Ruiwei Bu
CSC 540
• Part of China’s “Golden Shield” Project
• A huge firewall that covers mainland China
• Focusing on Internet Security, Control and CENSORSHIP
• Name from The Great Firewall of China by Charles R. Smith, May 2012
• Started in 1998
• Famous for blocking Twitter, Facebook, Google and so on
• The Chinese Government
• Binxing Fang - Father of the GFW
• Xiong Gang, Meng Jiao, Cao Zi-gang, Wang Yong, Guo Li, Fang Binxing. Research Progress and Prospects of Network Traffic Classification. Journal of Integration Technology, Vol 1, May 2012.
• Hardware: Cisco and others
• Software: Companies and top university research labs
• Major Devices: ISP backbone and International Gateway
• Physical Location: Unclear, deployed all over China
• Mongol.py
• as Twitter, Facebook, ...
• Information related to Chinese Government and Politics, such as the Tibetan issue
• Opinions that go against the government
• Cults, such as Falun Gong
• National Security
• “Random” Websites, such as GitHub, SourceForge, Python’s Official Website
• Top UGC websites may be blocked, such as Twitter, Facebook and YouTube
• There are clones in China for all blocked UGC sites.
• Twitter - Sina Weibo, Fanfou, ...
• Facebook - Renren, ...
• YouTube - Tudou, Youku, ...
• Seems no one cares about not-so-famous ones, such as Path
• IP Blocking
• DNS Injection and Pollution
• URL Filtering
• Content Filtering and Censorship
• Network Traffic Analysis
• Interfere with Secure Connections
• Record user activities
• Network Security
• Simplest Method
• /etc/hosts
• Change DNS server, such as 8.8.8.8 or OpenDNS
• Can still be polluted even when using a DNS server outside of the GFW
• The DNS attack returns an RST packet before the DNS server returns the address
• And the result is “Connection Reset”
• Can harm the entire Internet
• Anonymous: The collateral damage of internet censorship by DNS injection. CCR July 2012.
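DNS injection as studied in the CCR paper cited above is a race: a forged reply reaches the client before the real server's answer, and the client accepts whichever arrives first. The following is an added example, not part of the original slides, showing how a capture can be checked for that symptom; the record layout, function name and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: DNS responses seen in a client-side capture, one tuple
# per response: (arrival time in ms after the query, resolver IP,
# transaction ID, queried name, answer addresses). All values are made up.
SAMPLE_RESPONSES = [
    (12, "8.8.8.8", 0x1A2B, "blocked.example", ("203.0.113.7",)),
    (148, "8.8.8.8", 0x1A2B, "blocked.example", ("198.51.100.20",)),
    (151, "8.8.8.8", 0x3C4D, "ok.example", ("192.0.2.10",)),
    (15, "8.8.8.8", 0x5E6F, "dup.example", ("192.0.2.44",)),
    (16, "8.8.8.8", 0x5E6F, "dup.example", ("192.0.2.44",)),  # plain duplicate
]


def find_conflicting_answers(responses):
    """Return queries that received more than one distinct answer set.

    A stub resolver accepts the first response matching its query, so an
    injected answer that wins the race is used and the real one is dropped.
    Two different answers for one query is the observable symptom.
    """
    by_query = defaultdict(list)
    for arrival_ms, resolver, txid, qname, answers in responses:
        key = (resolver, txid, qname.lower().rstrip("."))
        by_query[key].append((arrival_ms, frozenset(answers)))

    findings = []
    for (resolver, txid, qname), seen in by_query.items():
        seen.sort(key=lambda item: item[0])
        distinct = []  # answer sets in arrival order, duplicates ignored
        for arrival_ms, answers in seen:
            if all(answers != earlier for _, earlier in distinct):
                distinct.append((arrival_ms, answers))
        if len(distinct) > 1:
            findings.append({
                "qname": qname,
                "resolver": resolver,
                "txid": txid,
                "accepted": sorted(distinct[0][1]),  # what the client used
                "later": [sorted(a) for _, a in distinct[1:]],
                "gap_ms": distinct[1][0] - distinct[0][0],
            })
    return findings


if __name__ == "__main__":
    for finding in find_conflicting_answers(SAMPLE_RESPONSES):
        print(finding)
```

Identical retransmissions are ignored, so only a query answered with two different address sets is reported.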
• Can be triggered by any potential keyword in an unknown blacklist, especially when searching with Google.
• Usually blocks you for 10-30 minutes
• The name of the former Chinese president is Hu Jintao (胡锦涛), but when you search for carrot (胡萝卜) in Google in mainland China....
• SSL Certificate Filtering and Faking
• GitHub’s certificate was replaced by a self-signed certificate in Spring 2013
• Fake Tor Nodes, and obfs bridge probing and blocking: https://blog.torproject.org/blog/tor-partially-blocked-china
• ...
• Host Modification
• Proxy
• VPN
• /etc/hosts
• %SystemRoot%/System32/drivers/etc/hosts
• Simplest, but does not always work
• Can block IP directly
• Tunnel Proxy
• Forward Proxy
• Reverse Proxy
• Open Proxy
• Websites, so easy to use
• Not safe and secure at all
• Can be detected
• Freegate, Wujie
• Who’s the funder?
• Tor project
• Onion Network
• .onion pseudo top-level domain
• crimes - Silk Road and so on
• GoAgent (Google App Engine as Proxy)
• May be unsafe and insecure
• Usually deployed on private servers, such as VPS and GAE
• Private and Safe, under full control by yourself
• Requires advanced networking skills
• SSH (Secure Shell) Tunnel and Port Forwarding, 80, 443!
• VPS servers or IP segments may be blocked
• Network Traffic Analysis
• PPTP (Point-to-Point Protocol)
• L2TP (Layer Two Tunneling Protocol)
• More secure
• OpenVPN
• Maybe the best on desktop?