[freenet-chat] How to circumvent China's firewall

Matthew Toseland toad at amphibian.dyndns.org
Tue Jun 27 20:36:28 UTC 2006


Very cool. So they don't actually run enormous transparent proxies? If
so, how come mention of the blacklisted word 'freenet' on IRC is
permitted?

Obviously the firewall will be "improved" in the future, and the TTL fix
will not permanently fix the problem, as the TTL can be stolen from the
packet containing the forbidden term. (It would help with more general
DoSs of course).

On Tue, Jun 27, 2006 at 09:51:57PM +0200, David 'Bombe' Roden wrote:
> Bruce Schneier recently posted this:
> 
> http://www.schneier.com/blog/archives/2006/06/ignoring_the_gr.html
> 
> Richard Clayton is presenting a paper (blog post here) that discusses 
> how to defeat China's national firewall:
> 
>     ...the keyword detection is not actually being done in large routers 
> on the borders of the Chinese networks, but in nearby subsidiary 
> machines. When these machines detect the keyword, they do not actually 
> prevent the packet containing the keyword from passing through the main 
> router (this would be horribly complicated to achieve and still allow 
> the router to run at the necessary speed). Instead, these subsidiary 
> machines generate a series of TCP reset packets, which are sent to each 
> end of the connection. When the resets arrive, the end-points assume 
> they are genuine requests from the other end to close the connection -- 
> and obey. Hence the censorship occurs.
> 
>     However, because the original packets are passed through the 
> firewall unscathed, if both of the endpoints were to completely ignore 
> the firewall's reset packets, then the connection will proceed 
> unhindered! We've done some real experiments on this -- and it works 
> just fine!! Think of it as the Harry Potter approach to the Great 
> Firewall -- just shut your eyes and walk onto Platform 9¾.
> 
>     Ignoring resets is trivial to achieve by applying simple firewall 
> rules... and has no significant effect on ordinary working. If you want 
> to be a little more clever you can examine the hop count (TTL) in the 
> reset packets and determine whether the values are consistent with them 
> arriving from the far end, or if the value indicates they have come 
> from the intervening censorship device. We would argue that there is 
> much to commend examining TTL values when considering defences against 
> denial-of-service attacks using reset packets. Having operating system 
> vendors provide this new functionality as standard would also be of 
> practical use because Chinese citizens would not need to run special 
> firewall-busting code (which the authorities might attempt to outlaw) 
> but just off-the-shelf software (which they would necessarily 
> tolerate).
> 
> ---
> 
> Interesting.
> 
> 	David




-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
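
Added example, not part of the original message or of Clayton's paper: the TTL consistency check described in the quoted text, applied as detection logic to constructed packet summaries. The tuple layout, the `classify_resets` name and the 2-hop tolerance are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed packet summaries as seen at one endpoint:
# (src, sport, dst, dport, tcp_flags, ip_ttl). Addresses are documentation
# ranges and the TTL values are made up for illustration.
PACKETS = [
    ("198.51.100.7", 80, "192.0.2.10", 40000, "SA", 47),
    ("198.51.100.7", 80, "192.0.2.10", 40000, "A", 47),
    ("198.51.100.7", 80, "192.0.2.10", 40000, "PA", 48),
    ("198.51.100.7", 80, "192.0.2.10", 40000, "R", 61),  # TTL jumps by 14 hops
    ("203.0.113.5", 443, "192.0.2.10", 40001, "SA", 52),
    ("203.0.113.5", 443, "192.0.2.10", 40001, "A", 52),
    ("203.0.113.5", 443, "192.0.2.10", 40001, "R", 52),  # matches the flow
    ("203.0.113.9", 25, "192.0.2.10", 40002, "R", 60),   # nothing to compare with
]


def classify_resets(packets, tolerance=2):
    """Label each RST by comparing its TTL with the median TTL of earlier
    non-RST packets received from the same sender on the same flow."""
    baseline = defaultdict(list)
    verdicts = []
    for src, sport, dst, dport, flags, ttl in packets:
        flow = (src, sport, dst, dport)
        if "R" not in flags:
            baseline[flow].append(ttl)  # learn the path length for this flow
            continue
        seen = baseline[flow]
        if not seen:
            label = "unknown"      # no baseline, cannot judge
        elif abs(ttl - median(seen)) <= tolerance:
            label = "consistent"   # plausibly from the far end
        else:
            label = "suspect"      # hop count points to a different origin
        verdicts.append((flow, ttl, label))
    return verdicts


if __name__ == "__main__":
    for flow, ttl, label in classify_resets(PACKETS):
        print(flow, "RST ttl", ttl, "->", label)
```

A "consistent" verdict only means the hop count matches; as the reply above notes, a sender that matches the TTL of the observed packet passes this check.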