Slashdot Mirror


Cambridge Breached the Great Firewall of China

Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."

10 of 250 comments (clear)

  1. Stateless? by Anonymous Coward · · Score: 3, Interesting

    How exactly does a stateless IDS block connections for up to an hour? Are there other components to the firewall I'm not aware of, or does stateless mean something else these days?

  2. I wonder... by mike260 · · Score: 3, Interesting

    ...what would happen if I sent some packets from google.com to google.cn, containing words like 'democracy' and 'Falun Gong'.

    1. Re:I wonder... by Turn-X+Alphonse · · Score: 3, Interesting

      Yes because a Chinese firewall is going to black English words right? They'll block the Chinese words obviously.

      --
      I like muppets.
    2. Re:I wonder... by TubeSteak · · Score: 5, Interesting

      http://www.google.cn/search?q=Falun

      Falun Gong Is a Cult
      www.china-embassy.org

      Research Society of Falun Dafa and the Falun Gong organization under its control are held to be illegal
      english.people.com.cn

      Fifteen Falun Gong Cult followers attempted to sabotage cable TV network equipment
      app1.chinadaily.com.cn

      southcn:Falun Gong Cult OUTLAWED
      www.newsgd.com

      Here we should point out that the banning of "Falun Gong" by the Chinese government is also part of
      www.chinaembassycanada.org

      Falun Gong Practitioner Not Sorry for Killing Father, Wife
      news.xinhuanet.com

      Now compare all that to
      http://www.google.com/search?q=Falun

      Now, if the Chinese Gov't is making Google filter based on English keywords, you think they're not going to do the same with their uber-firewall?

      Many Chinese schools teach english. It isn't like they only speak various Chinese dialects over there.

      --
      [Fuck Beta]
      o0t!
  3. Actually it would have to work the other way round by Opportunist · · Score: 4, Interesting

    As far as I understood it, the point is that the wall blocks out IPs outside of China that try to send "sensitive" data into China.

    Not a big deal either. Just send the IP Address of any mailserver you want to protect with a packet containing something "sensitive".

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Try the Saudi firewall by Anonymous Coward · · Score: 5, Interesting

    Chinese firewall is nothing - try getting through the Saudi firewall. As I understand it, the Chinese are at least a bit less modest about what is banned, so you should be able to at least get some legit porn sites through Chinese internet. However Saudi internet would block not just porn sites, but womens rights websites, womens magazines websites, even medical sites - anything that would display a photograph or illustration of a naked woman or man was stricly banned. Even it was just part of a human body, i.e. shoulders up.

  5. Re:Congratulations by TubeSteak · · Score: 5, Interesting
    Well done on writting a 'how-to' on pointers to make the firewall better.
    Actually, this flaw is inherent to the design of the great firewall.

    It's not something that is trivial to fix. Others can do a better job of explaining why, but for now, suffice it to say that it'd require a significant effort on the part of the Chinese Gov't.

    Maybe it can be fixed in The Great Firewall of China v2.0
    --
    [Fuck Beta]
    o0t!
  6. They're supposed to be helping them by Anonymous Coward · · Score: 5, Interesting
    I'm presenting a paper on Ignoring the Great Firewall of China at the 6th Workshop on Privacy Enhancing Technologies being held here in Cambridge this week. It turns out that this censorship system works by sending reset packets to each end of the connection, rather than blocking packets. If they don't dutifully close, but just discard the packets, the firewall is completely ineffective. More about this in the paper and in my security group blog posting. [http://www.cl.cam.ac.uk/~rnc1/]

    Their research is concerned with DRM ass hat tactics and such...pity!

  7. Re:Congratulations; Same old tired argument. by posterlogo · · Score: 4, Interesting

    Well done on writting a 'how-to' on pointers to make the firewall better. Im sure people out there new these things, and used them to their advantage. Now all holes will be plugged and even more censorship will rein in China. You have now had your 15mins of fame.

    This is the same old tired argument we hear here on Slashdot over and over again. Expose the flaws and you either 1) alert the hackers on how to expose them or 2) Allow the admins to patch them. It's funny how depending on your political ideology, people will swing either way. How about a consistent opinion in favor of revealing flaws? Those who favor security by obscurity deserve neither.

  8. Re:Tiannamen Where? by Joe+Decker · · Score: 5, Interesting

    Me too, it was an incredible symbol. The story of one of the photographers who captured that image is pretty amazing as well.