

China's Great Firewall Tests Mysterious Scans On Encrypted Connections - bdr
http://www.forbes.com/sites/andygreenberg/2011/11/17/chinas-great-firewall-tests-mysterious-scans-on-encrypted-connections/

======
hendzen
Link to the posting of the original discovery with technical details included:
<http://www.nsc.liu.se/~nixon/sshprobes.html>

~~~
huetsch
How could such a technique actually give the firewall information pertinent to
whether or not the offending site was illegal? It's like a MITM attack where
they intercept the outgoing ssh connection, send seemingly arbitrary data to
the ssh server on the non-Chinese internet, and then sometimes disrupt the ssh
connection or allow it to pass through.

What information could the response to garbage possibly convey beyond: "how
does this server respond to garbage"?

How would that even help with fingerprinting, which is his suggestion? Would
there even be much variation in how different sshds would respond to that? So
what could you do with that information? 30% of known Tor servers use sshd
version X, so let's ratchet up the frequency of RST packets for connections to
servers of version X? Seems like a long shot: that would be both a
sophisticated attack and have pretty hamfisted results. And how could this
information be used to find open relays? Just guilt by sshd version again,
since statistically machines with open relays have a tendency to run version X
of sshd?

I'd like to hear a security person come and talk instead of my wild
speculations.

~~~
dhx
TCP uses a 32-bit sequence number that should be initially seeded to a
_securely generated_ random number. As each packet is sent back and forth
between endpoints, this number increments by 1. If an adversary wanted to
disrupt the connection (denial of service) they could obtain the sequence
number and other numbers such as the source and destination ports and spoof
some packets pretending to be the real client. It would then become a race
between the real and fake clients as to which packet is accepted first. There
is usually over 2^40 bits of entropy that an adversary would need to know to
hijack a TCP session.

If the adversary is in the middle (MITM) they can read all your traffic and
obtain the required entropy in real time. In this scenario, it doesn't matter
how much entropy is contained in each packet because the adversary knows that
information in real time. Thus the adversary will be able to inject packets to
reset/terminate the TCP session, causing a Denial of Service situation.

Cryptographic protocols including SSH and TLS are designed to solve the
majority of problems that MITM adversaries can cause. The notable exception is
that these protocols rely on unprotected TCP sessions. MITM adversaries are
still able to reset/terminate TCP sessions (when SSH/TLS protocols are
detected).

IPSec protects not only the information transmitted, but the IP packet headers
as well. An Authentication Header (AH)[1] is appended and verified to ensure
that packets haven't been tampered with or forged. MITM session
reset/termination attacks are therefore no longer possible because forged
packets will be ignored.

[1] <https://en.wikipedia.org/wiki/IPsec#Authentication_Header>
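The comment above explains why a reset only succeeds if the forged segment carries a sequence number the receiver will accept. As an added illustration (not from the original post), this models the receiver side: the pre-RFC 5961 rule (any in-window RST tears down the connection) next to the RFC 5961 section 3.2 rule (only an exact RCV.NXT match resets; other in-window RSTs trigger a challenge ACK). An off-path attacker must guess the 32-bit number; an in-path observer reads it and still wins, which is the MITM case the comment describes. The `Receiver` state and window arithmetic are simplified assumptions, not a real TCP stack.

```python
"""RST acceptance with and without RFC 5961 blind-reset mitigation.

Simplified receiver model (assumption): only RCV.NXT and RCV.WND are
tracked, sequence numbers wrap modulo 2^32.
"""
from dataclasses import dataclass

SEQ_MOD = 2 ** 32


@dataclass
class Receiver:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # advertised receive window


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def handle_rst_legacy(r: Receiver, seq: int) -> str:
    """Pre-RFC 5961 behaviour: any in-window RST resets the connection.

    This is the 'race' the comment describes: a forged RST whose sequence
    number lands anywhere in the window is accepted.
    """
    return "reset" if in_window(seq, r.rcv_nxt, r.rcv_wnd) else "drop"


def handle_rst(r: Receiver, seq: int) -> str:
    """RFC 5961 section 3.2: classify an incoming RST segment.

    seq == RCV.NXT            -> "reset"         (connection torn down)
    seq elsewhere in window   -> "challenge_ack" (peer must prove itself)
    seq outside the window    -> "drop"
    """
    if seq == r.rcv_nxt:
        return "reset"
    if in_window(seq, r.rcv_nxt, r.rcv_wnd):
        return "challenge_ack"
    return "drop"


if __name__ == "__main__":
    rx = Receiver(rcv_nxt=4_000_000_000, rcv_wnd=65535)
    for seq in (4_000_000_000, 4_000_000_100, 123):
        print(seq, handle_rst_legacy(rx, seq), handle_rst(rx, seq))
```

Against a MITM who observes the live RCV.NXT both rules return "reset", which is why the comment points to IPsec AH rather than to TCP-level fixes.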

~~~
kahawe
While IPSec would solve the technical problem, using it would unfortunately
make blocking even easier.

------
monkeypizza
China's ssh protection is getting really serious.

VPNs have been horribly bad the last few weeks.

Tunneling through ssh has also stopped working consistently.

I don't know anybody over here who has a good VPN anymore. It's got to be
hurting businesses that collaborate internationally - the net goes down for a
few minutes at a time, throughout the day.

~~~
neolefty
Using a commercial (but certainly not approved) VPN on a home DSL: It works
for a few minutes and then starts to degrade. I wonder if it's related to this
new tactic. It's a little hard to distinguish from old behavior,
unfortunately.

~~~
yinhm
Yes. I believe they started to degrade VPN/SSH, amazonaws.com and Google a
couple of months ago. Things may vary depending on which city you are in and
which ISP you are using, e.g. pptpd can barely connect on my DSL.

------
stupandaus
I've been in China recently and noticed I was having trouble establishing VPN
connections after just a few hours. I would have to find new VPN servers to
connect to every 3 or 4 days.

I have not noticed any drop off in connectivity when using my company's VPN,
but I'm sure this is because this is an authorized VPN.

The most notable blow here is that people using solutions like FreeGate are
getting heavily affected by this. Most Shanghainese people use this to connect
to the outside world.

------
NnamdiJr
This is pretty depressing. It seems like the Chinese government, in creating
new more powerful Internet censorship methods, is outpacing services to
circumvent it.

People like those of us reading this site probably won't have much trouble
finding ways around it, but it seems people (esp. Chinese) who would normally
hop the Great Firewall with ease using VPNs/proxy will have to put in more
effort/get more technical to do that successfully, and I'm afraid that they
won't want to bother.

~~~
wladimir
The thing I fear most is that if anti-ssh/ssl/tor/vpn measures start to be
somewhat effective, western governments will also see it as an excuse to
implement them in the guise of "crime prevention", just now that services such
as gmail are finally adopting it as default.

Which means we'd be forced back to a 90's level of internet security at least
for consumers, I'm sure corporations will be able to 'buy' the right to use
encryption...

------
chaosprophet
Appears to be down. Google Cache:
[http://webcache.googleusercontent.com/search?q=cache%3Awww.f...](http://webcache.googleusercontent.com/search?q=cache%3Awww.forbes.com%2Fsites%2Fandygreenberg%2F2011%2F11%2F17%2Fchinas-great-firewall-tests-mysterious-scans-on-encrypted-connections%2F&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&pws=0)

------
nomdeplume
From <http://www.nsc.liu.se/~nixon/sshprobes.html>:

"So, to more precisely describe what we have found: a small subset of the ssh
logins from Chinese IPs to two of our systems are preceded by one or two
connections from unrelated Chinese IP addresses, in which opaque binary data is
thrown at sshd."

"My hypothesis is that just over a year ago, a new function in the firewall
went into limited beta test, where a sample of outgoing ssh connections from
China is carefully selected for secondary screening."

"For the selected ssh connections, the target system is probed from one or two
IP addresses under the control of the Chinese government. These may be
otherwise innocent addresses that are spoofed at the level of the great
firewall, or they may be actual computers under remote control by the
government - I have no way to tell."

"In some cases, the legitimate ssh connections are unsuccessful; they appear to
be interrupted. This may be a result of the firewall deciding the target system
to be unsuitable and injecting RST packets into the TCP stream to kill it.

The last few weeks, the frequency of the probing has increased. This might
mean the beta test period is nearing its end, and that this function is about
to become more widely deployed."
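The quoted observation is a pattern a server operator can look for in their own sshd logs: an accepted login preceded, within seconds, by one or two connections from unrelated addresses that sent sshd something other than an SSH identification string. As an added example (not code from the linked writeup), this correlates OpenSSH-style syslog lines; the log lines are constructed with RFC 5737 documentation addresses, and the 30-second window and the 2011 year are assumptions.

```python
"""Flag ssh logins preceded by 'garbage' connections from other IPs."""
import re
from datetime import datetime

# Constructed sample log, not real traffic (addresses from RFC 5737).
SAMPLE_LOG = """\
Nov 15 10:02:11 bastion sshd[4101]: Bad protocol version identification '\\x16\\x03\\x01' from 203.0.113.7 port 40122
Nov 15 10:02:12 bastion sshd[4102]: Did not receive identification string from 203.0.113.9
Nov 15 10:02:15 bastion sshd[4103]: Accepted publickey for alice from 198.51.100.23 port 51022 ssh2
Nov 15 11:40:03 bastion sshd[4150]: Accepted password for bob from 192.0.2.44 port 60001 ssh2
Nov 15 12:00:00 bastion sshd[4160]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.50 port 3301
"""

# sshd messages emitted when a peer sends no, or a malformed, SSH banner
PROBE_RE = re.compile(
    r"(Bad protocol version identification|Did not receive identification string)"
    r".* from (\S+)")
LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")
PROBE_WINDOW = 30  # seconds before a login in which a probe counts (assumed)


def parse_ts(line: str, year: int = 2011) -> datetime:
    """Syslog timestamps carry no year; one is assumed for the sample."""
    return datetime.strptime(f"{year} {TS_RE.match(line).group(1)}",
                             "%Y %b %d %H:%M:%S")


def find_preceded_logins(log_text: str, window: int = PROBE_WINDOW):
    """Return [(login_time, user, login_ip, [probe_ips])] for each accepted
    login that followed, within `window` seconds, one or more probe
    connections from addresses other than the login's own."""
    probes, hits = [], []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if (m := PROBE_RE.search(line)):
            probes.append((ts, m.group(2)))
        elif (m := LOGIN_RE.search(line)):
            user, ip = m.groups()
            recent = [p_ip for p_ts, p_ip in probes
                      if 0 <= (ts - p_ts).total_seconds() <= window
                      and p_ip != ip]
            if recent:
                hits.append((ts, user, ip, recent))
    return hits


if __name__ == "__main__":
    for ts, user, ip, probe_ips in find_preceded_logins(SAMPLE_LOG):
        print(f"{ts} login {user}@{ip} preceded by probes from "
              + ", ".join(probe_ips))
```

The lone probe at 12:00 and bob's login are not reported, since neither pairs a probe with a login inside the window; tune the window to the gap you actually observe.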

------
briandear
This is why I am moving my company back to the States and why the Chinese
startup scene is so depressingly obscure. The Chinese government can go to
hell. I'll take my business and dollars somewhere else.

~~~
danssig
Out of the frying pan...

~~~
briandear
At least it won't take me an hour to push to heroku and my aws access won't be
throttled.

~~~
danssig
Today. The US is getting closer to the China model by the day.

EDIT: Downvoters, do you disagree? With the continuous attempts at controlling
the internet and destroying people that get dirt on US corruption? SOPA is
just the latest attempt. It wasn't the first, and if we beat it it won't be
the last.

------
yaix
Oh well, that may be the reason I've problems connecting to my VPN and SSHing
to my server. Not every time, though.

Posting via https works, however.

~~~
nonomatch
There may be a reason Chinese gov't does not view SSL as a threat. Collusion
with CAs?

------
chrislomax
This is so pathetic. Why do the Chinese government think they can tell users
what they should and shouldn't be looking at? I agree that this type of
measure should come into play if there was a guaranteed way of stopping people
looking at child pornography or something like that, but it almost always
appears to be political.

I have not been on the Tor network before and I do not plan to, but it should
be the person's choice whether they access it or not.

China are like the dick head IT manager who turns off javascript at network
group policy level, just because he can.

~~~
PakG1
You're expecting a relatively new Communist government, formed only about half
a century ago and currently governing 1.3 billion people, to change its core
philosophies overnight. It's not so easy. I don't support this stuff, but I
recognize that it's not easy. I bet you it's harder than changing a country's
dependence on oil as an energy source (assuming that viable alternatives are
available). You have to change the world's largest population's philosophies,
governing structure and infrastructure, expectations, etc.

~~~
vorg
India and Japan generally don't censor foreign websites, and their governments
survive OK.

It's a big loss of face for the present leaders to change their policy. But we
keep on hearing the phrase from within China: "Perhaps the new generation of
leaders taking over in October 2012 will have different ideas about web
censorship". If the policy is going to change, it'll be soon after this time
when no government leaders "lose face".

The US and EU are also preparing to challenge China at the WTO claiming the
Great Firewall violates free trade. If the US and EU can get their timing and
level of prodding right, the Firewall might be dismantled. China's already
given their web businesses such as Baidu enough startup advantage from the
Firewall, and will probably find other ways to give advantage to subsequent
startups.

But... the infrastructure's already there in China to block foreign websites.
Anything that exists but isn't used will be used again sooner or later by some
politician, so thanks to Cisco et al the Firewall will always exist even if
"dismantled" under WTO enforcement. Just like the US military is there to
defend the integrity and borders of the Union, to be used as a last resort,
but gets used to invade Iraq for cheap oil.

~~~
PakG1
I think you misunderstood what I'm trying to say. I don't think it's about
losing face. Nor about whether the government survives. It's about cultural
momentum. Look at how hard it is to change policies in any government. Look at
how long it took the US to get socialized health care, despite people
clamoring for it for decades, and even then, that could be repealed by future
administrations, as some GOP folks are demanding.

For the same reasons a startup is nimbler than a big corporation for changing
things, larger countries are slower than smaller countries for making
significant change. India is lucky because it's had a tradition of democracy
and freedom for quite some time. They already had cultural momentum in that
direction, so they don't need to change anything to align with what you want.
Similar for Japan. China, you're asking them to reverse the pull of gravity.

I've worked in teams that were focused on creating big vision cultural and
organizational change in big corporations. I can't even begin to imagine how
difficult it would be in a big government, especially one of China's size, and
one where there is no easy allowance for diversity of opinions.

For example, China's central government is huge on trying to stamp out
corruption. However, despite the number of executions they continually carry
out for corruption matters and the dissatisfaction of the populace, it is
logistically impossible to keep a handle on all of the regional and local
governments. It's a huge complicated machine, and I'd warrant that it's even
more complicated than the US government's operations, judging from what I've
seen living in China.

