Is there a way to avoid active probing

[mmrabbani]

Some protocols are vulnerable to active probing and GFW can detect server by sending request to server.
If IP ranges that are used for active probing are known, Is there a way to avoid active probing by changing xray configuration?
For example, if I add syntax like this to server routing, will server block active probing servers? Or server still have handshake and can be detected by GFW?

  {
    "outboundTag": "blocked",
    "type": "field",
    "source": [
      "2.188.0.0/16",
    ],

[hawshemi]

First of all, IP addresses used for Probing are Unknown...
Second of all, you should not just block them. In contrast, you should forward them to an external website.
For example, in Reality config, we have dest parameter for this matter. In other protocols, you should use nginx to forward the suspicious IP addresses to an external website where you are stealing TLS traffic or something else...

One of the factors (especially for Iran GFW) is the response from the server when it's probed. It should NOT be blocked, it should send 200 OK status when it's requested. if the request is not completed the Iran-GFW will put the IP address on the Gray-List.

[mmrabbani]

First of all, IP addresses used for Probing are Unknown...

For Iran, most of active probing servers are belonging to Infrastructure company. So we we can detect most of infrastructure IPs (I know no list is 100% accurate)
https://www.ip2location.com/as49666
There may be other ways to detect GFW server in other countries.

For example, in Reality config, we have dest parameter for this matter.

Reality can be detected in Iran. I don't know it is because of active probing or not. but using "dest" cannot guarantee server normal behavior. I haven't tried nginx to forward traffic from suspicious IPs. I don't how easy would it be to have different behavior to different range IPs by nginx. Can you describe more?

if the request is not completed the Iran-GFW will put the IP address on the Gray-List.

Because there are many many website that follow US sanction and don't respond to Iranian IPs, not responding does not necessarily mean being suspicious.

It is helpful to have others contribute to this discussion

[hawshemi]

For Iran, most of active probing servers are belonging to Infrastructure company. So we we can detect most of infrastructure IPs (I know no list is 100% accurate) https://www.ip2location.com/as49666 There may be other ways to detect GFW server in other countries.

Actually, Iran has some other AS numbers that run probing like AS58224 and AS21341. Also, the IP ranges are vast and include most of the residential IP addresses from TCI (Mokhaberat) ISP. So we cannot just block the TCI ISP and hope the active probe can't probe the VPS IP.

Reality can be detected in Iran. I don't know it is because of active probing or not. but using "dest" cannot guarantee server normal behavior. I haven't tried nginx to forward traffic from suspicious IPs. I don't how easy would it be to have different behavior to different range IPs by nginx. Can you describe more?

Reality, by itself, cannot be detected in Iran (yet!), the Iranian GFW will probe the VPS IP address based on the IP range + total amount of traffic + SNI. these are 3 factors for the GFW. For example, you have an IP address from Hetzner starting 91.107. and using www.speedtest.net SNI. Because this combination is very popular and vast (and GFW knows this range from Hetzner and SNI), once the traffic is going through, the GFW starts to probe and limit the UL/DL speed or 10x the jitter ping based on TLS traffic (non-TLS traffic like plain vless-http is OK)
I investigated the configurations from the servers that were banned by MCI and TCI last month. And I can say 90% of them had wrong configurations and were from famous IP ranges with wrong SNIs. (For example, the VPS IP address was from Germany but the SNI was from the US and not even close to the VPS IP address). The relation between the VPS IP address and SNI is very important and needs to be configured precisely.

Because there are many many website that follow US sanction and don't respond to Iranian IPs, not responding does not necessarily mean being suspicious.

I meant the HTTP status code. even when a website has blocked an Iranian IP address, it will return 403 forbidden code. GFW doesn't care about the content or website, all it needs is some sort of insurance that the VPS IP address is not used by proxy trafficking. When there is absolutely nothing on the VPS IP address the return code is 503 which is Service Unavailable. This is NOT OK for GFW, all we need is to handle that request.

I'm writing an article about Iran-GFW and its behaviour as I tested with different kinds of protocols and logged the requests. All I can say now is Iran definitely has Active-Probing like China. But it can be handled with a simple forwarder, like nginx or dest from reality.