I’ve been doing more research into what most people know as the ‘Great Firewall of China’ (introduction here). Commissioned by the Ministry of Public Security, the Golden Shield is actually a more comprehensive program than the censorship and surveillance systems it encompasses. Most the information systems developed for the programme seem reliant on the commercial infrastructure provided by China Telecom, which is the main ISP for that country.
While there’s always a ton of stuff on the subject by various campaign groups, there hasn’t been much in the way of technical research for the last five years, so the reports published by the Global Internet Freedom Consortium and the Harvard Law School remain the best sources available. The following is what I’ve been able to gather.
Three main types of Internet censorship have been identified:
* IP blocking
* TCP blocking
* DNS redirection
Readers might notice the similarity with another content filtering system I covered recently, and that’s because the Great Firewall works on the same principles on a much larger scale. Here, there are three layers:
* Border gateways
* Regional gateways
* Local public networks (either host or router)
A couple of the earlier reports published by the Global Internet Freedom Consortium state there are between five and nine border gateways for Internet traffic between China and the rest of the world. In fact, there are only three primary cable landing stations around the east coast, and they’re routed through the main (state owned) China Telecom data centres: one in Beijing, another in Shanghai, and the third somewhere around Shenzhen. A cursory look at Google Maps will also reveal China Telecom as operating primarily at those sites. Incidentally these locations also appear to be hubs for other Ministry of Public Security department comms.
I believe it’s mainly at these locations that IP blocking is deployed, since the vast majority of ‘subversive’ content is hosted outside the PRC. Because there are just three border gateways and more Internet users than the United States, TCP packet inspection wouldn’t work here. It would be more practical to distribute the load across regional data centres.
When a client enters the URL for whatever site, the DNS is checked to determine the IP address it’s mapped to. If the correct record exists for that address, the connection proceeds. If the user instead attempts to reach an IP address that’s recognised as blacklisted, one of the border gateways will reset the connection.
Sophisticated as it appears to other researchers, the system has a major flaw. The PRC employs a large workforce to sift through foreign sites and update the Access Control Lists manually, which means a given proxy server could be usable for weeks before it’s discovered.
In his excellent post on the Great Firewall, James Fallows describes how data passing through undersea cable landing stations are mirrored to storage systems and inpected, but I believe this was a simple misinterpretation of how cable distribution in the Submarine Branching Units work. Although the capabilities of Deep Packet Inspection (DPI) systems developed by Huawei Technologies (which has links to the Chinese military) are highly advanced, it’s unlikely any government outside the United States has the resources to store and inspect that volume of traffic in real time.
Domain Name System
The PRC’s main Domain Name System server (dns.cn, 22.214.171.124) is based at the China Internet Network Infomation Center, which is at, or very near the China Telecom data centre in Beijing. The DNS is replicated across a number of regional servers, and certain DNS records are altered to redirect banned domains to a handful of state-owned IP addresses. Since URLs are the primary means of locating servers, this can be effective when the correct IP address is unknown.
Researchers studied China’s DNS and published their findings in The Great DNS Wall of China (Lowe, Winters and Marcus, 2007). They believe domain requests are being manipulated by a router in addition to the root server itself, which agrees with my hypothesis that the DNS root is at the same physical location as one of the border gateways – the Beijing data centre.
Regional Routers and TCP Filtering
Within China, the internal filtering works on the traffic payload, as opposed to the IP routing. Since there are few, if any, servers hosting outlawed material within the country, it makes sense to concentrate instead on what’s being communicated domestically through email and messaging, rather than what’s published at static IP addresses.
Using DPI, the authories can either scan traffic for keywords, or strip out a specific connection and view the web site or content being accessed.
The major problem for the PRC is that Deep Packet Inspection is easily defeated by encryption and VPN links, which themselves can’t be outlawed since e-commerce, and therefore much of the nation’s economy, depends on the capability to conduct secure transactions. Internet communications are increasingly becoming encrypted by default. The PRC attempted (unsuccessfully) to get around this by compromising end points using the Green Dam software, which is pretty much in line with techniques being adopted across the commercial surveillance industry.
Roughly two years ago, members of the Falun Gong movement (outlawed in the PRC) and the Human Rights Law Foundation took legal action against Cisco in the United States, the claim being that Cisco’s involvement in the Golden Shield programme led to the arrest, imprisonment and torture of dissidents in China. During the course of that, a Cisco presentation file dating from 2002 was leaked (Overview of the Public Security Sector, 2002). Because of budget, training, security and project requirements, government communications tends to remain unchanged over long periods, so we could still derive much information from this about the PRC’s infrastructure, how the various agencies are organised, and the capabilities they were developing.