China
Blocking is performed by dropping packets from the client to the server, rather than by injecting packets with the RST flag, as was previously done for selective blocking based on SNI content. After a packet with ESNI is blocked, all further packets matching the same combination of source IP, destination IP and destination port are also dropped for 120 to 180 seconds. HTTPS connections using older TLS versions, or TLS 1.3 without ESNI, pass through as usual.
Recall that the SNI extension was developed to allow several HTTPS sites to operate on the same IP address: it transmits the host name in clear text in the ClientHello message, which is sent before the encrypted channel is established. This lets an ISP selectively filter HTTPS traffic and see which sites a user opens, so HTTPS alone does not provide complete confidentiality.
The new TLS extension ECH (formerly ESNI), which can be used together with TLS 1.3, removes this shortcoming and completely eliminates the leak of the requested site name during inspection of HTTPS connections. Combined with access through a content delivery network, ECH/ESNI also makes it possible to hide the IP address of the requested resource from the provider. Traffic inspection systems see only connections to the CDN and cannot apply blocking without spoofing the TLS session, in which case the user's browser displays a certificate-substitution warning. DNS remains a possible leak channel, but the client can use DNS-over-HTTPS or DNS-over-TLS to hide DNS lookups.
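To make the difference concrete, here is an added example (not from the original article or from any of the tools it mentions) that parses a ClientHello the way a passive inspector on the path would, reporting the plaintext SNI, whether TLS 1.3 is offered, and whether the draft ESNI or ECH extension is present; it then applies the blocking rule the article describes. The ESNI and ECH extension codepoints are the draft-era values and the ClientHello fixtures are constructed inline, not captured traffic.

```python
import struct

# Extension codepoints; ESNI/ECH values are draft-era (assumption: 0xffce ESNI, 0xfe0d ECH).
EXT_SNI, EXT_SUPPORTED_VERSIONS, EXT_ESNI, EXT_ECH = 0, 43, 0xFFCE, 0xFE0D

def parse_client_hello(record: bytes) -> dict:
    """Return what a passive inspector can read from an unencrypted ClientHello record."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    p = 4 + 2 + 32                                   # handshake header, legacy_version, random
    p += 1 + body[p]                                 # legacy_session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher_suites
    p += 1 + body[p]                                 # compression_methods
    p, end = p + 2, p + 2 + struct.unpack("!H", body[p:p + 2])[0]   # extensions block
    info = {"sni": None, "tls13": False, "esni": False, "ech": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == EXT_SNI:                         # list_len(2) type(1) name_len(2) name
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:        # len(1) then 2-byte versions
            info["tls13"] = 0x0304 in {struct.unpack("!H", data[i:i + 2])[0]
                                       for i in range(1, 1 + data[0], 2)}
        elif etype == EXT_ESNI:
            info["esni"] = True
        elif etype == EXT_ECH:
            info["ech"] = True
    return info

def affected_by_described_policy(info: dict) -> bool:
    """The article's rule: only TLS 1.3 ClientHellos carrying ESNI are dropped."""
    return info["tls13"] and info["esni"]

# --- constructed fixtures (not captured traffic) ---
def build_client_hello(extensions) -> bytes:
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    ch = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # legacy_version, random, empty session id
          + b"\x00\x02\x13\x01" + b"\x01\x00"         # one cipher suite, null compression
          + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_ext(host: str) -> bytes:
    name = host.encode("ascii")
    return struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
TLS13 = (EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")
PLAIN_SNI_HELLO = build_client_hello([(EXT_SNI, sni_ext("example.com")), TLS13])
ESNI_HELLO = build_client_hello([TLS13, (EXT_ESNI, b"\x00" * 16)])  # opaque placeholder
```

Running the parser over a real capture shows the same contrast: with plain SNI the host name is readable by anyone on the path, while with ESNI/ECH only the extension's presence is visible.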
Researchers are already
Another workaround is to use a non-standard connection negotiation sequence; for example, the blocking does not trigger when an additional SYN packet with an incorrect sequence number is sent beforehand, when packet fragmentation flags are manipulated, when a packet with both the FIN and SYN flags set is sent, when an RST packet with an incorrect checksum is substituted, or when a packet with the SYN and ACK flags set is sent before connection negotiation begins. The described methods are already implemented as a plugin for the toolkit
Source: opennet.ru