Security IT/Methods

Current methods

edit

The system blocks content by preventing IP addresses from being routed through. It consists of standard firewalls and proxy servers at the Internet gateways. The system also selectively engages in DNS poisoning when particular sites are requested. The government does not appear to be systematically examining Internet content, as this seems to be technically impractical.

Effectiveness of Internet censorship measures is never complete, as there are multiple ways of circumventing them (depending on the given measure).

Over-blocking occurs when a legal content that should not be blocked is accidentally blocked by a given censorship measure. Depending on the particular scheme chosen this might be a problem pronounced more or less, but it is always present and inevitable. It does not relate to situations where the block list intentionally contains certain content that should not officially be blocked.

Similarly, under-blocking is content that officially should be blocked, but accidentally isn't. It is not content accessible by circumvention, but simply content that is accessible without using any special techniques that "slipped through the fingers" of the particular censorship scheme.

Both the resources required (equipment, processing power, bandwidth) and the cost of handling the list of blocked content also vary between censorship schemes and depend on method used.

Whether or not a method employs deep packet inspection (DPI) is indicative of both how intrusive and how resource-intensive it is

Method risk of over-blocking risk under-blocking resources required A service charge list Bypass DPI
IP blocking High Medium Low Medium Very easy No
DNS spoofing/DNS cache poisoning High Medium Low Medium Very easy No
URL filtering Low High Medium High medium demanding Yes
QoS filtering Medium Medium High High hard Yes
Man-in-the-middle attack High High Medium Very high required encrypted connection Yes
TCP connection reset High Medium Medium Medium required encrypted connection Yes
Network disconnection Very high Very high Medium None Satelite connection required. See also alternative for internet: packet radio and meshnet No
VPN blocking high medium Low medium most servers is available to pay only Yes
Network enumeration low low Very high high hard Yes
Keywords high high Very high Low medium demanding Yes
Hash low high Very high High medium demanding Yes
Dynamics (eg. image recognition) high high Very high low medium demanding Yes
Hybrid (eg. based on IP adress + hash) low high medium High medium demanding Yes

IP blocking

edit

The access to a certain IP address is denied. If the target Web site is hosted in a shared hosting server, all Web sites on the same server will be blocked. This affects all IP protocols (mostly TCP) such as HTTP, FTP or POP. A typical circumvention method is to find proxies that have access to the target Web sites, but proxies may be jammed or blocked. Some large Web sites allocated additional IP addresses (for instance, an IPv6 address) to circumvent the block, but later the block may be extended to cover the new addresses.

DNS spoofing/DNS cache poisoning

edit

The DNS doesn't resolve domain names or returns incorrect IP addresses.This affects all IP protocols such as HTTP, FTP or POP. A typical circumvention method is to find a domain name server that resolves domain names correctly, but domain name servers are subject to blockage as well, especially IP blocking. Another workaround is to bypass DNS if the IP address is obtainable from other sources and is not blocked. Examples are modifying the Hosts file or typing the IP address instead of the domain name in a Web browser.

  1. Easiest way it change DNS provider, best with DNSSEC. However, it should be remembered that simply using secure DNS servers, without the use of cryptography at the application level, still allows you to perform an attack of poisoning
  2. Use random ports

URL filtering

edit

Scan the requested URL string for target keywords regardless of the domain name specified in the URL. This affects the Hypertext Transfer Protocol. Typical circumvention methods are to use escaped characters in the URL, or to use encrypted protocols such as VPN and SSL

MiTM

edit

GFW can use a root certificate from CNNIC, which is found in most operating systems and browsers, to make a MITM attack. On 26 Jan 2013, the GitHub SSL certificate was replaced with a self-signed certificate in China by, generally believed, the GFW.

TCP reset attack

edit

If a previous TCP connection is blocked by the filter, future connection attempts from both sides will also be blocked for up to 30 minutes. Depending on the location of the block, other users or Web sites may be also blocked if the communications are routed to the location of the block. A circumvention method is to ignore the reset packet sent by the firewall

Network disconnection

edit

A technically simpler method of Internet censorship is to completely cut off all routers, either by software or by hardware (turning off machines, pulling out cables). This appears to have been the case on 27/28 January 2011 during the 2011 Egyptian protests, in what has been widely described as an "unprecedented" internet block. About 3500 Border Gateway Protocol (BGP) routes to Egyptian networks were shut down from about 22:10 to 22:35 UTC 27 January This full block was implemented without cutting off major intercontinental fibre-optic links, with Renesys stating on 27 January, "Critical European-Asian fiber-optic routes through Egypt appear to be unaffected for now. Full blocks also occurred in Myanmar/Burma in 2007, Libya in 2011 and Syria during the Syrian civil war. A circumvention method could be to use a satellite ISP to access Internet

VPN blocking

edit

Beginning in 2011, users reported disruptions of VPN services In late 2012, the Great Firewall was able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the country was terminating connections where a VPN is detected, according to one company with a number of users in China.

Network enumerating

edit

It has been reported that unknown entities within China, likely with DPI capabilities, have initiated unsolicited TCP/IP connections to computers within the United States for the purported purpose of network enumeration of services, in particular TLS/SSL and Tor services, with the aim of facilitating IP blocking. A circumvention method is hard and knowledge about networks and operating systems is required. The probably easiest way to use fail2ban in the beginning.

Keywords

edit

This method uses deep packet inspection to read the contents of data being transmitted, and compares it with a list of keywords, or with image samples or video (depending on the content type).

It has a very serious potential for over-blocking (consider blocking all references to "Essex" based on the keyword "sex"; consider blocking Wikipedia articles or biology texts related to human reproduction), and of under-blocking (website operators can simply avoid using known keywords, or use strange spelling, for instance: "s3x").

Combating under-blocking with extending keyword lists only exacerbates the over-blocking problem. Combating over-blocking with complicated keyword rule-sets (i.e. "sex, but only if there are white-space characters around it") only makes it easier to circumvent it for website operators (i.e. "sexuality" instead of "sexual").

List handling costs are low, but this method requires huge computing and bandwidth resources, as each and every data-stream on the network needs to be inspected, scanned and compared to keywords and samples. It is especially costly for images, videos and other non-text media.

This method is often combined with silent post - It consists of that post which stay on eg. social service is visible just for you, not for other.

Dynamics

edit

This method uses deep packet inspection to read the contents of data being transmitted, and compares it with a list of keywords, or with image samples or video (depending on the content type).

It has a very serious potential for over-blocking (consider blocking all references to "Essex" based on the keyword "sex"; consider blocking Wikipedia articles or biology texts related to human reproduction), and of under-blocking (website operators can simply avoid using known keywords, or use strange spelling, for instance: "s3x").

Combating under-blocking with extending keyword lists only exacerbates the over-blocking problem. Combating over-blocking with complicated keyword rule-sets (i.e. "sex, but only if there are white-space characters around it") only makes it easier to circumvent it for website operators (i.e. "sexuality" instead of "sexual").

List handling costs are low, but this method requires huge computing and bandwidth resources, as each and every data-stream on the network needs to be inspected, scanned and compared to keywords and samples. It is especially costly for images, videos and other non-text media.

Users still can circumvent the block in several ways.

Hash

edit

Hash-based blocking uses deep packet inspection to inspect the contents of data-streams, hashes them with cryptographic hash functions and compares to a known database of hashes to be blocked. It has a low potential for over-blocking (depending on the quality of hash functions used), but a very high potential for under-blocking, as a single small change to the content entails a change of the hash, and hence content not being blocked.

Resource needs here are very high, as not only all the data-streams need to be inspected in real-time, they also need to be hashed (hash functions are computationally costly) and the hashes compared against a database. Costs of handling the hash-lists are also considerable.

Hybrid

edit

In order to compromise between high-resource, low-over-blocking hash-based blocking and low-resource, high-over-blocking IP- or DNS-based solutions, a hybrid solution might be proposed. Usually it means that there is a list of IP addresses or domain names for which the hash-based blocking is enabled, hence only operating for a small part of content. This method does employ deep packet inspection.

Required resources and list handling costs are still considerable, and under-blocking probability is high, while circumvention by users is not any harder than for hash-based block.

As Internet censorship requires deep packet inspection, once such a system is deployed, there are no technical issues stopping those in control to modify the communications in transit. That opens the door to even broader set of possibilities for a willing politician, including false flag operations, sowing dissent among the ranks of opposition, and similar actions.

  1. Easy way to bypass is use SSH tunnel
  2. The encapsulation of SSL control protocols by the record protocol means that if an active session is renegotiated the control protocols will be transmitted securely. If there was no previous session, the Null cipher suite is used, which means there will be no encryption and messages will have no integrity digests, until the session has been established.