Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Great Firewall of China What is it and how does it work?

Published byMarcia Jefferson Modified over 7 years ago

Similar presentations

Presentation on theme: "The Great Firewall of China What is it and how does it work?"— Presentation transcript:

1 The Great Firewall of China What is it and how does it work?
Student brief - by Alexandra Snoy Computer Networks Monday 24 April 2017

2 Background Largest and most sophisticated internet censorship system in the world, filtering information flow both in and out of China Built at the end of the 90’s Operated by the Ministry of Industry and Information Technology (MIIT) of China Its exact mode of operation is not publicly disclosed, and the system is in constant evolution Some international research attempts to figure out how the system works: we will see 3 examples ranging over the last 10 years.

3 Where does the filtering occur?
Mostly at the 24 border AS (i.e. peering with other countries) belonging to CHINANET and CNCGROUP, the 1st and 2nd largest ISPs in China respectively. Inside these AS, almost 500 routers performing filtering were found by performing probes with increasing TTL from/to different locations Almost 80% distributed among CHINANET’s different regional routers, several hops into the country, and almost 20% on CNCGROUP’s backbone routers  ISPs have different deployment strategies Xu X., Mao Z.M., Halderman J.A. - Internet Censorship in China: Where Does the Filtering Occur? (Univ. Michigan, 2011)

4 Filtering techniques used
IP filtering IP addresses get put on a blacklist and get routed to a null route via BGP but difficult to maintain list of IPs, danger of leaking the null route to neighbors, and possible “overblocking” (several websites hosted on the same IP for example) DNS poisoning/hijacking filtering routers sniff for keywords in DNS type A queries, then spoof a reply from a supposedly authoritative DNS server but give a fake IP address but can cause important collateral damage for transiting traffic TCP packet inspection / TCP reset main method, more precise with less side-effects  discussed next

5 TCP reset: how does it work?
Routers have attached an Intrusion Detection System (IDS) with a list of keywords to look for in both incoming and outgoing TCP packets e.g. GET /?falun will trigger the IDS The router will then forge TCP reset packets (i.e. with the RST flag set) and send them to both endpoints so that they both stop sending packets to each other Subsequently, for a certain amount of time any attempt to set up a new connection between the two same endpoints will trigger the RST packets even in the absence of any keywords Clayton, R., Murdoch, S., Watson, R. - Ignoring the Great Firewall of China (Univ. Cambridge, 2006)

6 TCP reset: limitations
Router and IDS capacities: need to store the state of the endpoints and, have to send forged RST packets before the endpoints can exchange real packets limit blocking time: a few minutes to 1 hour, 20 minutes on average inspect only part of the traffic (2/3 approximately) Risk of DoS attacks: i.e. an attacker wanting to prevent a Chinese embassy to access some official site in China can spoof its IP and trigger the Firewall blocking of subsequent connections between the end points only happens if closely related port numbers are used Clayton, R., Murdoch, S., Watson, R. - Ignoring the Great Firewall of China (Univ. Cambridge, 2006)

7 TCP reset: circumvention
This type of filtering does rely on end points implementing well- behaved TCP behavior: what happens if they don’t abort on RST ? The reset packets are additional, and legitimate packets actually go through the Firewall unchanged, so a normal connection can be maintained simply by ignoring the reset packets. Although it is somewhat unclear whether an user in China can justify this as not being an attempt to evade the Firewall Clayton, R., Murdoch, S., Watson, R. - Ignoring the Great Firewall of China (Univ. Cambridge, 2006)

8 Blocking Tor: past efforts
IP blacklisting of directory authorities  circumvented using bridges, i.e. unpublished Tor relays allowing censored users to access the Tor network HTTP header filtering  circumvented using HTTPS But since October 2011: unpublished Tor bridges were reported to get blocked after only a few minutes  How did the Firewall find them? Winter P., Lindskog S. - How the Great Firewall of China is Blocking Tor (Karlstad Univ., 2012)

9 Blocking Tor: DPI & scanners
The Firewall uses Deep Packet Inspection (DPI) to detect Tor packets. DPI identifies the cipher list contained in the TLS handshake particular to Tor The IP:port destination is then relayed to distributed scanner machines that try to establish Tor connections to the newly found bridge. A successful connection results in that IP:port pair getting blocked. Winter P., Lindskog S. - How the Great Firewall of China is Blocking Tor (Karlstad Univ., 2012)

10 Blocking Tor: evading the DPI detection
Filtering scanner machines: difficult because they are too hard to tell apart from legitimate Tor users Some software has been developed to obfuscate the traffic so that the TLS cipher list cannot be identified anymore, but needs to run on both sides Authors propose a server side tool that rewrites the TCP window size announced by the bridge during the TCP handshake, forcing the client to split its cipher list across two TCP segments, which seems to be sufficient to bypass the DPI detection (apparently doesn’t perform packet reassembly) Winter P., Lindskog S. - How the Great Firewall of China is Blocking Tor (Karlstad Univ., 2012)

Download ppt "The Great Firewall of China What is it and how does it work?"

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.

Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.
Guide to Computer Network Security

Guide to Computer Network Security
A Guide to major network components

A Guide to major network components
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Networking Components Chad Benedict – LTEC 4550 1.

Networking Components Chad Benedict – LTEC
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

Similar presentations

Ads by Google