Beating the Digital Great Wall of China

For many years now, the Chinese Government has been filtering traffic with certain “offending” key words like D-e-m-o-c-r-a-c-y, F-a-l-u-n and many others. This national censorship has been accepted by most of the world as fact. Even large dotcoms such as Google, Yahoo and Microsoft have customized their Chinese search engines to not return results with these offending keywords. In the spirit of national sovereignty, people are complying.

Just yesterday, Richard Clayton (via Bruce Schneier) described in his blog a way to beat the Digital Great Wall of China:

It turns out that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey.

Now this really hits me. Why didn’t I think of that? Well, of course, I never really had the chance to study a live Chinese network. Besides, most of us just accept censorship as fact. However, the solution makes sense. Those Chinese network engineers are really smart folks! Such a simple solution for a potentially complex problem.

If this were the case, then adding a simple host-based firewall rule to ignore these RST packets would go a long way. Maybe an iptables rule like the one below could do the trick?

iptables -A INPUT -p tcp -s <offending source address> --tcp-flags RST RST -j DROP

Of course, this might cause some problems, since it blocks all RST packets from that source, so the host might end up with a lot of stale TCP connections that only time out eventually. As the article suggests, you can use the hop count to block the packets more selectively: if the TTL of the RST packet shows it was decremented only as far as a border firewall or router on the path would, rather than by the full route from the real peer, you can drop it.
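As an added illustration of that TTL idea (my own example, not from the post or from Clayton’s paper), the check below learns the TTL of a connection from the peer’s ordinary segments and flags any RST on the same connection whose TTL disagrees with it. Packet fields, addresses and TTL values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One observed TCP segment (only the fields the check needs)."""
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: str  # TCP flag letters, e.g. "SA", "PA", "RA"


def find_injected_resets(packets, tolerance=2):
    """Return (rst_packet, baseline_ttl) pairs for RST segments whose IP TTL
    differs from the TTL of earlier non-RST traffic from the same sender on
    the same connection. A real peer's data and its RST travel the same
    path, so their TTLs agree; a reset forged by a box part-way along the
    path has been decremented a different number of times and stands out."""
    baseline = {}  # (src, sport, dst, dport) -> TTL of first non-RST packet
    suspects = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if "R" not in p.flags:
            baseline.setdefault(key, p.ttl)  # learn the path length once
            continue
        base = baseline.get(key)
        if base is None:
            continue  # nothing to compare against yet
        # The injector's initial TTL is unknown (64, 128, 255 ...), so any
        # mismatch beyond a small route-change tolerance is treated as suspect.
        if abs(p.ttl - base) > tolerance:
            suspects.append((p, base))
    return suspects


# Constructed sample: web server 203.0.113.5 answers host 192.0.2.10, then a
# reset arrives with a very different TTL, followed by the server's real one.
SAMPLE = [
    Packet("203.0.113.5", 80, "192.0.2.10", 51234, 49, "SA"),
    Packet("203.0.113.5", 80, "192.0.2.10", 51234, 49, "PA"),
    Packet("203.0.113.5", 80, "192.0.2.10", 51234, 61, "RA"),  # forged
    Packet("203.0.113.5", 80, "192.0.2.10", 51234, 49, "RA"),  # genuine
]

if __name__ == "__main__":
    for pkt, base in find_injected_resets(SAMPLE):
        print(f"suspect RST ttl={pkt.ttl} (connection baseline ttl={base})")
```

Unlike the blanket iptables rule above, this keeps genuine resets from the peer, since their TTL matches the rest of the connection.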

This is a case of security-by-participation. These machines only get censored if they listen to these censors. This is a pretty shrewd idea, and it is actually cheaper than implementing giant firewalls at the boundary of Chinese networks (of course, they might have these too). Instead, this distributed approach puts the load on many edge devices. Maybe your Huawei router has special commands to activate Digital Great Wall of China features?

One Response to “Beating the Digital Great Wall of China”

  1. It’s hip2b2 (Mobile, Security, Web 2.0, Pipe Dreams and More) » Blog Archive » Philippine Regulator Wants All Websites to Register with Them? Says:

    […] This statement is purposely ambiguous. However, it is pretty clear that they want websites to register. By mentioning Yahoo, I guess they even want foreign sites to register. So does that mean ALL websites? Including sites under the sovereignty of another nation? If they claim to only require Philippine sites to register, how about sites that are hosted abroad? Where do those lie? How about foreign sites talking about Filipino content? Are these covered too? Don’t tell me they require all websites in the ENTIRE WORLD to register with them? Can they even do it? What will they do if those sites don’t? Will they now implement something like the Great Firewall of China? […]