Security IT/Methods
Current methods
[edit | edit source]The system blocks content by preventing IP addresses from being routed through. It consists of standard firewalls and proxy servers at the Internet gateways. The system also selectively engages in DNS poisoning when particular sites are requested. The government does not appear to be systematically examining Internet content, as this seems to be technically impractical.
Effectiveness of Internet censorship measures is never complete, as there are multiple ways of circumventing them (depending on the given measure).
Over-blocking occurs when a legal content that should not be blocked is accidentally blocked by a given censorship measure. Depending on the particular scheme chosen this might be a problem pronounced more or less, but it is always present and inevitable. It does not relate to situations where the block list intentionally contains certain content that should not officially be blocked.
Similarly, under-blocking is content that officially should be blocked, but accidentally isn't. It is not content accessible by circumvention, but simply content that is accessible without using any special techniques that "slipped through the fingers" of the particular censorship scheme.
Both the resources required (equipment, processing power, bandwidth) and the cost of handling the list of blocked content also vary between censorship schemes and depend on method used.
Whether or not a method employs deep packet inspection (DPI) is indicative of both how intrusive and how resource-intensive it is
Method | risk of over-blocking | risk under-blocking | resources required | A service charge list | Bypass | DPI |
---|---|---|---|---|---|---|
IP blocking | High | Medium | Low | Medium | Very easy | No |
DNS spoofing/DNS cache poisoning | High | Medium | Low | Medium | Very easy | No |
URL filtering | Low | High | Medium | High | medium demanding | Yes |
QoS filtering | Medium | Medium | High | High | hard | Yes |
Man-in-the-middle attack | High | High | Medium | Very high | required encrypted connection | Yes |
TCP connection reset | High | Medium | Medium | Medium | required encrypted connection | Yes |
Network disconnection | Very high | Very high | Medium | None | Satelite connection required. See also alternative for internet: packet radio and meshnet | No |
VPN blocking | high | medium | Low | medium | most servers is available to pay only | Yes |
Network enumeration | low | low | Very high | high | hard | Yes |
Keywords | high | high | Very high | Low | medium demanding | Yes |
Hash | low | high | Very high | High | medium demanding | Yes |
Dynamics (eg. image recognition) | high | high | Very high | low | medium demanding | Yes |
Hybrid (eg. based on IP adress + hash) | low | high | medium | High | medium demanding | Yes |
IP blocking
[edit | edit source]The access to a certain IP address is denied. If the target Web site is hosted in a shared hosting server, all Web sites on the same server will be blocked. This affects all IP protocols (mostly TCP) such as HTTP, FTP or POP. A typical circumvention method is to find proxies that have access to the target Web sites, but proxies may be jammed or blocked. Some large Web sites allocated additional IP addresses (for instance, an IPv6 address) to circumvent the block, but later the block may be extended to cover the new addresses.
DNS spoofing/DNS cache poisoning
[edit | edit source]The DNS doesn't resolve domain names or returns incorrect IP addresses.This affects all IP protocols such as HTTP, FTP or POP. A typical circumvention method is to find a domain name server that resolves domain names correctly, but domain name servers are subject to blockage as well, especially IP blocking. Another workaround is to bypass DNS if the IP address is obtainable from other sources and is not blocked. Examples are modifying the Hosts file or typing the IP address instead of the domain name in a Web browser.
- Easiest way it change DNS provider, best with DNSSEC. However, it should be remembered that simply using secure DNS servers, without the use of cryptography at the application level, still allows you to perform an attack of poisoning
- Use random ports
URL filtering
[edit | edit source]Scan the requested URL string for target keywords regardless of the domain name specified in the URL. This affects the Hypertext Transfer Protocol. Typical circumvention methods are to use escaped characters in the URL, or to use encrypted protocols such as VPN and SSL
MiTM
[edit | edit source]GFW can use a root certificate from CNNIC, which is found in most operating systems and browsers, to make a MITM attack. On 26 Jan 2013, the GitHub SSL certificate was replaced with a self-signed certificate in China by, generally believed, the GFW.
TCP reset attack
[edit | edit source]If a previous TCP connection is blocked by the filter, future connection attempts from both sides will also be blocked for up to 30 minutes. Depending on the location of the block, other users or Web sites may be also blocked if the communications are routed to the location of the block. A circumvention method is to ignore the reset packet sent by the firewall
Network disconnection
[edit | edit source]A technically simpler method of Internet censorship is to completely cut off all routers, either by software or by hardware (turning off machines, pulling out cables). This appears to have been the case on 27/28 January 2011 during the 2011 Egyptian protests, in what has been widely described as an "unprecedented" internet block. About 3500 Border Gateway Protocol (BGP) routes to Egyptian networks were shut down from about 22:10 to 22:35 UTC 27 January This full block was implemented without cutting off major intercontinental fibre-optic links, with Renesys stating on 27 January, "Critical European-Asian fiber-optic routes through Egypt appear to be unaffected for now. Full blocks also occurred in Myanmar/Burma in 2007, Libya in 2011 and Syria during the Syrian civil war. A circumvention method could be to use a satellite ISP to access Internet
VPN blocking
[edit | edit source]Beginning in 2011, users reported disruptions of VPN services In late 2012, the Great Firewall was able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the country was terminating connections where a VPN is detected, according to one company with a number of users in China.
Network enumerating
[edit | edit source]It has been reported that unknown entities within China, likely with DPI capabilities, have initiated unsolicited TCP/IP connections to computers within the United States for the purported purpose of network enumeration of services, in particular TLS/SSL and Tor services, with the aim of facilitating IP blocking. A circumvention method is hard and knowledge about networks and operating systems is required. The probably easiest way to use fail2ban in the beginning.
Keywords
[edit | edit source]This method uses deep packet inspection to read the contents of data being transmitted, and compares it with a list of keywords, or with image samples or video (depending on the content type).
It has a very serious potential for over-blocking (consider blocking all references to "Essex" based on the keyword "sex"; consider blocking Wikipedia articles or biology texts related to human reproduction), and of under-blocking (website operators can simply avoid using known keywords, or use strange spelling, for instance: "s3x").
Combating under-blocking with extending keyword lists only exacerbates the over-blocking problem. Combating over-blocking with complicated keyword rule-sets (i.e. "sex, but only if there are white-space characters around it") only makes it easier to circumvent it for website operators (i.e. "sexuality" instead of "sexual").
List handling costs are low, but this method requires huge computing and bandwidth resources, as each and every data-stream on the network needs to be inspected, scanned and compared to keywords and samples. It is especially costly for images, videos and other non-text media.
This method is often combined with silent post - It consists of that post which stay on eg. social service is visible just for you, not for other.
Dynamics
[edit | edit source]This method uses deep packet inspection to read the contents of data being transmitted, and compares it with a list of keywords, or with image samples or video (depending on the content type).
It has a very serious potential for over-blocking (consider blocking all references to "Essex" based on the keyword "sex"; consider blocking Wikipedia articles or biology texts related to human reproduction), and of under-blocking (website operators can simply avoid using known keywords, or use strange spelling, for instance: "s3x").
Combating under-blocking with extending keyword lists only exacerbates the over-blocking problem. Combating over-blocking with complicated keyword rule-sets (i.e. "sex, but only if there are white-space characters around it") only makes it easier to circumvent it for website operators (i.e. "sexuality" instead of "sexual").
List handling costs are low, but this method requires huge computing and bandwidth resources, as each and every data-stream on the network needs to be inspected, scanned and compared to keywords and samples. It is especially costly for images, videos and other non-text media.
Users still can circumvent the block in several ways.
Hash
[edit | edit source]Hash-based blocking uses deep packet inspection to inspect the contents of data-streams, hashes them with cryptographic hash functions and compares to a known database of hashes to be blocked. It has a low potential for over-blocking (depending on the quality of hash functions used), but a very high potential for under-blocking, as a single small change to the content entails a change of the hash, and hence content not being blocked.
Resource needs here are very high, as not only all the data-streams need to be inspected in real-time, they also need to be hashed (hash functions are computationally costly) and the hashes compared against a database. Costs of handling the hash-lists are also considerable.
Hybrid
[edit | edit source]In order to compromise between high-resource, low-over-blocking hash-based blocking and low-resource, high-over-blocking IP- or DNS-based solutions, a hybrid solution might be proposed. Usually it means that there is a list of IP addresses or domain names for which the hash-based blocking is enabled, hence only operating for a small part of content. This method does employ deep packet inspection.
Required resources and list handling costs are still considerable, and under-blocking probability is high, while circumvention by users is not any harder than for hash-based block.
DPI
[edit | edit source]As Internet censorship requires deep packet inspection, once such a system is deployed, there are no technical issues stopping those in control to modify the communications in transit. That opens the door to even broader set of possibilities for a willing politician, including false flag operations, sowing dissent among the ranks of opposition, and similar actions.
- Easy way to bypass is use SSH tunnel
- The encapsulation of SSL control protocols by the record protocol means that if an active session is renegotiated the control protocols will be transmitted securely. If there was no previous session, the Null cipher suite is used, which means there will be no encryption and messages will have no integrity digests, until the session has been established.