GFW or the Great Firewall of the Chinese Mainland is the subject of this article, basics you need to understand, how it works works- all you need to know about it. After reading this you should be able have a discussion about it or continue a deeper research on how to avoid colliding with it head on.
In this article, I would like to explain how Chinese Mainland is controlling their Internet.
As I would call it, Chinese Mainland is running a “Mainland Intranet” which is protected by The Great Firewall of China (GFW).
At Sesame Disk / Nihao Cloud we have had a long history of dealing with this “Beast” called the GFW. Give us a try.
Mini Office Firewall
We can compare this with your office or home where your router protects your computers. The router has local “Parental” like settings that gives access to the Internet but it also controls or blocks websites with possible harmful content for your kids. That’s how some companies block Facebook during office hours as well.
Bigger Router- Bigger Wall
The GFW works similar but on a much larger scale. Instead of just dealing with your small office, the GFW is filtering all the traffic going in and out of Chinese Mainland.
I will explain how Internet Traffic works in a short and simple way and no you don’t need to be a geek to understand it.
Understanding Internet Traffic Rules
So how does an actual E-Mail gets sent or received over the Internet? How can we browse websites or stream movies?
For the data to travel fast back and forth it has to follow Internet traffic rules. Using these rules all the data gets delivered in little IP packets. So lets imagine we want to look at a funny cat video on Youtube. We click to load the video, Youtube server dissembles that video into thousands of little packets and sends it to your laptop/PC/phone. Then these packets get reassembled back into a video again. This happens very fast.
All you need to know from this, that all Internet Traffic travels in little packets.
So how did Youtube know where to send those little packets? On the Internet every destination: computer, website or cellphone has to have an IP Address to send and receive data on the Internet. Google for “my IP” and you can see your own IP address. IP addresses are a bunch of numbers because computers can then convert them into 1’s and 0’s but we need domain names so we can memorise it.
Otherwise, instead of sesamedisk.com, you would see 22.214.171.124. Not the most memorable web address right?
Whats is DNS?
For the “Internet” to understand those Domains names, we have Domain Name Service (DNS). DNS servers translate domain names back into an IP address that.
(sesamedisk.com → 126.96.36.199). There are thousands of those DNS Servers that translate Domain Names into IP Addresses.
OK, enough of dry and boring theory and back to how does the Great Firewall of China and how it works.
The first and most efficient way to block websites is by DNS spoofing or “DNS Cache Poisoning”.
So let’s go back to our cat video. When we type youtube.com on the browser, DNS Server receives a request to check what youtube.com means and send you to the right IP address. This process happens to any Internet communication like web browsing etc.
Any DNS requests for websites outside of Chinese Mainland will be taken to a Deep Package Inspection (DPI) by the GFW. This means, that each little IP Package will be opened and checked for the content like a customs control.
If any pattern found in that Package matches unwanted content a bogus IP Address will be returned and the Website will not open …
That’s why if you are in China and try to reach Youtube.com you will receive this website:
What they do in many cases is that they take your request for let say nihaocloud.com and resend it to another IP that is also in their list of DNS poisining.
VPN & Encrypted Traffic
Even though GFW knows that this traffic is encrypted but it can only can guess what is inside. Here lies the biggest opportunity to get the traffic across the GFW. Now GFW is UNCERTAIN, whether this is a simple Youtube access which can be blocked, or this is the most important connection for the financial transactions where by cutting this connection could cause huge damage to the economy.
In other words you need an encryption that is good enough not to be penetrated by current algorithms, as the GFW has deep inspection algorithms. Uses AI to “guess” what is inside packages, etc.
UNCERTAINTY- that’s the biggest headache for the GFW.
The keyword here is “Collateral Damage” which could be caused by blocking encrypted packets. This Collateral Damage has to be kept to a minimum.
- understand collateral damage as the term invented by the Americans to describe questionable things that happened under their watch in the Middle East.
So what is the GFW is doing with this?
As we can imagine the staff behind the GFW are not stupid and came up with an “Active Probing” mechanism. The GFW is now looking for the encrypted traffic and guessing the encryption / VPN Protocols.
Then a Probing Servers at GFW takes encrypted packets and forwards the Package to the receiver then waits for the reply. From those replies, the GFW can decide what to do with that Package, drop it or let it go through.
So to sum it up the GFW is working in 2 ways:
One more interesting thing to know is that different networks in Chinese Mainland are running through different filtering. While public Networks like China Unicom or Telecom have strongest filters, Networks for Universities (eg the CERNet – China Education and Research Network) is filtered less harshly.
We should keep in mind that the GFW is a very dynamic Beast. It is always trying to find the optimal balance between Collateral Damage and efficiently blocking the Internet. So some Services can be blocked today, but not tomorrow and again blocked the day after.
Those who live in Chinese Mainland know that during big public events or holidays the GFW is controlling much tougher than usual. Also, the GFW is learning and being constantly developed and improved. So what we understand today might change tomorrow. The Chinese Government invests on it as if their lives dependents on it. At the end… Who knows?
All we know can be found by research and testing but nobody will explain how it really works. I would also like to mention that this article is not only based on my own 20 year IT experience in Chinese Mainland but also on a Research, presented at the annual Conference of the CCC –Chaos Computer Club Hamburg.
So there will be always a battle between the GFW and VPN Providers and there will always be the problem of Collateral Damage and nobody wants to hurt the economy.
The GFW is well prepared and will always be as far as the Chinese government is concerned. Also, do not forget that Chinese Mainland also has placed legal notices to fight this battle offline.
UPDATE: Sesame Disk / NiHao Cloud was interviewed by BBC Business daily, about China’s Internet Privacy Clampdown. You can listen to the full episode here.