
In a previous post, we briefly reviewed the history of the Golden Shield Project, a large part of which is the Great Firewall of China. What is its main goal? Put simply, control of all traffic, both within the country and across its borders. That may sound ambitious, but this difficult task is carried out in a very simple and effective way.
Mirror technology
The first thing the authorities use to control the activity of their Internet users is mirroring, i.e. the technique normally used for simple copying or backup. Most Internet connections between China and the rest of the world run over a very small number of fiber-optic cables, which enter the country through three main points: Beijing-Qingdao-Tianjin (northern regions), Shanghai on the central coast, and Guangzhou in the south of the country. At each of these gateways there are devices called tappers or network sniffers, which copy every single packet of data coming into or leaving the country. The reflection taking place in these gateways is quite literal: the collected information travels through the optical fiber cables as small light pulses. These pulses pass through the Chinese gateway routers and, at the same time, numerous small mirrors reflect them so that a copy of the information reaches the surveillance (“Golden Shield”) computers that “decide” whether it should be blocked. So how did the Chinese side develop this “mirror” technology? Simple: China bought it from one very famous company.
DNS blocking
In addition to the “mirror” technology, other methods adopted by the Chinese authorities to prevent access to potentially dangerous information are also worth exploring.
The first problem that a regular user may encounter is DNS blocking. There is a list of sites whose content is completely closed to viewing by an ordinary Internet user. If you try to access any of these sites, you simply get a “Site not found” message. Keep in mind that most sites are actively checked for potentially forbidden keywords, and the lists of these words are constantly updated. One way to find out whether your site will be blocked in China is to use our test, the China Firewall Test.
If DNS works correctly and the request is delivered to the correct IP address, mirroring starts. As soon as you send a request to that IP address, the traffic is copied and the IP address is checked against the lists of prohibited IP addresses. If the address matches an entry in the list, the gateway sends a “Reset” to both computers (yours and the one you want to reach). Roughly speaking, this is a forced disconnection that makes it impossible for you to load the requested site. Instead, you get “The connection has been reset” and, if you are very persistent, you can try to load the site again ... with the same result.
URL keyword block
If you manage to get through the first block, there is one more check to pass before you reach your chosen resource: the URL keyword block. If the IP of the site you are trying to reach is not on the blacklist, its domain name is checked for potentially dangerous keywords. If the requested URL contains prohibited terms, the connection is reset. The forbidden list contains words in English, Chinese and other languages, and is updated frequently.
Other methods
Another popular method for preventing users from accessing prohibited content is the so-called black-hole loop. Here the request falls into a trap made of a series of delayed commands. When the browser detects that it has entered this kind of loop, it simply shows you an error message stating that the request is being redirected to a path that cannot be completed.
Finally, the last stage involves checking the actual content, which is done, again, with the help of mirroring. As you browse the page, the surveillance system scans its content, searching for words, phrases and terms that it does not like. If the system finds them, it breaks the connection and you can no longer make any further requests to that server: the Great Firewall blocks the connection between your computer and the site's server. At first this lasts only 2-3 minutes. But if you try to access the site during that time, the next time-out will be five minutes. On the third attempt the time-out may already reach 30 minutes or more. In short, with every further attempt the time-out grows.
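To make the chain of checks described in the sections above concrete, here is an added Python model (example code written for this post, not part of the original article or of any real system): it runs a request through the DNS, IP-blacklist, URL-keyword and content-keyword stages and applies the escalating time-out. All list entries, the class name GreatFirewallModel and the doubling of the block after the third strike are constructed assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lists (hypothetical): the real lists are secret and change constantly.
DNS_BLOCKLIST = {"blocked.example"}        # names that simply never resolve
IP_BLOCKLIST = {"203.0.113.7"}             # addresses that get a "Reset" sent to both ends
URL_KEYWORDS = {"forbidden", "敏感"}        # looked for in the requested URL
CONTENT_KEYWORDS = {"prohibited phrase"}   # looked for in the mirrored page body

# Assumed schedule for the content stage, in seconds: 3, 5 and 30 minutes as in the
# post, then doubling for every further retry made while a block is still active.
ESCALATION = [180, 300, 1800]


@dataclass
class GreatFirewallModel:
    # (client, server ip) -> (strikes so far, time at which the current block expires)
    blocks: dict = field(default_factory=dict)

    def _block(self, client: str, ip: str, now: float) -> str:
        strikes, expires = self.blocks.get((client, ip), (0, 0.0))
        strikes = strikes + 1 if now < expires else 1   # expired block: start over (assumption)
        if strikes <= len(ESCALATION):
            duration = ESCALATION[strikes - 1]
        else:
            duration = ESCALATION[-1] * 2 ** (strikes - len(ESCALATION))
        self.blocks[(client, ip)] = (strikes, now + duration)
        return f"RESET (blocked {duration // 60} min)"

    def check(self, client: str, host: str, ip: str, url: str, body: str = "",
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # A retry during an active block is itself a strike and lengthens the block.
        if now < self.blocks.get((client, ip), (0, 0.0))[1]:
            return self._block(client, ip, now)
        if host in DNS_BLOCKLIST:            # stage 1: DNS blocking, no IP is returned
            return "SITE NOT FOUND"
        if ip in IP_BLOCKLIST:               # stage 2: IP blacklist, reset to both ends
            return "RESET"
        if any(k in url.lower() for k in URL_KEYWORDS):       # stage 3: URL keywords
            return "RESET"
        if any(k in body.lower() for k in CONTENT_KEYWORDS):  # stage 4: mirrored content
            return self._block(client, ip, now)
        return "ALLOWED"
```

The `now` parameter exists so the escalation can be stepped through deterministically; in the model only the content stage has memory, the earlier stages are stateless.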
Conclusion
Recently, new blocking technologies have begun to appear in China. Many administrators of web services with encrypted connections report a strange increase in activity from China: when a Chinese user tries to contact the server, a pseudo-random data string can in some cases be the reason the connection between client and server is broken. One assumption is that China's ISPs are using this to test new systems that try to identify circumvention tools ...
Despite all these obstacles, there are still several ways to get around the Great Firewall and we will discuss them in our next post in this series.
Part One: here