The great firewall of China
The great firewall of China may be just an illusion in technical terms. This article describes the details of how things work…. Basically when “banned content” is detected, both ends of the connection are sent a flood of tcp reset packets. Which (if both sides are designed to pay attention to) means that the two computers “hang up” assuming the other side reset the connection. But, while most current PC operating systems obey the reset packets…. it’s not something that is imperative. (You might think of this as a targeted/surgical denial of service attack using TCP reset packets…) The article goes a bit deeper though….
What if the pcs ignored reset packets…. yes they could. There’s no rule that a tcp stack HAS to obey a reset packet. IF the packets were ignored the firewall would turn out to be nothing more than an illusion technically speaking. Because the pcs on either end would continue communicating. Essentially ALL the packets are passing through the “firewall” unhindered, the resets are just being used to target and force the endpoints to drop “unwanted” connections.
From the article…
Ignoring resets is trivial to achieve by applying simple firewall rules… and has no significant effect on ordinary working. If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device. We would argue that there is much to commend examining TTL values when considering defences against denial-of-service attacks using reset packets. Having operating system vendors provide this new functionality as standard would also be of practical use because Chinese citizens would not need to run special firewall-busting code (which the authorities might attempt to outlaw) but just off-the-shelf software (which they would necessarily tolerate).
Of course, there are OTHER blocks that the Chinese government has on sites, but according to the writeup, these static blocks are more expensive (tedious) to setup and maintain. So this method would not work for everything.
Popularity: 1% [?]
Related Posts - UDP problem... I found a peculiar problem while I was setting up an openvpn link the other day. The goal was a simple shared key setup and I started with the sample configuration and modified it a bit to fit the circumstances, I allowed the correct UDP port through the firewall (I......
- Network Security guide for the home or small business network - Part 7 - Wireless Networking OK - the last couple of entries got into some heavy lifting and some real learning on your part. Learning about what software needs to run, what services are running, updating them to keep current on security patches. We even talked about securing services listening for outside connections and limiting......
- Services.exe running at 100% CPU and using 100s of MB of memory - Windows XP SP3 I came across an interesting one in the last few days. This system was a Windows XP system with current updates - SP3, IE 8.... and among other things there was a complaint of very sluggish behavior. I updated the antimalware software installed and ran scans. Malware Bytes antimalware actually......
Related Websites - Ideas for Blogging Content Pt 1 Business blogging is rife with benefits for those who utilize it properly, as it adds significant value to a company's web presence, increasing search engine visibility and encouraging excellent and meaningful interaction from readers, driving an increase of traffic to your website in the process. But blogging for business is......
- The Key Advantages Of Using The Article Submission Service For Your Website Article Submission Service is really a fresh and reliable way to improve awareness, create high quality in content back links, develop word-of-mouth and hence draw in target viewers for your site. By writing and submitting a quality article, you are not just telling your potential prospects about your service, but......
- October Issue of BSD Magazine is Out! ARTICLES IN THIS ISSUE: iXsystems Announces Release of FreeNAS™ Version 8.0.1 Josh Paetzel Release features back end changes and bugfixes, as well as new front end user features More... Configuring a FreeBSD Stealth Logging Server Michael Shirk The collection of log files provides security administrators with the ability to have......
Similar Posts
- Free speech in contrast (or lack of it)
- x11vnc slow internet initial-connection performance – identd timeout
- Google explains Google China Decision
- Linksys BEFW11S4 ver. 4 wireless router locking up (default password and hard reset info too)
- TCP/IP networking strange problem