Release of outline-ss-server 1.4, Shadowsocks proxy implementation from the Outline project

The outline-ss-server 1.4 proxy server has been released. It uses the Shadowsocks protocol to hide the nature of traffic, bypass firewalls and evade packet inspection systems. The server is developed by the Outline project, which also provides a set of client applications and a management interface for quickly deploying multi-user Shadowsocks servers based on outline-ss-server in public cloud environments or on your own hardware, managing them through a web interface and organizing user access by keys. The code is developed and maintained by Jigsaw, a division of Google created to build tools for circumventing censorship and enabling the free exchange of information.

Outline-ss-server is written in Go and distributed under the Apache 2.0 license. The code of the go-shadowsocks2 proxy server, created by the Shadowsocks developer community, is used as the basis. Recently the main activity of the Shadowsocks project has focused on developing a new server in Rust, and the Go implementation has not been updated for more than a year and is noticeably behind in functionality.

The differences between outline-ss-server and go-shadowsocks2 come down to support for connecting multiple users through a single network port, the ability to open several network ports for incoming connections, hot restart and configuration reloading without dropping connections, and built-in monitoring and traffic measurement tools based on the prometheus.io platform.


The outline-ss-server also adds protection against probing and traffic replay attacks. A probing attack aims to determine whether a proxy is present: for example, an attacker can send data of various sizes to the target Shadowsocks server and analyze how much data the server reads before it detects an error and closes the connection. A replay attack is based on capturing a session between a client and a server and then resending the captured data to determine whether a proxy is present.

To protect against probing, when invalid data arrives outline-ss-server neither terminates the connection nor reports an error, but keeps receiving data, acting as a kind of black hole. To protect against replay, data received from the client is additionally checked for repetition against checksums stored for the last few thousand handshake sequences (at most 40 thousand; the size is set at server startup, and each stored sequence consumes 20 bytes of memory). To block replays of server responses, all server handshake sequences use HMAC authentication codes with 32-bit tags.
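As an added illustration of the client-side replay check described above (this is not the project's own code), a bounded Go cache that keeps a 20-byte fingerprint per handshake and evicts the oldest entry once the configured capacity is reached. The SHA-256 truncation, the ring-buffer eviction and the `ReplayCache` API are assumptions; the article only states the capacity and per-entry memory figures.

```go
package main

import (
	"crypto/sha256"
	"sync"
)

// fingerprintSize is the 20 bytes of state kept per remembered handshake.
const fingerprintSize = 20

type fingerprint [fingerprintSize]byte

// ReplayCache remembers the fingerprints of the last `capacity` handshakes.
// Assumed design: a set for O(1) lookup plus a ring for oldest-first eviction.
type ReplayCache struct {
	mu       sync.Mutex
	capacity int
	seen     map[fingerprint]struct{}
	order    []fingerprint // ring of fingerprints in insertion order
	next     int           // ring slot that holds the oldest entry once full
}

// NewReplayCache builds a cache sized at startup (capacity must be > 0).
func NewReplayCache(capacity int) *ReplayCache {
	return &ReplayCache{
		capacity: capacity,
		seen:     make(map[fingerprint]struct{}, capacity),
		order:    make([]fingerprint, capacity),
	}
}

// fingerprintOf truncates SHA-256 of the handshake bytes to 20 bytes.
func fingerprintOf(handshake []byte) fingerprint {
	sum := sha256.Sum256(handshake)
	var fp fingerprint
	copy(fp[:], sum[:fingerprintSize])
	return fp
}

// Add records a handshake and reports true if it was already seen,
// i.e. the incoming data is a replay of an earlier client handshake.
func (c *ReplayCache) Add(handshake []byte) bool {
	fp := fingerprintOf(handshake)
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, dup := c.seen[fp]; dup {
		return true
	}
	if len(c.seen) == c.capacity { // full: forget the oldest fingerprint
		delete(c.seen, c.order[c.next])
	}
	c.order[c.next] = fp
	c.next = (c.next + 1) % c.capacity
	c.seen[fp] = struct{}{}
	return false
}
```

With the article's figures, a 40,000-entry cache holds about 800 KB of fingerprints; a replayed handshake is detected only while its fingerprint is still within the window.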

In terms of traffic hiding, the Shadowsocks protocol as implemented in outline-ss-server is close to the Obfs4 pluggable transport of the Tor anonymity network. The protocol was created to bypass China's traffic censorship system (the "Great Firewall of China") and hides traffic forwarded through another server quite effectively (the traffic is hard to identify because a random seed is attached and a continuous stream is simulated).

SOCKS5 is used as the protocol for proxying requests: a proxy with SOCKS5 support runs on the local system and tunnels traffic to a remote server, which actually performs the requests. Traffic between the client and the server is placed in an encrypted tunnel (the authenticated encryption modes AEAD_CHACHA20_POLY1305, AEAD_AES_128_GCM and AEAD_AES_256_GCM are supported); hiding the fact that such a tunnel exists is the primary task of Shadowsocks. TCP and UDP tunneling is supported, as is the creation of arbitrary tunnels not limited to SOCKS5 through plug-ins reminiscent of Tor's pluggable transports.

Source: opennet.ru