How great is the great firewall? Measuring China’s DNS censorship [pdf]

123 points, posted by SerCe over 3 years ago

15 comments

jiggawatts, over 3 years ago
As someone living blissfully unaware of the struggles people go through in countries with rampant government censorship -- sorry, *control for the public good* -- of the Internet, it was a bit of a shock when I got some first-hand experience.

I had a customer that wanted to set up some web servers in China so that they could sign up students for some classes at their school.

At first I just assumed that this is a straightforward matter of selecting a Chinese region in a public cloud, deploying a couple of web servers, and we'd be done by lunch. Easy!

Turns out... that this is actually technically achievable, as long as: You have a Chinese business registered in China, you have a photo ID that you register with the "local authorities" (in person!), pay in Renminbi from a Chinese bank account, and read and write Chinese.

No, really. That's the process. *Really:* https://docs.microsoft.com/en-us/azure/china/overview-checklist

They want to make sure they have *someone* by the balls. It's either you personally, or someone willing to step up and take the risk of jail time on your behalf if you publish anything the Grand Pooh Xi doesn't like.

Meanwhile, I can spin up a server in Dubai or South Africa or Brazil like... *right now.* No paperwork. No prostrating myself in front of the Police to beg for permission to be able to post government-approved content.

Meanwhile, on the map of AWS or Azure regions -- or on any CDN's map -- there's just a *hole* where China is. It's like those photos of Earth from space, where you can see the city lights glowing brightly everywhere except for North Korea, where there's just *darkness*.

Remind me, why do we do business with these people again? Why do we give them our money?

dmos62, over 3 years ago
I was setting up a self-hosted VPN to work around GFW. I tried everything. Some solutions would sort of work, but unreliably, with extremely minimal bandwidth and would suddenly stop working after some time. I can't remember the combinations of transport and obfuscation tech that I tried, but they were considered best bets at the time. I would be very interested in finding out how commercial offerings do it. I'm not comfortable using them, since chances are that they're honeypots.

Funnily enough I traveled to another part of China then, and the Airbnb wifi had practically no GFW-type blocking. GFW is made up of local or provider-specific implementations that vary a lot. It was a small, rural town.

blueblisters, over 3 years ago
Great paper! Things that stood out while skimming:

- Bidirectional DNS poisoning: China can send forged DNS responses if you try to access certain Chinese domains from outside the GFW. This isn't server-side enforced geoblocking.

- GFW uses a small space of forged IPs, some belonging to Facebook, Twitter, Dropbox which may be responsible for a non-negligible overhead in server costs responding to HTTP requests for irrelevant hostnames.

Can FB sue China in court for damages for the cost of serving these forged requests?

SerCe, over 3 years ago
One of the details that I found really interesting is that the great firewall blocks any website that matches *torproject.org like the innocuous mentorproject.org.

The paper is also accompanied by an excellent presentation on the USENIX channel, https://www.youtube.com/watch?v=nPwsROLZrnc.
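
The overblocking described in the comment above, as an added example that is not part of the thread or the paper: it models a rule like *torproject.org as a plain string-suffix test (an assumption about how such a rule behaves) and compares it with a match anchored on a DNS label boundary. The function names and the sample list are constructed for illustration.

```python
"""Why a suffix rule without a label boundary overblocks."""

def normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks a fully qualified name.
    return name.strip().lower().rstrip(".")

def loose_suffix_match(name: str, base: str) -> bool:
    # Assumption: "*torproject.org" behaves like a raw string-suffix test.
    return normalize(name).endswith(normalize(base))

def label_aligned_match(name: str, base: str) -> bool:
    # Matches only the base domain itself or a true subdomain of it.
    n, b = normalize(name), normalize(base)
    return n == b or n.endswith("." + b)

def classify(names, base):
    """Split names into intended targets, collateral matches and non-matches."""
    result = {"intended": [], "collateral": [], "unmatched": []}
    for name in names:
        if label_aligned_match(name, base):
            result["intended"].append(name)
        elif loose_suffix_match(name, base):
            # Caught only because the rule ignores the label boundary.
            result["collateral"].append(name)
        else:
            result["unmatched"].append(name)
    return result

# Constructed sample of queried names.
SAMPLE = [
    "torproject.org",
    "www.torproject.org",
    "bridges.TorProject.org.",
    "mentorproject.org",
    "www.mentorproject.org",
    "example.org",
    "torproject.org.example.com",
]

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE, "torproject.org").items():
        print(f"{bucket:10} {names}")
```

The same boundary check applies to any domain blocklist or allowlist: a rule meant for one domain and its subdomains should compare against "." plus the base name, not the bare suffix.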

Erlangen, over 3 years ago
The researchers mentioned that they had "controlled machines located in China". Given the number of requests sent by these machines every day, how did they avoid being detected? Isn't it very suspicious for a machine to send a huge amount of requests to blocked domains every day?

greenspam, over 3 years ago
So, what's the conclusion? How great? If there is a censorship/surveillance competition, who will win, GFW or NSA?

nceqs3, over 3 years ago
The Open Technology Fund is one of the most underrated government agencies out there.

throwaway984393, over 3 years ago
IMHO, the most annoying thing about the great firewall is not the censorship - it's the bandwidth. Every single night in China, right around the time Chinese people start streaming, for about 4-5 hours, the bandwidth from anywhere to China goes to complete shit. You can't deploy anything or transfer data, it'll just time out or get corrupted.

Interestingly, "time in China" is one time, because China has 1 official time zone. Even though it spans 5 geographical time zones. Unless you're in Xinjiang, in which case if you're talking to a Uyghur or Kazakh, they're using Xinjiang time, which is 2 hours behind Beijing Time. Unless you're watching a non-Uyghur/Kazakh TV channel, in which case the time is back in Beijing Time.

senectus1, over 3 years ago
I know it's a massive PITA for corps trying to secure devices in that country.

The state of what's allowed through TGFWC changes constantly.

anuvrat1, over 3 years ago
Is there a paper or article about the economics of China's Great Firewall?

lorentzttt, over 3 years ago
What is the state of the art in GFW bypass, please?

est, over 3 years ago
Is there a way to group the "forged IP address" by class-C or class-B?
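
One way to do the grouping asked about here, which also makes visible the small, shared answer pool blueblisters mentions above. This is an added example, not code from the thread or the paper; it treats class-C as /24 and class-B as /16, the observations are constructed from documentation address ranges, and the min_domains threshold is a hypothetical parameter.

```python
import ipaddress
from collections import defaultdict

# Constructed observations: (queried domain, IPv4 address in the DNS answer).
OBSERVATIONS = [
    ("blocked-a.example", "192.0.2.10"),
    ("blocked-b.example", "192.0.2.10"),
    ("blocked-c.example", "192.0.2.77"),
    ("blocked-d.example", "198.51.100.5"),
    ("blocked-a.example", "198.51.100.9"),
    ("normal-site.example", "203.0.113.80"),
]

def group_by_prefix(observations, prefix_len):
    """Map each covering network (/24, /16, ...) to the domains answered from it."""
    groups = defaultdict(set)
    for domain, ip in observations:
        # strict=False masks the host bits, giving the enclosing network.
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].add(domain.lower().rstrip("."))
    return dict(groups)

def shared_prefixes(observations, prefix_len, min_domains=2):
    """Networks that answer for at least min_domains distinct domains.

    Unrelated domains resolving into the same small network is the pattern
    worth a closer look; sorted by how many domains share the network.
    """
    groups = group_by_prefix(observations, prefix_len)
    hits = [(net, sorted(doms)) for net, doms in groups.items()
            if len(doms) >= min_domains]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for prefix_len in (24, 16):
        print(f"/{prefix_len}:")
        for net, domains in shared_prefixes(OBSERVATIONS, prefix_len):
            print(f"  {net:18} {len(domains)} domains: {', '.join(domains)}")
```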

est, over 3 years ago
To access the latest data: https://gfwatch.org/

2143, over 3 years ago
Discussions about the great firewall would be incomplete without mentioning the great cannon.

https://citizenlab.ca/2015/04/chinas-great-cannon/

rastafang, over 3 years ago
I want an in-and-out-app-specific firewall on Linux and only then, I will be happy... something a lot like https://github.com/evilsocket/opensnitch/