{"id":56,"date":"2017-06-14T23:17:11","date_gmt":"2017-06-14T21:17:11","guid":{"rendered":"https:\/\/caipirinha.spdns.org\/wp\/?p=56"},"modified":"2019-10-01T23:37:58","modified_gmt":"2019-10-01T21:37:58","slug":"internet-censorship-in-china","status":"publish","type":"post","link":"https:\/\/caipirinha.spdns.org\/wp\/?p=56","title":{"rendered":"Internet Censorship in China"},"content":{"rendered":"\n<p>Wikipedia offers an excellent technical overview of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_censorship_in_the_People%27s_Republic_of_China\">Internet Censorship in China<\/a> as well as the underlying technical features of the \u201cfirewall\u201d (the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Golden_Shield_Project\">Golden Shield Project<\/a>) which is used to censor internet content and its principal architect <a href=\"http:\/\/en.wikipedia.org\/wiki\/Fang_Binxing\">Fang Binxing<\/a>.\n<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>This article concentrates on the effects of the internet censorship to work-related aspects, and so it currently does <strong>not cover<\/strong>:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>political motivations, justifications or evaluations of the internet censorship<\/li><li>advanced strategies to circumvent internet censorship<\/li><li>internet censorship in Chinese social media and in the tainted <a href=\"http:\/\/skype.tom.com\/\">TOM-Skype<\/a> (which is phased out now)<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Seasonal and Geographic Dependencies<\/h3>\n\n\n\n<p>It is important to know that the degree of internet censorship in China is not unified, but depends on:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Public holidays<\/strong>: During public holidays like <a href=\"http:\/\/en.wikipedia.org\/wiki\/Spring_Festival\">Chinese New Year<\/a> or the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Golden_Week_%28China%29\">Golden Week<\/a>, more restrictions seem to apply 
and encrypted connections to overseas hosts are slower than otherwise.<\/li><li><strong>Important political events<\/strong>: During power transitions, Politburo sessions or important trials of cadres of the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Chinese_Communist_Party\">Chinese Communist Party (CCP)<\/a>, tighter restrictions apply, more sites may be blocked, and the overall speed to overseas hosts is throttled.<\/li><li><strong>Network type<\/strong>: Mobile networks often have tighter restrictions than wired networks at home, and <a href=\"http:\/\/en.wikipedia.org\/wiki\/VPN\">VPN<\/a> clients that work well from a residential connection might be blocked altogether in a mobile network.<\/li><li><strong>Operator<\/strong>: Some operators (typically smaller ones) have a more\n \u201clenient\u201d approach than others. Even the same operator can have \ndifferent rules depending on whether an <a href=\"http:\/\/en.wikipedia.org\/wiki\/ADSL\">ADSL<\/a> or an <a href=\"http:\/\/en.wikipedia.org\/wiki\/Ethernet\">Ethernet<\/a> connection in a residential apartment is used.<\/li><li><strong>Provinces<\/strong>: Some Chinese provinces have a more \u201clenient\u201d approach than others.<\/li><li><strong>Entity<\/strong>: Some entities get \u201cspecial attention\u201d from the Chinese authorities. The <a href=\"http:\/\/www.goethe.de\/ins\/cn\/pek\/\">Goethe Institut<\/a>\n in Beijing, for example, reportedly experienced tighter \nrestrictions than residential internet connections in Beijing during the \ntransition from <a href=\"http:\/\/en.wikipedia.org\/wiki\/Hu_Jintao\">Hu Jintao (\u80e1\u9526\u6d9b)<\/a> to <a href=\"http:\/\/en.wikipedia.org\/wiki\/Xi_Jinping\">Xi Jinping (\u4e60\u8fd1\u5e73)<\/a> in 2012.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Approach<\/h3>\n\n\n\n<p>Internet censorship in China is not an \u201call or nothing\u201d approach, as one \nmight expect initially. 
Rather, it is characterized as follows:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Some pages and services are <strong>completely blocked<\/strong>. Examples: <a href=\"http:\/\/www.taiwan.gov.tw\/\">[1]<\/a>, <a href=\"http:\/\/www.nytimes.com\/\">[2]<\/a>, <a href=\"http:\/\/www.xing.de\/\">[3]<\/a>, <a href=\"http:\/\/www.facebook.com\/\">[4]<\/a><\/li><li>Some pages and services are <strong>hampered<\/strong> and might work \nsometimes, but sometimes not. Or they might work on a smartphone, but \nnot on a desktop to the same degree. Examples: <a href=\"http:\/\/www.google.com\/\">[5]<\/a>, <a href=\"http:\/\/maps.google.com\/\">[6]<\/a><\/li><li>Some pages and services work <strong>without problems<\/strong>. Examples: <a href=\"http:\/\/www.microsoft.com\">[7]<\/a>, <a href=\"http:\/\/www.philips.com\/\">[8]<\/a><\/li><li>Overseas <a href=\"http:\/\/en.wikipedia.org\/wiki\/VPN\">VPN<\/a> providers usually work (although using them in China is a \u201clegal grey area\u201d), but selected ones may experience <strong>temporary problems<\/strong>, especially if they have accumulated many clients from within China.<\/li><li>Some hosts may be <strong>blocked<\/strong> because they have services that contravene the ideas of the Chinese authorities, but they may be <strong>unblocked<\/strong> when the related service has been shut off.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Goal<\/h3>\n\n\n\n<p>The goal of this somewhat ambiguous approach is to make it troublesome \nfor users in China to access certain services and to steer Chinese\n internet users towards the domestic counterparts of internationally known \nservices like:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"http:\/\/www.baidu.com\/\">Baidu (\u767e\u5ea6) Search<\/a> rather than <a href=\"http:\/\/www.google.com\/\">Google Search<\/a><\/li><li><a href=\"http:\/\/map.baidu.com\/\">Baidu Maps (\u7535\u5b50\u5730\u56fe-\u767e\u5ea6)<\/a> rather than <a 
href=\"http:\/\/maps.google.com\">Google Maps<\/a><\/li><li><a href=\"http:\/\/weibo.com\/\">Sina Weibo (\u65b0\u6d6a\u5fae\u535a)<\/a>, <a href=\"http:\/\/t.qq.com\">Tencent Weibo (\u817e\u8baf\u5fae\u535a)<\/a>, <a href=\"http:\/\/www.renren.com\/\">Ren Ren (\u4eba\u4eba\u7f51)<\/a>, etc. rather than <a href=\"http:\/\/plus.google.com\/\">Google+<\/a>, <a href=\"http:\/\/www.facebook.com\/\">Facebook<\/a>, <a href=\"http:\/\/www.twitter.com\/\">Twitter<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Technical Realization<\/h2>\n\n\n\n<p>Basically, there are three layers of filtering which are applied and which have different advantages and disadvantages:\n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">DNS Spoofing<\/h3>\n\n\n\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/DNS_spoofing\"><strong>DNS Spoofing<\/strong><\/a>: When a <a href=\"https:\/\/en.wikipedia.org\/wiki\/URL\">uniform resource locator (URL)<\/a> (e.g. <a href=\"http:\/\/plus.google.com\/\">\u201cplus.google.com\u201d<\/a>) is entered into the address line of a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_browser\">web browser<\/a>, the user&#8217;s computer has to resolve this name into an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Ip_address\">IP address<\/a>. This task is performed by a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_name_server\">name server<\/a> via UDP port 53 or TCP port 53. Then, the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_browser\">web browser<\/a> contacts the respective destination (as referenced by its <a href=\"https:\/\/en.wikipedia.org\/wiki\/Ip_address\">IP address<\/a>) and requests a web page. The whole procedure of address resolution is hidden from the user. 
Of course, the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_name_server\">name server<\/a>\n itself must also be known to the user&#8217;s machine by its IP address, \neither because the machine has been configured to use a specific name \nserver (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Static_IP#Static_IP\">static IP configuration<\/a>) or because the IP address has been transferred to the user&#8217;s machine in the course of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dhcp\">dynamic host configuration protocol (DHCP)<\/a>. When a user connects his computer to an internet connection inside China using <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dhcp\">DHCP<\/a>, then he is assigned a Chinese <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_name_server\">name server<\/a>, usually from an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_Service_Provider\">Internet Service Provider (ISP)<\/a>. All the Chinese <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_Service_Provider\">ISPs<\/a> are given a list of domains which they <strong>must not resolve correctly<\/strong>, and their name servers typically hand back bogus or incorrect IP addresses then. 
An example shall highlight this:\n<\/p>\n\n\n\n<p>Asking for address resolution of \u201cwww.facebook.com\u201d with a Chinese <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_name_server\">name server<\/a> (202.96.69.38) results in an incorrect address (93.46.8.89) belonging to an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_Service_Provider\">ISP<\/a> in Milan (Italy):\n<\/p>\n\n\n\n<p><code>caipirinha:~ # nslookup www.facebook.com 202.96.69.38<br> Server:         202.96.69.38<br> Address:        202.96.69.38#53<\/code><\/p>\n\n\n\n<p><code>Non-authoritative answer:<br> Name:   www.facebook.com<br> Address: 93.46.8.89<\/code><\/p>\n\n\n\n<p><code>caipirinha:~ # whois 93.46.8.89<br> % This is the RIPE Database query service.<br> % The objects are in RPSL format.<br> %<br> % The RIPE Database is subject to Terms and Conditions.<br> % See http:\/\/www.ripe.net\/db\/support\/db-terms-conditions.pdf<\/code><\/p>\n\n\n\n<p><code>% Note: this output has been filtered.<br> %       To receive output for a database update, use the \"-B\" flag.<\/code><\/p>\n\n\n\n<p><code>% Information related to '93.46.0.0 - 93.46.15.255'<\/code><\/p>\n\n\n\n<p><code>% Abuse contact for '93.46.0.0 - 93.46.15.255' is 'abuse@fastweb.it'<\/code><\/p>\n\n\n\n<p><code>inetnum:        93.46.0.0 - 93.46.15.255<br> netname:        FASTWEB-DPPU<br> descr:          Infrastructure for Fastwebs main location<br> descr:          NAT POOL 6 for residential customer POP 3602, public subnet<br> country:        IT<br> admin-c:        IRSN1-RIPE<br> tech-c:         IRSN1-RIPE<br> status:         ASSIGNED PA<br> mnt-by:         FASTWEB-MNT<br> remarks:        In case of improper use originating from our network,<br> remarks:        please mail customer or abuse@fastweb.it<br> source:         RIPE # Filtered<\/code><\/p>\n\n\n\n<p><code>person:         IP Registration Service NIS<br> address:        Via Caracciolo, 51<br> address:        20155 Milano MI<br> address:        Italy<br> phone:          
+39 02 45451<br> fax-no:         +39 02 45451<br> nic-hdl:        IRSN1-RIPE<br> mnt-by:         FASTWEB-MNT<br> remarks:<br> remarks:        In case of improper use originating<br> remarks:        from our network,<br> remarks:        please mail customer or abuse@fastweb.it<br> remarks:<br> source:         RIPE # Filtered<\/code><\/p>\n\n\n\n<p><code>% Information related to '93.44.0.0\/14AS12874'<\/code><\/p>\n\n\n\n<p><code>route:          93.44.0.0\/14<br> descr:          Fastweb Networks block<br> origin:         AS12874<br> mnt-by:         FASTWEB-MNT<br> source:         RIPE # Filtered<\/code><\/p>\n\n\n\n<p><code>% This query was served by the RIPE Database Query Service version 1.70.1 (WHOIS1)<\/code><\/p>\n\n\n\n<p>The next example shows the correct address resolution by asking the <a href=\"https:\/\/developers.google.com\/speed\/public-dns\/docs\/using\">Google public name server<\/a> (8.8.8.8). The resolved address is 31.13.73.65 and really belongs to Facebook.\n<\/p>\n\n\n\n<p><code>caipirinha:~ # nslookup www.facebook.com 8.8.8.8<br> Server:         8.8.8.8<br> Address:        8.8.8.8#53<\/code><\/p>\n\n\n\n<p><code>Non-authoritative answer:<br> www.facebook.com        canonical name = star.c10r.facebook.com.<br> Name:   star.c10r.facebook.com<br> Address: 31.13.73.65<\/code><\/p>\n\n\n\n<p><code>caipirinha:~ # whois 31.13.73.65<br> % This is the RIPE Database query service.<br> % The objects are in RPSL format.<br> %<br> % The RIPE Database is subject to Terms and Conditions.<br> % See http:\/\/www.ripe.net\/db\/support\/db-terms-conditions.pdf<\/code><\/p>\n\n\n\n<p><code>% Note: this output has been filtered.<br> %       To receive output for a database update, use the \"-B\" flag.<\/code><\/p>\n\n\n\n<p><code>% Information related to '31.13.64.0 - 31.13.127.255'<\/code><\/p>\n\n\n\n<p><code>% Abuse contact for '31.13.64.0 - 31.13.127.255' is 'domain@fb.com'<\/code><\/p>\n\n\n\n<p><code>inetnum:        31.13.64.0 - 31.13.127.255<br> netname:      
  IE-FACEBOOK-20110418<br> descr:          Facebook Ireland Ltd<br> country:        IE<br> org:            ORG-FIL7-RIPE<br> admin-c:        RD4299-RIPE<br> tech-c:         RD4299-RIPE<br> status:         ALLOCATED PA<br> mnt-by:         RIPE-NCC-HM-MNT<br> mnt-lower:      fb-neteng<br> mnt-routes:     fb-neteng<br> source:         RIPE # Filtered<\/code><\/p>\n\n\n\n<p><code>organisation:   ORG-FIL7-RIPE<br> org-name:       Facebook Ireland Ltd<br> org-type:       LIR<br> address:        Facebook Ireland Ltd Hanover Reach, 5-7 Hanover Quay 2 Dublin Ireland<br> phone:          +0016505434800<br> fax-no:         +0016505435325<br> admin-c:        PH4972-RIPE<br> mnt-ref:        RIPE-NCC-HM-MNT<br> mnt-ref:        fb-neteng<br> mnt-by:         RIPE-NCC-HM-MNT<br> abuse-mailbox:  domain@fb.com<br> abuse-c:        RD4299-RIPE<br> source:         RIPE # Filtered<\/code><\/p>\n\n\n\n<p><code>role:           RIPE DBM<br> address:        1601 Willow Rd.<br> address:        Menlo Park, CA, 94025<br> admin-c:        PH4972-RIPE<br> tech-c:         PH4972-RIPE<br> nic-hdl:        RD4299-RIPE<br> mnt-by:         fb-neteng<br> source:         RIPE # Filtered<br> abuse-mailbox:  domain@fb.com<\/code><\/p>\n\n\n\n<p><code>% This query was served by the RIPE Database Query Service version 1.70.1 (WHOIS3)<\/code><\/p>\n\n\n\n<p>Now, the obvious circumvention of <a href=\"https:\/\/en.wikipedia.org\/wiki\/DNS_spoofing\"><strong>DNS Spoofing<\/strong><\/a> by the Chinese <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_Service_Provider\">ISP<\/a> seems to be to use <a href=\"https:\/\/developers.google.com\/speed\/public-dns\/docs\/using\">Google&#8217;s public name server<\/a>. However, the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Golden_Shield_Project\">Golden Shield<\/a> clandestinely reroutes all DNS requests to outside China back to Chinese <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_name_server\">name servers<\/a>. 
Hence, even if you try to access one of <a href=\"https:\/\/developers.google.com\/speed\/public-dns\/docs\/using\">Google&#8217;s public name servers<\/a>, you end up with a Chinese <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_name_server\">name server<\/a>.\n<\/p>\n\n\n\n<p>From a <strong>censor&#8217;s viewpoint<\/strong>, this approach has the advantage\n that it is easy to implement and does not require additional \ninfrastructure. It also does not slow down connections between China and\n overseas hosts. The disadvantage is that it is easy to overcome <a href=\"http:\/\/campus.murraystate.edu\/academic\/faculty\/wlyle\/540\/2013\/Bu.pdf\">[9]<\/a>.\n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IP Blocking<\/h3>\n\n\n\n<p>The next layer is a <strong>complete blocking of IP addresses<\/strong> or <strong>IP address ranges<\/strong>\n so that these machines simply become unavailable in China. This is \noften done with overseas VPN endpoints in order to prevent connections to\n them from within China. On internet gateways, the packet filter table can be \nmodified by commands like these:\n<\/p>\n\n\n\n<p><code>iptables -t filter -A FORWARD -d 186.192.80.0\/20 -j DROP<\/code><\/p>\n\n\n\n<p><code>iptables -t filter -A FORWARD -d 201.7.176.0\/20 -j DROP<\/code><\/p>\n\n\n\n<p>In this example, all IP traffic to the Brazilian TV operator <a href=\"http:\/\/redeglobo.globo.com\/\">Rede Globo<\/a> would be dropped. From a <strong>censor&#8217;s viewpoint<\/strong>,\n the advantage is that this might accomplish complete blocking of all \noutgoing traffic from one country to the destination. However, there are\n serious drawbacks to this approach:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>It might also affect web sites on a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Shared_web_hosting_service\">shared web hosting service<\/a> where many domains share a single IP address.<\/li><li>The gateway becomes slower as the filter table grows. 
For gateways \nwith a high data throughput, this is therefore not a good option.<\/li><\/ul>\n\n\n\n<p>The <a href=\"https:\/\/en.wikipedia.org\/wiki\/Golden_Shield_Project\">Golden Shield<\/a> therefore uses a different approach:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Traffic is allowed to pass, but during the connection setup, the\n related connection header data {source_IP, source_port, destination_IP,\n destination_port} are copied to an inspection server.<\/li><li>If the inspection server determines that this is an \u201cunwanted\u201d connection, it sends <strong>reset packets (RST)<\/strong> to both endpoints of the TCP connection, and the endpoints will assume that the <a href=\"http:\/\/de.wikipedia.org\/wiki\/Transmission_Control_Protocol\">TCP<\/a> connection has been reset <a href=\"http:\/\/en.wikipedia.org\/wiki\/TCP_reset_attack\">[10]<\/a>.<\/li><\/ul>\n\n\n\n<p>The following blog entry examines this approach:\n<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Machine A (192.168.3.2 via a WLAN router) inside China is trying to connect to a VPN on machine B (178.7.249.240) outside of China, without success.\nAt first, it looks as if B is rejecting the packets from A, as the log file \/var\/log\/openvpn.log indicates:\n\nMon Nov 12 09:42:16 2012 TCP: connect to 178.7.249.240:8080 failed, will try again in 5 seconds: Connection reset by peer\nMon Nov 12 09:42:22 2012 TCP: connect to 178.7.249.240:8080 failed, will try again in 5 seconds: Connection reset by peer\nMon Nov 12 09:42:28 2012 TCP: connect to 178.7.249.240:8080 failed, will try again in 5 seconds: Connection reset by peer\nMon Nov 12 09:42:34 2012 TCP: connect to 178.7.249.240:8080 failed, will try again in 5 seconds: Connection reset by peer\n\nBut is that really the case? 
Let us look at the packets in detail:\n\n# tcpdump -v host 178.7.249.240\ntcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes\n09:46:22.398769 IP (tos 0x0, ttl 64, id 18152, offset 0, flags [DF], proto TCP (6), length 60)\n    192.168.3.2.5460 > dslb-178-007-249-240.pools.arcor-ip.net.http-alt: Flags [S], cksum 0x6fd1 (incorrect -> 0x8408), seq 2461736473, win 4380, options [mss 1460,sackOK,TS val 76503281 ecr 0,nop,wscale 7], length 0\n09:46:22.943121 IP (tos 0x0, ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 60)\n    dslb-178-007-249-240.pools.arcor-ip.net.http-alt > 192.168.3.2.5460: Flags [S.], cksum 0x5180 (correct), seq 369907903, ack 2461736474, win 4344, options [mss 1452,sackOK,TS val 39174536 ecr 76503281,nop,wscale 1], length 0\n09:46:22.943203 IP (tos 0x0, ttl 64, id 18153, offset 0, flags [DF], proto TCP (6), length 52)\n    192.168.3.2.5460 > dslb-178-007-249-240.pools.arcor-ip.net.http-alt: Flags [.], cksum 0x6fc9 (incorrect -> 0x8ef2), ack 1, win 35, options [nop,nop,TS val 76503826 ecr 39174536], length 0\n09:46:22.978993 IP (tos 0x0, ttl 115, id 24791, offset 0, flags [none], proto TCP (6), length 40)\n    dslb-178-007-249-240.pools.arcor-ip.net.http-alt > 192.168.3.2.5460: Flags [R], cksum 0x122e (correct), seq 369907904, win 35423, length 0\n09:46:28.399410 IP (tos 0x0, ttl 64, id 47187, offset 0, flags [DF], proto TCP (6), length 60)\n    192.168.3.2.5460 > dslb-178-007-249-240.pools.arcor-ip.net.http-alt: Flags [S], cksum 0x6fd1 (incorrect -> 0xbce8), seq 2555496497, win 4380, options [mss 1460,sackOK,TS val 76509282 ecr 0,nop,wscale 7], length 0\n09:46:28.884286 IP (tos 0x0, ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 60)\n    dslb-178-007-249-240.pools.arcor-ip.net.http-alt > 192.168.3.2.5460: Flags [S.], cksum 0x4db6 (correct), seq 462715053, ack 2555496498, win 4344, options [mss 1452,sackOK,TS val 39180476 ecr 76509282,nop,wscale 1], length 0\n09:46:28.884352 IP (tos 0x0, ttl 64, id 
47188, offset 0, flags [DF], proto TCP (6), length 52)\n    192.168.3.2.5460 > dslb-178-007-249-240.pools.arcor-ip.net.http-alt: Flags [.], cksum 0x6fc9 (incorrect -> 0x8b64), ack 1, win 35, options [nop,nop,TS val 76509767 ecr 39180476], length 0\n09:46:28.921316 IP (tos 0x0, ttl 102, id 24791, offset 0, flags [none], proto TCP (6), length 40)\n    dslb-178-007-249-240.pools.arcor-ip.net.http-alt > 192.168.3.2.5460: Flags [R], cksum 0x659f (correct), seq 462715054, win 4472, length 0\n09:46:34.400101 IP (tos 0x0, ttl 64, id 62097, offset 0, flags [DF], proto TCP (6), length 60)\n    192.168.3.2.5460 > dslb-178-007-249-240.pools.arcor-ip.net.http-alt: Flags [S], cksum 0x6fd1 (incorrect -> 0xf2cf), seq 2649257282, win 4380, options [mss 1460,sackOK,TS val 76515283 ecr 0,nop,wscale 7], length 0\n09:46:34.922904 IP (tos 0x0, ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 60)\n    dslb-178-007-249-240.pools.arcor-ip.net.http-alt > 192.168.3.2.5460: Flags [S.], cksum 0x2db2 (correct), seq 557101407, ack 2649257283, win 4344, options [mss 1452,sackOK,TS val 39186517 ecr 76515283,nop,wscale 1], length 0\n09:46:34.922978 IP (tos 0x0, ttl 64, id 62098, offset 0, flags [DF], proto TCP (6), length 52)\n    192.168.3.2.5460 > dslb-178-007-249-240.pools.arcor-ip.net.http-alt: Flags [.], cksum 0x6fc9 (incorrect -> 0x6b3b), ack 1, win 35, options [nop,nop,TS val 76515805 ecr 39186517], length 0\n09:46:34.959184 IP (tos 0x0, ttl 61, id 24791, offset 0, flags [none], proto TCP (6), length 40)\n    dslb-178-007-249-240.pools.arcor-ip.net.http-alt > 192.168.3.2.5460: Flags [R], cksum 0xe129 (correct), seq 557101408, win 22427, length 0\n09:46:40.400746 IP (tos 0x0, ttl 64, id 32974, offset 0, flags [DF], proto TCP (6), length 60)\n    192.168.3.2.5460 > dslb-178-007-249-240.pools.arcor-ip.net.http-alt: Flags [S], cksum 0x6fd1 (incorrect -> 0x2b7e), seq 2743017357, win 4380, options [mss 1460,sackOK,TS val 76521283 ecr 0,nop,wscale 7], length 0\n09:46:40.966840 IP (tos 0x0, 
ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 60)\n    dslb-178-007-249-240.pools.arcor-ip.net.http-alt > 192.168.3.2.5460: Flags [S.], cksum 0xe3a0 (correct), seq 651499237, ack 2743017358, win 4344, options [mss 1452,sackOK,TS val 39192558 ecr 76521283,nop,wscale 1], length 0\n09:46:40.966915 IP (tos 0x0, ttl 64, id 32975, offset 0, flags [DF], proto TCP (6), length 52)\n    192.168.3.2.5460 > dslb-178-007-249-240.pools.arcor-ip.net.http-alt: Flags [.], cksum 0x6fc9 (incorrect -> 0x20fe), ack 1, win 35, options [nop,nop,TS val 76521849 ecr 39192558], length 0\n09:46:41.003368 IP (tos 0x0, ttl 103, id 24791, offset 0, flags [none], proto TCP (6), length 40)\n    dslb-178-007-249-240.pools.arcor-ip.net.http-alt > 192.168.3.2.5460: Flags [R], cksum 0x8ad3 (correct), seq 651499238, win 17099, length 0\n...\n\nNow observe the TTL values of the packets which seem to originate from machine B. The real packets [S.], (SYN\/ACK) seem to have a TTL of 49, but the [R] (RST) packets have random TTL values. This hints at the fact that the [R] (RST) packets do not come from machine B, but from various machines in a border firewall which is disturbing the setup of the VPN by faking that machine B resets the connection.<\/pre>\n\n\n\n<p>From a <strong>censor&#8217;s viewpoint<\/strong>, the major advantage is that the \ngateways do not experience a performance loss as in the case of many \n\u201cDROP\u201d entries in their IP tables. Furthermore, the attempted connection\n can be logged on the inspection server and can be archived for \u201clegal \npurposes\u201d. If there is too much traffic on the gateway, the inspection \nserver may not be able to cope with all inspections. Then, some traffic \nwhich otherwise might be blocked may pass the gateway uninterrupted. \nThat situation, however, is more acceptable than a breakdown of the \nwhole gateway which would stop all cross-border internet traffic. This 
This \napproach is consequently more safe with respect to sudden peaks in \ninternet traffic, especially, if the filters on the inspection server \ncan be scaled according to the traffic.\nThe disadvantage is that this approach can only reset <a href=\"http:\/\/en.wikipedia.org\/wiki\/Transmission_Control_Protocol\">TCP<\/a> connections and not <a href=\"http:\/\/en.wikipedia.org\/wiki\/User_Datagram_Protocol\">UDP<\/a> connections.\n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Deep Packet Inspection<\/h3>\n\n\n\n<p>A system with <a href=\"http:\/\/en.wikipedia.org\/wiki\/Deep_packet_inspection\">Deep Packet Inspection<\/a> looks into the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Payload\">payload<\/a> of the IP traffic and is thus an <strong>intrusive<\/strong>\n method. By reading the requested web pages and the content of the \ndelivered web page, the system can scan for unwanted keywords or text \nfragments. The possibilities are basically endless, but the complexity \nof the filtering algorithms and the computational demands are very high \nas the whole traffic must pass through inspection servers.\n<\/p>\n\n\n\n<p>A good example in China is Wikipedia itself: The page <a href=\"https:\/\/en.wikipedia.org\/wiki\/Golden_Shield_Project\">Golden Shield Project<\/a> can be accessed using an <strong>https<\/strong> header as then, even the request to the respective wiki site is already encrypted and hence cannot be read by the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Deep_packet_inspection\">DPI<\/a> inspection server. However, calling the page with an <strong>http<\/strong> header only <a href=\"http:\/\/en.wikipedia.org\/wiki\/Golden_Shield_Project\">[11]<\/a> will lead to a <a href=\"http:\/\/en.wikipedia.org\/wiki\/TCP_reset_attack\">TCP Reset Attack<\/a>,\n and the web page, although it might seem to open up initially, will be \nreset. 
The reason is that with the http header, the connection is not \nencrypted, and the inspection server will encounter unwanted keywords \nin the article itself. If the user is on a domestic or 3G connection, \nthe combination {User_IP_address, Wikipedia_IP_address_block} might be \nblocked for the subsequent 20 minutes, penalizing the user for having \naccessed the \u201cwrong\u201d content. Theoretically, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Deep_packet_inspection\">DPI<\/a>\n could also be used to replace \u201cunwanted\u201d content on non-encrypted \nconnections by \u201cwanted\u201d content, thereby sending the user modified content \nthat differs from what the web server actually sent, although \nso far no such incident has been reported.\n<\/p>\n\n\n\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Deep_packet_inspection\">DPI<\/a>\n inspection servers usually cannot look into the content of a reasonably\n well encrypted connection. However, weak encryption, incorrect \ncertificate verification, systems with backdoors and viruses may lead\n to serious vulnerabilities and may then be exploited in a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\">Man-in-the-middle attack<\/a> so that ultimately, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Deep_packet_inspection\">DPI<\/a> systems might be able to read encrypted traffic.\n<\/p>\n\n\n\n<p>As more and more web traffic is encrypted, <strong>fingerprinting<\/strong> \nis becoming more and more attractive to censors. This technology aims to\n determine what kind of traffic flows through a gateway. Chinese \nresearchers, for example, aim to detect (encrypted) <a href=\"http:\/\/en.wikipedia.org\/wiki\/Openvpn\">OpenVPN<\/a> traffic <a href=\"http:\/\/link.springer.com\/chapter\/10.1007%2F978-3-642-35795-4_56\">[12]<\/a> in order to be able to block <a href=\"http:\/\/en.wikipedia.org\/wiki\/Openvpn\">OpenVPN<\/a>\n altogether. 
Fingerprinting is based either on the recognition of dedicated \npatterns (signatures) or on a statistical analysis of the data flow.\n<\/p>\n\n\n\n<p>The techniques described above are responsible for the fact that:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>all connections from mainland China to overseas destinations are much slower than, for example, from Hong Kong or Macau<\/li><li>encrypted connections from China to overseas destinations are \nsometimes throttled and often even slower than unencrypted connections<\/li><\/ul>\n\n\n\n<p>From a <strong>censor&#8217;s viewpoint<\/strong>, the advantage of these techniques \nis that the internet in general remains \u201copen\u201d, but that \u201cunwanted\u201d \ntraffic can be blocked. As the list of unwanted topics and words in \nChina changes frequently and also depends on contemporary issues <a href=\"https:\/\/docs.google.com\/spreadsheet\/ccc?key=0Aqe87wrWj9w_dFpJWjZoM19BNkFfV2JrWS1pMEtYcEE&amp;hl=en_US#gid=0\">[13]<\/a>,\n this approach is best suited for such a dynamic censorship demand. \nAnother big advantage is that it allows blocking of domains like <a href=\"http:\/\/wordpress.com\/\">WordPress<\/a> or <a href=\"http:\/\/www.xing.de\/\">Xing<\/a> that do not have dedicated IP address blocks but that are hosted by large <a href=\"http:\/\/en.wikipedia.org\/wiki\/Content_delivery_network\">content delivery networks (CDN)<\/a> like <a href=\"http:\/\/www.akamai.com\/\">Akamai<\/a> or <a href=\"http:\/\/aws.amazon.com\/en\/cloudfront\/\">Amazon Web Services<\/a>. Blocking the IP ranges of these large <a href=\"http:\/\/en.wikipedia.org\/wiki\/Content_delivery_network\">CDNs<\/a>\n would also block many other web sites in China and might have undesired\n side effects.\nThe disadvantage of this approach is the penalty on internet access \nspeed from China to overseas sites. 
It also requires substantial \ninvestment in <a href=\"http:\/\/en.wikipedia.org\/wiki\/Deep_packet_inspection\">DPI<\/a> equipment and in the configuration of that equipment.\n<\/p>\n\n\n\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Deep_packet_inspection\">DPI<\/a> and fingerprinting are also used by non-Chinese <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_Service_Provider\">ISPs<\/a>\n in order to \u201coptimize\u201d their traffic (that is, to slow down or disturb \nunwanted traffic in order to maximize their revenue stream). Example: <a href=\"http:\/\/www.skype.com\/\">Skype<\/a> traffic is blocked by the German <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_Service_Provider\">ISP<\/a> <a href=\"http:\/\/www.congstar.de\/\">Congstar<\/a> as evidenced in <a href=\"http:\/\/www.congstar-forum.de\/mobilfunk\/postpaid\/22930-skype-unbrauchbar-bei-euch-auch\/\">[14]<\/a>.\n<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Links<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_censorship_in_the_People%27s_Republic_of_China\">Internet Censorship in the PRC (Wikipedia)<\/a><\/li><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Golden_Shield_Project\">Golden Shield Project (Wikipedia)<\/a> and <a href=\"https:\/\/zh.wikipedia.org\/zh\/%E9%87%91%E7%9B%BE%E5%B7%A5%E7%A8%8B\">\u91d1\u76fe\u5de5\u7a0b (Wikipedia)<\/a><\/li><li><a href=\"http:\/\/www.certmag.com\/read.php?in=3906\">The Great Firewall: How China Polices Internet Traffic<\/a><\/li><li><a href=\"http:\/\/www.howtogeek.com\/162092\/htg-explains-how-the-great-firewall-of-china-works\/\">HTG Explains: How the Great Firewall of China Works<\/a><\/li><li><a href=\"http:\/\/www.theguardian.com\/technology\/2012\/dec\/14\/china-tightens-great-firewall-internet-control\">China tightens &#8216;Great Firewall&#8217; internet control with new technology (Guardian)<\/a><\/li><li><a 
href=\"http:\/\/www.theatlantic.com\/magazine\/archive\/2008\/03\/-the-connection-has-been-reset\/306650\/\">The Connection Has Been Reset (The Atlantic)<\/a><\/li><li><a href=\"http:\/\/cs.nyu.edu\/~pcw216\/work\/nds\/final.pdf\">The Great DNS Wall of China<\/a><\/li><li><a href=\"http:\/\/www.icir.org\/vern\/papers\/reset-injection.ndss09.pdf?\">Detecting forged TCP Reset Packets<\/a><\/li><li><a href=\"http:\/\/www.youtube.com\/watch?v=uoJfG6x0g9Q\">Illegal VPNs? (Podcast of the China Weekly Hangout)<\/a><\/li><li><a href=\"http:\/\/www.kuketz-blog.de\/internet-zensur-amazon-kindle-version\/\">Kuketz: Internet-Zensur, Teil 1<\/a>, <a href=\"http:\/\/www.kuketz-blog.de\/die-kontrollmassnahmen-der-zensoren-internet-zensur-teil2\/\">Kuketz: Internet-Zensur, Teil 2<\/a>, <a href=\"http:\/\/www.kuketz-blog.de\/internet-zensur-umgehen-internet-zensur-teil3\/\">Kuketz: Internet-Zensur, Teil 3<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This article concentrates on the effects of the internet censorship to work-related 
aspects.<\/p>\n","protected":false},"author":1,"featured_media":57,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[41,54,38],"class_list":["post-56","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it","tag-cn","tag-internet","tag-zensur"],"_links":{"self":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56"}],"version-history":[{"count":3,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":126,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions\/126"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/media\/57"}],"wp:attachment":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}