Large-scale Spatiotemporal Characterization of Inconsistencies in the World's Largest Firewall
Roya Ensafi, Philipp Winter, Abdullah Mueen, Jedidiah R. Crandall

TL;DR
This paper uses innovative measurement techniques to analyze the inconsistencies and architecture of China's Great Firewall, revealing widespread failures, partial unfiltered access to Tor, and centralized filtering at exchange points.
Contribution
It introduces hybrid idle scans and a side channel in the Linux kernel's SYN backlog to measure firewall reachability at large scale and with geographic diversity, without controlling either the client or the server being measured.
Findings
Firewall failures occur countrywide without geographic pattern
Unfiltered access to parts of the Tor network exists
Filtering is mainly centralized at Internet exchange points
Abstract
A nation-scale firewall, colloquially referred to as the "Great Firewall of China," implements many different types of censorship and content filtering to control China's Internet traffic. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been characterized because it is infeasible to find a large and geographically diverse set of clients in China from which to test connectivity. In this paper, we overcome this challenge by using hybrid idle scan techniques that are able to measure connectivity between a remote client and an arbitrary server, neither of which are under the control of the researcher performing measurements. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel's SYN backlog. We demonstrate both…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Network Packet Processing and Optimization
