On Sat, Jan 07, 2023 at 10:13:25AM -0500, Kevin Bock wrote:

My apologies if everyone is already aware of this: I wanted to share a new paper I came across this morning out of China this past week that suggests low-cost identification methods for snowflake traffic. One of their detection mechanisms is by identifying the STUN DNS lookups, so I thought it was relevant to this discussion, but they also propose using other features of the DTLS handshake for identification.

Thanks, I was not aware of this.

I'm a little surprised this was published, but better to know now than have to reverse engineer later I suppose.

It's not so unusual—there's more of this kind of thing in the open literature than one might expect. The corresponding author Cheng Guang (程光) of Southeast University is also one of the inventors on a patent for V2Ray identification using entropy features: https://patents.google.com/patent/CN113301041

His publication history has a lot of research in this line: https://dblp.org/pid/99/4812-1.html And he has regular old IEEE, ACM, and other profiles: https://ieeexplore.ieee.org/author/37653483600 https://dl.acm.org/profile/81423595524 https://kns.cnki.net/kcms/detail/knetsearch.aspx?sfield=au&code=00004202...