0. Foreword
When I was researching the Quanzhou whitelist some time ago, I looked into it and saw many people reporting that a "whitelist" had also appeared in Henan province. Further investigation found that Henan does not have a whitelist but a provincial GFW blacklist that is stricter than the general GFW blacklist, using classic SNI blocking.
After testing, Henan's SNI blocking appears to be two layers. The first directly filters TLDs: country-code domains such as .al, and heavily abused domains such as .xyz and .top, are blocked outright. The second layer is similar to a blacklist: even domains such as .com and .net that pass the first layer are blocked if they fail a review. This review may be traffic detection, checking whether the traffic matches the characteristics of certain protocols; it may also be a review of website content to determine whether sensitive words appear.
1. Solution
According to a discussion on GitHub[1], enabling TCP Timestamps can bypass this blocking. The current understanding of the principle is not that this method evades GFW detection, but that GFW directly passes through a Client Hello whose TCP segment carries the Timestamps option (it seems nothing can be done about this kind of packet for the time being, laugh).
Enable TCP Timestamps:
1.1 Windows
Execute in PowerShell:
netsh interface tcp set global timestamps=enabled
Check if it is enabled:
netsh interface tcp show global
If the value on the first line of the output is enabled, it has been enabled successfully.
1.2 Linux
Execute:
sysctl -w net.ipv4.tcp_timestamps=1
Although the key says ipv4, it takes effect on both IPv4 and IPv6.
1.3 Android
On Android 13 or above, the system has it enabled by default.
Execute in Termux (rooted) or ADB shell (not rooted):
sysctl net.ipv4.tcp_timestamps
to check whether it is turned on. If the output value is 0, it is not enabled.
Execute:
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
or
sysctl -w net.ipv4.tcp_timestamps=1
to enable it.
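Changing the sysctl only matters if the option actually reaches the wire, so the following added example (not code from the original post) parses the options field of a raw TCP header and reports whether the Timestamps option (kind 8) is present and well formed. The sample headers are constructed inline; a real check would feed in the TCP header bytes of the captured Client Hello segment.

```python
# Added example, not from the original post: parse TCP options from a raw
# TCP header and extract the Timestamps option (kind 8, RFC 7323).
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8


def parse_tcp_options(header: bytes) -> dict:
    """Return {kind: payload} for every option in a raw TCP header.
    Data offset (upper nibble of byte 12) is the header length in 32-bit words."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts, parsed, i = header[20:data_offset], {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break            # end of option list; the rest is padding
        if kind == TCP_OPT_NOP:
            i += 1           # single-byte alignment padding
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        length = opts[i + 1]
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def tcp_timestamps(header: bytes):
    """(TSval, TSecr) if a well-formed Timestamps option is present, else None."""
    ts = parse_tcp_options(header).get(TCP_OPT_TIMESTAMP)
    return struct.unpack("!II", ts) if ts is not None and len(ts) == 8 else None


def build_header(options: bytes) -> bytes:
    """Constructed test helper: fixed 20-byte SYN header to port 443 plus options."""
    options += b"\x00" * (-len(options) % 4)
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                        ((20 + len(options)) // 4) << 4, 0x02, 65535, 0, 0)
    return fixed + options


# Constructed samples: the SYN option layout a Linux stack emits with and
# without tcp_timestamps=1 (MSS, SACK-permitted, [Timestamps], NOP, WScale).
WITH_TS = build_header(b"\x02\x04\x05\xb4\x04\x02\x08\x0a"
                       + struct.pack("!II", 123456, 0) + b"\x01\x03\x03\x07")
WITHOUT_TS = build_header(b"\x02\x04\x05\xb4\x01\x01\x04\x02\x01\x03\x03\x07")
```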
2. Related discussions
This method is not a cure-all. Here is a summary of the relevant GitHub discussions for reference:
- The TCP Timestamps option cannot bypass SNI blocking at the GFW nodes located in Beijing, Shanghai and Guangzhou.
- TCP Fast Open can bypass the SNI blocking of the GFW nodes in Beijing, Shanghai and Guangzhou (only IPv4 and IPv6 egress via Guangzhou was tested), but Xray's TCP Fast Open only works on Linux and has no effect when enabled on Windows.
Enable TCP Timestamps to Bypass SNI Blocking