Great chinese golden shield. Part 2

In a previous post, we briefly reviewed the history of the Golden Shield Project. A significant part of it is the Great Firewall of China. What is the main goal? Literally, the control of all traffic, both in the country and abroad. No matter how it sounds, but this difficult task is performed in a very simple and effective way.

Mirror technology

The first thing that authorities use to control the activities of their Internet users is mirroring - i.e. what is usually used for simple copying or backup. Most Internet connections between China and the rest of the world are carried out by a very small number of fiber-optic cables that enter the country through three main points - Beijing-Qingdao-Tianjin (northern regions); Shanghai on the central coast and Guangzhou in the south of the country. Each of these gateways has devices called tapper or network sniffer.that reflect each single packet of data, incoming, or outgoing from the country. However, the reflection processes occurring in these gateways have very literal sides. The information gathered travels through fiber optic cables like small light pulses. These pulses pass through the Chinese gateway routers and at the same time, numerous small mirrors reflect them and make sure that the information reaches the surveillance (“Golden Shield”) of computers that “decide” whether this information should be blocked. But how did the Chinese side develop this “mirror” technology? It's simple - China bought it from one very famous company.

DNS blocking

In addition to the “mirror” technology, other methods that have been adopted by the Chinese authorities to block access to potentially dangerous information are also worth exploring.

The first problem that a regular user may encounter is DNS blocking. There is a list of sites whose contents are completely closed for viewing by a random Internet user. If you try to access any of these sites, you simply receive a “Site not found” message. Keep in mind that most sites are actively checked for potentially prohibited keywords, and lists of these words are constantly updated. One way to find out if your site will be blocked in China is to use our test - China Firewall Test .

If DNS is working correctly and deliveries are made to the correct IP address, mirroring starts. As long as you send an information request to the correct IP address, the information is reflected and the IP address is checked in the list of prohibited IP addresses. If the address matches the entry in this list, the gateway sends a “Reset” to both computers (to yours and to the one you want to reach). Roughly speaking, this is a forced disconnection, which makes it impossible for you to download the requested site. Instead, you will get “The connection has been reset” and, if you are very persistent, you can try to load the site again ... but with the same result.

Keyword block URL

If you manage to pass the first two blocking, there is one more check that needs to be passed in order to get to the resource you have chosen. This is the keyword block URL . If the IP of the site you are trying to access is not in the black list, then its domain name is checked for potentially dangerous keywords. If the requested URL contains forbidden terms, the connection will be reset. The forbidden list contains words in English, Chinese and other languages, and is frequently updated.

Other methods

Another popular method to prevent users from accessing prohibited content is the so-called black-hole loop . This means that the request falls into the trap from a series of delayed commands. When the browser detects an entry in this type of loop, it simply sends you an error message, stating that the request has been redirected to a path that cannot be completed.

Well, the last step involves checking the actual content, which is done, again, using mirroring. While you are browsing the page, the surveillance system scans the content, looking for words, phrases and terms that it does not like. If the system finds them, it disconnects and you can no longer make any further requests to this server. Then, Great Firewall blocks the connection between your computer and the site server. At first it is only for 2-3 minutes. But, if you try to access the site during this time, the next will be a five-minute time-out. On the third attempt, the time-out may already reach 30 minutes or more. In short, with every attempt that follows, the timeout will increase.

Conclusion

Recently, new technologies aimed at blocking access are beginning to appear in China. Many web-based service administrators with encrypted connections report a strange increase in activity from China. If a Chinese user tries to contact the server, the pseudo-random data line in some cases can cause a disconnection between the client and the server. One of the assumptions is that China's ISPs can thus test a new system that is trying to identify censorship circumvention tools ...

Despite all these obstacles, there are still several ways around the Great Firewall and we will discuss them in our next post in this series.

Part one: here