Cambridge Breached the Great Firewall of China
Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."
Re:Stateless? (Score:5, Informative)
Stateless != ruleless. For example, you could use OpenBSD's "pf" to create a stateless firewall that references an external rules file, then use a cron job to rewrite that rules file once an hour. That might be a pretty reasonable approach if you're filtering billions of packets per hour and can't afford to track state for each connection.
Re:Legal action against Cambridge? (Score:5, Informative)
FYI, Cambridge isn't a U.S. university.
Last weeks news - original post here (Score:5, Informative)
http://www.lightbluetouchpaper.org/2006/06/27/ign
And for all the details, the paper to be presented is here:
http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf
I think the interesting thing is that by configuring our end to ignore the invalid resets from the Great Firewall of China we can aid the distribution of otherwise censored material.
DDoS attacks against the GFC seem not to be that easy; as the article mentions, the GFC is not one giant router at the backbone, but rather smaller machines closer to the end stations - the firewall is distributed across an unknown number of gateways.
You are just as ignorant as the censored chinese. (Score:2, Informative)
And the line of tanks stopped because the single person driving the lead tank didn't know what to do. It wasn't a policy decision handed down by the PLA to not hurt anyone because of cameras. They had just finished killing dozens, possibly hundreds of innocent people. They were shooting automatic rifles into crowds of people in the middle of the street.
Re:Stateless? (Score:3, Informative)
You misspelled "this".
State tables aren't happy magic O(zero) constructs - they take resources just like rulesets do. Imagine the case where a firewall is checking a billion simultaneous connections against a ruleset with only one entry. Do you honestly contend that it'd be easier to look for the existence of a state table entry than to check for "dest addr == 1.2.3.4"? Especially if the ruleset were actually the output of an FPGA that gets reconfigured on an hourly (or whenever) basis?
Or imagine that their blacklist granularity is a /24, figuring that blocking a "bad" address's neighbors is probably desirable. In that case, they only have to track 16 million 24-bit network prefixes. Q: Is a.b.c.d blacklisted? A: It is if "blacklist[a*65536+b*256+c] == 1". I leave it to the reader to decide whether implementing an optimized version of that algorithm would be easier or harder than saving and checking state for millions of simultaneous connections.
Finally, my implementation would be inherently unsusceptible to a SYN flood. What happens when a stateful firewall gets a flood of incoming connections faster than it can make room to store them? That's also known as a DOS, which is generally something you don't want to design into your system.
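As an added example (not code from this thread, from the Cambridge paper, or from any real firewall), here is the stateless /24 blacklist the comment above sketches, written in C: one bit per 24-bit prefix (2^24 bits, 2 MiB), a single table lookup per packet with nothing stored per connection, and a clear() call standing in for the hourly rules rewrite the earlier pf comment describes. All function names, the index arithmetic check and the sample addresses are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a stateless /24 blacklist.
 * One bit per 24-bit prefix: 2^24 bits = 2 MiB, one lookup per packet,
 * no per-connection state, so a SYN flood has nothing to exhaust.
 * The thread's "rewrite the rules once an hour" becomes blacklist_clear(). */

#define PREFIX_BITS  24u
#define PREFIX_COUNT (1u << PREFIX_BITS)
#define TABLE_BYTES  (PREFIX_COUNT / 8u)

typedef struct {
    uint8_t *bits;   /* TABLE_BYTES bytes, one bit per /24 prefix */
} blacklist_t;

/* Parse a dotted-quad IPv4 address into host byte order; 0 on success.
 * Rejects trailing junk and octets above 255. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* The comment's index a*65536 + b*256 + c is exactly the top 24 bits. */
uint32_t prefix_index(uint32_t ip) { return ip >> 8; }

int blacklist_init(blacklist_t *bl)
{
    bl->bits = calloc(TABLE_BYTES, 1);   /* all prefixes start unblocked */
    return bl->bits ? 0 : -1;
}

void blacklist_free(blacklist_t *bl) { free(bl->bits); bl->bits = NULL; }

/* "Hourly rewrite": drop every entry at once; no per-entry timers needed. */
void blacklist_clear(blacklist_t *bl) { memset(bl->bits, 0, TABLE_BYTES); }

/* Block the whole /24 containing ip. */
void blacklist_add(blacklist_t *bl, uint32_t ip)
{
    uint32_t idx = prefix_index(ip);
    bl->bits[idx >> 3] |= (uint8_t)(1u << (idx & 7));
}

/* Returns 1 if ip falls in a blacklisted /24, else 0.
 * This is the entire per-packet decision: no lookup of earlier packets. */
int blacklist_check(const blacklist_t *bl, uint32_t ip)
{
    uint32_t idx = prefix_index(ip);
    return (bl->bits[idx >> 3] >> (idx & 7)) & 1u;
}

/* Count how many of n dotted-quad source addresses would be dropped.
 * Unparseable addresses are dropped too (fail closed) and counted in *malformed. */
size_t filter_sources(const blacklist_t *bl, const char *const *srcs,
                      size_t n, size_t *malformed)
{
    size_t dropped = 0;
    *malformed = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t ip;
        if (parse_ipv4(srcs[i], &ip) != 0) { (*malformed)++; dropped++; continue; }
        if (blacklist_check(bl, ip)) dropped++;
    }
    return dropped;
}

int main(void)
{
    blacklist_t bl;
    uint32_t ip;
    if (blacklist_init(&bl) != 0) return 1;
    parse_ipv4("1.2.3.4", &ip);            /* constructed sample address */
    blacklist_add(&bl, ip);                /* blocks all of 1.2.3.0/24 */
    /* constructed sample traffic: two in the blocked /24, one neighbour, one garbage */
    const char *srcs[] = { "1.2.3.4", "1.2.3.200", "1.2.4.1", "300.1.1.1" };
    size_t bad;
    size_t dropped = filter_sources(&bl, srcs, 4, &bad);
    printf("dropped %zu of 4 (%zu malformed)\n", dropped, bad);
    blacklist_clear(&bl);                  /* the "hourly rewrite" */
    printf("after clear, 1.2.3.4 blocked: %d\n", blacklist_check(&bl, ip));
    blacklist_free(&bl);
    return 0;
}
```

The table is fixed-size regardless of traffic volume, which is the point the comment makes against state tables: the per-packet cost is one shift, one byte load and one mask, and an attacker sending a billion SYNs changes neither memory use nor lookup time. The price is granularity: one blocked host takes its 255 neighbours with it, exactly the side effect the comment calls "probably desirable" and the article calls a denial of service.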
Re:Legal action against Cambridge? (Score:3, Informative)
Er. No, there's exactly one of each over 10k people in each nation. Of course, since Cambridge in this context isn't a city at all, and since there's essentially nobody who actually thinks of MIT when someone says Cambridge who has even a passing familiarity with universities, this is essentially moot.
at least one of which is also notable for its large university. Used to confuse the fuck out of me, for one.
Probably because you're posting without reading articles, at which point it would have been bloody obvious. Making excuses for being a dumbass just makes you look dumber. Stop while you're only sorta behind.