How nDPI Identifies Fully Encrypted Protocols
The paper How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic describes a technique used in censorship to identify and block fully encrypted protocols. This approach, limited to TCP flows, applies a few heuristics to the first TCP packet that carries a payload, which makes it fast and cheap to run, at the cost of a small (< 1%) rate of false positives:
Ex1: popcount(pkt) / len(pkt) ≤ 3.4 or popcount(pkt) / len(pkt) ≥ 4.6.
Ex2: The first six (or more) bytes of pkt fall within [0x20, 0x7e] (printable ASCII).
Ex3: More than …
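The two heuristics quoted above (Ex1 and Ex2) implemented over a first payload packet, as an added example that is not nDPI's own code or code from the paper: each exemption is its own function, a packet that fires neither is reported as a fully-encrypted candidate, and the sample payloads are constructed here. The handling of payloads shorter than six bytes in Ex2 is an assumption, not something the page states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Count set bits in one byte (portable, no compiler builtin needed). */
static unsigned popcount8(uint8_t b) {
    unsigned n = 0;
    while (b) { n += b & 1u; b >>= 1; }
    return n;
}

/* Ex1: the flow is exempted when the average number of set bits per payload
 * byte is <= 3.4 or >= 4.6, i.e. the payload does not look random enough to
 * be a fully encrypted stream. Returns 1 when the exemption fires. */
int ex1_bits_per_byte_exempt(const uint8_t *pkt, size_t len) {
    if (len == 0) return 1;                 /* no payload: nothing to classify */
    unsigned long bits = 0;
    for (size_t i = 0; i < len; i++) bits += popcount8(pkt[i]);
    double per_byte = (double)bits / (double)len;
    return per_byte <= 3.4 || per_byte >= 4.6;
}

/* Ex2: the flow is exempted when each of the first six bytes is printable
 * ASCII (0x20..0x7e). Assumption (not stated on the page): a payload shorter
 * than six bytes cannot satisfy Ex2 and is therefore not exempted here. */
int ex2_leading_printable_exempt(const uint8_t *pkt, size_t len) {
    if (len < 6) return 0;
    for (size_t i = 0; i < 6; i++)
        if (pkt[i] < 0x20 || pkt[i] > 0x7e) return 0;
    return 1;
}

/* A first payload packet that fires neither exemption is flagged as a
 * fully-encrypted candidate. Ex3 and any later checks are not modelled. */
int fully_encrypted_candidate(const uint8_t *pkt, size_t len) {
    return !ex1_bits_per_byte_exempt(pkt, len) &&
           !ex2_leading_printable_exempt(pkt, len);
}

/* Constructed sample payloads: 16 random-looking bytes (66 set bits, i.e.
 * 4.125 bits per byte) and the start of an HTTP request. */
static const uint8_t SAMPLE_RANDOM[16] = {
    0x8f, 0x1b, 0xc3, 0x5a, 0xe7, 0x02, 0x9d, 0x74,
    0x8f, 0x1b, 0xc3, 0x5a, 0xe7, 0x02, 0x9d, 0x74 };
static const uint8_t SAMPLE_HTTP[] = "GET / HTTP/1.1\r\n";

int main(void) {
    printf("random-looking payload flagged: %d\n",
           fully_encrypted_candidate(SAMPLE_RANDOM, sizeof SAMPLE_RANDOM));
    printf("http payload flagged: %d\n",
           fully_encrypted_candidate(SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1));
    return 0;
}
```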