Ignoring the Great Firewall of China
Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson
University of Cambridge, Computer Laboratory, William Gates Building,
15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom
{richard.clayton, steven.murdoch, robert.watson}@cl.cam.ac.uk
Abstract. The so-called "Great Firewall of China" operates, in part, by inspecting TCP packets for keywords that are to be blocked. If the keyword is present, TCP reset packets (viz: with the RST flag set) are sent to both endpoints of the connection, which then close. However, because the original packets are passed through the firewall unscathed, if the endpoints completely ignore the firewall's resets, then the connection will proceed unhindered. Once one connection has been blocked, the firewall makes further easy-to-evade attempts to block further connections from the same machine. This latter behavior can be leveraged into a denial-of-service attack on third-party machines.
1. Introduction
The People's Republic of China operates an Internet filtering system which is widely considered to be one of the most sophisticated in the world [9]. It works, in part, by inspecting web (HTTP) traffic to determine if specific keywords are present [8]. These keywords relate to matters such as groups that the Chinese Government has banned, political ideologies that they consider unacceptable and historical events that the regime does not wish to have discussed.
It is straightforward to determine that the keyword-based blocking is occurring within the routers that handle the connections between China and the rest of the world [14]. These routers use devices based upon intrusion detection system (IDS) technology to determine whether the content of packets matches the Chinese Government's filtering rules. If a connection from a client to a web server is to be blocked then the router injects forged TCP resets (with the RST flag bit set) into the data streams so that the endpoints will abandon the connection. Once blocking has begun, it will remain in place for many minutes and further attempts by the same client to fetch material from same website will immediately be disallowed by the injection of further forged resets.
In Section 2 of this paper we discuss the methods available to countries that wish to prevent their citizens from accessing particular Internet content and the strengths and weaknesses that have been identified by previous investigators. In Section 3 we present the packet traces we obtained from each endpoint of some connections that were blocked by the Chinese firewall system. In Section 4 we propose a model for the operation of this firewall to explain the results we have obtained. Then in Section 5 we show that by ignoring the TCP resets being issued by the firewall we are able to successfully transfer material that was supposed to be blocked, and discuss why this may prove difficult for the firewall operators to address. In Section 6 we show how the blocking action of the firewall can be leveraged into a denial-of-service attack on third party machines. Finally, in Section 7, we consider how websites outside of China might make their material easier to access despite the blocking, and we discuss the merits and demerits of this method of evading censorship.
2. Content Blocking Systems
Three distinct methods of content blocking - packet dropping, DNS poisoning and content inspection - have been identified in previous papers by Dornseif [5], who studied the blocking of right-wing and Nazi material in Nordrhein-Westfalen and Clayton [3] who studied the hybrid blocking system deployed by BT in the United Kingdom to block access to paedophile websites.
2.1 Packet Dropping Schemes
In a packet dropping scheme, all traffic to specific IP addresses is discarded and the content hosted there becomes inaccessible. This scheme is low cost and easy to deploy - firewalls and routers offer the necessary features as standard.
Packet dropping schemes suffer from two main problems. Firstly, the list of IP addresses must be kept up-to-date, which could pose some difficulties if the content provider wishes to make it hard for an ISP to block their websites (for details of the complexity, see the extensive discussion in [4]). Secondly, the system can suffer from "overblocking" - all of the other websites that share the same IP address will also be blocked. Edelman [6] investigated the potential extent of overblocking and found that 69.8% of the websites for .com, .org and .net domains shared an IP address with 50 or more other websites. Although some of these domain names will have merely been "parked", and providing a generic webpage, the detailed figures show a continuum of differing numbers of websites per IP address, reflecting the prevailing commercial practice of hosting as many websites as possible on every physical machine.
2.2 DNS Poisoning Schemes
In a DNS poisoning scheme, it is arranged that when the Domain Name System (DNS) is consulted to translate a textual hostname into a numeric IP address, no answer is returned; or an incorrect answer is given that leads the user to a generic site that serves up a warning about accessing forbidden content.
These schemes do not suffer from overblocking in that no other websites will be affected when access to a specific host is forbidden. However, it can be difficult to make them work correctly if all that is to be blocked is a website, and email contact is still to be permitted. Dornseif demonstrated that all of the ISPs in his sample had made at least one mistake in implementing DNS poisoning.
2.3 Content Inspection Schemes
Most content inspection schemes work by arranging for all traffic to pass through a proxy which refuses to serve any results for forbidden material. These systems can be made extremely precise, potentially blocking single web pages or single images, and permitting everything else to pass through unhindered.
The reason that proxy-based systems are not universally employed is that a system that can cope with the traffic volumes of a major network - or an entire country - would be extremely expensive. In Pennsylvania USA, a state statute requiring the blocking of sites adjudged to contain child pornography was struck down as unconstitutional in September 2004 [13]. For cost reasons, the Pennsylvanian ISPs had been using a mixture of packet dropping and DNS poisoning. The resultant overblocking and "prior restraint" were significant factors in the court's decision.
Nevertheless, proxy-based systems have been deployed in countries such as Saudi Arabia [7], Burma [10] and on specific network providers such as Telenor in Norway [12]. The UK-based BT system studied by Clayton was a hybrid design, utilising a low-cost cache, because only the packets destined for relevant IP addresses would be passed to it. Unfortunately, this permits users to "reverse-engineer" the list of blocked sites. Since these sites provide illegal images of children, this runs counter to the public policy aim of the system.
An alternative method of performing content inspection uses components from an Intrusion Detection System (IDS). The IDS equipment inspects the traffic as it passes by and determines whether or not the content is acceptable. When the content is to be blocked it will arrange for packets to be discarded at a nearby firewall or, in the case of the Chinese system, it will issue TCP reset packets so as to cause the offending connection to be closed.
An IDS-based system is significantly more flexible than the other schemes, and it is much less simple to circumvent. Both Dornseif [5] and Clayton [4] have extensive discussions on how to circumvent the different types of content blocking they identify. However, the IDS approach ought to be able to detect the traffic no matter what evasion scheme is tried, provided that the traffic remains in the clear and is not encrypted or obfuscated in a manner that the IDS cannot convert to a canonical form before coming to a decision.
3. How the Chinese Firewall Blocks Connections
In our experiments we were accessing a website based in China (within the Chinese firewall) from several machines based in Cambridge, England (outside the Chinese firewall). The Chinese firewall system, as currently deployed, is known to work entirely symmetrically - detecting content to be filtered as it passes in both directions - and by issuing all the commands from the Cambridge end we avoided any possibility of infringing Chinese law.
3.1 Blocking with Resets
Initially we accessed a simple web page, which arrived in an entirely normal manner, just as would be expected. As can be seen from the packet dump below, after the initial TCP three-way handshake (SYN, SYN/ACK, ACK) the client (using port 53382 in this instance) issues an HTTP GET command to the server's http port (tcp/80) for the top level page (/), which is then transferred normally. We were using Netcat (nc) to issue the request, rather than a web browser, so that we might avoid extraneous detail. The packet traces were captured by ethereal, but we present them in a generic format.
cam(53382) → china(http) [SYN]
china(http) → cam(53382) [SYN, ACK]
cam(53382) → china(http) [ACK]
cam(53382) → china(http) GET / HTTP/1.0<cr><lf><cr><lf>
china(http) → cam(53382) HTTP/1.1 200 OK (text/html)<cr><lf> etc...
china(http) → cam(53382) ... more of the web page
cam(53382) → china(http) [ACK]
... and so on until the page was complete
We then issued a request which included a small fragment of text that we expected to cause the connection to be blocked, and this promptly occurred:
cam(54190) → china(http) [SYN]
china(http) → cam(54190) [SYN, ACK] TTL=39
cam(54190) → china(http) [ACK]
cam(54190) → china(http) GET /?falun HTTP/1.0<cr><lf><cr><lf>
china(http) → cam(54190) [RST] TTL=47, seq=1, ack=1
china(http) → cam(54190) [RST] TTL=47, seq=1461, ack=1
china(http) → cam(54190) [RST] TTL=47, seq=4381, ack=1
china(http) → cam(54190) HTTP/1.1 200 OK (text/html)<cr><lf> etc...
cam(54190) → china(http) [RST] TTL=64, seq=25, ack zeroed
china(http) → cam(54190) ... more of the web page
cam(54190) → china(http) [RST] TTL=64, seq=25, ack zeroed
china(http) → cam(54190) [RST] TTL=47, seq=2921, ack=25
The first three reset packets had sequence values that corresponded to the sequence number at the start of the GET packet, that value plus 1460 and that value plus 4380 (3 × 1460). We believe that the firewall sends three different values to try and ensure that the reset is accepted by the sender, even if the sender has already received ACKs for "full-size" (1460 byte) packets from the destination. Setting the sequence value of the reset packet "correctly" is necessary, because many implementations of TCP/IP now apply strict checks that the value is within the expected "window". The vulnerabilities inherent in failing to check for a valid sequence value were first pointed out by Watson in 2004 [15].
The trace also shows part of the web page arriving from the Chinese machine after the connection had already been aborted (we examine why this occurred below). The Cambridge machine therefore sent its own TCP resets in response to these two (now) unexpected packets. Note that it zeroed the acknowledgement fields, rather than using a value relative to the randomly chosen initial value.
All of the reset packets arrived with a time-to-live (TTL) field value of 47, whereas the packets from the Chinese webserver always had a TTL value of 39, indicating that they were from a different source. If both sources set an initial value of 64, then this would indicate the resets were generated 8 hops away from the webserver, which traceroute indicates is the second router within the China Netcom Corporation network (AS9929) after the traffic is passed across from the Sprint network (AS1239).
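As an added example (not code from the paper), the following Python models the receiver-side decision that the two paragraphs above describe: whether a reset whose sequence number lands in the window is honoured, and how the TTL mismatch between the genuine SYN/ACK (39) and the resets (47) can flag an injected reset. The receive window size and the RFC 5961 "challenge ACK" rule are assumptions about the endpoint, not observations from the trace.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Segment:
    flags: str   # e.g. "SYN,ACK" or "RST"
    ttl: int
    seq: int     # relative to the sender's initial sequence number, as in the trace
    ack: int

@dataclass
class ClientState:
    rcv_nxt: int = 1        # next byte expected from the server, right after the handshake
    rcv_wnd: int = 65535    # assumed receive window
    peer_ttl: int = 0       # TTL observed on the genuine SYN/ACK

def in_window(state: ClientState, seg: Segment) -> bool:
    """Classic RFC 793 rule: a RST anywhere inside the receive window is honoured."""
    return state.rcv_nxt <= seg.seq < state.rcv_nxt + state.rcv_wnd

def rst_verdict_rfc5961(state: ClientState, seg: Segment) -> str:
    """Hardened rule (RFC 5961): only an exact rcv_nxt match resets the connection;
    an in-window but inexact sequence number gets a challenge ACK instead."""
    if seg.seq == state.rcv_nxt:
        return "reset"
    if in_window(state, seg):
        return "challenge-ack"
    return "drop"

def analyse(trace: List[Segment]) -> List[Tuple[int, bool, bool, str]]:
    """For each server->client RST report:
    (seq, TTL differs from the genuine peer, accepted under RFC 793, RFC 5961 verdict)."""
    state = ClientState()
    report = []
    for seg in trace:
        if "SYN" in seg.flags and "ACK" in seg.flags:
            state.peer_ttl = seg.ttl   # learn the real server's hop distance
            continue
        if "RST" in seg.flags:
            report.append((seg.seq, seg.ttl != state.peer_ttl,
                           in_window(state, seg), rst_verdict_rfc5961(state, seg)))
    return report

# Constructed from the values in the Cambridge-side trace: SYN/ACK with TTL 39,
# then three forged resets with TTL 47 at seq 1, 1461 (1+1460) and 4381 (1+3*1460).
TRACE = [
    Segment("SYN,ACK", 39, 0, 1),
    Segment("RST", 47, 1, 1),
    Segment("RST", 47, 1461, 1),
    Segment("RST", 47, 4381, 1),
]

if __name__ == "__main__":
    for row in analyse(TRACE):
        print(row)
```

Under the classic rule all three resets tear the connection down, whereas a host applying RFC 5961 accepts only the exact-match reset; the TTL column is true for every forged reset and false for nothing genuine in this trace.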
We also examined this blocked connection from the point of view of the Chinese webserver:
cam(54190) → china(http) [SYN] TTL=42
china(http) → cam(54190) [SYN, ACK]
cam(54190) → china(http) [ACK] TTL=42
cam(54190) → china(http) GET /?falun HTTP/1.0<cr><lf><cr><lf>
china(http) → cam(54190) HTTP/1.1 200 OK (text/html)<cr><lf> etc...
china(http) → cam(54190) ... more of the web page
cam(54190) → china(http) [RST] TTL=61, seq=25, ack=1
cam(54190) → china(http) [RST] TTL=61, seq=1485, ack=1
cam(54190) → china(http) [RST] TTL=61, seq=4405, ack=1
cam(54190) → china(http) [RST] TTL=61, seq=25, ack=1
cam(54190) → china(http) [RST] TTL=61, seq=25, ack=2921
cam(54190) → china(http) [RST] TTL=42, seq=25, ack zeroed
cam(54190) → china(http) [RST] TTL=42, seq=25, ack zeroed
As can be seen, when the "bad" packet was detected, the firewall also sent resets to the Chinese machine, but these resets arrived after the GET packet (and after the response had commenced). The last two resets (with zeroed ack values) were the ones that were sent by the Cambridge machine.
The other resets (generated because falun was present) arrived at the Chinese webserver with a TTL value of 61, which is consistent with them being generated 3 hops away with an initial count of 64. This differs from the 8-hop offset we observed from Cambridge. However, it is possible that there is more than one device that is generating resets - or the initial count may have been adjusted to be different from 64. We do not currently have any definitive explanation for the lack of symmetry that this observation represents.
The first three blocking resets were also set to a range (+25, +1485, +4405) of sequence numbers in an attempt to ensure that at least one was accepted, and in fact the +25 packet will have reset the connection. The fourth and fifth resets received can be seen, by examining their acknowledgement values, to be responses to the two packets that the server managed to send before the connection was reset.