What’s commonly referred to as the Great Firewall of China isn’t really a firewall at all. I recently came across an Atlantic Monthly article investigating how the Great Firewall works and what it does (see The Connection has been Reset).
The official name of what is often called the Great Firewall of China is the Golden Shield project. Rather than acting as a firewall, it’s actually mirroring content and manipulating DNS, connection management, and URL redirection to implement its goal of restricting what internet users inside China can access.
This project has been widely criticized on political and social fronts – I won’t repeat them here. It’s also been widely criticized on technical grounds as ineffective, weak, and easy to thwart. Again, not my focus. This article simply caught my interest technically as content filtering at this scale is an incredibly difficult task. What techniques are employed?
Like many software security problems, no single solution solves this one fully; the main goal of the Golden Shield project is to add friction. If it’s painful enough to get to the content they are trying to prevent from being accessed, few will bother to access it. Essentially the goal of the four levels of protection they are using is to add friction, and it’s friction rather than prevention that ensures that few Chinese internet users see restricted content in any quantity. The four levels of protection/restriction are:
1. DNS Block: sites that are on the current blacklist get DNS resolution failure or get redirected to other content. This was the technique employed against google.cn to force them to add filtering to their web index. For some time, all access to google.cn was redirected to their larger Chinese competitor baidu. The other application of this technique is to return DNS lookup failure so, for example, lookups for http://www.illegalsite.com will return “not found”.
2. Connect: In parallel with connection requests leaving China, they are inspected. If the IP address is on the current IP blacklist, a connection reset will be sent, which will cause the connection to fail.
3. URL Block: If the URL contains words on the illegal word blacklist, the connection is redirected infinitely. I’m not sure if they are only sniffing the URL or also doing reverse DNS to get the site name as well but, if unacceptable words are found in the URL, they redirect the connection repeatedly. Some browsers hang while others return an error message.
4. Content Block: At this level the DNS lookup has been successful and the connection has been made and content is being returned to the user. As the content is returned to the requesting user inside China, it’s being scanned in parallel for unapproved keywords and phrases. If any are found, the connection is broken immediately. As well as breaking the connection mid-way, subsequent requests from that client IP to that destination IP are blocked. The first block is short, but consecutive attempts drive up the length of the IP-to-IP connect block period and may eventually draw official scrutiny.
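To make the four stages concrete, here is a small added model of the decision pipeline described above, written for this page and not taken from the article or from any real filtering system. The blacklists, hostnames, IPs and the doubling of the IP-to-IP block period on consecutive hits are all constructed placeholders and assumptions; the article only says the block period grows with repeated attempts, not by how much.

```python
"""Toy model of a four-stage filter: DNS block, connection reset on an IP
blacklist (or an active IP-pair block), URL keyword block, and content
keyword scan with an escalating per-(client IP, destination IP) block.
Constructed illustration only; none of the lists below are real data."""
from dataclasses import dataclass, field

# --- Constructed sample policy (placeholder values, not real configuration) ---
DNS_TABLE = {                      # hostname -> IP, stands in for a resolver
    "news.example": "198.51.100.10",
    "search.example": "198.51.100.20",
    "blocked-ip.example": "203.0.113.5",
}
DNS_BLACKLIST = {                  # None = lookup failure, str = redirect target
    "illegalsite.example": None,
    "search.example": "competitor.example",
}
IP_BLACKLIST = {"203.0.113.5"}
URL_KEYWORDS = {"forbidden"}       # hypothetical "illegal word" list for URLs
CONTENT_KEYWORDS = {"restricted phrase"}  # hypothetical list for page bodies


@dataclass
class Request:
    client_ip: str
    hostname: str
    path: str = "/"
    response_body: str = ""        # what the server returns; scanned at stage 4


@dataclass
class FourStageFilter:
    base_block_seconds: int = 60   # first IP-pair block length (assumption)
    # (client_ip, dest_ip) -> (consecutive_hits, block_expires_at)
    pair_blocks: dict = field(default_factory=dict)

    def check(self, req: Request, now: float) -> str:
        """Return the outcome label for one request at time `now` (seconds)."""
        # Stage 1: DNS block - failure or redirect before any connection exists
        if req.hostname in DNS_BLACKLIST:
            target = DNS_BLACKLIST[req.hostname]
            return "dns-fail" if target is None else f"dns-redirect:{target}"
        dest_ip = DNS_TABLE.get(req.hostname)
        if dest_ip is None:
            return "dns-fail"      # genuinely unknown host, not a policy hit

        # Stage 2: connection reset on the IP blacklist, or while an earlier
        # content hit still has this client/destination pair blocked
        if dest_ip in IP_BLACKLIST:
            return "connect-reset"
        pair = (req.client_ip, dest_ip)
        hits, expires = self.pair_blocks.get(pair, (0, 0.0))
        if now < expires:
            return "connect-reset:pair-block"

        # Stage 3: URL keyword block - modelled as an endless redirect
        if any(word in req.path.lower() for word in URL_KEYWORDS):
            return "url-redirect-loop"

        # Stage 4: content scan on the returned bytes; each consecutive hit
        # doubles the block period for this IP pair (doubling is an assumption)
        if any(word in req.response_body.lower() for word in CONTENT_KEYWORDS):
            hits += 1
            duration = self.base_block_seconds * 2 ** (hits - 1)
            self.pair_blocks[pair] = (hits, now + duration)
            return f"content-reset:block={duration}s"

        # A clean, completed transfer ends the escalation for this pair
        self.pair_blocks.pop(pair, None)
        return "allowed"


if __name__ == "__main__":
    f = FourStageFilter()
    r = Request("10.0.0.1", "news.example", "/story",
                "a page containing a Restricted Phrase")
    for t in (0, 10, 70, 200):
        print(t, f.check(r, now=t))
```

Running the script shows the friction model in action: the first content hit blocks the client/destination pair for 60 s, a retry inside that window is reset at the connect stage without the content ever being scanned, and each later hit doubles the block period.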
In addition to these techniques to block access to content outside of China, an estimated 30,000 censors scan for and remove unapproved content posted within China (see http://en.wikipedia.org/wiki/Internet_censorship_in_the_People%27s_Republic_of_China).
The Golden Shield project is reportedly also being used in the opposite direction to prevent access to some content inside of China from outside the country.
There are many means of subverting the Golden Shield, including using a proxy server outside of China or setting up a VPN connection to a server outside of the country. Encrypted connections will also get through, as will encrypted email. However, all these techniques are non-default and require some work on behalf of the user. Most users don’t bother so, for the most part, the goals of the Golden Shield are attained even though it’s technically not that strong.
The Atlantic Monthly article: http://www.theatlantic.com/doc/200803/chinese-firewall?reddit
Thanks to Jennifer Hamilton and Mitch Wyle for pointing out the Atlantic Monthly article.
James Hamilton, Windows Live Platform Services
Bldg RedW-D/2072, One Microsoft Way, Redmond, Washington, 98052
W:+1(425)703-9972 | C:+1(206)910-4692 | H:+1(206)201-1859 | JamesRH@microsoft.com