Working around DPI blocks is possible as long as you can get your hands on a foreign VPS. Just invent your own protocol and use it for yourself. Wrap it with HTTPS or even HTTP; nobody has the resources to analyse every single website's protocol.
However, huge ingress/egress traffic to an unknown website with a few random pages looks very suspicious. So it's possible to select those websites using statistical analysis.
Now the question to hackers: how do I hide tunnelled traffic so its statistics do not look suspicious?
Ideally one would use some CDN webserver (like Cloudflare or Amazon); however, without encrypted SNI, the host is extractable with DPI.
FWIW I stumbled upon the fact that AnyConnect (VPN from Cisco) about 10 years ago could walk over our HTTPS/DPI proxies/firewalls at Ubisoft. Which was mostly interesting because it was Ubi itself using AnyConnect.
In my efforts to use Linux (which is not supported by Cisco) I found "OpenConnect" and its partner, "OCServe", which are open source compatible client & server software (respectively) for the protocol.
On the wire, the traffic looks like normal HTTPS traffic, without the SSL "CONNECT" header which DPI loves to drop, as it's known to be used for proxies and VPN solutions.
YMMV, but it's worked for me with aggressive HTTP proxies in other companies too. :)
> Working around DPI blocks is possible as long as you can get your hands on a foreign VPS. Just invent your own protocol and use it for yourself. Wrap it with HTTPS or even HTTP; nobody has the resources to analyse every single website's protocol.
That's what "domain fronting" was: you put an innocuous domain in the SNI but a different domain in the Host: header and in some circumstances with some CDNs this would work.