China Censorship Privacy Security Your Rights Online

Inside the Great Firewall of China's Tor Blocking 160

Trailrunner7 writes with an article at Threat Post about China's ability to block Tor. From the article: "The much-discussed Great Firewall of China is meant to prevent Chinese citizens from getting to Web sites and content that the country's government doesn't approve of, and it's been endowed with some near-mythical powers by observers over the years. But it's somewhat rare to get a look at the way that the system actually works in practice. Researchers at Team Cymru got just that recently when they were asked by the folks at the Tor Project to help investigate why a user in China was having his connections to a bridge relay outside of China terminated so quickly. Not only is China able to identify Tor sessions, it can do so in near real-time and then probe the Tor bridge relay and terminate the session within a couple of minutes."
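The detect, probe and terminate sequence the summary describes, seen from the bridge operator's side as an added example (not code from the article, Team Cymru or the Tor Project): it folds a constructed bridge connection log into sessions and flags a short-lived handshake from a second address that lands within minutes of a client's connection and is followed by that client being cut off. The log format, the TEST-NET addresses and the time thresholds are assumptions.

```python
"""Bridge-side correlation of the detect / probe / terminate pattern (constructed log)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed thresholds; the article only says "within a couple of minutes".
PROBE_WINDOW = timedelta(minutes=5)          # probe arrives this soon after the client
PROBE_MAX_DURATION = timedelta(seconds=10)   # a scanner handshakes and leaves at once
KILL_WINDOW = timedelta(minutes=5)           # client session dies this soon after the probe

# Constructed sample log, one event per line (timestamp, event, remote ip:port).
SAMPLE_LOG = """\
2012-01-09T10:00:00 connect      203.0.113.10:51822
2012-01-09T10:00:01 handshake_ok 203.0.113.10:51822
2012-01-09T10:01:40 connect      198.51.100.77:4431
2012-01-09T10:01:40 handshake_ok 198.51.100.77:4431
2012-01-09T10:01:41 disconnect   198.51.100.77:4431
2012-01-09T10:02:05 disconnect   203.0.113.10:51822
2012-01-09T11:00:00 connect      192.0.2.5:40001
2012-01-09T11:00:01 handshake_ok 192.0.2.5:40001
2012-01-09T11:30:00 disconnect   192.0.2.5:40001
"""


@dataclass
class Session:
    addr: str                      # "ip:port" of the remote side
    start: datetime
    handshake: bool = False        # completed the Tor TLS handshake
    end: Optional[datetime] = None

    @property
    def ip(self) -> str:
        return self.addr.rsplit(":", 1)[0]

    @property
    def duration(self) -> Optional[timedelta]:
        return self.end - self.start if self.end else None


def parse_log(text: str) -> List[Session]:
    """Fold connect / handshake_ok / disconnect events into sessions keyed by remote address."""
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, addr = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "connect":
            open_sessions[addr] = Session(addr, when)
        elif event == "handshake_ok" and addr in open_sessions:
            open_sessions[addr].handshake = True
        elif event == "disconnect" and addr in open_sessions:
            session = open_sessions.pop(addr)
            session.end = when
            finished.append(session)
    finished.extend(open_sessions.values())  # sessions still open at end of log
    return sorted(finished, key=lambda s: s.start)


def find_probes(sessions: List[Session]) -> List[dict]:
    """Flag (client, prober) pairs: a different IP completes a handshake and drops within
    seconds of the client connecting, and the client is then cut off shortly afterwards."""
    findings = []
    for client in sessions:
        if not client.handshake or client.end is None:
            continue
        for other in sessions:
            if other is client or other.ip == client.ip:
                continue
            if not other.handshake or other.duration is None:
                continue
            gap = other.start - client.start
            if not (timedelta(0) <= gap <= PROBE_WINDOW):
                continue
            if other.duration > PROBE_MAX_DURATION:
                continue
            if not (timedelta(0) <= client.end - other.end <= KILL_WINDOW):
                continue
            findings.append({"client": client.addr, "prober": other.addr,
                             "gap_s": int(gap.total_seconds())})
    return findings
```

Running `find_probes(parse_log(SAMPLE_LOG))` on the constructed log yields one suspected probe: the 203.0.113.10 client, probed from 198.51.100.77 after 100 seconds.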
  • by DCTech ( 2545590 ) on Monday January 09, 2012 @06:58PM (#38644634)
    Clearly they're one of the best software engineers in the world when they want to, being capable of real-time packet inspection and probing. China has over 1.7 billion people who almost all want to work in IT. They will rule the world.
    • by Anonymous Coward on Monday January 09, 2012 @07:01PM (#38644674)
      Where did they pick up the extra 400 million people from?
      • Re: (Score:3, Interesting)

        by axx ( 1000412 )

        Do you really believe that a census on over one billion people, who have (who had?) an incentive to lie about their progeny, is credible?

        Hell, I might be wildly off the mark but for all we know there could be two billion people in China, I wouldn't be that surprised.

        Hopefully someone more aware of the reality of the situation will chime in.

        • Wikipedia cites 1.3 billion [wikipedia.org]

          The margin of error in the US census is 0.009%. [census.gov]

          Even allowing for China to have a margin of error a hundred times that of America's, you're looking at a maximum inaccuracy of ~12 million people, not 300.

          • by QQBoss ( 2527196 )
            It isn't an issue of error bars, it is more an issue of outright fraud in the census.

            Illegal aliens (both internal and external... do you know anything about the hukou system?) have an extremely high incentive to remain uncounted, particularly if they have children.

            From 2008:

            http://www.china-briefing.com/news/2008/09/01/is-china%E2%80%99s-population-really-13-billion.html [china-briefing.com]

            • by swalve ( 1980968 )
              Where did these 400 million people come from? That would basically be the entire population of the rest of Asia, besides India.
              • by QQBoss ( 2527196 ) on Tuesday January 10, 2012 @03:10AM (#38648388)

                How many people are actually in China, I am in no position to guess. But I am in a position to know that census undercounting does occur and why.

                As I mentioned, the "uncounteds" are both internal and external illegal aliens. Unlike most of the Western world, where the right of free travel is assumed, within China you are only legally allowed to live/work/"own" property in the place where you have a hukou (this is a gross oversimplification, but it is the beginning of a discussion). Many of the presumed 400M illegals are native Chinese who have chosen to live where they have no permission to live, doing so under the radar to avoid sanctions which in the past could have been quite onerous. They aren't at their home city to be counted (though children usually are, staying with grandparents, since without a local hukou they have no right to go to school where their parents are living) and they avoid being counted in the city where they are living because they could be forced to return to their officially registered home.

                About 6 or 7 years ago, the hukou laws were supposedly eliminated, but anyone who says they have been completely abolished is wrong. Decentralized, perhaps, but they still exist and are enforced whenever the right government official gets their panties in a wad. Unless and until the hukou laws are actually abolished, the charade will continue.

        • The reality of the situation in China is that the government is under _huge_ pressure to drop the draconian population control policy, aka one-child policy. However, there is no sign from the regime that it would even consider budging on this issue. So if anything, they have an incentive to _overstate_ the population, rather than understate it.

          The other reality is that hundreds of elementary schools in rural areas were closed down over the past few years due to not having enough school kids. Class rooms that o

          • by Bert64 ( 520050 )

            Why is their policy draconian? Overpopulation is a HUGE problem that needs to be dealt with; can you think of any alternative methods that are less "draconian"?

            • by Troed ( 102527 )

              Why do you claim that overpopulation is a huge problem? The rate of human population growth has been declining for decades. It currently seems as if we'll never even hit 10 billion before we drop in total numbers.

              I recommend Hans Rosling on the subject: http://www.ted.com/talks/hans_rosling_on_global_population_growth.html [ted.com]

              • by tlhIngan ( 30335 )

                Why do you claim that overpopulation is a huge problem? The rate of human population growth has been declining for decades. It currently seems as if we'll never even hit 10 billion before we drop in total numbers.

                I recommend Hans Rosling on the subject: http://www.ted.com/talks/hans_rosling_on_global_population_growth.html [ted.com]

                Population growth has to slow down, because it's been excessively high for the past century.

                Just a scant century ago, the population of the world was under 2 billion. Now it's 7. In just 100

                • by Troed ( 102527 )

                  Feel free to watch the link I gave you, and understand that we're already on a growth limiting curve. There is no "population explosion". The exponential is declining. You can stop worrying.

                  (Pollution was an issue centuries ago in London as well, as it is in wood stoves in India today. Technological development does wonders for air quality)

            • by Toonol ( 1057698 )
              Education and wealth. It's worked in every western country, and in advanced eastern countries.
    • Haw, I might believe you if you can prove to us that it's solely Chinese technology doing the filtering, and not solutions from Western vendors such as Narus [narus.com] or Procera. [proceranetworks.com]

      All of the big links provide only details about the type of filtering and not the hardware used.
    • by cp.tar ( 871488 ) <cp.tar.bz2@gmail.com> on Monday January 09, 2012 @08:17PM (#38645554) Journal

      Despite the error in your numbers, your post reminded me of Focus in Vernor Vinge’s A Deepness in the Sky.
      Spooky.

    • Or they paid some round-eye to implement this for them. They certainly have the resources.

    • by saleenS281 ( 859657 ) on Monday January 09, 2012 @09:36PM (#38646442) Homepage
      You're assuming they're building it themselves. Given the recent accusations and lawsuit against Cisco, it's entirely possible that a US or some other country based company is writing the code they're using.

      http://www.huffingtonpost.com/2011/05/23/cisco-falun-gong-lawsuit_n_865585.html [huffingtonpost.com]
      • by ron_ivi ( 607351 )
        Sure, but Cisco probably outsourced the work to China.
      • by Anonymous Coward on Tuesday January 10, 2012 @09:48AM (#38650704)

        I left my job at a major router company around 2004 specifically because Chunghwa Telecom was asking us to implement features to aid spying. Although, interestingly enough, you had to read between the lines to understand that it was for spying... A lot of the techniques that do it are essentially system-testing-sounding features like "clone traffic matching this IP to a second address on a different port."

        At that time, deep packet inspection was not yet a reality, but any engineer could easily see that, as the data/traffic moves through numerous custom ASICs and FPGAs, and the headers get inspected, why not examine more of the data in the packet? The first stage I saw of it in the public at large was detection of layer 5 and up protocols, e.g. traffic-limiting bittorrent.

        Last time I was in Taiwan (which has a grumpy relationship w/ China), one of my younger student friends in a University there demonstrated, as his Master's project, an algorithm to detect images without (fully) decoding them. The secret there was to extract, from JPGs only, the DC blocks representing the average RGB values of each 8x8 block. If you know JPG you'll recognize that. The system then ran conventional "porn detection" algorithms, etc. on the extracted mini-images.

        So, yes, I can verify that 1. American companies are writing code to spy on the rest of the world and ourselves. 2. Chinese are asking for it, just like any other feature. 3. The requests for capabilities are often subtle, such that most engineers don't realize what the algorithms are doing and 4. capabilities to do this are steadily growing more powerful.

        So, now, what are you going to do about it, boys?

    • by wisty ( 1335733 )

      Are they actually capable of real time packet encryption; or do they just run it like a proxy? The lag can be horrific, like there's some server at the border waiting for the whole page to download, before they forward it to you.

    • Is it perhaps a combination of quality software engineers and the quantity of software engineers that China can put to the monitoring function? With quantity and quality, one can divide and conquer.

    • by rtb61 ( 674572 ) on Tuesday January 10, 2012 @04:02AM (#38648646) Homepage

      Reality is that by far the majority of Chinese in China work as near slave labour in factories or as peasants on farms working for a pittance. Don't get confused by numbers and percentages; plus, independent-thinking Chinese, striving for their voice, tend to be the ones who have already left and live elsewhere in the world. That is approximately 40 million people http://en.wikipedia.org/wiki/Overseas_Chinese [wikipedia.org] which you blithely reduce to nothing.

      The numbers of Chinese who have a voice in China and are in a position to control anything only number in the tens of thousands; it is a corporo-Fascist Autocracy after all.

      Internet censorship in China is made significantly easier because by far the majority cannot afford it and must gain access through a limited number of internet cafes. As time progresses and the majority of people living in China realise how backward they are in their rights and how cowardly they have been in failing to fight for them, they will of course start to baulk at passing that future on to their children and grandchildren and strive to break the autocracy that controls them.

      So in a future China where 1.3 billion want internet access, we will see how effective the government is at censoring them and keeping them cowed.

      • So in a future China where 1.3 billion want internet access, we will see how effective the government is at censoring them and keeping them cowed.

        Censoring people on the Internet is quite easy. You can simply whitelist five pages (Ilovethepremier.com, ChinaRocks.com, etc.)

        But beyond that, technical measures will only take you so far. There's no "reasonable doubt", after all. Chinese official, "We blocked a Tor connection from 123 fake street, go arrest and execute everyone there."

    • by Max_W ( 812974 )
      Since they are isolated from the world the soft will reflect it by being limited and boring.
  • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Monday January 09, 2012 @07:09PM (#38644756) Homepage

    Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks.

    At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

    • Whoops, looks like they're called "directory servers". Not sure if I remember it wrong or if I really did think they were called "dictionary servers".
    • by TSHTF ( 953742 ) on Monday January 09, 2012 @07:23PM (#38644914) Homepage

      Tor has changed since you read last... "Bridges" were added to Tor and are not listed in any central directory.

      Tor bridges [torproject.org]

      • by Anonymous Coward

        Any SSL connection from China to outside is tracked and they attempt to connect to it in a few minutes after original connection is made. They try to establish a tor handshaking and if it succeeds, the IP is blocked in the great firewall.

    • by Anonymous Coward

      You can use Tor without connecting to directory servers. That's the point of bridge nodes, which this article is about...

      • But... but, if you have an unlisted / unknown proxy server that accepts YOUR connections, wtf is the point of TOR lol? Just start channeling through it over the designated ports. I mean it just uses SOCKS along w/ the other proxies; Tor's gold lies in obfuscating your connection by sending it through relays around the world. Not sure what else is going on that would prevent the above. Either way you're set with what Tor calls a bridged node :)

    • by xiando ( 770382 ) on Monday January 09, 2012 @07:35PM (#38645014) Homepage Journal

      Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks. At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

      This was the situation. Countries did download the entire Tor directory and block all the nodes listed in it. This is why bridge relays were invented, and there is no public list of all bridge relays. It works like this: you get a bridge address, you connect to a bridge and the bridge then connects to the Tor network. This changed the arms race. GFW is now able to detect the Tor bridges and this is a set-back for the Tor project. They will find a solution which fools the GFW and the Chinese will lose face.

    • by BitterOak ( 537666 ) on Monday January 09, 2012 @07:50PM (#38645236)

      Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks.

      At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

      We have to remember though what Tor was designed to do and what it was not designed to do. Tor was designed to protect the privacy of individuals who don't want their browsing habits revealed. It does this by preventing your IP address from being available to the web server you connect to, and additionally it encrypts traffic so intermediaries, such as your ISP, can't snoop on your traffic. It was NOT designed as a means of bypassing firewalls that are actively trying to block Tor. That was never its purpose.

      • by Fluffeh ( 1273756 ) on Monday January 09, 2012 @09:27PM (#38646356)

        It was NOT designed as a means of bypassing firewalls that are actively trying to block Tor. That was never its purpose.

        Totally agree that it was not the original purpose, but I would add to your comment and congratulate the folks behind Tor for taking a stand and trying to allow their software to get past the GFW. Sometimes when you realize that your software is being used for something more important (possibly something much more important than not letting your ISP know what you are doing) then it is a great opportunity to change your purpose somewhat. If the purpose itself isn't being changed, then it is still heart warming to see the effort being made anyhow.

      • My understanding is that connections to and from entry and exit nodes are unencrypted. Only connections between relays are encrypted.
        • Yes, but the entry node runs on your machine.

          My understanding is that connections to and from entry and exit nodes are unencrypted. Only connections between relays are encrypted.

          Out of the exit node: not encrypted, but your IP address is hidden, which is what is important at that end. Traffic to the entry node IS encrypted, otherwise your ISP would be able to snoop your browsing habits!

  • SSH (Score:2, Interesting)

    by axx ( 1000412 )

    Does this mean people should start tunnelling their Tor connexions through SSH, at this point?

    Bugged planet indeed, I wonder if any of our lovely "free world" companies like Amesys or Siemens are selling the DPI gear, or if China is using a fully homebaked solution.

    And if so, does it run (Red Flag) Linux, obviously.

    • Re:SSH (Score:5, Informative)

      by xiando ( 770382 ) on Monday January 09, 2012 @07:38PM (#38645056) Homepage Journal

      Bugged planet indeed, I wonder if any of our lovely "free world" companies like Amesys or Siemens are selling the DPI gear, or if China is using a fully homebaked solution.

      If you watch the 28c3 Torproject presentation available at http://tinyurl.com/7c893sl [tinyurl.com] then you will learn that western corporations like Intel, Nokia and Cisco are heavily involved in Internet surveillance and censorship around the world.

  • by wierd_w ( 1375923 ) on Monday January 09, 2012 @07:11PM (#38644778)

    If we learned more about how they detect the tor session, couldn't we obfuscate the data to combat detection?

    I mean, encrypted data stands out from normal traffic like a sore thumb, and unless the user is a bank, transacting large amounts of it puts up a red flag. But, what if we obfuscated the data so that it looks like ordinary unencrypted/uncoded data?

    • Re:obfuscation? (Score:4, Interesting)

      by DCTech ( 2545590 ) on Monday January 09, 2012 @07:31PM (#38644988)
      And the Chinese will just block it again. And unlike the slower cat-and-mouse game in western countries, the Chinese can react quickly without going thru all the hierarchies and courts. At the same time, the Tor project needs to keep updating their clients and servers, and it probably doesn't take anything at all for the Chinese to block new changes. They have the advantage here.
    • Re: (Score:3, Insightful)

      by mSparks43 ( 757109 )

      I mean, encrypted data stands out from normal traffic like a sore thumb.

      Actually, I think this is something of a myth.
      "normal traffic" these days is mostly compressed.
      Since the goal of both encryption and compression is to achieve a byte stream that is otherwise indistinguishable from random noise, I don't think one set of random noise stands out much more than another set of random noise.

      Only thing that really separates traffic these days is imperfections in these algs and the negotiation protocols.
      ____
      My
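An added example (not the poster's code) of the argument above: the byte entropy of a constructed plaintext, of its zlib-compressed form and of random bytes standing in for ciphertext, next to a header check showing that what actually separates the streams is the framing and negotiation bytes in front of the opaque payload. The vocabulary, sample sizes and signature list are assumptions.

```python
"""Entropy does not tell compressed from encrypted bytes; the framing bytes do."""
import math
import os
import random
import zlib
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Empirical bits per byte; 8.0 is the ceiling for a uniform byte stream."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def make_plaintext(n_words: int = 8000, seed: int = 1) -> bytes:
    """Constructed English-like text drawn from a small vocabulary (assumption)."""
    vocab = ("the firewall relay bridge packet inspect session tunnel probe block "
             "detect traffic random noise compress encrypt header handshake deep "
             "directory node exit entry proxy censor mirror quick brown fox").split()
    rng = random.Random(seed)
    words = ["the"] + [rng.choice(vocab) for _ in range(n_words)]
    return " ".join(words).encode()


def is_zlib_header(stream: bytes) -> bool:
    """RFC 1950 check: CM == 8 (deflate), CINFO <= 7, and CMF*256+FLG divisible by 31."""
    if len(stream) < 2:
        return False
    cmf, flg = stream[0], stream[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0


def fingerprint(stream: bytes) -> str:
    """Classify by the framing / negotiation bytes that precede the opaque payload."""
    if stream.startswith(b"\x1f\x8b"):
        return "gzip"
    if stream.startswith(b"SSH-"):
        return "ssh"
    if len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03 and stream[2] <= 3:
        return "tls"   # handshake record type 0x16, record version SSL 3.0 .. TLS 1.2
    if is_zlib_header(stream):
        return "zlib"
    return "unknown"


def classify_samples() -> Dict[str, Dict[str, object]]:
    """Entropy and header verdict for each constructed sample stream."""
    plain = make_plaintext()
    compressed = zlib.compress(plain)
    ciphertext = os.urandom(8192)   # stand-in for a cipher's output
    # Constructed TLS ClientHello record prefix: record header, handshake header, version,
    # then the 32-byte client random; the cipher list that would follow is omitted.
    tls_hello = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + os.urandom(32)
    samples = {"plaintext": plain, "compressed": compressed,
               "random": ciphertext, "tls_handshake": tls_hello}
    return {name: {"entropy": round(shannon_entropy(data), 3),
                   "fingerprint": fingerprint(data)}
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:14s} entropy={result['entropy']:.3f} "
              f"fingerprint={result['fingerprint']}")
```

The compressed and random streams both score close to 8 bits per byte and are indistinguishable by entropy alone; only the zlib and TLS headers give them away.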

  • And then terminate the offender in under an hour. ( and his family )

  • for helping us build more robust Tor protocols

    Oh, you thought you were going to actually kill the average Chinese citizen's desire for free access to information? You didn't understand that a stronger Tor protocol or something even better than Tor is the actual result of your escalation of the arms race?

    You're pretty ignorant about basic human nature, aren't you, you authoritarian assholes.

    Oh, and btw you grumpy old shitbags:

    http://www.nytimes.com/2012/01/04/world/asia/chinas-president-pushes-back-against-western-culture.html [nytimes.com]

    The reason you are lamenting the influence of Western culture on China, and not basking in pride at the influence of Chinese culture on the West, is because YOU CENSOR EVERYTHING IN YOUR CULTURE. So Chinese Culture is hobbled and decimated. Because you think you can control, nevermind why you think you should control, Chinese thought. Instead of a great big strong tree, you have a demented little broken bush. Because of YOUR efforts at preventing Chinese culture from growing, by censoring everything, you morons

    You ignorant controlling douchebags. Your average Chinese citizen understands this, why don't you you stupid old and decrepit paranoid control freaks?

    • by Anonymous Coward on Monday January 09, 2012 @07:35PM (#38645010)

      And how you do really feel?

      • Question: what is the greatest ally in the growth of Western Cultural influence in China?

        Answer: The Chinese Central Government, for working so hard to make sure that Chinese Culture can't grow.

        They think that controlling culture, and growing it, are compatible concepts. Culture grows when it freely crosspollinates with other world cultures. Japanese culture has freely been assimilating culture from around the world and we still recognize a distinctly Japanese culture. The game of controlling culture and "protecting" culture from "illegitimate" influences is the game of the insecure little person who believes Chinese culture is inferior. The person proud of being Chinese is freely dabbling in world culture, infusing their own thoughts, and defining Chinese culture as strong and new. Culture needs to crosspollinate to survive and grow. Sit on it, control it, keep it in a box, and your culture dies.

        Look at what these ignorant insecure douchebags are doing:

        http://www.nytimes.com/2012/01/01/world/asia/censors-pull-reins-as-china-tv-chasing-profit-gets-racy.html?pagewanted=all [nytimes.com]

        I know: I can hear the typical snobby Western voice now: "I wish my government would censor the Kardashians and Jersey Shore."

        And for thinking that way, you have merely identified yourself as knowing nothing about how culture actually works, and have allied yourself with authoritarianism. congratulations, you're ignorant and you're an asshole. i'd much rather have people watching jersey shore than some government entity telling them what to see and watch. and there is nothing wrong with the pursuit of empty guilty pleasures, that's a PERFECTLY VALID SEGMENT OF CULTURE. think of it as creative ferment from which greater cultural products spring forth. without the base of empty silly nonsense, the "higher" cultural products have nothing to grow out of.

        • I have no idea why you are on a tangent accusing someone else of wanting censorship. The point was that your rant (now two of them) is being directed at technical people in the US, not the Chinese Government.

          How about writing mean letters to the Chinese Government, or getting involved in Politics instead of ranting here on /.?

          Trust me, personally I'm not for anything that China does. With out of control IP laws, rampant corruption, and pay-for-politics in the US we have a shitload to worry about at home.

    • I get it, we all do (or at least I hope). But do you really think that the Chinese government reads /.? We can hope, but sheesh if world leaders can't get them to open up why would they listen to someone vent on /. and say "Eureka! He's on to something!"

    • by f3rret ( 1776822 )

      I don't think the Chinese can hear you homie.
      Maybe you should try doing it in all caps, that's louder.

    • Why does all this remind me of the province of Quebec? Hmm.
    • You make the case that western culture will prevail over Chinese culture because it is free. The implication is that competition in the marketplace of ideas makes things better.

      So, taking my cue from your tagline, the Chinese government should just vigorously enforce US copyright law (which they do not currently), and the western threat will subside. Let's call it Sino-Offence Preventing America.

      Wake up people! Lack of copyright in China is not stifling US innovation and creativity!

  • Tor exit node based blocking has been used on various IRC servers to combat abuse for years and years now. The Chinese might be doing something more fancy, but that only shows that they didn't go for the fairly easy and quick solution.
    • by xiando ( 770382 ) on Monday January 09, 2012 @07:45PM (#38645150) Homepage Journal

      Tor exit node based blocking has been used on various IRC servers to combat abuse for years and years now. The Chinese might be doing something more fancy, but that only shows that they didn't go for the fairly easy and quick solution.

      The Torproject responded with bridges when countries started to block entire countries like those IRC servers do. The entire list of Bridges is not public. What GFW now does to detect and block those bridges is something new and it is something entirely different. The "download the entire list of Tor servers and block them" method was used and stopped being efficient thanks to Tor bridges.

      • Re: (Score:2, Informative)

        by dissy ( 172727 )

        I've used the previous method on my own IRC network, not to block Tor outright, but to prevent people from clicking 'refresh' to get a new IP and avoid channel bans or client side /ignores placed on them after spamming, harassing others, and generally trying to go where their behavior makes them unwanted.

        With a daemon linked to Tor, my server can send some info to the Tor network to ask if this is a Tor connection. It needs my server's IP and port, as well as the user's IP and source port.
        Upon a successful r
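An added example (not dissy's daemon) of the lookup described above, in the TorDNSEL "ip-port" query format the exit-list service used at the time of this thread: it encodes the user's IP together with the server's IP and port into a DNS name and interprets the answer. The resolver is a constructed stub so the block runs offline; the zone name and answer value are assumed from that historical format, and the live service has since changed zone and format.

```python
"""TorDNSEL 'ip-port' lookup as an IRC server could issue it (historical format, constructed stub)."""
import ipaddress
from typing import Callable, Iterable, List

EXITLIST_ZONE = "ip-port.exitlist.torproject.org"             # historical zone (assumption)
TOR_EXIT_ANSWER = ipaddress.IPv4Address("127.0.0.2")           # A record meaning "yes, a Tor exit"


def reversed_octets(ip: ipaddress.IPv4Address) -> str:
    """1.2.3.4 -> 4.3.2.1, the same convention as in-addr.arpa reverse lookups."""
    return ".".join(reversed(str(ip).split(".")))


def exitlist_query_name(client_ip: str, server_ip: str, server_port: int) -> str:
    """Encode user IP, server port and server IP into the name the daemon resolves.

    The answer says whether client_ip is a Tor exit whose exit policy allows reaching
    server_ip:server_port, which is exactly what an IRC server wants to know.
    """
    client = ipaddress.IPv4Address(client_ip)   # the service was IPv4-only
    server = ipaddress.IPv4Address(server_ip)
    if not 0 < server_port < 65536:
        raise ValueError(f"bad port {server_port}")
    return (f"{reversed_octets(client)}.{server_port}."
            f"{reversed_octets(server)}.{EXITLIST_ZONE}")


def is_tor_exit(answers: Iterable[str]) -> bool:
    """127.0.0.2 among the A records means a Tor exit; NXDOMAIN (no records) means not."""
    return any(ipaddress.IPv4Address(a) == TOR_EXIT_ANSWER for a in answers)


def classify_connection(client_ip: str, server_ip: str, server_port: int,
                        resolve: Callable[[str], List[str]]) -> str:
    """Return 'tor-exit' or 'direct' for a new IRC connection via the supplied resolver."""
    name = exitlist_query_name(client_ip, server_ip, server_port)
    return "tor-exit" if is_tor_exit(resolve(name)) else "direct"


# Constructed stub standing in for a real DNS lookup: only one name is "listed".
FAKE_EXITLIST = {
    "10.113.0.203.6667.5.100.51.198." + EXITLIST_ZONE: ["127.0.0.2"],
}


def stub_resolve(name: str) -> List[str]:
    """Return the A records for name; an empty list plays the role of NXDOMAIN."""
    return FAKE_EXITLIST.get(name, [])


if __name__ == "__main__":
    print(classify_connection("203.0.113.10", "198.51.100.5", 6667, stub_resolve))  # tor-exit
    print(classify_connection("192.0.2.44", "198.51.100.5", 6667, stub_resolve))    # direct
```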

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      They're not blocking exit nodes -- they're blocking your first hop(s) into the tor network

  • Tor no more????
  • by xiando ( 770382 ) on Monday January 09, 2012 @08:07PM (#38645444) Homepage Journal
    I tell you, free speech and freedom in general in America is doomed. The NDAA2012 combined with SOPA is just another brick in the wall on the path towards a completely tyrannical fascist government. Some Americans argue that the USA is there already. Today we are talking about Tor being blocked by the Great Firewall of China. How long will it take before we are talking about the Great Firewall of the USA blocking websites, software like Tor, I2P, Freenet and so on? Beware that western corporations like Intel, Cisco, Nokia and Siemens are the ones who are delivering the technology used by countries like China. The US and the west already have this technology. I do not see it as a question of if but when these technologies will be used in the US and other "free" western countries. The Tor project should be supported. Why people in other countries need it today may be why you need it tomorrow.
    • by Anonymous Coward

      You have to understand though that Tor in itself is not a long-term solution. Should the majority of users be in countries that have taken the path of the USA or China, there would be no point left in using Tor, which works on its user nodes.

  • by gatkinso ( 15975 ) on Monday January 09, 2012 @09:01PM (#38646102)

    This seems a bit obvious... does anybody know how much luck folks have had with this method?

  • by Anonymous Coward

    So if they can inspect in real time, is it possible that them letting the connection go for a few minutes means they are collecting the tor bridges data, and other data like exit points before they terminate?

  • It used to be that firewalls and filters would search out malicious connections attempting spam or attacks and drop them. But in Soviet China, it's the opposite. So disguise any connections to the Falun Gong website as spam or worse, and the GFW will be sure to let it through.

  • As with any war, maneuvers lead to counter maneuvers. Escalation leads to further escalation. The only way to end a war is either by choice (as we did in Vietnam and now in Afghanistan), out maneuvering your enemy (siege of Stalingrad, battle of the Bulge), or if the enemy destroys its own credibility with the people (Iraq insurgency movement).

    So good going China, you've managed to shut down TOR. I'm sure you have shared your successes with other "Great Firewall" regimes and those who desire "Great Firew
