HACKING THE GREAT FIREWALL

From the archive, originally posted by: [ spectre ]

HACKING THE FIREWALL
http://www.lightbluetouchpaper.org/2006/06/27/ignoring-the-great-firewall-of-china/

“The Great Firewall of China is an important tool for the Chinese Government in their efforts to censor the Internet. It works, in part, by inspecting web traffic to determine whether or not particular words are present. If the Chinese Government does not approve of one of the words in a web page (or a web request), perhaps it says “f” “a” “l” “u” “n”, then the connection is closed and the web page will be unavailable – it has been censored. This user-level effect has been known for some time… but up until now, no-one seems to have looked more closely into what is actually happening (or when they have, they have misunderstood the packet level events).

It turns out, in the specific cases we’ve closely examined, that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection – and obey. Hence the censorship occurs.

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this – and it works just fine! Ignoring resets is trivial to achieve by applying simple firewall rules… and has no significant effect on ordinary working. If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device. We would argue that there is much to commend examining TTL values when considering defences against denial-of-service attacks using reset packets. Having operating system vendors provide this new functionality as standard would also be of practical use because Chinese citizens would not need to run special firewall-busting code (which the authorities might attempt to outlaw) but just off-the-shelf software (which they would necessarily tolerate).

NOTE: There’s also rather more to censorship in China than just the “Great Firewall” keyword detecting system – some sites are blocked unconditionally, and it is necessary to use other techniques, such as proxies, to deal with that. However, these static blocks are far more expensive for the Chinese Government to maintain, and are inherently more fragile and less adaptive to change as content moves around. So there remains real value in exposing the inadequacy of the generic system.”

RICHARD CLAYTON
http://www.cl.cam.ac.uk/~rnc1/
http://www.lightbluetouchpaper.org/
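
The TTL consistency check described in the quoted post, as an added example that is not code from the post or the paper: it parses raw IPv4/TCP headers and labels each RST by whether its TTL matches TTLs already seen on non-RST segments from the same sender on that flow. The 2-hop tolerance, the function names and the sample packets (documentation addresses) are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

RST = 0x04  # TCP RST flag bit

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, ttl, flags) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 14:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return pkt[12:16], pkt[16:20], sport, dport, pkt[8], pkt[ihl + 13]

def classify_resets(packets, tolerance=2):
    """Label each RST 'consistent', 'suspect' or 'unknown' by comparing its TTL with
    TTLs seen earlier on non-RST segments from the same sender on the same flow."""
    baseline = defaultdict(set)
    verdicts = []
    for raw in packets:
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            continue
        *flow, ttl, flags = parsed
        key = tuple(flow)
        if not flags & RST:
            baseline[key].add(ttl)          # genuine-looking traffic sets the baseline
        elif not baseline[key]:
            verdicts.append((ttl, "unknown"))  # nothing to compare against yet
        else:
            delta = min(abs(ttl - seen) for seen in baseline[key])
            verdicts.append((ttl, "consistent" if delta <= tolerance else "suspect"))
    return verdicts

def build(src, dst, sport, dport, ttl, flags):
    """Construct a 40-byte IPv4+TCP header pair (checksums left zero) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

# Constructed sample traffic (RFC 5737 documentation addresses), not a real capture.
SERVER, CLIENT = (203, 0, 113, 10), (198, 51, 100, 7)
SAMPLE = [
    build(SERVER, CLIENT, 80, 40000, 47, 0x12),  # SYN/ACK from the server
    build(SERVER, CLIENT, 80, 40000, 47, 0x18),  # PSH/ACK data segment
    build(SERVER, CLIENT, 80, 40000, 61, 0x04),  # RST whose TTL is far from the baseline
    build(SERVER, CLIENT, 80, 40000, 46, 0x14),  # RST/ACK within tolerance
]
print(classify_resets(SAMPLE))
```

Route changes can shift a genuine sender's TTL mid-connection, so a "suspect" verdict is a signal to weigh, not proof of injection.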

IGNORING THE GREAT FIREWALL OF CHINA
http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf

Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson
University of Cambridge Computer Laboratory

“The so-called “Great Firewall of China” operates, in part, by inspecting TCP packets for keywords that are to be blocked. If the keyword is present, TCP reset packets (viz: with the RST flag set) are sent to both endpoints of the connection, which then close. However, because the original packets are passed through the firewall unscathed, if the endpoints completely ignore the firewall’s resets, then the connection will proceed unhindered. Once one connection has been blocked, the firewall makes further easy-to-evade attempts to block further connections from the same machine. This latter behaviour can be leveraged into a denial-of-service attack on third-party machines.”

INTERNET FILTERING IN CHINA IN 2004-2005:
http://www.opennetinitiative.net/studies/china/ONI_China_Country_Study.pdf

“China’s Internet filtering regime is the most sophisticated effort of its kind in the world. Compared to similar efforts in other states, China’s filtering regime is pervasive, sophisticated, and effective. It comprises multiple levels of legal regulation and technical control.  It involves numerous state agencies and thousands of public and private personnel.  It censors content transmitted through multiple methods, including Web pages, Web logs, on-line discussion forums, university bulletin board systems, and e-mail messages.  Our testing found efforts to prevent access to a wide range of sensitive materials, from pornography to religious material to political dissent.  ONI sought to determine the degree to which China filters sites on topics that the Chinese government finds sensitive, and found that the state does so extensively.  Chinese citizens seeking access to Web sites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, the Tiananmen Square incident, opposition political parties, or a variety of anti-Communist movements will frequently find themselves blocked.  Despite conventional wisdom, though, ONI found that most major American media sites, such as CNN, MSNBC, and ABC, are generally available in China (though the BBC remains blocked). Moreover, most sites we tested in our global list’s human rights and anonymizer categories are accessible as well.  While it is difficult to describe this widespread filtering with precision, our research documents a system that imposes strong controls on its citizens’ ability to view and to publish Internet content.  Unlike the filtering systems in many other countries, China’s filtering regime appears to be carried out at various control points and also to be dynamic, changing along a variety of axes over time.

This combination of factors leads to a great deal of supposition as to how and why China filters the Internet.  These complexities also make it very difficult to render a clear and accurate picture of Internet filtering in China at any given moment.  Filtering takes place primarily at the backbone level of China’s network, though individual Internet service providers also implement their own blocking.  Our research confirmed claims that major Chinese search engines filter content by keyword and remove certain search results from their lists. Similarly, major Chinese Web log (“blog”) service providers either prevent posts with certain keywords or edit the posts to remove them. We found also that some keyword searches were blocked by China’s gateway filtering and not the search engines themselves.  Cybercafés, which provide an important source of access to the Internet for many Chinese, are required by law to track Internet usage by customers and to keep correlated information on file for 60 days.  As a further indication of the complexity of China’s filtering regime, we found several instances where particular URLs were blocked but the top-level domain of these URLs was accessible, despite the fact that the source of content appeared consistent across the domain – suggesting that filtering may be conducted at a finer level in China than in the other countries that we have studied closely.  Moreover, China’s Internet filtering appears to have grown more refined, sophisticated, and targeted during the years of ONI’s testing. China’s intricate technical filtering regime is buttressed by an equally complex series of laws and regulations that control the access to and publication of material online.
While no single statute specifically describes the manner in which the state will carry out its filtering regime, a broad range of laws – including media regulation, protections of “state secrets,” controls on Internet service providers and Internet content providers, laws specific to cybercafés, and so forth – provide a patchwork series of rationales and, in sum, massive legal support for filtering by the state.  The rights afforded to citizens as protection against filtering and surveillance, such as a limited privacy right in the Chinese Constitution, that otherwise might provide a counter-balance against state action on filtering and surveillance, are not clearly stated and are likely considered by the state to be inapplicable in this context. China operates the most extensive, technologically sophisticated, and broad-reaching system of Internet filtering in the world.  The implications of this distorted on-line information environment for China’s users are profound, and disturbing.”

OPEN NET INITIATIVE
Probing Chinese Search Engine Filtering
http://www.opennetinitiative.net/bulletins/005/

OVERVIEW
http://news.bbc.co.uk/2/hi/programmes/click_online/4587622.stm

SOME PUBLIC WEB-BASED CIRCUMVENTION SERVICES
www.peacefire.org
www.anonymizer.com
www.unipeak.com
www.anonymouse.org
www.proxyweb.net
www.guardster.com
www.webwarper.net
www.the-cloak.com
