Defeating China's National Firewall

Bruce Schneier is reporting on his blog that a recent paper is discussing how to defeat China's national firewall. From the article: "However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall's reset packets, then the connection will proceed unhindered! We've done some real experiments on this -- and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall -- just shut your eyes and walk onto Platform 9¾."

Publish and Perish

Okay, now that you let the cat out of the bag, how long before the Great Chinese Firewall gets this hole plugged?

On the otherhand, the more they try to squeeze star systems, the more they will slip out of thier han (or something like that).

How to get drugs into USA

Why should American's be denied drugs just because their govenment makes such huge efforts to limit the drugs flowing into America? Here's how you can get those poor miserable people the drugs they want and need...

See the parallel?

Re:How to get drugs into USA

Sure do. Dear Rest Of The World: SEND MORE DRUGS.

Re:How to get drugs into USA

I see the parallel, but I don't see what you think it proves. There are a lot of people who think that censorship and prohibition are equally immoral.

You forgot something...

I think your post got cut off. Would you please repost?

You can pick up from "Here's how you can get those poor miserable people the drugs they want and need..."

Thanks!

Re:Drug Parallel

Most libertarians believe that (currently) illegal drugs should only be legal for adults. Minors don't have the full responsibility of adults to take care of themselves. There are also a lot of more moderate ones who believe that taxing them is okay, especially if it can help lower other taxes. Their main reason for supporting legalization of drugs is that it would lower black market crime, and end up saving lives, although ideology is obviously an important reason.

Re:Drug Parallel

Libertarianism isn't necissarily opposed to taxes and regulations. It is opposed to FORCED taxes and regulations. Taxes should be "optional" in the sense that if you "use" (buy/sell/trade) something that is taxed, you are volunteering to pay/levy that tax.

You do realize that this policy would justify every existing form of regulation and taxation? Income, after all, is nothing more than a straight trade, currency for labor. Even inheritance taxes would be justified, since inheritance is a gift from one person to another, and gifts are merely a subset of trades in which "goodwill" is traded for tangible property. What, then, would you consider a "forced" tax, since you have apparently chosen to define all taxes and regulations as "voluntary"?

More generally, any claim by a third party for a portion of the goods exchanged in any trade against the will of both the buyer and the seller must be considered theft from a libertarian point of view. That includes all taxes, which -- by definition -- differ from trades only in that they are coerced, i.e. non-voluntary. That has always been the libertarian position, despite the claims of the so-called Libertarian Party to the contrary. The LP has been sacrificing libertarian principles for political power for some time now; their present goals, while more liberal than the two major parties, are hardly "libertarian" in nature.

Re:Drug Parallel

More people die from the narco traffic violence than from the war in Iraq in the same time period. All of these deaths are caused by US policy but nobody cares about people dying who are not in our country. (One of) the reasons we invaded Iraq was to spread democracy. If we really wanted to spread democracy we could first start by legalizing and taxing drugs in the USA. This would nearly shut down many of the large violent drug cartels that keep dictators in power.

Re:How to get drugs into USA

See the parallel?

There is no parallel. The prohibitions on freedom of speech on and information about the different forms of government are uniquely self-perpetuating. Prohibitions on alcohol, drugs, and almost anything else are not like that and can be abolished by the popular will within a reasonably democratic society because discussing them remains legal, even if using is not.

Re:Publish and Perish

From reading the article it's not just a hole, it's the primary basis of their "firewall". Their system is apparantly built the way it is because any other method would be too expensive and/or slow. TO prevent this workaround will require enourmous expenditures in reworking their network structure.

Re:Publish and Perish

Someone should tell them that they put their firewall in backwards.

Re:Publish and Perish

I have a feeling that instead they'll just roll up the death vans and execute those criminals. After all, if they are defeating the firewall, they clearly are up to something sneaky and are a threat to the existing order...

But how will they know? You cannot tell if a remote host is responding to reset packets from your firewall, at least not directly. This seems like it will work.

Re:Publish and Perish

> You cannot tell if a remote host is responding to reset packets from your firewall, at least not directly.

If you had to send multiple resets for the same port pair, they're ignoring you.

Re:Publish and Perish

Yes, we can mock the Great Firewall implementors for incompetence, but let's remember that the technical means are really only a reminder of the underlying law. Many laws don't have any built-in means of enforcement at all. My car has no speed governor to keep it under 65 mph, does that mean the government is just stupid? Or that I can't get busted for speeding? Almost all laws are easy to break; the real problem is getting away with it, especially if the government decides to target you for whatever reason.

Re:Publish and Perish

But can we use this with a machine coded matrix to get Jack Bauer out?

The sound you hear...

...is a billion Chinese walking into the great wall of China...all at once.

Dear Guys,

Thanks for doing the security analysis for us. We appreciate your hard work and excellent documentation.

Your Pal,

Wen

Duh ... just use Gopherspace

No one is monitoring that protocol

Detectable and Illegal

Wouldn't this be easily detectable and probably illegal (for someone in china)? It sounds like a good way to get in trouble.

When are they going to realise...

that most of the Chinese people don't know/care about the firewall?

Re:When are they going to realise...

If these stats [internetworldstats.com] are even semi-accurate, then internet penetration is less then 10% of the population. I guess that would mean a whopping 90% really could care less about the great firewall. Now, how many of the 10% (roughly 110 million people) care about the great firewall? Well this is somewhat more debatable, but you'd have to imagine some of them are supporters of the current system and would therefore not mind...

Re:When are they going to realise...

Exactly. When I was teaching a Chinese girl this time last year as part of my TESOL course I couldn't help but ask those questions. She said that most people she met in the uk had asked her about the firewall and censorship. She told me that most people she knew didn't really notice or care, even her father who teaches at a university. Make of that what you will. I'm not sure what to make of it.

National Firewall

Another way to defeat that firewall is to have everyone on both sides sending, say, ICMP/TCP/UDP pings through it.
Will it be able to deal with this enormous amount of traffic jamming into a "single point"?

Damn you Mongolians!

That's the last time you break down my shitty firewall!

Jeez, why is it everytime chinese build a wall, those damn mongolians gotta break it down?

They're not Mongolians...

They're Mongorians!

And before someone lambasts me for making fun of Engrish, I should clarify that I'm amused by all variations of the English language. A good number of my fellow Maltese citizens butcher English, for example, even though it's supposed to be a first language. Only in Malta can you fill your car up with pitlor (petrol), have your football team lose on a pineltri (penalty), and make windows out of enimielju (aluminium). By the way, those aren't Maltese words, those are what many Maltese people think the English words actually are. Oh, and they also think that Hoover, Jablo, Kenwood, and Geyser literally mean a vacuum cleaner, polystrene foam, a cake mixer, and a hot water heater, respectively.

Here's the South Park clip about Mongorians from YouTube [youtube.com].

Harry Potter??!

How the heck is it anything like shutting your eyes and walking onto Platform 9¾?

Maybe if the Chinese authorities found you on board this 'train', they could act like those terrible dementor things I guess.

Irresponsible

It is irresponsible for people to post ways of bypassing the security restrictions a sovereign nation has enacted upon its people. If the Chinese people don't like the way their government is restricting their access to information then they have a moral obligation to overthrow that government, either peacefully via voting in the next election, or by force using a militia formed from the people. By showing the Chinese people ways to exist comfortably within the restrictions imposed by an immoral government we're not helping them to reach a better place in life.. namely a free and democratic Republic of China.

Re:Irresponsible

It is irresponsible for people to post ways of bypassing the security restrictions a sovereign nation has enacted upon its people.

Why wait for the revolution before taking any other action? Your position is ridiculous.

-jcr

Re:Irresponsible

Back in the real world however, you can't overthrow the government whenever you don't agree with it, especially when they have lots of guns and tanks and all you have are disgruntled peasents. Sometimes civil disobediance is the best policy. Besides, you can't generate outrage against something like this until most of the people actually know about it, and even then many of them will believe the government line that they're only blocking "harmful materials" that you shouldn't be looking at anyway. Enough people start getting in trouble over bypassing the firewall and you might actually start educating the public about this.

Re:Irresponsible

Your post should be modded as Funny or Stupid (not Insightful) because 1) Chinese don't have elections with several parties, they are all from the Communist party and are approved office holders regardless of who wins, there is ONLY 1 party 2) Militia? WTF? The Chinese can't own firearms, and the last organized oppisition protest in Tiannimen (sp?) Square they squashed the opposition (with tanks) 3) It's NOT irresponsible for showing ways around Chinese Internet Security because the restrictions of the "immoral" Government don't ALLOW people access to information that they could USE to make China a better place. We are not showing them how to Exist comfortably within restrictions we are showing them how to get around the restrictions so they can share information and learn things that WILL allow them to have a free China one day. I'd rather we were called "irresponsible" and did something than be called moral and responsible but did nothing to advance the cause of Freedom.

Re:Irresponsible

No, people were pretty much crushed by tanks. You see, GP was basically repeating (and I assume satirizing) the party line. For instance, if you are in the United States and do a google image search for Tiananmen Square [google.com] you mostly find pictures of tanks. Do a China google images search for the same term [google.cn] and you get a much more patriotic view of things. Hmm... the ratio used to be a lot more unbalanced... I wonder if Google is intentionally letting the filtering slide, or if reporters have simply found ways around the google.cn filtering rules.

Huh? Why can't they have help?

Do you recall that little American Revolution way back in the mid 1770's? You know, the one the then-English colonies were LOSING? The U.S. would have been in quite a pickle without the French providing financial and military aid. Sure, it was in their own self-interest, but that makes their aid no less valuable.

Just because a Revolution receives assisstance from the outside makes it no more or less legitimate.

SirWired

Why is revolution the only answer?

Why do you think that the only legitimate way to deal with a bad government is to overthrow it, by election or force? What's wrong with getting a bad government to change its ways?

Do you think that any time a government is doing something bad, that the government should be overthrown (or voted out)? What if a government is doing some really wrong things, but it's also doing some good things? Suppose you think that a President has done one thing that's very wrong, but that aside from that one thing, he's done a fantastic job. Are you morally obliged to vote that President out? Imagine it's 1948. You think Truman did a terrible thing when he used nuclear weapons in Japan, but you approve of everything else he's done, and you don't like Dewey. Are you morally required to vote for Dewey anyway?

Do you think that armed rebellion is the only way for a non-democratic government to become democratic? If so, why do you think this? There are examples in recent history of non-democratic governments becoming democratic without a shot being fired (e.g., most of Eastern Europe). Or think about the way the U.K. changed from a non-democratic monarchy to a parliamentary democracy with a figurehead monarch.

Have you thought about what would be involved in overthrowing China's government by force? For some period of time, China would be without any government at all. Think how wonderful it would be for a country with a population of over a billion and a large supply of nuclear weapons to find itself suddenly without a government.

One way to get a government to stop trying to regulate something is to make its efforts to regulate it spectacularly ineffective. This happened in the United States with Prohibition. Why can't it happen in China?

DOS?

If I'm correct, and I think I am:

This has the potential to triple the traffic through their firewall as resets are sent for every packet. So consequently, not only is it an illegal act of hacking (even by US standards) but the potential does exist for a resulting DOS attack that could take the firewall down completely.

Kids have to much time on their hands. No matter how "horrible" Chinese internet policy is by US standards, it's their damned network segment. Let them work it out for themselves.

It's not THEIRS

>No matter how "horrible" Chinese internet policy is by US standards, it's their damned network segment. Let them work it out for themselves.

The chinese internet doesn't belong to the chinese government, it belongs to the chinese people. When they have a real democracy then "they" (the people) can decide how to run it. Until then we shouldn't respect how "they" (the government) want to run the internet any more than we would if some bank robbers were holding hostages and "they" (the robbers) wanted to decide how to run the bank.

Re:the chinese government is illegitimate

Illegitimate? Whatever, dude. The Chinese are, with the exception of Americans, the most patriotic people I've ever come into contact with -- nationalist fervor is so ingrained here it's absolutely frightening. They're not interested in revolt and on the whole are happy with the status quo. They love their country and go on and on about it. Really. If there were a vote tomorrow there is no doubt in my mind that the CCP would win.

During the Chinese civil war, the Communist party was overwhelmingly supported by the people.

Your assertion that non-democratic societies are illegitimate suggests that most societies in history have been illegitimate. I'm not sure that's a particularly useful definition of legitimacy.

I don't kmow about China

But even in the west I feel more comfortable using [revis.co.uk] Tor [eff.org], a (well, close enough) anonymizing proxy.

I used to use JAP [tu-dresden.de] (a similar project but the client was Java based and less transparent) but Tor is considerably faster. Throughput up to 60K/sec on a 512k/sec DSL line (as fast as it ever goes with no proxy) means that it's practical to use for all traffic and makes the needle much harder to find in the haystack.

It's a dying shame that /. is censored in China...

Or they might actually be able to enjoy their newfound freedom for the three days until it's plugged and they are subsequently arrested.

for those who didn't read harry potter

Could we just think of this as the "Indiana Jones and the Last Crusade" approach?

This should take a while to plug

Because the filtering is not done on the routers, but rather on external machines this should take some time to plug. Off the top of my head I can't imagine how the Chinese government would change their filtering to defeat this trick. On a Linux box you could just set an iptables rule:

bash-3.0# iptables -s 0/0 -d 0/0 -p tcp --tcp-flags RST -j DROP

should take care of the reset packets at the local end. The remote end would need to drop them as well, but that would be easy to setup. Maybe we could setup some proxies for those in mainland China that would drop the resets so they could surf anywhere. Might be hard to restrict to those coming from mainland China.

Just a thought.

the_crowbar

Bad example!

... and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall -- just shut your eyes and walk onto Platform 9¾.

Or you just type in:

idspispopd = Walk through wall in noclip style

Unless the web server also ignores reset packets..

...this will not work. Both sides need to ignore the reset packets, otherwise the remote web server will close the connection when it receives one. From TFA:

"However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall's reset packets, then the connection will proceed unhindered!"

"Defeat China's Great Firewall: Take 37"

I'm getting a bit tired of this...

America is beginning to have it's own firewall.

Creeping legal legislation against porn sites.

Gambling too. Using phone lines to bet shouldn't be illegal. Encroaches on civil liberties.

Just a scratch on the surface

Gimmicks like these wont last long. How many chinese would actually search for information against their government? Even if they do, they will always have the fear of being caught. Until every Ying Yang realizes the need to overthrow the system, nothing is going to happen.

Spoofed resets don't work against a modern OS

Third party off-to-the-side resets are actually hard to do against a modern OS. Remember that big TCP reset against Cisco routers that could tear down BGP sessions... The fix was to be more restrictive on accepting reset packets. To do a third-party reset you have to be able to send the reset in real-time or each endpoint will have advanced their sequence window (actually the ack window is what matters). The reset will be properly ignored as invalid because each endpoint has moved on which would be impossible if one had actually sent the reset.

A third party spoofer can play games with the TCP Timestamps to effectively shut down a connection and he only has to be near-realtime. Send the right value and all of the legitimate packets get dropped by the OSes PAWS checks. I'll leave that one as an exercise to the reader.

Great walls not so great in China

This sort of reminds me of the way the Mongols defeated the Great Wall of China.

Did they tear the wall down? No.

Did they march around one end of the wall? No.

They simply bribed a guard to open the gates.

Maybe China shouldn't be so fixated on walls.

Defeating US immegration policy...

Where does the arrogance come from that entitles us in the western world to defeat any setup (legal or physical) in foreign countries based on *our* values?

We would be offended if China would try to defeat US or EU labor laws, immigration policy, or othther domestic or international policies.

Cisco will be upset!

Somewhere, a Cisco employee in the US will have to now form a team to make sure that the Chinese government can repress unhindered.

Then he'll go home to his wife and kids, proud that he's done a good job. If you're here, raise your hand.

Kind of funny, eh, that repression has been outsourced to us now. (Yes, Cisco helped set up the great firewall, sold the equipment, and worked extensively to prevent free access by Chinese citizens.)

Harry Potter?

Maybe you ought to wait till the last book comes out. If you saw the news, you know what I'm talking about.

Been there...the firewall isn't a big deal

The problem is not the firewall. Having traveled in and around China with my laptop I never had difficulty getting around the firewall. However what is much more insidious is the active monitoring of your hotel room's internet connection. And they even let you know your being monitored because a little icon pops up in the lower right hand corner of the screen.

Personally I used vpn software to get around a bunch of these issues. However I could have been arrested and charged with crimes against the state for even possessing the software. Let alone using it.

The Great Chinese Firewall is a sham...if the government wants to get you they'll just watch what you type. ALL hotel connections are monitored, maybe not continuously but they are monitored.

-anon because I still need to travel in China on occasion.

China's Great Intrusion Detection System

In many respects sending Reset packets to both sides of an unwanted connection based on the content of the traffic is much more the behavior of an Intrusion Detection System than just a firewall. The Cisco IDS devices and I would imagine other brands as well typically have an entire interface just for sending reset packets to close unwanted connections between hosts based on certain rules and content inspection.

Disgusting

http://www.chinalaw.gov.cn/jsp/contentpub/browser/ contentpro.jsp?contentid=co214114811- [chinalaw.gov.cn]

Use a VPN and bypass local restrictions

Any VPN provider that terminates in the US will allow you to bypass your local government's firewall. Providers include:

* PublicVPN.com
* HotspotVPN.com
* SpotLock (via iPass)
* iPig

Some (most?) of them also allow VoIP access, so you can bypass those pesky local telcos.

Modern-day Hsiung-Nu

The "Digital Barbarians" are breaking down the other Great Wall in China- good news and good stuff. I always waanted to do something like host Triangle Boy- but now w/ this workaround maybe I won't have to.

The Firewall's Not the Problem

I've been living in China for the past year, and have asked lots of people about this. The only people who care about the firewall are foreigners, because the firewall blocks foreign sites. The vast majority of Chinese don't care that they can't read bbc.co.uk. What they DO care about is the staggering number of domestic blogs and news sites that get shut down each month for being labled "obscene" or "seditious," and no amount of internet wizardry is going to let you access a site whose server has been confiscated and webmaster imprisoned. I suppose Google could step up to the plate and start caching all of these doubleplus ungood blogs before they get taken down, and then perhaps bypassing the firewall would be useful, but I'm not going to hold my breath waiting for that to happen.

I won't count on it.

What if chinese monitor it and record those who drop the packets and continue to connect(at same time when they suppose to disconnect)?

This has less to do with the great firewall ...

This is a flaw in the implementation of TCP/IP in the OS at both ends:
Allowing a unknown, unauthorized third party to reset a connection.
Bruce described this could be used as a DOS attack. This is the essence.
The great firewall of China is a popular example, because of the political dimension.
Mention this as a defeat for the great firewall of china is a way of packaging the message.

might as well move to kent state

i think a lot shit we get here about china is to distract us from a very systemmatic, and calculated erosion of our rights here. better secure freedom in the usa before interfering with another unjust government.

great firewall of china

I have a little experience of working in China.
We run an encrypted ssl vpn for our company data, which the chinese authorities are probably a little nervous about us using in china for obvious reasons. What I find is that after about 24 hours usage , the internet goes mysteriously down a lot of the time. This would be the response to somebody who's firewall was rejecting their block packets surely. They just shut down your access to the net unless you play by their rules....and probably take you out the back and shoot you in the back of the head if you keep breaking their rules.....
After another 5 years of George W, that's where you'll probably be at in the "land of the free" too ;-)

The cure is lag?!?

If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device.

leave it to china to turn lag into something good.

Re:Long term solution...

I really think that the only real long-term solution to the censorship is for the Chinese government to stop it. Anything else is, like you said, not a real solution.

Re:HAXORED BY CHINESE!

Don't you mean...

Firewall 1,306,313,812; Haxors 1 ?

Re:The real question is

Cisco IOS, more likely.