Slashdot Mirror

← Back to Stories (view on slashdot.org)

VPN Providers Say China Blocks Encryption Using Machine Learning Algorithms

Posted by timothy on from the man-vs-state-with-a-cast-of-millions dept.

An anonymous reader writes "The internet control in China seems to have been tightened recently, according to the Guardian. Several VPN providers claimed that the censorship system can 'learn, discover and block' encrypted VPN protocols. Using machine learning algorithms in protocol classification is not exactly a new topic in the field. And given the fact that even the founding father of the 'Great Firewall,' Fan Bingxing himself, has also written a paper about utilizing machine learning algorithm in encrypted traffic analysis, it would be not surprising at all if they are now starting to identify suspicious encrypted traffic using numerically efficient classifiers. So the arm race between anti-censorship and surveillance technology goes on."

14 of 111 comments (clear)

  1. Havoc by Anonymous Coward · · Score: 5, Interesting

    This has been causing havoc and reduces availability and integrity of our VPN access to our Chinese clients. The insane part is, most of them are in the aerospace and defense industry and are usually mostly owned by the Chinese government. It's indiscriminate. So far steganography techniques have worked, at the reduction of speed and standardisation, but it's hard to explain to clients why they suddenly can't access network resources and expect your company to fix everything.

    1. Re:Havoc by Anonymous Coward · · Score: 5, Interesting

      Yes, basically. We created software which encapsulates the connection in another protocol and re-encodes the data, shoved it in a VM and put one here and over there. We made it modularised so we can create support for new protocols and encoding easily. It's slower and usually requires a higher tolerance latency and bandwidth configuration for the protocol you are tunnelling but I'm surprised we whipped it up so quickly and it works.

  2. This is true by sadboyzz · · Score: 5, Informative

    I was just in Beijing for two weeks. I have access to two OpenVPN servers, one in New York another in California. These are personal servers so they aren't on the IP based blacklist. However, my connection from Beijing to either of the two would crap out after a day or two, and the only remedy was to change the OpenVPN server port.

    It seems right now they update their blacklist every 24~48 hours. I did not test whether the amount of traffic (idle vs. busy) would affect the time it takes them to block you. Blacklists last longer than two weeks, as the original ports I used was still blocked by the time I left. SSH connections does not seem to be affected at this time.

    1. Re:This is true by VortexCortex · · Score: 5, Funny

      SSH connections does not seem to be affected at this time.

      Can you find a solution to your problem then?

      *Jeopardy music*

      Let's see what Tim has. You've written, "Don't do business in China", I'm sorry, we were looking for "SSH tunneling". Susan, you've written, "Port Changing Cron Job", no, that's incorrect as well. Yiu? You've written, "There is no Problem"... No, that's incorr--- Wait, the judges say we'll accept that answer, Yiu Wins!

    2. Re:This is true by sadboyzz · · Score: 4, Insightful

      I find SSH tunneling to be much less efficient than OpenVPN. With OpenVPN I can have a more-or-less usable remote VNC desktop from Beijing to New York, which is not possible using SSH tunneling.

      Anyway, that is not a real solution, as there is nothing to prevent them from cutting off SSH connections when they feel like it. There is no technical solution to a political problem.

    3. Re:This is true by sadboyzz · · Score: 4, Informative

      Yes, I did, it does not work, they are able to distinguish VPN from HTTPS traffic. Their detection scheme doesn't seem to care about the port number.

  3. Re:"Arm race"? by SJHillman · · Score: 3, Funny

    It's actually a race between severed zombie limbs.

  4. Noise. by Anonymous Coward · · Score: 5, Insightful

    Raise the noise floor, hide your encrypted data among legitimate looking traffic. For various meanings of legitimate. One can only fathom the amount of useless garbage that gets passed on backbone links. From malfunctioning programs, unknown millions of installations of random programs phoning home for updates, spam, web bots, ddos, facebook. An endless sea of data for your subversive little packets to get lost in.

    Less efficient? Sure. But a lot harder to find.

    So what if they have adaptive learning sniffers. We can invent adaptive learning garbage a whole lot faster than they can keep up.

  5. Is that a DOS vector? by bigtrike · · Score: 4, Interesting

    You might be able to use this to simulate encrypted traffic to something legitimate and cause it to be blocked.

  6. Tunneling through SSH comes to mind. by Anonymous Coward · · Score: 5, Interesting

    The interesting question is if they man-in-the-middle it.

    1. Re:Tunneling through SSH comes to mind. by PlusFiveTroll · · Score: 3, Informative

      Being that his computer already knows the signature of his server, it would show up very quickly.

  7. Targetting commercial VPN providers? by Keruo · · Score: 3, Interesting

    I'm assuming they're targetting commercial vpn providers rather than companies using VPN?
    If not, I'd like to get some address where to register corporate endpoints which should be excluded from filtering.
    Otherwise managing workstations and servers located in China might become rather tedious.
    Atleast this IPSEC VPN to China which I'm using to post this message seems to work just fine right now.

    --
    There are no atheists when recovering from tape backup.
  8. Only big pipes are affected by cpghost · · Score: 5, Interesting

    If you need a narrow band VPN, you could always encrypt it in such a way that it can't be detected by the sniffers. For example, use something like the technique used by port knocking, i.e. utilize the time domain for your encrypted channel. In other words, don't send encrypted data directly, just send regular data and modulate the time intervals between the packets to reflect your encrypted data.

    --
    cpghost at Cordula's Web.
  9. We've also run into this. by jafo · · Score: 4, Interesting

    Over about the last 2 weeks, one of our hosting clients OpenVPN connections to their machines in China have been failing. We can still SSH into the machine in China, glad they haven't blocked that. We ended up setting up a block of several hundred ports with DNAT to the normal OpenVPN port, and then set up 64 (the max allowed) servers in the client config so it can cycle between them. That's been effective so far.

    It took a while to figure out, because I was able to send test traffic via "date | nc -u server 1194", and that would go through, but the OpenVPN connection wouldn't.

    Sean