Great Firewall of China Uses TCP Resets

This blog post about the Great Firewall of China by Cambridge University researchers is fascinating:

It turns out [caveat: in the specific cases we’ve closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsiduary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

So China is censoring its citizens using ten-year-old technology. How long before they upgrade?

Update: Tom Ptacek shows this story is old news. Great historical insights Tom!

Comments

Anonymous said…
The "ten year old technology" works very well. What is there to "upgrade?" Please elaborate.
2:03 PM
Richard Bejtlich said…
David,

In their post (and paper) the Cambridge researchers explain how it is possible to break this system by ignoring resets. Chinese citizens who deploy such countermeasures will be able to evade the Great Firewall. The upgrade would occur if the Chinese government decides to implement real firewalling via access control lists on inline devices.
2:16 PM
Anonymous said…
Thanks for the response Rich. Yes, I read the paper too. The reset has to be ignored on both sides not just the Chinese side. Basically defeating the system boils down to breaking TCP conventions on at least packets from China. Once we all do that then they will upgrade the firewall. Point is, they made sure the technique is economically feasible to them and intractable to rest of the world. I don’t think they are the ones who need the upgrade. What say you?
2:29 PM
Richard Bejtlich said…
This is easy to beat. Assume you are a dissident running a Web site in China. Someone from the US tries to visit. RST RST to the Web site, RST RST to the visitor. Solution: Web site ignores RSTs from "visitors," visitors ignore RSTs from "Web site." This is not something that can be done by the average Joe, but neither are many other techniques that evade controls. Result: US visitor sees Chinese dissident Web site.

Now reverse it. Assume you are a Chinese dissident trying to visit a US Web site. Same solution.

Hence, the Chinese government will have to upgrade their "firewall" if they want to keep their citizens locked down.
2:48 PM
Anonymous said…
The "Great Firewall of China" as described in the article, if correct, isn't a firewall at all. In addition to the simplicity of bypassing it by ignoring RSTs from (and in) China (or, as the article suggests, ignoring RSTs with a different TTL value than the SYN and SYN/ACK), it ignores one basic fact; that the Internet != HTTP. Simply using SSL (HTTPS), SSH, or any number of other encrypted protocols would work fine. So too would any non-TCP protocol. To truly "protect" their population from outside ideas, they'd need to run application proxies for every allowed protocol, which may not be economically feasible/justifyable.

- Chris
7:51 PM
Richard Bejtlich said…
Chris, I partially agree as far as non-TCP protocols go. But for TCP, they could have a knock-down rule for any TCP traffic to/from any censored site.

For UDP, spoofed ICMP unreachable messages and other ICMP errors could be used.

Outside of that, I agree this is not an effective method of access control (which is good for freedom, thankfully).
9:28 PM
Anonymous said…
The Bluecoat Systems sales rep (in the DC Metro area) touts that they provide filtering for Saudi Arabia (the whole country) and a whole bunch of 3 letter agencies with the letters A,B,C,I,N in them. They do SSL filtering by which the proxy spoofs the far SSL certificate, so the encrypted traffic can be inspected too.
3:01 PM
Anonymous said…
we receive today the news that Iran is blocking sites like www.youtube.com,
the best we can do is you publish web proxy sites, soon they will relise the they cant stop the fredom of information and speech in the internet!!

here is a nice list of web-proxies without the word proxy in the name, to make the life for diffucult to the censors!

www.cristine.info
www.shannen.info
www.analise.info
www.affrica.info
www.charleen.info
www.alaura.info
www.bernadine.info
www.adita.info
www.anjelita.info
www.brygida.info
www.cristine.info
www.proxysolar.com
www.giuliana.info
www.giuliana.info
www.wynonna.info
www.wenda.info
5:53 PM
Anonymous said…
brand new proxy, with both cgia and php

http://www.rofflecakes.org/
11:42 AM
Anonymous said…
Will the 6/4 IP cause them problems? When that comes out maybe they would not have the ability (at least for a while) to do the things they are doing. My download speeds are horrible, and my VPN service Provide http://www.strongvpn.com says it's probably due to their filtering methods. I get past the firewall ok, but with or without the VPN it's horribly slow.
I'm curious to know what speeds others are getting?
I'm in Shenzhen on China Telecom.
2:05 AM
alex smith said…
When I go to "Scan Search Engines for new vpn" I get this pop up
2:23 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more