AmericanKitty-FirewalledI taught a lesson on SIP and the DNS, and had the following question asked by a student, “How is China handling their DNS requests? Is that how they are able to filter the net?”.

It was a tad off topic, but a great question. I had a feeling that China’s Golden Shield project (The Great Firewall), was a tad more involved than just controlling zone files, so I deferred the question till the next day, until I could research a proper answer. Here’s a brief summary of what I found.

Why did China feel a need for the Golden Shield Project?

The Golden Shield was the Community Party of China (CPC) response to the China Democracy Party (CDP). The CDP was finding a voice on the internet, and the CPC wasn’t really all ‘cray-cray’ about democracy spreading in Communist China, so it was decided that China would simply filter all of the internet.

Who is effected by the Golden Shield Project?

Design began in 1998, and ‘finished’ in 2003, but ‘major project updates’ occurred to the program from 2006 to 2008. As I write this, the project controls info for 1.3 billion Chinese and requires roughly 30,000 employees to ‘monitor’ internet. Chat, blogs, websites, podcasts and Weibo (Chinese Twitter), are all constantly being watched and censored by Chinese authorities. If you are found to be using the internet to communicate thoughts that, “defame the government”, “split the nation”, or “leak government secrets”, than you may be subject to censorship, fines, or jail sentences. Further content restrictions were imposed in 2000, when China passed laws forbidding a Chinese ISP to provide access to any foreign media without government approval.

Yes, yes, it all sounds quite horrible. I get it. Now, how does it work?

China’s web is connected via government-licensed ISPs that must comply with government standards. All ISPs funnel traffic to a single international-level router called at the IP

From this single logical node, the government can monitor and control all the country’s traffic. Despite strict control, tech savvy Chinese dissidents have managed to overcome the following many government internet control mechanisms. The control mechanism, and the employed tactic to defeat those mechanisms are as follows:

  • IP Blocking – Defeated by using proxy servers
  • DNS ‘tricks’ (DNS redirection) – Defeated by using IP addresses to access web
  • URL filtering – Defeated using SSL or VPN to obfuscate traffic
  • Deep packet inspection – Defeated using SSL or VPN to obfuscate traffic
  • Connection resets – When client request data, a SYN packet is sent, and you receive back a SYN-ACK packet. China authorties will follow this up with a RST packet, stopping your connection for 10 sec. This is one of the more popular ways China stops data requests. It is defeated by filtering all incoming RST packets
  • Green Dam Youth Escort software (filters pornography, installed on all computers sold in mainland China) – Defeated buying a computer not sold in mainland China or by removing software from the computer (this may be illegal, I’m not sure)

What are the results of China’s race to build an Orwellian distopia?

While it is an impressive technical accomplishment, China has the largest number of jailed “cyberdissidents” in the world. While the average citizen cannot get access all over the web, those with means and training to defeat the Great Firewall can. Therefore, it is not really as effective as China would have the world believe… it is less analogous to the Great Wall, and more analogous to a Great Sponge. Certainly absorbing lots, but still leaving plenty behind.