China's "Great Cannon"

Interesting research: "An Analysis of China's 'Great Cannon.'"

Abstract: On March 16th, 2015, the Chinese censorship apparatus employed a new tool, the "Great Cannon", to engineer a denial-of-service attack on, an organization dedicated to resisting China's censorship. We present a technical analysis of the attack and what it reveals about the Great Cannon's working, underscoring that in essence it constitutes a selective nation-state Man-in-the-Middle attack tool. Although sharing some code similarities and network locations with the Great Firewall, the Great Cannon is a distinct tool, designed to compromise foreign visitors to Chinese sites. We identify the Great Cannon's operational behavior, localize it in the network topology, verify its distinctive side-channel, and attribute the system as likely operated by the Chinese government. We also discuss the substantial policy implications raised by its use, including the potential imposition on any user whose browser might visit (even inadvertently) a Chinese web site.

Posted on September 4, 2015 at 8:16 AM • 6 Comments


Daniel • September 4, 2015 9:20 AM

As background, how is one supposed to know if one is visiting a Chinese website other than if it has the country's TLD? I am admitting my ignorance here but to me Chinese and Japanese characters all look the same. So if I were to inadvertently click on a link and find myself on a Chinese site, how would I know?

Clive Robinson • September 4, 2015 9:54 AM

@ Daniel,

So if I were to inadvertently click on a link and find myself on a Chinese site, how would I know?

Simple answer, you would not.

People often make the mistake of thinking there is some geographical correspondence to not just where a site is but how packets get there. Whilst there is sometimes an appearance of correspondence, this is more an accident of engineering convenience than political design.

The best you can do in most cases is before you click on the link run a traceroute to it and look up where the nodes are. However this assumes that nothing upstream of you is misleading you. Further it does not mean that someone has not set up a router to do different things based on the TTL in the header. Or that the site operator has not set up HTML / JavaScript to "re-direct" your browser to a totally different site.

The sooner the population in general realises that an "IP address" is not an address but just a 'lookup index' into a distributed database the better.

Military Net • September 4, 2015 12:57 PM

Video Killed The Radio Star
Internet Killed The Video Star
Stasi Killed The Internet Star....

Mike Barno • September 5, 2015 2:27 PM

@ rgaff :

Bruce, getting old? starting to repeat yourself? ;)

See this week's daily strips of the Between Friends comic. Bruce is just doing a "Best Of" posting.
