TCP Obfuscation Injection
TCP injection sends a 64-byte random payload packet after the TCP handshake with a low TTL.
The injected packet is intended to disturb DPI stream reconstruction state. To avoid affecting the real TCP conversation, it uses a low TTL, 3 by default, so it is expected to expire in transit instead of reaching the origin server.
desync:
inject: true
inject-ttl: 3UA3F builds a raw TCP packet with swapped source and destination addresses, ACK and PSH flags, a 65535 window, and random payload.
The packet is intended to expire in transit. UA3F checks the observed TTL/Hop Limit before injecting so the configured inject-ttl is not higher than the estimated distance.
If fixed TTL rewriting is also enabled, outbound traffic may contain both normal TTL packets and low-TTL injected packets. For example, regular outbound packets may use TTL 64, while injected packets use TTL 3.
