Researchers Claim Great Firewall Workaround

A group of researchers at the University of Cambridge claims to have found a way to circumvent China’s Internet content controls, but some doubt whether their findings really offer a breakthrough.

Their paper, titled “Ignoring the Great Firewall of China,” offers an insight into the workings of China’s complex filtering system, which Chinese officials rarely discuss in public. The paper was written by Richard Clayton, Steven Murdoch and Robert Watson of Cambridge’s Computer Laboratory.

The Chinese government filters content by looking for banned keywords contained in packets being transmitted over the Internet. Thus, a computer requesting a webpage that contains the word “falun,” a reference to a banned spiritual group, will be blocked from accessing the webpage, the researchers said.

The filtering is done using routers and intrusion-detection technology, the paper said. When a banned keyword is detected, the router sends reset connection (RST) packets to both the client computer and the Web server, prompting them to break their connection and block the user’s access to the site.

RST is one of six flags, or control bits, used to define the purpose of a packet sent using transfer control protocol (TCP), which allows computers to connect over a network. When a computer receives an RST packet, it breaks off the connection.

Once the connection is broken, the Great Firewall’s routers continue to block all connections between the two computers for a period of time using RST packets. The length of time varied, ranging from a few minutes to nearly an hour, the researchers said, putting the average at about 20 minutes.

The disclosures in the paper offered nothing new for those familiar with how the filtering system works. “There’s nothing in there I didn’t know two years ago,” said Michael Robinson, an information technology expert in Beijing.

He questioned whether the paper’s findings make any difference. “The connection reset system described in the paper is only one layer of a much larger multilayer content control system. Using encrypted proxy servers is the only way around all of them,” he said.

In their paper, the researchers proposed using special software or modifications to firewall software that would ignore RST packets to circumvent the Great Firewall. Robinson questioned whether this method offered an improvement over the use of proxy servers, which are commonly used by Chinese Internet users to skirt government controls.

“Any solution to the connection reset problem would involve just as much work for individual Chinese Internet users as it does to set up a proxy connection, and the proxies provide a complete solution, rather than a partial solution as described in the paper,” he said.

Clayton disagreed. He argued that encryption methods don’t typically encrypt the link to the proxies, and so traffic is clear when it crosses the firewall and subject to censorship.

In an interview, he also noted that authorities in China don’t look kindly on people who run encryption software. Ideally, operating system developers like Microsoft or security software makers like Zone Alarm will start building their TCP/IP stacks to discard the resets as an extra security layer in their products. “If it’s standard, then it’s harder for authorities to deal with it,” Clayton said.

Clayton has contacted Microsoft to ask if the company would ever build a mechanism like this into its software. Through its public relations department, the company declined to comment, he said. In order for the scheme to work, website operators would also have to support the mechanism on the servers that offer their sites, another hurdle to implementing the change, he said.

The paper is available online.

-Sumner Lemon and Nancy Gohring, IDG News Service (Beijing Bureau)

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.