The researchers found that it was possible to circumvent the Chinese intrusion detection systems (IDS) by ignoring the forged transmission control protocol (TCP) resets injected by the Chinese routers, which would normally force the endpoints to abandon the connection. Being able to bypass the Great Firewall is only one aspect of the researchers' findings, though. China's intrusion detection system can also be tricked by forging the source IP address of packets containing banned keywords, thereby blocking the forged source IP from a particular destination for "up to an hour at a time." As such, were an attacker to learn the IP addresses of, say, Chinese government systems, they could block those systems' access to sites like Windows Update and even to internal Chinese sites. According to the researchers, a user with a simple dial-up connection could prevent over 100,000 systems from accessing specific destinations at any one time. A detailed whitepaper of the researchers' findings can be downloaded in PDF form here.
"The machines in China allow data packets in and out, but send a burst of resets to shut connections if they spot particular keywords," explained Richard Clayton of the University of Cambridge computer laboratory. "If you drop all the reset packets at both ends of the connection, which is relatively trivial to do, the Web page is transferred just fine."
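The behaviour Clayton describes, a burst of resets arriving on an otherwise healthy connection, is something a network operator can look for in captured traffic. The following is an added example, not code from the article or from the Cambridge researchers, of a heuristic detector for injected TCP resets. It assumes packets have already been parsed into simple records (for instance from a pcap), and it relies on two heuristics that are assumptions about how injected resets tend to look rather than facts stated in the article: an RST whose IP TTL differs markedly from the TTL seen on that host's handshake and data segments probably came from a different device on the path, and several RSTs for one connection inside a few milliseconds form the kind of burst a real endpoint rarely sends. The addresses and the sample flow are constructed.

```python
"""Heuristic detector for injected TCP resets in a captured flow.

Added example, not code from the article or the Cambridge paper. Assumes
packets are already parsed into Segment records as observed at one end of
the connection. The TTL-baseline and burst heuristics below are assumptions
about typical injected resets, not claims made by the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    ts: float            # capture timestamp in seconds
    src: str             # source IP as seen in the packet
    dst: str             # destination IP
    ttl: int             # IP TTL as observed at the capture point
    flags: str           # TCP flags as letters: S, A, P, F, R
    payload_len: int = 0


def learn_ttl_baseline(segments: List[Segment]) -> Dict[str, int]:
    """Record the TTL first seen from each host on a non-RST segment.

    Handshake and data segments come from the real endpoint, so their TTL
    is the reference against which resets are compared.
    """
    baseline: Dict[str, int] = {}
    for s in segments:
        if "R" not in s.flags:
            baseline.setdefault(s.src, s.ttl)
    return baseline


def find_suspicious_resets(segments: List[Segment], ttl_tolerance: int = 3,
                           burst_window: float = 0.05, burst_min: int = 2) -> List[dict]:
    """Return one finding per RST that looks injected, with the reasons."""
    baseline = learn_ttl_baseline(segments)

    # Timestamps of every RST, grouped by (src, dst) so bursts can be counted.
    rst_by_flow: Dict[Tuple[str, str], List[float]] = {}
    for s in segments:
        if "R" in s.flags:
            rst_by_flow.setdefault((s.src, s.dst), []).append(s.ts)

    findings = []
    for i, s in enumerate(segments):
        if "R" not in s.flags:
            continue
        reasons = []
        base = baseline.get(s.src)
        if base is not None and abs(base - s.ttl) > ttl_tolerance:
            reasons.append(f"ttl {s.ttl} differs from baseline {base} for {s.src}")
        nearby = [t for t in rst_by_flow[(s.src, s.dst)]
                  if abs(t - s.ts) <= burst_window]
        if len(nearby) >= burst_min:
            reasons.append(f"{len(nearby)} RSTs within {burst_window}s")
        if reasons:
            findings.append({"index": i, "ts": s.ts, "src": s.src, "reasons": reasons})
    return findings


# Constructed sample flow, as seen from the client side of the connection.
CLIENT, SERVER = "10.0.0.2", "203.0.113.5"
SAMPLE_FLOW = [
    Segment(0.000, CLIENT, SERVER, 64, "S"),           # SYN
    Segment(0.080, SERVER, CLIENT, 52, "SA"),          # SYN-ACK from the real server
    Segment(0.081, CLIENT, SERVER, 64, "A"),
    Segment(0.082, CLIENT, SERVER, 64, "PA", 120),     # request that trips the IDS
    Segment(0.110, SERVER, CLIENT, 40, "R"),           # burst of three resets with a
    Segment(0.112, SERVER, CLIENT, 40, "R"),           # hop count unlike the server's
    Segment(0.114, SERVER, CLIENT, 40, "R"),
    Segment(0.160, SERVER, CLIENT, 52, "PA", 1400),    # the real reply still arrives
    Segment(2.500, SERVER, CLIENT, 52, "R"),           # genuine reset after idle: not flagged
]


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_FLOW):
        print(f"segment {f['index']} at t={f['ts']:.3f}s from {f['src']}: "
              + "; ".join(f["reasons"]))
```

On the sample flow the three resets at 0.110 to 0.114 s are reported on both counts, while the server's own reset at 2.5 s is left alone because its TTL matches the handshake and it arrives on its own. On real captures the tolerance should be tuned per path, since legitimate TTLs can vary by a hop or two with routing changes.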