British researchers break China's firewall

Researchers at Cambridge University in the United Kingdom have found
some interesting holes in the "Great Firewall of China," a massive
data filtering system that censors Internet content on the Chinese
mainland. Whereas users in China generally resort to proxy servers in
order to get around the firewall, the Cambridge researchers used
"relatively trivial" packet filtering to achieve the same effect.

The researchers found that it was possible to circumvent the Chinese
intrusion detection systems (IDS) by ignoring the forged Transmission
Control Protocol (TCP) resets injected by the Chinese routers, which
would normally force the endpoints to abandon the connection.

"The machines in China allow data packets in and out, but send a burst
of resets to shut connections if they spot particular keywords,"
explained Richard Clayton of the University of Cambridge computer
laboratory. "If you drop all the reset packets at both ends of the
connection, which is relatively trivial to do, the Web page is
transferred just fine."

Being able to bypass the Great Firewall is only one aspect of the
researchers' findings, though. China's intrusion detection system can
also be tricked by forging the source IP address of packets containing
banned keywords, thereby blocking traffic between the forged source IP
and a particular destination for "up to an hour at a time." As such,
were an attacker to learn the IP addresses of, say, Chinese government
systems, they could block access to sites like Windows Update and even
internal Chinese sites. According to the researchers, a user with a
simple dial-up connection could prevent over 100,000 systems from
accessing specific destinations at any one time. A detailed whitepaper
of the researchers' findings is available for download as a PDF.
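
Reset injection of the kind described above leaves traces in a packet capture taken at an endpoint. The following is an added example, not code from the article or from the Cambridge researchers: a Python heuristic that flags one direction of a connection when resets arrive in a burst or when the apparent sender keeps transmitting after its own reset. The packet records, addresses, function name and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic), as seen at the client:
# (time_s, source endpoint, destination endpoint, TCP flags, payload bytes).
# Addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
CLIENT, SERVER = "192.0.2.10:40000", "198.51.100.20:80"
PACKETS = [
    (0.000, CLIENT, SERVER, "S", 0),
    (0.180, SERVER, CLIENT, "SA", 0),
    (0.181, CLIENT, SERVER, "A", 0),
    (0.182, CLIENT, SERVER, "PA", 420),    # HTTP request
    (0.250, SERVER, CLIENT, "R", 0),       # burst of resets claiming to be the server
    (0.251, SERVER, CLIENT, "R", 0),
    (0.252, SERVER, CLIENT, "R", 0),
    (0.365, SERVER, CLIENT, "PA", 1400),   # the real server is still answering
    # Second connection: an ordinary single reset with nothing after it.
    (1.000, "192.0.2.11:40001", SERVER, "S", 0),
    (1.180, SERVER, "192.0.2.11:40001", "RA", 0),
]

def find_injected_resets(packets, burst_min=2, window=0.05):
    """Return {(src, dst): [reasons]} for directions whose resets look forged.

    burst_min and window are assumed thresholds: at least burst_min RSTs
    within `window` seconds counts as a burst.
    """
    rst_times = defaultdict(list)   # (src, dst) -> times of RSTs claiming to come from src
    findings = defaultdict(set)
    for ts, src, dst, flags, _length in sorted(packets):
        key = (src, dst)
        if "R" in flags:
            rst_times[key].append(ts)
            recent = [t for t in rst_times[key] if ts - t <= window]
            if len(recent) >= burst_min:
                findings[key].add("rst-burst")
        elif rst_times[key] and "S" not in flags:
            # A host that really reset the connection does not keep sending on it,
            # so later non-SYN traffic means the reset came from somewhere else.
            findings[key].add("traffic-after-rst")
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for (src, dst), reasons in find_injected_resets(PACKETS).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```
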