Tuesday, June 27, 2006

Great Firewall of China Uses TCP Resets

This blog post about the Great Firewall of China by Cambridge University researchers is fascinating:

It turns out [caveat: in the specific cases we’ve closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

So China is censoring its citizens using ten-year-old technology. How long before they upgrade?

Update: Tom Ptacek shows this story is old news. Great historical insights Tom!

13 comments:

David Webb said...

The "ten year old technology" works very well. What is there to "upgrade?" Please elaborate.

Richard Bejtlich said...

David,

In their post (and paper) the Cambridge researchers explain how it is possible to break this system by ignoring resets. Chinese citizens who deploy such countermeasures will be able to evade the Great Firewall. The upgrade would occur if the Chinese government decides to implement real firewalling via access control lists on inline devices.

David Webb said...

Thanks for the response Rich. Yes, I read the paper too. The reset has to be ignored on both sides, not just the Chinese side. Basically, defeating the system boils down to breaking TCP conventions on at least packets from China. Once we all do that, then they will upgrade the firewall. Point is, they made sure the technique is economically feasible to them and intractable to the rest of the world. I don’t think they are the ones who need the upgrade. What say you?

Richard Bejtlich said...

This is easy to beat. Assume you are a dissident running a Web site in China. Someone from the US tries to visit. RST RST to the Web site, RST RST to the visitor. Solution: Web site ignores RSTs from "visitors," visitors ignore RSTs from "Web site." This is not something that can be done by the average Joe, but neither are many other techniques that evade controls. Result: US visitor sees Chinese dissident Web site.

Now reverse it. Assume you are a Chinese dissident trying to visit a US Web site. Same solution.

Hence, the Chinese government will have to upgrade their "firewall" if they want to keep their citizens locked down.

Anonymous said...

Check out www.proxydom.com to access blocked sites.

Chris Byrd said...

The "Great Firewall of China" as described in the article, if correct, isn't a firewall at all. In addition to the simplicity of bypassing it by ignoring RSTs from (and in) China (or, as the article suggests, ignoring RSTs with a different TTL value than the SYN and SYN/ACK), it ignores one basic fact: that the Internet != HTTP. Simply using SSL (HTTPS), SSH, or any number of other encrypted protocols would work fine. So too would any non-TCP protocol. To truly "protect" their population from outside ideas, they'd need to run application proxies for every allowed protocol, which may not be economically feasible/justifiable.

- Chris
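The two observations above, the quoted post's "series of TCP reset packets ... sent to each end" and Chris's point that an injected RST tends to carry a different TTL than the SYN/SYN-ACK from the same endpoint, can be turned into passive detection logic. The following is an added example (not code from the Cambridge researchers, the blog author or any commenter). It assumes a simple packet-record format of its own and constructed addresses and TTL values; in practice the records would come from a capture tool, and the TTL heuristic can false-positive when a peer's route changes mid-connection.

```python
"""Flag TCP resets that look injected by a middlebox rather than sent by the real peer.

Added example for this thread; the packet format and all sample values are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "A", "PA", "RA"
    ttl: int       # IP TTL as seen by the capture point


def flow_key(p):
    """Order the two endpoints so both directions of a connection map to one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def find_suspicious_resets(packets, burst_window=0.05, min_burst=2):
    """Return (reason, packet) pairs for RSTs that look injected.

    ttl_mismatch: the RST's TTL differs from the TTL the same endpoint used in its
                  SYN or SYN/ACK, so it probably travelled a different path length
                  (the heuristic from the comment above).
    rst_burst:    several RSTs hit one flow within burst_window seconds, where a
                  genuine close needs one (the "series of resets" from the quoted post).
    """
    endpoint_ttl = {}                 # (flow, endpoint) -> TTL seen on its handshake packet
    rst_times = defaultdict(list)     # flow -> timestamps of RSTs seen so far
    findings = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        sender = (p.src, p.sport)
        if p.flags in ("S", "SA"):
            endpoint_ttl.setdefault((key, sender), p.ttl)
            continue
        if "R" not in p.flags:
            continue
        known = endpoint_ttl.get((key, sender))
        if known is not None and known != p.ttl:
            findings.append(("ttl_mismatch", p))
        rst_times[key].append(p.ts)
        recent = [t for t in rst_times[key] if p.ts - t <= burst_window]
        if len(recent) == min_burst:      # fire once, when the threshold is first reached
            findings.append(("rst_burst", p))
    return findings


def summarize(findings):
    """Count findings by reason, as a plain dict."""
    return dict(Counter(reason for reason, _ in findings))


# Constructed sample: client C talks to web server S. Flow 1 gets a burst of
# RSTs aimed at both ends with TTLs unlike the handshake; flow 2 is a genuine RST.
C, S = "203.0.113.10", "198.51.100.5"
SAMPLE_PACKETS = [
    Pkt(1.000, C, 40000, S, 80, "S", 57),
    Pkt(1.002, S, 80, C, 40000, "SA", 49),
    Pkt(1.004, C, 40000, S, 80, "A", 57),
    Pkt(1.006, C, 40000, S, 80, "PA", 57),   # request that trips the keyword filter
    Pkt(1.010, S, 80, C, 40000, "RA", 61),   # forged "from the server" to the client
    Pkt(1.011, C, 40000, S, 80, "RA", 62),   # forged "from the client" to the server
    Pkt(1.012, S, 80, C, 40000, "RA", 61),
    Pkt(1.013, C, 40000, S, 80, "RA", 62),
    Pkt(1.014, S, 80, C, 40000, "RA", 61),
    Pkt(1.015, C, 40000, S, 80, "RA", 62),
    Pkt(2.000, C, 40001, S, 80, "S", 57),
    Pkt(2.002, S, 80, C, 40001, "SA", 49),
    Pkt(2.004, S, 80, C, 40001, "RA", 49),   # real server reset, TTL matches its SYN/ACK
]

if __name__ == "__main__":
    for reason, p in find_suspicious_resets(SAMPLE_PACKETS):
        print(f"{p.ts:.3f} {reason:12s} {p.src}:{p.sport} -> {p.dst}:{p.dport} ttl={p.ttl}")
    print(summarize(find_suspicious_resets(SAMPLE_PACKETS)))
```

Run against the constructed sample, every RST in flow 1 is reported for TTL mismatch and the flow is flagged once for a reset burst, while flow 2's genuine RST produces nothing. Both heuristics are only indicators: the TTL check needs a handshake in the capture to anchor on, and a host that really does tear down a connection can legitimately send more than one RST.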

Richard Bejtlich said...

Chris, I partially agree as far as non-TCP protocols go. But for TCP, they could have a knock-down rule for any TCP traffic to/from any censored site.

For UDP, spoofed ICMP unreachable messages and other ICMP errors could be used.

Outside of that, I agree this is not an effective method of access control (which is good for freedom, thankfully).

mcburton said...

Richard,
I think the key here is "effective enough." East Asian countries (pardon my blanket assumption...call me culturally insensitive) I have noticed deploy a "non-deterministic" approach to problem solving. For China to block ALL undesired connections is extremely difficult (and $$$), especially considering the magnitude of current and potential netizens. I am sure they know that TCP resets are a poor solution when you are trying to implement a firewall, but I bet it's a "good enough" solution (for now). I like to use the example of car emissions: Cars and motorbikes produce exhaust. In western (or westernized) countries we have strict laws regulating the emission levels of all vehicles. The result, for which we pay an extremely high price (in terms of bureaucracy and $$$), is nice clean air. This is a very deterministic solution. In Vietnam (and China I assume) I noticed a different solution to the same problem. Buy a 5 cent facemask or scarf. It doesn't solve the problem, but it IS cheap. It is "good enough." This is the non-deterministic solution. China is still a developing country; I find it a bit unreasonable to expect them to implement costly solutions to an IT problem when they still have rampant poverty and other more pressing problems. The Great Firewall of China, IMHO, is only prolonging the inevitable...I hope the government realizes this and would focus their energy and effort on other matters. I think we can all agree, this method of access control is good for freedom :)

Anonymous said...

The Bluecoat Systems sales rep (in the DC Metro area) touts that they provide filtering for Saudi Arabia (the whole country) and a whole bunch of 3 letter agencies with the letters A,B,C,I,N in them. They do SSL filtering by which the proxy spoofs the far SSL certificate, so the encrypted traffic can be inspected too.

Anonymous said...

We received today the news that Iran is blocking sites like www.youtube.com.
The best we can do is to publish web proxy sites; soon they will realise that they can't stop the freedom of information and speech on the internet!!

Here is a nice list of web proxies without the word proxy in the name, to make life more difficult for the censors!

www.cristine.info
www.shannen.info
www.analise.info
www.affrica.info
www.charleen.info
www.alaura.info
www.bernadine.info
www.adita.info
www.anjelita.info
www.brygida.info
www.cristine.info
www.proxysolar.com
www.giuliana.info
www.giuliana.info
www.wynonna.info
www.wenda.info

Anonymous said...

Brand new proxy, with both CGI and PHP

http://www.rofflecakes.org/

Anonymous said...

Will the 6/4 IP cause them problems? When that comes out maybe they would not have the ability (at least for a while) to do the things they are doing. My download speeds are horrible, and my VPN service provider http://www.strongvpn.com says it's probably due to their filtering methods. I get past the firewall ok, but with or without the VPN it's horribly slow.
I'm curious to know what speeds others are getting?
I'm in Shenzhen on China Telecom.

alex smith said...

When I go to "Scan Search Engines for new vpn" I get this pop up