Great Firewall of China Uses TCP Resets

This blog post about the Great Firewall of China by Cambridge University researchers is fascinating:

It turns out [caveat: in the specific cases we’ve closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

So China is censoring its citizens using ten-year-old technology. How long before they upgrade?

Update: Tom Ptacek shows this story is old news. Great historical insights, Tom!

Comments

Anonymous said…
The "ten year old technology" works very well. What is there to "upgrade?" Please elaborate.
David,

In their post (and paper) the Cambridge researchers explain how it is possible to break this system by ignoring resets. Chinese citizens who deploy such countermeasures will be able to evade the Great Firewall. The upgrade would occur if the Chinese government decides to implement real firewalling via access control lists on inline devices.
Anonymous said…
Thanks for the response, Rich. Yes, I read the paper too. The reset has to be ignored on both sides, not just the Chinese side. Basically, defeating the system boils down to breaking TCP conventions on at least packets from China. Once we all do that, then they will upgrade the firewall. Point is, they made sure the technique is economically feasible to them and intractable to the rest of the world. I don’t think they are the ones who need the upgrade. What say you?
This is easy to beat. Assume you are a dissident running a Web site in China. Someone from the US tries to visit. RST RST to the Web site, RST RST to the visitor. Solution: Web site ignores RSTs from "visitors," visitors ignore RSTs from "Web site." This is not something that can be done by the average Joe, but neither are many other techniques that evade controls. Result: US visitor sees Chinese dissident Web site.

Now reverse it. Assume you are a Chinese dissident trying to visit a US Web site. Same solution.

Hence, the Chinese government will have to upgrade their "firewall" if they want to keep their citizens locked down.
Anonymous said…
The "Great Firewall of China" as described in the article, if correct, isn't a firewall at all. In addition to the simplicity of bypassing it by ignoring RSTs from (and in) China (or, as the article suggests, ignoring RSTs with a different TTL value than the SYN and SYN/ACK), it ignores one basic fact: that the Internet != HTTP. Simply using SSL (HTTPS), SSH, or any number of other encrypted protocols would work fine. So too would any non-TCP protocol. To truly "protect" their population from outside ideas, they'd need to run application proxies for every allowed protocol, which may not be economically feasible/justifiable.

- Chris
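As an added illustration (not code from the original post, the commenters, or the Cambridge paper), the following Python models the detection side of the technique described in the quoted passage, using the TTL heuristic Chris mentions: a reset forged by a box closer to the observer than the real peer has crossed fewer hops, so its TTL differs from the TTL that peer used in the handshake. The trace, addresses and TTL values are constructed and assume the capture was taken on the client host.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "PA", "R", "RA"
    ttl: int    # IP TTL as seen at the capture point

def flow_key(p: Packet) -> Tuple[str, int, str, int]:
    # Order the endpoints so both directions of a connection share one key
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a

def find_injected_resets(packets: List[Packet], tolerance: int = 0) -> List[Packet]:
    """Flag RST segments whose TTL differs from the TTL the same sender used in
    the flow's handshake (SYN or SYN/ACK): a reset forged by a box closer to us
    than the real peer has travelled fewer hops and arrives with another TTL."""
    handshake_ttl: Dict[Tuple[Tuple[str, int, str, int], str], int] = {}
    flagged: List[Packet] = []
    for p in packets:
        key = (flow_key(p), p.src)
        if p.flags in ("S", "SA"):
            handshake_ttl[key] = p.ttl
        elif "R" in p.flags:
            expected = handshake_ttl.get(key)
            # No handshake seen means no verdict; a matching TTL is treated as genuine
            if expected is not None and abs(p.ttl - expected) > tolerance:
                flagged.append(p)
    return flagged

# Constructed trace captured on the client host 10.0.0.5: its own segments leave
# with TTL 64, the real server's arrive with TTL 47, and the injected resets
# arrive with TTL 58 because the injecting box sits fewer hops away.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S", 64),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA", 47),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "A", 64),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "PA", 64),  # request carrying a keyword
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "R", 58),   # forged, claims to be the server
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "R", 58),   # the "series" of resets
    # Second flow, closed by the real server with RST: TTL matches, so not flagged
    Packet("10.0.0.5", 40001, "198.51.100.7", 443, "S", 64),
    Packet("198.51.100.7", 443, "10.0.0.5", 40001, "SA", 51),
    Packet("198.51.100.7", 443, "10.0.0.5", 40001, "RA", 51),
]
```

The heuristic is a triage signal rather than proof: a route change mid-connection can shift a genuine peer's TTL, and an injector that copies the peer's TTL would not be flagged at all.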
Chris, I partially agree as far as non-TCP protocols go. But for TCP, they could have a knock-down rule for any TCP traffic to/from any censored site.

For UDP, spoofed ICMP unreachable messages and other ICMP errors could be used.

Outside of that, I agree this is not an effective method of access control (which is good for freedom, thankfully).
Anonymous said…
The Bluecoat Systems sales rep (in the DC Metro area) touts that they provide filtering for Saudi Arabia (the whole country) and a whole bunch of 3 letter agencies with the letters A,B,C,I,N in them. They do SSL filtering by which the proxy spoofs the far SSL certificate, so the encrypted traffic can be inspected too.
Anonymous said…
We received today the news that Iran is blocking sites like www.youtube.com.
The best we can do is to publish web proxy sites; soon they will realise that they can't stop the freedom of information and speech on the internet!!

Here is a nice list of web proxies without the word proxy in the name, to make life more difficult for the censors!

Anonymous said…
Brand new proxy, with both CGI and PHP

http://www.rofflecakes.org/
Anonymous said…
Will the 6/4 IP cause them problems? When that comes out, maybe they would not have the ability (at least for a while) to do the things they are doing. My download speeds are horrible, and my VPN service provider http://www.strongvpn.com says it's probably due to their filtering methods. I get past the firewall OK, but with or without the VPN it's horribly slow.
I'm curious to know what speeds others are getting?
I'm in Shenzhen on China Telecom.
alex smith said…
When I go to "Scan Search Engines for new vpn" I get this pop up