Ignoring the Great Firewall of China




An Overview of Ignoring the Great Firewall of China By: Matt Landau

Original Paper: "Ignoring the Great Firewall of China", Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson, University of Cambridge, Computer Laboratory

Topics
- Background
- Three Types of Content Blocking Systems
- How the Great Firewall Works
- The Firewall Design
- Countermeasures
- Political Concerns
- Conclusion

Background
- What is Censorship?
- What does China Censor?
- Why do they Censor?

What is Censorship?
"The suppression of ideas and information that certain persons - individuals, groups or government officials - find objectionable or dangerous." - The American Library Association
"Books won't stay banned. They won't burn. Ideas won't go to jail. In the long run of history, the censor and the inquisitor have always lost. The only weapon against bad ideas is better ideas." - Alfred Whitney Griswold, New York Times

What does China Censor?
- Rival political parties
- Popular non-government organizations (Falun Gong)
- Many foreign news sites (BBC, CBS, ABC)
- Historical events and topics (Tiananmen Square, human rights)

Why do they Censor?
- To control the meaning of words, concepts, and ideas
"The word 'free' still existed... but could only be used in such statements as 'The dog is free from lice' or 'This field is free from weeds'. It could not be used in its old sense of 'politically free' or 'intellectually free', since political and intellectual freedom no longer existed even as concepts, and were therefore of necessity nameless." - George Orwell, 1984

Why do they Censor?
What does Tiananmen Square make you think of? Tanks? Soldiers? Massacre? Fall of democracy? End of freedom?

Three Types of Content Blocking Systems
- Packet Dropping
- DNS Poisoning
- Content Inspection - Proxy & IDS

Packet Dropping
- All traffic to a specific IP address is discarded
- Content hosted on that computer disappears
- Cheap and easy to implement

Packet Dropping has 2 problems:
- A list of IP addresses must be maintained and kept up-to-date
- Overblocking - many websites are hosted on the same server and share an IP address. For .com, .org, and .net domains, 69.8% share an IP address with 50 or more websites.

DNS Poisoning
- Malicious DNS servers are set up to do one of two things when a lookup is performed: not answer the request, or answer with an incorrect IP address
- Does not suffer from overblocking
- It is difficult to block only the website while still allowing email on the domain

Content Inspection - Proxy
- All traffic passes through a proxy server that censors content on an item-by-item basis
- Extremely precise - can block single images or web pages while leaving the rest of the site accessible
- Expensive to implement because of the speed required to analyze and filter all traffic in real time

Content Inspection - IDS
- Use an Intrusion Detection System to perform content inspection
- If content matching key words is found it is discarded... or another action can be chosen to be performed
- More flexible than proxy-based content inspection
- Used by the Great Firewall of China

How the Great Firewall Works
- RST Packets
- Timers

RST Packets
When the IDS finds keywords that the government wishes to censor, it does not drop the packets. Instead it forges TCP RST packets to the client and the server so that they will both drop the connection.

RST Packets
Example of an uncensored page transmission as seen from the client:

    cam(53382) -> china(http)  [SYN]
    china(http) -> cam(53382)  [SYN, ACK]
    cam(53382) -> china(http)  [ACK]
    cam(53382) -> china(http)  GET / HTTP/1.0<cr><lf><cr><lf>
    china(http) -> cam(53382)  HTTP/1.1 200 OK (text/html)<cr><lf> etc.
    china(http) -> cam(53382)  ... more of the web page
    cam(53382) -> china(http)  [ACK]
    ... and so on until the page was complete

RST Packets
Example of a censored page transmission as seen from the client:

    cam(54190) -> china(http)  [SYN]
    china(http) -> cam(54190)  [SYN, ACK] TTL=39
    cam(54190) -> china(http)  [ACK]
    cam(54190) -> china(http)  GET /?falun HTTP/1.0<cr><lf><cr><lf>
    china(http) -> cam(54190)  [RST] TTL=47, seq=1, ack=1
    china(http) -> cam(54190)  [RST] TTL=47, seq=1461, ack=1
    china(http) -> cam(54190)  [RST] TTL=47, seq=4381, ack=1
    china(http) -> cam(54190)  HTTP/1.1 200 OK (text/html)<cr><lf> etc.
    cam(54190) -> china(http)  [RST] TTL=64, seq=25, ack zeroed
    china(http) -> cam(54190)  ... more of the web page
    cam(54190) -> china(http)  [RST] TTL=64, seq=25, ack zeroed
    china(http) -> cam(54190)  [RST] TTL=47, seq=2921, ack=25

RST Packets
Notice that the sequence numbers of the 3 RST packets are 1, 1461, and 4381, with identical TTLs. The firewall takes the initial GET sequence number and adds 1460, then 1460 x 3, so that even if other packets have already been received, hopefully one of the RSTs will fall within the sequence window. This is necessary because many TCP/IP implementations now verify that RST packets are within the current sequence window to prevent malicious resets.
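The window check described on this slide, as an added example (not code from the slides or from the Clayton/Murdoch/Watson paper): the three forged RST sequence numbers from the client-side trace are replayed against a client that has already consumed some bytes of the server's reply, under both the classic in-window test and the stricter "seq must equal rcv_nxt" test that RFC 5961 hosts apply. The 65535-byte default window and the MSS of 1460 are assumptions for the example.

```python
# Added example, not from the slides or the Clayton/Murdoch/Watson paper.
# It models the receive-window check the slide refers to: a host only honours
# a RST whose sequence number is acceptable for the current connection state.

MSS = 1460  # segment size the firewall appears to assume: 1461 - 1 = 1460, 4381 - 1 = 3 * 1460

# Relative sequence numbers of the three forged RSTs in the client-side trace.
FORGED_RST_SEQS = (1, 1 + MSS, 1 + 3 * MSS)  # (1, 1461, 4381)


def rst_in_window(rst_seq, rcv_nxt, rcv_wnd):
    """Classic (RFC 793) acceptability test: rcv_nxt <= seq < rcv_nxt + rcv_wnd."""
    return rcv_nxt <= rst_seq < rcv_nxt + rcv_wnd


def rst_exactly_next(rst_seq, rcv_nxt):
    """Stricter test (RFC 5961 style): only seq == rcv_nxt resets at once;
    an in-window but off-by-some RST gets a challenge ACK instead."""
    return rst_seq == rcv_nxt


def accepted_rsts(bytes_received, rcv_wnd=65535, strict=False):
    """Forged RST sequence numbers a client would honour after receiving
    bytes_received bytes of the reply (relative seq 1 is the first data byte)."""
    rcv_nxt = 1 + bytes_received
    honoured = []
    for seq in FORGED_RST_SEQS:
        if strict:
            ok = rst_exactly_next(seq, rcv_nxt)
        else:
            ok = rst_in_window(seq, rcv_nxt, rcv_wnd)
        if ok:
            honoured.append(seq)
    return honoured


if __name__ == "__main__":
    # Show which of the three RSTs would land as the client consumes more data.
    for received in (0, 1460, 2920, 4380, 5000):
        print(received, accepted_rsts(received), accepted_rsts(received, strict=True))
```

With a large window all three RSTs are acceptable while the client has received nothing; once 2920 bytes have arrived only the seq=4381 RST is still ahead of rcv_nxt, and after 5000 bytes none of them is. Under the strict test the firewall's guess only succeeds when rcv_nxt happens to sit exactly at 1, 1461 or 4381, which is why spacing the RSTs at whole segments is the firewall's best bet rather than a guarantee.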

RST Packets
Example of a censored page transmission as seen from the server:

    cam(54190) -> china(http)  [SYN] TTL=42
    china(http) -> cam(54190)  [SYN, ACK]
    cam(54190) -> china(http)  [ACK] TTL=42
    cam(54190) -> china(http)  GET /?falun HTTP/1.0<cr><lf><cr><lf>
    china(http) -> cam(54190)  HTTP/1.1 200 OK (text/html)<cr><lf> etc.
    china(http) -> cam(54190)  ... more of the web page
    cam(54190) -> china(http)  [RST] TTL=61, seq=25, ack=1
    cam(54190) -> china(http)  [RST] TTL=61, seq=1485, ack=1
    cam(54190) -> china(http)  [RST] TTL=61, seq=4405, ack=1
    cam(54190) -> china(http)  [RST] TTL=61, seq=25, ack=1
    cam(54190) -> china(http)  [RST] TTL=61, seq=25, ack=2921
    cam(54190) -> china(http)  [RST] TTL=42, seq=25, ack zeroed
    cam(54190) -> china(http)  [RST] TTL=42, seq=25, ack zeroed

RST Packets
As can be seen, RST packets are sent to the server as well as the client. The only data received at the client is what the server sent before it received its first RST packet. The forged RSTs again have identical TTLs.
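The TTL observation on these slides (forged RSTs arrive with TTL 47 where the server's SYN/ACK had TTL 39, and with TTL 61 where the client's SYN had TTL 42) is a usable detection signal. As an added example that is not part of the slides or the original paper, the following parses trace lines written in the slides' notation, learns each peer's TTL from its handshake packet, and flags RSTs whose TTL does not match; it also checks whether the flagged sequence numbers are spaced by whole 1460-byte segments, the stride noted on the previous slide. The trace is constructed for the example, and the TTL values on the client's own packets are assumed.

```python
import re

# Constructed sample trace in the slides' notation (modelled on the client-side
# censored transfer; not a real capture). TTLs on the client's own packets are
# assumed values added for the example.
SAMPLE_TRACE = """\
cam(54190) -> china(http) [SYN] TTL=64
china(http) -> cam(54190) [SYN, ACK] TTL=39
cam(54190) -> china(http) [ACK] TTL=64
cam(54190) -> china(http) GET /?falun HTTP/1.0
china(http) -> cam(54190) [RST] TTL=47, seq=1, ack=1
china(http) -> cam(54190) [RST] TTL=47, seq=1461, ack=1
china(http) -> cam(54190) [RST] TTL=47, seq=4381, ack=1
china(http) -> cam(54190) HTTP/1.1 200 OK TTL=39, seq=1
china(http) -> cam(54190) [RST] TTL=47, seq=2921, ack=25
"""

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<rest>.*)$")
FLAGS_RE = re.compile(r"\[([^\]]*)\]")
TTL_RE = re.compile(r"TTL=(\d+)")
SEQ_RE = re.compile(r"seq=(\d+)")


def parse_trace(text):
    """Turn trace lines into dicts with src, dst, flags, ttl and seq."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        flags = FLAGS_RE.search(rest)
        ttl = TTL_RE.search(rest)
        seq = SEQ_RE.search(rest)
        pkts.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "flags": {f.strip() for f in flags.group(1).split(",")} if flags else set(),
            "ttl": int(ttl.group(1)) if ttl else None,
            "seq": int(seq.group(1)) if seq else None,
        })
    return pkts


def find_suspicious_rsts(pkts):
    """Flag RSTs whose TTL differs from the TTL the same peer used in its handshake.

    A RST genuinely sent by the peer's stack travels the same path as its
    SYN or SYN/ACK and should arrive with the same TTL; a RST injected by a
    middlebox part-way along the path arrives with a different one.
    Returns (src, seq, rst_ttl, handshake_ttl) tuples.
    """
    handshake_ttl = {}
    for p in pkts:
        if "SYN" in p["flags"] and p["ttl"] is not None:
            handshake_ttl.setdefault(p["src"], p["ttl"])
    flagged = []
    for p in pkts:
        if "RST" not in p["flags"] or p["ttl"] is None:
            continue
        base = handshake_ttl.get(p["src"])
        if base is not None and p["ttl"] != base:
            flagged.append((p["src"], p["seq"], p["ttl"], base))
    return flagged


def mss_spaced(seqs, mss=1460):
    """True if every seq is offset from the first by a whole number of MSS-sized
    segments, the stride the slides observe in the forged RSTs (1, 1461, 4381)."""
    if not seqs:
        return False
    return all((s - seqs[0]) % mss == 0 for s in seqs)


if __name__ == "__main__":
    flagged = find_suspicious_rsts(parse_trace(SAMPLE_TRACE))
    for src, seq, ttl, base in flagged:
        print(f"suspicious RST from {src}: seq={seq} TTL={ttl} (handshake TTL {base})")
    print("MSS-spaced:", mss_spaced([seq for _, seq, _, _ in flagged]))
```

On the server-side trace the same rule holds: the client's real RSTs carry TTL 42, matching its SYN, while the forged ones carry TTL 61. A TTL mismatch on its own can be caused by a route change or multipath, so in a real monitor it is best combined with the other signals the slides show (several RSTs in a burst, segment-spaced sequence numbers, and RSTs arriving before any data from the peer).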

Timers
- After a connection has been reset, all traffic between the two computers is blocked for a random period of up to 1 hour; the average was 20 minutes
- This is done by sending a RST packet immediately following the TCP handshake (SYN, SYN-ACK, ACK)
- It is not based on current content, only on the fact that there was recently blocked content

The Firewall Design
- Known hardware
- Speculation based on analysis

Firewall Design
- Uses Cisco's Security Intrusion Detection System
- Packets arriving at Chinese routers are queued normally while also being copied to an IDS device for inspection
- If the IDS determines the packet is bad, 3 RST packets are sent to the client and server

Firewall Design
- Because the IDS is a separate device, bad packets are not removed from the router's queue
- The firewall relies on the TCP/IP stack at both ends to drop the connection and the relevant data

Countermeasures
- Ignoring RST packets
- Splitting keywords
- DoS attacks

Ignoring RST Packets
- Does not require a new TCP/IP stack
- Can be implemented in Linux using iptables:

    iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

- Now all TCP packets with the RST flag set are discarded

Ignoring RST Packets

    cam(55817) -> china(http)  [SYN]
    china(http) -> cam(55817)  [SYN, ACK] TTL=41
    cam(55817) -> china(http)  [ACK]
    cam(55817) -> china(http)  GET /?falun HTTP/1.0<cr><lf><cr><lf>
    china(http) -> cam(55817)  [RST] TTL=49, seq=1
    china(http) -> cam(55817)  [RST] TTL=49, seq=1
    china(http) -> cam(55817)  [RST] TTL=49, seq=1
    china(http) -> cam(55817)  HTTP/1.1 200 OK (text/html)<cr><lf> etc.
    china(http) -> cam(55817)  ... more of the web page
    cam(55817) -> china(http)  [ACK] seq=25, ack=2921
    china(http) -> cam(55817)  ... more of the web page
    china(http) -> cam(55817)  [RST] TTL=49, seq=1461
    china(http) -> cam(55817)  [RST] TTL=49, seq=2921
    china(http) -> cam(55817)  [RST] TTL=49, seq=4381
    cam(55817) -> china(http)  [ACK] seq=25, ack=4381
    china(http) -> cam(55817)  [RST] TTL=49, seq=2921
    china(http) -> cam(55817)  ... more of the web page
    china(http) -> cam(55817)  ... more of the web page
    cam(55817) -> china(http)  [ACK] seq=25, ack=7301
    china(http) -> cam(55817)  [RST] TTL=49, seq=5841
    china(http) -> cam(55817)  [RST] TTL=49, seq=7301
    china(http) -> cam(55817)  [RST] TTL=49, seq=4381
    china(http) -> cam(55817)  ... more of the web page
    china(http) -> cam(55817)  [RST] TTL=49, seq=8761
    ... and so on until the page was complete

Ignoring RST Packets
As can be seen, when RST packets are ignored the IDS continues to send more RST packets, 3 at a time, to both the client and server. However, these packets are successfully ignored and the web page loads properly. The firewall is completely ineffective.

Denial of Service
- A connection between a computer inside and one outside the Great Firewall can be denied by sending spoofed packets containing blocked words
- Could prevent travelling diplomats from accessing servers in their Chinese offices
- Could prevent Chinese government computers from receiving computer security updates

Denial of Service
- The authors found that a reasonably effective attack could be maintained by a single user on a dial-up internet connection
- It is unknown whether there are safeguards in place to detect these DoS attacks or to allow diplomats to bypass the firewall

Political Concerns
What if Chinese citizens are caught bypassing the firewall?

Political Concerns
- The firewall may log what the user is doing along with its content filtering
- This would allow the Chinese government to see that a user's computer is ignoring RST packets
- Encryption renders the firewall useless, but its use alone may be a red flag for investigation

Conclusions

Conclusions
- The Great Firewall of China inspects packets using an IDS to look for specific content
- When the content is detected, spoofed RST packets are sent to both TCP endpoints to terminate the connection
- If RST packets are ignored at both ends, the content flows normally and the firewall continues to send RST packets with no effect

"The Internet interprets censorship as damage and routes around it." - John Gilmore, Electronic Frontier Foundation