VPN Providers Say China Blocks Encryption Using Machine Learning Algorithms
An anonymous reader writes "Internet control in China seems to have been tightened recently, according to the Guardian. Several VPN providers claimed that the censorship system can 'learn, discover and block' encrypted VPN protocols. Using machine learning algorithms in protocol classification is not exactly a new topic in the field. And given the fact that even the founding father of the 'Great Firewall,' Fan Bingxing himself, has also written a paper about utilizing machine learning algorithms in encrypted traffic analysis, it would not be surprising at all if they are now starting to identify suspicious encrypted traffic using numerically efficient classifiers. So the arm race between anti-censorship and surveillance technology goes on."
Havoc (Score:5, Interesting)
Re: (Score:2, Interesting)
What steganography techniques? Like masking your VPN link as streaming audio/video?
Re:Havoc (Score:5, Interesting)
Re: (Score:1)
Sun-Tzu: "The best defense is when your enemy does not know where to attack"
Seems like you're blowing it there
It may be bad, but... (Score:2)
It certainly sucks, and is bad for business, but slowing down or shutting down VPN links is one thing, decrypting them is another.
But honestly, I've heard of ISPs in the West using deep packet inspection to weed out encrypted traffic and shape it down into the mud.
Re: (Score:2)
Whoa there... You're implying the Chinese are buying the tech from Western Capitalists? But they LOVE FREEDOM.
Of course if said companies don't work with China, China will just keep the software, lock their sales guys in jail, and still not pay anything.
We need to get "Voice of America" to help out with Chinese censors!!!
Re: (Score:2)
Of course if said companies don't work with China, China will just keep the software, lock their sales guys in jail, and still not pay anything.
So selling things illegally is ok, so long as you suspect they might steal it if you don't sell it to them?
And yes, the West sells it to anyone, even if they wouldn't steal it. How else did Blue Coat end up doing national firewalls for oppressive Middle East regimes?
Re: (Score:2)
There is no law that says citizens of the USA can't sell Internet filtering software to oppressive countries. China has "most favored nation" status, so other than military goods, they actually have higher status than Canada or Mexico (because we use that status to bully their lawmakers around on IP issues).
It's not like US companies are selling systems to catalog people for the gas chamber or anything. Hell, the "illegal" chemical weapons Saddam used on rioting Kurds were SOLD to him by the US military sup
Re:"Arm race"? (Score:4, Funny)
It's actually a race between severed zombie limbs.
Re: (Score:1)
You can have an arm race too. [typepad.com]
good luck with that (Score:1)
bits will copy, packets will route.
Re: (Score:1)
"The network interprets censorship as damage and routes around it" and all that, eh?
Re: (Score:2)
I'm gonna go out on a limb and say that the AC GP hasn't dealt with Chinese ISPs or VPN inside the GF.
This is true (Score:5, Informative)
I was just in Beijing for two weeks. I have access to two OpenVPN servers, one in New York another in California. These are personal servers so they aren't on the IP based blacklist. However, my connection from Beijing to either of the two would crap out after a day or two, and the only remedy was to change the OpenVPN server port.
It seems right now they update their blacklist every 24~48 hours. I did not test whether the amount of traffic (idle vs. busy) would affect the time it takes them to block you. Blacklists last longer than two weeks, as the original ports I used were still blocked by the time I left. SSH connections do not seem to be affected at this time.
Re: (Score:3, Funny)
SSH connections do not seem to be affected at this time.
Can you find a solution to your problem then?
*Jeopardy music*
Tunneling through SSH comes to mind. (Score:5, Interesting)
The interesting question is if they man-in-the-middle it.
Re:Tunneling through SSH comes to mind. (Score:4, Informative)
Being that his computer already knows the signature of his server, it would show up very quickly.
Re: (Score:1)
Providing you do your key exchange in a secure manner, that shouldn't be a problem. While I usually use OpenVPN for infrastructure VPN, I've used SSH tunneling for quick and dirty connections at airports and hotels and the like.
Re: (Score:3)
Deep packet inspection can turn up lots of easily identifiable behavior. Port scrambling, intentional service misidentification, mixing bogus streams with encrypted ones, bursting traffic over multiple IPv6s, all can make a difference.
But an ssh link is easily identifiable. They don't have to read anything, just block stuff. Experience as a teacher, 100% of what you do gets seen; what goes through is an algorithm that changes as they like it to.
They'll perform one block, but it seems tough for them to have
Re: (Score:2)
There's no PROFITS in peace, so don't fund teaching.
Re:This is true (Score:5, Funny)
SSH connections do not seem to be affected at this time.
Can you find a solution to your problem then?
*Jeopardy music*
Let's see what Tim has. You've written, "Don't do business in China", I'm sorry, we were looking for "SSH tunneling". Susan, you've written, "Port Changing Cron Job", no, that's incorrect as well. Yiu? You've written, "There is no Problem"... No, that's incorr--- Wait, the judges say we'll accept that answer, Yiu Wins!
Re: (Score:2)
LOL! XD
Re: (Score:1)
SSH connections do not seem to be affected at this time.
Can you find a solution to your problem then?
*Jeopardy music*
Yiu? You've written, "There is no Problem"... No, that's incorr--- Wait, the judges say we'll accept that answer, Yiu Wins!
Wait, what's that? Oh, I'm sorry Yiu, the judges correctly point out that you failed to use the form of a question! I'm sorry, and better luck next time.
Re: (Score:2)
Oh man you just made my day.
Re: (Score:2)
You forgot to indicate how much each contestant wagered... oh wait, Yiu would just make the other two pay for him. Sorry, my bad.
Re: This is true (Score:2)
Yiu wins!
Sucks to be Yiu.
Re: (Score:1)
Steganography will drive the analysis bot programmers absolutely nuts, they'll either have to shut everything down, or let some amount of stego traffic through.
Re:This is true (Score:5, Insightful)
I find SSH tunneling to be much less efficient than OpenVPN. With OpenVPN I can have a more-or-less usable remote VNC desktop from Beijing to New York, which is not possible using SSH tunneling.
Anyway, that is not a real solution, as there is nothing to prevent them from cutting off SSH connections when they feel like it. There is no technical solution to a political problem.
Re: (Score:3)
Why not run OpenVPN (An SSL vpn) over TCP 443? I mean, unless they intend to block SSL as well...
SSL? (Score:2)
What about SSL? We're looking into expanding our use of an SaaS ERP system into China. If it requires SSL will it stop working some day?
Re: (Score:2)
I'm kind of curious whether running OpenVPN over TCP 443 might avoid the block by appearing as standard HTTPS traffic. Anyone tried this?
Re:This is true (Score:5, Informative)
Yes, I did, it does not work, they are able to distinguish VPN from HTTPS traffic. Their detection scheme doesn't seem to care about the port number.
Re: (Score:2)
In theory OpenVPN is SUPPOSED to be SSL, but from what I'm reading something about the handshake and the way traffic is transmitted is tipping the Chinese GFC admins off. I did a little research after I posted above and others report the same as he does-- that they're really good about distinguishing VPN from non-VPN traffic.
Re: (Score:1)
I've been living in southern China for the past year and the last month has been a nightmare. It seems if you're pumping a significant amount of traffic over an encrypted channel, they block the remote server but only for the specific port.
I have a handful of personal OpenVPN servers and made the mistake of transferring a lot of data over 22 (SSH) and port 22 for that server was blocked. As the parent post suggests, it seems to be updated every 24-48 hours, usually every 24 hours though.
I found a good tec
Noise. (Score:5, Insightful)
Raise the noise floor, hide your encrypted data among legitimate looking traffic. For various meanings of legitimate. One can only fathom the amount of useless garbage that gets passed on backbone links. From malfunctioning programs, unknown millions of installations of random programs phoning home for updates, spam, web bots, ddos, facebook. An endless sea of data for your subversive little packets to get lost in.
Less efficient? Sure. But a lot harder to find.
So what if they have adaptive learning sniffers. We can invent adaptive learning garbage a whole lot faster than they can keep up.
Re: (Score:3)
If they had this, they would have solved the spam problem by now... Speaking of spam: by intelligently encoding your encrypted data as spam, you could pass through the sniffers too.
Re: (Score:2)
a funny thought: tunneling 'IP over eBay'. ha!
Chinese are big sellers on eBay, now. that comms path WILL stay open, no matter what. they need to keep selling dangerous things to us. we all know that.
and so, format your data as fake replies to a fake seller in China. sure, the frag/reassem logic is going to be a bitch, but you'll get your data tunneled thru there, and even better, eBay pays the comms cost!
Re: (Score:2)
eBay is something like the 150th most popular site in China. It is dwarfed by TaoBao. The typical Chinese user probably wouldn't notice much...
Re: (Score:3)
That used to be a good idea, but as more and more governments get access to supercomputers that they can dedicate to 'monitoring', it won't work for long. It's really not hard to pick out that needle in the haystack if you have the resources.
And remember in countries like China, they don't care what you are transmitting, the act of hiding is enough to get you jailed or executed.
Is that a DOS vector? (Score:5, Interesting)
You might be able to use this to simulate encrypted traffic to something legitimate and cause it to be blocked.
Re: (Score:2)
I would imagine they are watching the handshaking and looking for certain patterns at the start of TCP sessions. If the streams match a certain pattern (VPN connection handshake), then the connection will be added to the global blacklist at the next update. For VPNs that do their negotiation fully over UDP, the firewall probably just has to look for a specific set of packets between 2 systems over a short period of time.
Protocol/Application detection isn't all that hard with the right tools.
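The first-packet fingerprinting the comment above describes, as an added example that is not code from any commenter or from the OpenVPN project: a toy classifier that labels a flow by its first payload bytes alone, using the OpenVPN framing (opcode in the top five bits of the first byte; a two-byte length prefix over TCP) versus a TLS ClientHello record header, and never consults the destination port. All sample packets are constructed here, not captured.

```python
"""Toy first-packet classifier for the handshake fingerprinting described
above. Added example, not code from any commenter or the OpenVPN project;
byte layouts follow the public OpenVPN/TLS docs, samples are constructed."""

# OpenVPN: opcode in the top 5 bits of the first framing byte, key id below.
HARD_RESET_CLIENT_V2 = 7   # first packet a client sends
HARD_RESET_SERVER_V2 = 8   # first packet the server answers with


def classify_first_payload(payload: bytes, tcp: bool = False) -> str:
    """Label a flow's first payload bytes; the port is never consulted.
    Over TCP, OpenVPN prefixes each packet with a 2-byte big-endian length,
    so the framing byte is at offset 2; over UDP it is at offset 0."""
    if tcp:
        # TLS record: type 0x16, version 0x03 0x0x, len, handshake type 0x01.
        if len(payload) >= 6 and payload[:2] == b"\x16\x03" and payload[5] == 1:
            return "tls-client-hello"
        if len(payload) < 3 or int.from_bytes(payload[:2], "big") != len(payload) - 2:
            return "unknown"
        first = payload[2]
    else:
        # Smallest HARD_RESET: 1 + 8-byte session id + 1 ack count + 4 packet id.
        if len(payload) < 14:
            return "unknown"
        first = payload[0]
    opcode = first >> 3
    if opcode == HARD_RESET_CLIENT_V2:
        return "openvpn-client-hello"
    if opcode == HARD_RESET_SERVER_V2:
        return "openvpn-server-hello"
    return "unknown"


def flag_flows(flows):
    """flows: (dst_port, is_tcp, first_payload) tuples -> (port, label) hits."""
    hits = []
    for port, tcp, payload in flows:
        label = classify_first_payload(payload, tcp)
        if label.startswith("openvpn"):
            hits.append((port, label))
    return hits


# Constructed samples (not captured traffic).
SID = bytes.fromhex("0102030405060708")
OPENVPN_UDP_CLIENT = b"\x38" + SID + b"\x00" + b"\x00\x00\x00\x00"   # 7<<3, sid, 0 acks, pid
OPENVPN_UDP_SERVER = b"\x40" + SID + b"\x01" + b"\x00\x00\x00\x00" + SID + b"\x00\x00\x00\x01"
OPENVPN_TCP_CLIENT = len(OPENVPN_UDP_CLIENT).to_bytes(2, "big") + OPENVPN_UDP_CLIENT
HELLO_BODY = b"\x01\x00\x00\x04\x03\x03\x00\x00"            # handshake type 1
TLS_CLIENT_HELLO = b"\x16\x03\x01" + len(HELLO_BODY).to_bytes(2, "big") + HELLO_BODY
SAMPLE_FLOWS = [
    (443, True, TLS_CLIENT_HELLO),       # ordinary HTTPS
    (1194, False, OPENVPN_UDP_CLIENT),   # OpenVPN on its default port
    (443, True, OPENVPN_TCP_CLIENT),     # OpenVPN moved onto the HTTPS port
]
```

A real classifier would add packet-size and timing features on top of this framing check, which is why, as later comments report, moving OpenVPN onto port 443 does not make it look like HTTPS.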
Re: (Score:3)
I may be making bad assumptions here, my TCP and UDP knowledge is pretty rusty. It seems like if the algorithm wasn't smart enough to keep track of the full connection state, you could spoof a protocol appropriate TCP or UDP packet from the remote IP and port to avoid a block. Alternately, you might be able to avoid detection by using a common port like 53 for your UDP VPN and spoofing valid DNS response packets. If that caused problems for your VPN client, you could set a flag on them that causes them t
Re: (Score:2)
Seems unlikely to avoid detection using a port like 53 (DNS services, something that is filtered all the time). Actually it's probably pretty easy to look at most standard port traffic and infer that they are being used for non-standard purposes.
To make matters worse, even non-chinese ISPs have been known to intercept DNS requests [dnsleaktest.com] and substitute their own responses
Re: (Score:2)
Oooh... handshake via ad network!!
Re: (Score:2)
Is there a way to port-knock the handshake? Or perform the handshake through steganography?
Re: (Score:2)
That's why they force all the major companies to locate servers in China. I'd venture there is minimal cross-talk between Chinese sites like Yahoo and their American counterparts.
Yahoo certainly isn't internally redirecting Chinese to Yahoo.com even if they ask... Where in Europe, local country sites might all have the same "front door" server.
Targeting commercial VPN providers? (Score:4, Interesting)
If not, I'd like to get some address where to register corporate endpoints which should be excluded from filtering.
Otherwise managing workstations and servers located in China might become rather tedious.
At least this IPSEC VPN to China which I'm using to post this message seems to work just fine right now.
Re: (Score:1)
Man, you wasted a perfectly good post that should have ended with "NO CARRIER" :)
Only big pipes are affected (Score:5, Interesting)
Re: (Score:3)
If you need a narrow band VPN, you could always encrypt it in such a way that it can't be detected by the sniffers. For example, use something like the technique used by port knocking, i.e. utilize the time domain for your encrypted channel. In other words, don't send encrypted data directly, just send regular data and modulate the time intervals between the packets to reflect your encrypted data.
That's likely to be really low bandwidth and a bright target for their firewall learning algorithms. Modulating the time intervals on a high-latency connection with the typically large amount of buffering will be troublesome if they just randomly drop packets on suspicious connections and wait for TCP/IP retransmit. Of course you could hack your TCP/IP stack to be aware of this, but that's quite a bit of work.
10 years from now... (Score:2)
Re: (Score:2)
So you've found a way to violate causality and transmit information FTL? Please do share the details of how this works.
Re: (Score:3)
gravity change waves
Now that you've summited Mt Stupid, I invite you to climb back down and join the rest of us on the Plane of Reality.
Re: (Score:2)
faster than the speed of light.
Bullshit. Your 5-minute pseudo-intellectual masturbation session has failed to produce any legitimate results. Imagine that.
Einstein: 1
slashmydots: 0
BTW, where did you "learn physics"? I'd like to make sure never to send my children there.
Re: (Score:1)
LOL. From the future are we?
Hindsight (Score:2)
The biggest mistake made in design of the web protocol was starting out with a non encrypted protocol http. In 20/20 hindsight it should have always been https and nothing else. I look for the day when browser makers disable http.
Re: (Score:2)
Plus encryption was highly restricted for export as an "ordnance" during the early days of the web and before.
I don't believe Switzerland ever had restrictions on exporting encryption.
Re: (Score:2)
When HTTP was first developed, wouldn't continuous encryption have been considered too expensive, computationally?
I am not a web site guru, but IIRC there was a good market for encryption offload cards at one time but I don't know how common they are anymore given the use of virtualization and the general increase in CPU power over past systems.
It was probably also a headache from a certificate perspective. You can use it with self-signed certificates, but you have to generate them, etc and traditionally
The Arm Race? (Score:3)
It's kind of funny, the things one can extrapolate from a simple grammatical error.
IPoVoIP (Score:1)
Ultimately a waste of time (Score:1)
The Chinese are wasting their time, buying a year or two of incomplete censorship at the cost of giving everyone the means to defeat such methods afterwards, when new software methods are developed and become universally available.
Consider the problem. You wish to kill the use of encryption so you have the capability of inspecting any data block that travels across the Internet. Luckily, such censorship is fighting maths, and will always lose accordingly. Here's why.
Attempts to block encryption are actually
Steganography still works (Score:1)
Re: (Score:2)
Just post some nice pictures on a forum...
and after that forum becomes a popular route for circumvention, they block that whole website in China via IP filtering, DNS and connection blacklisting...
Certainly anything might for a while, but then there are countermeasures...
We've also run into this. (Score:5, Interesting)
Over about the last 2 weeks, one of our hosting clients' OpenVPN connections to their machines in China have been failing. We can still SSH into the machine in China, glad they haven't blocked that. We ended up setting up a block of several hundred ports with DNAT to the normal OpenVPN port, and then set up 64 (the max allowed) servers in the client config so it can cycle between them. That's been effective so far.
It took a while to figure out, because I was able to send test traffic via "date | nc -u server 1194", and that would go through, but the OpenVPN connection wouldn't.
Sean
Borg (Score:2)
The problem with information suppression (Score:3, Insightful)
Re: (Score:1)
On the subject of rebellion: You are forgetting something. China is not Syria and they are a nuclear power. They have too many people already.
If rebellion becomes widespread, a few 50 megaton thermonuclear bombs detonated in selected problem areas would solve the problem very quickly.
We need to stop playing cat 'n mouse here (Score:1)
The only effective way to fight this is just to let China go. They don't want traffic they don't like? Fine, f 'em. Drop ALL traffic into their ISPs. Companies who keep playing ball with them will only have themselves to blame when the cost of doing business is so high that it's infeasible.
Challenge Accepted. (Score:1)
Swapping steganographic images with an acoustic coupler & Kermit could be fun.
Or perhaps create a fake conversation over a normal VOIP channel, using WAV / VOC files padded with data, using, for example:
http://www.heinz-repp.onlinehome.de/Hide4PGP.htm [onlinehome.de]
Re: (Score:1)
Hell, actually, thinking about it; the ultimate solution is to ship my mother in law over to China. Have my wife call her for a 'quick chat' (This will ensure the line is pretty much open non-stop with perfectly generated random speech) then pass my data over the line using real-time Steganography [wordpress.com] with ZRTP
Tor/Onion? (Score:2)
I don't live in China so I haven't had a chance to test this, but I would guess Tor/Onion is more or less the ideal way of keeping a stable connection out of China. Just run a private exit node outside China. Tor changes the tunnel connections regularly to obscure its existence.