Saturday, 29 September 2012

Principles and Technique to Bypass The GFW


Ding Xuan
(Department of Computer Science and Technology, Tsinghua University, Beijing, 100084)
Abstract: The GFW is controversial, welcomed by some and lamented by others. Using examples, this paper discusses how the GFW works, summarizes the current techniques for breaking through it, and compares and analyzes those techniques.
Keywords: Great Firewall, GFW, Censorship, Anti-Censorship, over the wall
1 Introduction
GFW, the Great Firewall of China, is the common name for the set of software and hardware systems that the Chinese government uses to monitor and filter Internet content. The name comes from an online commentary published in 2002 by the computer expert Charles R. Smith, who intended it as a play on the Great Wall; it has been in wide public use ever since.
The GFW’s main role is to analyze and filter the traffic between networks inside and outside China. That is, it interferes not only with domestic readers’ access to sites outside China but also with foreign readers’ access to sites hosted in China. Because of the constraints of our network, this paper explores only the former case.
The rest of the paper is organized as follows: Chapter 2 gives the terms and conventions used in the text; Chapter 3 discusses how the GFW works; Chapter 4 summarizes the current techniques for breaking through the GFW; Chapter 5 compares and analyzes these techniques; Chapter 6 concludes the paper; acknowledgements and references are in Chapters 7 and 8 respectively.
2 Terminology and conventions
Shield wall: another name for the GFW.
Is Shield: said of content to which the GFW blocks access; also written “is the wall.”
Over the wall: breaking through the GFW to access blocked content; also written “wall.”
Google.com: every occurrence of “Google.com” in this paper refers to http://www.google.com/ncr (which does not apply the country redirect), rather than to http://www.google.com, which is automatically redirected to the domestic http://www.google.cn.
Google.cn: specific to http://www.google.cn.
3 How the GFW works
Speculation about how the GFW works has never stopped. Although its actual implementation details are still unknown, curious scholars and domestic over-the-wall enthusiasts have caught a glimpse of some clues. The general view is that the GFW’s mechanisms include three: IP blacklists, content review and DNS hijacking. We discuss examples of each below.
3.1 IP blacklist
3.1.1 An example
It is well known that the video sharing site YouTube (http://www.youtube.com/) is banned in China. Because accessing it by domain name runs into the DNS hijacking problem (see Section 3.3 for discussion), we use its IP address 208.65.153.238 directly here to illustrate the GFW’s IP blacklist mechanism.
Opening http://208.65.153.238 in a browser gives the following result:

Ping also times out:
The two images above show that the target host cannot (or does not) respond to our requests in time. To find out why, we run the tracert command:
The results show that the path breaks off at the host 202.112.61.214.
3.1.2 Another example
Visiting the International Bullog shows the same problem, and running tracert against its IP address gives a similar result:
3.1.3 Speculation
Based on these results we speculate that the GFW probably maintains an IP blacklist. Once it finds a request packet addressed to a blacklisted address, it simply discards the packet, so the source host never receives a timely response from the target host and the request times out. In this way access to the target host is blocked.
Further, we have reason to believe that the host 202.112.61.214 is one of the GFW’s devices. To confirm this speculation, we scan it with Nmap:
The scan shows that the device 202.112.61.214 is most likely a Cisco router, which is consistent with the form of GFW equipment.
3.1.4 Shortcomings of the IP blacklist
Obviously, because this mechanism uses a blacklist to ban sites rather than a whitelist to permit them, some addresses inevitably slip through the net. Another YouTube address, 208.117.240.37, is a good example (as of this writing, the address can be accessed directly):
3.2 Content review
3.2.1 A simple example
When we search Google.com for the keyword “freegate”, at first we are still able to get search results:
But at the same time, we receive a large number of TCP connection reset packets “sent from Google”. The figure shows the result of a Wireshark packet capture:
After a refresh, the page can no longer be reached:
And Google.com itself becomes inaccessible:
3.2.2 An extreme example
As in the previous example, accessing http://chinagfw.org/search/label/anti-censorship results in hundreds of TCP connection reset packets:
3.2.3 Speculation
We guess that the GFW scans HTTP packets and may hold a list of sensitive words. If a scanned packet is found to contain a word on the list, the GFW immediately sends both the source host and the destination host a TCP connection reset packet that masquerades as coming from the other side, in order to break the connection.
Further, the GFW records the banned source and destination host addresses in a temporary blacklist and keeps them for a limited period of time. If the source host requests the target host again during the ban, the GFW directly returns a TCP connection reset packet (in this case possibly one-way) without scanning the new request packet.
Another finding is that the content review mechanism does not work for all sites. For example, searching Google.cn for the same keyword “freegate” does not produce the phenomena described above. One possible reason is that the GFW keeps a list of IP addresses under surveillance and the address of Google.com is on it. Another possibility is that visits to Google.cn do not pass through GFW equipment and so do not trigger TCP connection resets, while Google.com is located outside the GFW and cannot escape it.
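The hypothesis of Section 3.2.3 can be written down as a small state machine and replayed against the sequence seen in Section 3.2.1. This is an added illustration, not code from the paper: the class and function names, the documentation-range addresses and the 90-second ban are assumptions (the paper gives no duration), and the optional `watched` set models the "list of IP addresses under surveillance" explanation.

```python
class ContentReviewModel:
    """Toy model of the behaviour hypothesised in Section 3.2.3."""

    def __init__(self, keywords, ban_seconds, watched=None):
        self.keywords = [k.lower() for k in keywords]
        self.ban_seconds = ban_seconds   # assumed value; the paper gives none
        self.watched = watched           # None = scan traffic to every destination
        self.banned = {}                 # (src, dst) -> time at which the ban expires

    def observe(self, now, src, dst, payload):
        """Return what the model does with one HTTP request seen at time `now`."""
        pair = (src, dst)
        expiry = self.banned.get(pair)
        if expiry is not None:
            if now < expiry:
                return "reset-without-scan"  # ban active: payload is not inspected
            del self.banned[pair]            # ban has lapsed
        if self.watched is not None and dst not in self.watched:
            return "pass"                    # destination is not under surveillance
        if any(k in payload.lower() for k in self.keywords):
            self.banned[pair] = now + self.ban_seconds
            return "reset-both-ends"         # forged resets sent to both hosts
        return "pass"


def replay(model, events):
    """Feed (time, src, dst, payload) tuples to the model in order."""
    return [model.observe(*event) for event in events]


# Constructed timeline; all three addresses are placeholders.
CLIENT, DOT_COM, DOT_CN = "192.0.2.10", "198.51.100.20", "198.51.100.30"
EVENTS = [
    (0, CLIENT, DOT_COM, "GET /search?hl=en&q=freegate HTTP/1.1"),  # keyword search
    (5, CLIENT, DOT_COM, "GET /ncr HTTP/1.1"),                      # harmless, but banned
    (6, CLIENT, DOT_CN, "GET /search?q=freegate HTTP/1.1"),         # unwatched destination
    (200, CLIENT, DOT_COM, "GET /ncr HTTP/1.1"),                    # after the ban expires
]


def demo():
    model = ContentReviewModel(["freegate"], ban_seconds=90, watched={DOT_COM})
    return replay(model, EVENTS)


if __name__ == "__main__":
    for event, action in zip(EVENTS, demo()):
        print(event[0], event[2], action)
```

The second event is the one that matches the observation that Google.com as a whole became unreachable: the request contains no keyword, yet it is reset because the address pair is still on the temporary blacklist.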
3.3 DNS hijacking
3.3.1 An example
In addition to the IP blacklist technique of Section 3.1, the GFW also uses DNS hijacking to ban YouTube.
To illustrate this point, we run the nslookup command:
The figure shows that “www.youtube.com” is resolved through the DNS server 166.111.8.28 to the address 202.106.1.2, but that address is in fact not a real YouTube address.
Further, even when a foreign DNS server such as OpenDNS is used for resolution, we cannot get the real address of YouTube:
And the results may differ each time:
However, with an online nslookup service such as http://www.kloth.net/services/nslookup.php, the real address of YouTube (http://www.youtube.com/) can be obtained:
3.3.2 Speculation
The GFW’s DNS hijacking has at least two mechanisms. On the one hand, the GFW contaminates the caches of domestic DNS servers, which shows up as the stable, false IP address returned when a domestic DNS server resolves YouTube. On the other hand, the GFW attempts to intercept and answer resolution requests sent from inside China to foreign DNS servers (or it may tamper with the responses of the foreign DNS server, here OpenDNS, http://www.opendns.com/), which shows up as the variable, false IP addresses observed when OpenDNS is used for resolution.
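The distinction drawn in Section 3.3.2 between a stable false answer and a variable false answer can be turned into a check over repeated lookups. The following is an added example, not part of the original paper: the function names and the "control" vantage point are hypothetical, and the OpenDNS answers are constructed documentation-range addresses, since the paper's screenshots are not available.

```python
from ipaddress import ip_address

# Out-of-band reference: the two YouTube addresses quoted in Sections 3.1.1 and 3.1.4.
REFERENCE = {"208.65.153.238", "208.117.240.37"}

# Constructed sample: three repeated lookups of www.youtube.com per resolver.
# 166.111.8.28 and 202.106.1.2 come from Section 3.3.1; the OpenDNS answers
# are made-up documentation-range addresses and "control" is hypothetical.
OBSERVATIONS = {
    "166.111.8.28": [{"202.106.1.2"}, {"202.106.1.2"}, {"202.106.1.2"}],
    "OpenDNS": [{"203.0.113.7"}, {"198.51.100.23"}, {"192.0.2.91"}],
    "control": [{"208.65.153.238"}, {"208.117.240.37"}, {"208.65.153.238"}],
}


def _norm(addrs):
    """Parse and validate a set of address strings."""
    return frozenset(ip_address(a) for a in addrs)


def classify_resolver(rounds, reference):
    """Label one resolver from its answers to repeated identical queries.

    'stable-false'   every round returns the same set, none of it in reference
                     (the pattern Section 3.3.2 attributes to a contaminated cache)
    'variable-false' every round misses the reference and the sets differ
                     (the pattern attributed to intercepted or altered replies)
    'mixed'          some rounds hit the reference and some miss it
    'consistent'     every round overlaps the reference
    'no-answer'      nothing but timeouts or empty replies
    """
    ref = _norm(reference)
    seen = [_norm(r) for r in rounds if r]  # drop empty rounds (timeouts)
    if not seen:
        return "no-answer"
    misses = [s for s in seen if s.isdisjoint(ref)]
    if not misses:
        return "consistent"
    if len(misses) < len(seen):
        return "mixed"
    return "stable-false" if len(set(seen)) == 1 else "variable-false"


def survey(observations, reference):
    """Classify every resolver in the observation table."""
    return {name: classify_resolver(r, reference) for name, r in observations.items()}


if __name__ == "__main__":
    for name, verdict in survey(OBSERVATIONS, REFERENCE).items():
        print(f"{name:15} {verdict}")
```

The verdict is only as good as the reference set: a large site can legitimately return different addresses to different networks, so a miss is a lead to investigate rather than proof of tampering.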
4 Breaking through the GFW
4.1 Online proxies
An online proxy is a proxy program running on a web server. It usually uses some complex scripting to bypass filters and firewalls (such as the GFW) in order to reach blocked sites. Using a web proxy service is very simple: there is no need to configure the browser or to install additional software. The user simply opens the online proxy site, enters the address of the site to visit, and enjoys a free proxy service.
4.1.1 Ordinary online proxies
Such as SneakME, Cspeed and so on.
4.1.2 Online proxies on Google App Engine
Such as Go2, Mirror, Quick-Proxy and so on.
Compared with the ordinary online proxies above, online proxies based on Google App Engine have two characteristics. First, thanks to Google’s powerful servers, such proxies respond quickly and are stable. Second, these online proxies generally support the HTTPS protocol, so they are better at getting over the wall.
4.1.3 Automatic online proxy
Although opening the online proxy, entering the URL and pressing Enter is not complex, it certainly cannot be called easy. In fact, this way of using an online proxy disrupts people’s habit of browsing from the address bar. The world would be a better place if the browser could decide automatically, based on the URL the user enters, whether to use an online proxy and which one to use.
Gladder is automatic online proxy software born to meet this demand; more precisely, it is a Firefox browser plug-in. Its main function is to judge, against a customizable list of blocked sites, whether the page being visited should be accessed through a proxy.
4.2 Proxy tools
4.2.1 Freegate
According to Wikipedia, Freegate provides its service through a series of open proxy servers on the Internet whose addresses change dynamically, including HTTP proxies and HTTPS proxies. There are indications that Freegate uses a complex set of internal mechanisms to hide the details of the proxy servers from the user and to achieve a more reliable transport protocol.
4.2.2 GPass
GPass further encapsulates application-layer data packets and sends them, encrypted, through various forms of dynamic channels to GPass servers located around the world. The servers unpack the data and forward it to the destination site, thereby getting over the wall.
4.2.3 Tor
Tor is distributed anonymous routing software: a distributed routing protocol that builds a virtual network on top of the Internet, with the purpose of protecting users’ privacy against traffic analysis. Although it was not designed for getting over the wall, the particular nature of its routing gives it considerable ability to do so.
How Tor works is rather complex. In sum, Tor provides encrypted data transport and completes the communication between the source and destination hosts through intermediate nodes in its network, which is how it gets over the wall. However, because Tor not only encrypts data but also protects privacy by dispersing traffic, it cannot reach ideal speeds and has been criticized for this (which is in fact no fault of Tor’s: it does not exist for getting over the wall).
4.2.4 GAppProxy
GAppProxy is a proxy tool based on Google App Engine. It was designed to provide a free international proxy for the education network and was later widely used as an over-the-wall tool. Since it uses the same Google App Engine platform, GAppProxy’s breakthrough capability as an over-the-wall tool is more or less the same as that of the online proxies described in Section 4.1.2, but it is more convenient to use.
GAppProxy works by having the browser’s requests processed by a proxy service script on the Google App Engine platform, thus bypassing the GFW.
Apart from the advantage of using Google’s servers, another prominent advantage of GAppProxy is that it is open source; because the Google App Engine platform is open, ordinary users can easily set up their own proxy server.
4.3 VPN
A VPN tunnel between the user’s host and a remote host abroad achieves a fully transparent over-the-wall effect. If you are not in a position to set up your own VPN server, are not willing to pay for a VPN account, and can put up with heavy advertising on pages or with traffic limits, you can try the following two VPN services.
4.3.1 AnchorFree
AnchorFree is a free VPN service from the United States. It can be used without applying for an account, at the cost of large advertisements on pages.
4.3.2 Alonweb
Alonweb is a free VPN service from the Netherlands. It requires applying for a personal account and gives only 1G of free traffic per month.
4.4 SSH Tunnel
An SSH tunnel is, in essence, a secure channel established between the user’s host and a remote host abroad in order to get over the wall. As with VPN, free SSH tunnel service is not available just anywhere. Of course, there are exceptions.
4.4.1 MyEnTunnel
MyEnTunnel uses PuTTY’s Plink component to establish an SSH tunnel with the remote host. An application (such as a browser) only needs to support SOCKS proxies to get over the wall through MyEnTunnel.
4.5 RSS Subscribe
In the Web 2.0 era, getting over the wall is not the only way to obtain information actively: as more and more websites provide RSS feeds, RSS readers are gradually gaining in popularity. If a blocked website has a suitable RSS feed, subscribing to it is an easy way to bypass the GFW.
4.5.1 Google Reader
Google Reader is Google’s online RSS reader. It has good HTTPS support, which is a valuable advantage now that the GFW is everywhere.
4.6 Others
4.6.1 Google Language Tools
Surprisingly, Google’s language tools can be used to get over the wall. Taking YouTube as the example again, open Google’s language tools at http://www.google.cn/language_tools, enter the YouTube address in the “Translate a Web Page” section, and choose to translate from “Chinese” to “Chinese (Simplified)”, as shown below:
Click the “Translate” button to access YouTube successfully:
5 Comparison of several breakthrough techniques
5.1 Test items
The test items are as follows:
  1. Visit http://208.65.153.238
  2. Visit http://www.google.com/search?hl=en&q=freegate&aq=f&oq= (twice)
  3. Visit http://chinagfw.org/search/label/anti-censorship
  4. Visit http://www.youtube.com
  5. Visit http://www.youtube.com/watch?v=tG7cM5Yvhz4&feature=channel_page2
5.2 Comparison
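| Method | Tool | Item1 | Item2 | Item3 | Item4 | Item5 | Notes |
|---|---|---|---|---|---|---|---|
| Online Proxy | SneakME | OK | Blocked | Blocked | OK | OK | |
| Online Proxy | Cspeed | OK | Blocked | OK | OK | Can’t View | |
| Online Proxy | Go2 | OK | OK | OK | OK | Can’t View | HTTPS |
| Online Proxy | Mirror | OK | OK | OK | OK | Can’t View | HTTPS |
| Online Proxy | Quick-Proxy | OK | OK | OK | OK | Can’t View | HTTPS |
| Proxy Tools | Freegate | OK | OK | OK | OK | OK | |
| Proxy Tools | Gpass | OK | OK | Slow | OK | Slow | |
| Proxy Tools | Tor | OK | OK | Slow | OK | Can’t View | |
| Proxy Tools | GAppProxy | OK | OK | OK | OK | Can’t View | |
| VPN | n/a | n/a | n/a | n/a | n/a | n/a | |
| SSH Tunnel | MyEnTunnel | OK | OK | OK | OK | OK | |
| RSS Subscribe | n/a | n/a | n/a | n/a | n/a | n/a | |
| Others | Language Tools | OK | OK | OK | OK | Can’t View | |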
5.3 Analysis of results
  1. Items 1 and 4 are easily passed, reflecting the limited blocking capability of the IP blacklist and DNS hijacking mechanisms;
  2. Freegate and MyEnTunnel are the only tools that pass all five tests;
  3. The Google-based breakthrough methods, including the online proxies, proxy tools and language tools, performed excellently in the first four tests, so Google is likely to become a key target of the GFW;
  4. Proxies that support only the HTTP protocol may be blocked;
  5. Most methods either do not support online video viewing or perform poorly at it (item 5); on this point, the GFW’s strike against YouTube is successful.
6 Conclusion
Overall, although how the GFW really works is unknown, there are indications that the current GFW is not complicated. On the one hand, this is due to the limits of current hardware and software technology; on the other hand, a complete ban is not really needed. However, we have to admit that, measured against its purpose, the results the GFW has achieved so far are successful: scholars with strong curiosity and over-the-wall enthusiasts are only a minority, and the vast majority of people are unlikely to understand and flexibly use the breakthrough techniques described in Chapter 4, not to mention that these techniques are clearly the weaker side in the confrontation with the GFW and may be blocked at any time.
Finally, note that this paper discusses current GFW breakthrough techniques only from the perspective of web users. Server-side countermeasures, such as dynamically changing IP addresses, enabling HTTPS support, and ignoring the GFW’s TCP connection reset packets, have not been explored. Nor does this paper address the privacy issues that using these breakthrough techniques may expose users to. These topics may be covered in the future, or they may not.
7 Acknowledgements
Thanks to the teacher Duan new for providing the online proxy Cspeed (http://cspeed.net/).
Thanks to our friend fuckGFW for providing free SSH accounts for part of this experiment.
8 References
  1. Wikipedia: Great Firewall, http://zh.wikipedia.org/wiki/GFW
  2. Charles R. Smith, “The Great Firewall of China”, http://archive.newsmax.com/archives/articles/2002/5/17/25858.shtm
  3. Zhou Shuguang, “The Chinese government’s network blocking technical schemes and netizens’ anti-blocking technical schemes”, http://www.zuola.com/weblog/?p=1353
  4. Jason Ng, “What is the GFW? The GFW illustrated”, http://www.kenengba.com/post/430.html
  5. Sarah Lai Stirland, “Cisco Leak: ‘Great Firewall’ of China Was a Chance to Sell More Routers”, http://www.wired.com/threatlevel/2008/05/leaked-cisco-do/
  6. Nmap, http://nmap.org
  7. Wireshark, http://www.wireshark.org
  8. OpenDNS, http://www.opendns.com
  9. Wikipedia: DNS Cache Poisoning, http://en.wikipedia.org/wiki/DNS_cache_poisoning
  10. http://chinagfw.org/search/label/anti-censorship
  11. Wikipedia: Online proxy, http://zh.wikipedia.org/wiki/在线代理
  12. SneakME, http://www.sneakme.net
  13. Cspeed, http://cspeed.net
  14. Go2, https://go2http.appspot.com
  15. Mirror, https://soproxy.appspot.com
  16. Quick-Proxy, https://quick-proxy.appspot.com
  17. Gladder, http://gneheix.googlepages.com/gladder
  18. Freegate, http://www.dongtaiwang.com
  19. Wikipedia: Freegate, http://en.wikipedia.org/wiki/Freegate
  20. GPass, http://gpass1.com/gpass
  21. Tor, https://www.torproject.org
  22. Tor overview, https://www.torproject.org/overview.html
  23. GAppProxy, http://code.google.com/p/gappproxy
  24. AnchorFree, http://www.anchorfree.com
  25. Alonweb, http://alonweb.com
  26. MyEnTunnel, http://nemesis2.qx.net/pages/MyEnTunnel
  27. PuTTY: A Free Telnet/SSH Client, http://www.chiark.greenend.org.uk/~sgtatham/putty
  28. fuckGFW,“Be Free to SSH-D”, https://dl.getdropbox.com/u/873345/index.html
  29. Google Reader, https://www.google.com/reader
  30. NetPuter, “Use Google’s ladder to get over the wall”, http://orzdream.cn/2008/09/use-google-language-tools-to-skip-gfw
  31. Google Language Tools, http://www.google.cn/language_tools
  32. R. Clayton, S. J. Murdoch, and R. N. M. Watson, “Ignoring the Great Firewall of China”, I/S: A Journal of Law and Policy for the Information Society, 2007
From http://gfw.rixtox.com/?p=155