knock up GFW IP blockage
- GFW needs to check every packet against large list of filtered ip in order to drop them
- since its not practical in huge traffic, they separate tcp handshake (SYN) and check them only.
- in fact, they only drop SYN packet with blocked ip in both direction.
- so we can bypass ip filtering by building communication link without tcp handshake.
- it bypass ip blockage, so it bypass principal core of filtering
- it change the paradigm of anti-censorship from "hiding traffic" / "escaping blockage" to "drilling whatever blocked"
- what more can a censorman do after detecting a VPN, beside blocking ip?
- similar to fragment that bypass filtered Domain/SNI , it operate at the lower network layer
- no matter which protocol used at upper level, it can drill everything, even blocked port
- this method is not based on a bug nor a protocol at application layer
- it operate on lowest possible layer of network (transport and ip layer)
- need lots of dedicated Hardware to fight with (not achievable in software)
- we use TCP ACK/PUSH packets which is 100000X more frequent than SYN
- they have large list of blocked ip that want to drop
- they simply cant hold & check every single packet in high speed traffic. (unless with millions of dollar HW investment)
- need a VPS
- need root/admin access in both client & server to modify/send/sniff crafted packet
- we implement method1 : a prototype for proof-of-concept that can run on both windows & linux
- its not ready for production yet but we plan to build stable and standalone version in near future
- next step is to implement on xray-core
- thus anyone can easily create a "tcp violation" config and revive blocked vps ip