Abstract:
A nation-scale firewall, colloquially referred to as the “Great Firewall of China,” implements many different types of censorship and content filtering to control China’s Internet traffic. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been characterized because it is infeasible to find a large and geographically diverse set of clients in China from which to test connectivity.
In this paper, we overcome this challenge by using a hybrid idle scan technique that is able to measure connectivity between a remote client and an arbitrary server, neither of which is under the control of the researcher performing measurements. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel’s SYN backlog. We show that both techniques are practical by measuring the reachability of the Tor network, which is known to be blocked in China. Our measurements reveal that failures in the firewall occur throughout the entire country without any conspicuous geographical patterns. We give some evidence that routing plays a role, but other factors (such as how the GFW maintains its list of IP/port pairs to block) may also be important.
Key words: Great Firewall of China, Tor, censorship analysis, idle scan, network measurement, global IP identifier, and anonymity
Industry Focus:
Information & Telecommunication
Internet & Cyberspace