Very cool. So they don't actually run enormous transparent proxies? If so, how come mention of the blacklisted word 'freenet' on IRC is permitted?
Obviously the firewall will be "improved" in the future, and the TTL fix will not permanently fix the problem, as the TTL can be stolen from the packet containing the forbidden term. (It would help with more general DoSs of course). On Tue, Jun 27, 2006 at 09:51:57PM +0200, David 'Bombe' Roden wrote: > Bruce Schneier recently posted this: > > http://www.schneier.com/blog/archives/2006/06/ignoring_the_gr.html > > Richard Clayton is presenting a paper (blog post here) that discusses > how to defeat China's national firewall: > > ...the keyword detection is not actually being done in large routers > on the borders of the Chinese networks, but in nearby subsidiary > machines. When these machines detect the keyword, they do not actually > prevent the packet containing the keyword from passing through the main > router (this would be horribly complicated to achieve and still allow > the router to run at the necessary speed). Instead, these subsiduary > machines generate a series of TCP reset packets, which are sent to each > end of the connection. When the resets arrive, the end-points assume > they are genuine requests from the other end to close the connection -- > and obey. Hence the censorship occurs. > > However, because the original packets are passed through the > firewall unscathed, if both of the endpoints were to completely ignore > the firewall's reset packets, then the connection will proceed > unhindered! We've done some real experiments on this -- and it works > just fine!! Think of it as the Harry Potter approach to the Great > Firewall -- just shut your eyes and walk onto Platform 9??. > > Ignoring resets is trivial to achieve by applying simple firewall > rules??? and has no significant effect on ordinary working. If you want > to be a little more clever you can examine the hop count (TTL) in the > reset packets and determine whether the values are consistent with them > arriving from the far end, or if the value indicates they have come > from the intervening censorship device. We would argue that there is > much to commend examining TTL values when considering defences against > denial-of-service attacks using reset packets. Having operating system > vendors provide this new functionality as standard would also be of > practical use because Chinese citizens would not need to run special > firewall-busting code (which the authorities might attempt to outlaw) > but just off-the-shelf software (which they would necessarily > tolerate). > > --- > > Interesting. > > David > _______________________________________________ > chat mailing list > [email protected] > Archived: http://news.gmane.org/gmane.network.freenet.general > Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/chat > Or mailto:[EMAIL PROTECTED] -- Matthew J Toseland - [EMAIL PROTECTED] Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so.
signature.asc
Description: Digital signature
_______________________________________________ chat mailing list [email protected] Archived: http://news.gmane.org/gmane.network.freenet.general Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/chat Or mailto:[EMAIL PROTECTED]
