China Cuts Off Some VPNs
jaa101 writes The Register (UK) and the Global Times (China) report that foreign VPN services are unavailable in China. A quote sourced to "one of the founders of an overseas website which monitors the Internet in China" claimed 'The Great Firewall is blocking the VPN on the protocol level. It means that the firewall does not need to identify each VPN provider and block its IP addresses. Rather, it can spot VPN traffic during transit and block it.' An upgrade of the Great Firewall of China is blamed and China appears to be backing the need for the move to maintain cyberspace sovereignty.
So it's no surprise.
That's one way to keep international business out of China, I guess...
So China decides to block websites which encourage violence and mayhem to happen in China and you guys in the West cry foul.
But when your own Western countries decide to block IS websites which encourage violence and mayhem in Europe / America, why do you guys never cry foul?
Western hypocrisy at work?
Pretty sure I could run an OpenVPN server on port 443 (or some other port they wouldn't dare block) on a foreign VPS for dirt cheap. It would probably take me less time to fix my VPN to get around their block than it took for them to think of the block. It won't stop the determined user, though it will take some time for the general VPN-using population to find their way to a workaround. Silly government.
It doesn't help that most VPNs are so easy to detect and block at the IP header level. PPTP depends on the GRE IP protocol (47), and L2TP is usually tunneled over IPSec, which depends on the ESP IP protocol (50). By using different protocol numbers in the IP headers, the designers of these protocols made it mindlessly easy to block them, and made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.
Check out my sci-fi/humor trilogy at PatriotsBooks.
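The point made in the comment above, as an added example that is not part of the original thread: a filter needs only byte 9 of the IPv4 header to recognise GRE (47) or ESP (50), while a tunnel carried inside TCP or UDP is indistinguishable from other traffic at this layer. The sample headers, addresses and function names are constructed for illustration.

```python
import struct

# IP protocol numbers named in the comment, plus TCP/UDP for contrast.
TUNNEL_PROTOCOLS = {47: "GRE (PPTP data channel)", 50: "ESP (IPsec, e.g. L2TP/IPsec)"}
COMMON_PROTOCOLS = {6: "TCP", 17: "UDP"}


def build_ipv4_header(protocol, src="192.0.2.10", dst="198.51.100.20"):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    version_ihl = (4 << 4) | 5  # IPv4, header length of 5 32-bit words
    src_b = bytes(int(part) for part in src.split("."))
    dst_b = bytes(int(part) for part in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20, 0, 0,
                       64, protocol, 0, src_b, dst_b)


def classify(packet):
    """Return (protocol_number, label, is_tunnel) from the IPv4 header alone."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    proto = packet[9]  # the Protocol field sits at byte offset 9
    if proto in TUNNEL_PROTOCOLS:
        return proto, TUNNEL_PROTOCOLS[proto], True
    return proto, COMMON_PROTOCOLS.get(proto, "other"), False


def summarize(packets):
    """Classify a batch of packets and return the results in order."""
    return [classify(p) for p in packets]


# Constructed sample traffic: PPTP data, IPsec ESP, then ordinary TCP and UDP.
SAMPLES = [build_ipv4_header(p) for p in (47, 50, 6, 17)]

if __name__ == "__main__":
    for proto, label, is_tunnel in summarize(SAMPLES):
        verdict = "identifiable from IP header" if is_tunnel else "needs deeper inspection"
        print(f"protocol {proto:>2} {label:<30} {verdict}")
```

No payload is read here, which is why this check is cheap at line rate; anything carried over TCP or UDP falls through to the packet inspection discussed later in the thread.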
Here I am!
Rock you like a Hurricane!
Whatever happened to them? Drugs? Booze? Nothing?
How many slashdotters think that they could easily establish a VPN connection to get behind the Great Firewall of China, then using that VPN, create a second VPN route from the inside back out? Okay, let's make it interesting... you have 1 hour. Bonus points if you can do it for free. Anyone else having random urges to go hop the great firewall of China over and back?
I was in China until yesterday, and while VPN connections often randomly stop, they are not blocked most of the time.
What kind of vile scum are you to equate free speech for political change with videos of people chopping heads off and incitement to murder?
It is easy to call people names, isn't it? It is easy to label people 'vile scums', isn't it?
Is cutting off the head of non-Muslims and then mounting the decapitated heads of their children on highway posts 'FREE SPEECH'?
http://wikiislam.net/wiki/Persecution_of_Non-Muslims_(China)
You guys will accuse the Chinese for anything and everything, you guys are never interested in the truth. You guys are happy to lend your support to monsters who are perpetrating violence against innocent victims, as long as the victims happen to be Chinese!
You guys are sick, really really sick!
Since you are so interested in vile scum, I'll tell you where to look.
Take a look in the mirror, you ain't gonna miss it!
The oriental is wily and cunning. You must get up early and be crafty to outwit him.
Look up packet inspection.
You don't have to look at much of a packet to see if it belongs to one of the common VPN implementations. You may not even have to go that far, a lot of volume on a port that doesn't belong to expected traffic is a bit of a giveaway.
Yes you could do something weird and roll your own VPN protocol, based on email traffic or whatever way you hide, but that's a lot harder than just changing ports.
Then think of the mindset of who you are dealing with. It's not so hard to deny everything you don't recognise so long as you don't care about blocking legit traffic by mistake.
Well, just as it happens China chose the certain line to be such which makes it hard for overseas businesses to operate in China.
It makes things like payments and everything like that harder for them.
Besides though, it's an arms race. I'm sure there will very shortly be VPN software that wraps the stuff in something else to fool the protocol detection. And then they'll try to block that. And then they'll do something else.
world was created 5 seconds before this post as it is.
tell that to the people in prison in China for writing something on Weibo...
world was created 5 seconds before this post as it is.
...and blaming it on the Chinese, as usual?
Oh, my bad. I read port number blocking, not protocol level blocking. I concede, I am a noob.
I use Mullvad and live in the UK. I suspect it won't be very long before they start blo...
Ya theres no dif... Video chat is great with these people. :)
I was just in China a few days ago. Was there for 3 weeks prior to that. I have a VPN setup in my apartment back in the US and I typically dial in to it. It was great for the first two and a half weeks. After that, it would fail to authenticate or work really slowly, randomly drop traffic, then disconnect after a minute. I was using a relatively insecure PPTP system with 128 bit encryption. I wasn't worried about getting spied on, I just wanted news, YouTube, and social media unblocked.
Frustrated, I had a friend set up a PPTP link at his apartment, using different keys and a different IP. That worked perfectly for the last few days I was in the country. So they're definitely doing some kind of long-term traffic analysis over many days, and then blocking close to real time after that (30-60 seconds).
Basically I got to witness the blockage go into effect. Yes it's real. Yes it's general purpose, not a high level block on specific free websites. Yes it was a huge pain in the ass.
I am a Chinese who constantly browses the Internet with VPN. My VPN service is certainly disrupted: for example, the web site of my provider is no longer accessible, and about half of the VPN servers cannot be connected to either. But I can still connect to VPN (I'm using one now). Some of the servers are still accessible, and *PPTP protocol itself is not blocked, at least for the time being.* There is no telling what the Chinese government is going to do next.
If they can't play nice, they shouldn't be allowed to play. I vote we disconnect China from the internet completely. This would significantly reduce the spam and DDOS problems spewing from that sh*t-hole. The US and EU should set the rules. If a country wants to be part of the civilized world, they must allow freedom and neutrality on their connection to the rest of the world.
I am in China and can confirm this. All 4 of my VPN providers have been having intermittent blocking and throttling for the last few months. In the last 48hrs, almost all of my US VPN servers have been completely blocked, with confirmation from the providers. This will last a few weeks, until the custom protocols are updated. The corrupt communist criminals will really get their panties in a twist when the development of distributed proxies advances.
I'm in Beijing and don't have any trouble connecting to my VPN. However the timing doesn't really surprise me. Not very many (non-foreign) people here use Facebook or Twitter or Dropbox or read NY Times so there is no clamor to access them. There are passable alternatives to Google search (e.g., Bing not to mention the much more widely used Chinese ones like Baidu). However when Gmail IMAP access was cut off last month a large group of locals (small vs the population but probably in the millions) was severely affected. So I'm sure VPN subscriptions shot up this month, and the government is responding accordingly.
It also could be that all those hackers from China logged in via such VPN, and that's discovered now.
If China blocks US VPNs (our exports), why isn't the US considering blocking Chinese goods in return?
If nothing else, it is in our own long-term best interests to force China to become more free, as it is the only thing that will prevent them winning a race-to-the-bottom competition on wages.
It's alright bro, I understand your frustration on reading all those ridiculous accusations on everything Chinese
Them white-ghosts always think that they are superior, always look down on us Chinese, let them be, brother, let them keep on having their 'superiority wet dreams'
We can see that they are living way past their prime, that their countries and societies are in serious decline, but they don't know that, they are all in their collective denial --- I say let them deny, let them dream, let them think that they are superior to us, the Chinese
To win the game we must have all the patience we can gather, we must continue to strive forward, to make our family, our society, our culture and our country stronger, wealthier and become much much more vibrant
It won't be long, brother. 50 years is what we need to be patient for. In 50 years their society will crumble, in 50 years the so-called 'West' will be a mere shadow of what they used to be, but if we Chinese keep on going forward, keep on making sure that our culture, our nation grow stronger, in 50 years we will be ahead of them
Remember, brother, time is our ally and patience is our virtue
Be Patient, Brother!
... the United States government wants to prohibit encryption.
It little behooves the best of us to comment on the rest of us.
I'm a Canadian expat and I've been in China almost 3 years now. They started blocking VPNs over 2 years ago.
I've tried StrongVPN, Astrill, and PIA and found StrongVPN with PPTP usually works pretty well.
OpenVPN will work for about 10 min before becoming unusably slow. L2TP sometimes works but recently (in the last year) becomes too slow.
My guess is they like PPTP because it's flawed and they can break it easily, which I don't care about as long as I can access YouTube, Facebook, etc. The PRC doesn't care about what expats are doing as long as it's not harming them.
The speed hit would suck but steganographic protocols for getting things like encrypted email back and forth may be badly needed for countries like China.
http://www.seeminglyinnoculous...
might contain a bunch of images of pink ponies, which each contain steganographically-encoded encrypted emails. If you want to send an email, you upload what appears to China's Firewall to be just another Pink Pony.
I can't be sure, but I think this may have already been done :).
While you could do a full-blown VPN with this technology, I would hate to think how long it would take to load a typical 0.1-5MB web page over such a VPN.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
TFA says:
VPN services that wish to operate within China are required to register with Ministry of Industry and Information Technology for permission
Would it make sense for a corporate VPN to register? I mean the situation where the VPN service is only accessible for non-Chinese employees visiting the mainland for business purposes.
And if it makes sense, what is the procedure?
Bah.... Old news. There are MANY companies and ISPs that throttle the traffic... They just don't advertise it...
I work for a large university system in the US and we use several Bluecoat Packeteer S500/10GH devices to throttle and control traffic, including VPN and other nuisance traffic.
Expensive to initially implement, but it saves us millions in data charges while still allowing the legitimate traffic to be usable.....