China's Internet being an Intranet means the GFW doesn't need to be precise in recognizing traffic flows. A few false positives are fine.
Some examples:
- Dropping GRE packets so PPTP VPN is not possible
- Sending TCP RST to both ends when a connection to dport=22 generates too much traffic
Also, from my understanding, it's not that hard to use some basic machine learning techniques to classify the traffic. That's the reason why the Tor project developed obfsproxy to obfuscate the traffic flow.
Obfuscation of traffic to make it not look like a VPN can be helpful, but traffic flow analysis based on source/origin IPs, timing and kbps/pps can still identify what looks like a VPN.