Treehouse Cityguide

Great Firewall Experiences


Joined: 2005-04-24
Points: 648
*Posted: Submitted by wtanaka (648) on Wed, 2005-10-05 09:30. | Subject: Great Firewall Experiences

This post was inspired by some questions I saw on a mailing list and this Time magazine article. I'll share my personal experience with the Chinese firewall as I've experienced it on my own DSL line in Yunnan. These are just my personal opinions, so I wouldn't rely on them as advice of any sort. Quote:

the government has also deployed tens of thousands of Internet police to investigate online crimes
People I talk to in the bar always seem surprised by this fact. Personally I don't see how else they could do it. Automated filtering is limited by the state of the art in Computer Science, which is still not all that great when it comes to figuring out what a piece of writing is actually talking about. The blocking as I've seen it implemented is multi-fold:
  1. The standard web-server based blocking. This is what most people are familiar with. Sites like news.bbc.co.uk are blocked all the time under all circumstances. This blocking sometimes shows up as "Document contains no data" in Firefox or some generic "Problem loading this website" error in Internet Explorer. Other times, the site appears to be loading, but just takes forever (until the web browser times out and gives up trying to download it).
  2. Name-service based blocking. For example: treehouse.dyndns.info or anything else in .dyndns.info. Domain name lookups to certain sites never receive responses. This shows up as "Looking up treehouse.dyndns.info..." showing up for a long time in Firefox, until finally an error message pops up saying "treehouse.dyndns.info could not be found. Please check the name and try again."
  3. Transient blocks. If you try to load certain URLs containing filtered words, you will be blocked from the whole website that you were trying to load for a few minutes. For example, if I load up www.google.com and type "falu n gon g" (without the extra spaces) into the search box, I will get "Document contains no data" in Firefox. Then, if I try to reload the page or search for something else like "Communism is awesome" I will continue to get "Document contains no data" for a few minutes. I've read somewhere that repeated "bad" searches will get you blocked from that website for longer periods of time. I can see how this one might be scary to the uninitiated, but it's all completely automatic. I still to this day get booted from my own site for a few minutes for searching for "Zhengzhou" in my own search box. When these transient blocks take effect, they also have the effect of closing any open connections to the particular server. For example, I had a command shell session open to my webserver, which also got shut down with the error message "Connection reset by peer" when I got cut off from my website.
  4. Transient blocks on other connections. Some of my friends here ran into an issue where, when one of them logged into their shared POP email account (hosted in the US) using Outlook, both of them got cut off from their email for a few minutes. The strange thing was only one of them would trigger the block; the other could use their email account just fine. I've also seen this behavior with gmail, hotmail, and yahoo free mail accounts. For example, my gmail account seems to get cut off (in this transient fashion) all the time, and I've had almost no problems with yahoo mail. Other people's situations are sometimes completely the opposite. It may be that different URLs get sent through different firewall machines based on a hash function, and different firewall machines have slightly different rules, but that's just speculation.
Quote:
What kinds of thresholds are considered significant when accessing foreign or "prohibited" sites from within China.
The restrictions, as far as I can tell, are pretty arbitrary. But that's mainly a technical problem. Even if the government has thousands of people adding and removing sites to the list all the time, it's really a losing battle, considering the number of webpages that get added to the internet every day and the number of times that content changes on pages. One improvement the govt could make (if they can purchase enough compute power to do it) would be to start filtering based on keywords instead of sites. I've seen the start of this with the transient filters mentioned above. I think they're moving toward that, but it will still be a "dumb" filter. i.e., a block on the word "Zhengzhou", the capital city of Henan, will be overly broad even when they're only trying to block news of some regional and recent event. Quote:
How are such "transgressions" by foreigners considered, relative to, say, a Chinese journalist? I've only heard of Chinese getting into trouble, for their own actions.
If they can be tracked, I think the foreigners can still get in trouble. I met someone in Oakland, CA who claimed to have been detained for 6 months for posting an article on a Duke University school newspaper website critical of the Chinese government while he was living in Beijing. If you post something (or especially if you're just reading a site) from an internet cafe, you're pretty small peanuts. The government is better served by focusing their efforts on the people that produce the content, rather than the ones that read it. There are far fewer of the former. Quote:
Would there be blowback to one's hotel, internet cafe, or friends whose private connections were used?
You'd have to post enough "objectionable" content to make it worthwhile going after you. And if websites need to keep logs (as claimed by the Time article) it would be easy to combine those logs with China Telecom logs to figure out exactly the phone account (and thus the identity) of the location where the post came from. Quote:
Or are all of these concerns like many others in China - it depends on who's offended, when and how they're offended, etc.? Were one to write an email or travelogue saying "Guess what I learned that Chinese aren't allowed to read..." or "I visited another historical site of the Cultural Revolution. Let me tell you what I learned about Mao...", I wonder what the ramifications could be.
I think it all comes down to the practicalities. Even with 10,000 internet police to investigate posts, there's no way they can keep up with everything, especially English language content. I'm sure they'd like to filter everything (and there are a lot of things going in China's favor for succeeding at this), but right now, there's just way more stuff on the Internet than any censorship ministry could keep up with. They'll go after the more important targets first, and probably add a few random people into the mix. Kind of like how the music industry is fighting piracy -- Go after the big pirate organizations, and sue a few random people here and there to instill fear. Quote:
The majority of Chinese go online at cybercafés, and in order to rent computer time users must register with their national ID numbers. Cybercafé employees watch what their customers are viewing, keep logs of sites visited and share that information with local Internet police departments, which have been set up in more than 700 cities and provinces.
This, like so many things in China, seems to be enforced differently from place to place. I've had to register my passport number once since this policy started up a few years ago. Then the cafe that took my passport number stopped taking IDs down a few weeks later.


Joined: 2005-06-03
Points: 748
*Posted: Thu, 2005-10-06 03:43 | Subject: Re:GREAT FireWALL Experiences

Thanks for the very interesting comments, wtanaka Cool

Joined: 2005-09-21
Points: 179
*Posted: Thu, 2005-10-06 05:50 | Subject: Re:GREAT FireWALL Experiences

Great article!

I have reposted that in the following sites:

419eater

TheRanter

I have included links to your site and you as the author. Smile


Joined: 2005-06-03
Points: 748
*Posted: Thu, 2005-10-06 10:09 | Subject: Re:GREAT FireWALL Experiences

Guess what?

This link 419eater works from Chong Qing

I'll also see if I can successfully access this site
when I return to Chengdu.

......

I have just posted mention of it on another site

Joined: 2005-09-21
Points: 179
*Posted: Thu, 2005-10-06 13:13 | Subject: Re:GREAT FireWALL Experiences

Wocca, welcome to Eater. Do read the guidelines, FAQs and Sticky. We have a mentor system for you to sign up and it is free! Oh, BTW kiss your free time goodbye....

*wait*

Hang on.. this is the Treehouse Cityguide! Razz

Well, you should also post a link back to here and I think Wesley will be happy. I think we have a couple of Eater members who are from Asia and China. Smile

P.S. Can you access theRanter?


Joined: 2005-04-24
Points: 648
*Posted: Fri, 2005-10-07 03:22 | Subject: Interesting

Today, I tried visiting http://www.i2p.net/, which someone pointed out to me as a potential proxy solution. I downloaded about half of the page (till the point that it says "People should not use I2P prior to the 1.0 release without"), and then the connection stopped working. Trying to hit reload gave me "transient block" behavior like described above. Perhaps this means that China's started also doing transient blocks based on the data that comes back from the webserver, in addition to the data that gets sent in the request.


Joined: 2005-06-03
Points: 748
*Posted: Fri, 2005-10-07 15:10 | Subject: Re:GREAT FireWALL Experiences

I can NOT access theRanter Shocked

wilson888 wrote:

kiss your free time goodbye....

I'm already well-occupied with a number of sites, so
don't have much (if any) more free time available.

Occasionally, I work as well :-}}*

Joined: 2005-09-21
Points: 179
*Posted: Sat, 2005-10-08 01:59 | Subject: Re:GREAT FireWALL Experiences

Wocca, try www.anonymouse.org ! A bit slow but will get you there. You really need to invest in a proxy software. Smile


Joined: 2005-06-03
Points: 748
*Posted: Sat, 2005-10-08 04:59 | Subject: Re:GREAT FireWALL Experiences

Full points for persistence, wilson888 Mr. Green

I don't need access to any more sites, thanks

...

Nomad

Joined: 2005-10-21
Points: 4
*Posted: Fri, 2005-10-21 14:40 | Subject: More observations on great wall

Interesting observations regarding the great wall. I'll add what I've seen in the Shenzhen area... In this area, a location of ours used an IPSec tunnel to maintain a VPN with other locations in the US and Taiwan. When in the area, I used to be able to open IPSec and ssh links to these other locations from my hotel room, as well as use Skype, Jabber and other IM systems.

About 8 months ago, it was no longer possible to establish IPSec, PPTP, ssh, Skype or Jabber connections to the locations outside China. It was, however, possible to connect to the Shenzhen office via PPTP and IPSec. The implication seems to be that the local ISP is selectively blocking ESP, GRE, etc. at the connection/fixed address level. The hotel is not doing so, because when I complained and drew blank looks, I persuaded the hotel staff to let me help check/configure their routers. There was nothing the matter with the routers; the blocks were not at the hotel level.

In the past, IMAP traffic between the Shenzhen location and the outside world travelled via IMAPS (port 993); this is no longer possible.

I'm guessing that there are active attempts to block encrypted traffic between China and the rest of the world.


Joined: 2005-06-03
Points: 748
*Posted: Fri, 2005-10-21 14:53 | Subject: Re:GREAT FireWALL Experiences


Joined: 2005-04-24
Points: 648
*Posted: Fri, 2005-10-21 15:27 | Subject: Re: More observations on great wall

Nomad, I would guess that the government wouldn't cut off encrypted traffic access, because that would prevent people from maintaining websites and prevent multinational companies with offices in China from accessing their corporate VPNs.

What happened in the end? Did complaining to the authorities have any effect, or did your China office just need to shut down?

Nomad

Joined: 2005-10-21
Points: 4
*Posted: Fri, 2005-10-21 19:34 | Subject: encrypted traffic blocked?

We have enough trouble with every single government official in customs, utilities, etc.

I edited this post by mistake. Sorry. Embarrassed --wtanaka


Joined: 2005-04-24
Points: 648
*Posted: Sat, 2005-10-22 04:22 | Subject: Re:GREAT FireWALL Experiences

Like you say, VPNs are essential to international companies being able to operate in China. I can't imagine them shutting down VPN access without a huge uproar. For example, I don't think they could ever shut down access in Beijing (with Microsoft and IBM having big research labs there)

I'm curious, can you tell if they're just blocking traffic on the SSH port, or are they somehow detecting that it's SSH traffic (searching for the unencrypted SSH handshake perhaps?) If you run the ssh server on a different port, are you able to use it?

If they're actually detecting SSH traffic, the switch to port number 80 probably won't help you, but the fact that OpenVPN is more obscure and less used probably will.

Quote:


We have enough trouble with every single government official in customs, utilities, etc.

There's no overt corruption here, but I know how these things can sometimes turn into a big "mafan."

Nomad

Joined: 2005-10-21
Points: 4
*Posted: Sat, 2005-10-22 04:37 | Subject: Re:GREAT FireWALL Experiences

I'm not sure what they are doing yet. It isn't just a simple port block, because we don't run ssh on the standard port. I think it is more likely to be protocol detection since the first part of the handshake takes place, but then the rest is blocked.

As for overt corruption... I guess it depends on whether the things you are doing require approval of one authority or another. If it does, they will use their power to extract something from you.


Joined: 2005-06-03
Points: 748
*Posted: Thu, 2005-10-27 01:49 | Subject: Re:GREAT FireWALL Experiences

Shocked

Berkman Center for Internet & Society,
Harvard Law School has collected data
on the methods, scope, and depth of
selective barriers to Internet access ...

-> Empirical Analysis of Internet Filtering

...

Nomad

Joined: 2005-10-21
Points: 4
*Posted: Sat, 2005-11-05 21:10 | Subject: Re:GREAT FireWALL Experiences

Update from China... Just flew into China, so I thought I would post what I find.

On checking into the hotel, for the first 12 hours or so I was able to use IPSec, IMAPS and ssh, as well as a Jabber server. Now, IPSec, IMAPS, Jabber and ssh are blocked. I do know that the hotel is not doing this because I have personally seen their router/firewall hardware and configuration.

Skype, however, is unaffected on this trip. I suppose its p2p architecture helps harden it against blocks. Not always true though, since on other trips it has been blocked.

ssh is to a non-standard port. On it fails with the error message: ssh_exchange_identification: read: Connection reset by peer

Similar error messages are given for IMAPS, etc.

On switching to IMAP for the same servers, connections are made as normal.

Blocking therefore seems to be on a protocol level, not port based.

However---and this is the thing that puzzles me---connections are possible on the odd occasion, almost as if the blocking isn't consistently applied, or that it only works when the hotel's traffic is routed to different routers in the Shenzhen area.

Traceroutes to identify the paths out of the country do not work, the intermediate routers return nothing.

This is all quite frustrating since it stops legitimate business-related activity. But I guess the authorities don't exactly care.

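An added example, not written by any poster in this thread, that makes the distinction wtanaka asks about ("port block or protocol detection?") and that Nomad reads off the ssh error above: at which stage of the connection the failure happens. It also reproduces the "hangs forever" versus "Connection reset by peer" behaviours from the first post. Everything runs against local stand-in servers on 127.0.0.1 (constructed; nothing here touches a real network path), and the identification strings and the "KEXINIT-placeholder" message are constructed stand-ins rather than real SSH.

```python
import socket, struct, threading
CLIENT_ID = b"SSH-2.0-probe_0.1\r\n"          # constructed, banner-shaped only
SERVER_ID = b"SSH-2.0-ConstructedServer\r\n"  # constructed, banner-shaped only

def _rst_close(conn):
    # Zero-timeout SO_LINGER makes close() send RST, not FIN: "Connection reset by peer".
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()

def start_server(behaviour):
    """Local stand-in for one observed failure mode; returns its listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.recv(256)                            # the client's identification line
        if behaviour == "reset_before_banner":    # cut as soon as the client speaks
            return _rst_close(conn)
        if behaviour != "blackhole":              # blackhole: TCP up, nothing comes back
            conn.sendall(SERVER_ID)
        conn.recv(256)                            # next message, or EOF when client gives up
        if behaviour == "reset_after_banner":     # banner got through, next step is cut
            return _rst_close(conn)
        conn.close()                              # "normal": exchange completes, clean FIN
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe(host, port, timeout=1.0):
    """Report the stage at which a banner-style exchange with host:port fails."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect"                  # refused, or no SYN-ACK within the timeout
    with s:
        s.sendall(CLIENT_ID)
        try:
            banner = s.recv(256)
        except socket.timeout:
            return "no_reply"             # TCP is up, but the reply never arrives
        except ConnectionResetError:
            return "reset_before_banner"  # reset right after our first bytes went out
        if not banner.startswith(b"SSH-"):
            return "closed_before_banner"
        s.sendall(b"KEXINIT-placeholder")  # constructed stand-in for the next message
        try:
            s.recv(256)                   # b"" here is a normal close, not a reset
        except ConnectionResetError:
            return "reset_after_banner"
        return "ok"

def run_simulation():
    return {b: probe("127.0.0.1", start_server(b))
            for b in ("normal", "blackhole", "reset_before_banner", "reset_after_banner")}
```

A "connect" result on the standard port but a later stage on a non-standard one points at a port rule; the same post-connect stage on every port is what a protocol-level cut looks like from the client side, although the client alone cannot tell whether the reset was triggered by its own bytes or by the suppressed reply.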

Joined: 2005-06-03
Points: 748
*Posted: Sun, 2005-11-06 01:26 | Subject: Re:GREAT FireWALL Experiences

Nomad wrote:

Blocking therefore seems to be on a protocol level, not port based.
However---and this is the thing that puzzles me---connections are possible on the odd occasion, almost as if the blocking isn't consistently applied

Consistency could be the operative word Razz

penguintux

Joined: 2005-11-29
Points: 0
*Posted: Tue, 2005-11-29 16:03 | Subject: Same situation

Hi, I faced the same thing (can't access pop, smtp, ssh, ipsec) occasionally, and I find this problem very troublesome. This post really satisfies my curiosity. My office in DongGuan TangXia accesses two servers in HK, one PCCW and one HGC; the former has this problem while the latter does not. I checked using tracert: the former has hops that the latter does not pass through, and I think that is where the filters are!

Joined: 2005-09-21
Points: 179
*Posted: Wed, 2005-11-30 08:55 | Subject: ^^^ This is interesting...

^^^ This is interesting... consider the owner of the above two companies.


Joined: 2005-06-03
Points: 748
*Posted: Sun, 2006-01-22 07:30 | Subject: Try This ...

Try this suggestion

http://www.thechinazone.com/showthread.php?t=990


Joined: 2005-04-24
Points: 648
*Posted: Thu, 2006-02-16 07:05 | Subject: A Day In The Life Of A Chinese Internet Police Officer

Here is a myth: there are 30,000 Internet police in China who sit around all day looking for harmful information.  30,000 is a big number, since it could fill a soccer stadium.  But with respect to 100 million Internet users, 30,000 is woefully inadequate to patrol all possible Internet content material (that is, one Internet police officer has to keep an eye on 3,333 users at the same time, or less than 10 seconds per user per day). 

Originally, the reporter thought that Internet police work was relaxed and simple.  It was just like searching for information on the Internet, and there may be some interesting stuff occasionally!  After this experience, the reporter realized how boring and unexciting their work was.  The reporter began to wonder: How can this experience be considered "fun-filled"?

link
