AI Censorship China Communications Encryption Your Rights Online

VPN Providers Say China Blocks Encryption Using Machine Learning Algorithms 111

Posted by timothy
from the man-vs-state-with-a-cast-of-millions dept.
An anonymous reader writes "The internet control in China seems to have been tightened recently, according to the Guardian. Several VPN providers claimed that the censorship system can 'learn, discover and block' encrypted VPN protocols. Using machine learning algorithms in protocol classification is not exactly a new topic in the field. And given the fact that even the founding father of the 'Great Firewall,' Fan Bingxing himself, has also written a paper about utilizing machine learning algorithms in encrypted traffic analysis, it would not be surprising at all if they are now starting to identify suspicious encrypted traffic using numerically efficient classifiers. So the arms race between anti-censorship and surveillance technology goes on."
  • Havoc (Score:5, Interesting)

    by Anonymous Coward on Thursday December 20, 2012 @10:14AM (#42347811)
    This has been causing havoc and reduces availability and integrity of our VPN access to our Chinese clients. The insane part is, most of them are in the aerospace and defense industry and are usually mostly owned by the Chinese government. It's indiscriminate. So far steganography techniques have worked, at the reduction of speed and standardisation, but it's hard to explain to clients why they suddenly can't access network resources and expect your company to fix everything.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      What steganography techniques? Like masking your VPN link as streaming audio/video?

      • Re:Havoc (Score:5, Interesting)

        by Anonymous Coward on Thursday December 20, 2012 @10:55AM (#42348339)
        Yes, basically. We created software which encapsulates the connection in another protocol and re-encodes the data, shoved it in a VM and put one here and one over there. We made it modularised so we can create support for new protocols and encodings easily. It's slower and usually requires a higher latency tolerance and bandwidth configuration for the protocol you are tunnelling, but I'm surprised we whipped it up so quickly and it works.
        • by Anonymous Coward

          Sun-Tzu: "The best defense is when your enemy does not know where to attack"

          Seems like you're blowing it there

    • It certainly sucks, and is bad for business, but slowing down or shutting down VPN links is one thing, decrypting them is another.

      But honestly, I've heard of ISPs in the West using deep packet inspection to weed out encrypted traffic and shape it down into the mud.

      • Whoa there... You're implying the Chinese are buying the tech from Western Capitalists? But they LOVE FREEDOM.

        Of course if said companies don't work with China, China will just keep the software, lock their sales guys in jail, and still not pay anything.

        We need to get "Voice of America" to help out with Chinese censors!!!

        • by AK Marc (707885)

          Of course if said companies don't work with China, China will just keep the software, lock their sales guys in jail, and still not pay anything.

          So selling things illegally is ok, so long as you suspect they might steal it if you don't sell it to them?

          And yes, the west sells it to anyone, even if they wouldn't steal it. How else did Blue Coat end up doing national firewalls for oppressive Middle East regimes?

          • There is no law that says citizens of the USA can't sell Internet filtering software to oppressive countries. China has "most favored nation" status, so other than military goods, they actually have higher status than Canada or Mexico (because we use that status to bully their lawmakers around on IP issues).

            It's not like US companies are selling systems to catalog people for the gas chamber or anything. Hell, the "illegal" chemical weapons Saddam used on rioting Kurds were SOLD to him by the US military sup

  • by Anonymous Coward

    bits will copy, packets will route.

    • by Anonymous Coward

      "The network interprets censorship as damage and routes around it" and all that, eh?

  • This is true (Score:5, Informative)

    by sadboyzz (1190877) on Thursday December 20, 2012 @10:24AM (#42347947)

    I was just in Beijing for two weeks. I have access to two OpenVPN servers, one in New York another in California. These are personal servers so they aren't on the IP based blacklist. However, my connection from Beijing to either of the two would crap out after a day or two, and the only remedy was to change the OpenVPN server port.

    It seems right now they update their blacklist every 24~48 hours. I did not test whether the amount of traffic (idle vs. busy) would affect the time it takes them to block you. Blacklists last longer than two weeks, as the original ports I used were still blocked by the time I left. SSH connections do not seem to be affected at this time.

    • Re: (Score:3, Funny)

      by GameboyRMH (1153867)

      SSH connections do not seem to be affected at this time.

      Can you find a solution to your problem then?

      *Jeopardy music*

      • by Anonymous Coward on Thursday December 20, 2012 @10:36AM (#42348117)

        The interesting question is if they man-in-the-middle it.

        • by PlusFiveTroll (754249) on Thursday December 20, 2012 @10:43AM (#42348209) Homepage

          Being that his computer already knows the signature of his server, it would show up very quickly.

        • Providing you do your key exchange in a secure manner, that shouldn't be a problem. While I usually use OpenVPN for infrastructure VPN, I've used SSH tunneling for quick and dirty connections at airports and hotels and the like.

        • Deep packet inspection can turn up lots of easily identifiable behavior. Port scrambling, intentional service misidentification, mixing bogus streams with encrypted ones, bursting traffic over multiple IPv6s, all can make a difference.

          But an ssh link is easily identifiable. They don't have to read anything, just block stuff. Experience as a teacher, 100% of what you do gets seen; what goes through is an algorithm that changes as they like it to.

          They'll perform one block, but it seems tough for them to have

      • by VortexCortex (1117377) <VortexCortex@Nos ... t-retrograde.com> on Thursday December 20, 2012 @10:43AM (#42348213)

        SSH connections do not seem to be affected at this time.

        Can you find a solution to your problem then?

        *Jeopardy music*

        Let's see what Tim has. You've written, "Don't do business in China", I'm sorry, we were looking for "SSH tunneling". Susan, you've written, "Port Changing Cron Job", no, that's incorrect as well. Yiu? You've written, "There is no Problem"... No, that's incorr--- Wait, the judges say we'll accept that answer, Yiu Wins!

        • LOL! XD

        • by Anonymous Coward

          SSH connections do not seem to be affected at this time.

          Can you find a solution to your problem then?

          *Jeopardy music*

          Yiu? You've written, "There is no Problem"... No, that's incorr--- Wait, the judges say we'll accept that answer, Yiu Wins!

          Wait, what's that? Oh, I'm sorry Yiu, the judges correctly point out that you failed to use the form of a question! I'm sorry, and better luck next time.

        • Oh man you just made my day.

        • by Vexler (127353)

          You forgot to indicate how much each contestant wagered... oh wait, Yiu would just make the other two pay for him. Sorry, my bad.

        • Yiu wins!

          Sucks to be Yiu.

        • Steganography will drive the analysis bot programmers absolutely nuts, they'll either have to shut everything down, or let some amount of stego traffic through.

      • Re:This is true (Score:5, Insightful)

        by sadboyzz (1190877) on Thursday December 20, 2012 @12:13PM (#42349455)

        I find SSH tunneling to be much less efficient than OpenVPN. With OpenVPN I can have a more-or-less usable remote VNC desktop from Beijing to New York, which is not possible using SSH tunneling.

        Anyway, that is not a real solution, as there is nothing to prevent them from cutting off SSH connections when they feel like it. There is no technical solution to a political problem.

        • by Pav (4298)
          X2Go works well for me via SSH (though I haven't tried it internationally), and it allows file sharing, proxying RDP, local printing and a number of other useful features.
    • by CastrTroy (595695)
      I imagine that it would be quite easy to identify what traffic is going over VPN links. The network equipment in between knows the port you are connecting to, and the IP Address. Also, encrypted data looks a lot different than unencrypted data. VPN was never designed to be hard to detect, just hard to decrypt. It's a direct end-to-end connection.
      • Why not run OpenVPN (An SSL vpn) over TCP 443? I mean, unless they intend to block SSL as well...

      • by AK Marc (707885)
        The ports should be encrypted. The port of VPN traffic should be ESP port or something like that. The 25/110 port inside the packet is encapsulated and encrypted. But you could do something insane like tunnel IPSEC over GRE over random ports, but the VPN packets are easy to identify: just look for packets with a payload that's random. That's why steganography should work. If they know what to look for, it won't be as much help, but it's the most convenient form of non-random (but still secure) encryption.
    • by dickens (31040)

      What about SSL? We're looking into expanding our use of a SaaS ERP system into China. If it requires SSL, will it stop working some day?

    • by tlhIngan (30335)

      I was just in Beijing for two weeks. I have access to two OpenVPN servers, one in New York another in California. These are personal servers so they aren't on the IP based blacklist. However, my connection from Beijing to either of the two would crap out after a day or two, and the only remedy was to change the OpenVPN server port.

      It seems right now they update their blacklist every 24~48 hours. I did not test whether the amount of traffic (idle vs. busy) would affect the time it takes them to block you. Bl

    • I'm kind of curious whether running OpenVPN over TCP 443 might avoid the block by appearing as standard HTTPS traffic. Anyone tried this?

      • Re:This is true (Score:5, Informative)

        by sadboyzz (1190877) on Thursday December 20, 2012 @01:13PM (#42350213)

        Yes, I did, it does not work, they are able to distinguish VPN from HTTPS traffic. Their detection scheme doesn't seem to care about the port number.

        • by dargaud (518470)
          Can't you encapsulate VPN within https ? Sure the server has to be aware of the scheme but it shouldn't be too hard...
          • In theory OpenVPN is SUPPOSED to be SSL, but from what I'm reading, something about the handshake and the way traffic is transmitted is tipping the Chinese GFC admins off. I did a little research after I posted above and others report the same as he does: that they're really good at distinguishing VPN from non-VPN traffic.

    • by beefsack (1172479)

      I've been living in southern China for the past year and the last month has been a nightmare. It seems if you're pumping a significant amount of traffic over an encrypted channel, they block the remote server but only for the specific port.

      I have a handful of personal OpenVPN servers and made the mistake of transferring a lot of data over 22 (SSH) and port 22 for that server was blocked. As the parent post suggests, it seems to be updated every 24-48 hours, usually every 24 hours though.

      I found a good tec

  • Noise. (Score:5, Insightful)

    by Anonymous Coward on Thursday December 20, 2012 @10:29AM (#42348021)

    Raise the noise floor, hide your encrypted data among legitimate looking traffic. For various meanings of legitimate. One can only fathom the amount of useless garbage that gets passed on backbone links. From malfunctioning programs, unknown millions of installations of random programs phoning home for updates, spam, web bots, ddos, facebook. An endless sea of data for your subversive little packets to get lost in.

    Less efficient? Sure. But a lot harder to find.

    So what if they have adaptive learning sniffers. We can invent adaptive learning garbage a whole lot faster than they can keep up.

    • by cpghost (719344)

      So what if they have adaptive learning sniffers.

      If they had this, they would have solved the spam problem by now... Speaking of spam: by intelligently encoding your encrypted data as spam, you could pass through the sniffers too.

      • a funny thought: tunneling 'IP over ebay'. ha!

        chinese are big sellers on ebay, now. that comms path WILL stay open, no matter what. they need to keep selling dangerous things to us. we all know that.

        and so, format your data as fake replies to a fake seller in china. sure, the frag/reassem logic is going to be a bitch, but you'll get your data tunneled thru there, and even better, ebay pays the comms cost!

        • by slew (2918)

          Ebay is something like the 150th most popular site in China. It is dwarfed by TaoBao. The typical Chinese user probably wouldn't notice much...

      • by snemarch (1086057)
        So, we encode the bitstreams as "viagra" for 1, "penis!" for 0? (same length strings, obviously, to make the processing more efficient).
    • by nurb432 (527695)

      That used to be a good idea, but as more and more governments get access to supercomputers that they can dedicate to 'monitoring', it won't work for long. It's really not hard to pick out that needle in the haystack if you have the resources.

      And remember, in countries like China, they don't care what you are transmitting; the act of hiding is enough to get you jailed or executed.

  • by bigtrike (904535) on Thursday December 20, 2012 @10:31AM (#42348061)

    You might be able to use this to simulate encrypted traffic to something legitimate and cause it to be blocked.

    • by Necroman (61604)

      I would imagine they are watching the handshaking and looking for certain patterns at the start of TCP sessions. If the streams match a certain pattern (VPN connection handshake), then the connection will be added to the global blacklist at the next update. For VPNs that do their negotiation fully over UDP, the firewall probably just has to look for a specific set of packets between 2 systems over a short period of time.

      Protocol/Application detection isn't all that hard with the right tools.
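
Added example (not code from any poster on this thread): the "random payload" heuristic AK Marc describes above and the handshake-pattern matching Necroman imagines, reduced to a small entropy-based flow classifier in Python run over constructed sample payloads. It shows why a payload-based classifier is indifferent to the destination port, and why byte entropy alone cannot tell an OpenVPN tunnel from ordinary TLS on 443. The threshold, window size and function names are assumptions for this example.

```python
import hashlib
import math
from collections import Counter

# Threshold and window size are assumptions for this example, not values
# taken from any real DPI product.
ENTROPY_THRESHOLD = 7.0   # bits per byte; uniformly random data scores 8.0
MIN_PAYLOAD_LEN = 64      # below this the estimate is too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(payload: bytes) -> str:
    """Coarse verdict produced by the 'random payload' heuristic."""
    if len(payload) < MIN_PAYLOAD_LEN:
        return "inconclusive"          # too short to estimate entropy
    if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "random-looking"        # encrypted or compressed bytes
    return "structured"                # plaintext protocol


def classify_flow(dst_port: int, first_payload: bytes) -> dict:
    """Classify a flow by its first data payload. The port is recorded but
    deliberately not consulted, mirroring the observation on this thread
    that the block did not depend on the port number."""
    return {
        "dst_port": dst_port,
        "entropy": round(shannon_entropy(first_payload), 3),
        "verdict": classify_payload(first_payload),
    }


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample payloads, not captured traffic.
HTTP_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n\r\n"
)
CIPHERTEXT = pseudo_random_bytes(2048)

SAMPLE_FLOWS = [
    (80, HTTP_REQUEST),          # plain HTTP: structured text
    (443, CIPHERTEXT),           # TLS application data, or OpenVPN on 443
    (1194, CIPHERTEXT),          # OpenVPN on its default port
    (443, CIPHERTEXT[:16]),      # a short packet: not enough evidence
]


def run_demo() -> list:
    """Verdicts for the sample flows; ports 443 and 1194 come out identical."""
    return [classify_flow(port, payload) for port, payload in SAMPLE_FLOWS]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Because both high-entropy flows receive the same verdict, separating a VPN from TLS needs features beyond byte randomness, such as handshake shape and packet-size sequences, which is what the thread's posters suspect is being matched.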

      • by bigtrike (904535)

        I may be making bad assumptions here, my TCP and UDP knowledge is pretty rusty. It seems like if the algorithm wasn't smart enough to keep track of the full connection state, you could spoof a protocol appropriate TCP or UDP packet from the remote IP and port to avoid a block. Alternately, you might be able to avoid detection by using a common port like 53 for your UDP VPN and spoofing valid DNS response packets. If that caused problems for your VPN client, you could set a flag on them that causes them t

        • by slew (2918)

          Seems unlikely to avoid detection using a port like 53 (DNS services, something that filter all the time). Actually it's probably pretty easy to look at most standard port traffic and infer that they are being used for non-standard purposes.

          To make matters worse, even non-chinese ISPs have been known to intercept DNS requests [dnsleaktest.com] and substitute their own responses

        • by aaarrrgggh (9205)

          Oooh... handshake via ad network!!

      • by aaarrrgggh (9205)

        Is there a way to port-knock the handshake? Or perform the handshake through steganography?

    • That's why they force all the major companies to locate servers in China. I'd venture there is minimal cross-talk between Chinese sites like Yahoo and their American counterparts.

      Yahoo certainly isn't internally redirecting Chinese to Yahoo.com even if they ask... Where in Europe, local country sites might all have the same "front door" server.

  • by Keruo (771880) on Thursday December 20, 2012 @10:42AM (#42348189)
    I'm assuming they're targeting commercial VPN providers rather than companies using VPN?
    If not, I'd like to get some address where to register corporate endpoints which should be excluded from filtering.
    Otherwise managing workstations and servers located in China might become rather tedious.
    At least this IPSEC VPN to China, which I'm using to post this message, seems to work just fine right now.
    • by Anonymous Coward

      Man, you wasted a perfectly good post that should have ended with "NO CARRIER" :)

  • by cpghost (719344) on Thursday December 20, 2012 @10:51AM (#42348297) Homepage
    If you need a narrow band VPN, you could always encrypt it in such a way that it can't be detected by the sniffers. For example, use something like the technique used by port knocking, i.e. utilize the time domain for your encrypted channel. In other words, don't send encrypted data directly, just send regular data and modulate the time intervals between the packets to reflect your encrypted data.
    • by slew (2918)

      If you need a narrow band VPN, you could always encrypt it in such a way that it can't be detected by the sniffers. For example, use something like the technique used by port knocking, i.e. utilize the time domain for your encrypted channel. In other words, don't send encrypted data directly, just send regular data and modulate the time intervals between the packets to reflect your encrypted data.

      That's likely to be really low bandwidth and a bright target for their firewall learning algorithms. Modulating the time intervals on a high-latency connection with the typically large amount of buffering will be troublesome if they just randomly drop packets on suspicious connections and wait for TCP/IP retransmit. Of course you could hack your TCP/IP stack to be aware of this, but that's quite a bit of work.

  • Good luck blocking pairs of devices with entangled quantum particles. They travel through the fabric of reality or whatever, not copper cables. Place one inside the country and one outside and that's point to point and untraceable as far as we know.
    • So you've found a way to violate causality and transmit information FTL? Please do share the details of how this works.

      • Read any single article ever posted on slashdot about entangled particles maybe? They all end promising instant transmissions across the Earth or to other planets.
        • And they're all bullshit. Entanglement can't transmit information, that's one of the fundamental properties of entangled systems!
    • by Anonymous Coward

      LOL. From the future are we?

  • The biggest mistake made in the design of the web protocol was starting out with a non-encrypted protocol, HTTP. In 20/20 hindsight it should have always been HTTPS and nothing else. I look for the day when browser makers disable HTTP.

    • by swb (14022)

      When HTTP was first developed, wouldn't continuous encryption have been considered too expensive, computationally?

      I am not a web site guru, but IIRC there was a good market for encryption offload cards at one time but I don't know how common they are anymore given the use of virtualization and the general increase in CPU power over past systems.

      It was probably also a headache from a certificate perspective. You can use it with self-signed certificates, but you have to generate them, etc and traditionally

  • by Revotron (1115029) on Thursday December 20, 2012 @11:37AM (#42348923)
    All I think of when I hear that phrase is something akin to a leg race. I imagine a bunch of Chinese nationals racing each other on a track while doing handstands.

    It's kind of funny, the things one can extrapolate from a simple grammatical error.
  • Two dialup modems on each end of a VoIP session. It could totally work. Totally.
  • by Anonymous Coward

    The Chinese are wasting their time, buying a year or two of incomplete censorship at the cost of giving everyone the means to defeat such methods afterwards, when new software methods are developed and become universally available.

    Consider the problem. You wish to kill the use of encryption so you have the capability of inspecting any data block that travels across the Internet. Luckily, such censorship is fighting maths, and will always lose accordingly. Here's why.

    Attempts to block encryption are actually

  • Just post some nice pictures on a forum and embed your message. Put your data in plain sight.
    • by slew (2918)

      Just post some nice pictures on a forum...

      and after that forum becomes a popular route for circumvention, they block that whole website in China via IP filtering, DNS and connection blacklisting...

      Certainly anything might work for a while, but then there are countermeasures...

  • by jafo (11982) on Thursday December 20, 2012 @01:14PM (#42350219) Homepage

    Over about the last 2 weeks, one of our hosting clients' OpenVPN connections to their machines in China have been failing. We can still SSH into the machine in China; glad they haven't blocked that. We ended up setting up a block of several hundred ports with DNAT to the normal OpenVPN port, and then set up 64 (the max allowed) servers in the client config so it can cycle between them. That's been effective so far.

    It took a while to figure out, because I was able to send test traffic via "date | nc -u server 1194", and that would go through, but the OpenVPN connection wouldn't.

    Sean

  • Crap; the Borg have learned our 'rotate the frequencies' trick.
  • by kawabago (551139) on Thursday December 20, 2012 @01:59PM (#42350955)
    When an authority suppresses a minority, the minority builds resentment. If there is no outlet, the resentment grows into rebellion. If the authority suppresses the dissent it doesn't go away. It festers. Eventually all of the minorities in China will all be unhappy and ready for a full revolt. If authority tightens its grip, the country will explode. Angry upset minorities rebelling simultaneously across all of China would be more than the authority can suppress. It will become like Syria. If China does not change course, Syria is its future.
    • by Anonymous Coward

      On the subject of rebellion: You are forgetting something. China is not Syria and they are a nuclear power. They have too many people already.
      If rebellion becomes widespread, a few 50 megaton thermonuclear bombs detonated in selected problem areas would solve the problem very quickly.

  • by Anonymous Coward

    The only effective way to fight this is just to let China go. They don't want traffic they don't like? Fine, f 'em. Drop ALL traffic into their ISPs. Companies who keep playing ball with them will only have themselves to blame when the cost of doing business is so high that it's infeasible.

  • Swapping steganographic images with an acoustic coupler & Kermit could be fun.

    Or perhaps create a fake conversation over a normal VOIP channel, using WAV / VOC files padded with data, using, for example:

    http://www.heinz-repp.onlinehome.de/Hide4PGP.htm [onlinehome.de]

    • Hell, actually, thinking about it; the ultimate solution is to ship my mother in law over to China. Have my wife call her for a 'quick chat' (This will ensure the line is pretty much open non-stop with perfectly generated random speech) then pass my data over the line using real-time Steganography [wordpress.com] with ZRTP

  • I don't live in China so I haven't had a chance to test this, but I would guess Tor/Onion is more or less the ideal way of keeping a stable connection out of China. Just run a private exit node outside China. Tor changes the tunnel connections regularly to obscure its existence.

    • by ryocoon (2466182)
      They have figured out basic TOR handshakes, along with blocking all registered bridges. They run scan tests against any suspected port/IP combo thought to host a TOR bridge/inlet. If it accepts a TOR or VPN handshake, then they inject tons of RESET packets and then block routing to that IP/port (sometimes the IP in its entirety) for a few days. If you stop trying to get at it, it will eventually open back up, but you'll only get a day or two (or less if unlucky) of getting back through on it. Yes, this
