Ignoring the "Great Firewall of China"

The Great Firewall of China is an important tool for the Chinese Government in their efforts to censor the Internet. It works, in part, by inspecting web traffic to determine whether or not particular words are present. If the Chinese Government does not approve of one of the words in a web page (or a web request), perhaps it says “f” “a” “l” “u” “n”, then the connection is closed and the web page will be unavailable — it has been censored.

This user-level effect has been known for some time… but up until now, no-one seems to have looked more closely into what is actually happening (or when they have, they have misunderstood the packet level events).

It turns out [caveat: in the specific cases we’ve closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsiduary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.

Ignoring resets is trivial to achieve by applying simple firewall rules… and has no significant effect on ordinary working. If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device. We would argue that there is much to commend examining TTL values when considering defences against denial-of-service attacks using reset packets. Having operating system vendors provide this new functionality as standard would also be of practical use because Chinese citizens would not need to run special firewall-busting code (which the authorities might attempt to outlaw) but just off-the-shelf software (which they would necessarily tolerate).

There’s a little more to this story (but not much) and all is revealed in our academic paper (Clayton, Murdoch, Watson) which will be presented at the 6th Workshop on Privacy Enhancing Technologies being held here in Cambridge this week.

NB: There’s also rather more to censorship in China than just the “Great Firewall” keyword detecting system — some sites are blocked unconditionally, and it is necessary to use other techniques, such as proxies, to deal with that. However, these static blocks are far more expensive for the Chinese Government to maintain, and are inherently more fragile and less adaptive to change as content moves around. So there remains real value in exposing the inadequacy of the generic system.

The bottom line though, is that a great deal of the effectiveness of the Great Chinese Firewall depends on systems agreeing that it should work … wasn’t there once a story about the Emperor’s New Clothes ?

78 thoughts on “Ignoring the "Great Firewall of China"

  1. Unfortunatly, this isn’t that effective a bypass. As the resets are (unless painfully broken) sent in both directions, you need software on both sides of the connection.

    If you have software on both sides of the connection, you can do FAR FAR FAR more subtle covert channels that would completely/drastically increase the difficulty of detecting censorable communication.

  2. First, it’s a totally effective bypass — it works just fine, using very simple mechanisms.

    Secondly, we understand entirely that discarding resets is needed at both at ends of the connection, abeit not very complicated software is necessary to do it. Standard firewalls do it out of the box.

    However (see the paper) we also understand that the dynamics are very different if the firewall can correctly log what is being transferred — distinguishing porn from politics. That’s not the case for encrypted links (which could easily be banned per se by looking at the entropy of the packets; and an entirely negative view taken of what the content was) or proxies (which is merely a scaling issue, so a question merely of money and commitment).

    However, the key point is that changing the TCP/IP stacks to ignore the firewall is almost a no-brainer for the vendor. There are excellent technical reasons for discarding the firewall’s resets as a matter of course. If stack builders did this as standard, then an entire Great Firewall of China mechanism entirely fails to work. That can only, in my view, be a good result.

  3. I explained this mechanism in 5th HOPE conference:
    http://www.dit-inc.us/report/hope2004/cover.htm Sorry the slides are hard to read without the video presentation

    This is one of the many mechanisms that is being used. Some new mechanisms were added later on.

    The reset will be send from the firewall to both client and server, so you need to convince both sides to ignore reset.

  4. This is all great, but keyword filtering is really not the big issue in China. The only time you notice it is when you use sites like Google, which have extra sensitivity conditions beyond keywords. On my own site I have virtually all bad keywords in different documents, and they fly through without a hitch to me in China.

    The annoying thing is the site bans of blogspot.com, wordpress.com, bbc.com and the temporary blocks of wikipedia.org. That epochtimes and such propaganda sites are blocked is really of no importance; people in the West drastically overemphasize the will of the Chinese to gather such information. In any case, you can always use anonymous.org for blogspot.com and such sites (but not for epochtimes).

  5. If China uses a “Great Firewall” can the Bush Administration be far behind?

    Since at least two of their covert programs to monitor phone conversations and international bank transactions of US citizans and corporations have been uncovered by the NY Times and other stellar members of print journalism, will they find a way to use a similar concept to block pubic discussion of these, and other, points of high vulnerability as they see them??

    Just curious!

  6. I am a Chinese,My english is bad, We need your help,For anthropic freedom,Help us! Thank your very much! Freedom vive!
    Beat down Communist Party! Liberate all human!

  7. 中国共产党的防火墙封锁网络时用的方法不只一种,但主要有如下三种:

    1、IP封锁
    2、关键字过滤
    3、域名解析欺骗

    有以上任意一种在,中国用户就不能上到国外的一些网站

  8. I have no idea how to figure whether the Bush administration will try to build such a firewall. I can’t say I would be surprised if they did do it, complete with all the spin to paint opponents as terrorist sympathizers. Freedom is slavery, and all that rot.

  9. Gee Jim,

    I guess that you never lived in China or you have never read Peter Hessler’s memoir “River Town”.

    The Chinese have their own way of seeing these things which has little to do with the radical opinions of right wing nuts. However, I will say this that there is a class of Chinese, not very numerous, who seem to parrot the ideas and notions of the extreme Western rigth wing nuttery.

    This is not a simple subject. Certainly it’s not well portrayed by either the Hong Kong or Taiwan types who squeek loudly, even if the Hong Kong types have degrees from U of Toronto or even Columbia U or even Harvard or what ever you may suggest! Most Chinese who have easy access to the Internet are happy enough to enjoy the “freedoms” that they have.

    Caucasian whiners “scream” about limits on “free speech”. These days with regular practices of the Bush Administration which considers “free speech” as a “threat to the security of US citizens”, it does seem a tad of a stretch to paint one side or the other as less tolerant of “free speech”.

    Free speech is something you know you have when you can use it as I am right now!

  10. There are of course other ways of evading the firewall. Anything that encrypts the traffic will prevent the traffic from being inspected. We discuss this in the paper. Using a simple proxy such as anonymouse.org will not work well. This type of system prevents websites from learning who their visitors are, but without any encryption (that’s what their FAQ says) on the link to the proxy, the traffic is still in the clear as it crosses the firewall and will therefore be subject to censorship.

  11. Richard;
    Great jobs!
    We are doing the job to break the CCP’s blockage. Our strategy is to use dynamic IPs and SSL. It is very simple to write an iptable command for our server but I do not think it will work as you said in your paper because there are some other fake signals. We can recompile LInux and FreeBSD easily, we would be your test site if you have interest to develop a strategy to break the Chinese Bulin Wall. Our dynamic IP site, https://www.ddint.org/mvnforum/mvnforum/index?lang=en has dynamically be traced and been blocked by CCP. It is a good site to test out your strategy. We change our IP hourly and SSL certificate daily. But our domain name is kidnapped. We need more mirrors with different domain names on different machines. We have a database cluster running behind our web site which could support unlimitted number of mirrors.

  12. I wouldn’t say its a big secret that one of the technical tools the government uses is connection resets, this is fairly obvious to ascertain – your browser tells you the connection is reset.

    One issue I have been seeing, is that the connection resets happen both ways – incoming traffic from ‘problem’ isp’s to china served sites receive the resets also. Its not just an inside -> out filter, its happens both ways*.

    eg
    Blocked ip range -> Inside China site (experience connection resets)
    China -> Outside blocked ip range (experience connection resets)

    *Limited testing (this may not be a china wide effect).

    This is an interesting unintended side effect.

    Also remember that different isp’s have different blocks
    eg – on cable internet in shanghai you can get to BBC.co.uk
    On adsl (in most area’s), you can’t.

    So one thing to note is that not all blocks are system wide.

    Also note that certain block mechanisms come and go, this is commonly believed to be because of the process overhead – its not feasible on the scales we’re dealing with here.

  13. Richard, Anonymouse.org helps to bypass the static blocks you mentioned but it’s true that the unencrypted traffic may be subject
    to censorship via the keyword-filter.

    However, their sustaining membership allows encryption and
    works well here in PRC.

  14. Nik, anonymous.org switches to autopart.com, useless. Robert Gagnon, why do you insinuate that the great firewall is no big deal? This is not a partisan issue. Not everything in the world has to be pushed to one side or the other of the U.S. 2-party ranting system.

    Here is what the Chinese Internet community needs: an application that can be installed on a user’s computer that will take the geeky setup out of the world of nerds and put it into the hands of the average Joe (or Zhou) so we can all use it without hiring a network/IT consultant to come to our home and tinker with the settings for an hour. If it were platform independent, even better.

  15. Interesting. Also interesting is the statement in news coverage that someone involved in finding this hole has made sure to report it to whatever part of the Chinese government is responsible for these access controls, so that they might consider how to fix the hole. An interesting decision – why was this finding publicised and then also given directly to the Chinese government? (Or are the news reports incorrect?)

  16. We reported the denial-of-service attack to CERT (who passed it to CERT-CN) when we first realised that this was an issue, way back in March. In our view the simplest way of addressing this problem would be to turn off the keyword detection — and we are disappointed that they have not done so. Otherwise, we suspect, the only way of addressing the problem would be to discard the current design and replace it entirely — which would be expensive and time-consuming.

    Reporing security flaws to the vendor (and we cannot tell who the vendor is in this case; presumably some Chinese Government Agency, CERT-CN will have known) is widely accepted to be proper behaviour.

    We did NOT report the observation that discarding resets made the firewall ineffective, or our other thoughts about dealing with faked SYN/ACK packets. That’s a matter of functionality failure — not of security.

  17. I come from China.I hate to see all the leader’s activity news ,all the GDP growth news.Everyone live in a lying world ,no true words .we don’t feel any improvement in our life .On the countrary,we have more pressure today.Could you kindly introduce a operative way to Break China censorship ?I don’t want the theory.Thanks a lot

  18. To ignore resets: read the paper for firewall rules appropriate for a *nix system. If you’re using Windows then you’ll need some custom software. At present, we haven’t written any 🙁

  19. whow, that was FAST!
    I’m using winXP sp2
    I found this WIPFW software that claims to have the same functions as IPFW made for windows(from http://belnet.dl.sourceforge.net/sourceforge/wipfw/wipfw-0.2.8.zip)
    However, after installing and trying the command for the IPFW with no errors, i tried to access wikipedia and image.google.com (searched for “tiananmen”) and was unable to access both (actually the google one loaded 4 or 5 picture results, then got timed out), all same as before

    is it the software’s problem or am i trying it on the wrong sites?

  20. You should read the paper again… it’s necessary for BOTH ends to ignore resets. Also, high profile sites may be blocked by other mechanisms instead — such as straightforward discarding of all packets to the particular IP address. Plus there’s the “blocking with confusion” that we describe.

    The mechanism can be simple to overcome — but not entirely trivial 🙁

    Also, please note our comments about the possibility of logging!

  21. Oh yeah….sorry about that, my bad
    Could you give an example of which site currently blocked can be accessed using the method in the post?

  22. I have set my machine up to ignore packets with the RST flag. If anyone wants to test if from China, just send me an e-mail and I will give you an address of a page hosted on my server that would otherwise have been blocked. Remember that you need to ignore RST’s in your end as well (see the paper and post nr. 39 above)

    michael[at]carceri[dot]dk

  23. I believe that IP blocking by China is more of an issue. They seem to have lot’s of body monitoring the web those days, and blocking any IP that they don’t like. The force IP blacklists to all their ISPs almost daily I’ve heard…

  24. I live in Shanghai. I have tried Tor to no avail. So far the only thing that has remotely helped is just copying and pasting blocked sites into http://www.fastsec.com which at least gets me into Google at times when it is censored.

    I find it hard to believe that there is no software readily available that easily bypasses the Great Firewall of China.

  25. Is that possible to launch massive attach on those censor servers? They are really disgusting existences.

    As a Chinese citizen I am really sorry to have such a government.

    And, to Robert Gagnon, dont tell me how the Chinese people are “satisfied”. You have no idea what the heck are you talking about.

  26. Could you give us an example of a website that can bypass censorship? Possibly a new one…the old ones have been blocked…

  27. I have tried asking the staff of Peacefire…but their censorship websites keep getting blocked…

  28. I ment like an actual website name like from Peacefire? If anyone has ever even heard of Peacefire…it gives the best websites to bypass websites ever! I’m on their mailing list, but i don’t get on the computer much and I have to use the school’s computer…I can’t check my email on yahoo either because it blocks it…So please! Anybody that knows it by chance please help me out here…I dont have much time….

    Or if anyone knows another good website to bypass censorship I would really like to know….Thank you. ——-Rocka Da Kil/ Spawnn666

    And Contact me if you play RUNESCAPE!!!

  29. I am a foreigner living in China for 5 years now and really got fedup ‘coz we were blocked for more than 2 weeks even from our own blogs…so I tried your method and VOILA it works –for all my block websites (but the format is a little screwy) but who care about that! TX

  30. Of course, a much simpler and more effective method would be to install SmartHide. Is a perfect solution for the biggest online problem – Complete Anonymity. This unique program will keep your IP address (and your identity) hidden; secure all the protocols on your PC (E-mail, Web-browsing, Instant Messaging, P2P, etc); provide full encryption of your traffic while working in Internet, and a lot more.

    Anonymous surfing with Smart Hide

  31. The previous comment is an advert … the text is pretty much the same as you will find on the smarthide.com web website. There’s not a lot of detail there, but from the looks of it this is a pretty standard third party proxy — so the third party (who seem to be based in Salem Oregon) will be aware of all your activities — as will anyone in that jurisdiction who can serve them with paperwork to inspect their logs. This may be fine for you, but to describe it as a “simpler and more effective method” is really rather too simple and may not be effective for you.

    Oh — and there’s dozens of other third party proxies if you think that’s a solution. Don’t go with the first one you see! especially if you look at their website and it takes you 10 minutes to work out what company is running it, where they are based, and even what nationality they are!

  32. @ Richard
    Kudos for providing an analysis, rather than simply deleting the advert. Much more useful 🙂

  33. Richard, as for me i think it is better to use the service of the trusted people who provide such a service rather than using proxies which are scanned or to use tor which can be monitored by anyone?

  34. My web site was swamped with Chinese traffic downloading my software and providing pirate keys to unlock it. The Chinese traffic consisted almost entirely of thieves. So I’d like to block it. Then came the idea that I could let the GFC do the blocking for me!

    Then I read your articles and realized something else. If we want to defeat the GFC we could all add lots of banned key words to our web sites. If most of the web sites in the free world had these blocked words, then the GFC would block everything — and the Chinese web users would demand a loosening.

    But I don’t know which Chinese would benefit the most, the average citizens or the thieves.

  35. Don’t they know, the more they try to suppress the freedom of the people, the more they will inspire them. They could crush the followers of any creed by doing what Western Society has done – turn it into a mindless and spiritless commercial Festival. Let any system follow its own devices and it will rapidly become extinct, but criticize and punish it, and it will flourish like the forest.

  36. What about launching a massive DDoS on all the systems that do China’s content filtering?

  37. 中国共产党的防火墙封锁网络时用的方法不只一种,但主要有如下三种:

    1、IP封锁
    2、关键字过滤
    3、域名解析欺骗

    有以上任意一种在,中国用户就不能上到国外的一些网站

    Just at courtesy translation.

    Below is a Google translation the LSH pst above on| June 29th, 2006 at 12:07 UTC

    Communist Party of China firewall blocking network method used in more than one, but mainly has the following three types:

    1, IP blocking
    2, keyword filtering
    3, domain name to deceive the

    Have more than an arbitrary, Chinese users will not be able to go abroad on a number of sites

  38. Richard Clayton, do you know any ways to bypass an isp’s blacklist? if a chinese user types in a url, the url is checked against an isp blacklist of sites, and if the url is on the blacklist then access is denied. the blacklist blocks urls, ip addresses etc.

  39. Freedur.com allow me to bypass China firewall with my favorite browser – firefox. You don’t need even to install it – they have portable version.
    You can use it even at school. I always watch Yutube at school as my internet at home is so slow. It supports SSL too so I can read my gmail.

  40. A VPN is a must if you`re living in China. It`s almost impossible to get online without one. For example, if you go to a blocked site, Internet access is cut off COMPLETELY for one or two minutes. It becomes extremely annoying after a while. I am using this VPN now: http://www.sunvpn.com/, had no problems with it.

  41. Great article! 🙂 I think a VPN would work just as well . Also, its secure and reliable. So, a VPN really helps if you’re in China. There are many such services like HighspeedVPN . Its one of the services that hasnt been blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *