In-depth Analysis of the Great Firewall of China
Chao Tang, COMP116, December 14, 2016
Abstract
Created by the Golden Shield Project, the Great Firewall of China (GFW) is the backbone of the world's largest system of censorship. As an on-path system, the GFW can monitor traffic and inject additional packets, but cannot stop in-flight packets from reaching their destination. It achieves censorship using three main techniques. First, it inspects all Internet traffic between China and the rest of the world, then terminates connections containing censored content by injecting forged TCP Reset packets to both ends. With the advent of HTTPS, which the GFW cannot decrypt, TCP RST has seen less use in recent years. Second, the GFW blocks access to specific IP addresses through the gateway routers of all Chinese ISPs. Third, it uses DNS tampering to return false IP addresses in response to DNS queries for blocked domains. This affects queries to both domestic and foreign DNS services. IP blocking and DNS tampering together are the bread and butter of the GFW, effectively cutting off all access to blocked websites. But such draconian methods inevitably cause over-censoring and collateral damage to international web traffic flowing through China and to innocent websites. The three main ways a user can bypass the GFW are VPNs, proxies, and Tor. However, the GFW can use deep packet inspection and machine learning to shut down suspected VPN or proxy tunnels, and an active probing system to shut down Tor bridge relays. As of today, a few commercial VPN services and the latest Tor protocols using Pluggable Transports are viable approaches.
Failed Attempt
While connected to a VPN server in Shenzhen, the author used Yahoo to search for the censored string "falun". The author was unable to connect to websites from the results page, as evidenced by TCP retransmissions. The author initially thought the five TCP RST packets were the doing of the GFW. However, the ACK numbers of the packets were all 0, which is uncharacteristic of forged TCP RST packets: a reset injected into a live connection has to carry sequence and acknowledgement numbers that match the flow, or the endpoints would discard it. Thus, it is unlikely that the GFW was at play here.
TCP Reset
How It Works
The GFW inspects traffic by passing copies to out-of-band devices based on Intrusion Detection Systems. The original packets are unaffected, while the IDS inspects the content of the packet and the requested URL. Once the IDS detects blacklisted keywords, the GFW router injects multiple forged TCP RST packets to both endpoints, forcing the connection to be dropped.
Pros
- On-path architecture is efficient and does not create a bottleneck
- Capable of IP and TCP segment reassembly
- Maintains flow state regarding source and destination to block all further communication for a period of time
Cons
- Not capable of inspecting HTTPS traffic
- Can be bypassed by ignoring RST packets on both endpoints
- Due to these constraints, TCP RST is now rarely used
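Because an on-path injector cannot remove the real server's packets, an injected reset leaves tell-tale evidence in a capture: the server's genuine data keeps arriving after the "reset", and the forged packets are built by a device at a different hop count from the real server. The following is an added example, not code from the original poster. It runs a heuristic over constructed flow records (not a real pcap): two indicators of injection (data from the server after the reset, and an IP TTL that differs from the server's usual TTL) plus the author's own observation that a reset with ACK 0 is not a forged in-flow reset. The TTL rule is an assumption of this example, not a claim made on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One captured TCP segment of a single flow (constructed records, not a real pcap)."""
    src: str
    flags: str        # any of S, A, P, R, F
    seq: int
    ack: int
    ttl: int
    payload: int = 0  # bytes of application data carried


def server_ttl(flow, server):
    """Most common IP TTL on the server's non-RST segments: its real hop distance from us."""
    ttls = [p.ttl for p in flow if p.src == server and "R" not in p.flags]
    return max(set(ttls), key=ttls.count) if ttls else None


def classify_rsts(flow, server):
    """Return one (index, verdict, reasons) tuple per RST that claims to come from `server`."""
    base = server_ttl(flow, server)
    out = []
    for i, p in enumerate(flow):
        if p.src != server or "R" not in p.flags:
            continue
        indicators, notes = [], []
        # An on-path box cannot stop the real server; if its data still arrives, the RST was forged.
        if any(q.src == server and q.payload > 0 for q in flow[i + 1:]):
            indicators.append("server data keeps arriving after the reset")
        # Assumption: the injector sits at a different hop count than the server it impersonates.
        if base is not None and p.ttl != base:
            indicators.append(f"ttl {p.ttl} differs from server ttl {base}")
        # The author's check: a forged in-flow reset carries a matching ACK, not 0.
        if p.ack == 0:
            notes.append("ack=0: bare reset, not forged to match the flow")
        verdict = "likely injected" if indicators else "not injected"
        out.append((i, verdict, indicators + notes))
    return out


CLIENT, SERVER = "10.0.0.2", "198.51.100.10"   # constructed addresses

# Flow 1 (constructed): a keyword request answered by three resets at a shorter TTL, then the real reply.
FLOW_INJECTED = [
    Pkt(CLIENT, "S",  1000,    0, 64),
    Pkt(SERVER, "SA", 5000, 1001, 52),
    Pkt(CLIENT, "A",  1001, 5001, 64),
    Pkt(CLIENT, "PA", 1001, 5001, 64, payload=120),   # GET with a blacklisted keyword
    Pkt(SERVER, "RA", 5001, 1121, 47),                 # forged resets: seq/ack match, TTL does not
    Pkt(SERVER, "RA", 5001, 1121, 47),
    Pkt(SERVER, "RA", 5001, 1121, 47),
    Pkt(SERVER, "PA", 5001, 1121, 52, payload=1200),   # genuine reply the injector could not stop
]

# Flow 2 (constructed): a host-originated reset, matching TTL, ACK 0, nothing follows.
FLOW_BENIGN = [
    Pkt(CLIENT, "S",  2000,    0, 64),
    Pkt(SERVER, "SA", 7000, 2001, 52),
    Pkt(CLIENT, "A",  2001, 7001, 64),
    Pkt(CLIENT, "PA", 2001, 7001, 64, payload=80),
    Pkt(SERVER, "R",  7001,    0, 52),
]

if __name__ == "__main__":
    for name, flow in (("injected", FLOW_INJECTED), ("benign", FLOW_BENIGN)):
        for idx, verdict, reasons in classify_rsts(flow, SERVER):
            print(f"{name} pkt#{idx}: {verdict} {reasons}")
```

The same two indicators are what a client that "ignores RST packets" (the bypass listed under Cons) relies on implicitly: if it simply keeps the socket open, the genuine server data that follows is delivered as if the reset never happened.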
IP Address Blocking
How It Works
By peering with the gateway routers of all Chinese ISPs, the GFW injects a list of blacklisted destination addresses into BGP (Border Gateway Protocol) and hijacks all traffic to blocked websites. This technique is called null routing: the blacklisted prefixes are advertised with a next hop that discards packets, so the router drops them instead of forwarding them.
Pros
- Only adds a small load to the gateway router
- No additional infrastructure needed
- Centralized blacklist without further involvement from ISPs
Cons
- Blacklist needs to be frequently updated
- Websites can change IP addresses to stay unblocked
- Over-censoring of legitimate websites that share the same IP addresses or address blocks as blocked websites
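The over-censoring listed under Cons follows directly from how a forwarding table works: a null route is a prefix, and longest-prefix match sends every address inside that prefix to the discard next hop, not just the one the censor meant. The following is an added example, not code from the original poster, that builds a tiny gateway table with a null route covering the Google address from the next section. The /19 aggregate and the choice of a /24 for the blacklist entry are constructed for illustration.

```python
import ipaddress

NULL_ROUTE = "Null0"   # discard next hop: packets matching the prefix are dropped, not forwarded


class RoutingTable:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self):
        self.routes = []   # list of (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def match(self, ip):
        """Return (network, next_hop) of the most specific route covering ip."""
        addr = ipaddress.ip_address(ip)
        hits = [(net, nh) for net, nh in self.routes if addr in net]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else (None, None)

    def next_hop(self, ip):
        return self.match(ip)[1]

    def is_blackholed(self, ip):
        return self.next_hop(ip) == NULL_ROUTE


def collateral_hosts(table, blocked_ip):
    """How many other addresses the null route covering blocked_ip also discards."""
    net, nh = table.match(blocked_ip)
    if nh != NULL_ROUTE:
        return 0
    return net.num_addresses - 1


def build_gateway_table():
    """Constructed ISP gateway table: a default route, a provider aggregate, one injected null route."""
    t = RoutingTable()
    t.add("0.0.0.0/0", "upstream")          # everything else leaves the country normally
    t.add("216.58.192.0/19", "upstream")    # constructed aggregate containing the Google address from the page
    t.add("216.58.200.0/24", NULL_ROUTE)    # blacklist entry injected via BGP as a /24, not a single /32
    return t


if __name__ == "__main__":
    table = build_gateway_table()
    for ip in ("216.58.200.46", "216.58.200.1", "216.58.201.46", "198.51.100.5"):
        print(ip, "->", table.next_hop(ip))
    print("collateral hosts behind the null route:", collateral_hosts(table, "216.58.200.46"))
```

The lookup for 216.58.200.1 hits the null route although nobody blacklisted it, which is the collateral damage described above, while 216.58.201.46 one block over is forwarded normally, which is why "websites can change IP addresses to stay unblocked".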
Successful Attempt
While connected to a VPN server in Shenzhen, the author tried to access Google via the IP 216.58.200.46. No data was received and the site eventually timed out, as evidenced by the TCP retransmission packets (shown in black in the capture).
DNS Tampering
How It Works
The GFW monitors each DNS query originating from any client inside China at the border of the Chinese Internet. If it detects a query for a blocked domain name, it injects a fake DNS reply with an invalid IP. Being on-path, it cannot suppress the genuine reply from the foreign server, but the forged reply is injected first and the resolver accepts whichever answer arrives first. This fake DNS reply then trickles down to internal recursive DNS servers in China, which cache it. Thus, almost all DNS resolvers in China have poisoned caches.
Pros
- Lightweight yet efficient
- There is little a blocked website can do besides changing its domain name
- Effectively seals off all access when used in conjunction with IP address blocking
Cons
- Large-scale collateral damage to DNS queries passing through China that originate elsewhere
- Can unintentionally redirect huge volumes of traffic to innocent websites
Successful Attempt
While connected to a VPN server in Shenzhen, the author tried to access www.facebook.com, as can be seen from the standard query. The DNS server returned a poisoned address, 93.46.8.89. The TCP retransmissions are evidence that the IP is invalid. Further research revealed that this is one of seven poisoned IPs regularly used by the GFW.
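A practitioner testing for this injection usually does two things: send the query to an address inside China that runs no DNS server at all (any reply must then have been injected, since nothing real could answer) and compare the returned address against the small set of fake IPs the GFW is known to hand out. The following is an added example, not code from the original poster. It builds the A query for www.facebook.com in DNS wire format, parses a reply, and applies both checks; the "injected" reply here is constructed in the same function that a real injector would emulate, so the whole thing runs offline. Only the one fake address the page reports is in the known set; the other six are not named on the page and are left out.

```python
import ipaddress
import struct

# Fake address the page observed for www.facebook.com; the GFW rotates through a small set of such IPs.
KNOWN_FAKE_IPS = {"93.46.8.89"}


def build_query(txid, name, qtype=1):
    """Standard recursive query (RD=1) for `name` in DNS wire format; qtype 1 = A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg):
    """Parse header, question section and A answers of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def build_fake_response(query, ip, ttl=300):
    """Constructed reply to `query`: same txid and question, one A record pointing at `ip`."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1, 1 question, 1 answer
    rr = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:] + rr


def assess(query, response, target_runs_dns=True):
    """Judge whether `response` is an injected answer to `query`.

    target_runs_dns=False means the query was aimed at an address that runs no DNS server,
    so any reply at all can only have come from an on-path injector.
    """
    q, r = parse_message(query), parse_message(response)
    if r["txid"] != q["txid"] or r["questions"] != q["questions"]:
        return "unrelated", ["reply does not belong to this query"]
    reasons = []
    if not target_runs_dns:
        reasons.append("reply came back from an address that runs no DNS server")
    fakes = [ip for _, _, ip in r["answers"] if ip in KNOWN_FAKE_IPS]
    if fakes:
        reasons.append(f"answer {fakes[0]} is a known GFW fake address")
    return ("injected" if reasons else "plausible"), reasons


if __name__ == "__main__":
    q = build_query(0x1234, "www.facebook.com")
    fake = build_fake_response(q, "93.46.8.89")       # what the author's capture showed
    print(parse_message(fake)["answers"], assess(q, fake, target_runs_dns=False))
```

To run the first check against the live network, send `build_query(...)` over UDP port 53 to an address in China that is known not to be a resolver and hand whatever comes back to `assess(..., target_runs_dns=False)`; the parser above is enough to read the reply.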
Bypassing the Great Firewall
Using VPNs and Proxies
How They Work
Virtual Private Networks work by routing all traffic to and from a computer through a server over one of several secure tunnel protocols. Thus, all connections to the outside web appear to be coming from the location of the VPN server instead of the user's actual location. Proxies function similarly, except that only the browser's traffic is routed through the proxy rather than all traffic from the host.
Countermeasures by the GFW
The GFW has enough understanding of popular VPN protocols that it can use deep packet inspection and machine learning to identify VPN connections. It finds heuristics to guess which TCP/UDP connections are used for VPNs, then simply drops all their packets.
Answers to Countermeasures
For non-commercial VPN setups, the only way to manually disguise VPN traffic is to make it look like standard HTTPS sessions. There are many details that need to be manually matched (port, TLS record framing, the handshake fingerprint, and packet sizes and timing). A few commercial VPNs also operate in China, despite the fact that they can be easily shut down by the government at any time.
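The simplest DPI heuristic of the kind described above is a byte-pattern rule on the first packet of a flow: the opening bytes of an OpenVPN or WireGuard handshake are fixed by the protocol, while a TLS session opens with a ClientHello record. The following is an added example, not code from the original poster and not the GFW's actual rules, that implements such a classifier and the drop decision on top of it. The sample handshake bytes are constructed from the public protocol layouts (OpenVPN's opcode 7 hard-reset with no tls-auth, WireGuard's 148-byte type-1 initiation); a real GFW rule set also uses timing and statistical features that this example does not model.

```python
VPN_LABELS = {"openvpn-handshake", "wireguard-handshake"}


def classify_first_bytes(data, transport):
    """Label a flow from its first payload bytes, the way a byte-pattern DPI rule would."""
    if transport == "tcp" and len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"       # TLS handshake record (0x16, version 3.x) wrapping a ClientHello (0x01)
    if data.startswith(b"SSH-2.0-"):
        return "ssh"
    if transport == "udp" and len(data) == 148 and data[:4] == b"\x01\x00\x00\x00":
        return "wireguard-handshake"    # type 1 initiation, three reserved zero bytes, fixed 148-byte length
    if transport == "udp" and data and data[0] >> 3 == 7:
        return "openvpn-handshake"      # P_CONTROL_HARD_RESET_CLIENT_V2: opcode 7 in the top 5 bits
    if transport == "tcp" and len(data) >= 3 and data[2] >> 3 == 7:
        return "openvpn-handshake"      # same opcode after OpenVPN's 2-byte length prefix on TCP
    if data[:5] in (b"GET /", b"POST ", b"HEAD "):
        return "http"
    return "unknown"


def firewall_decision(data, transport):
    """What a rule-based censor does with the flow: drop recognised tunnels, pass the rest."""
    label = classify_first_bytes(data, transport)
    return ("drop" if label in VPN_LABELS else "pass"), label


# Constructed sample packets for the three cases the classifier distinguishes.

def openvpn_hard_reset(session_id=b"\x11" * 8):
    """First packet of an OpenVPN UDP client without tls-auth: opcode 7/key id 0, session id, empty ack list, packet id 0."""
    return bytes([7 << 3 | 0]) + session_id + b"\x00" + b"\x00\x00\x00\x00"


def openvpn_hard_reset_tcp(session_id=b"\x11" * 8):
    """Same handshake on TCP, where OpenVPN prefixes each packet with its 2-byte length."""
    pkt = openvpn_hard_reset(session_id)
    return len(pkt).to_bytes(2, "big") + pkt


def wireguard_initiation():
    """Constructed WireGuard handshake initiation: type 1, reserved zeros, then 144 bytes of fields."""
    return b"\x01\x00\x00\x00" + bytes(144)


def tls_client_hello_prefix(body_len=200):
    """Record header plus handshake header of a ClientHello; the body itself is omitted."""
    return b"\x16\x03\x01" + (body_len + 4).to_bytes(2, "big") + b"\x01" + body_len.to_bytes(3, "big")


if __name__ == "__main__":
    for name, data, transport in (
        ("openvpn/udp", openvpn_hard_reset(), "udp"),
        ("openvpn/tcp", openvpn_hard_reset_tcp(), "tcp"),
        ("wireguard", wireguard_initiation(), "udp"),
        ("https", tls_client_hello_prefix(), "tcp"),
    ):
        print(name, firewall_decision(data, transport))
```

This is why the author's advice is to make the tunnel look like standard HTTPS: if the VPN is carried inside a genuine TLS session (for instance OpenVPN behind a TLS wrapper on port 443), the first bytes on the wire are a ClientHello and a rule like this passes it. The remaining "details that need to be matched" are what a DPI with machine learning inspects next: the ClientHello fingerprint, record lengths, and the timing of the first few round trips.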
Using Tor
How It Works
Tor's users employ the Tor network by connecting through a series of virtual tunnels rather than making a direct connection, allowing them to circumvent the GFW.
Countermeasures by the GFW
Tor relies on a large number of entry guards and bridge relays as endpoints to offer connections to censored regions. The GFW implemented a real-time probing system that searches for bytes that identify a network connection as Tor. If these bytes are found, the firewall initiates a scan of the host which is believed to be a bridge, connecting to it itself to confirm that it speaks the Tor protocol, and shuts it down. This rendered Tor completely inaccessible in China for 3 years.
Answers to Countermeasures
In 2015, the Tor project released obfs4 and meek, two Pluggable Transports. Pluggable Transports transform the Tor traffic between client and bridge. obfs4 adds an extra layer of encryption keyed by a per-bridge secret distributed out-of-band (the cert in the bridge line), so a probe that does not hold that secret cannot complete the handshake and the bridge looks like random bytes on an unknown port; meek disguises Tor traffic as regular cloud computing traffic by tunnelling it over HTTPS to a large cloud provider that is too costly to block outright. Both are currently viable options.
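The out-of-band secret that defeats active probing is what a user pastes into torrc as the obfs4 bridge line. The following is an added example, not code from the Tor project, that encodes and parses that line. It assumes obfs4proxy's cert format as known from its source: the cert is the bridge's 20-byte node ID concatenated with its 32-byte Curve25519 public key, base64-encoded with the trailing `=` padding stripped (70 characters). The node ID is a random per-bridge value and is not required to equal the relay fingerprint, so the parser does not compare the two. The key material and fingerprint in the sample line are constructed, not real bridge data.

```python
import base64

NODE_ID_LEN, PUBKEY_LEN = 20, 32       # obfs4 cert = base64(node_id || curve25519_public_key) without '=' padding
CERT_RAW_LEN = NODE_ID_LEN + PUBKEY_LEN


def encode_cert(node_id, public_key):
    """Build the cert= value a bridge operator publishes for an obfs4 bridge."""
    if len(node_id) != NODE_ID_LEN or len(public_key) != PUBKEY_LEN:
        raise ValueError("node id must be 20 bytes and public key 32 bytes")
    return base64.b64encode(node_id + public_key).decode("ascii").rstrip("=")


def decode_cert(cert):
    """Recover (node_id, public_key) from a cert= value, restoring the stripped padding first."""
    raw = base64.b64decode(cert + "=" * (-len(cert) % 4), validate=True)
    if len(raw) != CERT_RAW_LEN:
        raise ValueError(f"cert decodes to {len(raw)} bytes, expected {CERT_RAW_LEN}")
    return raw[:NODE_ID_LEN], raw[NODE_ID_LEN:]


def parse_bridge_line(line):
    """Parse a torrc 'Bridge obfs4 IP:PORT FINGERPRINT cert=... iat-mode=N' line, validating the cert."""
    parts = line.split()
    if parts and parts[0] == "Bridge":
        parts = parts[1:]
    if len(parts) < 3 or parts[0] != "obfs4":
        raise ValueError("not an obfs4 bridge line")
    host, port = parts[1].rsplit(":", 1)
    args = dict(kv.split("=", 1) for kv in parts[3:])
    if "cert" not in args:
        raise ValueError("obfs4 bridge line has no cert= argument")
    node_id, public_key = decode_cert(args["cert"])
    iat_mode = int(args.get("iat-mode", "0"))   # inter-arrival-time obfuscation: 0 off, 1 on, 2 paranoid
    if iat_mode not in (0, 1, 2):
        raise ValueError("iat-mode must be 0, 1 or 2")
    return {
        "host": host,
        "port": int(port),
        "fingerprint": parts[2],
        "node_id": node_id.hex(),
        "public_key": public_key.hex(),
        "iat_mode": iat_mode,
    }


# Constructed sample material (not a real bridge): deterministic bytes standing in for the random values.
SAMPLE_NODE_ID = bytes(range(20))
SAMPLE_PUBKEY = bytes(range(100, 132))
SAMPLE_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_LINE = (
    f"Bridge obfs4 192.0.2.5:443 {SAMPLE_FINGERPRINT} "
    f"cert={encode_cert(SAMPLE_NODE_ID, SAMPLE_PUBKEY)} iat-mode=0"
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_bridge_line(SAMPLE_LINE))
```

The bridge's IP and port are visible to anyone watching the wire, but the public key is not sent in the clear at any point; a prober that connects without it cannot produce a handshake the bridge will answer, which is what makes the bridge survive the scan described under Countermeasures. Keeping the bridge line itself off monitored channels is therefore part of the protection.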