Suggestion to the folks in China: Consider using a combination of port knocking and conditional DNAT's in iptables, so that legit sources port knocking with the right key will go to shadowsocks and probes will go to something that could be mistaken as it, but is harmless in the eyes of those managing the GFW.<p>There is a tool that does something similar, SSLH [1], that will route SSH, HTTPS and VPN traffic to the right daemon. Similar idea, different implementation. Perhaps you could contact the author and have them add support for Shadowsocks. Then have two daemons, the legit Shadowsocks, and a dummy daemon that is something else. Perhaps even get the devs for SS and SSLH to brainstorm together on this.<p>[1] - <a href="https://github.com/yrutschle/sslh" rel="nofollow">https://github.com/yrutschle/sslh</a>