Volume 2015 (2015): Issue 1 (April 2015)
Journal Details
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Copyright: © 2020 Sciendo

Analyzing the Great Firewall of China Over Space and Time

Published Online: 18 Apr 2015
Page range: 61 - 76
Received: 22 Nov 2014
Accepted: 12 Feb 2015
Abstract

A nation-scale firewall, colloquially referred to as the “Great Firewall of China,” implements many different types of censorship and content filtering to control China’s Internet traffic. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been characterized because it is infeasible to find a large and geographically diverse set of clients in China from which to test connectivity. In this paper, we overcome this challenge by using a hybrid idle scan technique that is able to measure connectivity between a remote client and an arbitrary server, neither of which is under the control of the researcher performing measurements. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel’s SYN backlog. We show that both techniques are practical by measuring the reachability of the Tor network, which is known to be blocked in China. Our measurements reveal that failures in the firewall occur throughout the entire country without any conspicuous geographical patterns. We give some evidence that routing plays a role, but other factors (such as how the GFW maintains its list of IP/port pairs to block) may also be important.
