Governments in some countries have not been shy about trying to block their citizens from using the Tor network to access censored or sensitive Web content. The Chinese government has become quite proficient at this, and a recent analysis of the methods the country is using to accomplish this shows that officials are able to identify Tor connections in near real-time and shut them off basically at will.
That country’s much-discussed Great Firewall of China is meant to prevent Chinese citizens from getting to Web sites and content that the country’s government doesn’t approve of, and it’s been endowed with some near-mythical powers by observers over the years. But it’s somewhat rare to get a look at the way that the system actually works in practice. Researchers at Team Cymru got just that recently when they were asked by the folks at the Tor Project to help investigate why a user in China was having his connections to a bridge relay outside of China terminated so quickly.
After looking into it, the researchers determined that within minutes of the user connecting to the bridge relay, the Chinese firewall found and shut off the connection. The question was how. The Team Cymru researchers found two kinds of probes arriving at the bridge relay: one that seemed unrelated to the Tor session, and another that was clearly aimed directly at the Tor user's connection.
“When a Tor client within China connected to a US-based bridge relay, we consistently found that at the next round 15 minute interval (HH:00, HH:15, HH:30, HH:45), the bridge relay would receive a probe from hosts within China that not only established a TCP connection, but performed an SSL negotiation, an SSL renegotiation, and then spoke the Tor protocol sufficiently to build a one-hop circuit and send a BEGIN_DIR cell. No matter what TCP port the bridge was listening on, once a Tor client from China connected, within 3 minutes of the next 15 minute interval we saw a series of probes including at least one connection speaking the Tor protocol,” Tim Wilde, a software engineer at Team Cymru, wrote in an analysis of the incident, which he helped investigate.
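Seen from the bridge operator's side, the probe pattern Wilde describes can be checked mechanically against a connection log. The following is an added example, not code from Team Cymru or the Tor Project. The log format, the IP addresses and the `circuit_build` / `cell BEGIN_DIR` event names are constructed for illustration, and the heuristic it encodes (a source never seen before connects within 3 minutes after an HH:00/15/30/45 boundary, some other client connected in the preceding 15-minute slot, and the newcomer speaks enough Tor to build a circuit and send BEGIN_DIR) is an assumption drawn from the quote, not a rule Tor itself applies:

```python
"""Heuristic detection of scheduled active probes in a Tor bridge's connection log.

Added example. The log lines, IPs and event names below are constructed; the
timing rule encodes the pattern reported in the article and is an assumption.
"""
import re
from datetime import datetime, timedelta

PROBE_WINDOW = timedelta(minutes=3)   # "within 3 minutes of the next 15 minute interval"
SLOT = timedelta(minutes=15)          # HH:00, HH:15, HH:30, HH:45

# Constructed sample log. Format: "<date> <time> <source-ip> <event> [extra]".
SAMPLE_LOG = """\
2012-01-06 14:07:12 203.0.113.45 connect port=443
2012-01-06 14:07:13 203.0.113.45 tls_handshake
2012-01-06 14:07:14 203.0.113.45 circuit_build hops=3
2012-01-06 14:15:41 198.51.100.7 connect port=443
2012-01-06 14:15:41 198.51.100.7 tls_handshake
2012-01-06 14:15:42 198.51.100.7 tls_renegotiate
2012-01-06 14:15:42 198.51.100.7 circuit_build hops=1
2012-01-06 14:15:42 198.51.100.7 cell BEGIN_DIR
2012-01-06 14:15:43 198.51.100.7 disconnect
2012-01-06 14:16:03 198.51.100.9 connect port=443
2012-01-06 14:16:03 198.51.100.9 disconnect
2012-01-06 14:40:10 192.0.2.88 connect port=443
2012-01-06 14:40:10 192.0.2.88 tls_handshake
2012-01-06 14:40:11 192.0.2.88 circuit_build hops=1
2012-01-06 14:40:11 192.0.2.88 cell BEGIN_DIR
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+)(?: (.*))?$")


def parse_log(text):
    """Yield (timestamp, source, event, extra) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4) or ""


def quarter_boundary(ts):
    """Most recent HH:00 / HH:15 / HH:30 / HH:45 at or before ts."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)


def group_sessions(events):
    """One session per 'connect' line; later events from the same source attach to it."""
    sessions, current = [], {}
    for ts, src, event, extra in events:
        if event == "connect":
            current[src] = {"src": src, "start": ts, "events": []}
            sessions.append(current[src])
        if src in current:
            current[src]["events"].append((event, extra))
    return sessions


def classify(session, sessions, seen):
    """Return 'tor-speaking', 'bare', or None for a session under the timing heuristic."""
    b = quarter_boundary(session["start"])
    if session["start"] - b > PROBE_WINDOW or session["src"] in seen:
        return None
    # Did some *other* source (the real client) connect in the preceding slot?
    triggered = any(o["src"] != session["src"] and b - SLOT <= o["start"] < b
                    for o in sessions)
    if not triggered:
        return None
    names = {e for e, _ in session["events"]}
    spoke_tor = "circuit_build" in names and ("cell", "BEGIN_DIR") in session["events"]
    return "tor-speaking" if spoke_tor else "bare"


def find_probes(text):
    """Return [(src, start, kind)] for sessions that look like scheduled probes."""
    sessions = group_sessions(parse_log(text))
    seen, flagged = set(), []
    for s in sessions:
        kind = classify(s, sessions, seen)
        if kind:
            flagged.append((s["src"], s["start"].isoformat(sep=" "), kind))
        seen.add(s["src"])
    return flagged


if __name__ == "__main__":
    for src, when, kind in find_probes(SAMPLE_LOG):
        print(f"{when}  {src:<15} {kind} probe")
```

On the constructed log this flags 198.51.100.7 as a Tor-speaking probe (new source, 41 seconds after 14:15, one-hop circuit plus BEGIN_DIR, after the 14:07 client) and 198.51.100.9 as a bare TCP probe, while the 14:40 connection passes because it is too far from the 14:30 boundary. A one-hop circuit with BEGIN_DIR is also what an ordinary client uses to fetch a bridge's descriptor, so the timing correlation, not the BEGIN_DIR cell on its own, is what carries the signal.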
Wilde found that the firewall's method for picking out which sessions to go after depended on the list of cipher suites in the ClientHello, the first message a client sends when it starts an SSL/TLS session. Changing that list was enough to evade the Chinese firewall's blocking: a DPI signature keyed to a fixed cipher list stops matching as soon as the list changes, although that buys time rather than a permanent fix. Longer-term solutions are also in the works, including password protection for bridge relays, so that a probe that merely connects and speaks the Tor protocol cannot confirm that it has found a bridge, and an obfuscation layer wrapping the session so that on the wire it looks like nothing more than arbitrary binary data.
“This probe again implies sophisticated near-line-rate DPI technology, coupled with a system that is aimed directly at Tor, using code that actually speaks the Tor protocol. Clearly there is a target painted firmly on Tor, and it is quite likely that the Chinese will continue to adapt their censorship technology as the Tor Project adapts to them,” Wilde wrote.
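To make the cipher-list signature concrete, here is an added example of the check a signature-based DPI box can apply to a client's first packet, with the client-side evasion beside it. It is not Team Cymru's or the Tor Project's code, and the two cipher-suite lists in it are constructed stand-ins: the article does not give the list Tor sent in 2012, and nothing here claims to reproduce it.

```python
"""Order-sensitive cipher-suite fingerprinting of a TLS ClientHello.

Added example. DISTINCTIVE_SUITES and BLEND_IN_SUITES are constructed stand-ins,
not the cipher list Tor actually sent; the point is only that a DPI signature
keyed to the exact list breaks as soon as the client changes it.
"""
import hashlib
import os
import struct

# Constructed: a distinctive ordering a censor could sign on (NOT Tor's real list).
DISTINCTIVE_SUITES = [0xC00A, 0xC014, 0x0039, 0x0038, 0xC009, 0xC013,
                      0x0033, 0x0032, 0x0035, 0x002F]
# Constructed: a list resembling a common browser profile, used to blend in.
BLEND_IN_SUITES = [0x002F, 0x0035, 0x0005, 0x000A, 0xC013, 0xC014,
                   0x0033, 0x0039, 0x0004]


def build_client_hello(suites, session_id=b"", random_bytes=None):
    """Serialize a minimal TLS 1.0 ClientHello record (no extensions)."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    body = b"\x03\x01" + rnd                      # client_version, random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_cipher_suites(record):
    """Return the offered cipher-suite list from a ClientHello record, or None.

    Every length is checked before use so a truncated or non-TLS payload
    yields None instead of an exception (a DPI parser sees arbitrary bytes).
    """
    if len(record) < 5 or record[0] != 0x16:      # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:                       # truncated handshake
        return None
    pos = 2 + 32                                  # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip session_id
    if len(body) < pos + 2:
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or len(body) < pos + cs_len:
        return None
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def fingerprint(suites):
    """Hash of the list in offered order; reordering or dropping a suite changes it."""
    raw = b"".join(struct.pack("!H", s) for s in suites)
    return hashlib.sha256(raw).hexdigest()[:16]


BLOCKLIST = {fingerprint(DISTINCTIVE_SUITES)}     # the censor's signature set


def dpi_verdict(record):
    """What a signature-based DPI box would do with this client's first packet."""
    suites = parse_cipher_suites(record)
    if suites is None:
        return "not-a-client-hello"
    return "flag-for-probe" if fingerprint(suites) in BLOCKLIST else "pass"


if __name__ == "__main__":
    for name, suites in [("distinctive", DISTINCTIVE_SUITES), ("blend-in", BLEND_IN_SUITES)]:
        rec = build_client_hello(suites)
        print(f"{name:<12} {fingerprint(suites)}  {dpi_verdict(rec)}")
```

The matching happens before any encryption starts, on a field the client controls entirely, which is why Wilde's workaround was to change the list rather than anything in the Tor protocol itself. The same property cuts the other way: once the client's new list is stable, the censor can sign on that one too, which is the arms race the article anticipates and the reason the longer-term plan is to stop looking like TLS at all.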
Homepage composite image via Eric Beato‘s Flickr photostream
steganography
many thanks to cisco/cisco shareholders/john chambers for providing china with deep packet inspection capabilities and technology. we are forever in your debt for creating this virtual prison that will soon encompass this entire goddamned planet.
Not sure how steganography would do anything. There’s no real problems getting data out of China to the point of needing to use stego. The problem is China blocking WEB CONTENT.
Someone had to do it (corporations will do _anything_ for money, and the American ones are known to accept even mass genocide as a second option, and selling their home country over a few extra megabucks for the board of directors as the first option), and China was willing to pay for it.
Not that the Chinese need any help to build their own engines. Just because their first option is to sell crap to the idiots in the western hemisphere doesn’t mean their engineers are incompetent, and unlike the idiots in the west, they are building the proper factories instead of shutting them down, and will ignore idiotic notions of IP ownership any time it is of advantage to them.
Maybe Americans should be a bit more worried by the fact that their corporate state government is already well into the process of adopting the same censorship measures “to protect IP and the children”… I mean, you already have no long-term future, but you should at least try to make it so that the fall won’t hurt that much…
@GP:
I don’t think that cisco is involved.
Maybe Vedicis, Narus, Ipoque, Qosmos or some other dpi company…
Breaking the Great Wall of China, now that’s something Anonymous should tackle.
@GP:
Blaming Cisco for China’s censorship of the Internet and basic human rights violations is like accusing Ford of making a car that is used by a drunk to run over grandma at the crosswalk.
Without Cisco and other networking companies whose products are misused by China and other countries, you wouldn’t even have an Internet to protect. Get some perspective.
@Anonymous -1/10/12-8:52am
American companies are willing to accept mass genocide for a few extra bucks? I guess you’ve done an analysis of US corporations vs…oh, nevermind, keep your tin-foil hat on.
The dirty evil Chinese bastards
@Anonymous
“Breaking the Great Wall of China, now that’s something Anonymous should tackle.”
Wow, that would be… revolutionary. I can’t imagine the effects of only 1 week of open interwebs access for the Chinese…
Anonymous have proven to be little more than credit card thieves – certainly not freedom fighters. Cymru did the heavy lifting here; a more clever Tor is needed.
One technique that could be used, and probably most successfully, is to use the frequency agility concept from military communications. Basically each bridge would have a hand-off partner that would be scheduled, and would pass to the client the next handler, so long as the cycle time was sufficiently shorter than the time for polling by the GFWoC, they’d be left in the dust. If you really want to be vicious, toss in port agility as well, which would really confuse things (assuming AWS would even allow it). Of course there would have to be negotiation logic/handshaking between the bridges; it still seems doable within the free-account limitations on AWS.
I’ve been sitting on this idea for quite a long while. [Before the birth of the web, as a matter of fact, and before you ask, yes, I’m ex-military.] Perhaps it is time to release it into the wild.
Have fun, and be safe out there.
The next generation beyond TOR is i2p.
Greed, Oppression, Arrogance, Selfishness and Pride
Who will be the next country to apply it ?
@Anonymous (not verified) on Tue, 01/10/2012
The difference is that Ford does not actively try to sell cars to drunks.
When the US forced Amazon to remove the host servers for WikiLeaks and block the domain, and forbade any military people from seeing certain videos and documents, and the western country detained Assange for 407 days without charge (do you really believe he raped a prostitute?!),
where are you guys???!! Where are your comments then?!!!
So you watch CNN, BBC, USA Today, abc News etc. every day, and you think you know China or other countries?!!!!!
What a joke!
We are all the puppets of a small group of rich people, or D party or R party! They show what we can see, and they speak what we can hear!
No governments are perfect, and no man is perfect. Just accept the truth.
I wonder what would actually happen if the Chinese people had total connectivity to the internet?
Personally, I just don’t think government is necessary anymore.
Take a good look. This will be us in the not too distant future, once SOPA/PIPA passes.
So narcissistic, to assume that China is relying on Cisco for its high-level censorship and security mechanisms. First, it’s factually not true; second, Chinese spokespersons themselves have openly said “do you think we would be stupid enough to use equipment from an American company? Huawei, GZP and other local companies can do the trick.”
>we are forever in your debt for creating this virtual prison that will soon encompass this entire goddamned planet.
Amen.
Woah. Racism and the great firewall of China should not be in the same topic. First of all, every single country has their own problem. Second of all, we are one of the few countries who are actually handling the problems instead of tossing them aside.
Look at Africa. The place is messed up with compliments to western forces.
Look at America. The economy is quickly dying. The nation is swept in protests.
Look at Europe. Their economy is also dying.
Look at China and Iran. We may not do a lot of good things, but compared to many other countries, we do not force our children into war.
We protect and value our children.
-We give them good education (at least for the ones who are able to attend).
-When the government found out seven year old kids were walking 3.5 hours (you read that right) to school and 3.5 hours back over mountains, they got a bus to bring the students to school. For a developing country, those are good signs.
-The Great Firewall of China protects the youth from pornography. Pornography corrupts. Why do you think America has so many sex-related crimes?
-Also, no one stays in prison for long. (This can be good or bad because most probably, the prisoner might be receiving the death sentence. The good that comes out of this would be that society was rid of another violent/dangerous person.) For drug addicts, we offer them rehabilitation.
What has your country done. Place sanctions on N. Korea, Cuba, Iran, Iraq, Libya, Syria, Somalia, and other countries? Just because your country is crippled by the economy doesn’t mean you have to destroy everyone else’s economy.
Let’s try to be unbiased for the sake of understanding.
Hello, I’d like to find out more about this field. Thank you for publishing this.
Actually, I’m a Chinese living in mainland China. I won’t see any big difference if the Chinese government lets the Internet go. In fact most of us really don’t mind the government blocking websites related to separatism, terrorism and heresy (lots of them financially backed by the US, Taiwan, Japan), but what really pisses us off is that the GFW system is a big piece of crap operated in a black box, which causes massive collateral damage. You can get shot even when you’ve laid down!
No no no, we are totally, fully connected (INSIDE a big LAN), except Facebook, YouTube, whatever brings democracy to the Arabic bros won’t work in China. Yeah, the Egyptians are so happy now, because they got what they wanted----the Gospel of the Egyptians----chaos and democracy, and so do the Iraqis and Afghans.
What do they always say? Be big brother’s good boy, or the US will bring DEMOCRACY to your country.