China's "Great Cannon"

Interesting research: “An Analysis of China’s ‘Great Cannon.’”

Abstract: On March 16th, 2015, the Chinese censorship apparatus employed a new tool, the “Great Cannon”, to engineer a denial-of-service attack on, an organization dedicated to resisting China’s censorship. We present a technical analysis of the attack and what it reveals about the Great Cannon’s working, underscoring that in essence it constitutes a selective nation-state Man-in-the-Middle attack tool. Although sharing some code similarities and network locations with the Great Firewall, the Great Cannon is a distinct tool, designed to compromise foreign visitors to Chinese sites. We identify the Great Cannon’s operational behavior, localize it in the network topology, verify its distinctive side-channel, and attribute the system as likely operated by the Chinese government. We also discuss the substantial policy implications raised by its use, including the potential imposition on any user whose browser might visit (even inadvertently) a Chinese web site.

Posted on September 4, 2015 at 8:16 AM • 6 Comments


Daniel September 4, 2015 9:20 AM

As background, how is one supposed to know if one is visiting a Chinese website other than if it has the country’s TLD? I am admitting my ignorance here but to me Chinese and Japanese characters all look the same. So if I were to inadvertently click on a link and find myself on a Chinese site, how would I know?

Clive Robinson September 4, 2015 9:54 AM

@ Daniel,

So if I were to inadvertently click on a link and find myself on a Chinese site, how would I know?

Simple answer, you would not.

People often make the mistake of thinking there is some geographical correspondence to not just where a site is but how packets get there. Whilst there is sometimes an appearance of correspondence, this is more an accident of engineering convenience than political design.

The best you can do in most cases is before you click on the link run a traceroute to it and lookup where the nodes are. However this assumes that nothing upstream of you is misleading you. Further it does not mean that someone has not set up a router to do different things based on the TTL in the header. Or that the site operator has not set up HTML / JavaScript to “re-direct” your browser to a totally different site.

The sooner the population in general realises that an “IP address” is not an address but just a ‘lookup index’ into a distributed database the better.

Mike Barno September 5, 2015 2:27 PM

@ rgaff :

Bruce, getting old? starting to repeat yourself? 😉

See this week’s daily strips of the Between Friends comic. Bruce is just doing a “Best Of” posting.
