China's "Great Cannon"

Interesting research: “An Analysis of China’s ‘Great Cannon.’”

Abstract: On March 16th, 2015, the Chinese censorship apparatus employed a new tool, the “Great Cannon”, to engineer a denial-of-service attack on GreatFire.org, an organization dedicated to resisting China’s censorship. We present a technical analysis of the attack and what it reveals about the Great Cannon’s working, underscoring that in essence it constitutes a selective nation-state Man-in-the-Middle attack tool. Although sharing some code similarities and network locations with the Great Firewall, the Great Cannon is a distinct tool, designed to compromise foreign visitors to Chinese sites. We identify the Great Cannon’s operational behavior, localize it in the network topology, verify its distinctive side-channel, and attribute the system as likely operated by the Chinese government. We also discuss the substantial policy implications raised by its use, including the potential imposition on any user whose browser might visit (even inadvertently) a Chinese web site.

Tags: academic papers, China, denial of service, Internet, man-in-the-middle attacks

Posted on September 4, 2015 at 8:16 AM • 6 Comments

Comments

Daniel • September 4, 2015 9:20 AM

As background, how is one supposed to know if one is visiting a Chinese website other than if it has the country’s TLD? I am admitting my ignorance here but to me Chinese and Japanese characters all look the same. So if I were to inadvertently click on a link and find myself on a Chinese site, how would I know?

Clive Robinson • September 4, 2015 9:54 AM

@ Daniel,

So if I were to inadvertently click on a link and find myself on a Chinese site, how would I know?

Simple answer, you would not.

People often make the mistake of thinking there is some geographical corespondance to not just where a site is but how packets get there. Whilst there is sometimes an appearance of corespondance, this is more an accident of engineering conveviance than political design.

The best you can do in most cases is before you click on the link run a traceroute to it and lookup where the nodes are. However this assumes that nothing upstream of you is misleading you. Further it does not mean that someone has not set up a router to do different things based on the TTL in the header. Or that the site operator has not set up HTML / JavaScript to “re-direct” your browser to a totaly different site.

The sooner the population in general realises thet an “IP address” is not an address but just a ‘lookup index’ into a distributed database the better.

Clive Robinson • September 4, 2015 10:45 AM

Non PDF version at,

https://citizenlab.org/2015/04/chinas-great-cannon/

For those having probs with the Usnix download site.

Military Net • September 4, 2015 12:57 PM

Video Killed The Radio Star
Internet Killed The Video Star
Stasi Killed The Internet Star….

rgaff • September 4, 2015 4:04 PM

This was already linked to over here at:

https://www.schneier.com/blog/archives/2015/04/chinas_great_ca.html

only it was the non-pdf version (which Clive linked)

Bruce, getting old? starting to repeat yourself? 😉

Mike Barno • September 5, 2015 2:27 PM