
Thanks! Yes, the DPI systems I've tested against only look at the first ClientHello in a connection. They don't do full TCP reassembly. The fake packet arrives first (eBPF fires synchronously before the app sends data), DPI records that SNI, and the real ClientHello passes through unchecked.

More sophisticated DPI (like China's GFW) does reassembly and would likely catch this. But for simpler stateless DPI, it works.

Good analogy with domain fronting. The key difference is exactly what you said: the server sees the real SNI, so no server-side cooperation needed.
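As an added illustration of the detection side (not code from the commenter), the following Python shows why a reassembling inspector catches the decoy: it walks every TLS record in a client-to-server byte stream, extracts the SNI from each ClientHello, and flags a stream that carries more than one. The stream and the ClientHello builder are constructed here for the example; real traffic would come from TCP reassembly.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello record with only an SNI extension (test input)."""
    host = sni.encode()
    name = struct.pack("!BH", 0, len(host)) + host            # name_type = host_name
    sni_ext = struct.pack("!H", len(name)) + name              # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext   # extension_type = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"               # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(hs: bytes):
    """Return the SNI host name from one ClientHello handshake message, or None."""
    pos = 4 + 2 + 32                                           # handshake header, version, random
    pos += 1 + hs[pos]                                         # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # cipher suites
    pos += 1 + hs[pos]                                         # compression methods
    if pos + 2 > len(hs):
        return None
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        if etype == 0:                                         # server_name extension
            nlen = struct.unpack("!H", hs[pos + 7:pos + 9])[0]
            return hs[pos + 9:pos + 9 + nlen].decode(errors="replace")
        pos += 4 + elen
    return None

def client_hello_snis(stream: bytes) -> list:
    """Collect the SNI of every ClientHello in a reassembled client->server stream."""
    snis, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, rlen = stream[pos], struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        payload = stream[pos + 5:pos + 5 + rlen]
        if ctype == 0x16 and payload[:1] == b"\x01":           # handshake record, client_hello
            snis.append(sni_from_client_hello(payload))
        pos += 5 + rlen
    return snis

def decoy_sni_suspected(stream: bytes) -> bool:
    """True when the stream carries more than one ClientHello: an inspector that stops
    at the first ClientHello would have trusted the first SNI and missed the rest."""
    return len(client_hello_snis(stream)) > 1
```

An inspector that only parses the first ClientHello returns the first element of `client_hello_snis` and never sees the second, which is exactly the gap the comment describes.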


