A closer look at the Great Firewall of China

by phw | October 6, 2014

Over the last few years, we learned a lot about how the Great Firewall of China is blocking Tor. Some questions remained unanswered, however. Roya, Mueen, Jed, and I just published a project which seeks to answer some of these open questions. Being curious as we are, we tried to find answers to the following questions:

  • Is the filtering decentralised (i.e., happening in provinces) or centralised (i.e., happening in Internet exchange points (IXP))?
  • Are there any temporal patterns in the filtering? Or in other words, are there certain times when people are more likely to be able to connect to Tor?
  • Similarly, are there any spatial patterns? Are folks in some special regions of China able to connect to Tor while others cannot?
  • When a computer in China tries to connect to a Tor relay, what part of the TCP handshake is blocked?

It turns out that some of these questions are quite tricky to answer. For example, to find spatial patterns, we need to be able to measure the connectivity between many Tor relays and many clients in China. However, we are not able to control even a single one of these machines. So how do we proceed from here? As so often, side channels come to the rescue! In particular, we made use of two neat network measurement side channels: the hybrid idle scan and the SYN backlog scan. The backlog scan is a new side channel we discovered and discuss in our paper. Equipped with these two powerful techniques, we were able to infer whether there is packet loss between relay A and client B even though we cannot control A and B.

You might notice that our measurement techniques are quite different from those of most other Internet censorship studies, which rely on machines inside the censoring country. While our techniques give us a lot more geographical coverage, they come at the price of flexibility; we are limited to measuring Internet filtering on the IP layer. More sophisticated filtering techniques such as deep packet inspection remain outside our scope.

What we did was measure the connectivity between several dozen Tor relays and computers in China over four weeks, which means that we collected plenty of data points, each of which tells us "was A able to talk to B at time T?". These data points reveal a number of interesting things:

  • It appears that many IP addresses inside the China Education and Research Network (CERNET) are able to connect to at least our Tor relay.
  • Apart from the CERNET netblock, the filtering seems to be quite effective despite occasional country-wide downtimes.
  • It seems like the filtering is centralised at the IXP level instead of being decentralised at the provincial level. That makes sense from the censor's point of view because it is cheap, effective, and easy to control.
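The following is an added illustration, not code from the project described in this post: it groups constructed data points of the form "was A able to talk to B at time T?" by client network and by hour, to show how an unfiltered netblock and a country-wide gap stand out. The network names, the 0.5 threshold and the function names are assumptions made for the example.

```python
from collections import defaultdict

def sample_points():
    """Constructed data points: (relay, client_network, hour, reachable)."""
    points = []
    for relay in ("relayA", "relayB", "relayC"):
        for net in ("CERNET", "net-north", "net-south", "net-west"):
            for hour in range(24):
                # Constructed pattern: CERNET clients always connect; all
                # other networks connect only during one shared gap at hour 7.
                points.append((relay, net, hour, net == "CERNET" or hour == 7))
    # One isolated success in a single network, which is not a shared gap.
    points.append(("relayA", "net-south", 15, True))
    return points

def reach_rate(points, key):
    """Fraction of successful connections per group; key maps a point to its group."""
    ok, total = defaultdict(int), defaultdict(int)
    for p in points:
        total[key(p)] += 1
        ok[key(p)] += p[3]
    return {k: ok[k] / total[k] for k in total}

def unfiltered_networks(points, threshold=0.5):
    """Client networks whose overall reachability exceeds the threshold."""
    rates = reach_rate(points, key=lambda p: p[1])
    return sorted(n for n, r in rates.items() if r > threshold)

def shared_gaps(points, threshold=0.5):
    """Hours in which every otherwise-filtered network could connect.

    Assumption of this example: a gap that appears in all filtered networks
    at the same time is read as a lapse of one shared filter, while a gap in
    a single network is not.
    """
    open_nets = set(unfiltered_networks(points, threshold))
    filtered = [p for p in points if p[1] not in open_nets]
    rates = reach_rate(filtered, key=lambda p: (p[1], p[2]))
    nets = {p[1] for p in filtered}
    hours = {p[2] for p in filtered}
    return sorted(h for h in hours
                  if all(rates.get((n, h), 0) > threshold for n in nets))

if __name__ == "__main__":
    pts = sample_points()
    print("per-network rate:", reach_rate(pts, key=lambda p: p[1]))
    print("unfiltered networks:", unfiltered_networks(pts))
    print("shared gaps (hours):", shared_gaps(pts))
```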

Now what does all of this mean for Tor users? Our results show that China still has a tight grip on its communication infrastructure, especially on the IP and TCP layer. That is why our circumvention efforts mostly focus on the application layer (with meek being an exception), and pluggable transport protocols such as ScrambleSuit (which is now part of the experimental version of TorBrowser) and obfs4 are specifically designed to thwart the firewall's active probing attacks.

Comments

Please note that the comment area below has been archived.

October 06, 2014

So which PT is able to circumvent the great firewall? Is the next release able to do that out of the box?

ScrambleSuit and obfs4 should be able to. In general, meek also should but the Google infrastructure isn't accessible at the moment, as far as I know.

The current experimental version of TorBrowser already contains ScrambleSuit and meek but obfs4 is still missing.

I'm a Chinese student. I want to use Orbot but it's not working in Hong Kong, and there's no data surrounding it, not even on the official GuardianProject website, and they don't answer when you chat with them on #guardianproject, and sending an email is not an option. I have no thoughts on what to do.

Tor for mobile is now more important than ever, even more than desktop, but until the guardian project get their shit together and start focusing on the important things, one project at a time, before distributing their resources on numerous but barely-working projects (reading orbot's official page is like reading the "one weird trick to make your arbs grow faster", nothing but marketing with no actual info), you could easily set up a tor hotspot on a desktop for mobile users, but you'd probably need tails to do that if you want a fully torified system, but as far as I know, unfortunately tails only supports obfs3 (I'm not sure, I tried asking on #tails and searching the official tails website, and found no info, apparently not even the devs know what pt is supported by tails) which as I understand is blocked in China.

Tails only supports obfs3. It doesn't support any other pluggable transport. I'm not sure why the tails devs are way behind concerning tails' core "engine", which is tor. But they're not exactly known to be your no-nonsense top developers either; tails experienced so many ip leak disasters even in stable releases, most of which were actually reported by third parties instead of being discovered by tails' people...

The latest version should, as it is tor-0.2.5.x based. The primary blocker to getting ScrambleSuit support in Orbot has been that it was shipping with tor-0.2.4.x.

The actual ScrambleSuit support code has been in obfsclient (what is used on Android) for a while. Note that I haven't tested this in quite a while (been busy with other things), but if it's broken please let us know.

Well, that's odd. Since this is important to me (because I wrote the implementation they use), I went and tested it on my cellphone with one of the TBB 4.0 default ScrambleSuit bridges, and it bootstrapped to 100% fine, and I can browse the web through the bridge.

Granted, I tried a few bridges on my desktop before I found one that I knew was up before I went and plugged it into Orbot because the UX is somewhat painful.

So, at least with Orbot 14.0.8.1, ScrambleSuit bridges indeed work fine. If it doesn't work for you, it is likely that you are running an old version, the bridge itself is down/unreachable, or there was user error when entering the bridge config. If you can positively rule out all of those things, file a ticket.

October 07, 2014

What concrete IP addresses are whitelisted by GFW in the China Education and Research Network? Can we utilize those whitelisted IP blocks to bypass GFW in China?

The IP addresses were randomly determined. While we only ran traceroutes to a subset of CERNET, the machines we selected were consistently reachable. As for circumvention, it might be possible to run a Tor relay inside CERNET but we haven't tried that yet.

October 07, 2014

I'm in China. Besides flashproxy, fte, meek-google, obfs3, ScrambleSuit, only meek-amazon can work. But it's quite slow.

If those integrated bridges don't work for you, please get and add some bridges by your own using the following methods:

1) Email:

obfs3 bridges: send an email to bridges@torproject.org and the body should be "get transport obfs3" (without quotes).

fte bridges: send an email to bridges@torproject.org and the body should be "get transport fte" (without quotes).

Note: if you use this method then you need to use one of the following email providers: Riseup, Gmail or Yahoo.

2) Website:

obfs3 bridges: https://bridges.torproject.org/bridges?transport=obfs3
fte bridges: https://bridges.torproject.org/bridges?transport=fte

October 07, 2014

If you want to legally check the traffic outgoing from China you might consider renting a China-based VPS or VPN with exit in China ;)

October 08, 2014

This is great!

Are there similar studies/metrics available or being planned for Iran?

October 09, 2014

There are a lot of Asians who studied in the US/USA in computer science and cryptography who have gone back to China and now work for China. Why don't you go talk to the institutions about computer science and cryptography, and maybe they can provide some light on how to go around this Great Firewall of China. Also, China is a politically dominant structure, so the ones blocking and censoring are within the government infrastructure. Just some thoughts for you all about this post.

October 09, 2014

As a Chinese student, I don't like TorBrowser.
TorBrowser connected slowly, and worked for several minutes. Then Tor was blocked by GFW, and I couldn't notice it in time.

I like Vidalia very much. It can show me the Network Map and the Advanced log.

Please release a tor-Vidalia-pluggable-transports bundle as soon as possible.

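I am Chinese too, and I just want to say that the first paragraph of your Chinese was quite impolite.
As an ordinary person living in mainland China, I am full of respect and gratitude for every Tor-related product.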

Sorry, my English isn't good enough. I love Tor, and use it every day. Lots of thanks to the developers.

I just want to say, TorBrowser is not suitable in China. The Vidalia Bundle is the best.

Because the GFW filter rules are optimised every day, the Pluggable Bridges often fail. Once TorBrowser starts successfully, after some minutes it will be disconnected. It's hard to know when it's down, and you must restart the whole Firefox, no matter how many tabs are open. So it's not easy to use in China.

That's why Tor is rarely used outside CERNET. I used Tor in many cities. There is no significant difference in the GFW filter between CERNET and other ChinaNets. It is just because most Tor users should have a Master's degree or above. These guys understand bridges, and know how to use bridges. Other people outside university mostly use GoAgent / FreeGate / Wujie etc.

According to my experience, the Vidalia Bundle is more suitable for Chinese people. They use Chrome/Firefox, and install SwitchySharp/Autoproxy, and subscribe to GFWList, then use Tor/Vidalia as a proxy.

So, please release a Tor-Vidalia-pluggable-transports bundle, following each TorBrowser release cycle.

Thanks a lot for everybody in Tor team.

TorBrowser does connect to the bridges. But after a few minutes, it cannot receive any data anymore. It just keeps sending data out. I need to restart TorBrowser to make it work. It looks like the connections were closed (I do not know the exact reason; I can reproduce a similar result by disconnecting from the Internet and connecting again). But meek is an exception.
Some parts of China throttle non-http/https connections.

October 10, 2014

Until now, TorBrowser is working very well here, no problem. Thanks to the development and maintenance team.

October 11, 2014

Thank you very much for your work on GFW.
I am from China.
After I use new obfs3 bridges I am more likely to be able to use Tor.
It seems that bridges can only work for a period of time. Then they are blocked by someone.
Sometimes TorBrowser works very fast. When I was looking for more information about this exit relay at Atlas, there was no information for the relays.
I guess someone forges bridges and tor relays to inspect tor users in China. Then they decide how to block tor.
And there is a very interesting thing. Many in China use Freegate, which is more popular than tor in China, to visit blocked sites. That software always works smoothly except when some things happen in China. So GFW may aim at Tor, and has some cooperation with Freegate. I guess.

October 12, 2014

Why does Tor "doesn't try to hide the fact you are using tor"? An *anonymity* network should prioritize hiding the fact you are using tor. For example by always seeming to be TLS1.2 and only using port 443, among other features.

October 12, 2014

I've noticed that with the latest Tor update the same entry node is used across multiple sessions. If I'm not mistaken this was not the case earlier. Why & when was this done and how do I force the selection of a different entry node, if I'm getting low bandwidth with the current one?

October 14, 2014

In reply to arma

I'm not well versed with data security, privacy, and related areas. It seems to me to be a balance between the risk to a few and the risk to many. In the new scheme, the group of people unfortunate enough to select a compromised entry guard could have all their traffic potentially de-anonymized until the breach is discovered, whereas in the earlier scheme, such a risk would be mitigated by guard rotation? How should one calculate this greater risk (if it is), when deciding to use Tor?

I had Vidalia running as well and I deleted a few circuits to seek bandwidth improvement, to no avail. When I exited TBB, deleted the "state" file and restarted TBB, however, there was a several-fold improvement with a new entry guard.

October 13, 2014

It's decided better to have some users cursed to use XXX entry guards forever to help others to evade them.

October 13, 2014

If the torproject succeeds in making torbrowser work by default out of the box in china, they're going to receive so much funding they won't even know what to do with it.

October 14, 2014

I was in China for two weeks this summer, and obfs3 bridges worked perfectly for me. I used the same 6 bridges on Orbot and on my desktop and they worked for my entire stay. It was easy to set up, although Orbot could do with more documentation, both in-app and on the website.

I think a lot of people don't realize that because they are in China they *must* get their own bridges and the ones bundled with the browser will be blocked, so instead assume that obfs3 doesn't work any more (it may well be the case that it is blocked now). The way the interface is written makes it sound like setting custom bridges is an advanced, complicated thing to do.

Indeed it's partially a user education problem, though as you noted the current user experience is also far from ideal (more so with the ScrambleSuit/obfs4 due to the password/cert). The rate at which they block the default bridges appears to be somewhat variable, which doesn't help the situation either.

Last I heard the Guardian Project folks had some neat ideas on how to simplify this process, but that was a bit ago and I haven't heard from them recently.

On an unrelated note, I'm glad that obfs3 on Orbot worked well for you, because if it was broken I would have to fix it.

October 14, 2014

I live in China.
I don't agree that GFW as a whole is completely centralized. While the policy of blocking Tor might be the same, other blocking policies such as IP/keyword blacklists are different between provinces or even cities. Even if the physical infrastructure of GFW was centralized, they could just determine the policies to be used by GeoIP.
By the way, from the day Tor got bridge features, I noted that no matter what protocol a bridge host uses, it will be blocked after a while. At first I thought Fang and his minions used their manpower to actively make a list of bridges and blacklist them. However, according to some papers, I learned that they had automated this process by adding some triggers to their filtering servers.

October 14, 2014

I am in China. TorBrowser works well, but not with obfs3 bridges. Some settings in torrc can speed up connecting. Vidalia cannot be used.
But why can China block Tor? Perhaps in China many computers have spy software installed; if you want to test, you can download qq.com, the popular chat software in China. I guess. And China-made mobile phones have a backdoor to report what web sites you are visiting.
And especially, one IP in China is different inside the country or outside China; I tested.
So it is not only the IXP; everyone's PC or mobile phone just has the spy software installed, which can report what you are doing on the Internet.
But it's a guess, because when I installed a firewall to block IPs in China, I found my computer visiting CN IPs without my permission. When I block CN IPs I feel free to surf.
But sometimes when I change bridges, even ScrambleSuit, sometimes I can't get access;
at handshake 25% it shows that it cannot access xx.xx.xxx.xxx. tlc connect fail.
Perhaps some bridge addresses are blocked by them.
Can you make a wider address range, not just a few bridges in the same subnet?

NumEntryGuards 8 or NumEntryGuards 3, which is good?
Thanks, Tor team.

October 16, 2014

Because in China computers or mobiles have spy software: if it finds someone visiting an address that is blocked, but not directly, and finds meanwhile that one Internet IP is outside China, they will block that IP, for it must be a proxy? It's my guess. When I use a firewall to block all China destination IPs, and use Orbot just by proxy connecting with a plain bridge IP, the speed to blocked web sites is fast. When I close the firewall, after a little while Orbot is blocked.
You can buy a China-made Android phone to test it, whether in the US or China, just like the Lenovo A830, but it must be the Chinese version.

I am in China. I don't think it's spy software that causes those problems. The ISPs (Internet Service Providers) have their own DNS servers and some servers to explain DNS and IP addresses.
The ISPs in China usually point domain names to their ad web sites for money. They hijack DNS very often in China. China Union, Great Wall Broad Band and China Tietong all do these things.
And they also hijack IP addresses.
I used Norton DNS to protect my computer from visiting some websites years ago. Now it doesn't work. I also tried some other famous DNS services to do the same thing. None of those DNS services can function well. The computer can still visit sexy websites and be directed to ad websites. I guess they point some IPs to their own DNS server.
And also I think every ISP can block the websites they want. I have found that a foreign website was blocked by one ISP company while it could be visited using another Internet connection provided by another ISP.
GFW is notorious in China. Mr Fang, who is called the father of GFW, had cancer last year. He got thousands of curses on his Weibo. So I think it is not safe to send people to universities to work for GFW. Usually the network in universities is operated by teachers and students in the computer science department.
It's good to arrange those to commercial ISPs secretly. I guess that is why those can hijack DNS for money for many years. And news people in China have reported those things because it is very serious now: adding advertisements, stealing commercial secrets and users' information. And the judicial authority did nothing about it.

October 19, 2014

I'd like to answer this question.

When a computer in China tries to connect to a Tor relay, what part of the TCP handshake is blocked?

Usually if a computer in China tries to connect to an IP address for the first time, the ISP first directs it to an advertisement, then jumps to the server the IP address points to.

Sometimes it allows people to connect to the true IP address after the ads are visited, and sometimes the ad server redirects the IP to where people wanted or to the site they want people visiting, after the ads' visiting number and users' information they have got.

Several times I tried to visit an online shop and it went to another online shop. It makes me very angry. I have to click the go back button many times; then the website I wanted shows up.

So the first TCP handshake is not to the relay. After the computer is allowed to connect to the true IP address it can connect to a Tor relay.

October 20, 2014

I'm in China, and I use IPv6 non-obfuscated bridge relays and it works. It looks like GFW can't block encrypted IPv6 traffic.

December 23, 2014

If you need any test from China, just make it a volunteer task. Simply write clear instructions about how to do it. I am sure there will be a lot of people who will be more than happy to help you with this.