A new GitHub project demonstrates a sophisticated DPI bypass technique using eBPF's sock_ops to intercept TLS connections and inject fake ClientHello packets with spoofed SNI before the real handshake occurs. The method includes MSS clamping for packet fragmentation and integrates a built-in DoH resolver for enhanced stealth. This represents a significant advancement in network censorship evasion with potential implications for both security and privacy tools.
Background
Deep Packet Inspection (DPI) is commonly used by network operators to monitor and filter traffic, while eBPF is a Linux kernel technology that allows running sandboxed programs at various hook points. TLS handshake manipulation has become a key area in censorship circumvention research.
- Source: Lobsters
- Published: Apr 5, 2026 at 10:25 PM
- Score: 8.0 / 10