GFW The Great Firewall of China Ruiwei Bu CSC 540
What? Shield” Project • Part of China’s “Golden • A huge firewall that covers mainland China • Focusing on Internet Security, Control and CENSORSHIP • Name from The Great Firewall of China by Charles R. Smith, May 2012 • Started in 1998 • Famous for the block of Twitter, Facebook, Google and so on
Who? • The Chinese Government • Binxing Fang - Father of the GFW • Xiong Gang, Meng Jiao, Cao Zi-gang, Wang Yong, Guo Li, Fang Binxing, Research Progress and Prospects of Network Traffic Classification. Journal of Integration Technology, Vol 1, May, 2012. • Hardware: CISCO and others • Software: Companies and Top University research labs
Where? • Major Devices: ISP backbone and International Gateway • Physical Location: Unclear, deployed allover China • Mongol. py
Target • • • UGC (User Generated Content), such as Twitter, Facebook, . . . Information related to Chinese Government and Politics, such as Tibetan issue Opinions that go against the government Cults, such as Falun Gong Nation Security “Random” Websites, such as Github, Source. Forge, Python’s Official Website
An Interesting Fact • Top UGC websites maybe blocked, such as Twitter, Facebook and Youtube • There are clones in China for all blocked UGC sites. • Twitter - Sina Weibo, Fanfou, . . . • Facebook - Renren, . . . • Youtube - Tudou, Youku, . . . • Seems no-one cares about not-sofamous ones, such as Path
Typical Route
Abilities • IP Blocking • DNS Injection and Pollution • URL Filtering • Content Filtering and Censorship • Network Traffic Analysis • Interfere Secure Connections • Record user activities • Network Security
IP and URL Blocking • Most Simple Method
DNS Injection and Pollution • /etc/hosts • Change DNS server, such as 8. 8 or Open. DNS
But. . . • Still can be polluted even use DNS outside of the GFW • DNS attacks returns RST packet before the DNS server returns the address • And the result is “Connection Reset” • Can harm the entire Internet • Anonymous: The collateral damage of internet censorship by DNS injection. CCR July 2012.
URL/Content Filtering • Can be triggered by any potential keyword in a unknown blacklist. Especially when searching with Google. • Usually blocks you 10 -30 minutes
URL/Content Filtering • The name of the formal Chinese president is Hu Jintao (胡锦涛 ), but when you search carrot (胡萝卜 ) in Google in mainland China. .
Others • SSL Certificate Filtering and Faking • Github’s certificate was replaced by a self-signed certificate in Spring 2013 • Fake Tor Nodes and obfs bridge probe and block • • . . . https: //blog. torproject. org/blog/tor-partially-blocked-china
Solutions? • Host Modification • Proxy • VPN
Host Modification • /etc/hosts • %System. Root%/System 32/drivers/etc/h osts • Most simple but not always work • Can block IP directly
Proxy • Tunnel Proxy • Forward Proxy • Reverse Proxy • Open Proxy
Online Proxies • Websites, so easy to use • Not safe and secure at all • Can be detected
Proxy Softwares • Freegate, Wujie • Who’s the funder? • Tor project • Onion Network • . onion pseudo top-level domain • crimes - Silk Road and so on • Go. Agent (Google App Engine as Proxy) • Maybe unsafe and unsecure
Tunnel on private servers, Proxies • Usually deployed such as VPS and GAE • Private and Safe, under full control by yourself • Requires advanced networking skills • SSH (Secure Shell) Tunnel and Port Forwarding, 80, 443! • VPS servers or IP segments maybe blocked • Network Traffic Analysis
VPN • PPTP (Point-to-Point Protocol) • L 2 TP (Layer Two Tunneling Protocol) • More secure • Open. VPN • Maybe the best on desktop?
A Simple Proxy Server Demo Time!
Скачать презентацию GFW The Great Firewall of China Ruiwei Bu
0961cd478b2fd8f99b39f0ddf202ad3b.ppt