VPN Providers Say China Blocks Encryption Using Machine Learning Algorithms 111
An anonymous reader writes "The internet control in China seems to have been tightened recently, according to the Guardian. Several VPN providers claimed that the censorship system can 'learn, discover and block' encrypted VPN protocols. Using machine learning algorithms in protocol classification is not exactly a new topic in the field. And given the fact that even the founding father of the 'Great Firewall,' Fan Bingxing himself, has also written a paper about utilizing machine learning algorithm in encrypted traffic analysis, it would be not surprising at all if they are now starting to identify suspicious encrypted traffic using numerically efficient classifiers. So the arm race between anti-censorship and surveillance technology goes on."
Havoc (Score:5, Interesting)
Is that a DOS vector? (Score:5, Interesting)
You might be able to use this to simulate encrypted traffic to something legitimate and cause it to be blocked.
Tunneling through SSH comes to mind. (Score:5, Interesting)
The interesting question is if they man-in-the-middle it.
Re:Havoc (Score:2, Interesting)
What steganography techniques? Like masking your VPN link as streaming audio/video?
Targetting commercial VPN providers? (Score:4, Interesting)
If not, I'd like to get some address where to register corporate endpoints which should be excluded from filtering.
Otherwise managing workstations and servers located in China might become rather tedious.
Atleast this IPSEC VPN to China which I'm using to post this message seems to work just fine right now.
Only big pipes are affected (Score:5, Interesting)
Re:Havoc (Score:5, Interesting)
We've also run into this. (Score:5, Interesting)
Over about the last 2 weeks, one of our hosting clients OpenVPN connections to their machines in China have been failing. We can still SSH into the machine in China, glad they haven't blocked that. We ended up setting up a block of several hundred ports with DNAT to the normal OpenVPN port, and then set up 64 (the max allowed) servers in the client config so it can cycle between them. That's been effective so far.
It took a while to figure out, because I was able to send test traffic via "date | nc -u server 1194", and that would go through, but the OpenVPN connection wouldn't.
Sean