Schneier on Security

Clever.

"Instead try to realize the truth."

"What truth?"

"There is no wall."

ok. is there any way the censors can tweak the hop count in their reset packets to make them appear as if they had originated at the far end of the channel?

Possibly, but would it be efficient? I kind of think that computing hop counts can be quite costly when dealing with lot of traffic.

It's certainly feasible to inject the reset packets with a correct-looking hop count; if you're sniffing the TCP packets going both directions then you already have all the information you need. (i.e, you just need to set the IP TTL field to the same value as in the packets you observed.)

@Mark

Well, looking for keywords does not really require any "state" information, or any connection tracking. Tracking the ttl fields of packets that you observed requires a bit more state information. And for routers processing lot of traffic, that can be an overhead.

That is what I'm thinking...unless someone can figure out a way to do it that is more stateless.

So how does the connection terminate when the RST packets are thrown away? With the FIN flag?? and if so doesn't that mean that the snipering routers just have to send 2 packets; one with a FIN and another with the RST packet?

Jurgen

You know, they can do a LOT better:

Inject a route for a /32 going to the questioned host. Now route the packets manually through your IDS fully, and start dropping/modifying traffic.

After a little while, revoke the injected route.

Actually, route updates would probably be too slow.

But its interesting that they are using the same basic trick Bro uses.

This is a very interesting discovery, but I think there is still a limitation to its practicality.

"these subsiduary machines generate a series of TCP reset packets, which are sent to each end of the connection"

Even if the client-side installs a packet filter, websites would still be unaccessible, unless the web server also ignored the injected RSTs.

More importantly, it requires a presence on BOTH sides of the endpoints (the RSTs undoubtedly are sent in both directions).

As such, if you control BOTH endpoints, you can do a much more subtle job of firewall evasion.

Not only would route updates possibly be too slow, but can you imagine the size of the routing table if you're blocking /32s? No idea how many blocks they perform a day, but the internet-connected population is only growing.

so when do we ALL start to configure web servers to ignore resets from china?

An interesting followup. The authors hypothesize that the system is stateless, but without proving it.

Someone should do the followup test of fragmenting the request across multiple TCP packets or IP fragments, and see if it triggers the firewall.

If so, you can then evade for arbitrary sending of requests with software only on the sending side.

And you don't want to ignore RSTs. They are critical and important.

Let's not forget that the Chinese governement has access to the logs of these sessions. If you're consistantly triggering their censors, you might just get a visit from the authorities. An interesting discovery, but a long way to go before truly free speech.

That ignores the obvious - if standard OSs included methods to defeat the censorship, the government would just choose a different method to censor.

Yes, but you have to keep in mind that nothing ever ends the constant back-and-forth between attacker and defender, which is what this really is. Saying "oh, but they could come up with another way," isn't the point. The point is that, in the realm of attack trees, you've just increased the cost of China's attack on your connectivity. They can do more to counteract what you're doing, but it means more work for them.

Sorry, but how are they going to filter keywords in tcp packets that are being send through an ssl connection, on which a user can surf, or simply trough a 1,95$ shell, by using a remote webserver like say in the U.S.?

Bypassing this firewall system isn't that complicated as decribed in the paper, at least trivial to do it like that.

I am wondering if this will work against products like Websense as well. I know that, with Websense connected to a PIX firewall, the original outbound packet from the web client still gets passed by the firewall and the return packet is allowed. It's just that since the Websense enforcement point is in your local network, it can send you the blocked html page before the return comes back from the outside world. If you block traffic from the Websense enforcement point that sends out the "this page is blocked" html, can you still surf wherever you want? Might have to experiment with this a little. It probably wouldn't work with a proxy server if Websense is running on the proxy, but if not, it might.

Jungsonn summed up what I was about to say. If you have to control both ends than this isn't necessary since you can simply use encryption. I was thinking people outside China could provide proxies that either drop RST's or use encryption.

I was in China about 4-5 years ago. At the time you couldn't get to sites like cnn.com. I found an anonymous proxy 'https' and had no problem bringing up any site I wanted. I realize this only covers web server access but it was a breeze to get around their firewalls and anyone who wanted to was able to do it in less than 5 minutes.

So Falun-Gong.com and Free-Tibet.org need to ignore RST packets from China - they're not likely to mind. On other other hand, getting non-China-specific sites to ignore them is tougher.

SSL doesn't protect you from everything - if you're looking at https://censored.example.com/censored.stuff,
the firewall still knows from the headers what site you're looking at and can block it, without having to look at the content.

I think reset messages may be sent by American ISPs as well, to terminate some p2p file sharing connections.
I witnessed this while connecting with a person who was using a commercial cable ISP in New York state. Resets would happen to appear from his end, inexplicably, for they were not sent by the program being used. Chinese may wish to censor particular web sites. American internet companies censor protocols they detect on their lines.

I think it would be trivial, for the router sniffing the traffic/injecting the RST packets, to detect that the RST packets have been ignored and that the TCP session has actually not been stopped, just by looking at the TCP sequence number.

In other word, I tend to think that yes, you can bypass the firewall, but you can expect a visit from the authorities soon after!

Romain.

@Bill

http headers are easy to fake.

I'm suprised this actually works. I would consider this to be a bug that can be exploited at least into a DOS if not higher. The OS should protect against it (similar to packet injection).

Of course, if I misunderstand how RST is supposed to be handled, please ignore the above ;).

@Jungson

If you fake the http header saying you want to pull up the page "censored.html", you don't get the page you were trying to view.

Its like giving someone a map and then "faking" the address they're trying to go to -- they'll end up at the wrong place.

Question:
Would an ISP (domestic or otherwise) inserting their own packets "end transmission packets" into your datastream not be illegal?

Reason: They are not closing "their" connection they are affecting your hardware.

Example: It would be legal for them to close the connection on their equipment, but they do not want to do that because you would just open another connection. Instead they close the connection at YOUR hardware... sounds illegal to me.

"SSL doesn't protect you from everything - if you're looking at https://censored.example.com/censored.stuff,
the firewall still knows from the headers what site you're looking at and can block it, without having to look at the content."

Incorrect. Secure Socket Layer establishes an encrypted session with the remote system first, then requests resources. This essential because what data is requested is almost always as sensitive as the data itself. (By the way, this is the reason that web servers cannot offer SSL-enabled named virtual hosts from the same address. Connections are initiated before the HTTP request goes through.)

So your telling me that I could forge packets for any address that I wanted and send resets to say cnn.com and the person that I am pretending to be would henceforth stop being able to access cnn? That sounds like a dos waiting to happen.

[Si]dragon is correct - this is exactly why you can't put multiple SSL certificates on the same vhost. The initial request is at the IP address, then, after encryption starts, you send your host-specific request.

Of course, they could just censor based on IP address ...

@nathan,

enlighten me...

It was the indication that it could be done through ssl (tunneling), though i prefer shellaccess on a foreign server, Both cases beats the system, and do it without being to scientific about it.

people can learn using these systems (ssl, shells), but to put their tcp packet theory of the presented paper in practise requires a different kind of people and skills

The people's republic, yeah now we know ;-)

I note the comments about lack of "state". It is true (I'm one of the authors of the paper) that we've not proved its absence [that's hard really], but all the evidence points that way.

However, I'd caution against assuming that testing with fragmented packets would prove it one way or the other -- since the devices being used (which come from an IDS environment) are specifically designed to handle these cases.

Bottom line is that a firewall system with "state" would do a much more sophisticated job at blocking! and, for example, could easily get TTL values correct.

We accept that encryption also evades keyword blocking. However, it is also blockable in itself (by assessing the entropy of the packets passing the firewall) so it's not a panacea. We also comment (see the paper) that it could make a difference to the authorities approach to your case -- since the firewall can log everything -- to ensure that they can see what you're really doing. This may make you less (or maybe more) of a target. There's more than one round to this "game"!

What would make a difference is for vendors to change their TCP/IP stacks so that "out of the box" the firewall's "attacks" fail to work. If the code is "standard" it is hard for the authorities to "make an example" of people who are evading the firewall.

Re: [Si]dragon
"Incorrect. Secure Socket Layer establishes an encrypted session with the remote system first, then requests resources. This essential because what data is requested is almost always as sensitive as the data itself. (By the way, this is the reason that web servers cannot offer SSL-enabled named virtual hosts from the same address. Connections are initiated before the HTTP request goes through.)"

Actually, an attacker _can_ know what site you're looking at (though not what document within the site) for precisely this reason. As you said, before the HTTP headers are sent, the SSL connection is negotiated... which includes the server sending the (unencrypted) certificate which identifies it as censored.example.com, for example.

A different question: are there things that we can do with ordinary, not-censored-by-China, internet connections that would make their censorship more expensive for them? For instance, if we were always to send chopped up and out-of-order packets to China, would that hinder their filters? Seems like it would.

@Kile

I thought that was obvious. ;)

Kile said, "Actually, an attacker _can_ know what site you're looking at (though not what document within the site) for precisely this reason. As you said, before the HTTP headers are sent, the SSL connection is negotiated... which includes the server sending the (unencrypted) certificate which identifies it as censored.example.com, for example."

But _that_ part can be safely "wrong." The receiving browser would throw a warning (The cert says you are visiting blahblah.com, but you typed in foobar.com. Do you want to continue?) but the traffic would still be encrypted just fine. The only thing the firewall would "know" are the endpoint addresses and ports.

my cat's breath smells like catfood

I am living in China, and yes, they block by IP. So https does not help. The Great Firewall is vast and extremely annoying. I have taken to using tor+privoxy when I want to read someting from Wikipedia or Blogspot. It works but it is really slow.

I am living in China, and yes, they block by IP. So https does not help. The Great Firewall is vast and extremely annoying. I have taken to using tor+privoxy when I want to read someting from Wikipedia or Blogspot. It works but it is really slow.

I find it odd that no one has mentioned the one thing that I'd worry about using this technique for real in China: yes, the blocking sounds like the way Websense works. I wonder if it logs like Websense does?

Sure, you may find what you're looking for outside the firewall --- and then the people who set up the firewall come to find you....

No it doesn't work, at least for SMTP, POP3, IMAP4 and HTTP. See my earlier blog post:
http://spacehunt.info/2006/06/09/...

Problem is, original packets are *not* passed through the GFW unfiltered.

Hello,

Am I missing something? How about VPNs?
A little while ago, I created a tunnel between my own computer and a machine I had an account in shell with. The tunnel was encrypted. It was seen by my computer as a network interface, and it was my default route.
Result: my computer would always, and only, talk to the other end of the tunner. I didn't even have to be root!

The chinese government would know that you have this (encrypted) traffic with this other host. No more.

For more info: http://openvpn.net/

The only problem is that it does take a bit of skill to install/use. How long before it's easy enough so that the firewall dissolves?

Merc.

Hello,

Am I missing something? How about VPNs?
A little while ago, I created a tunnel between my own computer and a machine I had an account in shell with. The tunnel was encrypted. It was seen by my computer as a network interface, and it was my default route.
Result: my computer would always, and only, talk to the other end of the tunner. I didn't even have to be root!

The chinese government would know that you have this (encrypted) traffic with this other host. No more.

For more info: http://openvpn.net/

The only problem is that it does take a bit of skill to install/use. How long before it's easy enough so that the firewall dissolves?

Merc.

Actually private VPNs are illegal in China; you have to register your VPNs, together with decryption keys, with the government.

> Actually private VPNs are illegal in China;
> you have to register your VPNs, together
> with decryption keys, with the government.

Actually, that's Great Britain. China is otherwise.

Yes, it has always been trivial to bypass the GFW,
and no, the police do not go looking for people
who use STARTTLS. But most people can't do
trivial things. It's an issue of public safety,
as much as it is an issue of information control,
and trivial measures suffice to keep the vast majority
of users safe from bad information. Like drug laws,
that's considered good enough.

>> Actually private VPNs are illegal in China;
>> you have to register your VPNs, together
>> with decryption keys, with the government.

> Actually, that's Great Britain. China is otherwise.

Actually, that's nonsense. We don't need to register VPNs and we don't need to hand over encryption keys in the UK.

I point out that IPSEC (the basis of VPNs) is specifically designed to handle attacks involving injection of spurious packets and/or corruption or replay of legitimate ones. Sounds like a perfect application to me.

Wouldn't it be easier to not trigger the filter at all ? For example, fragment the packets in the middle of sensitive data (fragment 1 ends with "demo", fragment 2 starts with "cracy").

Web servers would just need to do the same on the way back. I don't think China can actually keep connection sequence for every open connection and check whether successive fragments match the filter.

Additionnally, the criterion of the filter can be determined easily by anyone who knows a reliable, accessible host on the other side of the GFW.

In fact the criterion list could be updated in real time by the bypassing software whenever it detects that a connection received bogus RST packets.

@neo:
> So your telling me that I could forge packets for any address that I wanted and send resets to say cnn.com and the person that I am pretending to be would henceforth stop being able to access cnn?

You need to know their TCP sequence numbers -- easy if you have a sniffer on their local network or route, hard otherwise. Even better, you could reset the client and then spoof it to the server; this is called TCP session hijacking. Once upon a time, when such numbers were easier to guess, this was a relatively common attack. This is the reason properly designed modern OSes generate hard-to-guess sequence numbers.

Register VPN decryption keys with the govornment in the UK? I live here, that's bollocks, we are free to privatise as we please... unlike poor China :-(

@ Richard Clayton

> ... encryption also evades ... also blockable in itself (by assessing the entropy of the packets ...

Wouldn't that also entail blocking all compressed traffic, also? I can't believe a non-stateful filter will be able to reliably differentiate between them.

Also, you must have heard about steganography, right? I'm pretty sure it's possible to artificially lower the entropy back down to whatever you want in a sophisticated enough way that detection would require more processing power than they can economically wield.

The "than they can economically wield" part of my last post was probably a bit too optimistic. Especially if (perhaps for other reasons) someone's communications get personal scrutiny.

The "than they can economically wield" part of my last post was probably a bit too optimistic. Especially if (perhaps for other reasons) someone's communications get personal scrutiny.

> we don't need to hand over encryption keys in the UK.

If the HO gets its way with RIP (cue the current consultation), then we'll have to hand them over at a request.

Without a warrant.

The encryption thing is a great idea, but at least as of 18 months ago, the Chinese government did not allow encrypted packets out of the country. I know this, because I worked as a consultant for a company that was providing e-mail for employees in China and we had to disable the encryption requirements in order to allow them access to the systems.

Aloha!

One question I have is if sending RSTs to hosts outside China makes it an offence? This really is a DoS-attack (as well as a form of session hijacking.)

Blocking the traffic on the border, and messing up the traffic within RPC is one thing. But distrupting traffic - which could mean disrupting services delivered by companies in the rest of the world, can't be ok, no?

Is there are need to register decryption keys with the Chinese government for anyone who wants to access information from within?

Yeah, These basic ideas like SLL and shells and all that just wont work. I was in China 2 months ago, and there was just no way around it, they didnt let any eencrypted traffic out. I couldnt do what I needed because my company uses a Remote Desktop Citrix solution and I couldnt even log in.

I use the following method when I need to use an insecure network which can also be used to bypass a firewall watching my connections. I connect my home computer through ssh and forward a VNC port to my remote desktop from my home computer. The connection is compressed and encrypted. The best of all my connection is always a ssh to my home computer; wherever I connect through VNC can not be monitored by my local network.

not even China can filter the human spirit. I suspect that international blogging, hackivism, and human ingenuity will continue to erode the effectiveness and relevance of the GFW.

elgoog may still be accessible by the Chinese citizens:
http://www.newscientist.com/article.ns?id=dn2768

New elgoog.com at:
http://elgoog.rb-hosting.de/index.cgi
more on elgoog - http://en.wikipedia.org/wiki/ElgooG

If encrypted packets are not allowed at all, this will not bypass the firewall in China :( Unencrypted VNC connection might work though, since it is only a compressed bitmap transmission.

@richard @Gordonjcp @RIP
In the UK under the Regulation of Investigatory Powers (2000) http://www.opsi.gov.uk/acts/acts2000/20000023.htm
(Section 51 I think)
gives the authorities the power to demand decryption keys, with a 2 year prison sentance if they are withheld (forgetting is no excuse unless you can prove it). They are also permitted to prevent you from disclosing that you have provided the keys.

At least we don;t have to worry they don't use this ofter (oh did i mention that its use can be kept secret).
Bother.

You can also encapsulate data in etags with base64... just get more people to support embedding such things.

Oh ... and you can also transfer messages using steganography in html, photos, wav files, etc...

And let us not forget freenet. 0.7 once more stable should help end the madness.

Then; there is also running SSL on port 80. That may have mixed results.

Oh and data transfers over ICMP, like icmp-shell.

Creating distribution hubs in China would also work. Tunnel the traffic through multiple routes into multiple locations, aggregate it and distribute from within.

Piggy-backing traffic from Chinese government officially accepted sites in the rest of the world with a hash payload to act as a proxy... That would be nifty. Maybe random looking user-agent tags being pointers to sites and etags carrying the payload. I know, requires a special client-server model.

How about reverse proxy? Is SSH/SSL allowed IN to China? Could route with port knocking or something more simple like a web interface...

How about shipping cheap AP's to China or convincing some of them to acquire some AP's and have them set up rogue access points with SSID disabled and route those over backdoor methods. Then the average person could surf unrestricted. The hard work would be done by Chinese techies. I know.... they will flood China with a satelite or high altitude plane to interrupt the AP's...

Last ditch effort would be to infiltrate the Film Actors Guild.... nm

It would not be a good move commercially for the chinese govt to ban or filter VPN's as many many overseas buyers like myself need to be able to connect back to the office when travelling in China.
If VPNs were filtered out trade would be somewhat restricted.

china will ban anything. Grr

@ adevadeh who said:

"I am living in China, and yes, they block by IP. So https does not help. The Great Firewall is vast and extremely annoying. I have taken to using tor+privoxy when I want to read someting from Wikipedia or Blogspot. It works but it is really slow."

Blocking IP's ? which? i can't imagine they have blocked all ip's on which ssl is utillized, for the reason that this is gobally impossible.

So the easiest way is if you open a shell account on a server in the U.S. or some murky east european country, you can surf trough that server.

I'm interested in which keywords they "filter" because then some people could make counter measures and replace those words in the httpstream to china, beating that weird system and messing up their filters, and have a piece of software which decodes back the words that are replced to bypass the filter.

Seems a good operation freedom 4 all project.

I live in Shanghai, and have no problem with encrypted traffic. OpenVPN, SSH, HTTPS all work fine (with some exceptions). People can do their banking without issues (except CitiBank - god knows why they're singled out!)

The TCP reset seems to be the theme du jour for this month - its affecting lots of international traffic, and its something that they added locally in the weeks coming up to the recent conference in Shanghai.

Usually you'll know when someone important is coming, because the blocking magically disappears for a week, so the visiting journalists don't have yet another article to write about the 'evil' firewall.

At least this reminds me to add this to my firewall rules both ends.

iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

Anyone going to make a list of the naughty routers so we can get more selective about this?

And .. quote-of-the-day goes to AG "... sounds illegal to me." ROFL!

2nd prize goes to Chode "And let us not forget freenet. 0.7, once more stable..." WEEHEHEHEE!

3rd prize for Toobs, "trade would be somewhat restricted". This is the *history* of China! HAHAHA! OH NO BWEAR RABBIT PWEAE DON FWOW ME IN THE BWYAR PATCH!

Sorry I meant "PWEASE" like tweety bird says ... not supposed to be mocking of chinese accent ..

This is virtually useless techno-babble to the average web surfer in China. Why can't anyone develop a user-installable, easy to configure application (platform independent would be an added bonus) that will open a hole in the firewall?

THANKS. Just thanks.

http://www.call2biz.com
How about launching your store on Call2biz.com with one of your smartest bets, I bet you your hot items will be sold out soon. With its protecting system, your business interest will be guard against those business scams, you wonder like me where to start your business on Call2biz.com, the Call2biz.com is your source of detail information need to do it. We would help you and marketing your products without any charges of fees! You will save up to 100% and earn more easy money on Call2biz.com. with a only computer and phone at your home, you can, while being successful, enjoy this easy-money-making experience online. A homebased business will begin at Call2biz.com.

After reading all this, am I right to assume that China does not block 443, 500 and the likes?

Hi, i actually live in china and must say i have seldom seen so many stupid remarks.
Id say like 90% of the ppl telling you how it "works" in china either have little understanding of computer tech or are making up some fantasy.

I *am* living here and can tell you that Lawrence sheed seems to be the only one who also does.
I can backup his posting to 100%.
and thanks to the author for this article. It helps a lot.

I've been able to bypass the firewall with http://www.strongvpn.com, ok but my problem is the speed of the connection once I'm past. I've asked and checked with strongvpn and the connection is clean, it's just slow with or without the firewall. I've got the fastest connection you can buy. What are the speed you guys are getting?

PB,

I have the same problem. I am in dongguan and using China Telecom VNET that provides the speed of 2M for Chinese sites. Accessing U.S. sites is so slow that it is just ridiculous. Did you have any luck getting the access speed to be any faster. Any tip is very much appreciated. I am so desperate.

Personalvpn from http://www.witopia.net works. it's openvpn-based (SSL) and is pretty fast from shanghai. only $40 annually.

this is very clever but ive done better with my grannys computer - 7 MB of memory and 1 MB of RAM its shit but better than bruce's !!!!!

dose any one know how to get around the schools internet securety quickly and easly as i am not great on a pc. e-mail me millsy340@hotmail.co.uk

Its happening again this year, sigh.

Always seems to tie in with the government conferences.

We have had discussion with China Telecom contacts, and they claim that there is nothing wrong. Unofficial discussion however says that this is likely to lift after the conference as we expect.



References:
(Chinese)
http://www.qiyeyouxiang.net/node/113
http://www.5dmail.net/bbs/archiver/...

(English Translation)
http://www.google.com/translate?... node%2F113&langpair=zh%7Cen&hl=en&ie=UTF8
http://spacehunt.info/2006/06/09/...
http://webnews.giga.net.tw/article/... .cn.exchangeserver/37002

how do i get around security at school

This is still happening right now, on a DSL line in Gansu province.

Many connections are RESET, including random resets of SSL connections to my private webmail server (so much so that it's unusable).

SSH tunneling (to the same server) is working, fwiw.

BJ

I find the hypocrisy of most Westerners in condemning China for censorship quite sickening. They condemn censorship and then turn around and support Copyright law, and accuse people of not paying artists when they try to assert their freedom by saying what they want through the Internet. The U.S. censors pretty much everything, I've never considered it a free country at all. It's just another variant of statism: for the greater good, you can't say what you want.