ignoring the wall

Via Bruce Schneier, an interesting paper about a technique to bypass the filtering technique currently employed by China’s Great Firewall. I am gonna get a little nerdy here — something I generally reserve for the CentreBlog — so bear with me here:

The way this firewall works is precisely the same as many commonly-available content-based filtering appliances available here. (I tested and evaluated a number of them for the TN K-12 school system back when I worked for ENA.) It’s not the routers or firewalls themselves that monitor for keywords and allow/drop connections, but rather servers that sit on an adjacent port on a switch and sniff the traffic. When they see a verboten word, they make an attempt to kill the connection. This is done utilizing a very simple technique.

In any TCP connection on the Internet, either end can at any time send a packet carrying a certain flag to reset the connection. The flag is called RST, which stands for ... you guessed it ... “reset”. So, in order to kill a connection, these servers merely spoof RST packets to both the source and the destination of the connection, effectively terminating it. More advanced products hijack the connection entirely — sending RST packets to the origin webserver and delivering a “block page” instead of the requested content to the client, letting them know that the content is forbidden, or perhaps in this case, that the storm troopers are en route to their house.

This is a fairly effective technique with one major drawback: it’s subject to race conditions. If the server monitoring traffic gets bogged down, it may not get around to issuing the RST packets before the connection has already proceeded and data has been transferred. At the time, this was a major reason we opted not to use this technology at ENA. The amount of hardware needed to ensure a “race” was never lost was exorbitant in the face of more cost-effective methods. Apparently this isn’t an issue for China.

But anyway, back to the paper. They are pointing out another obvious downside to this technique: if both sides of the connection ignore the RST packets, the connection won’t be terminated. So, theoretically, firewall administrators in China could simply configure their firewall to ignore RST packets, and if the server on the other end did the same, there would be no censorship. But of course this is useless if the other end doesn’t cooperate. It raises an interesting possibility: could there be a movement on the rest of the Internet to cooperate and implement firewall rules that ignore RST packets on port 80 from IP addresses in China? Are there any possible negative side-effects of this, other than some very dysfunctional situations in the event that a connection actually needs to be reset?
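Before dropping RSTs wholesale, an administrator would rather know which RSTs are the forged ones. The detector below is an added illustration, not code from the post or from the paper it links: it uses the assumed heuristic that a genuine RST arrives with the same IP TTL as the endpoint’s other segments and carries the next expected sequence number, whereas a sniffer’s spoofed RST usually gets at least one of those wrong. The segments are constructed, not captured.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

# Minimal view of one TCP segment; the records below are constructed, not captured.
Segment = namedtuple("Segment", "src sport dst dport flags seq ttl payload_len", defaults=(0,))

class RstInjectionDetector:
    """Flags RSTs that do not match what the claimed sender has been transmitting.
    Heuristic (assumed, not from the post): an endpoint's own RST arrives with the
    same IP TTL as its data segments and carries the next sequence number; an RST
    forged by an on-path sniffer usually differs in at least one of these, because
    it travels a different hop count and has to guess the sequence number.
    """

    def __init__(self) -> None:
        # (src, sport, dst, dport) -> {"ttls": TTLs seen, "next_seq": expected seq}
        self.senders: Dict[Tuple[str, int, str, int], dict] = {}

    def observe(self, seg: Segment) -> List[str]:
        """Feed one segment; returns the reasons it looks like a forged RST (empty if none)."""
        st = self.senders.setdefault((seg.src, seg.sport, seg.dst, seg.dport),
                                     {"ttls": set(), "next_seq": None})
        if "R" in seg.flags:
            reasons = []
            if st["ttls"] and seg.ttl not in st["ttls"]:
                reasons.append(f"ttl {seg.ttl} never seen from sender (seen {sorted(st['ttls'])})")
            if st["next_seq"] is not None and seg.seq != st["next_seq"]:
                reasons.append(f"seq {seg.seq} != expected {st['next_seq']}")
            return reasons
        st["ttls"].add(seg.ttl)
        # SYN and FIN each consume one sequence number, as does every payload byte
        st["next_seq"] = seg.seq + seg.payload_len + ("S" in seg.flags) + ("F" in seg.flags)
        return []

def find_injected_rsts(segments: List[Segment]) -> List[Tuple[int, List[str]]]:
    """Run the detector over a segment list; returns (index, reasons) for suspect RSTs."""
    det = RstInjectionDetector()
    return [(i, r) for i, seg in enumerate(segments) if (r := det.observe(seg))]

# Constructed exchange: a client fetches a page from a web server while a box on the
# path tries to tear the connection down with a spoofed RST "from" the server.
SAMPLE = [
    Segment("10.0.0.5", 40000, "203.0.113.7", 80, "S", 100, 64),
    Segment("203.0.113.7", 80, "10.0.0.5", 40000, "SA", 5000, 52),
    Segment("10.0.0.5", 40000, "203.0.113.7", 80, "PA", 101, 64, payload_len=80),
    Segment("203.0.113.7", 80, "10.0.0.5", 40000, "R", 5001, 61),   # spoofed: wrong hop count
    Segment("203.0.113.7", 80, "10.0.0.5", 40000, "PA", 5001, 52, payload_len=300),
    Segment("203.0.113.7", 80, "10.0.0.5", 40000, "R", 5301, 52),   # consistent with the server
]
```

Running `find_injected_rsts(SAMPLE)` flags only segment 3; a firewall rule built on this would drop that RST and still honour the server’s real one.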

F1ght the P0w3r D00dZ!!

  • http://www.lesjones.com/ Les Jones

    If ignoring resets worked I’m guessing that pr0n sites and other commonly-blocked sites would have already used the technique. I could be wrong, though.

  • http://chris.quietlife.net Chris

    Well, it would require cooperation on both ends: the web (pr0n) server side, as well as the client side, and the client side is the one that would be running the filtering software to begin with...

    It does raise an interesting question though, of what would happen if the filtering software sent the resets to the webserver, were ignored, and then sent forged packets back to the client with the blockpage — since the webserver would *also* still send its reply (since it ignored the resets). I’m guessing TCP seqid mismatch/dupe errors and a dropped connection, but who knows... Pretty wacky.

    In retrospect, I don’t really think it’s a very viable strategy for defeating censorship (there are more direct ways), but it’s interesting to contemplate...