This repo includes the source code, data, and documentation to reproduce the major claims in the USENIX Security 2023 paper How China Detects and Blocks Fully Encrypted Traffic.
It is designed for anyone who is curious about the methodologies in our study and wants to reproduce the claims in our paper independently.
Note that you may not be able to reproduce any of the experiment results, because the GFW has stopped dynamic blocking since March 2023. See this documentation for more information.
```
.
├── ae-appendix
├── artifacts
│   ├── ceased-dynamic-blocking
│   ├── common
│   ├── setup-vps
│   ├── sink-server
│   ├── test-entropy
│   ├── test-printable-fraction
│   ├── test-printable-longest-run
│   ├── test-printable-prefixes
│   ├── test-protocol-fingerprints
│   └── utils
├── CHECKLIST
├── LICENSE
└── README.md
```
- `artifacts/ceased-dynamic-blocking` contains the source code, data, and documentation on the observation that the GFW of China has stopped blocking random traffic dynamically at least since March 15, 2023.
- `ae-appendix` contains the source code and Makefile to generate the artifact appendix.
- `artifacts/setup-vps` contains the source code to set up remote VPSes.
- `artifacts/sink-server` contains the source code for a sink server, which runs on the server side.
- `artifacts/utils` contains client-side testing tools.
- `artifacts/test-*` contain five different tests. Each of them corresponds to a claim about the GFW's traffic exemption rules.
- `artifacts/common` is a module that contains code on which the measurement tools are built.
To conduct the measurement experiments described in this repo, you need at least one host in China and one host outside of China.
To assist the USENIX Security '23 Artifact Evaluation, we provided the reviewers with the two VPSes below.
SSH Nickname | Location | ASN | CPU Model | # Core(s) | RAM | OS |
---|---|---|---|---|---|---|
usenix-ae-client-china | AlibabaCloud Beijing Datacenter | AS37963 | Intel Xeon Platinum 8163 | 1 | 1GB | Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-56-generic x86_64) |
usenix-ae-client-us | DigitalOcean San Francisco Datacenter | AS14061 | Intel DO-Regular | 1 | 1GB | Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64) |
If you are not an AE reviewer, but simply want to repeat some of the experiments yourself, you need to purchase and set up the two servers yourself.

- We refer you to this README for detailed instructions.
- To set up the client (VPS in China), execute:
  ```sh
  ./artifacts/setup-vps/setup-client/to_alibaba_server.sh
  ```
- To set up the server (VPS in the US), execute:
  ```sh
  ./artifacts/setup-vps/setup-server/to_digitalocean_server.sh
  ```
- Note that we have replaced the IP addresses of the two machines with the strings `REDACTED_CN_SERVER_IP` and `REDACTED_US_SERVER_IP` in our code and documentation. You may want to replace them with your servers' IP addresses (`1.1.1.1` and `2.2.2.2` in the example below), using commands like these:
  ```sh
  find . -type f ! -name "*.pcap" ! -path '*/\.*' -exec sed -i "s#REDACTED_US_SERVER_IP#1.1.1.1#g" {} \;
  find . -type f ! -name "*.pcap" ! -path '*/\.*' -exec sed -i "s#REDACTED_CN_SERVER_IP#2.2.2.2#g" {} \;
  ```
- First log in to the VPS in China:
  ```sh
  ssh usenix-ae-client-china
  ```
- Send some random probes from `usenix-ae-client-china` to port `2` of `usenix-ae-server-us` by repeatedly executing the following command:
  ```sh
  head -c200 /dev/urandom | nc -vn REDACTED_US_SERVER_IP 2
  ```
- After executing the command a few times (1 to 15 times), if you notice that `nc` can no longer connect to `REDACTED_US_SERVER_IP:2`, congratulations: the blocking is triggered (and will residually last for up to three minutes). You should still be able to connect to other ports of the same server, for example `REDACTED_US_SERVER_IP:3`. It is also likely that you cannot trigger the blocking, because the GFW has stopped dynamic blocking since March 2023. See this documentation for more information: [./artifacts/ceased-dynamic-blocking].
- (Optional) Alternatively, one can use the triggering tool:
  ```sh
  echo REDACTED_US_SERVER_IP | ./utils/affected-norand -p 2 -log /dev/null
  ```
  This tool takes a list of IPs on stdin and performs (by default 25) repeated connections to the specified port, sending the same (configurable) random payload in each connection. If the tool is unable to connect for (by default 5) consecutive connections in a row, it labels the IP as affected by blocking (`true` in the `affected` column):
  ```
  endTime,addr,countSuccess,totalTimeout,consecutiveTimeout,code,affected
  1678258922,REDACTED_US_SERVER_IP:2,2,5,5,timeout,true
  ```
  This output means that connecting to the endpoint (`REDACTED_US_SERVER_IP:2`) succeeded in 2 connections, but then 5 consecutive connections timed out in a row (and 5 failed in total). Because there were at least 5 consecutive timeouts, our tool labels this endpoint/payload combination as affected (`true`).
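As an added illustration (not the repo's own tool), the labelling rule described above replayed over a constructed sequence of connection outcomes: success and timeout counters, the longest timeout streak, and the early stop once the consecutive-timeout threshold is reached. The `Success`/`Timeout` names, the early stop and the empty `code` value for an unaffected endpoint are assumptions.

```go
package main

import "fmt"

// Outcome of one probe connection (constructed names, not the tool's).
type Outcome int

const (
	Success Outcome = iota
	Timeout
)

// Result mirrors the columns of the tool's CSV output.
type Result struct {
	Addr               string
	CountSuccess       int
	TotalTimeout       int
	ConsecutiveTimeout int // longest run of timeouts seen
	Code               string
	Affected           bool
}

// Classify replays outcomes as the page describes the tool: at most maxConn
// connections; once maxConsecutive timeouts occur in a row the endpoint is
// labelled affected and (assumption) probing stops early.
func Classify(addr string, outcomes []Outcome, maxConn, maxConsecutive int) Result {
	r := Result{Addr: addr} // Code stays "" when not affected (assumption)
	streak := 0
	for i, o := range outcomes {
		if i >= maxConn {
			break
		}
		if o == Success {
			r.CountSuccess++
			streak = 0
			continue
		}
		r.TotalTimeout++
		streak++
		if streak > r.ConsecutiveTimeout {
			r.ConsecutiveTimeout = streak
		}
		if streak >= maxConsecutive {
			r.Code, r.Affected = "timeout", true
			break
		}
	}
	return r
}

// CSVLine renders a Result in the tool's column order.
func CSVLine(endTime int64, r Result) string {
	return fmt.Sprintf("%d,%s,%d,%d,%d,%s,%t", endTime, r.Addr,
		r.CountSuccess, r.TotalTimeout, r.ConsecutiveTimeout, r.Code, r.Affected)
}

func main() {
	// Constructed sequence matching the sample output: 2 successes, then 5 timeouts.
	seq := []Outcome{Success, Success, Timeout, Timeout, Timeout, Timeout, Timeout}
	fmt.Println(CSVLine(1678258922, Classify("REDACTED_US_SERVER_IP:2", seq, 25, 5)))
}
```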
Below are our estimates of the time required to reproduce the different experiments.
Experiments | Human Time (minutes) | Compute Time (minutes) |
---|---|---|
Ex0: test-random | 5 | 5 |
Ex1: confirm-ceased-blocking | 15 | 2 days |
Ex2: test-entropy | 30 | 30 |
Ex3: test-printable-prefixes | 15 | 30 |
Ex4: test-printable-fraction | 15 | 30 |
Ex5: test-printable-longest-run | 15 | 15 |
Ex6: test-protocol-fingerprints | 15 | 240 |