Cambridge Breached the Great Firewall of China

Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."

  • by Anonymous Coward on Tuesday July 04, 2006 @01:10PM (#15656672)
    With enough people working on it, we can temporarily block the entire country from the rest of the Internet. How's that for a fourth of July?
  • by zanderredux ( 564003 ) * on Tuesday July 04, 2006 @01:11PM (#15656677)
    Isn't Cambridge deliberately creating an opportunity for the Chinese government to prosecute them?

    What about those inside China using those exploits for legitimate ends?

    Is Cambridge indirectly helping the Chinese government to fix firewall issues?

    Are Cambridge researchers after fame at the expense of the freedom of the Chinese people?

    • The sad thing is, they're not indirectly helping them - they ARE helping them. In TFA they state that they have reported their findings to the Chinese Computer Emergency Response Team. I assume these are the goons in charge of government censorship over there. I'm surprised after all the flak that Yahoo has caught for their Chinese censorship assistance, that Cambridge would leap off that cliff as well by helping China to further block any ways for citizens to bypass the firewall and obtain information a
      • by Anonymous Coward
        The University of Cambridge is an English university, not an American company, you (obligatory) insensitive clod!

        (It's "obligatory" because it's the only way insightful anonymous coward comments get modded up.)
      • by CaymanIslandCarpedie ( 868408 ) on Tuesday July 04, 2006 @01:34PM (#15656764) Journal
        Cambridge would leap off that cliff as well by helping China to further block any ways for citizens to bypass the firewall and obtain information about "sensitive" topics. It really bothers me that so many in the U.S. who claim to value freedom so much (who are out blowing up fireworks today to celebrate such - fireworks mostly bought from China I might add), will help a country who values freedom so little.

        FYI, Cambridge isn't a U.S. university.
        • Not that it's at all relevant, but Cambridge is very buddy buddy with MIT

          http://www.cambridge-mit.org/cgi-bin/default.pl [cambridge-mit.org]

          /Just showing that they both have very smart technical people learning/researching there.

          • How in the name of @#$(@$#* is knowing how to circumvent the great firewall going to do any good if you don't tell anyone about it.

            This is not helping China. They know how their firewall works, they built it. They also know where Cambridge University is (unlike half the readers of Slashdot).

            Slashdot is helping China by bringing the article to their attention.

            This has been circulating in the security blogs for a week now. There are basically two schools of thought. One is that we might fix the IP stac

        • I was thinking Cambridge, MA (where MIT is located and right next door to Harvard), my bad :-P University of Cambridge is of course in England. Still, they should be ashamed of themselves for helping China - England claims to value freedom as well IIRC.
          • Part of valuing freedom is valuing Chinese self-governance. It's not freedom if we step in and replace it every time someone disagrees with us. Banging the drum and screaming freedom is not a good reason to go tell the Chinese they're running their own country wrong. That's what self-important plutocrats and warmongers who need justifications behind which to hide do.

            Believe it or not, even America has to say "wow, China, you get to run your own country today" once in a while.
      • by Anonymous Coward on Tuesday July 04, 2006 @02:08PM (#15656875)
        I'm presenting a paper on Ignoring the Great Firewall of China at the 6th Workshop on Privacy Enhancing Technologies being held here in Cambridge this week. It turns out that this censorship system works by sending reset packets to each end of the connection, rather than blocking packets. If they don't dutifully close, but just discard the packets, the firewall is completely ineffective. More about this in the paper and in my security group blog posting. [http://www.cl.cam.ac.uk/~rnc1/]

        Their research is concerned with DRM ass hat tactics and such...pity!

      • Cambridge ... in the U.S.

        You're a navigator by blood, aren't you? Wrong side of the planet, by the way.

        <ryoga class="satire/obscure">WHERE THE FUCK IS JAPAN?</ryoga>
      • by mrogers ( 85392 ) on Tuesday July 04, 2006 @05:00PM (#15657393)
        This paper was presented at the Privacy Enhancing Technologies Workshop [petworkshop.org], alongside papers about Tor [eff.org] and Mixminion [mixminion.net]. I'm pretty confident that the authors aren't trying to help the Chinese government. What they are doing is embarrassing the Chinese government, presenting it with a difficult choice between dismantling its firewall and suffering DoS attacks, and publicising a method of circumventing the firewall. By using the normal channels for vulnerability disclosure, the authors protect themselves from politically-motivated accusations of "cyberterrorism".
      • I think the point they're trying to show is that information censorship is useless, and creates more security problems than it prevents. In addition, cheap solutions won't work. If China wants real censorship, then the very least we can do is force them to spend buco bucks on it, or force them into an all or nothing situation. Like it or not, China needs connectivity to the rest of the world more than the rest of the world needs connectivity to China.

        China also has a very "wall" orientated culture. Someb
    • six of one... (Score:5, Insightful)

      by Armchair Dissident ( 557503 ) * on Tuesday July 04, 2006 @01:59PM (#15656850) Homepage
      ...half a dozen of the other.

      Certainly TFA suggests that the DoS attack could be used against Chinese government computers, but this could also be used against Chinese citizens. An exploit is, after all, an exploit. So I would suggest that in the case of the DoS attack, reporting it to the appropriate people - in this case the Chinese authorities - was the right thing to do.

      Unfortunately, in this case, the very flaw that allows a DoS against machines within China also permits those inside the firewall to ignore the resets sent back, so by reporting the DoS, they've also reported how the censorship can be circumvented. (or, by discovering the censorship circumvention they've unfortunately stumbled upon a DoS attack).

      In this case, I really don't think that there is a One True Answer.
  • Mongolians? (Score:5, Funny)

    by veinard ( 469297 ) on Tuesday July 04, 2006 @01:13PM (#15656683)
    Weird, I didn't know there were many Mongolians at Cambridge...
  • Stateless? (Score:3, Interesting)

    by Anonymous Coward on Tuesday July 04, 2006 @01:13PM (#15656685)
    How exactly does a stateless IDS block connections for up to an hour? Are there other components to the firewall I'm not aware of, or does stateless mean something else these days?
    • Re:Stateless? (Score:5, Informative)

      by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Tuesday July 04, 2006 @01:18PM (#15656700) Homepage Journal
      How exactly does a stateless IDS block connections for up to an hour?

      Stateless != ruleless. For example, you could use OpenBSD's "pf" to create a stateless firewall that references an external rules file, then use a cron job to rewrite that rules file once an hour. That might be a pretty reasonable approach if you're filtering billions of packets per hour and can't afford to track state for each connection.

    • Perhaps the IDS is stateless, and the firewall itself (i.e. iptables) is not.
    • Perhaps they are using the Political definition?
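Added example, not part of the original thread or of the Cambridge paper: a small Python model of the design discussed in the "Stateless?" exchange and in the story summary, a per-packet keyword check whose only memory is a timed block table, next to a variant that acts only inside a flow whose handshake it observed. The addresses, the keyword and all class and function names are constructed for illustration, and the model assumes an off-path forger who cannot see the server's initial sequence number.

```python
from dataclasses import dataclass

BLOCK_SECONDS = 3600                 # "up to an hour", per the story summary
KEYWORDS = (b"EXAMPLE-KEYWORD",)     # constructed placeholder, not a real rule

@dataclass(frozen=True)
class Packet:
    ts: float                        # arrival time in seconds
    src: str
    dst: str
    flags: str                       # "S", "SA", "A" or "PA"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

class StatelessFilter:
    """Judges each packet alone; its only memory is a timed block table."""
    def __init__(self):
        self.blocked = {}            # frozenset({a, b}) -> expiry time

    def belongs_to_real_flow(self, pkt):
        return True                  # no connection context to consult

    def observe(self, pkt):
        pass                         # nothing is remembered about flows

    def handle(self, pkt):
        pair = frozenset((pkt.src, pkt.dst))
        if pkt.ts < self.blocked.get(pair, 0):
            return "blocked"
        self.blocked.pop(pair, None)             # drop an expired entry
        self.observe(pkt)
        hit = any(k in pkt.payload for k in KEYWORDS)
        if hit and self.belongs_to_real_flow(pkt):
            self.blocked[pair] = pkt.ts + BLOCK_SECONDS
            return "blocked"
        return "pass"

class HandshakeAwareFilter(StatelessFilter):
    """Acts on a keyword only inside a flow whose handshake it has seen."""
    def __init__(self):
        super().__init__()
        self.pending = {}            # (client, server) -> expected ACK number
        self.established = set()     # (client, server)

    def observe(self, pkt):
        if pkt.flags == "SA":        # server -> client, carries the server ISN
            self.pending[(pkt.dst, pkt.src)] = pkt.seq + 1
        elif "A" in pkt.flags and self.pending.get((pkt.src, pkt.dst)) == pkt.ack:
            self.established.add((pkt.src, pkt.dst))

    def belongs_to_real_flow(self, pkt):
        flow = (pkt.src, pkt.dst)
        return flow in self.established or flow[::-1] in self.established

def replay(filt, packets):
    return [filt.handle(p) for p in packets]

# Constructed sample traffic (documentation address ranges).
VICTIM, SERVER = "192.0.2.10", "198.51.100.7"
FORGED = [Packet(0, VICTIM, SERVER, "PA", 1, 1, b"GET /?q=EXAMPLE-KEYWORD")]
LEGIT_SYN = Packet(60, VICTIM, SERVER, "S", seq=500)
REAL_FLOW = [
    Packet(100, VICTIM, SERVER, "S", seq=500),
    Packet(101, SERVER, VICTIM, "SA", seq=9000, ack=501),
    Packet(102, VICTIM, SERVER, "A", seq=501, ack=9001),
    Packet(103, VICTIM, SERVER, "PA", 501, 9001, b"GET /?q=EXAMPLE-KEYWORD"),
]
```

With the stateless filter, the single forged packet is enough to put the address pair in the block table, so the victim's later genuine SYN is dropped; the handshake-aware variant ignores the forged packet and still acts on the keyword inside the real flow.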
  • by Ant P. ( 974313 ) on Tuesday July 04, 2006 @01:19PM (#15656704) Homepage
    An "active" spamfilter that automatically shoots down Chinese spammers. The IP gets blocked off for an hour and can't spam anyone at all outside China.

    Of course at the same time I can think of a million abusive applications for this...
  • Solution? (Score:5, Insightful)

    by QuantumFTL ( 197300 ) * on Tuesday July 04, 2006 @01:19PM (#15656705)
    I wonder what the Chinese government would do if groups of individuals from around the world used techniques like this to DDoS the firewall. I highly doubt that they could get their population to accept them completely shutting off access to the outside world, and a stateful firewall would be considerably more expensive, assuming they wanted to keep their same (terrible) level of performance.

    What does Slashdot think about this?
    • Re:Solution? (Score:3, Insightful)

      by hoggoth ( 414195 )
      > I highly doubt that they could get their population to accept them completely shutting off access to the outside world

      Their population accepts a lot worse than losing Internet access.
      I don't think a government that rolls tanks over dissidents is going to worry too much about cutting off their Internet.
      • The Chinese Gov't wouldn't cut off internet access to the outside world.

        The reason they've gone to such lengths with the great firewall is that they recognize internet access is essential to China's economy and productivity.

        It makes no sense for the Gov't to cut off the outside.
        They'd sooner rebuild the great firewall from the ground up.
    • Tiananmen Where? (Score:3, Interesting)

      I highly doubt that they could get their population to accept them completely shutting off access to the outside world

      Er, exactly which China are we talking about here? If the population don't accept things then they get run over by tanks.

    • "...I highly doubt that they could get their population to accept them completely shutting off access to the outside world..."

      Hey, it's happened before (Google for "Qing dynasty", "isolationism"), of course, it led to the Opium Wars and China's eventual sub-division...Who knows what might've been if they'd just been a little more like the ancestors in the "trade and diplomacy" departments -- maybe I'd have learned Chinese at four instead of (trying and mostly failing) at forty...

  • I wonder... (Score:4, Interesting)

    by mike260 ( 224212 ) on Tuesday July 04, 2006 @01:21PM (#15656718)
    ...what would happen if I sent some packets from google.com to google.cn, containing words like 'democracy' and 'Falun Gong'.
    • Re:I wonder... (Score:4, Interesting)

      by Turn-X Alphonse ( 789240 ) on Tuesday July 04, 2006 @01:36PM (#15656770) Journal
      Yes because a Chinese firewall is going to block English words right? They'll block the Chinese words obviously.
      • Re:I wonder... (Score:5, Interesting)

        by TubeSteak ( 669689 ) on Tuesday July 04, 2006 @01:57PM (#15656842) Journal
        http://www.google.cn/search?q=Falun [google.cn]

        Falun Gong Is a Cult

        Research Society of Falun Dafa and the Falun Gong organization under its control are held to be illegal

        Fifteen Falun Gong Cult followers attempted to sabotage cable TV network equipment

        southcn:Falun Gong Cult OUTLAWED

        Here we should point out that the banning of "Falun Gong" by the Chinese government is also part of

        Falun Gong Practitioner Not Sorry for Killing Father, Wife

        Now compare all that to
        http://www.google.com/search?q=Falun [google.com]

        Now, if the Chinese Gov't is making Google filter based on English keywords, you think they're not going to do the same with their uber-firewall?

        Many Chinese schools teach English. It isn't like they only speak various Chinese dialects over there.
        • So google.cn is whitelisted, on the understanding that they do some filtering of their own?
        • Re:I wonder... (Score:3, Insightful)

          by RWerp ( 798951 )
          Interesting bit of facts you posted here. So Google does not simply censor keywords like "Falun". They block some web pages and let through others, those which say things convenient for the China government. Effectively, google.cn is an extension of the Chinese propaganda ministry. I wonder whether Google checks the content of the pages on its own, or does it get a list of the allowed pages from the Chinese? "Don't be evil" :))
      • That's a real showstopper of a problem you've spotted there.
  • hard to believe (Score:2, Insightful)

    I can't imagine why anyone would choose a stateless firewall over one that performs stateful inspection on all traffic. There are so many options available (pix, checkpoint, or just a well built iptables system), it would seem you'd have to work at finding something stateless.
  • Should China's firewall be slashdotted so that it can't work anymore and therefore allow the people of China a free internet? (free as in not censored).

  • by Jeian ( 409916 ) on Tuesday July 04, 2006 @01:31PM (#15656756)
    DDoS is using multiple computers to "flood" a target off the Internet. This would be a plain DoS attack using a software weakness to deny service.
    • Thanks, saves me saying it.

      People, a DDoS is a Distributed Denial of Service. The hint's in the first word, don't use it if it doesn't apply :)
    • A DDoS attack is an attack that is distributed across many machines collaborating to bring down a target machine. It does not necessarily have to flood a target off the machine in the sense of a SYN attack. For that matter - as in the case of the SYN attack - it doesn't have to be from multiple identifiable sources; simply from many sources.

      RTFA. The attack can be either from a single machine, or it can be distributed. The source of the attack is unimportant. Either a single machine can generate the pa
  • by Anonymous Coward on Tuesday July 04, 2006 @01:40PM (#15656781)
    Chinese firewall is nothing - try getting through the Saudi firewall. As I understand it, the Chinese are at least a bit less modest about what is banned, so you should be able to at least get some legit porn sites through Chinese internet. However Saudi internet would block not just porn sites, but women's rights websites, women's magazines websites, even medical sites - anything that would display a photograph or illustration of a naked woman or man was strictly banned. Even if it was just part of a human body, i.e. shoulders up.
  • That would mean that I could actually fight those ssh bruteforce zombies that apparently make up 95% of KorNET.

  • Benefits of the wall (Score:3, Interesting)

    by debrain ( 29228 ) on Tuesday July 04, 2006 @01:52PM (#15656825) Journal
    I think there are some good points to the existence of the firewall. While the firewall itself is a bad thing, no doubt, the fact that the Chinese have access to the internet at all is a huge step forward for them. We're talking about a country that was totalitarian for centuries, with virtually no interest in or comprehension of individual human freedoms.

    It also speaks to the power of the internet's design. Here is a nation notorious for its control of information, and the techniques they use are easy to discover, and possible to circumvent. If China can't restrict the internet, then there's hope that other governments and maybe even multinational corporations won't be able to pull it off either.

    With luck, the firewall will become an irony of the past, as the importance of human dignity becomes apparent to the Chinese government.
  • Now China will have to build a really, really big stateful firewall. Probably something like AOL's caching server.
  • When a bunch of ninjas rough up the geeks in Cambridge, don't be surprised.
  • National Security (Score:5, Insightful)

    by subl33t ( 739983 ) on Tuesday July 04, 2006 @02:31PM (#15656961)
    Go ahead, mod me down.

    Couldn't the Chinese government view this as an act of terrorism? In the interest of national security the Chinese government will start an ambiguous "War on Terror" after the US "War on Terror" and "War on Drugs" which are _also_ unwinnable and declared solely to keep the ruling party in power via fear.

    • The Terrorist Song
      by Usurper_ii
      (Sung to the tune of Python's The Lumber Jack Song)

      I'm a terrorist and I'm OK
      I read at night and I work all day.

      The Government:
      He's a terrorist and he's OK
      He reads at night and he works all day.

      I read a lot and I seek the truth
      I go to the lavatory.
      After OKC, I saw some things that didn't make sense to me.

      The Government:
      He doesn't believe our story about OKC,
      We monitor when he goes to the lavatory.
      On Wednesday night, he went to an unapproved web site.

      He's a terrorist and he's OK
      He reads at night and he works all day.

      When, after 9-11 didn't all add up,
      I met with others on the net, to talk it up.

      The government:
      He didn't believe our story about 9-11.
      We followed him to unapproved web sites after hours.
      In our report, we'll say he had bomb-making materials under his sink.

      He's a terrorist and he's OK
      He reads at night and he works all day.

      I don't think a plane hit the Pentagon.
      I think the World Trade Center buildings fell all wrong.
      I wish I could convince my dear ol' mom!!

      The government:
      He's a terrorist and we're going to make him pay?!
      We read his e-mail and didn't like what he had to say?!...

      Just me:
      I wish I'd been born, back when America was really free!!

      The Government:
      He's a terrorist and we're going to make him pay
      He reads the Constitution and knows his rights.
      He's just like McVeigh, Bin Laden, and al-Qaeda!!

      He's a terrorist and he's OK
      He reads at night and he works all day.

      • Funny, I wrote that this morning, and ever since then, I can't help but envision ending up in some sort of scene right out of My Cousin Vinny, where I'm sitting in front of a judge saying "I wrote 'I'm a terrorist!' ... I wrote 'I'm a terrorist?!?!'"

        Only the bad part is, unlike in My Cousin Vinny, there is no jury and my trial is in secret.

  • by Theovon ( 109752 ) on Tuesday July 04, 2006 @02:33PM (#15656966)
    Is it just me, or does it seem rather unkind to go about declaring, "Look at me! I just conducted a cyber-attack against China!" Hey, I'm no fan of China's government or censorship, and I am aware that China have tried to attack other countries' computers, but two wrongs don't make a right. Unless we're doing something defensive to ward off an attack from China, I see little point in taunting them and giving them reason to tighten security even further. It just doesn't seem right.
    • You're absolutely right, and that's why we shouldn't have gone into Iraq, even if you buy the latest BS "reasons" -- that we wanted to liberate the people. Oh, it's perfectly fine to liberate the Iraqi people, but don't you dare touch China or North Korea.

      I guess our idealism suddenly vanishes when the other side also has nukes.
  • by erik_norgaard ( 692400 ) on Tuesday July 04, 2006 @03:39PM (#15657186) Homepage
    It appears the link to the source is missing - I first read about it last week on Schneier's blog, linking to the original blog post found here:

        http://www.lightbluetouchpaper.org/2006/06/27/ignoring-the-great-firewall-of-china/ [lightbluetouchpaper.org]

    And for all the details, the paper to be presented is here:

        http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf [cam.ac.uk]

    I think the interesting thing is that by configuring our end to ignore the invalid resets from the Great Firewall of China we can aid the distribution of otherwise censored material.

    DDoS attacks against the GFC seem not to be that easy, as the article mentions the GFC is not one giant router at the backbone, but rather smaller machines closer to the end stations - the firewall is distributed across an unknown number of gateways.
  • If a well-known Chinese university did anything like that to UK networks, the UK government would be screaming "cyberattack" and "cyberterrorism".
