Ignoring the “Great Firewall of China”

Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson have released a paper “Ignoring the ‘Great Firewall of China‘” that looks at China’s keyword filtering. Previous ONI work discovered the way in which China uses tcp reset packets to terminate connections based on keywords, that after triggering the filtering mechanism further connections between the two hosts will also be blocked for a varying period of time and that the filtering was bi-directional — it affects in-bound traffic to China as well as outbound traffic from China.

But my technical analysis of the packet level filtering was less than comprehensive and this new research by our colleages at Cambride provides an amazing in-depth analysis of China’s keyword filtering at the packet level. The observed behaviours I previously reported have been explained in skillful detail and this paper has also has provided some new insights into the GFW:

1. China is likely using an Intrusion Detection System (IDS) – possibly Cisco’s “Secure
Intrusion Detection System” for keyword filtering seperate from their routers.

2. It is possible to “ignore” China’s keyword filtering. If both endpoints in a connection ignore tcp reset packets the data intended to be blocked by keyword will go through the GFW.

3. The way in which China filters by keyword can be exploited for Denial-of-Service atacks if one forges the source address and issues requests that contein banned keywords. In this way communication between two targeted endpoints can be blocked.

There are a few ways in which this research can be extended:

– Similar tests can be run from within China to see if the keyword filtering is entirely symetrical.

– Pad the request so that the bad packet appears at different points in the connection. This may help identify if China is only filtering by keyword in the URL path or in the body content of a page. Pehaps only the first X number of bytes are inspected?

– Build a list of terms that trigger the blocking mechanism (I have notice that domain names are often treated as “keywords”).

– While there may be some impact on circumvention technologies the problem is that both sides of the connection must be blocking tcp reset packets. Also, since the GFW blocks key sites by IP address — it is not just a keyword blocking system — these sites would remain blocked.

– It would be great to investigate with such expertise and detail the way in which China blocks IP addresses (and to correlate IP address blocking with the use of domain names hosted on that IP being used as keywords)


  1. Assume for the moment that you’re a website who knows you’re likely to be filtered in China – hrw.org, for instance. Might it make some sense to ignore tcp reset packets so that Chinese users who also disable resets on their linux boxes could get to the site? Or are the downsides of this approach so strong that it makes more sense to just encourage the use of proxies and other circumventors?

  2. It wouldn’t make any difference since hrw.org’s IP address is blocked.

    This only effects keyword blocking — sites that are normally available but have a keyword in a URL path.

    But google.com, for example, could do it and then people in China who are also blocking tcp reset packets would be able to search for words that would normally trigger blocking fom the GFW.

  3. Why does the article mention DoS attack 16 times? That’s about once per page. Is this a call-to-arms of sort?

  4. […] ICE: Internet Censorship Explorer » Blog Archive » Ignoring the “Great Firewall of China” “this new research by our colleages at Cambride provides an amazing in-depth analysis of China’s keyword filtering at the packet level.” (tags: censorship china chineseinternetresearch) […]

  5. […] Putting up roadblocks on the Internet isn’t always about keeping people away from things – even the most sophisticated firewall is Swiss cheese to the savvy. The goal of information control is often subtler: to channel Web users towards, or away from, certain content their country / employer / parents wouldn’t like them to see. Nudges can be nearly as powerful as shoves – and far less obvious. […]

  6. […] Ignoring the “Great Firewall of China” […]

Post a comment.