A questioned on how GreenTunnel and networking works ;D

[uczpre]

"we send it in 2 parts: first comes GET / HTTP/1.0 \n Host: www.you and second sends as tube.com \n .... In this example, ISP cannot find blocked word youtube in packets and you can bypass it!"
-This works because we still have the real ip of the server while the domain name can be used by the server to find out which service it's hosting right ?
"GreenTunnel use DNS over HTTPS and DNS over TLS to get real IP address and bypass DNS Spoofing."
-DNS HTTPS to a neutral non blocking DNS like cloudflare 1.1.1.1 ?

pls help :D

[EbrahimTahernejad]

The problem

China and Iran's GFW have a bunch of systems to detect and drop connections, one of which is the live packet sniffing system.
It works on the 3rd layer of the network, the IP layer.

TLS (SSL)

Let's first see how a TLS handshake works

Those white boxes are not encrypted, so the only points they can sniff and make something out of what the connection is about are those parts.

The packet they are sniffing is the ClientHello packet. Which is structured like this:

As you can see, there are several extensions at the end.
One of these extensions is server_name which for example could be youtube.com.
If the GFW sees a packet containing the server_name with unwanted values, it will drop such packets disturbing the handshake process.

Plain HTTP

The same goes for plain HTTP, but this time, there is no server_name, the whole packet body is unencrypted so they need to just first confirm it's an HTTP packet and then check if the packet contains the text Host: youtube.com \n

Solution

There is a big issue with these "live" systems. There are too many packets, and holding on to previous packets puts a huge toll on these systems as there are a lot of source-destination IP pairs.

TLS

There is a solution for "large packets" is network layer 3 (IP Layer): Fragmentation

Let's say I'm sending a packet of size 4000. If you check your internet connection, you'll probably see an MTU around the size 1500.
It's a router's job to split these packets into multiple "Fragments" (Read more: https://en.wikipedia.org/wiki/IP_fragmentation)

Relying on GFW's inability to hold previous fragments of a ClientHello packet, we'll create artificial fragments from a ClientHello packet.

Plain HTTP

When the host header is seen, split the packet into 2 from the middle of the value of that host.

DNS

Plain DNS requests are sniffable (and hijackable). So we can use DNS over HTTPS and DNS over TLS to tackle this issue.

References

TLS image source: D. Shamsimukhametov, A. Kurapov, M. Liubogoshchev and E. Khorov, "Is Encrypted ClientHello a Challenge for Traffic Classification?," in IEEE Access, vol. 10, pp. 77883-77897, 2022, doi: 10.1109/ACCESS.2022.3191431.

Fragmentation image source: https://en.wikipedia.org/wiki/IP_fragmentation