Great Firewall Filtering Revealed
Researchers at the University of Cambridge have analysed how the PRC’s Great Firewall (GFW) “blocks” a web page, or rather interrupts its loading midstream, when it detects sensitive keywords related to the day after June 3 and certain religious groups. What they discovered is quite surprising, because it indicates that the mechanism is simple and clever but at the same time quite straightforward to circumvent. Read on for a layman’s explanation of the technical paper.
For the non-techie, the simple explanation is that the GFW sends a “TCP reset” packet to both the web server supplying the suspicious page and to the client (i.e. your computer) loading it. It’s the equivalent of an “emergency stop” packet, normally reserved for aborting a connection that has gone wrong (for example, when a packet arrives for a connection the other side no longer knows about), so that both sides know to disconnect abruptly.
It appears the GFW in the PRC cleverly uses this technique so that it can stymie the loading of pages without having to make any subsequent decisions to drop packets by correlating them with earlier ones. In techie terms, having to store the history of what has been sent and received is called “state information”, as in the technical state of affairs the router must accumulate. (This is not to be confused with State information as in “state secrets” or “enemies of the state”!)
I say it is clever because this means you need far fewer computers, less processing power and less memory to implement effective blocking. In fact, GFW operators could use off-the-shelf Cisco (or whatever) routers with no modified firmware whatsoever, and just have a set of machines sit on the side watching for keywords and sending out “TCP resets.” Simple, effective, and with a low impact on network engineering.
The researchers realised that because this “TCP reset” was the sole mechanism for cutting off the content, the page data (sensitive material and all) was still being sent through all the way to your client computer in the PRC! But by the time it arrived, the “TCP reset” had already made your computer’s networking code tear the connection down, so the later packets were discarded on arrival and the web browser never got the content. That is, they were actually travelling down the cable (or over Wi-Fi) to your locale in the PRC, but the computer was ignoring them.
So in their tests they asked: what if we simply instructed the computer to ignore the “TCP reset” and keep loading? Would it work? The answer is yes. From their blog:
…the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.
However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.
Cool results. One problem – you need both the web server and the client to ignore “TCP reset” packets to make this workaround effective, since the firewall resets both ends. The researchers have suggested that making this behaviour modification to the “TCP/IP stack” of networking code in routers and operating systems was desirable anyway, and they’re probably right. But that’s quite a tall order to get Microsoft, Apple, Palm, Symbian, and all the other folks with IP networking in their OSes to change. (Interestingly, with open source software like Linux it is quite simple: a kernel patch and recompile will do it, and so will a single packet-filter rule that drops incoming “TCP reset” packets before the networking code ever sees them.)
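To make the mechanism concrete, here is an added Python model of what the client’s networking code does with the packets it receives. It is my illustration, not code from the Cambridge researchers or from their paper. The packet trace, the server address 203.0.113.10 and the keyword are constructed for the example. One detail the page does not mention but the model relies on: under RFC 793 a receiver only honours a reset whose sequence number falls inside its receive window, which is why the firewall’s side machines have to watch the stream closely enough to forge a plausible number. The `flag_injected_resets` function is a forensic heuristic that follows from the researchers’ observation that the real packets keep coming: a host that genuinely reset a connection would not go on sending data over it.

```python
from collections import namedtuple

# One TCP segment as the client sees it: the IP source it claims to come from,
# the TCP flags, its sequence number and any payload.  Constructed for this
# example; there is no real packet capture behind it.
Seg = namedtuple("Seg", "src flags seq payload")


class Receiver:
    """Minimal model of the receiving half of a TCP endpoint.

    RFC 793 rules that matter here: a segment is processed only while the
    connection is open; a RST is honoured only if its sequence number lies in
    the receive window; an honoured RST aborts the connection, so anything
    arriving afterwards is discarded.  ignore_rst=True models the stack
    Clayton et al. proposed, which never acts on a RST at all.
    """

    def __init__(self, rcv_nxt, window=65535, ignore_rst=False):
        self.rcv_nxt = rcv_nxt        # next byte expected from the peer
        self.window = window
        self.ignore_rst = ignore_rst
        self.aborted = False
        self.data = b""               # what gets handed to the application
        self.log = []

    def in_window(self, seq):
        return self.rcv_nxt <= seq < self.rcv_nxt + self.window

    def receive(self, seg):
        if self.aborted:
            self.log.append(f"seq={seg.seq} {seg.flags}: dropped, connection already reset")
        elif "R" in seg.flags:
            if not self.in_window(seg.seq):
                self.log.append(f"seq={seg.seq} RST: outside window, ignored")
            elif self.ignore_rst:
                self.log.append(f"seq={seg.seq} RST: in window, but this stack ignores RSTs")
            else:
                self.aborted = True
                self.log.append(f"seq={seg.seq} RST: accepted, connection aborted")
        elif seg.seq == self.rcv_nxt:        # in-order data only; no reassembly queue
            self.data += seg.payload
            self.rcv_nxt += len(seg.payload)
            self.log.append(f"seq={seg.seq} data: {len(seg.payload)} bytes delivered")
        else:
            self.log.append(f"seq={seg.seq} data: out of order, dropped")


def build_trace(server="203.0.113.10", isn=1000, keyword=b"falun"):
    """Segments arriving at the client, in order (constructed).  The firewall's
    side machine sees the keyword in the second segment and injects a RST forged
    with the server's address and an in-window sequence number (it has watched
    the stream, so it knows the numbers).  The server's own segments keep coming."""
    chunks = [b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>",
              b"<p>Search results for " + keyword + b"</p>",
              b"<p>(rest of the page)</p></body></html>"]
    seqs = [isn]
    for c in chunks:
        seqs.append(seqs[-1] + len(c))
    trace = [Seg(server, "PA", seqs[0], chunks[0]),
             Seg(server, "PA", seqs[1], chunks[1]),
             Seg(server, "R", seqs[2], b""),        # forged by the firewall
             Seg(server, "PA", seqs[2], chunks[2])]
    return trace, b"".join(chunks)


def deliver(trace, stack):
    """Feed every segment to a Receiver and return what reached the application."""
    for seg in trace:
        stack.receive(seg)
    return stack.data


def flag_injected_resets(trace):
    """Forensic tell: a host that really reset a connection would not keep sending
    data on it.  A RST followed by further data from the same source, at or beyond
    the RST's sequence number, was almost certainly injected by a third party.
    Returns the indexes of the suspicious RST segments."""
    flagged = []
    for i, seg in enumerate(trace):
        if "R" not in seg.flags:
            continue
        later_data = [s for s in trace[i + 1:]
                      if s.src == seg.src and s.payload and s.seq >= seg.seq]
        if later_data:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    trace, page = build_trace()
    for name, stack in (("obedient", Receiver(1000)),
                        ("ignores RST", Receiver(1000, ignore_rst=True))):
        got = deliver(trace, stack)
        print(f"--- {name}: {len(got)} of {len(page)} bytes reached the browser")
        print("\n".join(stack.log))
    print("injected resets at trace positions:", flag_injected_resets(trace))
```

Running it shows the obedient stack handing the application only the first two chunks and discarding the rest, while the RST-ignoring stack reassembles the whole page, and the trace analysis flags position 2 as the injected reset. The model also makes the trade-off visible: a stack that ignores every RST ignores the genuine ones too, so a connection to a port that has gone away hangs until a timeout instead of failing promptly.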
Nevertheless, this does provide some insight into how the GFW manages to be effective at keyword blocking given how much traffic the PRC’s Internet chokepoints have to handle. It’s the network-filtering equivalent of Occam’s Razor: the simplest, most straightforward (and lowest-impact) implementation is the most likely one.
Researcher Richard Clayton was hopeful about the impact of this discovery:
…the key point is that changing the TCP/IP stacks to ignore the firewall is almost a no-brainer for the vendor. There are excellent technical reasons for discarding the firewall’s resets as a matter of course. If stack builders did this as standard, then an entire Great Firewall of China mechanism entirely fails to work. That can only, in my view, be a good result.
[Hat tip to: Bruce Schneier]
July 1st, 2006 02:14
[...] While it probably doesn’t clear up the Rice Cracker story, some good firewall-related news out of England: Researchers at Cambridge have reportedly discovered how China accomplishes automatic blocking of web pages that contain counterrevolutionary keywords. Andrew Lih, a new media researcher at the University of Hong Kong, explains it in lay terms: …the simple explanation is that the GFW sends a “TCP reset” packet to both the web server supplying the suspicious page and to the client (i.e. your computer) loading it. It’s the equivalent of an “emergency stop” packet usually reserved for situations of bad connectivity so that both sides know to disconnect abruptly. [...]