Slashdot Mirror


VPN Providers Say China Blocks Encryption Using Machine Learning Algorithms

An anonymous reader writes "The internet control in China seems to have been tightened recently, according to the Guardian. Several VPN providers claimed that the censorship system can 'learn, discover and block' encrypted VPN protocols. Using machine learning algorithms in protocol classification is not exactly a new topic in the field. And given the fact that even the founding father of the 'Great Firewall,' Fang Binxing himself, has also written a paper about utilizing machine learning algorithms in encrypted traffic analysis, it would not be surprising at all if they are now starting to identify suspicious encrypted traffic using numerically efficient classifiers. So the arms race between anti-censorship and surveillance technology goes on."

7 of 111 comments

  1. Havoc by Anonymous Coward · · Score: 5, Interesting

    This has been causing havoc and reduces availability and integrity of our VPN access to our Chinese clients. The insane part is, most of them are in the aerospace and defense industry and are usually mostly owned by the Chinese government. It's indiscriminate. So far steganography techniques have worked, at the reduction of speed and standardisation, but it's hard to explain to clients why they suddenly can't access network resources and expect your company to fix everything.

    1. Re:Havoc by Anonymous Coward · · Score: 5, Interesting

      Yes, basically. We created software which encapsulates the connection in another protocol and re-encodes the data, shoved it in a VM and put one here and over there. We made it modularised so we can create support for new protocols and encoding easily. It's slower and usually requires a higher tolerance latency and bandwidth configuration for the protocol you are tunnelling but I'm surprised we whipped it up so quickly and it works.

  2. This is true by sadboyzz · · Score: 5, Informative

    I was just in Beijing for two weeks. I have access to two OpenVPN servers, one in New York, another in California. These are personal servers so they aren't on the IP-based blacklist. However, my connection from Beijing to either of the two would crap out after a day or two, and the only remedy was to change the OpenVPN server port.

    It seems right now they update their blacklist every 24~48 hours. I did not test whether the amount of traffic (idle vs. busy) would affect the time it takes them to block you. Blacklists last longer than two weeks, as the original ports I used were still blocked by the time I left. SSH connections do not seem to be affected at this time.

    1. Re:This is true by VortexCortex · · Score: 5, Funny

      "SSH connections do not seem to be affected at this time."

      Can you find a solution to your problem then?

      *Jeopardy music*

      Let's see what Tim has. You've written, "Don't do business in China", I'm sorry, we were looking for "SSH tunneling". Susan, you've written, "Port Changing Cron Job", no, that's incorrect as well. Yiu? You've written, "There is no Problem"... No, that's incorr--- Wait, the judges say we'll accept that answer, Yiu Wins!

  3. Noise. by Anonymous Coward · · Score: 5, Insightful

    Raise the noise floor, hide your encrypted data among legitimate-looking traffic. For various meanings of legitimate. One can only fathom the amount of useless garbage that gets passed on backbone links. From malfunctioning programs, unknown millions of installations of random programs phoning home for updates, spam, web bots, DDoS, Facebook. An endless sea of data for your subversive little packets to get lost in.

    Less efficient? Sure. But a lot harder to find.

    So what if they have adaptive learning sniffers. We can invent adaptive learning garbage a whole lot faster than they can keep up.

  4. Tunneling through SSH comes to mind. by Anonymous Coward · · Score: 5, Interesting

    The interesting question is if they man-in-the-middle it.

  5. Only big pipes are affected by cpghost · · Score: 5, Interesting

    If you need a narrow band VPN, you could always encrypt it in such a way that it can't be detected by the sniffers. For example, use something like the technique used by port knocking, i.e. utilize the time domain for your encrypted channel. In other words, don't send encrypted data directly, just send regular data and modulate the time intervals between the packets to reflect your encrypted data.

    --
    cpghost at Cordula's Web.
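
The timing-domain channel described in the last comment leaves a statistical trace a network monitor can measure: inter-packet gaps that cluster on a few discrete values instead of spreading out. The sketch below is an added example, not code from any commenter or from the system the story describes; the bin width, threshold, the 20 ms / 60 ms bit encoding and both sample flows are constructed assumptions.

```python
import math
import random
from collections import Counter

BIN_MS = 10.0          # histogram bin width (assumed tuning value)
ENTROPY_LIMIT = 2.5    # bits; flows below this are flagged (assumed threshold)

def gaps_ms(timestamps):
    """Inter-arrival gaps in ms from ascending packet timestamps (seconds)."""
    return [(b - a) * 1000.0 for a, b in zip(timestamps, timestamps[1:])]

def gap_entropy(gaps, bin_ms=BIN_MS):
    """Shannon entropy (bits) of the binned inter-arrival distribution."""
    if not gaps:
        raise ValueError("need at least two packets")
    counts = Counter(int(g // bin_ms) for g in gaps)
    n = len(gaps)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_modulated(timestamps, limit=ENTROPY_LIMIT):
    """True when gaps cluster on a few discrete values instead of spreading."""
    return gap_entropy(gaps_ms(timestamps)) < limit

def to_timestamps(gaps):
    """Turn a list of gaps (ms) into cumulative timestamps (seconds)."""
    t, out = 0.0, [0.0]
    for g in gaps:
        t += g / 1000.0
        out.append(t)
    return out

# Constructed sample flows (not captured traffic), seeded for repeatability.
_rng = random.Random(7)
# Ordinary flow: exponentially distributed gaps, mean 40 ms.
ORDINARY = to_timestamps([_rng.expovariate(1 / 40.0) for _ in range(400)])
# Timing channel: bit 0 -> ~20 ms gap, bit 1 -> ~60 ms gap, +/-2 ms jitter.
CHANNEL = to_timestamps(
    [(60.0 if _rng.getrandbits(1) else 20.0) + _rng.uniform(-2, 2)
     for _ in range(400)]
)

if __name__ == "__main__":
    for name, flow in (("ordinary", ORDINARY), ("channel", CHANNEL)):
        h = gap_entropy(gaps_ms(flow))
        print(f"{name}: {h:.2f} bits, flagged={looks_modulated(flow)}")
```

This is a single-feature test on one flow; a production classifier would combine it with other flow features and baseline per-application traffic before flagging anything.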