The outline-ss-server 1.4 proxy server has been released. It uses the Shadowsocks protocol to hide traffic patterns, bypass firewalls, and deceive packet inspection systems. The server is developed by the Outline project, which additionally provides a set of client applications and a management interface that allow rapid deployment of multi-user Shadowsocks servers based on outline-ss-server in public cloud environments or on on-premises hardware, management of those servers via a web interface, and organization of user access using keys. The code is developed and maintained by Jigsaw, a division within Google created to develop tools for censorship circumvention and to facilitate the free exchange of information.
Outline-ss-server is written in Go and distributed under the Apache 2.0 license. It is based on the code of the go-shadowsocks2 proxy server, created by the Shadowsocks developer community. Recently, the main activity of the Shadowsocks project has focused on developing a new server in the Rust language, while the Go implementation has not been updated for over a year and is noticeably lagging behind in functionality.
The differences between outline-ss-server and go-shadowsocks2 come down to support for connecting multiple users through a single network port, the ability to open multiple network ports to receive connections, support for hot restart and configuration updates without breaking connections, and built-in monitoring and traffic modification tools based on the prometheus.io platform.

Outline-ss-server also adds protection against attacks that send verification (probe) requests and against traffic replay. A verification request attack is aimed at detecting the presence of a proxy; for example, an attacker can send data sets of varying sizes to the target Shadowsocks server and analyze how much data the server reads before detecting an error and closing the connection. A traffic replay attack is based on hijacking the session between the client and server, followed by an attempt to resend the intercepted data to determine the presence of a proxy.
To protect against attacks through verification requests, outline-ss-server does not terminate the connection or report an error when incorrect data arrives, but continues to receive information, acting as a kind of black hole. To protect against replay, the data received from the client is additionally checked for repetitions using checksums stored for the last few thousand handshake sequences (maximum 40 thousand; the size is set at server startup and consumes 20 bytes of memory per sequence). To block repeated responses from the server, all server handshake sequences use HMAC authentication codes with 32-bit tags.
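The bounded replay check described above can be sketched as follows. This is an added example, not code from outline-ss-server: the names `ReplayCache`, `NewReplayCache` and `Add`, the use of a truncated SHA-256 as the 20-byte checksum, and oldest-first eviction are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
)

const MaxCapacity = 40000 // ceiling quoted in the article
type digest [20]byte      // 20 bytes remembered per handshake, as in the article

type ReplayCache struct { // hypothetical bounded set of recent handshake digests
	mu   sync.Mutex
	seen map[digest]struct{}
	ring []digest // insertion order, used to evict the oldest entry
	next int
}

// NewReplayCache fixes the window size at startup; out-of-range sizes use the ceiling.
func NewReplayCache(capacity int) *ReplayCache {
	if capacity < 1 || capacity > MaxCapacity {
		capacity = MaxCapacity
	}
	return &ReplayCache{seen: make(map[digest]struct{}, capacity), ring: make([]digest, capacity)}
}

// Add records a client handshake and returns false if it repeats one still in the window.
func (c *ReplayCache) Add(handshake []byte) bool {
	sum := sha256.Sum256(handshake)
	var d digest
	copy(d[:], sum[:]) // assumption: SHA-256 truncated to 20 bytes as the checksum
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, dup := c.seen[d]; dup {
		return false // replay: the caller keeps reading silently instead of closing
	}
	if len(c.seen) == len(c.ring) {
		delete(c.seen, c.ring[c.next]) // window full: forget the oldest handshake
	}
	c.ring[c.next], c.seen[d] = d, struct{}{}
	c.next = (c.next + 1) % len(c.ring)
	return true
}

func main() {
	c := NewReplayCache(2) // constructed demo: tiny window, made-up handshake bytes
	for _, h := range []string{"salt-A", "salt-B", "salt-A", "salt-C", "salt-A"} {
		fmt.Printf("%s fresh=%v\n", h, c.Add([]byte(h)))
	}
}
```

The last `salt-A` is accepted again because it has fallen out of the two-entry window, which is why the window size chosen at startup bounds how far back a replay can be detected.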
In terms of the level of traffic concealment, the Shadowsocks protocol as implemented in outline-ss-server is similar to the Obfs4 pluggable transport in the Tor anonymity network. The protocol was created to bypass China's Great Firewall and allows for fairly effective obfuscation of traffic routed through another server (the traffic is difficult to identify thanks to the inclusion of a random seed and the simulation of a continuous flow).
SOCKS5 is used as the proxy protocol for requests. A SOCKS5-enabled proxy is launched on the local system, which tunnels traffic to the remote server from which the requests are actually executed. Traffic between the client and server is placed in an encrypted tunnel (AEAD_CHACHA20_POLY1305, AEAD_AES_128_GCM, and AEAD_AES_256_GCM authenticated encryption is supported); concealing the fact that the tunnel is being created is the primary goal of Shadowsocks. TCP and UDP tunneling is supported, as well as the creation of custom tunnels not limited to SOCKS5, through the use of plugins similar to Tor's pluggable transports.
Source: opennet.ru
