• On The Insider: Sexiest Magazine Covers of All Time
advertisementAT&T Tech Support 360

July 3, 2006 9:06 AM PDT

Academics break the Great Firewall of China

By Tom Espiner
Special to CNET News.com

Related Stories

Keeping an eye on MySpace

 June 29, 2006

Youth centers grapple with MySpace

 June 23, 2006

School filters vs. home proxies

 May 3, 2006

Google in China: The big disconnect

 April 21, 2006

China's Hu meets Gates as U.S. trip begins

 April 18, 2006
Computer experts from the University of Cambridge claim not only to have breached the Great Firewall of China, but have found a way to use the firewall to launch denial-of-service attacks against specific Internet Protocol addresses in the country.

The firewall, which uses routers supplied by Cisco Systems, works in part by inspecting Web traffic for certain keywords that the Chinese government wishes to censor, including political ideologies and groups it finds unacceptable.

The Cambridge research group tested the firewall by firing data packets containing the word "Falun" at it, a reference to the Falun Gong religious group, which is banned in China.

The researchers found that it was possible to circumvent the Chinese intrusion detection systems by ignoring the forged transmission control protocol resets injected by the Chinese routers, which would normally force the endpoints to abandon the connection.

"The machines in China allow data packets in and out, but send a burst of resets to shut connections if they spot particular keywords," explained Richard Clayton of the University of Cambridge computer laboratory. "If you drop all the reset packets at both ends of the connection, which is relatively trivial to do, the Web page is transferred just fine."

Clayton added that this means the Chinese firewall can be used to launch denial-of-service attacks against specific IP addresses within China, including those of the Chinese government itself.

The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a "sensitive" keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time.

If an attacker had identified the machines used by regional government offices, they could block access to Windows Update, or prevent Chinese embassies abroad from accessing specific Chinese Web content.

"Due to the design of the firewall, a single packet addressed from a high party official could block their Web access," said Clayton.

Even though this technique would block communication between only two particular points on the Internet, the researchers calculated that a lone attacker using a single dial-up connection could still generate a "reasonably effective" denial-of-service attack. If an attacker generated 100 triggering packets per second, and each packet caused 20 minutes of disruption, 120,000 pairs of endpoints could be prevented from communicating at any one time.

Clayton, speaking at the Sixth Workshop on Privacy Enhancing Technologies in Cambridge last week, said that the researchers had reported their findings to the Chinese Computer Emergency Response Team.

Tom Espiner of ZDNet UK reported from London.

See more CNET content tagged:
packet, firewall, denial of service, computer expert, China

Add a Comment (Log in or register) 32 comments (Showing first 20 comments)
Let's help them improve their censorship!
by E B July 3, 2006 9:50 AM PDT
Great -- so now the Chinese government can work on improving their firewall, to make it harder for their citizens to access information. That's a big step forward! Congratulations, Cambridge, on aiding censorship and totalitarianism!
Reply to this comment View all 2 replies
Let's help them improve their censorship!
by E B July 3, 2006 9:50 AM PDT
Great -- so now the Chinese government can work on improving their firewall, to make it harder for their citizens to access information. That's a big step forward! Congratulations, Cambridge, on aiding censorship and totalitarianism!
Reply to this comment View all 2 replies
Can someone please write a script for this DOS?
by kamwmail-cnet1 July 3, 2006 10:18 AM PDT
It would be fun to have 4 of my machines constantly DOSing those thieving commies.

Ooops. Redundancy here. Thieves and Commies are two faces of the same coin. With thieves being the more honorable face.
Reply to this comment View reply
Can someone please write a script for this DOS?
by kamwmail-cnet1 July 3, 2006 10:18 AM PDT
It would be fun to have 4 of my machines constantly DOSing those thieving commies.

Ooops. Redundancy here. Thieves and Commies are two faces of the same coin. With thieves being the more honorable face.
Reply to this comment View reply
(almost) a script kiddie, lawl
by osbjmg July 3, 2006 2:49 PM PDT
4 whole machines of yours working on a DOS attack, good idea, they might just make a difference, champ.

By the way, if anyone sent you a script, there is a very good chance they just sent you a virus instead for being a wannabe script kiddie.
Reply to this comment
(almost) a script kiddie, lawl
by osbjmg July 3, 2006 2:49 PM PDT
4 whole machines of yours working on a DOS attack, good idea, they might just make a difference, champ.

By the way, if anyone sent you a script, there is a very good chance they just sent you a virus instead for being a wannabe script kiddie.
Reply to this comment
Never claimed to be a programmer. Duh.
by kamwmail-cnet1 July 3, 2006 2:54 PM PDT
Sigh. Another stuck up programmer wanna-be. Scripts are the easiest thing to use. And you can always monitor what the scripts does. And as to four machines... well if they're on four seperate fiber optic lines and they run 6 hours at night while no one is using it. And China is 12 hours differential, yeah, I would say it would make a diff.

Now stay in your bedroom and continue to be master of the universe / know it all.
Reply to this comment View all 3 replies
Never claimed to be a programmer. Duh.
by kamwmail-cnet1 July 3, 2006 2:54 PM PDT
Sigh. Another stuck up programmer wanna-be. Scripts are the easiest thing to use. And you can always monitor what the scripts does. And as to four machines... well if they're on four seperate fiber optic lines and they run 6 hours at night while no one is using it. And China is 12 hours differential, yeah, I would say it would make a diff.

Now stay in your bedroom and continue to be master of the universe / know it all.
Reply to this comment View all 3 replies
Yeah, great going guys!
by robbtuck July 3, 2006 4:51 PM PDT
Way to go to help overcome an oppressive and restrictive regime - show them their faults and help them fix them to keep their people under control.
Reply to this comment
Yeah, great going guys!
by robbtuck July 3, 2006 4:51 PM PDT
Way to go to help overcome an oppressive and restrictive regime - show them their faults and help them fix them to keep their people under control.
Reply to this comment
As if you are the first to discover it, dumb ass...
by deeptii July 3, 2006 7:05 PM PDT
There are a few known methods to break through the firewall a long time ago, and yet to use it to DoS attack is only a theory!

Did you try to use it? If you have not proved that your DoS theory works, don't claim to the world like that.

To name one of the methods that I know and use to break through the firewall of China: use SSL Proxy tunnel.

This is no freaking news... heh!
Reply to this comment
As if you are the first to discover it, dumb ass...
by deeptii July 3, 2006 7:05 PM PDT
There are a few known methods to break through the firewall a long time ago, and yet to use it to DoS attack is only a theory!

Did you try to use it? If you have not proved that your DoS theory works, don't claim to the world like that.

To name one of the methods that I know and use to break through the firewall of China: use SSL Proxy tunnel.

This is no freaking news... heh!
Reply to this comment
This is news? You gotta be kidding...
by deeptii July 3, 2006 7:08 PM PDT
There are a few known methods to break through the firewall a long time ago, and yet to use it to DoS attack is only a theory!

Did you try to use it? If you have not proved that your DoS theory works, don't claim it to the world like that.

To name one of the methods that I know and use to break through the firewall of China: use SSL Proxy tunnel.

This is no freaking news... heh!
Reply to this comment
This is news? You gotta be kidding...
by deeptii July 3, 2006 7:08 PM PDT
There are a few known methods to break through the firewall a long time ago, and yet to use it to DoS attack is only a theory!

Did you try to use it? If you have not proved that your DoS theory works, don't claim it to the world like that.

To name one of the methods that I know and use to break through the firewall of China: use SSL Proxy tunnel.

This is no freaking news... heh!
Reply to this comment
This is news? You gotta be kidding...
by deeptii July 3, 2006 7:12 PM PDT
There are a few known methods to break through the firewall a long time ago, and yet to use it to DoS attack is only a theory!

Did you try to use it? If you have not proved that your DoS theory works, don't claim to the world like that.

To name one of the methods that I know and use to break through the firewall of China: use SSL Proxy tunnel.

This is no freaking news... heh!
Reply to this comment
This is news? You gotta be kidding...
by deeptii July 3, 2006 7:12 PM PDT
There are a few known methods to break through the firewall a long time ago, and yet to use it to DoS attack is only a theory!

Did you try to use it? If you have not proved that your DoS theory works, don't claim to the world like that.

To name one of the methods that I know and use to break through the firewall of China: use SSL Proxy tunnel.

This is no freaking news... heh!
Reply to this comment
ah so much fun
by sirfragalot July 4, 2006 7:14 AM PDT
man how awsome would that be to take down chinas internet infastructure im sure a 1337 h4x0r and his buddys with drone computers could really do alot of damage but thats what you get for not being smart china
Reply to this comment
ah so much fun
by sirfragalot July 4, 2006 7:14 AM PDT
man how awsome would that be to take down chinas internet infastructure im sure a 1337 h4x0r and his buddys with drone computers could really do alot of damage but thats what you get for not being smart china
Reply to this comment
 See all 32 Comments >>
Powered by Jive Software
advertisement

Latest tech news headlines

Resource center from News.com sponsors
You Need The Speed of Norton 2009
Introducing Norton Internet Security™2009

Click Here!
With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

Click Here!
The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Best hybrid cars
Cell phones
Dell
GPS
CNET sites
CNET TV
Downloads
News
Reviews
Shopper.com
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET