DPI-Bench evaluates DPI (Deep Packet Inspection) bypass techniques through systematic testing against real censorship infrastructure. This document describes the testing methodology, scoring criteria, and best practices.
Before running evasion tests, DPI-Bench validates each target:
- DNS Resolution — Resolve the target domain and verify DNS is not poisoned
- TCP Reachability — Confirm the target IP:port accepts TCP connections
- TLS Handshake — Verify a standard TLS handshake completes (or is blocked)
- HTTP Baseline — Send a plain HTTPS request to establish the baseline behavior
If the baseline HTTPS request succeeds, the target is not blocked from the test location, and evasion testing is skipped for that target. The most meaningful results come from targets that are actively blocked.
DPI-Bench attempts to identify the DPI system by analyzing:
- RST Timing — Time between ClientHello and RST packet (characteristic per DPI vendor)
- RST Pattern — Single RST, triple RST, delayed RST
- Block Pages — HTTP block page content matching against known DPI signatures
- DNS Behavior — Poisoned DNS responses indicating DNS-level filtering
- Connection Patterns — Timeout vs. RST vs. redirect behavior
Known DPI signatures include TSPU (Russia), Great Firewall (China), FortiGuard, Sandvine PacketLogic, and Netsweeper.
Each evasion technique is tested against each blocked target:
- Split the TLS ClientHello across TCP segment boundaries
- Test multiple split offsets (1, 2, 3, 5, 10, 40, 100 bytes)
- Measure which offsets succeed in bypassing the DPI
- Fake RST — Send a fake RST with low TTL before the real ClientHello
- Fake SYN+ACK — Inject a fake SYN+ACK to reset DPI state
- Disorder — Send TCP segments out of order
- Split with OOB — Use TCP urgent data to split the stream
- Send fake packets with TTL values that expire before the server
- Scan TTL 1-10 to find the optimal value
- Test both fake RST and fake data payloads
- Randomize JA3 fingerprint by shuffling cipher suites
- Add GREASE values to extensions
- Shuffle TLS extension order
- Mimic specific browser fingerprints
- Fragment SNI — Split the ClientHello at the SNI boundary
- Fake SNI — Send a ClientHello with a fake (allowed) domain first
- Empty SNI — Send a ClientHello with an empty SNI extension
- Replace SNI — Replace the SNI value with an allowed domain
- Omit SNI — Remove the SNI extension entirely
- Corrupt QUIC initial packets in specific ways
- Spoof version negotiation packets
- Manipulate connection IDs
Each test produces a binary result:
- PASS — The evasion technique successfully bypassed DPI and the target was accessible
- FAIL — The connection was blocked (RST, timeout, or block page)
Success is determined by:
- TLS handshake completed successfully
- HTTP response received with expected status code
- Response content does not match known block page signatures
- Pass Rate — Percentage of tests that succeeded
- Technique Effectiveness — Per-technique pass rate across all targets
- Target Difficulty — Per-target pass rate across all techniques
- Optimal Configuration — Best technique + parameters for each target
- Run from the censored network — Tests must be run from behind the DPI
- Use multiple targets — Test against several blocked domains for consistency
- Repeat tests — Run each test multiple times to account for intermittent behavior
- Document ISP and location — Results vary by ISP and region
- Test at different times — DPI behavior may change during peak hours
- Use a VPN baseline — Verify targets are accessible via VPN to confirm blocking
DPI-Bench is a research and testing tool. It should be used:
- For security research and academic study of censorship systems
- To evaluate the effectiveness of anti-censorship tools
- To document and understand network filtering implementations
Users are responsible for complying with applicable laws in their jurisdiction.