
How the Great Firewall discovers hidden circumvention servers

32. Chaos Communication Congress

Several years ago, the Great Firewall of China was silently upgraded to find and block circumvention servers that employ encryption to defeat deep packet inspection. The system is now used to block protocols such as Tor, SoftEther, and SSH. In this talk, we will give an overview of how this system works, and how it can be circumvented.

The GFW's reactive probing system scans egress network traffic for circumvention protocol signatures, and then launches short-lived probes to verify if the suspected server is, in fact, speaking the circumvention protocol. If that is the case, the GFW adds the IP address and port of the server to a country-wide blacklist, preventing people in China from connecting to it. We recently finished a multi-month research project in which we looked at the system from different angles to answer several open questions. In particular, we will talk about:

  • How the reactive probing system makes use of thousands of unique IP addresses to launch its probes.
  • We discuss our hypotheses on the physical design of the reactive probing system. Our evidence shows that all these IP addresses are either hijacked, or that the GFW operates a large, geographically distributed network of proxies.
  • We show patterns in the IP, TCP, and TLS headers that suggest that the thousands of reactive probing IP addresses we harvested are controlled by few centralized systems.
  • How the system seems to flush its blacklist regularly, providing a short window for circumvention.
  • The effectiveness of the system, i.e., how good it is at blocking servers and how well it scales.
  • How the GFW seems to treat science and education networks differently from consumer networks.
  • Ways to troll the Great Firewall of China.
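The abstract describes a three-stage loop: passive signature matching on egress traffic, a short-lived verification probe from one of many source addresses, and a blacklist entry for the IP:port that answers. From an operator's side, the visible trace of that loop is a genuine client session followed within seconds by one or more brief connections from unrelated addresses that never complete the handshake. The script below is an added example, not code from the talk or its author; it models that trace over a constructed connection log (the `Conn` record, the timing thresholds and the documentation-range IP addresses are all assumptions) and flags the probe bursts so an operator can see the pattern in their own logs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One accepted TCP connection as a server might log it (constructed schema)."""
    start: float         # connection start time in seconds on a constructed clock
    src: str             # peer IP address
    duration: float      # seconds the TCP connection stayed open
    handshake_ok: bool   # True if the peer completed the circumvention protocol handshake


# Constructed sample log. A real client from 203.0.113.10 connects at t=100 and
# keeps its session; within ~10 s three short connections from unrelated
# addresses arrive and never finish the handshake, which is the reactive-probe
# pattern the abstract describes. Later sessions see no follow-up probes.
SAMPLE_LOG = [
    Conn(100.0, "203.0.113.10", 900.0, True),    # genuine client session
    Conn(103.5, "198.51.100.7", 0.4, False),     # candidate probe
    Conn(104.1, "198.51.100.88", 0.3, False),    # candidate probe, new source IP
    Conn(111.0, "192.0.2.200", 0.5, False),      # candidate probe, new source IP
    Conn(500.0, "203.0.113.10", 600.0, True),    # same client reconnects, no probes
    Conn(530.0, "203.0.113.44", 1200.0, True),   # second client, no probes
    Conn(900.0, "198.51.100.7", 0.4, False),     # lone short connection, no trigger
]


def find_probe_bursts(log, window=60.0, max_duration=2.0, min_probes=2):
    """Return [(trigger_conn, [probe_conns])] for each handshake-completing
    session that is followed, within `window` seconds, by at least `min_probes`
    connections from *other* addresses that stay open at most `max_duration`
    seconds and never complete the handshake. Thresholds are assumptions."""
    ordered = sorted(log, key=lambda c: c.start)
    bursts = []
    for i, trigger in enumerate(ordered):
        if not trigger.handshake_ok:
            continue  # only real sessions can trigger the GFW's verification step
        probes = [
            c for c in ordered[i + 1:]
            if c.start - trigger.start <= window
            and c.src != trigger.src
            and c.duration <= max_duration
            and not c.handshake_ok
        ]
        if len(probes) >= min_probes:
            bursts.append((trigger, probes))
    return bursts


def probe_source_summary(bursts):
    """Return (distinct probe source IPs, distinct probe connections) across all
    bursts. A high ratio of distinct IPs to probes is the 'thousands of unique
    addresses' signature the abstract mentions."""
    probe_conns = {c for _, probes in bursts for c in probes}
    return len({c.src for c in probe_conns}), len(probe_conns)


if __name__ == "__main__":
    found = find_probe_bursts(SAMPLE_LOG)
    for trigger, probes in found:
        print(f"session from {trigger.src} at t={trigger.start:.1f} followed by "
              f"{len(probes)} probe-like connections: {[p.src for p in probes]}")
    print("distinct probe IPs, probe connections:", probe_source_summary(found))
```

The trigger-then-burst heuristic is deliberately conservative: the lone short connection at t=900 is not counted because no completed session precedes it, and legitimate reconnects are excluded because they complete the handshake. Tuning `window` and `max_duration` against a server's own traffic is what turns this from an illustration into a usable alert.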

Speakers: Philipp Winter