from zapret.