Slashdot Mirror


Cambridge Breached the Great Firewall of China

Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."


  1. Submit details! by Anonymous Coward · · Score: 5, Funny

    With enough people working on it, we can temporarily block the entire country from the rest of the Internet. How's that for a fourth of July?

  2. Legal action against Cambridge? by zanderredux · · Score: 5, Insightful
    Isn't Cambridge deliberately creating an opportunity for the Chinese government to prosecute them?

    What about those inside China using those exploits for legitimate ends?

    Is Cambridge indirectly helping the Chinese government to fix firewall issues?

    Are Cambridge researchers after fame at the expense of the freedom of the Chinese people?

    1. Re:Legal action against Cambridge? by Anonymous Coward · · Score: 3, Funny

      The University of Cambridge is an English university, not an American company, you (obligatory) insensitive clod!

      (It's "obligatory" because it's the only way insightful anonymous coward comments get modded up.)

    2. Re:Legal action against Cambridge? by CaymanIslandCarpedie · · Score: 5, Informative

      Cambridge would leap off that cliff as well by helping China to further block any ways for citizens to bypass the firewall and obtain information about "sensitive" topics. It really bothers me that so many in the U.S. who claim to value freedom so much (who are out blowing up fireworks today to celebrate such - fireworks mostly bought from China I might add), will help a country who values freedom so little.

      FYI, Cambridge isn't a U.S. university.

      --
      "reality has a well-known liberal bias" - Steven Colbert
    3. Re:Legal action against Cambridge? by jabuzz · · Score: 5, Informative

      Wrong Cambridge, Cambridge University (fourth oldest in the world) is in the South East of England, and not in North America. Full marks you have displayed a typically parochial American outlook on the World.

    4. Re:Legal action against Cambridge? by mrogers · · Score: 3, Informative

      This paper was presented at the Privacy Enhancing Technologies Workshop, alongside papers about Tor and Mixminion. I'm pretty confident that the authors aren't trying to help the Chinese government. What they are doing is embarrassing the Chinese government, presenting it with a difficult choice between dismantling its firewall and suffering DoS attacks, and publicising a method of circumventing the firewall. By using the normal channels for vulnerability disclosure, the authors protect themselves from politically-motivated accusations of "cyberterrorism".

  3. Re:Congratulations by Trigun · · Score: 4, Insightful

    Better they do it from the outside than the Chinese government find the guys doing it from the inside.

  4. Mongolians? by veinard · · Score: 5, Funny

    Weird, I didn't know there were many Mongolians at Cambridge...

  5. Stateless? by Anonymous Coward · · Score: 3, Interesting

    How exactly does a stateless IDS block connections for up to an hour? Are there other components to the firewall I'm not aware of, or does stateless mean something else these days?

    1. Re:Stateless? by Just+Some+Guy · · Score: 5, Informative
      How exactly does a stateless IDS block connections for up to an hour?

      Stateless != ruleless. For example, you could use OpenBSD's "pf" to create a stateless firewall that references an external rules file, then use a cron job to rewrite that rules file once an hour. That might be a pretty reasonable approach if you're filtering billions of packets per hour and can't afford to track state for each connection.

      --
      Dewey, what part of this looks like authorities should be involved?
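
  As an added illustration (not part of any comment in this thread, and not the firewall's actual code): a toy Python model of a filter that judges each packet in isolation and keeps only a timed block table, next to a variant that acts only on flows whose handshake it observed. The keyword, addresses, class names and the `handshake_seen` shortcut are assumptions made for the example.

```python
BLOCK_SECONDS = 3600      # "up to an hour", per the summary
KEYWORD = b"SENSITIVE"    # constructed placeholder, not a real filter term


class PerPacketFilter:
    """Judges every packet alone; its only memory is a timed block table."""

    def __init__(self):
        self.blocked = {}  # frozenset({src, dst}) -> expiry timestamp

    def flow_verified(self, pkt):
        return True        # no connection tracking: any packet is believed

    def handle(self, pkt, now):
        pair = frozenset((pkt["src"], pkt["dst"]))
        if self.blocked.get(pair, 0) > now:
            return "drop"
        if KEYWORD in pkt["payload"] and self.flow_verified(pkt):
            self.blocked[pair] = now + BLOCK_SECONDS
            return "drop"
        return "pass"


class HandshakeAwareFilter(PerPacketFilter):
    """Same rule, applied only to flows whose handshake was observed."""

    def __init__(self):
        super().__init__()
        self.established = set()

    def flow_verified(self, pkt):
        return frozenset((pkt["src"], pkt["dst"])) in self.established

    def handle(self, pkt, now):
        if pkt.get("handshake_seen"):   # model shortcut for SYN/SYN-ACK/ACK
            self.established.add(frozenset((pkt["src"], pkt["dst"])))
        return super().handle(pkt, now)


def replay(fw):
    a, b = "192.0.2.10", "198.51.100.20"   # documentation-range addresses
    lone = {"src": a, "dst": b, "payload": b"x SENSITIVE x"}  # unverified origin
    real = {"src": a, "dst": b, "payload": b"hello", "handshake_seen": True}
    return [fw.handle(lone, 0), fw.handle(real, 60), fw.handle(real, 3601)]
```

  In the per-packet model one unverified packet is enough to cut off the genuine pair until the timer expires; the handshake-aware model avoids that at the cost of per-connection memory, which is the scaling trade-off raised elsewhere in the thread.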
  6. Solution? by QuantumFTL · · Score: 4, Insightful

    I wonder what the Chinese government would do if groups of individuals from around the world used techniques like this to DDoS the firewall. I highly doubt that they could get their population to accept them completely shutting off access to the outside world, and a stateful firewall would be considerably more expensive, assuming they wanted to keep their same (terrible) level of performance.

    What does slashdot think about this?

  7. I wonder... by mike260 · · Score: 3, Interesting

    ...what would happen if I sent some packets from google.com to google.cn, containing words like 'democracy' and 'Falun Gong'.

    1. Re:I wonder... by Turn-X+Alphonse · · Score: 3, Interesting

      Yes because a Chinese firewall is going to black English words right? They'll block the Chinese words obviously.

      --
      I like muppets.
    2. Re:I wonder... by TubeSteak · · Score: 5, Interesting

      http://www.google.cn/search?q=Falun

      Falun Gong Is a Cult
      www.china-embassy.org

      Research Society of Falun Dafa and the Falun Gong organization under its control are held to be illegal
      english.people.com.cn

      Fifteen Falun Gong Cult followers attempted to sabotage cable TV network equipment
      app1.chinadaily.com.cn

      southcn:Falun Gong Cult OUTLAWED
      www.newsgd.com

      Here we should point out that the banning of "Falun Gong" by the Chinese government is also part of
      www.chinaembassycanada.org

      Falun Gong Practitioner Not Sorry for Killing Father, Wife
      news.xinhuanet.com

      Now compare all that to
      http://www.google.com/search?q=Falun

      Now, if the Chinese Gov't is making Google filter based on English keywords, you think they're not going to do the same with their uber-firewall?

      Many Chinese schools teach English. It isn't like they only speak various Chinese dialects over there.

      --
      [Fuck Beta]
      o0t!
  8. Actually it would have to work the other way round by Opportunist · · Score: 4, Interesting

    As far as I understood it, the point is that the wall blocks out IPs outside of China that try to send "sensitive" data into China.

    Not a big deal either. Just send the IP Address of any mailserver you want to protect with a packet containing something "sensitive".

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. That isn't technically a DDoS by Jeian · · Score: 5, Informative

    DDoS is using multiple computers to "flood" a target off the Internet. This would be a plain DoS attack using a software weakness to deny service.

  10. Re:hard to believe by cperciva · · Score: 3, Insightful

    I can't imagine why anyone would choose a stateless firewall

    Stateful firewalls scale poorly.

  11. Try the Saudi firewall by Anonymous Coward · · Score: 5, Interesting

    Chinese firewall is nothing - try getting through the Saudi firewall. As I understand it, the Chinese are at least a bit less modest about what is banned, so you should be able to at least get some legit porn sites through Chinese internet. However Saudi internet would block not just porn sites, but women's rights websites, women's magazines websites, even medical sites - anything that would display a photograph or illustration of a naked woman or man was strictly banned. Even if it was just part of a human body, i.e. shoulders up.

  12. Re:Congratulations by TubeSteak · · Score: 5, Interesting
    Well done on writing a 'how-to' on pointers to make the firewall better.
    Actually, this flaw is inherent to the design of the great firewall.

    It's not something that is trivial to fix. Others can do a better job of explaining why, but for now, suffice it to say that it'd require a significant effort on the part of the Chinese Gov't.

    Maybe it can be fixed in The Great Firewall of China v2.0
    --
    [Fuck Beta]
    o0t!
  13. six of one... by Armchair+Dissident · · Score: 4, Insightful

    ...half a dozen of the other.

    Certainly TFA suggests that the DoS attack could be used against Chinese government computers, but this could also be used against Chinese citizens. An exploit is, after all, an exploit. So I would suggest that in the case of the DoS attack, reporting it to the appropriate people - in this case the Chinese authorities - was the right thing to do.

    Unfortunately, in this case, the very flaw that allows a DoS against machines within China also permits those inside the firewall to ignore the resets sent back, so by reporting the DoS, they've also reported how the censorship can be circumvented. (or, by discovering the censorship circumvention they've unfortunately stumbled upon a DoS attack).

    In this case, I really don't think that there is a One True Answer.

    --

    The ways of gods are mysteriously indistinguishable from chance.
  14. They're supposed to be helping them by Anonymous Coward · · Score: 5, Interesting
    I'm presenting a paper on Ignoring the Great Firewall of China at the 6th Workshop on Privacy Enhancing Technologies being held here in Cambridge this week. It turns out that this censorship system works by sending reset packets to each end of the connection, rather than blocking packets. If they don't dutifully close, but just discard the packets, the firewall is completely ineffective. More about this in the paper and in my security group blog posting. [http://www.cl.cam.ac.uk/~rnc1/]

    Their research is concerned with DRM ass hat tactics and such...pity!

  15. Re:Congratulations; Same old tired argument. by posterlogo · · Score: 4, Interesting

    Well done on writing a 'how-to' on pointers to make the firewall better. I'm sure people out there knew these things, and used them to their advantage. Now all holes will be plugged and even more censorship will reign in China. You have now had your 15mins of fame.

    This is the same old tired argument we hear here on Slashdot over and over again. Expose the flaws and you either 1) alert the hackers on how to expose them or 2) Allow the admins to patch them. It's funny how depending on your political ideology, people will swing either way. How about a consistent opinion in favor of revealing flaws? Those who favor security by obscurity deserve neither.

  16. Re:Tiannamen Where? by Joe+Decker · · Score: 5, Interesting

    Me too, it was an incredible symbol. The story of one of the photographers who captured that image is pretty amazing as well.

  17. National Security by subl33t · · Score: 5, Insightful

    Go ahead, mod me down.

    Couldn't the Chinese government view this as an act of terrorism? In the interest of national security the Chinese government will start an ambiguous "War on Terror" after the US "War on Terror" and "War on Drugs" which are _also_ unwinnable and declared solely to keep the ruling party in power via fear.

  18. Cyber Attacks, a good thing?? by Theovon · · Score: 4, Insightful

    Is it just me, or does it seem rather unkind to go about declaring, "Look at me! I just conducted a cyber-attack against China!" Hey, I'm no fan of China's government or censorship, and I am aware that China have tried to attack other countries' computers, but two wrongs don't make a right. Unless we're doing something defensive to ward off an attack from China, I see little point in taunting them and giving them reason to tighten security even further. It just doesn't seem right.

  19. Last weeks news - original post here by erik_norgaard · · Score: 4, Informative

    It appears the link to the source is missing - I first read about it last week on Schneier's blog, linking to the original blog post found here:

        http://www.lightbluetouchpaper.org/2006/06/27/ignoring-the-great-firewall-of-china/

    And for all the details, the paper to be presented is here:

        http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf

    I think the interesting thing is that by configuring our end to ignore the invalid resets from the Great Firewall of China we can aid the distribution of otherwise censored material.

    DDoS attacks against the GFC seem not to be that easy, as the article mentions the GFC is not one giant router at the backbone, but rather smaller machines closer to the end stations - the firewall is distributed across an unknown number of gateways.

  20. Oblig. Monty Python (parody) - The Terrorist Song by usurper_ii · · Score: 3, Insightful

    The Terrorist Song
    by Usurper_ii
    (Sung to the tune of Python's The Lumber Jack Song)

    I'm a terrorist and I'm OK
    I read at night and I work all day.

    The Government:
    He's a terrorist and he's OK
    He reads at night and he works all day.

    I read a lot and I seek the truth
    I go to the lavatory.
    After OKC, I saw some things that didn't make sense to me.

    The Government:
    He doesn't believe our story about OKC,
    We monitor when he goes to the lavatory.
    On Wednesday night, he went to an unapproved web site.

    Chorus:
    He's a terrorist and he's OK
    He reads at night and he works all day.

    When, after 9-11 didn't all add up,
    I met with others on the net, to talk it up.

    The government:
    He didn't believe our story about 9-11.
    We followed him to unapproved web sites after hours.
    In our report, we'll say he had bomb-making materials under his sink.

    Chorus:
    He's a terrorist and he's OK
    He reads at night and he works all day.

    I don't think a plane hit the Pentagon.
    I think the World Trade Center buildings fell all wrong.
    I wish I could convince my dear ol' mom!!

    The government:
    He's a terrorist and we're going to make him pay?!
    We read his e-mail and didn't like what he had to say?!...

    Just me:
    I wish I'd been born, back when America was really free!!

    The Government:
    He's a terrorist and we're going to make him pay
    He reads the Constitution and knows his rights.
    He's just like McVeigh, Bin Laden, and al-Qaeda!!

    Chorus:
    He's a terrorist and he's OK
    He reads at night and he works all day.

  21. Re:Congratulations; Same old tired argument. by John+Courtland · · Score: 3, Informative

    The banner can tell you program version information and sometimes the host OS, machine architecture and running modules. Apache's webserver banner is a good example. It can, if set up to, tell you the version of Apache, the version of PHP, the host OS kernel revision, and what processor is hosting that OS. That's a lot of information that really isn't necessary. Usually it's displayed when an ErrorDocument handler returns a 404 itself.

    --
    Slashdot is proof that Sturgeon's Law applies to mankind.
  22. Re:Congratulations by 91degrees · · Score: 3, Insightful

    It's information.

    They're academics.

    Their whole raison d'etre is to learn and share their learning. The information itself is ethically neutral. It can be used for good or for bad.