What is the Great Firewall of China and why you should care

Know the enemy and know yourself. 知彼知己.

China is known to have one of the most repressive censorship regimes in the world. It has been developing and deploying notoriously sophisticated censorship techniques since 2003. To achieve and maintain such results, the Chinese government has hired research institutes and technology providers from around the world.

Many foreign companies played a crucial part in building the GFW by providing research, devices, routers and other hardware. The best known are Cisco, Nortel Networks, Motorola and Sun Microsystems.

Nowadays, most of the hardware comes from Chinese companies Huawei and Semptian.

GFWatch has tested over 534 million distinct domains and found that China is blocking over 255 741 of them, a number that keeps growing every day.

But that's just the tip of the iceberg. There are more companies that help build censorship tools for the Chinese government. We would like to list all of them, but it will require us to do a proper investigation and a separate post.

Even with all the best technologies available, the GFW alone does not give the Chinese Communist Party (CCP) enough control. That's why strict laws make Chinese companies legally responsible for user-generated and public content. Social networks, blogs and messengers have automated moderation so thorough that "forbidden" information usually cannot be posted in the first place.

Want to see an example yourself? Try using the popular Chinese search engine "Baidu" to search for "Tiananmen Square" and compare results with other search engines. Baidu will show you only nice pictures of the square with flowers. You can also compare results for "Falun Gong".

How does GFW work?

GFW uses active filtering with many different methods such as:

1. IP blocking

The Chinese firewall maintains a list of IP ranges that are automatically dropped (network black-holing).

2. DNS Spoofing, filtering and redirection

One part of the Chinese firewall is made of lying DNS servers and DNS hijackers that return incorrect IP addresses. Studies seem to indicate that this censorship is keyword-based.

3. URL filtering using transparent proxies

The Chinese firewall is made of transparent proxies that filter web traffic. These proxies scan the requested URI, the "Host" header and the content of the web page (for HTTP requests) or the Server Name Indication (for HTTPS requests) for target keywords.

4. Traffic Pattern Analysis

Since 2012, the GFW is able to "learn, filter and block" users based on traffic behavior, using deep packet inspection.

5. Packet forging and TCP reset attacks

The Chinese firewall may arbitrarily terminate TCP connections using packet forging. The blocking is performed with a TCP reset attack: the firewall does not drop the TCP request or the reply, but sends a forged TCP RST packet to the sender, simulating the end of the connection.

6. Man-in-the-middle attacks with TLS

The Chinese National Intelligence Law theoretically allows the Chinese government to request and use the root certificate of any Chinese certificate authority, such as CNNIC, to mount MITM attacks with valid certificates.
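The reset attack in item 5 can be spotted in a packet capture from the receiving side: a forged RST is emitted by a middlebox on the path, not by the real peer, so its IP TTL usually differs from the TTL of the peer's own segments. The script below is an added example, not code from the original post; the segment records, addresses and TTL values are constructed, and the TTL-mismatch heuristic is a general detection technique rather than something the post itself describes.

```python
"""Flag TCP RST segments whose IP TTL disagrees with the rest of the flow.

A reset injected by an on-path device arrives with a different hop count than
segments sent by the real peer. Comparing a RST's TTL against the TTL baseline
already seen from that sender is a common heuristic for spotting injected
resets in a capture. The Segment records here are a simplified, constructed
stand-in for real packets.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str     # source IP
    sport: int   # source port
    dst: str     # destination IP
    dport: int   # destination port
    ttl: int     # IP TTL as observed at the capture point
    flags: str   # TCP flags, e.g. "S", "SA", "PA", "R", "RA", "FA"


def flow_key(seg):
    # One key per sender direction: a RST is compared with other segments
    # claiming to come from the same (src, sport) towards the same (dst, dport).
    return (seg.src, seg.sport, seg.dst, seg.dport)


def suspicious_resets(segments, tolerance=2):
    """Return RST segments whose TTL is more than `tolerance` hops away from
    every non-RST TTL seen from the same sender in the same flow."""
    baseline = defaultdict(set)
    for s in segments:
        if "R" not in s.flags:
            baseline[flow_key(s)].add(s.ttl)
    flagged = []
    for s in segments:
        if "R" not in s.flags:
            continue
        seen = baseline.get(flow_key(s))
        if not seen:
            continue  # nothing to compare against: cannot judge this RST
        if all(abs(s.ttl - t) > tolerance for t in seen):
            flagged.append(s)
    return flagged


# Constructed sample flow: client 10.0.0.5 talks HTTP to 203.0.113.10 (TEST-NET-3).
# The server's real segments arrive with TTL 52; a RST with TTL 61 appears mid-stream.
SAMPLE = [
    Segment("10.0.0.5", 40000, "203.0.113.10", 80, 64, "S"),
    Segment("203.0.113.10", 80, "10.0.0.5", 40000, 52, "SA"),
    Segment("10.0.0.5", 40000, "203.0.113.10", 80, 64, "A"),
    Segment("10.0.0.5", 40000, "203.0.113.10", 80, 64, "PA"),  # request containing a keyword
    Segment("203.0.113.10", 80, "10.0.0.5", 40000, 61, "R"),   # forged reset, wrong hop count
    Segment("203.0.113.10", 80, "10.0.0.5", 40000, 52, "PA"),  # the real reply still arrives
    Segment("203.0.113.10", 80, "10.0.0.5", 40000, 52, "FA"),  # legitimate close
]

if __name__ == "__main__":
    for r in suspicious_resets(SAMPLE):
        print(f"suspicious RST from {r.src}:{r.sport} -> {r.dst}:{r.dport} ttl={r.ttl}")
```

A RST whose TTL matches the peer's other segments (a genuine close) is not flagged, so the heuristic separates the injected reset from a real one in the same capture.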

Is it possible to bypass GFW?

We asked ourselves the same question this year, and the answer is yes. Our team started implementing proxy protocols this year, and we hope this will help people in China and in other countries with similarly restrictive firewalls. We are almost ready and currently in the final testing phase. We aim to release an update with stealth proxy support during January 2022.

What makes it hard to bypass is that GFW uses a combination of passive traffic analysis and active probing to detect and block VPN, Tor and even stealth proxy protocols such as Shadowsocks.

Shadowsocks is a lightweight socks5 proxy, originally written in Python by clowwindy.

The GFW also scrapes and monitors VPN/proxy providers and actively blocks their IP addresses. VPN/proxy detection also varies between ISPs and cities; some of them are more aggressive than others.

Currently, the minimum requirements are:

  • Censorship-resistant proxy protocols such as VLESS, TrojanGFW and VMess, which are superior to Shadowsocks.
  • Server obfuscation
  • Optimized servers and network for China / IPLC or CN2
  • Dynamic IPs, if available, in case your IP gets banned by the GFW

Why should I care about this?

The internet is fragile, and countries such as China are harming the free internet more than you might think. Authoritarian states take notes from China and want the same technology to control their citizens.

Combining this technology with internet shutdowns creates a perfect tool for any authoritarian state. Rights to free expression and privacy are violated and no one seems to care about it.

China has already started exporting its technology to other countries, for example Belarus, Russia, Egypt, Venezuela, Bolivia, Cuba, Ecuador, Rwanda, Zimbabwe, Saudi Arabia, Pakistan and Iran.

In the worst-case scenario, more countries will join this list next year. One day it might be your country.

What should I do?

As an individual, one of the best things you can do is to share information about censorship. Teach other people how to bypass restrictive firewalls such as GFW and be prepared yourself in case it happens. Knowledge is power.

Sources and further reading