
How China Detects and Blocks Shadowsocks - JayXon
https://gfw.report/blog/gfw_shadowsocks/
======
LinuxBender
Suggestion to the folks in China: Consider using a combination of port
knocking and conditional DNAT's in iptables, so that legit sources port
knocking with the right key will go to shadowsocks and probes will go to
something that could be mistaken as it, but is harmless in the eyes of those
managing the GFW.

There is a tool that does something similar, SSLH [1], that will route SSH,
HTTPS and VPN traffic to the right daemon. Similar idea, different
implementation. Perhaps you could contact the author and have them add support
for Shadowsocks. Then have two daemons, the legit Shadowsocks, and a dummy
daemon that is something else. Perhaps even get the devs for SS and SSLH to
brainstorm together on this.

[1] - [https://github.com/yrutschle/sslh](https://github.com/yrutschle/sslh)

