The Great Firewall of China

A few weeks ago, we received a request to publish an article on behalf of an author residing in China. After review of its content, we are sharing these insights on the CyberSmashup blog.

We hope you enjoy this post, learn something new about privacy and censorship, and if feeling compelled to respond or react, will not hesitate to post a comment, or contact us to contribute your opinion in a form of a blog post.

A lot of people heard about the so-called the Great Firewall of China, the famous censorship and surveillance project of the Chinese government, yet fewer are really aware of its impacts in day-to-day life for Chinese people. Although not officially admitted by the Government, the ordinary Chinese citizens feel the existence of the wall in their daily lives while surfing the “Chinese Intranet”, which does not allow access to Facebook, Twitter, YouTube, sometimes not even BBC or CNN.

Since its existence was never admitted officially, the information about the Firewall is mostly based on rumors, rather than documented. The Great Firewall is always associated with the Golden Shield Project, as both are supported by the central government financial system. Even Wikipedia considers both projects as the same. However, based on reliable sources, they are in fact two separate projects. The Great Firewall is aiming to filter the “unhealthy” information from oversea resources, while the Golden Shield Project is aiming to provide the Chinese police “useful information” for “internal usage”. With the Great Firewall, the Chinese are forced to use “kaixin001” or “renren” to replace Facebook, and “Sina Weibo” as Twitter. Then monitored by the “Golden Shield Project”, the Government might be able to access personal information very easily and can arrest people for the comments or blogs they published on the Internet.

Some personal experiences could be used as good examples of how the system is working. A friend published some “unhealthy posts” on his anonymous “Sina Weibo”, and received a call from the police within 2 hours. The only personal information linked with that post was his IP address, but the police could track his mobile, name, and address, which is only a rent one, in such a short time, thanks to the “Golden Shield project”. Also, another friend published some comments on his own blog and flagged them as “private” because he was not ready to publish them, and wanted to rephrase them afterwards. The comments were soon deleted by the blog platform’s administrator and a private message stating that the post contained some “sensitive information” was left in his inbox. It was a small personal blog with only about 100 clicks per day, or in other words, “a dead blog”, but still the “administrator” was monitoring it. Besides, the content was not sensitive and contained only good feedback about an international meeting held in China. The example shows that an incredible number of human resources have been put to this “monitoring task”, and the rules are very strict.

Fang Binxing, the founder of the Great Firewall, is the former president of the Beijing University of Posts and Communications. Rumors state that the Firewall was built by Binxing, along with his master students separated from the political system. Orders from the Chinese Government are supposed to be “translated” into a technical format, such as a list of key words that must be blocked. Therefore, the firewall does not really “understand” the political concerns and sometimes makes nonsensical choices and blocks irrelevant websites or keywords.

It was rumored that Cisco participated in the hardware implementation of the Great Firewall. However, no evidence other than a 90-page internal presentation to support this claim have been disclosed. Also, a suit was filed by Chinese Falun Gong practitioners against Cisco in US Federal Court in San Jose. They insisted that Cisco had helped the Chinese Government persecute their religious movement, but the case did not come to a clear conclusion. Since Cisco is a U.S. company, it makes great sense that the Chinese Government does not allow it to participate in such core security project due to the political tensions existing between the two countries.

On the other hand, Dawning Information Industry Co., Ltd, (also known as Sugon Information Industry Co., Ltd website: http://www.sugon.com/en/), which is a national high-tech enterprise established under the powerful promotion of the Chinese Academy of Sciences, and based on the major scientific research results in the national “863” plan*, was believed to provide the major hardware part to the project.

Type 4000L Dawning Server cluster, which cannot be found on Dawning official website, along with Redhat OS, is providing the major infrastructure of the Great Firewall, and is said to be able to reach a computing speed of 650,000 packets per second at a single connection point. Besides the server products, (rack-mounted, tower, blade, high-density) the company is also providing storage products, cloud computing products and other infrastructure products (cabinet-level water, fluoride). With a very strong Government background, the major customers of the company are national owned enterprises, and very little cooperation is seen with international companies.

A server product of Dawning (not 4000L):

The major techniques used by the Great Firewall are the following**:
1) IP blocking: the blocking will not be applied to a certain destination IP address but will cover the whole range. Even if a proxy is used to anonymize a connection, the firewall will manage to identify it and block the concerned IP addresses.
2) DNS filtering and redirection
3) URL filtering
4) Packet filtering
5) Connection reset: If a previous TCP connection is blocked by the filter, future connection attempts from both sides will also be blocked for up to 30 minutes.

The popular ways of bypassing the Great Firewall are VPN and Tor.

The VPN servers, once they get popular, will soon be shut down or blocked by the Firewall. In other words, the Firewall is being adapted and developed. For Tor network, the normal “IP blocking” is not very efficient due to the fact that the IP address for Tor is dynamic, and changes all the time. A few Tor bridges are also built to help the Internet users in China mainland “jump over the wall”.
It is believed that a sniffer is placed into each connection between mainland China and overseas, through the port 443. Once a Tor connection is trying to connect with a bridge outside China, the sniffer will try to connect to Tor using SSL protocol, to stop the real connection in TCP. This sniffer technique has resulted in Tor network being inaccessible from China Mainland since Oct 2011.

It is believed that Government, on one side, and anti-blocking experts, on the other, are continuously working to improve their techniques to avoid or get access to the Tor network, respectively***.

As regards OpenVPN open source software, according to rumors, the Great Firewall allegedly has the ability to “disturb” the connection by changing the TCP connection into UDP and dropping the packages containing the necessary information for establishing an encrypted connection.
It must be taken into account that all the information above is based on non-official statements and unconfirmed speculation. However, for the common citizens, a strong feeling of the Great Firewall’s existence is undeniable. Considering the techniques involved in the “Great Firewall” and the human resources used in the daily monitoring of the Internet, this project is likely to consume a considerable amount of the Chinese national budget.

*”863 plan”: A plan designed in March, 1986, named by the last two digits of the year plus the month. This plan was driven by the famous Chinese reformer Deng Xiaoping, and aims to provide China with high techniques to develop its economy. The plan promotes projects related to quite a number of domains such as biology, aeronautics, and information techniques, and is considered as successful so far.

**Source: Wikipedia.

***Refer to https://www.usenix.org/conference/foci12/workshop-program/presentation/Winter for further technical details.