Thanks! Yes, the DPI systems I've tested against only look at
the first ClientHello in a connection. They don't do full TCP
reassembly. The fake packet arrives first (eBPF fires
synchronously before the app sends data), DPI records that SNI,
and the real ClientHello passes through unchecked.

More sophisticated DPI (like China's GFW) does reassembly and
would likely catch this. But for simpler stateless DPI, it works.

Good analogy with domain fronting. The key difference is exactly
what you said: the server sees the real SNI, so no server-side
cooperation needed.
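The difference between the two kinds of DPI described above, as an added example that is not part of the thread and not anyone's tooling: a minimal ClientHello SNI parser, a stateless inspector that records only the first ClientHello it sees in a flow, and a stateful inspector that keeps parsing every ClientHello in the stream and flags a flow whose ClientHellos disagree on SNI. The hostnames and the `build_client_hello` helper are constructed test input only; the inspector function names are this example's own.

```python
"""Stateless vs stateful ClientHello inspection (added example, constructed input)."""
import struct


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI extension.
    Constructed test input only; every field other than the SNI is a placeholder."""
    host = sni.encode()
    server_name_list = struct.pack("!BH", 0, len(host)) + host          # name_type host_name
    sni_ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
    extension = struct.pack("!HH", 0x0000, len(sni_ext_data)) + sni_ext_data  # ext type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"             # client_version TLS 1.2
        + b"\x00" * 32          # random (placeholder)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the SNI from a TLS ClientHello record, or None if it isn't one."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                          # skip handshake header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hs[pos]; pos += 1 + cm_len
    if pos + 2 > len(hs):
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if etype == 0x0000:
            # server_name: 2-byte list length, then name_type(1), name length(2), host
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def stateless_sni(flow):
    """Stateless DPI: take the SNI of the first ClientHello and stop inspecting."""
    for pkt in flow:
        sni = parse_sni(pkt)
        if sni is not None:
            return sni
    return None


def stateful_snis(flow):
    """Stateful DPI: keep parsing and return every ClientHello SNI seen in the flow."""
    return [s for s in (parse_sni(p) for p in flow) if s is not None]


def sni_mismatch(flow) -> bool:
    """Detection signal: more than one distinct SNI was offered on the same flow."""
    return len(set(stateful_snis(flow))) > 1


if __name__ == "__main__":
    # Constructed flow: a decoy ClientHello arrives before the real one.
    flow = [build_client_hello("decoy.example"), build_client_hello("real.example")]
    print("stateless saw:", stateless_sni(flow))    # decoy.example
    print("stateful saw: ", stateful_snis(flow))    # ['decoy.example', 'real.example']
    print("mismatch:     ", sni_mismatch(flow))     # True
```

The stateless inspector returns the decoy name and never looks again, which is the behaviour the comment describes; the stateful one sees both and can act on the disagreement. Note that a second ClientHello on one connection is legitimate after a TLS 1.3 HelloRetryRequest, so "two ClientHellos" alone is a weak signal; two ClientHellos with different SNIs is the stronger one, which is why `sni_mismatch` compares names rather than counting records.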