How the Great Firewall of China Blocks Tor

Governments in some countries have not been shy about trying to block their citizens from using the Tor network to access censored or sensitive Web content. The Chinese government has become quite proficient at this, and a recent analysis of the methods the country is using to accomplish this shows that officials are able to identify Tor connections in near real-time and shut them off basically at will.


That country’s much-discussed Great Firewall of China is meant to prevent Chinese citizens from getting to Web sites and content that the country’s government doesn’t approve of, and it’s been endowed with some near-mythical powers by observers over the years. But it’s somewhat rare to get a look at the way that the system actually works in practice. Researchers at Team Cymru got just that recently when they were asked by the folks at the Tor Project to help investigate why a user in China was having his connections to a bridge relay outside of China terminated so quickly.

After looking into it, the researchers determined that within just a few minutes of the user connecting to the bridge relay, the Chinese firewall was able to find and shut off the connection. How this was happening was the question. The Team Cymru researchers found that there were two kinds of probes coming into the bridge relay, one of which seemed to be unrelated to the Tor session and the other of which clearly was directly targeted at the Tor user.

“When a Tor client within China connected to a US-based bridge relay, we consistently found that at the next round 15 minute interval (HH:00, HH:15, HH:30, HH:45), the bridge relay would receive a probe from hosts within China that not only established a TCP connection, but performed an SSL negotiation, an SSL renegotiation, and then spoke the Tor protocol sufficiently to build a one-hop circuit and send a BEGIN_DIR cell. No matter what TCP port the bridge was listening on, once a Tor client from China connected, within 3 minutes of the next 15 minute interval we saw a series of probes including at least one connection speaking the Tor protocol,” Tim Wilde, a software engineer at Team Cymru, wrote in an analysis of the incident, which he helped investigate.
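The probe timing Wilde describes is something a bridge operator can look for in their own connection logs. The following is an added example, not Team Cymru's tooling and not anything from the Tor Project: it takes a constructed connection log (timestamp, peer address, and whether the peer went on to speak the Tor protocol), rounds each Tor client connection up to the next quarter-hour boundary, and reports any Tor-speaking connection from a different source that arrives within the three-minute window after that boundary. The sample addresses and times are made up, and the three-minute window is taken from the quoted description.

```python
from datetime import datetime, timedelta

# Constructed bridge-side connection log (not real data): one entry per
# inbound TCP connection.  The flag marks whether the peer went on to speak
# the Tor protocol (TLS, renegotiation, one-hop circuit, BEGIN_DIR cell).
SAMPLE_LOG = [
    ("2012-01-10 14:07:12", "203.0.113.45", True),   # genuine client connection
    ("2012-01-10 14:15:41", "198.51.100.9",  True),   # follow-up that speaks Tor at HH:15
    ("2012-01-10 14:16:03", "198.51.100.23", False),  # follow-up: bare TCP/TLS only
    ("2012-01-10 14:29:58", "192.0.2.77",    True),   # another client
    ("2012-01-10 14:31:20", "198.51.100.9",  True),   # same prober again at HH:30
    ("2012-01-10 15:02:10", "192.0.2.88",    True),   # client with no follow-up
]

# "within 3 minutes of the next 15 minute interval" (from the analysis quoted above)
PROBE_WINDOW = timedelta(minutes=3)


def parse_ts(s):
    """Parse the log's timestamp format."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def next_quarter_hour(ts):
    """Round up to the next HH:00/15/30/45 boundary strictly after ts."""
    base = ts.replace(second=0, microsecond=0)
    return base - timedelta(minutes=base.minute % 15) + timedelta(minutes=15)


def find_probe_followups(log, window=PROBE_WINDOW):
    """Pair each Tor-speaking connection with Tor-speaking connections from
    *other* sources that arrive inside [next boundary, next boundary + window].
    Returns a list of (client_ip, followup_ip, followup_time)."""
    events = sorted((parse_ts(t), ip, tor) for t, ip, tor in log)
    matches = []
    for ts, ip, tor in events:
        if not tor:
            continue
        start = next_quarter_hour(ts)
        end = start + window
        for ts2, ip2, tor2 in events:
            if tor2 and ip2 != ip and start <= ts2 <= end:
                matches.append((ip, ip2, ts2.strftime("%H:%M:%S")))
    return matches


def suspected_probers(log, window=PROBE_WINDOW, min_clients=2):
    """Sources that turn up as scheduled follow-ups to at least min_clients
    distinct client connections.  A single coincidence proves little; a host
    that repeatedly shows up right after the quarter hour is the pattern."""
    hits = {}
    for client, follower, _ in find_probe_followups(log, window):
        hits.setdefault(follower, set()).add(client)
    return sorted(src for src, clients in hits.items() if len(clients) >= min_clients)


if __name__ == "__main__":
    for client, follower, when in find_probe_followups(SAMPLE_LOG):
        print(f"client {client} followed by Tor-speaking {follower} at {when}")
    print("suspected probers:", suspected_probers(SAMPLE_LOG))
```

The correlation is deliberately loose: it does not try to geolocate the follow-up sources, and a busy bridge will produce coincidental pairs, which is why the second function only reports hosts that repeat across distinct clients. On the constructed log it flags 198.51.100.9 and ignores the bare TCP connection that never speaks Tor.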

Wilde found that the firewall's method for selecting which sessions to go after depended on the list of SSL cipher suites the client advertises in the ClientHello message at the start of a session: the Tor client's list was distinctive enough to serve as a fingerprint. By changing that list, he was able to evade the Chinese firewall's blocking. Longer-term solutions are in the works as well, including password protection for bridge relays and an additional obfuscation layer on top of the session that makes the traffic look like nothing more than random binary data.
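To make concrete what a cipher-list fingerprint looks like on the wire, here is an added example (not Tor's code and not the censor's): it builds a minimal TLS ClientHello around a chosen cipher-suite list, parses the ordered list back out the way a DPI engine would, and compares it against a fingerprint. The code points are real IANA values, but the fingerprint list itself is constructed for illustration and is not the list Tor actually sent at the time. The "evasive" list shows why simply changing the advertised ciphers defeats an exact-match rule.

```python
import struct

# Constructed fingerprint: an ordered cipher-suite list a DPI rule might key on.
# The values are IANA TLS code points; the ordering is an assumption made for
# this example, not the list the Tor client of the day actually advertised.
SUSPECT_CIPHER_LIST = [0xC00A, 0xC014, 0x0039, 0x0038, 0xC00F, 0xC005, 0x0035]

# A client that pads and reorders its list no longer matches the rule above.
EVASIVE_CIPHER_LIST = [0x002F, 0x0035] + SUSPECT_CIPHER_LIST[::-1]


def build_client_hello(cipher_suites, client_random=b"\x00" * 32):
    """Return a TLS 1.0 record carrying a minimal ClientHello (no extensions)
    that advertises the given cipher suites, laid out per RFC 2246."""
    body = b"\x03\x01" + client_random + b"\x00"            # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))        # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                      # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType=client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType=handshake


def parse_cipher_suites(record):
    """Extract the ordered cipher-suite list from a TLS record holding a
    ClientHello.  Returns None for anything that is not a well-formed
    ClientHello, so a DPI rule can skip non-TLS or truncated traffic."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:                                        # version(2) + random(32) + sid_len(1)
        return None
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len
    if len(body) < pos + 2:
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cs_bytes = body[pos:pos + cs_len]
    if len(cs_bytes) != cs_len or cs_len % 2:
        return None
    return [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]


def matches_fingerprint(record, fingerprint=SUSPECT_CIPHER_LIST):
    """The DPI check: exact, order-sensitive comparison of the advertised list."""
    return parse_cipher_suites(record) == list(fingerprint)


if __name__ == "__main__":
    for name, suites in (("suspect", SUSPECT_CIPHER_LIST), ("evasive", EVASIVE_CIPHER_LIST)):
        hello = build_client_hello(suites)
        print(name, [hex(c) for c in parse_cipher_suites(hello)], "->", matches_fingerprint(hello))
```

An exact, order-sensitive match is the simplest form of such a rule and the easiest to evade; the same parser is the starting point for a censor who moves on to other ClientHello fields, which is why the longer-term answers mentioned above change the shape of the whole session rather than one list inside it.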

“This probe again implies sophisticated near-line-rate DPI technology, coupled with a system that is aimed directly at Tor, using code that actually speaks the Tor protocol. Clearly there is a target painted firmly on Tor, and it is quite likely that the Chinese will continue to adapt their censorship technology as the Tor Project adapts to them,” Wilde wrote.

Homepage composite image via Eric Beato‘s Flickr photostream


Discussion

  • Anonymous on

    steganography

  • GP on

    many thanks to cisco/cisco shareholders/john chambers for providing china with deep packet inspection capabilities and technology. we are forever in your debt for creating this virtual prison that will soon encompass this entire goddamned planet.

     

  • Anonymous on

    Not sure how steganography would do anything. There's no real problems getting data out of China to the point of needing to use stego. The problem is China blocking WEB CONTENT.

  • Anonymous on

    Someone had to do it (corporations will do _anything_ for money, and the American ones are known to accept even mass genocide as a second option, and selling their home country over a few extra megabucks for the board of directors as the first option), and China was willing to pay for it. Not that the Chinese need any help to build their own engines. Just because their first option is to sell crap to the idiots in the western hemisphere doesn't mean their engineers are incompetent, and unlike the idiots in the west, they are building the proper factories instead of shutting them down, and will ignore idiotic notions of IP ownership any time it is of advantage to them. Maybe Americans should be a bit more worried by the fact that their corporate state government is already well into the process of adopting the same censorship measures "to protect IP and the children"... I mean, you already have no long-term future, but you should at least try to make it so that the fall won't hurt that much...
  • Anonymous on

    @GP: I don't think that Cisco is involved. Maybe Vedicis, Narus, Ipoque, Qosmos or some other DPI company...
  • Anonymous on

    Breaking the Great Wall of China, now that's something Anonymous should tackle.

  • Anonymous on

    @GP: 

    Blaming Cisco for China's censorship of the Internet and basic human rights violations is like accusing Ford of making a car that is used by a drunk to run over grandma at the crosswalk.

    Without Cisco and other networking companies whose products are misused by China and other countries, you wouldn't even have an Internet to protect.  Get some perspective.

     

    @Anonymous -1/10/12-8:52am

    American companies are willing to accept mass genocide for a few extra bucks?  I guess you've done an analysis of US corporations vs...oh, nevermind, keep your tin-foil hat on.

  • Dankoozy on

    The dirty evil Chinese bastards

  • Anonymous on

    @Anonymous

    "Breaking the Great Wall of China, now that's something Anonymous should tackle."

     

    Wow, that would be... revolutionary.  I can't imagine the effects of only 1 week of open interwebs access for the Chinese...

  • Hank on

    Anonymous have proven to be little more than credit card thieves - certainly not freedom fighters.  Cymru did the heavy lifting here; a more clever Tor is needed.

  • JackOfShadows on

    One technique that could be used, and probably most successfully, is to use the frequency agility concept from military communications. Basically each bridge would have a hand-off partner that would be scheduled, and would pass to the client the next handler. So long as the cycle time was sufficiently shorter than the time for polling by the GFWoC, they'd be left in the dust. If you really want to be vicious, toss in port agility as well, which would really confuse things (assuming AWS would even allow it). Of course there would have to be negotiation logic/handshaking between the bridges, but it still seems doable within the free-account limitations on AWS. I've been sitting on this idea for quite a long while. [Since before the birth of the web, as a matter of fact, and before you ask, yes, I'm ex-military.] Perhaps it is time to release it into the wild. Have fun, and be safe out there.
  • Abad Faerie on

    The next generation beyond TOR is i2p.

  • Anonymous on

    Greed, Oppression, Arrogance, Selfishness and Pride

    Who will be the next country to apply it ?

  • Anonymous on

    @Anonymous (not verified) on Tue, 01/10/2012

    The difference is that Ford does not actively try to sell cars to drunks.

  • Anonymous on

    When the US forced Amazon to remove hosting servers for WikiLeaks and block the domain, and forbade any military people from seeing certain videos and documents, and the Western country detained Assange for 407 days without charge (do you really believe he raped a prostitute?!),

    where are you guys???!! Where are your comments then?!!!

    So you watch CNN, BBC, USA Today, abc News etc. every day, and you think you know China or other countries?!!!!!

    What a joke!

    We are all the puppets of a small group of rich people, or D party or R party! They show what we can see, and they speak what we can hear!

    No governments are perfect, and no man is perfect. Just accept the truth.



  • Anonymous on

    I wonder what would actually happen if the Chinese people had total connectivity to the internet? 

    Personally, I just don't think government is necessary anymore.

     
