Slashdot Mirror

← Back to Stories (view on slashdot.org)

China Cuts Off Some VPNs

Posted by timothy on from the we-see-what-you-did-there dept.

jaa101 writes The Register (UK) and the Global Times (China) report that foreign VPN services are unavailable in China. A quote sourced to "one of the founders of an overseas website which monitors the Internet in China" claimed 'The Great Firewall is blocking the VPN on the protocol level. It means that the firewall does not need to identify each VPN provider and block its IP addresses. Rather, it can spot VPN traffic during transit and block it.' An upgrade of the Great Firewall of China is blamed and China appears to be backing the need for the move to maintain cyberspace sovereignty.

4 of 222 comments (clear)

  1. Defective by design. by dgatwood · · Score: 4, Informative

    It doesn't help that most VPNs are so easy to detect and block at the IP header level. PPTP depends on the GRE IP protocol (47), and L2TP is usually tunneled over IPSec, which depends on the ESP IP protocol (50). By using different protocol numbers in the IP headers, the designers of these protocols made it mindlessly easy to block them, and made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Re:Well by Zontar+The+Mindless · · Score: 4, Informative

    Where I work, you don't do anything with company-owned data unless it's on the corporate VPN.

    It's one of the world's 5 largest software companies, does billions in business in the PRC annually, and it's not Microsoft or Apple.

    I do not think when I visit China next month that I will find the corporate VPN blocked. It certainly isn't being blocked right now for my colleagues who live there.

    --
    Il n'y a pas de Planet B.
  3. The noob is you by dbIII · · Score: 4, Informative

    Look up packet inspection.
    You don't have to look at much of a packet to see if it belongs to one of the common VPN implementations. You may not even have to go that far, a lot of volume on a port that doesn't belong to expected traffic is a bit of a giveaway.
    Yes you could do something weird and roll your own VPN protocol, based on email traffic or whatever way you hide, but that's a lot harder than just changing ports.

    Then think of the mindset of who you are dealing with. It's not so hard to deny everything you don't recognise so long as you don't care about blocking legit traffic by mistake.

  4. I was just there, can verify this is the case. by ZackSchil · · Score: 4, Informative

    I was just in China a few days ago. Was there for 3 weeks prior to that. I have a VPN setup in my apartment back in the US and I typically dial in to it. It was great for the first two weeks and a half weeks. After that, it would fail to authenticate or work really slowly, randomly drop traffic, then disconnect after a minute. I was using a relatively insecure PPTP system with 128 bit encryption. I wasn't worried about getting spied on, I just wanted news, youtube, and social media unblocked.

    Frustrated, I had a friend set up a PPTP link at his apartment, using different keys and a different IP. That worked perfectly for the last few days I was in the country. So they're definitely doing some kind of long-term traffic analysis over many days, and then blocking close to real time after that (30-60 seconds).

    Basically I got to witness the blockage go into effect. Yes it's real. Yes it's general purpose, not a high level block on specific free websites. Yes it was a huge pain the the ass.