Identifying IP address of filtering devices in the Great Firewall of China (github.com)
64 points by mediumdeviation on Dec 17, 2012 | 19 comments

The GFW doesn't really have filtering devices with IP addresses.

For filtering in the literal sense, i.e. address-based packet null routing, all you can find is general carrier routers with their routing tables being dynamically manipulated by BGP commands sent by the GFW. You can't know where the commands come from.

For "filtering" described in this research, it's active connection disruption with spoofed TCP reset packets. The GFW mirrors traffic via some routers for detection and sends spoofed traffic for disruption. It doesn't have an IP address per se. This tool can find out from which router the GFW mirrors traffic, but not the GFW itself.

Here is a previous illustration on the topology of GFW networks: https://media.torproject.org/image/community-images/topology...

It could be modified to detect both ends of the mirror devices. I would warn against trusting that model of the GFW because devices are not all placed at the inbound international connections. I have found that most devices are deployed farther down the network chain into the regional level last 10-100 miles ish. For example I have detected a GFW mirror or device in Tibet.

Way to get GitHub banned for life from China! I guess it's time to use gitcafe, which is a terrible clone...

Exactly what I thought. Hopefully it won't get too much attention and GitHub will stay gloriously unblocked. The Internet has gotten painfully censored lately and I'd rather not have to rely on SSH tunnels for GitHub.

It may be better to block it. In the long term the Chinese might learn that it is better not to block the internet than to lose the resources it provides. An interesting twist would be to get every popular site banned.

The Chinese government seems intelligent enough to understand that China will be better if they can use the resources provided by the rest of the world. They are not Syria.

Two things:

- "In the long term" doesn't make for a more favorable environment to the tech savvy users supposed to push that change.

- I'm not sure you quite understand how ballsy they are. If they've cut Facebook, Twitter, YouTube and find time to screw in a real sneaky fashion with Google, I think it's safe to say they'd block Github without even thinking twice.

Then put this type of info (and references to Tiananmen Square) on every important science and technology website in the world. At some point, the government either has to let go and start freeing things up, or end up isolating themselves further. At the very least, it'll highlight the problem to the populace.

My own government is seeking to restrict Internet openness. Sucks. Highlight it at every opportunity, I say.

Yep. If the gov has to block everything, they come closer to being compared to North Korea and Iran. I hate the blocking, and the VPN disruption lately is absolutely painful, but maybe if they piss enough people off, there will be some significant pushback.

Xi is not getting off to a good start.

And NYTimes, Bloomberg, UK Telegraph, and many others.

China actually blocks the services for many reasons other than just censorship. It's also a very effective method of protectionism. China now has its own thriving social networks - QQ, Weixin, and successful e-commerce and search sites. This may not have occurred if China did not use censorship as an excuse to block US based sites.

SSH tunnels are detected and throttled in China.

If you use a proper VPN, e.g. PPTP, you'll have much better luck. All of my traffic is routed through an ec2 instance, which unfortunately means I can't access stackoverflow or some other sites since they've blocked ec2.

The lag is hardly noticeable. Actually I think encrypted traffic is faster since it can't be scanned.

They can block SSH now? Wow.

SSH tunneling to a proxy server worked flawlessly for me when I was living in China back in 2006. I guess the GFW has gotten a bit more sophisticated since then.

They have some way of detecting long running ssh proxies. Your connection will degrade and then disconnect. No idea how they do it. For all I know, they break your key and figure out it's just a proxy.

They've recently launched a major upgrade that is also taking down most of the major VPNs popular with expats, and warning expats that unauthorized VPNs are illegal and encouraging the use of "local" providers.

It's a little ridiculous. Expats would be severely hampered without access to many of the sites that are blocked.

We actually are setting up IPsec between our LAN and a Linode box in Japan (we love Linode, especially for things we know will be bandwidth intensive). But this is not necessarily possible for everybody.

As for SSH tunneling: no issue so far. A few years back, my tunnels used to be reset on a regular basis but not recently.

GitHub is unlikely to be blocked because of this - many projects and pages associated with the Firewall already exist there. Just Google

    site:github.com great firewall of china

And anyway, if you're serious about surfing the net from inside China you'd already have a proxy or VPN set up.

Does your VPN still work? They've gotten incredibly efficient about screwing up VPNs lately.

That can hardly be an argument not to. Time to use a proxy?

Plain text proxy was banned by the GFW, like a decade ago.

Perhaps, but the real prize for an authoritarian is just this kind of fear.

Someone could publish a DB of the IP addresses and locations. It would be a DB for Mongol...
