Thanks for sharing this. I researched this for my A level project a few years ago, and this is a really neat cross reference. I didn't mention V2Ray as much.
How is traffic controlled inside PRC? Is GFW a central hub for all traffic between all hosts? Or between residential ASNs and commercial ones only? In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting. Maybe internal traffic is just all banned?
Unknown. I haven't seen any injected fake DNS or reset packets so far to domestic hosts. But there are rumors that Google's servers in Beijing (AS24424) was once black holed.
> Is GFW a central hub for all traffic between all hosts?
It's supposed to has centralized management system, but not a single hub.
> Or between residential ASNs and commercial ones only?
Yes, the injecting devices are deployed in IXPs, the AS borders. See <Internet censorship in China: Where does the filtering occur?>.
> In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting.
I believe Iran has more centralized system like China controlled by Tehran.
> Maybe internal traffic is just all banned?
No, internal HTTPS traffic is not banned in that hour.
Not only individuals, but also major companies were locked down. If this was a dry run for "certain measures" in the future, I can't believe how much of a blow it would cause to the economy. Therefore, I think this was more of a human error.
Determining the scope of the impact would also be part of such a dry run. And if it is meant to be used along some kind of military action then it's going to throw the economy into chaos anyway.
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed in the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Nginxia it's NWCD
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shutdown cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shutdown any website they want.
I laughed when I saw "Nginxia", thinking it was a portmanteau of, well, nginx and wuxia, a Chinese fiction genre. Reality is much less funny when I looked up NWCD, and you likely just made a typo of Ningxia.
> You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?
In fact, it’s a common tactic to do something unusual, in a recurrent way, so people aren’t alerted when it happens for real. (When the Mossad stole 7 boats from a French port (that they had fully paid), they prepared a few months in advance by having the pilots start the engines every night at 23:00, pretending they needed it against the cold temperatures. When they day came, they started the engines and left, no-one saw it coming).
Could you bring something like a starlink mini for backup i wonder? Id imagine this would be very worrying being stuck there as a foreigner in such a situation.
Starlink connects you to the internet via a ground station in the country where you are registered, and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
The infrastructure for that kind of control clearly already exists. What's unclear is how coordinated or deliberate these events are versus being side effects of testing or internal changes
That's what's so great about LoRA. Decentralized txt msgs, ultra cheap radios people run at home or wherever. $10-35USD ON AMAZON. Least txts get through.
Local police already equipped with signal jammer cars. Usually only used in college entrance exam period. They also appeared in recent protest in Jiangyou city.
The most depressing is that what happens in China, will eventually happen in the west too. I'm sure certain US, UK, and EU bureaucrats are already crafting campaigns about how this ability will 'save the children' and that it should be implemented immediately (politicians and certain other selected people will be exempt of course).
There's nothing inevitable about this. Civil society needs to organize, coordinate, and spend money on PR about this.
Right now liberal people mostly sit back and wait for things to get better, it's not enough. (Also going and walking up and down is not really effective.)
It's inevitable because we've seen time and again that all it takes to get the public opinion behind this kind of thing is to talk about how it is needed to catch pedophiles and terrorists.
And if you talk back? Why, you must be a pedophile or a terrorist, otherwise why would you have anything to hide?
It's gotten bad enough that people here on HN - Hacker News! - non-ironically make more or less this argument.
It is inevitable, because the means by which civil society can organize, coordinate, and spend money on PR about this, are all firmly in the control of a very few people. These same people are generally on the side of more centralized control, because they are the ones who will wield it.
Think of how many people who have remote jobs with American companies couldn't connect to their meetings while they "work from home" while secretly being in China!
Normally they have to fight VPN issues anyway, but having a sovereign state inject your packets is certainly a fun new one.
Anyone operating in/around China who needs a real VPN has a service they pay for and use that isn't mainstream that isn't blocked (using V2ray or similar). There's a reason why Shadowrocket is the number 1 app on the app store. I'm sure there are a lot of cases of people using e.g., off-the-shelf VPN apps and have trouble, but power users in China are always running a VPN, usually to Japan, that doesn't have this problem.
There are special virtual SIM cards that provide access to services from mainland China, as well as VPNs that function normally without issues. I used both while I was in China.
Yeah, have used one. Mine was a downloadable eSIM and meant for foreign travelers with 1-week plan. It actually establishes an IPsec VPN to the origin country. Beijing dare not to block foreigners' roaming services.
I definitely appreciate that a percentage of so called "employees" are actually just full fledged Chinese nationals, living permanently in China, paid a salary to pretend to be an American who had their identity stolen.
But there absolutely is also a non-negligible number of Chinese and Indian nationals, who have some type of visa status in the US (especially a green card) who spend many months in their original countries making $200,000 or more per year while living like royalty in their home countries :)
I live in a popular Digital Nomad friendly country, and myself included, work with Europe/American companies roughly matching their time zones.
Now, the people I work with know that I'm not really located in the same time zone, but I know people who don't bother to mention it. I rarely get phone calls, but I have a roaming connection active for banking/OTP/etc. Plenty of cheap cafes with great WiFi (500mbps+ almost everywhere), and several times cheaper too.
Sadly much more common than it should be. The durations vary widely, but with the price of airline tickets and the nature of corporate software engineering jobs, it's extremely easy to self-justify a month abroad. The US government allows 6 months officially for green card holders.
If it wasn't literally 10x cheaper to live abroad than it is to live in Seattle/San Jose, it wouldn't be as prevalent. And not to mention, the quality of life is often better at the 10x cheaper price as well.
Well for starters recreate the situation and test out different approaches. Thanks to the detailed analysis that can be attempted.
If I understand right, a good next step would would be with eBPF or some type of proxy ignore the forged RST+ACK at the beginning.
Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
See <Ignoring the Great Firewall of China> in 2006. That won't work if RST/ACK was injected to both sides.
> Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
This is an interesting approach already being utilized, namely TCB desync. But currently most people tend to buy VPN/proxy services rather than studying this.
> A Brief, Incomplete, and Mostly Subjective History of Chinese Internet censorship and its countermeasures
https://news.ycombinator.com/item?id=44898892)
Thanks for sharing this. I researched this for my A level project a few years ago, and this is a really neat cross reference. I didn't mention V2Ray as much.
How is traffic controlled inside PRC? Is GFW a central hub for all traffic between all hosts? Or between residential ASNs and commercial ones only? In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting. Maybe internal traffic is just all banned?
> How is traffic controlled inside PRC?
Unknown. I haven't seen any injected fake DNS or reset packets so far to domestic hosts. But there are rumors that Google's servers in Beijing (AS24424) was once black holed.
> Is GFW a central hub for all traffic between all hosts?
It's supposed to has centralized management system, but not a single hub.
> Or between residential ASNs and commercial ones only?
Yes, the injecting devices are deployed in IXPs, the AS borders. See <Internet censorship in China: Where does the filtering occur?>.
> In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting.
I believe Iran has more centralized system like China controlled by Tehran.
> Maybe internal traffic is just all banned?
No, internal HTTPS traffic is not banned in that hour.
It's in operators but managed by the regional government.
So what's blocked differs by region
Not only individuals, but also major companies were locked down. If this was a dry run for "certain measures" in the future, I can't believe how much of a blow it would cause to the economy. Therefore, I think this was more of a human error.
Determining the scope of the impact would also be part of such a dry run. And if it is meant to be used along some kind of military action then it's going to throw the economy into chaos anyway.
As an aside, it’s incredible how many internal chinese websites are completely unsecured with a certificate and don’t use HTTPS and require login.
Terrible, this is Internet curfew. It's not uncommon to imagine they'd shutdown Internet across border during any war (like against Taiwan).
> Terrible, this is Internet curfew.
If you think this is bad...
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed in the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Nginxia it's NWCD
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shutdown cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shutdown any website they want.
I laughed when I saw "Nginxia", thinking it was a portmanteau of, well, nginx and wuxia, a Chinese fiction genre. Reality is much less funny when I looked up NWCD, and you likely just made a typo of Ningxia.
1 reply →
AWS in China also doesn't have the Key Management Service, which leads to me to conclude it must be pretty secure.
I added an A record for subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?
6 replies →
> You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?
3 replies →
What about other protocols, could you run eg Gopher or NNTP? I guess IMAP could work as well.
> It should also be displayed in the site, like a license plate.
https://de.wikipedia.org/wiki/Impressumspflicht (Mandatory real name & address, not only for business, but private persons with web presence, too.
Same for Domain/DNS(which applies to everything in the European Union))
Not all Western companies comply with Beijing, like Route53, a name I've never heard of; Cloudflare seems to be most popular in China.
But yeah, they can shutdown anything unless proxy server is widely used. as <Nearly 90% of Iranians now use a VPN to bypass internet censorship>.
9 replies →
In fact, it’s a common tactic to do something unusual, in a recurrent way, so people aren’t alerted when it happens for real. (When the Mossad stole 7 boats from a French port (that they had fully paid), they prepared a few months in advance by having the pilots start the engines every night at 23:00, pretending they needed it against the cold temperatures. When they day came, they started the engines and left, no-one saw it coming).
It could also be a test to look for surprising things that break, in case they want to do this permanently at some later point.
3 replies →
It was five boats [1], an good story nonetheless. Think whatever you want about Mossad, it can not be denied that these guys have balls.
[1] https://en.wikipedia.org/wiki/Cherbourg_Project
1 reply →
[dead]
Could you bring something like a starlink mini for backup i wonder? Id imagine this would be very worrying being stuck there as a foreigner in such a situation.
Starlink connects you to the internet via a ground station in the country where you are registered, and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
5 replies →
You can still bring a foreign SIM card. 100% effective (via data roaming) at bypassing the firewall, but expensive.
1 reply →
A friend of mine tried, no signal.
27 replies →
https://www.theverge.com/2022/10/10/23397301/elon-musk-starl...
Depends a lot whether Starlink decides to let you.
6 replies →
The infrastructure for that kind of control clearly already exists. What's unclear is how coordinated or deliberate these events are versus being side effects of testing or internal changes
That's what's so great about LoRA. Decentralized txt msgs, ultra cheap radios people run at home or wherever. $10-35USD ON AMAZON. Least txts get through.
It won't get you from where you are to China though.
3 replies →
At a whole 3kbps and line of sight!
Local police already equipped with signal jammer cars. Usually only used in college entrance exam period. They also appeared in recent protest in Jiangyou city.
That would be LoRa. LoRA is a different thing.
1 reply →
Can you recommend a guide? I’m interested in trying it out.
3 replies →
The most depressing is that what happens in China, will eventually happen in the west too. I'm sure certain US, UK, and EU bureaucrats are already crafting campaigns about how this ability will 'save the children' and that it should be implemented immediately (politicians and certain other selected people will be exempt of course).
There's nothing inevitable about this. Civil society needs to organize, coordinate, and spend money on PR about this.
Right now liberal people mostly sit back and wait for things to get better, it's not enough. (Also going and walking up and down is not really effective.)
It's inevitable because we've seen time and again that all it takes to get the public opinion behind this kind of thing is to talk about how it is needed to catch pedophiles and terrorists.
And if you talk back? Why, you must be a pedophile or a terrorist, otherwise why would you have anything to hide?
It's gotten bad enough that people here on HN - Hacker News! - non-ironically make more or less this argument.
It is inevitable, because the means by which civil society can organize, coordinate, and spend money on PR about this, are all firmly in the control of a very few people. These same people are generally on the side of more centralized control, because they are the ones who will wield it.
> Right now liberal people mostly sit back and wait for things to get better
First they came for the socialists, and I did not speak out because I was not a socialist.
Then they came for the trade unionists, and I did not speak out because I was not a trade unionist.
Then they came for the Jews, and I did not speak out because I was not a Jew.
Then they came for me and there was no one left to speak for me.
2 replies →
Think of how many people who have remote jobs with American companies couldn't connect to their meetings while they "work from home" while secretly being in China!
Normally they have to fight VPN issues anyway, but having a sovereign state inject your packets is certainly a fun new one.
Anyone operating in/around China who needs a real VPN has a service they pay for and use that isn't mainstream that isn't blocked (using V2ray or similar). There's a reason why Shadowrocket is the number 1 app on the app store. I'm sure there are a lot of cases of people using e.g., off-the-shelf VPN apps and have trouble, but power users in China are always running a VPN, usually to Japan, that doesn't have this problem.
How do you propose users in China will magically get around a nation state injecting packets?
6 replies →
How many people suddenly "lost internet" mid-meeting and had to blame it on their router...
> Normally they have to fight VPN issues anyway
There are special virtual SIM cards that provide access to services from mainland China, as well as VPNs that function normally without issues. I used both while I was in China.
Yeah, have used one. Mine was a downloadable eSIM and meant for foreign travelers with 1-week plan. It actually establishes an IPsec VPN to the origin country. Beijing dare not to block foreigners' roaming services.
I suspect those connections worked fine.
It’s good to know the boss.
I definitely appreciate that a percentage of so called "employees" are actually just full fledged Chinese nationals, living permanently in China, paid a salary to pretend to be an American who had their identity stolen.
But there absolutely is also a non-negligible number of Chinese and Indian nationals, who have some type of visa status in the US (especially a green card) who spend many months in their original countries making $200,000 or more per year while living like royalty in their home countries :)
8 replies →
How common can this really be? And what kind of companies? I’m finding it really hard to imagine this to be widespread.
I live in a popular Digital Nomad friendly country, and myself included, work with Europe/American companies roughly matching their time zones.
Now, the people I work with know that I'm not really located in the same time zone, but I know people who don't bother to mention it. I rarely get phone calls, but I have a roaming connection active for banking/OTP/etc. Plenty of cheap cafes with great WiFi (500mbps+ almost everywhere), and several times cheaper too.
Microsoft was caught doing it for the US federal government, so presumably Chinese software engineers are working on other Microsoft products too.
I'll just say Microsoft is not the only company doing that, and there are also Chinese-owned SAASes which American companies pay for.
Sadly much more common than it should be. The durations vary widely, but with the price of airline tickets and the nature of corporate software engineering jobs, it's extremely easy to self-justify a month abroad. The US government allows 6 months officially for green card holders.
If it wasn't literally 10x cheaper to live abroad than it is to live in Seattle/San Jose, it wouldn't be as prevalent. And not to mention, the quality of life is often better at the 10x cheaper price as well.
I can give you as much proof as you would like!
Lookup the North Korean version of this with the laptop farms
Example: https://www.justice.gov/opa/pr/justice-department-announces-...
Yeah if I'd sneak off to work from another place I'd pick somewhere really nice. Not China.
9 replies →
Shouldn’t the rest of the world be blocking connections from China.
That'd be somewhat more workable than blocking importation of anything made in China. Somewhat.
How would one get around this if they found themselves in such a situation?
In this exact scenario, just use ports other than :443
But GFW certainly had the capability to block all ports. So no one really knew.
[dead]
Well for starters recreate the situation and test out different approaches. Thanks to the detailed analysis that can be attempted.
If I understand right, a good next step would would be with eBPF or some type of proxy ignore the forged RST+ACK at the beginning.
Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
> ignore the forged RST+ACK
See <Ignoring the Great Firewall of China> in 2006. That won't work if RST/ACK was injected to both sides.
> Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
This is an interesting approach already being utilized, namely TCB desync. But currently most people tend to buy VPN/proxy services rather than studying this.
1 reply →
[dead]
[flagged]
> Imagine what people would say about Cloudflare if they had an hour long outage
That Cloudflare had an outage. Not America.
> That Cloudflare had an outage. Not America.
You probably mean the USA? After all, it was China and not Asia which was responsible for the incident ;)
21 replies →
outage would mean a connection timeout
in this case, the connection works fine, some extra RST+ACK packets were delivered to your network on purpose
Which could easily be explained by a buggy rollout to their great firewall. What does China gain from intentionally blocking SSL for one hour?
2 replies →
I mean... it got blocked by their censorship infrastructure, does it really matter if it only got misconfigured?
[flagged]
There's no good reason to do that.
But "good reason" depends a lot on your perspective
Yeah, dont want their citizens to voice anti-CCP thoughts
Pretty sure it's an incident.
[flagged]