How great is the great firewall? Measuring China’s DNS censorship [pdf] (usenix.org)
123 points by SerCe 27 days ago | 60 comments



As someone living blissfully unaware of the struggles people go through in countries with rampant government censorship -- sorry, control for the public good -- of the Internet, it was a bit of a shock when I got some first-hand experience.

I had a customer that wanted to set up some web servers in China so that they could sign up students for some classes at their school.

At first I just assumed that this is a straightforward matter of selecting a Chinese region in a public cloud, deploying a couple of web servers, and we'd be done by lunch. Easy!

Turns out... that this is actually technically achievable, as long as: You have a Chinese business registered in China, you have a photo ID that you register with the "local authorities" (in person!), pay in Renminbi from a Chinese bank account, and read and write Chinese.

No, really. That's the process. Really: https://docs.microsoft.com/en-us/azure/china/overview-checkl...

They want to make sure they have someone by the balls. It's either you personally, or someone willing to step up and take the risk of jailtime on your behalf if you publish anything the Grand Pooh Xi doesn't like.

Meanwhile, I can spin up a server in Dubai or South Africa or Brazil like... right now. No paperwork. No prostrating myself in front of the Police to beg for permission to be able to post government-approved content.

Meanwhile, on the map of AWS or Azure regions -- or on any CDNs map -- there's just a hole where China is. It's like those photos of Earth from space, where you can see the city lights glowing brightly everywhere except for North Korea, where there's just darkness.

Remind me, why do we do business with these people again? Why do we give them our money?


You have to get your ICP number registered by a Chinese national (like you say) and then display it on the footer of all your web pages (if you don't, your site will be taken down & you'll be fined). You've also got to store all data on Chinese citizens on a Chinese server.

And they don't mention this on that page, but for every public IP you want to use in China, you have to re-submit your ICP filing/license paperwork, listing every public IP you will use, and what it is used for. So don't accidentally destroy your AWS load balancer, or you'll need to re-file all your paperwork before you can bring your site back up! (AWS load balancers can't be configured with static IPs)

> Remind me, why do we do business with these people again? Why do we give them our money?

Because then we get money. It's the largest "emerging" market in the world. If you have a product that makes 1 million dollars in the US, do some localization work and launch it in China, and you've doubled your money. Every major corporation is actively working on launching in China, because it's obvious that they're leaving money on the table by not being in China.


I may be unnecessarily cynical, but the only reason you can open up a server anywhere in the west is because you can be gotten by the balls anywhere in the west if you are breaking the laws here. And the issue with spam, child porn, tax evasion has the same probability of occurring in our world as the DNS breakthrough in theirs.

Of course the laws in China are different, but I don’t see why they would be less protective of those laws as we are, even though I would agree that I think that our world is better to live in than theirs.


China is not protecting laws with their firewall, what are you saying?


Clearly the CCP is looking out for Winnie the Pooh and Uyghurs' privacy, not dissent or genocide.


> As someone living blissfully unaware of the struggles people go through in countries with rampant government censorship

Where do you live? Because I know of no major country without rampant government censorship.

> They want to make sure they have someone by the balls. It's either you personally, or someone willing to step up and take the risk of jailtime on your behalf if you publish anything the Grand Pooh Xi doesn't like.

No offense but you make a good argument for why China restricts access. Your comment seems to come more from a political operative than from someone trying to spin up some web servers in China.

> Meanwhile, I can spin up a server in Dubai or South Africa or Brazil like... right now. No paperwork. No prostrating myself in front of the Police to beg for permission to be able to post government-approved content.

You make it sound like that's a good thing? It's not. Also, all those countries you listed have censorship...

> Remind me, why do we do business with these people again? Why do we give them our money?

I don't know. Why are you so desperate to do business in china? Shouldn't you be happy since you aren't doing business in china?

I don't understand people like you. You say we shouldn't do business with china. But you whine about not being able to do business in china.


> No offense but you make a good argument for why china restricts access.

Oh, I understand precisely why they do it. I don't think those reasons are good, and I don't like the GFW in general. This is the same criticism I level against the policies of North Korea, for example. The policies of NK are good for a small group of people in the "inner circle" of Kim Jong-un and no one else. Similarly, the current system in China is good for the people at the top of that system, and no one else.

> Why are you so desperate to do business in china?

I'm most certainly not desperate to do business in China. My customers are desperate, and I need to be able to provide services to them.

I have similar complaints about other limitations to smooth international trade and business. Some of these aren't even political.

- The lack of proper IPv6 support -- especially by cloud vendors -- makes it increasingly difficult to communicate with some areas of the world. Multiple layers of NAT aren't a permanent fix.

- No "regions" for the larger public clouds anywhere near central Africa or from Eastern Europe all the way to Siberia.

- Poor bandwidth even to some locations that are otherwise very friendly to foreign businesses. For example, Chennai had a submarine cable cut a few years ago that caused havoc for a bunch of my customers. Their outsourced staff just couldn't work half the day. It's not a politically motivated firewall barrier, but a bandwidth barrier. The effect however is similar.


> Your comment seems to come from a political operative than someone trying to spin up some web servers in china.

Do you really believe this? Because this screams paranoia to me. I have no idea how you got from GP's comment to suggesting they might be a political operative. I am legitimately baffled by your conclusion. Please explain.


This is a rational response if you look at it from a governance perspective.

Pre-GFW, the government was basically in a position where if there was anything illegal online (not just political stuff, but everything from gambling to piracy) they had no recourse. If they sent a takedown notice the company could basically say "why don't you make me".

So it makes total sense to require a local presence if you want to interact with the local market. The GFW in this case is a tool with which the government can hit any company that doesn't comply...

Frankly, the thing that really is worrying is that because this is so rational from an Internet governance perspective we might well see more and more countries follow this path... Not censorship per se but building up mechanisms to create a more fragmented Internet.


You mean it is a rational thing to request if you want to exercise total control over information in an unlawful dictatorship... I guess yes.

How strange it is to read such a normalizing comment.


No? Even in a democracy laws need to be enforced and that has been really hard if a company violating local laws is not based locally.

It's the same problem why Russian ransomware groups can roam free and piracy is hard to deal with online.

What the laws are, that's politics. How to enforce them is just a matter of technology.

What the GFW shows is a means to an end. You may not agree with the particular end in the case of China and the CCP (I don't either) but the means itself is a result of addressing a rational need that all governments have.

The danger of the GFW is not that China is using it for oppressive purposes. It's that it works and your local democracy may well also look to it to address the same need for governance it has.

Unless you're saying there's going to be some "world government", different countries will continue to disagree on what is legal. And the path ahead is to either accept the impossibility of internet governance, or to build up more walls.


> the means itself is a result of addressing a rational need that all governments have.

This is untrue. China (to survive as a dictatorship) may need to suppress any content. Without respect for laws.

Most countries I have been to don't have this need. They need their laws to be followed and use different means.


Please do tell what other means there are?

There is no difference between suppressing arbitrary content and suppressing illegal content. It doesn't matter if the decision to block comes from a dictator or the people's vote. The technology doesn't care. You either have the ability to block content or you don't.


This is the point: different goals, different means.

One must erase any reference to an historical fact in a matter of hours.

The other needs to dismantle a network of criminals.


Can you please not sentimentalise comments?

There’s a huge difference between a point made in Realpolitik fashion vs saying it’s a norm.

It’s like having long discussions about how bad rape is vs discussing actual policies on how that could be resolved and saying that you can’t discuss policy because “it sounds too cold to my ears”.


This one-sided view lists only the pluses from the "governance perspective". It can have minuses for them too, depending on how their subjects and the rest of the world take it. Most of us belong to one of those two groups and can try to shade our actions accordingly.


Sure, but this technology has only been spreading in recent years. S. Korea blocks adult websites behind an ID check. India has also been shutting down Internet access around protests and the like. Even the FBI has seized domains by requiring ISPs to redirect the DNS name resolution (for anti-piracy cases), which is not that different from how half of the GFW works.

Action wise, I'm personally gonna stock up on a diverse set of VPN technologies... I don't see this trend being bucked any time soon by the trend of where politics is going.


I was setting up a self-hosted VPN to work-around GFW. I tried everything. Some solutions would sort of work, but unreliably, with extremely minimal bandwidth and would suddenly stop working after some time. I can't remember the combinations of transport and obfuscation tech that I tried, but they were considered best bets at the time. I would be very interested in finding out how commercial offerings do it. I'm not comfortable using them, since chances are that they're honeypots.

Funnily enough I traveled to another part of China then, and the Airbnb wifi had practically no GFW-type blocking. GFW is made up of local or provider-specific implementations that vary a lot. It was a small, rural town.


The ecosystem of secure proxies is pretty advanced in China (thanks to, you know ...); you can set up a home router that selectively reroutes traffic through different proxies automatically and transparently based on latency, target IP, domain, etc.

Since Airbnb is international, I guess if someone (assuming it's a small private operation) is offering rental service there, they might as well set up a proxy for foreign guests.

> Some solutions would sort of work, but unreliably, with extremely minimal bandwidth and would suddenly stop working after some time

The sad part is, anti-proxy technology is also fairly advanced. Most well-known VPN protocols such as OpenVPN, AnyConnect, IPSec and WireGuard can be identified via traffic analysis; once the GFW detects suspicious traffic, it may launch probes to further investigate the service. That's why Chinese people use Shadowsocks, Clan and V2Ray; those proxies are designed to protect themselves from these situations.

Shadowsocks and V2Ray require some know-how to set up correctly. Notably, Shadowsocks requires AEAD ciphers to be relatively safe, and you should never run Tor through it due to flaws in its transport protocol. As for V2Ray, avoid the VMess protocol since it is known to be vulnerable to probe attacks.


Your description of the symptom was more or less the same as my personal experience, but the conclusion might be a little bit off IMO. I first tried to deploy proxies to Google App Engine and use PAC scripts to auto-switch between them. It was super fast and worked for ONE day. I really mean one day here; the whole thing stopped working the next day, obviously the maneuver was detected and busted. Then I tried both public and commercial VPN services, but all of them were either unstable or slow, or even both. At the same time, I almost never had any problems with corporate VPNs, but I did not want personal stuff to go through company networks, so I hardly used them unless I had no choice. Things did not change much until AWS/Azure emerged. I almost immediately deployed an Azure VM dedicated to VPN when it became available to my MSDN subscription. I was pretty comfortable with it, as even if my VM got blocked, I could actually redeploy it to a different region in minutes. It turned out I worried too much; I never had any drama with it since I kept a very low profile and the VPN was really for myself only.

DNS pollution was for sure only one means of the blocking. Even if the IP address of the site got resolved correctly, the site could not be reached as a result of "Connection reset" or "Remote host closed the connection" errors. I thought the blocking was all the time and everywhere until I accidentally realized that I had just accessed some site without the VPN connected, and such a state could last from hours to days; as long as I did not access content deemed sensitive, sites did not seem to matter that much, as blocking would not be triggered until I clicked some links. HTTPS did not seem to help at all, so the GFW must have the ability to do deep packet analysis. Such behavior makes sense to me, as the network traffic in China is enormous; even the government would not have enough resources to monitor everything all the time, so the practical approach would be using a little bit of heuristics and commencing blocking only when certain signals were triggered. Also I encountered a couple of man-in-the-middle attacks, as I noticed my browser was not happy with the site's certificates. Such attacks might be carried out by the ISP, as the certificates were self-signed.


Same for me. While I was experimenting I noticed that my ability to connect without blockages was subject to how much attention I've drawn to myself. That part was pretty eerie.


I'm buying a China Mobile Hong Kong SIM. 10 EUR for 10 GB, free roaming in the mainland. I can access any blocked service in the mainland at full speed. Usually putting a VPN layer on top. No speed impact.

The SIM can be purchased in any convenience store in HK without identification.

That's the easiest solution in my eyes.



How can your laptop use it? Use the mobile as a hotspot?


Yes, I did that.


Last I checked, the v2ray project was state of the art for GFW bypass[0].

[0] https://guide.v2fly.org/en_US/basics/vmess.html


That's fascinating -- I'd never heard of it before. How does it compare in effectiveness at evading DPI and FW detection in comparison to, say, Tor with the meek-azure obfsproxy that reflects traffic off Microsoft's Azure service?


V2ray is a plugin used on top of shadowsocks

I believe Google's outline uses it


I had the same experience, trying to self-host my VPN or other evasion solutions only served to get my server and domains banned for all other purposes from inside the GFW. The symptoms were exactly the same as you described (at first, they "sort of work, but unreliably, with extremely minimal bandwidth and would suddenly stop working after some time").

In the end, I'm not going to try that anymore, I haven't been in China for 2+ years now due to COVID, but next time, I'll hope my server is out of the blacklist again and hope I can access my (self-hosted) emails and other normal services that don't try to evade it.

The student VPN of another Asian university or the employee VPN of a well established company seemed to work last time. Not sure if that can be counted on reliably though...


Self-hosted v2ray and shadowsocks with the Cloak addon were reliable in 2019.

A Japan VPS location worked OK to access European sites, much better than Hong Kong-based ones, but I guess that's the peering.

https://www.v2ray.com/en/ https://github.com/cbeuw/Cloak


Did you try any public wifi in that small town? In China, much of GFW circumvention happens at the router level. You can easily buy special routers on taobao with shadowsocks built in. It's possible your AirBNB host simply had their internet set up to bypass the GFW by default as a convenience for their guests.


Great paper! Things that stood out while skimming:

- Bidirectional DNS poisoning: China can send forged DNS responses if you try to access certain Chinese domains from outside the GFW. This isn't server-side enforced geoblocking.

- GFW uses a small space of forged IPs, some belonging to Facebook, Twitter, Dropbox which may be responsible for a non-negligible overhead in server costs responding to HTTP requests for irrelevant hostnames.

Can FB sue China in court for damages for the cost of serving these forged requests?


No they cannot https://en.m.wikipedia.org/wiki/Sovereign_immunity.

They had to pass a special law to allow the 9/11 families to sue https://en.m.wikipedia.org/wiki/Justice_Against_Sponsors_of_...


Sovereign Immunity would only apply to attempts to sue China in a Chinese court, other courts in other nations may well side with Facebook. Of course these other courts would have limited means to enforce their rulings.


No, it applies in foreign courts as well. That’s why the 9/11 families needed that US law; they didn’t sue in Saudi, they sued in New York.


> Can FB sue China in court for damages for the cost of serving these forged requests?

Sure they can. They can't win, but they can waste time and money.


Packets from the China mainland to these forged IPs are routed to blackhole at the international network outlet of China. So, normally there is no overhead for sites like Facebook.


Nope. For the 2nd item, I don't see a reason why the GFW would do that. I did see some domain names resolved to 0.0.0.0 or 127.0.0.1, which is nice and easy and unlikely to cause a problem. And in most cases, the host names were actually correctly resolved but the request either timed out or got a connection reset error etc., as such methods are the cheapest way to block access at scale.


You do realize that the concept of a court is completely country-specific? What court do you mean?


Courts in China work just as well/badly as in, say, the US. A specific name doesn't change that.


I mean that China isn't an entity that you could sue; any foreign court has no power over China, and suing the Chinese government in a Chinese court is a joke (much more than doing the same in the US, by the way).


Suing the US government in a US court is only possible insofar as the US government agrees to be sued. It's the principle of sovereign immunity.


One of the details that I found really interesting is that the great firewall blocks any website that matches *torproject.org like the innocuous mentorproject.org.

The paper is also accompanied by an excellent presentation on the USENIX channel, https://www.youtube.com/watch?v=nPwsROLZrnc.
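The over-blocking described in this comment (a rule for *torproject.org catching mentorproject.org) comes from matching the blocked name as a plain substring rather than as a DNS suffix on a label boundary. The following is an added example, written for this thread and not taken from the paper or from any blocklist implementation; the rule set and sample hostnames are constructed. It shows both matchers side by side and lists which names the substring rule blocks that a label-aware rule would not.

```python
"""Added example (not from the paper or the thread): substring blocklist
matching versus label-boundary suffix matching for DNS names."""


def substring_match(hostname: str, pattern: str) -> bool:
    """Naive rule: blocked if the pattern occurs anywhere in the hostname.
    This reproduces the *torproject.org behaviour the comment describes."""
    return pattern.lower() in hostname.lower()


def suffix_match(hostname: str, pattern: str) -> bool:
    """Label-aware rule: blocked only if the hostname equals the pattern
    or ends with '.' followed by the pattern (a true subdomain)."""
    h = hostname.lower().rstrip(".")
    p = pattern.lower().rstrip(".")
    return h == p or h.endswith("." + p)


# Constructed rule set; the real GFW list is not reproduced here.
BLOCKED_DOMAINS = ["torproject.org"]

# Constructed probe names, chosen to exercise the edge cases.
SAMPLE = [
    "www.torproject.org",          # genuine subdomain: both rules block
    "torproject.org",              # exact match: both rules block
    "mentorproject.org",           # unrelated domain: substring rule over-blocks
    "torproject.org.example.com",  # unrelated domain: substring rule over-blocks
    "example.org",                 # neither rule blocks
]


def classify(hostnames, matcher):
    """Map each hostname to True if any blocklist entry matches under `matcher`."""
    return {h: any(matcher(h, p) for p in BLOCKED_DOMAINS) for h in hostnames}


def overblocked(hostnames):
    """Hostnames the substring rule blocks but the label-aware rule does not."""
    naive = classify(hostnames, substring_match)
    strict = classify(hostnames, suffix_match)
    return sorted(h for h in hostnames if naive[h] and not strict[h])


if __name__ == "__main__":
    for name, blocked in classify(SAMPLE, substring_match).items():
        print(f"substring rule: {name:28s} blocked={blocked}")
    for name, blocked in classify(SAMPLE, suffix_match).items():
        print(f"suffix rule:    {name:28s} blocked={blocked}")
    print("over-blocked by substring rule:", overblocked(SAMPLE))
```

The label-aware matcher is what a resolver-side filter or a corporate DNS policy should use; the fourth sample name shows that the substring rule also catches a host under an entirely different registered domain whenever the blocked name appears in a left-hand label.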


Does that mean such domains don't get any spam/traffic from China?


The researchers mentioned that they had "controlled machines located in China". Given the number of requests sent by these machines every day, how did they avoid being detected? Isn't it very suspicious for a machine to send a huge amount of requests to blocked domains every day?


So, what's the conclusion? How great? If there is a censorship/surveillance competition, who will win, GFW or NSA?


>who will win, GFW or NSA

Both. Neither. (Is there a difference for us? I doubt it.)


I know it's a massive PITA for corps trying to secure devices in that country.

The state of what's allowed through TGFWC changes constantly.


Semi-private under-the-radar solutions are reliable, affordable, and readily available, to anyone who cares to Google for a few minutes. Including Gigabit-size holes and very low [added] latency to Japan, HK, Singapore, and other places.


Yes, it's always easy to simply not comply with the law. That wasn't in question.


The Open Technology Fund is one of the most underrated government agencies out there.


Is there a paper or article about the economics of China's Great Firewall?


IMHO, the most annoying thing about the great firewall is not the censorship - it's the bandwidth. Every single night in China, right around the time Chinese people start streaming, for about 4-5 hours, the bandwidth from anywhere to China goes to complete shit. You can't deploy anything or transfer data, it'll just time out or get corrupted.

Interestingly, "time in China" is one time, because China has 1 official time zone. Even though it spans 5 geographical time zones. Unless you're in Xinjiang, in which case if you're talking to a Uyghur or Kazakh, they're using Xinjiang time, which is 2 hours behind Beijing Time. Unless you're watching a non-Uyghur/Kazakh TV channel, in which case the time is back in Beijing Time.


What is the state of the art in GFW bypass, please?


Is there a way to group the "forged IP address" by class-C or class-B ?
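Two things in this thread fit one worked example: the earlier summary of the paper's finding that forged answers come from a small pool of IP addresses, and this question about grouping those addresses by class-C or class-B. The code below is an added example written for this thread, not code from the paper or from gfwatch.org. It applies the paper's observation as a detection heuristic (an answer address returned for several unrelated registered domains is a poisoning candidate) and then groups the candidates by /24 and /16, the CIDR equivalents of class C and class B. The resolver observations are constructed and use RFC 5737 documentation ranges in place of any real forged or legitimate addresses; the registered-domain helper is a deliberate simplification (last two labels) and would need a public-suffix list in real use.

```python
"""Added example (not from the paper or the thread): flag DNS answer
addresses shared across many unrelated domains, then group them by /24
and /16. Sample data is constructed from RFC 5737 documentation ranges."""
from collections import defaultdict
import ipaddress

# Constructed resolver observations: (queried name, A-record answer).
# 203.0.113.0/24 plays the role of ordinary, distinct answers;
# 192.0.2.0/24 and 198.51.100.0/24 play the role of a small forged pool.
OBSERVATIONS = [
    ("alpha.example", "203.0.113.10"),
    ("beta.example", "203.0.113.20"),
    ("www.beta.example", "203.0.113.20"),   # same registered domain, same IP
    ("blocked-one.example", "192.0.2.7"),
    ("blocked-two.example", "192.0.2.7"),
    ("blocked-three.example", "192.0.2.7"),
    ("blocked-four.example", "192.0.2.9"),
    ("blocked-five.example", "192.0.2.9"),   # only two domains: below threshold
    ("blocked-six.example", "198.51.100.3"),
    ("blocked-seven.example", "198.51.100.3"),
    ("blocked-eight.example", "198.51.100.3"),
    ("gamma.example", "203.0.113.30"),
]


def registered_domain(name: str) -> str:
    """Simplified registered domain: the last two labels (assumption; a
    public-suffix list is required for names like example.co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shared_answer_ips(observations, min_domains: int = 3):
    """Return {ip: [registered domains]} for answer addresses that were
    returned for at least `min_domains` distinct registered domains."""
    domains_by_ip = defaultdict(set)
    for qname, ip in observations:
        domains_by_ip[ip].add(registered_domain(qname))
    return {ip: sorted(d) for ip, d in domains_by_ip.items()
            if len(d) >= min_domains}


def group_by_prefix(ips, prefix_len: int):
    """Group addresses by the /prefix_len network containing them,
    e.g. 24 for class C-sized blocks and 16 for class B-sized blocks."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(ip)
    return {net: sorted(members) for net, members in sorted(groups.items())}


def summarize(observations, min_domains: int = 3):
    """Run the heuristic and produce the /24 and /16 groupings."""
    suspects = shared_answer_ips(observations, min_domains)
    return {
        "suspect_ips": sorted(suspects),
        "by_24": group_by_prefix(suspects, 24),
        "by_16": group_by_prefix(suspects, 16),
    }


if __name__ == "__main__":
    report = summarize(OBSERVATIONS)
    print("suspect answer IPs:", report["suspect_ips"])
    print("grouped by /24:", report["by_24"])
    print("grouped by /16:", report["by_16"])
```

The threshold keeps a shared address that legitimately serves one organisation's hosts (beta.example and www.beta.example) out of the candidate list; on real data you would also want to compare the answer against a resolver outside the censored path, which is the bidirectional check the paper's measurement relies on, and to drop known CDN and shared-hosting ranges before grouping.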


To access the latest data: https://gfwatch.org/


Discussions about the great firewall would be incomplete without mentioning the great cannon.

https://citizenlab.ca/2015/04/chinas-great-cannon/


Did you even open the pdf? This research is done by citizen lab.


The report only mentions the cannon in passing, more than half way through. It would be easy to miss.


I want an in-and-out-app-specific firewall on linux and only then, I will be happy... something a lot like https://github.com/evilsocket/opensnitch/



