[freenet-chat] How to circumvent China's firewall
David 'Bombe' Roden
droden at gmail.com
Tue Jun 27 19:51:57 UTC 2006
Bruce Schneier recently posted this:
http://www.schneier.com/blog/archives/2006/06/ignoring_the_gr.html
Richard Clayton is presenting a paper (blog post here) that discusses
how to defeat China's national firewall:
...the keyword detection is not actually being done in large routers
on the borders of the Chinese networks, but in nearby subsidiary
machines. When these machines detect the keyword, they do not actually
prevent the packet containing the keyword from passing through the main
router (this would be horribly complicated to achieve and still allow
the router to run at the necessary speed). Instead, these subsidiary
machines generate a series of TCP reset packets, which are sent to each
end of the connection. When the resets arrive, the end-points assume
they are genuine requests from the other end to close the connection --
and obey. Hence the censorship occurs.
However, because the original packets are passed through the
firewall unscathed, if both of the endpoints were to completely ignore
the firewall's reset packets, then the connection will proceed
unhindered! We've done some real experiments on this -- and it works
just fine!! Think of it as the Harry Potter approach to the Great
Firewall -- just shut your eyes and walk onto Platform 9¾.
Ignoring resets is trivial to achieve by applying simple firewall
rules… and has no significant effect on ordinary working. If you want
to be a little more clever you can examine the hop count (TTL) in the
reset packets and determine whether the values are consistent with them
arriving from the far end, or if the value indicates they have come
from the intervening censorship device. We would argue that there is
much to commend examining TTL values when considering defences against
denial-of-service attacks using reset packets. Having operating system
vendors provide this new functionality as standard would also be of
practical use because Chinese citizens would not need to run special
firewall-busting code (which the authorities might attempt to outlaw)
but just off-the-shelf software (which they would necessarily
tolerate).
---
Interesting.
David
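The quoted passage describes two defensive responses to injected resets: dropping all inbound RST packets with a firewall rule, and the more selective check of comparing a reset's TTL with the TTL seen on the peer's ordinary packets. The following is an added example, not code from the original post or from Clayton's paper: it builds a few IPv4/TCP packets as constructed sample input, keeps a per-connection baseline of the peer's observed TTL, and flags a RST whose hop count is inconsistent with that baseline. Packet layout follows the standard IPv4 and TCP headers; the tolerance value, the flow key and the verdict labels are my own assumptions.

```python
import struct

# TCP flag bits (standard header values)
RST = 0x04
ACK = 0x10
SYN = 0x02
PSH = 0x08

# Hypothetical: how much the TTL from one host may jitter (route flaps) before
# a RST is treated as coming from a different place than the peer's data did.
TTL_TOLERANCE = 2


def build_packet(src, dst, sport, dport, ttl, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet for the example (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    tcp += payload
    total_len = 20 + len(tcp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, ttl, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return ip + tcp


def parse_packet(raw):
    """Pull out the fields the TTL check needs from a raw IPv4+TCP packet."""
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl = raw[8]                        # hop count remaining
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]               # TCP flags byte
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "ttl": ttl, "flags": flags}


class RstTtlMonitor:
    """Per-connection TTL baseline, used to judge whether a RST is consistent
    with having come from the far end of the connection."""

    def __init__(self, tolerance=TTL_TOLERANCE):
        self.tolerance = tolerance
        # (src, sport, dst, dport) -> TTL last seen on a non-RST packet
        self.baseline = {}

    def observe(self, raw):
        p = parse_packet(raw)
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] & RST:
            base = self.baseline.get(key)
            if base is None:
                return "rst-unverified"      # no data from this peer yet
            if abs(p["ttl"] - base) > self.tolerance:
                return "rst-suspect"         # hop count disagrees with peer's data
            return "rst-consistent"
        # Ordinary traffic refreshes the baseline for this flow.
        self.baseline[key] = p["ttl"]
        return "data"


def run_sample():
    """Constructed scenario: a peer 14 hops away (TTL 64 -> 50) exchanges data,
    then a RST arrives with TTL 58 (as if sent from a device 6 hops away
    spoofing the peer's address), followed by a genuine RST from the peer."""
    peer, me = "203.0.113.5", "192.0.2.10"
    packets = [
        build_packet(peer, me, 80, 40000, 50, SYN | ACK),
        build_packet(peer, me, 80, 40000, 50, PSH | ACK, b"HTTP/1.1 200 OK\r\n"),
        build_packet(peer, me, 80, 40000, 58, RST | ACK),   # injected reset
        build_packet(peer, me, 80, 40000, 50, RST | ACK),   # peer's own reset
    ]
    mon = RstTtlMonitor()
    return [mon.observe(pkt) for pkt in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The blanket variant the quote calls "trivial" is a single inbound firewall rule (with iptables, `-p tcp --tcp-flags RST RST -j DROP`), but it also discards legitimate resets, so the connection lingers until a timeout; the TTL comparison above lets a host keep honouring resets that plausibly came from the peer while ignoring the rest. A real deployment would need the baseline to tolerate path changes and to handle RSTs that arrive before any data, which here are only reported as unverified.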