Inside the Great Firewall of China's Tor Blocking

Trailrunner7 writes with an article at Threat Post about China's ability to block Tor. From the article: "The much-discussed Great Firewall of China is meant to prevent Chinese citizens from getting to Web sites and content that the country's government doesn't approve of, and it's been endowed with some near-mythical powers by observers over the years. But it's somewhat rare to get a look at the way that the system actually works in practice. Researchers at Team Cymru got just that recently when they were asked by the folks at the Tor Project to help investigate why a user in China was having his connections to a bridge relay outside of China terminated so quickly. Not only is China able to identify Tor sessions, it can do so in near real-time and then probe the Tor bridge relay and terminate the session within a couple of minutes."

And you say Chinese can't innovate

[DCTech]

Clearly they're one of the best software engineers in the world when they want to, being capable of real-time packet inspection and probing. China has over 1.7 billion people who almost all want to work in IT. They will rule the world.

Re:And you say Chinese can't innovate

Where did they pick up the extra 400 million people from?

Re:And you say Chinese can't innovate

[axx]

Do you really believe that a census on over one billion people, who have (who had?) an incentive to lie about their progeny, is credible?

Hell, I might be wildly off the mark but for all we know there could be two billion people in China, I wouldn't be that surprised.

Hopefully someone more aware of the reality of the situation will chime in.

Re:And you say Chinese can't innovate

[gman003]

Wikipedia cites 1.3 billion

The margin of error in the US census is 0.009%.

Even allowing for China to have a margin of error a hundred times that of America's, you're looking at a maximum inaccuracy of ~12 million people, not 300.

Re:And you say Chinese can't innovate

[Ethanol-fueled]

Haw, I might believe you if you can prove to us that it's solely Chinese technology doing the filtering, and not solutions from Western vendors such as Naurus or Procera.

All of the big links provide only details about the type of filtering and not the hardware used.

Re:And you say Chinese can't innovate

[cp.tar]

Despite the error in your numbers, your post reminded me of Focus in Vernor Vinge’s A Deepness in the Sky.
Spooky.

Re:And you say Chinese can't innovate

[saleenS281]

You're assuming they're building it themselves. Given the recent accusations and lawsuit against Cisco, it's entirely possible that a US or some other country based company is writing the code they're using.

http://www.huffingtonpost.com/2011/05/23/cisco-falun-gong-lawsuit_n_865585.html

Re:And you say Chinese can't innovate

[QQBoss]

It isn't an issue of error bars, it is more an issue of outright fraud in the census.

Illegal aliens (both internal and external... do you know anything about the hukou system?) have an extremely high incentive to remain uncounted, particularly if they have children.

From 2008:

http://www.china-briefing.com/news/2008/09/01/is-china%E2%80%99s-population-really-13-billion.html

Re:And you say Chinese can't innovate

[wisty]

Are they actually capable of real time packet encryption; or do they just run it like a proxy? The lag can be horrific, like there's some server at the border waiting for the whole page to download, before they forward it to you.

Re:And you say Chinese can't innovate

[sadboyzz]

The reality of the situation in China is that the government is under _huge_ pressure to drop the draconian population control policy, aka one-child policy. However, there is no sign from the regime that it would even consider budging on this issue. So if anything, they have an incentive to _overstate_ the population, rather than understate it.

The other reality is that hundreds of elementary schools rural areas were closed down over the past few years due to not having enough school kids. Class rooms that once hold 40 children were down to 5, so the local gov simply closed the under attended schools and moved the children into bigger schools in towns, forcing some kids to travel great distances just to get to school everyday. The Hong Kong based Phoenix media ran a documentary on this a couple of years ago, which for some reason, was not aired in mainland China.

Re:And you say Chinese can't innovate

[QQBoss]

How many people are actually in China, I am in no position to guess. But I am in a position to know that census undercounting does occur and why.

As I mentioned, the "uncounteds" are both internal and external illegal aliens. Unlike most of the Western world, where the right of free travel is assumed, within China you are only legally allowed to live/work/"own" property in the place where you have a hukou (this is a gross oversimplification, but it is the beginning of a discussion). Many of the presumed 400M illegals are native Chinese who have chosen to live where they have no permission to live, doing so under the radar to avoid sanctions which in the past could have been quite onerous. They aren't at their home city to be counted (though children usually are, staying with grandparents, since without a local hukou they have no right to go to school where their parents are living) and they avoid being counted in the city where they are living because they could be forced to return to their officially registered home.

About 6 or 7 years ago, the hukou laws were supposedly eliminated, but anyone who says they have been completely abolished is wrong. Decentralized, perhaps, but they still exist and are enforced whenever the right government official gets their panties in a wad. Unless and until the hukou laws are actually abolished, the charade will continue.

Re:And you say Chinese can't innovate

[rtb61]

Reality is by far the majority of Chinese in China work as near slave labour in factories or as peasants on farms working for a pittance. Don't get confused by numbers and percentages, plus independent thinking, striving for their voice, Chinese tend to be the ones who have already left and live elsewhere in the world. That is aproximately 40 million people http://en.wikipedia.org/wiki/Overseas_Chinese which you blithely reduce nothing.

The numbers of Chinese who have a voice in China and are in a position to control anything only number in the tens of thousands, it is an corporo-Fascist Autocracy after all.

Internet censorship in China is made significantly easier because by far the majority can not afford and must gain access through a limited number of internet cafe's. As time progresses and the majority of people living in China release how backward they are in their rights and how cowardly they have been in failing to fight for them, will of course start to baulk at passing that future on to their children and grandchildren and strive to break the autocracy that controls them.

So in a future China where 1.3 billion want internet access, we will see how effective the government is at censoring them and keeping them cowed.

Re:And you say Chinese can't innovate

[ron_ivi]

Sure, but Cisco probably outsourced the work to China.

Re:And you say Chinese can't innovate

I left my job at a major router company around 2004 specifically because Chungwah Telecom was asking for us to implement features to aid spying. Although, interestingly enough, you had to read between the lines to understand that it was for spying... A lot of the techniques that do it are essentially system testing-sounding features like "clone traffic matching this IP to a second address on a different port."

At that time, deep packet inspection was not yet a reality, but any engineer could easily see that, as the data/traffic moves through numerous custom ASICs and FPGAs, and the headers get inspected, why not examine more of the data in the packet? The first stage I saw of it in the public at large was detection of layer 5 and up protocols, e.g. traffic-limiting bittorrent.

Last time I was in Taiwan (which has a grumpy relationship w/ China), one of my younger student friends in a University there demonstrated, as his Master's project, an algorithm to detect images without (fully) decoding them. The secret there was to extract, from JPGs only, the DC blocks representing the average RGB values of each 8x8 block. If you know JPG you'll recognize that. The system then ran conventional "porn detection" algorithms, etc. on the extracted mini-images.

So, yes, I can verify that 1. American companies are writing code to spy on the rest of the world and ourselves. 2. Chinese are asking for it, just like any other feature. 3. The requests for capabilities are often subtle, such that most engineers don't realize what the algorithms are doing and 4. capabilities to do this are steadily growing more powerful.

So, now, what are you going to do about, boys?

My college did it easier

[The+MAZZTer]

Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks.

At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

Re:My college did it easier

[TSHTF]

Tor has changed since you read last... "Bridges" were added to Tor and are not listed in any central directory.

Tor bridges

Re:My college did it easier

[xiando]

Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks. At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

This was the situation. Countries did download the entire Tor directory and block all the nodes listed in it. This is why bridge relays were invented, and there is no public list off all bridge relays. It works like this: You get a bridge address, you connect to a bridge and the bridge then connects to the Tor network. This changed the arms-race. GFW is now able to detect the Tor bridges and this is a set-back for the Tor-project. They will find a solution which fools the GFW and the Chinese will lose face.

Re:My college did it easier

[BitterOak]

Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks.

At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

We have to remember though what Tor was designed to do and what it was not designed to do. Tor was designed to protect the privacy of individuals who don't want their browsing habits revealed. It does this by preventing your IP address from being available to the web server you connect to, and additionally it encrypts traffic so intermediaries, such as your ISP can't snoop on your traffic. It was NOT designed as a means of bypassing firewalls that are actively try to block Tor. That was never its purpose.

Re:My college did it easier

[Fluffeh]

It was NOT designed as a means of bypassing firewalls that are actively try to block Tor. That was never its purpose.

Totally agree that it was not the original purpose, but I would add to your comment and congratulate the folks behind Tor for taking a stand and trying to allow their software to get past the GFW. Sometimes when you realize that your software is being used for something more important (possibly something much more important than not letting your ISP know what you are doing) then it is a great opportunity to change your purpose somewhat. If the purpose itself isn't being changed, then it is still heart warming to see the effort being made anyhow.

obfuscation?

[wierd_w]

If we learned more about how they detect the tor session, couldn't we obfuscate the data to combat detection?

I mean, encrypted data stands out from normal traffic like a sore thumb, and unless the user is a bank, transacting large amounts of it puts up a red flag. But, what if we obfuscated the data so that it looks like ordinary unencrypted/uncoded data?

Re:obfuscation?

[DCTech]

And Chinese will just block it again. And unlike slower cat-and-mouse game in western countries, Chinese can react quickly without going thru all the hierarchies and courts. At the same time, Tor project needs to keep updating their clients and servers, and it probably doesn't take anything at all for Chinese to block new changes. They have the advantage here.

Re:obfuscation?

[mSparks43]

I mean, encrypted data stands out from normal traffic like a sore thumb.

Actually, I think this is something of a myth.
"normal traffic" these days is mostly compressed.
Since the goal of both encryption and compression is to achieve a byte stream that is otherwise indistinguishable from random noise, I don't think one set of random noise stands out much more than another set of random noise.

Only thing that really separates traffic these days is imperfections in these algs and the negotiation protocols.
____
My suggestion for their problems would be to negotiate an otherwise compressed stream that is widely used (e.g. gzip) then tunnel the encrypted data through this stream, ideally encrypting post compression.

Thank you Chinese government

[circletimessquare]

for helping us build more robust Tor protocols

Oh, you thought you were going to actually kill the average Chinese citizen's desire for free access to information? You didn't understand that a stronger Tor protocol or something even better than Tor is the actual result of your escalation of the arms race?

You're pretty ignorant about basic human nature, aren't you, you authoritarian assholes.

Oh, and btw you grumpy old shitbags:

http://www.nytimes.com/2012/01/04/world/asia/chinas-president-pushes-back-against-western-culture.html

The reason you are lamenting the influence of Western culture on China, and not basking in pride at the influence of Chinese culture on the West, is because YOU CENSOR EVERYTHING IN YOUR CULTURE. So Chinese Culture is hobbled and decimated. Because you think you can control, nevermind why you think you should control, Chinese thought. Instead of a great big strong tree, you have a demented little broken bush. Because of YOUR efforts at preventing Chinese culture from growing, by censoring everything, you morons

You ignorant controlling douchebags. Your average Chinese citizen understands this, why don't you you stupid old and decrepit paranoid control freaks?

Re:Thank you Chinese government

And how you do really feel?

Re:Thank you Chinese government

[circletimessquare]

Question: what is the greatest ally in the growth of Western Cultural influence in China?

Answer: The Chinese Central Government, for working so hard to make sure that Chinese Culture can't grow.

They think that controlling culture, and growing it, are compatible concepts. Culture grows when it freely crosspollinates with other world cultures. Japanese culture has freely been assimilating culture from around the world and we still recognize a distinctly Japanese culture. The game of controlling culture and "protecting" culture from "illegitimate" influences is the game of the insecure little person who believes Chinese culture is inferior. The person proud of being Chinese is freely dabbling in world culture, infusing their own thoughts, and defining Chinese culture as strong and new. Culture needs to crosspollinate to survive and grow. Sit on it, control it, keep it in a box, and your culture dies.

Look at what these ignorant insecure douchebags are doing:

http://www.nytimes.com/2012/01/01/world/asia/censors-pull-reins-as-china-tv-chasing-profit-gets-racy.html?pagewanted=all

I know: I can hear the typical snobby Western voice now: "I wish my government would censor the Kardashians and Jersey Shore."

And for thinking that way, you have merely identified yourself as knowing nothing about how culture actually works, and have allied yourself with authoritarianism. congratulations, you're ignorant and you're an asshole. i'd much rather have people watching jersey shore than some government entity telling them what to see and watch. and there is nothing wrong with the pursuit of empty guilty pleasures, that's a PERFECTLY VALID SEGMENT OF CULTURE. think of it as creative ferment from which greater cultural products spring forth. without the base of empty silly nonsense, the "higher" cultural products have nothing to grow out of.

Re:SSH

[xiando]

Bugged planet indeed, I wonder if any of our lovely "free world" companies like Amesys or Siemens are selling the DPI gear, or if China is using a fully homebaked solution.

If you watch the 28c3 Torproject presentation available at http://tinyurl.com/7c893sl then you will learn that western corporations like Intel, Nokia and Cisco are heavily involved in Internet surveillance and censorship around the world.

Re:Tor is designed to be easily censored

[xiando]

Freenet and I2P both serve their purpose. None of them serve the same purpose as Tor. Tor lets you connect to the normal Internet so you can view your normal web comics, visit CIA information gathering honey-pots like Facebook and so forth. Freenet and I2P are designed for hidden internal traffic in those networks. Sure, you can share a file on Freenet, but you can not visit your favorite news website. Different tools for different jobs.

Re:Not that much new here...

[xiando]

Tor exit node based blocking has been used on various IRC servers to combat abuse for years and years now, The chinese might be doing something more fancy, but that only shows that they didn't go for the fairly easy and quick solution.

The Torproject responded with bridges when countries started to block entire countries like those IRC servers do. The entire list of Bridges is not public. What GFW now does to detect and block those bridges is something new and it is something entirely different. The "download the entire list of Tor servers and block them" method was used and stopped being efficient thanks to Tor bridges.

Lose face

For those unfamiliar with the concept "face", it's the social equivalent of getting modded -1

Tor, China and the USA

[xiando]

I tell you, free speech and freedom in general in America is doomed. The NDAA2012 combined with SOPA is just another brick in the wall on the path towards a completely tyrannical fascist government. Some Americans argue that the USA is there already. Today we are talking about Tor being blocked by the Great Firewall of China. How long will it take before we are talking about the Great Firewall of the USA blocking websites, software like Tor, I2P, Freenet and so on? Beware that western corporations like Intel, Cisco, Nokia and Siemens are the ones who are delivering the technology used by countries like China. The US and the west already has this technology. I do not see it as a question of if but when these technologies will be used in the US and other "free" western countries. The Tor project should be supported. Why people in other countries need it today may be why you need it tomorrow.

Re:Tor, China and the USA

You're right--the US is nothing close to communist. The US is however VERY close to or has already acheived fascism, which is properly defined by the inventor of the word as the merger of corporate and state interestes. We absolutely have that. Right now the only thing we're missing is the traditional single dictator, but I'm not all that certain that it's required in version 2.0.

It is kind of amusing to see people equate "socialism" with "communism" or use either of those terms in conjunction with fascism though--and it's even more amusing to watch people blame government for "stealing" things when, at best, it's been the enabler of the theft by large multinational bankers and corporations. It's everyone's vaunted "private industry" and "free enterprise" that are the thieves. They rig the game, or they outright steal, and they use part of their takings to enable a media campaign to get everyone to hate the one force that could possibly stop all that--proper (in the interests of the people) government regulation.

Were it not so tragic, it would be even more amusing to watch people complain about "big government" willingly step into the TSA's porno scanners, support indefinite detention of whoever doesn't look like them, and generally engage in their fawning behavior over the ever-militarized police forces who truly occupy our cities and our streets. It is "law enforcement", which is almost never used against the rich and corporate, that is the greatest threat to freedom, liberty, and especially life these days, and yet that's the one part of government these morons never seem to question. "Law enforcement" has tried and will continue to try to bring this and many other evils to the US, and that sort of thing must be stopped at all costs.

Re:Not that much new here...

They're not blocking exit nodes -- they're blocking your first hop(s) into the tor network

direct that somewhere else

[s.petry]

I have no idea why you are on a tangent accusing someone else of wanting censorship. The point was that your rant (now two of them) is being directed at technical people in the US, not the Chinese Government.

How about writing mean letters to the Chinese Government, or getting involved in Politics instead of ranting here on /.?

Trust me, personally I'm not for anything that China does. With out of control IP laws, rampant corruption, and pay-for-politics in the US we have a shitload to worry about at home. With things like SB1867 being passed on 1/31/11 by our President, and now the big push for SOPA we are on our way to becoming a whole like like them.

Oh.. one more thing.. The US Government will not censor anything like you mentioned. What better way of distracting people from the fucked up shit they are doing than to spoon feed people stuff like that?

ssh tunnel on nonstandard port

[gatkinso]

This seems a bit obvious... does anybody know how much luck folks have had with this method?

Re:ssh tunnel on nonstandard port

[peterindistantland]

This definitely work. I have no problem using SSH even on the standard port in China. Since ssh is encrypted, deep packet inspection is useless, unless they ban SSH altogether, which they don't.

Re:ssh tunnel on nonstandard port

[lakeland]

It works, though it stands out like a sore-thumb.

Re:Fear & Lolling

[icebraining]

Using a VPN service advertised on popular websites seems akin to buying drugs from a guy who advertises at the local police station.

It had to happen eventually

[ALeader71]

As with any war, maneuvers lead to counter maneuvers. Escalation leads to further escalation. The only way to end a war is either by choice (as we did in Vietnam and now in Afghanistan), out maneuvering your enemy (siege of Stalingrad, battle of the Bulge), or if the enemy destroys its own credibility with the people (Iraq insurgency movement).

So good going China, you've managed to shut down TOR. I'm sure you have shared your successes with other "Great Firewall" regimes and those who desire "Great Firewall" status. But those who created TOR gained legitimacy, so they will be back with better weapons and in greater numbers.