Censorship Is In the Router



A recent article in Spectrum discusses Internet filtering in China and has some nice quotes from the OpenNet Initiative’s Derek Bambauer. The article is quite good, although the bit about China “using proxy servers to inspect URLs themselves for words that indicate banned topics” is not accurate in my opinion. I really like Seth’s quote:

“There’s a famous saying, ‘The Internet considers censorship to be damage, and routes around it.’ I say, what if censorship is in the router?” — Seth Finkelstein

This is a great quote, and I agree completely. In China, the censorship IS in the router. Nearly all modern routers can be configured with Access Control Lists (ACLs). These are commonly used to combat Denial of Service (DoS) attacks, slow the spread of worms and viruses, block phishing sites, and block the addresses of known spammers. In addition to blocking IP addresses, routers can be configured to match and drop HTTP GET requests whose URL contains a specific string. For example, the Cisco 12000 series routers (sold to China in 1998 and 2004) have this capability. From my experience, this is precisely how China implements keyword filtering.

Here is how Cisco describes the keyword/packet filtering capability:

Among the rich feature set, the Cisco 12000 Series ISE provides security against DoS attacks. Using the service engine’s classification and rate-limiting features, service providers can also control the amount of control plane information at any point in the network and prevent some DoS attacks. ISE technology allows prevention and detection of DoS attacks through edge policing functions including ACLs, extended ACLs, unicast Reverse Packet Filtering (RPF), and rate-limiting. The Cisco 12000 Series is unique in its ability to deploy up to 750,000 filters to the traffic at line-rate. This feature enables service providers to configure bidirectional packet filter classification using any IP or MPLS packet header information at Layer 2 or Layer 3. Traffic can be classified with such granularity that a service provider can capture and even stop unpredictable “trigger” packets.

That's right, up to 750,000 filters!

An applied use of this capability was stopping the spread of the Code Red worm in 2001. Here is the GET request sent by one version of Code Red:

GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u
7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 40

To block Code Red traffic, a router can be configured to classify any GET request whose URL contains one of the worm's signature strings:

Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*default.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"

Once this class-map is referenced from a policy-map that drops matching traffic and the policy is applied to an interface, any URL that contains "default.ida" will be blocked. China's Computer Emergency Response Teams are aware of this technique. It is just as easy to add match protocol http url "*falun*", or a domain in the URL such as "*voanews.com*", or to match the Host header with match protocol http host "*voanews.com*". I believe that the edge or core routers near the international gateway connection employ this keyword filtering technique as well as blocking by IP address.

Here is a traceroute to HRIC:

China Traceroute
* Reverse DNS for 64.235.50.184 is (incorrectly) hrchina.org, forward DNS is hrichina.org.

The regional routers route the request properly; however, when it reaches the edge router the packets are lost. In this example the blocking is by IP address: no TCP 3-way handshake is completed, no response is received from the server, and the packets are simply discarded by the router. Here is an Ethereal log from a computer in China trying to request

China IP block
*Source IP removed

In cases where the blocking occurs because of a keyword, the TCP handshake completes, and when the GET request or the Host: header passes through, the connection is terminated with an RST packet. Here is a request to a non-blocked domain and IP whose URL path contains the string voanews.com; this specific request is blocked.

China IP block
*IP’s removed, but you get the idea :)

When a “block” occurs, the connection is disrupted: the TCP connection is terminated with an RST packet, and this almost always creates a ZeroWindow condition that lasts until the host advertises a non-zero window size. When the blocking is triggered by a “keyword” in the URL (the host is otherwise accessible), the effect is that the requesting IP (the user) cannot connect to the host (the blocked website) until the host advertises a non-zero window size. This is what is generally referred to as being “banned” or being in the “penalty box”, although people unfortunately suggest that this applies to the user's Internet access, when it does not; it only applies to connections to the specific IP which was subject to blocking. When a single domain has multiple IPs, Google for example, this can lead to weird behaviour where the connection to Google seems fine (because the connection went to a different IP) but later searching is disrupted (a connection is made to the original “blocked” IP).
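The two failure modes described above (IP-level drop with no handshake versus keyword-triggered RST after the request goes out) can be told apart from the client side with a small probe. The following Python script is an added example, not code from the original post: it starts a stand-in "filtering router" on localhost, constructed here for the demo, which completes the 3-way handshake and then resets the connection when the request URL or Host header contains a blacklisted string (the blacklist, the port and the server's behaviour are assumptions). The probe function classifies the outcome the same way the captures in the post do.

```python
import socket
import struct
import threading

# Hypothetical blacklist for the demo, using the strings the post mentions.
BLOCKED_KEYWORDS = (b"falun", b"voanews.com")


def _close_with_rst(conn):
    """Close a socket with SO_LINGER timeout 0 so the kernel sends RST, not FIN.

    This mimics a filter that tears down an established connection after it
    sees a blacklisted string in the request.
    """
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()


def start_fake_censor(host="127.0.0.1"):
    """Start a stand-in 'filtering router' on an ephemeral localhost port.

    Unlike an IP-level block, every connection completes the handshake; the
    request is then inspected and a keyword match is answered with a RST.
    Returns (listening_socket, port); close the socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed: stop serving
                return
            request = conn.recv(4096)
            if any(k in request.lower() for k in BLOCKED_KEYWORDS):
                _close_with_rst(conn)
            else:
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host, port, path="/", host_header="example.org", timeout=2.0):
    """Classify how a plain HTTP request to host:port fails.

    Returns one of:
      "ip-block"      SYN unanswered: packets dropped before any handshake
      "refused"       SYN answered with RST: nothing listening (not a filter)
      "keyword-block" handshake completed, then RST right after the GET
      "ok"            an HTTP response came back
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "ip-block"
    except ConnectionRefusedError:
        s.close()
        return "refused"
    request = b"GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path.encode(), host_header.encode())
    try:
        s.sendall(request)
        reply = s.recv(4096)
    except (ConnectionResetError, BrokenPipeError):
        return "keyword-block"       # the RST described in the post
    except socket.timeout:
        return "timeout-after-request"
    finally:
        s.close()
    return "ok" if reply.startswith(b"HTTP/") else "unexpected"


if __name__ == "__main__":
    srv, port = start_fake_censor()
    print(probe("127.0.0.1", port, "/"))                      # ok
    print(probe("127.0.0.1", port, "/news/voanews.com/story"))  # keyword-block
    print(probe("127.0.0.1", port, "/", "www.voanews.com"))   # keyword-block
    srv.close()
```

Against a real path the "ip-block" branch is the one that fires for the traceroute case above (the SYN is dropped at the edge and the connect times out), while "keyword-block" fires for the voanews.com case (connect succeeds, the RST arrives after the GET). A plain ECONNREFUSED is reported separately because it means the SYN was answered, which a silent drop never does.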

As mentioned in the Cisco documentation for the 12000 series router, the filtering can be employed bi-directionally. You can experiment with this on inbound connections to websites hosted in China.

7 comments.

  1. […] Seven hundred and fifty thousand filters… […]

  2. […] If you log onto a computer in downtown Beijing and try to access a Web site hosted on a server in Chicago, your Internet browser sends out a request for that specific Web page. The request travels over one of the Chinese pipelines until it hits the routers at the border, where it is then examined. If the request is for a site that is on the government’s blacklist — and there are lots of them — it won’t get through. If the site isn’t blocked wholesale, the routers then examine the words in the requested page’s Internet address for blacklisted terms. If the address contains a word like “falun” or even a coded term like “198964” (which Chinese dissidents use to signify June 4, 1989, the date of the Tiananmen Square massacre), the router will block the signal. Back in the Internet cafe, your browser will display an error message. The filters can be surprisingly sophisticated, allowing certain pages from a site to slip through while blocking others. While I sat at one Internet cafe in Beijing, the government’s filters allowed me to surf the entertainment and sports pages of the BBC but not its news section. […]

  3. The Great Firewall of China…

  4. […] On the New York Times website, the important concepts in this article are all given links (incidentally, credit to the NYT for this practice, which fully shows how the online edition extends and expands the print edition). On how the GFW works, there are two links. One is the ONI report (a research project on Internet regulation run jointly by Harvard Law School and Internet research institutes at the universities of Cambridge, Oxford, Toronto and others) on the state of Internet filtering in China. The other is the ICE blog post on the technical principles of how Cisco routers implement Internet filtering in China. […]

  5. […] lots of them — it won’t get through. If the site isn’t blocked wholesale, the routers then examine the words in the requested page’s Internet address for blacklisted terms. If the address contains a word like “falun” or even a coded term like “198964” (which […]

  6. […] and in the DNS servers of the nationwide backbone network, packets with addresses from the blacklist are blocked. More on how this works […]

  7. […] countries to connect to each other and the outside world.  Unfortunately American companies have eagerly provided technology that the Chinese government uses to block access to banned content and track down and […]
