Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cambridge Breached the Great Firewall of China

Posted by ryuzaki0 on from the didn't-work-against-the-mongol-spammers-either dept.

Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."

5 of 250 comments (clear)

  1. Re:Stateless? by Just+Some+Guy · · Score: 5, Informative
    How exactly does a stateless IDS block connections for up to an hour?

    Stateless != ruleless. For example, you could use OpenBSD's "pf" to create a stateless firewall that references an external rules file, then use a cron job to rewrite that rules file once an hour. That might be a pretty reasonable approach if you're filtering billions of packets per hour and can't afford to track state for each connection.

    --
    Dewey, what part of this looks like authorities should be involved?
  2. That isn't technically a DDoS by Jeian · · Score: 5, Informative

    DDoS is using multiple computers to "flood" a target off the Internet. This would be a plain DoS attack using a software weakness to deny service.

  3. Re:Legal action against Cambridge? by CaymanIslandCarpedie · · Score: 5, Informative

    Cambridge would leap off that cliff as well by helping China to further block any ways for citizens to bypass the firewall and obtain information about "sensitive" topics. It really bothers me that so many in the U.S. who claim to value freedom so much (who are out blowing up fireworks today to celebrate such - fireworks mostly bought from China I might add), will help a country who values freedom so little.

    FYI, Cambridge isn't a U.S. university.

    --
    "reality has a well-known liberal bias" - Steven Colbert
  4. Re:Legal action against Cambridge? by jabuzz · · Score: 5, Informative

    Wrong Cambridge, Cambridge Univeristy (fourth oldest in the world) is in the South East of England, and not in North America. Full marks you have displayed a typically parochial American outlook on the World.

  5. Last weeks news - original post here by erik_norgaard · · Score: 4, Informative

    It appears the link to the source is missing - I first read about it last week on Schneiers blog, linking ot the original blog post found here:

        http://www.lightbluetouchpaper.org/2006/06/27/igno ring-the-great-firewall-of-china/

    And for all the details, the paper to be presented is here:

        http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf

    I think the interesting thing is that by configuring our end to ignore the invalid resets from the Great Firewall of China we can aid the distribution of otherwise censored material.

    DDoS attacks against the GFC seems not to be that easy, as the article mentions the GFC is not one giant router at the backbone, but rather smaller machines closer to the end stations - the firewall is distributed accross an unknown number of gateways.