VPN Providers Say China Blocks Encryption Using Machine Learning Algorithms
An anonymous reader writes "The internet control in China seems to have been tightened recently, according to the Guardian. Several VPN providers claimed that the censorship system can 'learn, discover and block' encrypted VPN protocols. Using machine learning algorithms in protocol classification is not exactly a new topic in the field. And given the fact that even the founding father of the 'Great Firewall,' Fan Bingxing himself, has also written a paper about utilizing machine learning algorithms in encrypted traffic analysis, it would not be surprising at all if they are now starting to identify suspicious encrypted traffic using numerically efficient classifiers. So the arm race between anti-censorship and surveillance technology goes on."
This has been causing havoc and reduces availability and integrity of our VPN access to our Chinese clients. The insane part is, most of them are in the aerospace and defense industry and are usually mostly owned by the Chinese government. It's indiscriminate. So far steganography techniques have worked, at the reduction of speed and standardisation, but it's hard to explain to clients why they suddenly can't access network resources and expect your company to fix everything.
bits will copy, packets will route.
I was just in Beijing for two weeks. I have access to two OpenVPN servers, one in New York, another in California. These are personal servers so they aren't on the IP-based blacklist. However, my connection from Beijing to either of the two would crap out after a day or two, and the only remedy was to change the OpenVPN server port.
It seems right now they update their blacklist every 24~48 hours. I did not test whether the amount of traffic (idle vs. busy) would affect the time it takes them to block you. Blacklists last longer than two weeks, as the original ports I used were still blocked by the time I left. SSH connections do not seem to be affected at this time.
It's actually a race between severed zombie limbs.
Raise the noise floor, hide your encrypted data among legitimate-looking traffic. For various meanings of legitimate. One can only fathom the amount of useless garbage that gets passed on backbone links. From malfunctioning programs, unknown millions of installations of random programs phoning home for updates, spam, web bots, DDoS, Facebook. An endless sea of data for your subversive little packets to get lost in.
Less efficient? Sure. But a lot harder to find.
So what if they have adaptive learning sniffers. We can invent adaptive learning garbage a whole lot faster than they can keep up.
You can have an arm race too.
"When information is power, privacy is freedom" - Jah-Wren Ryel
You might be able to use this to simulate encrypted traffic to something legitimate and cause it to be blocked.
What about SSL? We're looking into expanding our use of a SaaS ERP system into China. If it requires SSL will it stop working some day?
The interesting question is if they man-in-the-middle it.
I'm assuming they're targeting commercial VPN providers rather than companies using VPN?
If not, I'd like to get some address where to register corporate endpoints which should be excluded from filtering.
Otherwise managing workstations and servers located in China might become rather tedious.
At least this IPsec VPN to China which I'm using to post this message seems to work just fine right now.
There are no atheists when recovering from tape backup.
If you need a narrow band VPN, you could always encrypt it in such a way that it can't be detected by the sniffers. For example, use something like the technique used by port knocking, i.e. utilize the time domain for your encrypted channel. In other words, don't send encrypted data directly, just send regular data and modulate the time intervals between the packets to reflect your encrypted data.
cpghost at Cordula's Web.
It certainly sucks, and is bad for business, but slowing down or shutting down VPN links is one thing, decrypting them is another.
But honestly, I've heard of ISPs in the West using deep packet inspection to weed out encrypted traffic and shape it down into the mud.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Good luck blocking pairs of devices with entangled quantum particles. They travel through the fabric of reality or whatever, not copper cables. Place one inside the country and one outside and that's point to point and untraceable as far as we know.
The biggest mistake made in the design of the web protocol was starting out with a non-encrypted protocol, HTTP. In 20/20 hindsight it should have always been HTTPS and nothing else. I look for the day when browser makers disable HTTP.
All I think of when I hear that phrase is something akin to a leg race. I imagine a bunch of Chinese nationals racing each other on a track while doing handstands.
It's kind of funny, the things one can extrapolate from a simple grammatical error.
Two dialup modems on each end of a VoIP session. It could totally work. Totally.
That was TBDR (too boring)
So are they basically using entropy to detect probable encryption?
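As an added illustration of the entropy test the comment above asks about (example code written for this page, not from the thread, a VPN vendor or any censorship system): a bytewise Shannon-entropy classifier scored over fixed windows, run against constructed sample payloads. The threshold, window size and samples are all assumptions; the point it shows is that compressed data trips the same test as ciphertext (a false positive), while a small amount of ciphertext inside plaintext slips under it (a false negative).

```python
import math
import random
import zlib
from collections import Counter

THRESHOLD_BITS = 7.0  # assumed cut-off for "looks like ciphertext"; not from the thread
WINDOW = 512          # bytes scored at a time; short windows bias entropy downward

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def peak_window_entropy(payload: bytes, window: int = WINDOW) -> float:
    """Highest entropy over full-size windows, so one burst of ciphertext in an
    otherwise plaintext stream still counts; a payload shorter than a window is scored whole."""
    if len(payload) < window:
        return shannon_entropy(payload)
    return max(shannon_entropy(payload[i:i + window])
               for i in range(0, len(payload) - window + 1, window))

def classify(payload: bytes) -> str:
    return "likely-encrypted" if peak_window_entropy(payload) >= THRESHOLD_BITS else "plaintext"

# Constructed samples (not captures from the thread), seeded so the results repeat.
rng = random.Random(1194)
HTTP_REQUEST = (b"GET /news/index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
PLAINTEXT = (HTTP_REQUEST * 40)[:2048]
CIPHERTEXT = bytes(rng.getrandbits(8) for _ in range(2048))   # stand-in for a VPN payload
WORDS = [b"route", b"packet", b"tunnel", b"client", b"server", b"port", b"update"]
COMPRESSED = zlib.compress(b" ".join(rng.choice(WORDS) for _ in range(6000)), 9)[:2048]
MIXED = PLAINTEXT[:1948] + CIPHERTEXT[:100]                     # ~5% ciphertext in plaintext

SAMPLES = {"http": PLAINTEXT, "vpn": CIPHERTEXT, "gzip": COMPRESSED, "mixed": MIXED}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:6s} peak entropy={peak_window_entropy(payload):.2f} -> {classify(payload)}")
```

A real classifier would add per-protocol features (packet sizes, timing, handshake shape) on top of this, which is why the thread's "add noise" answer buys less than it seems against a windowed detector.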
The Chinese are wasting their time, buying a year or two of incomplete censorship at the cost of giving everyone the means to defeat such methods afterwards, when new software methods are developed and become universally available.
Consider the problem. You wish to kill the use of encryption so you have the capability of inspecting any data block that travels across the Internet. Luckily, such censorship is fighting maths, and will always lose accordingly. Here's why.
Attempts to block encryption are actually attempts to identify the use of encryption, a mathematical impossibility UNLESS you already know all possible permutations of 'legal' data that might travel across the network. All you can do is attempt to identify SUSPICIOUS data with some statistical level of success, and obviously that success level must be very high to make the method viable and successful.
Thus, the people fighting the block simply have to use methods that make the detection system generate far too large a percentage of false positives. For those using encryption, this is simply an issue of SIGNAL-TO-NOISE ratios. That is to say, you accept the encrypted data will be, say, 5% of the data stream, wasting 95% of the bandwidth, but forcing false positive detection rates into the stratosphere.
Of course, we all suspect that China is targeting casual users of VPNs, not hardcore security agencies (who would simply use steganography to encode sensitive data in JPGs, video or audio streams). On the other hand, people who go to the trouble of using VPNs are going to find a way to defeat signature detection too. This leaves us with the understanding that China is currently doing this censorship because, currently, some bunch of bods in Chinese universities or software houses are making a VERY good living by persuading the Chinese government to waste their money paying for such short-term and self-defeating services.
The article makes reference to machine learning (which always translates to a bunch of low-paid grunts in a warehouse tediously sitting in front of terminals where they get to input new data rules on the basis of the intercepted data presented to them; this is how Google works too; there is no such thing as AI in any real sense). Luckily, the internet 'learns' too through the combined actions of many thousands of individuals who wish to protect it.
A final thought. The Internet is the most perfect intelligence gathering tool ever invented. This function is degraded when governments are stupid enough to publicly attack its freedoms. Bashing the Internet brings short term political gains to governmental opportunists, but drives the security services up the wall. The desire to encrypt is driven by petty action against users, like the Bittorrent prosecutions. Those that MUST encrypt have always done so and will always do so. It is much like the situation with online ads and ad-blockers. The use of ad-blockers grows when the 'offensiveness' of online-ads grows. Thus the ad people have a massive incentive to NEVER irritate users with ads that do bad things. However, like China, they are too stupid to get this, so they make their ads more irritating and more dangerous (serving scareware), so the use of ad-blockers grows.
Just post some nice pictures on a forum and embed your message. Put your data in plain sight.
This has got to be a testing phase before the US starts trying to mandate this on their networks. How long do you think it will be? Obama's still got 4 more years, after all...
Over about the last 2 weeks, one of our hosting clients' OpenVPN connections to their machines in China have been failing. We can still SSH into the machine in China, glad they haven't blocked that. We ended up setting up a block of several hundred ports with DNAT to the normal OpenVPN port, and then set up 64 (the max allowed) servers in the client config so it can cycle between them. That's been effective so far.
It took a while to figure out, because I was able to send test traffic via "date | nc -u server 1194", and that would go through, but the OpenVPN connection wouldn't.
Sean
Machine learning holds a great promise for the future of humanity. We aspire to create an artificial general intelligence and many advances in all sorts of fields (medicine, education, auto, social networking, recommendation, assisting disabled persons, etc).
It's a sad day when freedom of speech is being limited by applying highly flexible self-adapting algorithms such as this one.
Crap; the Borg have learned our 'rotate the frequencies' trick.
When an authority suppresses a minority, the minority builds resentment. If there is no outlet, the resentment grows into rebellion. If the authority suppresses the dissent it doesn't go away. It festers. Eventually all of the minorities in China will all be unhappy and ready for a full revolt. If authority tightens its grip, the country will explode. Angry upset minorities rebelling simultaneously across all of China would be more than the authority can suppress. It will become like Syria. If China does not change course, Syria is its future.
The only effective way to fight this is just to let China go. They don't want traffic they don't like? Fine, f 'em. Drop ALL traffic into their ISPs. Companies who keep playing ball with them will only have themselves to blame when the cost of doing business is so high that it's infeasible.
Low-hanging fruit is SSH and SSL VPN signatures. Protocol encapsulation tricks are now mandatory. Say, that DNS-based VPN tunnel by Dan Kaminsky (OzymanDNS), or abusing the ability to send payload data in TCP SYN packets to emulate UDP...
Yes. My OpenVPN connection to my home PC in the USA has been down for several weeks. It gets the initial packet, after the OpenVPN handshake, and then after that it's 100% of packets dropped to/from the OpenVPN server port. I still have SSH access to my home PC in the USA.
I had originally tried using SSH tunneling before, with no luck because the DNS entries are poisoned as well. It wasn't until I got a tip on reddit.com/r/linux that you can set Firefox to send DNS queries through the SSH tunnel (SOCKS proxy). This works well, but is about 1/5th the performance of my OpenVPN connection using UDP.
Cisco is claiming here that they've got hardware for sale that can specifically target and block *all* encrypted VPN traffic, 100% of the time. Hopefully OpenVPN can update their protocol or do something that can make it harder to identify!
Swapping steganographic images with an acoustic coupler & Kermit could be fun.
Or perhaps create a fake conversation over a normal VOIP channel, using WAV / VOC files padded with data, using, for example:
http://www.heinz-repp.onlinehome.de/Hide4PGP.htm
I don't live in China so I haven't had a chance to test this, but I would guess Tor/Onion is more or less the ideal way of keeping a stable connection out of China. Just run a private exit node outside China. Tor changes the tunnel connections regularly to obscure its existence.
VPN Providers Don't Cry Plox!
Recipes for USA bankrupt - http://tinypaste.com/0d66f dd = dollar deluge (printed in the infinity)