The Great Firewall of China - Murray State University's RacerNet
GFW
The Great Firewall of China
Ruiwei Bu
CSC 540
What?
• Part of China’s “Golden Shield” Project
• A huge firewall that covers mainland
China
• Focusing on Internet Security, Control
and CENSORSHIP
• Name from The Great Firewall of China
by Charles R. Smith, May 2012
• Started in 1998
• Famous for the block of Twitter,
Facebook, Google and so on
Who?
• The Chinese Government
• Binxing Fang - Father of the GFW
• Xiong Gang, Meng Jiao, Cao Zi-gang, Wang Yong, Guo Li, Fang
Binxing, Research Progress and Prospects of Network Traffic
Classification. Journal of Integration Technology, Vol 1, May, 2012.
• Hardware: CISCO and others
• Software: Companies and Top
University research labs
Where?
• Major Devices: ISP backbone and
International Gateway
• Physical Location: Unclear, deployed
all over China
• Mongol.py
Target
• UGC (User Generated Content), such
as Twitter, Facebook, ...
• Information related to Chinese
Government and Politics, such as
Tibetan issue
• Opinions that go against the
government
• Cults, such as Falun Gong
• National Security
• “Random” Websites, such as Github,
An Interesting Fact
• Top UGC websites may be blocked,
such as Twitter, Facebook and Youtube
• There are clones in China for all
blocked UGC sites.
• Twitter - Sina Weibo, Fanfou, ...
• Facebook - Renren, ...
• Youtube - Tudou, Youku, ...
• Seems no one cares about not-so-famous ones, such as Path
Typical Route
Abilities
• IP Blocking
• DNS Injection and Pollution
• URL Filtering
• Content Filtering and Censorship
• Network Traffic Analysis
• Interfere with Secure Connections
• Record user activities
• Network Security
IP and URL Blocking
• Simplest Method
DNS Injection and Pollution
• /etc/hosts
• Change DNS server, such as 8.8.8.8 or
OpenDNS
But...
• Can still be polluted even when using a DNS
server outside of the GFW
• DNS attack returns an RST packet before
the DNS server returns the address
• And the result is “Connection Reset”
• Can harm the entire Internet
• Anonymous: The collateral damage of
internet censorship by DNS injection.
CCR July 2012.
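A client-side check for the race described above, as an added example that is not part of the original slides: it parses DNS responses and flags any query that received more than one reply with different A records. It assumes both the injected and the genuine reply reach the client; `build_response`, `parse_response`, `find_conflicts` and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def build_response(txid, qname, ip):
    """Constructed sample: minimal DNS response with one A record."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer name is a compression pointer (0xC00C) back to the question name.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return header + name + struct.pack("!HH", 1, 1) + answer

def parse_response(pkt):
    """Return (txid, qname, set of A-record IPs); assumes one question."""
    txid, _, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, labels = 12, []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    off += 5  # root label (1) + QTYPE and QCLASS (4)
    ips = set()
    for _ in range(ancount):
        if pkt[off] & 0xC0 == 0xC0:  # compressed owner name
            off += 2
        else:  # uncompressed owner name
            while pkt[off]:
                off += 1 + pkt[off]
            off += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(".".join(map(str, pkt[off:off + 4])))
        off += rdlen
    return txid, ".".join(labels), ips

def find_conflicts(packets):
    """Map (txid, qname) to its answers when replies to one query disagree."""
    seen = defaultdict(list)
    for pkt in packets:
        txid, qname, ips = parse_response(pkt)
        seen[(txid, qname)].append(ips)
    return {k: v for k, v in seen.items() if any(a != v[0] for a in v[1:])}

# Constructed capture (documentation-range addresses), in arrival order.
CAPTURE = [
    build_response(0x1A2B, "example.com", "203.0.113.7"),
    build_response(0x1A2B, "example.com", "198.51.100.10"),
    build_response(0x1A2C, "example.org", "192.0.2.55"),
]
print(find_conflicts(CAPTURE))
```

A resolver normally sends one reply per query, so a conflicting pair for the same transaction ID and name is worth logging along with which answer arrived first.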
URL/Content Filtering
• Can be triggered by any potential
keyword in an unknown blacklist.
Especially when searching with Google.
• Usually blocks you 10-30 minutes
URL/Content Filtering
• The name of the former Chinese
president is Hu Jintao (胡锦涛), but
when you search carrot (胡萝卜) in
Google in mainland China....
Others
• SSL Certificate Filtering and Faking
• Github’s certificate was replaced by a
self-signed certificate in Spring 2013
• Fake Tor Nodes and obfs bridge probe
and block
• https://blog.torproject.org/blog/tor-partially-blocked-china
• ...
Solutions?
• Host Modification
• Proxy
• VPN
Host Modification
• /etc/hosts
• %SystemRoot%/System32/drivers/etc/hosts
• Simplest, but does not always work
• Can block IP directly
Proxy
• Tunnel Proxy
• Forward Proxy
• Reverse Proxy
• Open Proxy
Online Proxies
• Websites, so easy to use
• Not safe and secure at all
• Can be detected
Proxy Software
• Freegate, Wujie
• Who’s the funder?
• Tor project
• Onion Network
• .onion pseudo top-level domain
• crimes - Silk Road and so on
• GoAgent (Google App Engine as Proxy)
• May be unsafe and insecure
Tunnel Proxies
• Usually deployed on private servers,
such as VPS and GAE
• Private and Safe, under full control by
yourself
• Requires advanced networking skills
• SSH (Secure Shell) Tunnel and Port
Forwarding, 80, 443!
• VPS servers or IP segments may be
blocked
• Network Traffic Analysis
VPN
• PPTP (Point-to-Point Protocol)
• L2TP (Layer Two Tunneling Protocol)
• More secure
• OpenVPN
• Maybe the best on desktop?
A Simple Proxy Server
• Demo Time!