Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
See all formats and pricing
More options …

Analyzing the Great Firewall of China Over Space and Time

Roya Ensafi / Philipp Winter / Abdullah Mueen / Jedidiah R. Crandall
Published Online: 2015-04-18 | DOI: https://doi.org/10.1515/popets-2015-0005


A nation-scale firewall, colloquially referred to as the “Great Firewall of China,” implements many different types of censorship and content filtering to control China’s Internet traffic. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been characterized because it is infeasible to find a large and geographically diverse set of clients in China from which to test connectivity. In this paper, we overcome this challenge by using a hybrid idle scan technique that is able to measure connectivity between a remote client and an arbitrary server, neither of which are under the control of the researcher performing measurements. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel’s SYN backlog. We show that both techniques are practical by measuring the reachability of the Tor network which is known to be blocked in China. Our measurements reveal that failures in the firewall occur throughout the entire country without any conspicuous geographical patterns.We give some evidence that routing plays a role, but other factors (such as how the GFW maintains its list of IP/port pairs to block) may also be important.

Keywords : Tor; GFW; censorship analysis; network measurement; idle scan


  • [1] Censorship Wiki. https://censorshipwiki.torproject.org.Google Scholar

  • [2] Linux kernel source tree. http://git.kernel. org/cgit/linux/kernel/git/torvalds/linux.git/ tree/net/ipv4/inet_connection_sock.c?h= 4d0fa8a0f01272d4de33704f20303dcecdb55df1#n562.Google Scholar

  • [3] tcp(7) - Linux man page. http://linux.die.net/man/7/tcp.Google Scholar

  • [4] Extensive Analysis and Large-Scale Empirical Evaluation of Tor Bridge Discovery. In INFOCOM, Orlando, FL, USA, 2012. IEEE.Google Scholar

  • [5] Alexa. Alexa top sites in China. http://www.alexa.com/ topsites/countries/CN.Google Scholar

  • [6] C. Anderson, P. Winter, and Roya. Global censorship detection over the RIPE Atlas network. In Free and Open Communications on the Internet. USENIX, 2014.Google Scholar

  • [7] Anonymous. Towards a comprehensive picture of the Great Firewall’s DNS censorship. In Free and Open Communications on the Internet. USENIX, 2014.Google Scholar

  • [8] Antirez. new TCP scan method, 1998.Google Scholar

  • [9] W. Chen, Y. Huang, B. F. Ribeiro, K. Suh, H. Zhang, E. de Souza e Silva, J. Kurose, and D. Towsley. Exploiting the IPID field to infer network path and end-system characteristics. In Passive and Active Network Measurement. Springer, 2005.Google Scholar

  • [10] China internet and mobile phone users. Available at http: //www.procurasia.com/china-industrial-sourcing/chinastatistics- corner/china-internet-users/.Google Scholar

  • [11] R. Clayton, S. J. Murdoch, and R. N. M. Watson. Ignoring the Great Firewall of China. In Privacy Enhancing Technologies. Springer, 2006.Google Scholar

  • [12] J. R. Crandall, D. Zinn, M. Byrd, E. Barr, and R. East. ConceptDoppler: A weather tracker for Internet censorship. In Computer and Communications Security. ACM, 2007.Google Scholar

  • [13] A. Dainotti, C. Squarcella, E. Aben, K. C. Claffy, M. Chiesa, M. Russo, and A. Pescapé. Analysis of country-wide Internet outages caused by censorship. In Internet Measurement Conference. ACM, 2011.Google Scholar

  • [14] J. Dalek, B. Haselton, H. Noman, A. Senft, M. Crete- Nishihata, P. Gill, and R. J. Deibert. A method for identifying and confirming the use of URL filtering products for censorship. In Internet Measurement Conference. ACM, 2013.Google Scholar

  • [15] R. Dingledine, N. Mathewson, and P. Syverson. Tor: the second-generation onion router. In USENIX Security Symposium. USENIX Association, 2004.Google Scholar

  • [16] Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: fast Internet-wide scanning and its security applications. In USENIX Security Symposium. USENIX Association, 2013.Google Scholar

  • [17] R. Ensafi, J. Knockel, G. Alexander, and J. R. Crandall. Detecting intentional packet drops on the Internet via TCP/IP side channels: Extended version. CoRR, abs/1312.5739, 2013. Available at http://arxiv.org/abs/1312.5739.Google Scholar

  • [18] R. Ensafi, J. Knockel, G. Alexander, and J. R. Crandall. Detecting intentional packet drops on the internet via TCP/IP side channels. In Passive and Active Measurement Conference. Springer, 2014.Google Scholar

  • [19] R. Ensafi, J. C. Park, D. Kapur, and J. R. Crandall. Idle port scanning and non-interference analysis of network protocol stacks using model checking. In USENIX Security Symposium. USENIX Association, 2010.Google Scholar

  • [20] E. Katz-Bassett, H. V. Madhyastha, V. K. Adhikari, C. Scott, J. Sherry, P. Van Wesep, T. Anderson, and A. Krishnamurthy. Reverse Traceroute. In Networked Systems Design & Implementation. USENIX Association, 2010.Google Scholar

  • [21] S. Khattak, M. Javed, P. D. Anderson, and V. Paxson. Towards illuminating a censorship monitor’s model to facilitate evasion. In Free and Open Communications on the Internet. USENIX Association, 2013.Google Scholar

  • [22] G. Lowe, P. Winters, and M. L. Marcus. The Great DNS wall of China. Technical report, New York University, 2007.Google Scholar

  • [23] G. Lyon. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure.Org LLC, Sunnyvale, CA, USA, 2009.Google Scholar

  • [24] H. V. Madhyastha, T. Isdal, M. Piatek, C. Dixon, T. Anderson, A. Krishnamurthy, and A. Venkataramani. iPlane: An information plane for distributed services. In Operating Systems Design and Implementation. USENIX Association, 2006.Google Scholar

  • [25] Z. M. Mao, J. Rexford, J. Wang, and R. H. Katz. Towards an accurate AS-level traceroute tool. In SIGCOMM ’03: Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, pages 365-378, New York, NY, USA, 2003. ACM Press.Google Scholar

  • [26] Global RIPE Atlas Network Coverage. Available at https: //atlas.ripe.net/results/maps/network-coverage/.Google Scholar

  • [27] World map of PlanetLab nodes. Available at https://www. planet-lab.org/generated/World50.png.Google Scholar

  • [28] The DIMES project: Active Agents by Countries in Last 7 Days. Available at http://www.netdimes.org/new/?q= node/52.Google Scholar

  • [29] M-Lab Platform: Server Map. Available at http://www. measurementlab.net/infrastructure.Google Scholar

  • [30] MaxMind - GeoIP2 City Accuracy. Available at https:// www.maxmind.com/en/geoip2-city-database-accuracy.Google Scholar

  • [31] M. Morbitzer. TCP idle scans in IPv6. Master’s thesis, Radboud University Nijmegen, The Netherlands, 2013.Google Scholar

  • [32] D. Nobori and Y. Shinjo. VPN gate: A volunteer-organized public vpn relay system with blocking resistance for bypassing government censorship firewalls. In Networked Systems Design and Implementation. USENIX, 2014.Google Scholar

  • [33] J. C. Park and J. R. Crandall. Empirical study of a nationalscale distributed intrusion detection system: Backbone-level filtering of HTML responses in China. In Distributed Computing Systems. IEEE, 2010.Google Scholar

  • [34] T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Secure Networks, Inc., 1998.Google Scholar

  • [35] Z. Qian and Z. M. Mao. Off-path TCP sequence number inference attack. In Security & Privacy. IEEE, 2012.Google Scholar

  • [36] Z. Qian, Z. M. Mao, Y. Xie, and F. Yu. Investigation of triangular spamming: a stealthy and efficient spamming technique. In Symposium on Security and Privacy. IEEE, 2010.Google Scholar

  • [37] S. Sanfilippo. hping. http://www.hping.org, 2006.Google Scholar

  • [38] Sparks, Neo, Tank, Smith, and Dozer. The collateral damage of internet censorship by dns injection. SIGCOMM Computer Communication Review, 42(3):21-27, 2012.Web of ScienceGoogle Scholar

  • [39] The Tor Project. Relay descriptor archives. https://metrics. torproject.org/data.html#relaydesc.Google Scholar

  • [40] The Tor Project. Tor metrics - direct users by country. https://metrics.torproject.org/userstats-relay-country.html? graph=userstats-relay-country&start=2014-01-01&end= 2014-07-01&country=cn&events=off.Google Scholar

  • [41] Tokachu. The not-so-great firewall of China. 2600 Magazine, Winter 2006-2007.Google Scholar

  • [42] TorStatus. Tor network status. http://torstatus.blutmagie. de.Google Scholar

  • [43] G. Walton. China’s golden shield : corporations and the development of surveillance technology in the People’s Republic of China. International Centre for Human Rights and Democratic Development, 2001.Google Scholar

  • [44] Y. A. Wang, C. Huang, J. Li, and K. W. Ross. Queen: Estimating packet loss rate between arbitrary internet hosts. In Passive and Active Network Measurement. Springer, 2009.Google Scholar

  • [45] N. Weaver, R. Sommer, and V. Paxson. Detecting Forged TCP Reset Packets. In Network and Distributed System Security. The Internet Society, 2009.Google Scholar

  • [46] P. Winter and S. Lindskog. How the Great Firewall of China is blocking Tor. In Free and Open Communications on the Internet. USENIX Association, 2012.Google Scholar

  • [47] J. Wright. Regional variation in Chinese internet filtering. Technical report, University of Oxford, 2012.Google Scholar

  • [48] X. Xu, Z. M. Mao, and J. A. Halderman. Internet censorship in china: Where does the filtering occur? In Passive and Active Measurement Conference. Springer, 2011. Google Scholar

About the article

Received: 2014-11-22

Revised: 2015-02-12

Accepted: 2015-02-12

Published Online: 2015-04-18

Published in Print: 2015-04-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2015, Issue 1, Pages 61–76, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0005.

Export Citation

© 2015. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. BY-NC-ND 3.0

Citing Articles

Here you can find all Crossref-listed publications in which this article is cited. If you would like to receive automatic email messages as soon as this article is cited in other publications, simply activate the “Citation Alert” on the top of this page.

Paul Pearce, Roya Ensafi, Frank Li, Nick Feamster, and Vern Paxson
IEEE Security & Privacy, 2018, Volume 16, Number 1, Page 24
Joe Van Buskirk, Sundresan Naicker, Amanda Roxburgh, Raimondo Bruno, and Lucinda Burns
International Journal of Drug Policy, 2016, Volume 35, Page 16

Comments (0)

Please log in or register to comment.
Log in