[Infowarrior] - Academics break the Great Firewall of China

Richard Forno rforno at infowarrior.org
Mon Jul 3 14:02:11 EDT 2006


Academics break the Great Firewall of China

By Tom Espiner
http://news.com.com/Academics+break+the+Great+Firewall+of+China/2100-7348_3-6090437.html

Story last modified Mon Jul 03 09:15:45 PDT 2006

Computer experts from the University of Cambridge claim not only to have
breached the Great Firewall of China, but have found a way to use the
firewall to launch denial-of-service attacks against specific Internet
Protocol addresses in the country.

The firewall, which uses routers supplied by Cisco, works in part by
inspecting Web traffic for certain keywords that the Chinese government
wishes to censor, including political ideologies and groups it finds
unacceptable.

The Cambridge research group tested the firewall by firing data packets
containing the word "Falun" at it, a reference to the Falun Gong religious
group, which is banned in China.

The researchers found that it was possible to circumvent the Chinese
intrusion detection systems by ignoring the forged transmission control
protocol resets injected by the Chinese routers, which would normally force
the endpoints to abandon the connection.

"The machines in China allow data packets in and out, but send a burst of
resets to shut connections if they spot particular keywords," explained
Richard Clayton of the University of Cambridge computer laboratory. "If you
drop all the reset packets at both ends of the connection, which is
relatively trivial to do, the Web page is transferred just fine."

Clayton added that this means the Chinese firewall can be used to launch
denial-of-service attacks against specific IP addresses within China,
including those of the Chinese government itself.

The IDS uses a stateless server, which examines each data packet going both
in and out of the firewall individually, unrelated to any previous request.
By forging the source address of a packet containing a "sensitive" keyword,
people could trigger the firewall to block access between source and
destination addresses for up to an hour at a time.

If an attacker had identified the machines used by regional government
offices, they could block access to Windows Update, or prevent Chinese
embassies abroad from accessing specific Chinese Web content.

"Due to the design of the firewall, a single packet addressed from a high
party official could block their Web access," said Clayton.

Even though this technique would block communication between only two
particular points on the Internet, the researchers calculated that a lone
attacker using a single dial-up connection could still generate a
"reasonably effective" denial-of-service attack. If an attacker generated
100 triggering packets per second, and each packet caused 20 minutes of
disruption, 120,000 pairs of endpoints could be prevented from communicating
at any one time.

Clayton, speaking at the Sixth Workshop on Privacy Enhancing Technologies in
Cambridge last week, said that the researchers had reported their findings
to the Chinese Computer Emergency Response Team.

Tom Espiner of ZDNet UK reported from London.




