Cambridge Breached the Great Firewall of China

Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."

  • Re:Stateless? (Score:5, Informative)

    by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Tuesday July 04, 2006 @01:18PM (#15656700) Homepage Journal
    How exactly does a stateless IDS block connections for up to an hour?

    Stateless != ruleless. For example, you could use OpenBSD's "pf" to create a stateless firewall that references an external rules file, then use a cron job to rewrite that rules file once an hour. That might be a pretty reasonable approach if you're filtering billions of packets per hour and can't afford to track state for each connection.

  • by ironwill96 ( 736883 ) on Tuesday July 04, 2006 @01:19PM (#15656703) Homepage Journal
    The sad thing is, they're not indirectly helping them - they ARE helping them. In TFA they state that they have reported their findings to the Chinese Computer Emergency Response Team. I assume these are the goons in charge of government censorship over there. I'm surprised after all the flak that Yahoo has caught for their chinese censorship assistance, that Cambridge would leap off that cliff as well by helping China to further block any ways for citizens to bypass the firewall and obtain information about "sensitive" topics. It really bothers me that so many in the U.S. who claim to value freedom so much (who are out blowing up fireworks today to celebrate such - fireworks mostly bought from China I might add), will help a country who values freedom so little.
  • by Jeian ( 409916 ) on Tuesday July 04, 2006 @01:31PM (#15656756)
    DDoS is using multiple computers to "flood" a target off the Internet. This would be a plain DoS attack using a software weakness to deny service.
  • by CaymanIslandCarpedie ( 868408 ) on Tuesday July 04, 2006 @01:34PM (#15656764) Journal
    Cambridge would leap off that cliff as well by helping China to further block any ways for citizens to bypass the firewall and obtain information about "sensitive" topics. It really bothers me that so many in the U.S. who claim to value freedom so much (who are out blowing up fireworks today to celebrate such - fireworks mostly bought from China I might add), will help a country who values freedom so little.

    FYI, Cambridge isn't a U.S. university.
  • Re:Fragmentation (Score:3, Informative)

    by Tontoman ( 737489 ) * on Tuesday July 04, 2006 @01:36PM (#15656769)
    Most firewalls will reassemble fragmented packets in order to perform content analysis. How to do it is in the TCP/IP RFCs.
  • by jabuzz ( 182671 ) on Tuesday July 04, 2006 @01:44PM (#15656798) Homepage
    Wrong Cambridge. Cambridge University (fourth oldest in the world) is in the South East of England, and not in North America. Full marks, you have displayed a typically parochial American outlook on the World.
  • by kohaku ( 797652 ) on Tuesday July 04, 2006 @02:09PM (#15656880)
    The way things are going, AOL will probably have an equivalent firewall in a few years time. Then they can rent it out. Hooray for the free world.
  • by erik_norgaard ( 692400 ) on Tuesday July 04, 2006 @03:39PM (#15657186) Homepage
    It appears the link to the source is missing - I first read about it last week on Schneier's blog, linking to the original blog post found here:

        http://www.lightbluetouchpaper.org/2006/06/27/ignoring-the-great-firewall-of-china/ [lightbluetouchpaper.org]

    And for all the details, the paper to be presented is here:

        http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf [cam.ac.uk]

    I think the interesting thing is that by configuring our end to ignore the invalid resets from the Great Firewall of China we can aid the distribution of otherwise censored material.

    DDoS attacks against the GFC seem not to be that easy, as the article mentions the GFC is not one giant router at the backbone, but rather smaller machines closer to the end stations - the firewall is distributed across an unknown number of gateways.
  • by Anonymous Coward on Tuesday July 04, 2006 @03:55PM (#15657239)
    Uh, no, they don't. Satellite internet connections cost a shitload of money. When I was last there 3 years ago they were offering DSL broadband 1Mbit/sec for around the equivalent of $100/month (it cost a lot as it was unmetered, you could download GBs a day on it). Satellite dishes for television are something else. Again, from when I was last there, might be different now, there were a whole 2 Arabic channels on the Ku band but I think up to 50 on C band, and it cost SAR1000 (about $300) to have a guy come and install a C band dish and receiver. They weren't exactly a luxury, most everyone I saw, poor or rich, had them because Saudi doesn't have a vast terrestrial television infrastructure like anywhere else.
  • by Anonymous Coward on Tuesday July 04, 2006 @04:40PM (#15657343)
    What TV cameras? We're lucky that photos managed to get out of there, the Chinese secret police were assaulting, detaining, and destroying the film of journalists. The film that did get out was smuggled out.

    And the line of tanks stopped because the single person driving the lead tank didn't know what to do. It wasn't a policy decision handed down by the PLA to not hurt anyone because of cameras. They had just finished killing dozens, possibly hundreds of innocent people. They were shooting automatic rifles into crowds of people in the middle of the street.
  • by mrogers ( 85392 ) on Tuesday July 04, 2006 @05:00PM (#15657393)
    This paper was presented at the Privacy Enhancing Technologies Workshop [petworkshop.org], alongside with papers about Tor [eff.org] and Mixminion [mixminion.net]. I'm pretty confident that the authors aren't trying to help the Chinese government. What they are doing is embarrassing the Chinese government, presenting it with a difficult choice between dismantling its firewall and suffering DoS attacks, and publicising a method of circumventing the firewall. By using the normal channels for vulnerability disclosure, the authors protect themselves from politically-motivated accusations of "cyberterrorism".
  • by John Courtland ( 585609 ) on Tuesday July 04, 2006 @05:52PM (#15657538)
    The banner can tell you program version information and sometimes the host OS, machine architecture and running modules. Apache's webserver banner is a good example. It can, if set up to, tell you the version of Apache, the version of PHP, the host OS kernel revision, and what processor is hosting that OS. That's a lot of information that really isn't necessary. Usually it's displayed when an ErrorDocument handler returns a 404 itself.
  • Re:Stateless? (Score:3, Informative)

    by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Tuesday July 04, 2006 @06:44PM (#15657670) Homepage Journal
    That comment is bullshit. A lookup in the state table is actually _way_ more efficient than going through the ruleset for each packet, moreso if the ruleset is larger.

    You misspelled "this".

    State tables aren't happy magic O(zero) constructs - they take resources just like rulesets do. Imagine the case where a firewall is checking a billion simultaneous connections against a ruleset with only one entry. Do you honestly contend that it'd be easier to look for the existence of a state table entry than to check for "dest addr == 1.2.3.4"? Especially if the ruleset were actually the output of an FPGA that gets reconfigured on an hourly (or whenever) basis?

    Or imagine that their blacklist granularity is a /24, figuring that blocking a "bad" address's neighbors is probably desirable. In that case, they only have to track 16 million 24-bit network prefixes. Q: Is a.b.c.d blacklisted? A: It is if "blacklist[a*65536+b*256+c] == 1". I leave it to the reader to decide whether implementing an optimized version of that algorithm would be easier or harder than saving and checking state for millions of simultaneous connections.

    Finally, my implementation would be inherently unsusceptible to a SYN flood. What happens when a stateful firewall gets a flood of incoming connections faster than it can make room to store them? That's also known as a DOS, which is generally something you don't want to design into your system.
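The stateless /24 blocklist sketched in the two "Re:Stateless?" comments above (the `blacklist[a*65536+b*256+c]` lookup, and the rules file rewritten once an hour instead of a per-connection state table) can be made concrete. The following is an added example written for this page, not code from the Slashdot thread, from the Cambridge paper, or from pf; the rule lines, addresses and the `filter_packet` verdict function are constructed for illustration.

```python
# Added example, not code from the Slashdot thread or from the Cambridge paper:
# a stateless /24-granularity blocklist of the kind the comments above sketch
# (blacklist[a*65536 + b*256 + c]) together with the "rewrite the rules file
# once an hour" reload they describe. All addresses and rule lines are
# constructed sample values (documentation ranges), not anything from the page.
import ipaddress
import time

PREFIX_COUNT = 1 << 24          # one flag per IPv4 /24 prefix (16 million)
RELOAD_INTERVAL = 3600.0        # the comment's "once an hour", in seconds


def prefix_index(addr: str) -> int:
    """/24 index of an IPv4 address: a*65536 + b*256 + c, i.e. its top 24 bits."""
    return int(ipaddress.IPv4Address(addr)) >> 8


class StatelessBlocklist:
    """Bitmap with one bit per /24. Membership is a single indexed read and
    needs no per-connection state, however many flows are in flight."""

    def __init__(self) -> None:
        self.bits = bytearray(PREFIX_COUNT // 8)   # 2 MiB for all /24s
        self.loaded_at = 0.0

    @staticmethod
    def _mark(bits: bytearray, network: str) -> None:
        """Set the bit of every /24 covered by 'network' (a /24 or shorter)."""
        net = ipaddress.IPv4Network(network, strict=False)
        if net.prefixlen > 24:
            raise ValueError(f"{network}: granularity is /24, cannot block a longer prefix")
        first = int(net.network_address) >> 8
        last = int(net.broadcast_address) >> 8
        for idx in range(first, last + 1):
            bits[idx >> 3] |= 1 << (idx & 7)

    def replace_from_lines(self, lines, now=None) -> int:
        """Build a fresh table from rule lines ('a.b.c.d/n', '#' comments allowed)
        and swap it in whole, the way a cron job would rewrite a rules file.
        Returns the number of rules loaded."""
        fresh = bytearray(PREFIX_COUNT // 8)
        count = 0
        for raw in lines:
            rule = raw.split("#", 1)[0].strip()
            if rule:
                self._mark(fresh, rule)
                count += 1
        self.bits = fresh
        self.loaded_at = time.time() if now is None else now
        return count

    def is_blocked(self, addr: str) -> bool:
        """Constant-time check: one byte read and one bit test."""
        idx = prefix_index(addr)
        return bool(self.bits[idx >> 3] & (1 << (idx & 7)))

    def stale(self, now=None) -> bool:
        """True once the table is older than RELOAD_INTERVAL (time to re-read the file)."""
        now = time.time() if now is None else now
        return now - self.loaded_at >= RELOAD_INTERVAL


def filter_packet(table: StatelessBlocklist, src: str, dst: str) -> str:
    """Stateless verdict: depends only on this packet's own addresses,
    never on anything remembered about earlier packets."""
    return "drop" if table.is_blocked(src) or table.is_blocked(dst) else "pass"


# Constructed rules file and constructed packets (TEST-NET documentation ranges).
SAMPLE_RULES = [
    "# blocked /24s, regenerated hourly (constructed sample)",
    "198.51.100.0/24",
    "203.0.112.0/22      # one /22 rule expands to four /24 entries",
]
SAMPLE_PACKETS = [
    ("192.0.2.1", "198.51.100.7"),
    ("192.0.2.1", "192.0.2.2"),
    ("203.0.115.200", "192.0.2.9"),
]


def demo() -> dict:
    """Load the sample rules and give a verdict for each sample packet."""
    table = StatelessBlocklist()
    table.replace_from_lines(SAMPLE_RULES, now=0.0)
    return {f"{s}->{d}": filter_packet(table, s, d) for s, d in SAMPLE_PACKETS}


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The trade-off the comments argue about is visible in the two costs: `is_blocked` is one indexed read regardless of how many connections exist, while `replace_from_lines` pays for the whole 2 MiB table on every reload, which is cheap hourly and would be absurd per packet. Nothing in the table grows with traffic, so a flood of new connections cannot exhaust it the way it can exhaust a state table.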

  • Incidentally, there are more Cambridges in the US than in the UK

    Er. No, there's exactly one of each over 10k people in each [wikipedia.org] nation [wikipedia.org]. Of course, since Cambridge in this context isn't a city at all, and since there's essentially nobody who actually thinks of MIT when someone says Cambridge who has even a passing familiarity with universities, this is essentially moot.

    at least one of which is also notable for its large university. Used to confuse the fuck out of me, for one.

    Probably because you're posting without reading articles, at which point it would have been bloody obvious. Making excuses for being a dumbass just makes you look dumber. Stop while you're only sorta behind.
