

Identifying IP address of filtering devices in the Great Firewall of China - mediumdeviation
https://github.com/mothran/mongol

======
xfs
The GFW doesn't really have filtering devices with IP addresses.

For filtering in the literal sense, i.e. address-based packet null routing, all
you can find is general carrier routers with their routing tables being
dynamically manipulated by BGP commands sent by the GFW. You can't know where
the commands come from.

For "filtering" described in this research, it's active connection disruption
with spoofed TCP reset packets. The GFW mirrors traffic via some routers for
detection and sends spoofed traffic for disruption. It doesn't have an IP
address per se. This tool can find out from which router the GFW mirrors
traffic, but not the GFW itself.

Here is a previous illustration on the topology of GFW networks:
[https://media.torproject.org/image/community-images/topology.svg](https://media.torproject.org/image/community-images/topology.svg)
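
A passive check for the spoofed resets described in the comment above, as an added example that is not part of the thread or of the mongol tool. It assumes a forged RST arrives with a different TTL than the genuine server's packets, because it is injected from another point on the path; the packet tuples, the function name and the tolerance are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (src_ip, dst_ip, ttl, tcp_flags) as seen at the client.
# Addresses are documentation ranges (RFC 5737); all values are made up.
SAMPLE_CAPTURE = [
    ("203.0.113.10", "192.0.2.5", 49, "SA"),
    ("203.0.113.10", "192.0.2.5", 49, "A"),
    ("203.0.113.10", "192.0.2.5", 49, "PA"),
    ("203.0.113.10", "192.0.2.5", 58, "R"),   # arrives with a different hop count
    ("203.0.113.10", "192.0.2.5", 58, "RA"),
    ("198.51.100.7", "192.0.2.5", 52, "SA"),
    ("198.51.100.7", "192.0.2.5", 52, "A"),
    ("198.51.100.7", "192.0.2.5", 52, "R"),   # consistent with the real server
]


def find_suspect_resets(packets, tolerance=2, min_baseline=2):
    """Return RSTs whose TTL deviates from the sender's non-RST baseline.

    Heuristic (an assumption of this example): a reset forged by an on-path
    mirror carries the server's source address but travels a different number
    of hops, so its arriving TTL usually does not match the TTL of the
    server's genuine packets.
    """
    baseline = defaultdict(list)   # (src, dst) -> TTLs of non-RST packets
    suspects = []
    for src, dst, ttl, flags in packets:
        key = (src, dst)
        if "R" not in flags:
            baseline[key].append(ttl)
            continue
        seen = baseline[key]
        if len(seen) < min_baseline:
            continue  # not enough genuine traffic to judge against
        expected = median(seen)
        if abs(ttl - expected) > tolerance:
            suspects.append({"src": src, "ttl": ttl,
                             "expected": expected, "delta": ttl - expected})
    return suspects


if __name__ == "__main__":
    for suspect in find_suspect_resets(SAMPLE_CAPTURE):
        print(suspect)
```

The tolerance absorbs small legitimate TTL variation such as a route change mid-connection; a flagged reset is a lead to investigate, not proof of injection.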

~~~
mothran
It could be modified to detect both ends of the mirror devices. I would warn
against trusting that model of the GFW because devices are not all placed at
the inbound international connections. I have found that most devices are
deployed farther down the network chain into the regional level, last 10-100
miles ish. For example, I have detected a GFW mirror or device in Tibet.

------
epynonymous
Way to get GitHub banned for life from China! I guess it's time to use GitCafe,
which is a terrible clone...

~~~
hunvreus
Exactly what I thought. Hopefully it won't get too much attention and GitHub
will stay gloriously unblocked. The Internet has gotten painfully censored lately
and I'd rather not have to rely on SSH tunnels for GitHub.

~~~
aneth4
SSH tunnels are detected and throttled in China.

If you use a proper VPN, e.g. PPTP, you'll have much better luck. All of my
traffic is routed through an EC2 instance, which unfortunately means I can't
access Stack Overflow or some other sites since they've blocked EC2.

The lag is hardly noticeable. Actually I think encrypted traffic is faster
since it can't be scanned.

~~~
kyllo
They can block SSH now? Wow.

SSH tunneling to a proxy server worked flawlessly for me when I was living in
China back in 2006. I guess the GFW has gotten a bit more sophisticated since
then.

~~~
aneth4
They have some way of detecting long-running SSH proxies. Your connection will
degrade and then disconnect. No idea how they do it. For all I know, they
break your key and figure out it's just a proxy.

They've recently launched a major upgrade that is also taking down most of the
major VPNs popular with expats, and warning expats that unauthorized VPNs are
illegal and encouraging the use of "local" providers.

It's a little ridiculous. Expats would be severely hampered without access to
many of the sites that are blocked.

------
stcredzero
Someone could publish a DB of the IP addresses and locations. It would be a DB
for Mongol...

