How the Great Firewall of China Blocks Tor

ID THREATPOST:36C87FD21E6D2966741F01F1B702B022
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:33:01


Governments in some countries have not been shy about trying to block their citizens from using the Tor network to access censored or sensitive Web content. The Chinese government has become quite proficient at this, and a recent analysis of the methods the country is using to accomplish this shows that officials are able to identify Tor connections in near real-time and shut them off basically at will.

That country’s much-discussed Great Firewall of China is meant to prevent Chinese citizens from getting to Web sites and content that the country’s government doesn’t approve of, and it’s been endowed with some near-mythical powers by observers over the years. But it’s somewhat rare to get a look at the way that the system actually works in practice. Researchers at Team Cymru got just that recently when they were asked by the folks at the Tor Project to help investigate why a user in China was having his connections to a bridge relay outside of China terminated so quickly.

After looking into it, the researchers determined that within just a few minutes of the user connecting to the bridge relay, the Chinese firewall was able to find and shut off the connection. How this was happening was the question. The Team Cymru researchers found that there were two kinds of probes coming into the bridge relay, one of which seemed to be unrelated to the Tor session and the other of which clearly was directly targeted at the Tor user.

“When a Tor client within China connected to a US-based bridge relay, we consistently found that at the next round 15 minute interval (HH:00, HH:15, HH:30, HH:45), the bridge relay would receive a probe from hosts within China that not only established a TCP connection, but performed an SSL negotiation, an SSL renegotiation, and then spoke the Tor protocol sufficiently to build a one-hop circuit and send a BEGIN_DIR cell. No matter what TCP port the bridge was listening on, once a Tor client from China connected, within 3 minutes of the next 15 minute interval we saw a series of probes including at least one connection speaking the Tor protocol,” Tim Wilde, a software engineer at Team Cymru, wrote in an analysis of the incident, which he helped investigate.
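The timing pattern Wilde describes (a client connects, then shortly after the next quarter-hour boundary unrelated hosts connect and speak the Tor protocol) is something a bridge operator can check for in their own connection logs. The script below is an added example, not Team Cymru's or the Tor Project's code; the log format, event names and addresses are all constructed for the example, and the 3-minute window and 15-minute boundaries are taken from the quoted analysis.

```python
"""Flag bridge-relay connections that fit the probe timing described above:
a client builds a circuit, and within 3 minutes after the following
quarter-hour boundary (HH:00/15/30/45) other hosts connect, one of which
speaks the Tor protocol. Added example, not Team Cymru's or Tor's code."""
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: ISO timestamp, source
# address, what the connection did. Addresses are documentation ranges.
SAMPLE_LOG = """\
2012-01-10T14:41:12 198.51.100.7 client_circuit
2012-01-10T14:46:03 203.0.113.20 tcp_connect_only
2012-01-10T14:46:05 203.0.113.21 ssl_handshake
2012-01-10T14:46:09 203.0.113.22 tor_begin_dir
2012-01-10T15:10:30 203.0.113.40 tcp_connect_only
2012-01-10T16:02:51 198.51.100.9 client_circuit
2012-01-10T16:16:40 203.0.113.55 tor_begin_dir
"""

PROBE_WINDOW = timedelta(minutes=3)   # "within 3 minutes of the next 15 minute interval"


def parse_log(text):
    """Turn the constructed log into (timestamp, source, event) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, event = line.split()
        rows.append((datetime.fromisoformat(ts), src, event))
    return rows


def next_quarter_hour(ts):
    """Round up to the next HH:00/HH:15/HH:30/HH:45 boundary after ts."""
    base = ts.replace(second=0, microsecond=0)
    step = 15 - (base.minute % 15)
    return base + timedelta(minutes=step)


def find_probe_bursts(rows):
    """For each client circuit, collect connections from *other* hosts that
    arrive inside PROBE_WINDOW after the following quarter-hour boundary,
    and note whether any of them got as far as a BEGIN_DIR cell."""
    clients = [(ts, src) for ts, src, ev in rows if ev == "client_circuit"]
    findings = []
    for cts, csrc in clients:
        boundary = next_quarter_hour(cts)
        window_end = boundary + PROBE_WINDOW
        probes = [(ts, src, ev) for ts, src, ev in rows
                  if src != csrc and boundary <= ts <= window_end]
        findings.append({
            "client": csrc,
            "boundary": boundary,
            "probes": probes,
            "spoke_tor": any(ev == "tor_begin_dir" for _, _, ev in probes),
        })
    return findings


if __name__ == "__main__":
    for f in find_probe_bursts(parse_log(SAMPLE_LOG)):
        flag = "PROBE (Tor protocol spoken)" if f["spoke_tor"] else "no Tor-speaking probe"
        print(f"client {f['client']}: boundary {f['boundary']:%H:%M}, "
              f"{len(f['probes'])} follow-up connection(s), {flag}")
```

Run as a script it reports, for each client circuit, how many unrelated hosts connected in the window after the next quarter hour and whether one of them spoke the Tor protocol; the 15:10 connection in the sample falls outside any window and is ignored, which is the point of keying on the boundary rather than on raw connection counts.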

Wilde was able to find that the method the firewall was using to identify which sessions to go after had something to do with the list of SSL ciphers contained in the SSL packet the client sends at the beginning of a session. By changing that list, he was able to evade the blocking of the Chinese firewall. Longer-term solutions are also in the works, including password protection for bridge relays and an additional layer on top of the session that makes the traffic look like undifferentiated binary data.
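To make concrete what "identifying sessions by the cipher list" means, the example below builds a minimal TLS ClientHello, pulls the cipher-suite list back out of it the way a DPI classifier would, and compares it against a signature. It is an added example, not Team Cymru's or the Tor Project's code; the signature suite list is a constructed stand-in (real IANA suite values, but not a claim about what Tor actually sends), and it shows why reordering or extending the list defeats an exact-match signature.

```python
"""Fingerprint a TLS ClientHello by its cipher-suite list, the way a DPI
classifier can. Added example; the SIGNATURE_SUITES list is constructed for
the example and is not Tor's real cipher list."""
import struct

# Constructed "signature": an ordered cipher-suite list a classifier might
# key on. Values are real IANA code points, but the list itself is made up.
SIGNATURE_SUITES = [0xc00a, 0xc014, 0x0039, 0x0038, 0xc00f, 0xc005, 0x0035]
# The same suites with one extra suite prepended: same crypto on offer,
# different fingerprint.
ALTERED_SUITES = [0xc013] + SIGNATURE_SUITES


def build_client_hello(cipher_suites, client_random=bytes(32)):
    """Assemble a minimal TLS 1.0 ClientHello record (no extensions)."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (b"\x03\x01" + client_random + b"\x00"        # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_cipher_suites(record):
    """Return the cipher-suite list from a ClientHello record, or None if
    the bytes are not a well-formed ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len or len(body) < 35:
        return None                                      # truncated
    pos = 2 + 32                                         # skip client_version, random
    sid_len = body[pos]
    pos += 1 + sid_len
    if pos + 2 > len(body):
        return None
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    raw = body[pos:pos + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        return None
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]


def fingerprint(cipher_suites):
    """Order-sensitive fingerprint string, e.g. 'c00a-c014-0039-...'."""
    return "-".join(f"{cs:04x}" for cs in cipher_suites)


def matches_signature(record, signature=SIGNATURE_SUITES):
    """True if the record is a ClientHello whose cipher list exactly matches."""
    suites = parse_cipher_suites(record)
    return suites is not None and fingerprint(suites) == fingerprint(signature)


if __name__ == "__main__":
    for label, suites in (("signature", SIGNATURE_SUITES), ("altered", ALTERED_SUITES)):
        hello = build_client_hello(suites)
        print(f"{label:>9}: {fingerprint(parse_cipher_suites(hello))} "
              f"-> match={matches_signature(hello)}")
```

An exact-order signature like this is cheap to evaluate at line rate, which is why it suits a firewall, and equally cheap to break, which is why changing the list was enough to evade it; a client that wants to blend in has to look like some widely deployed browser's list rather than merely a different one.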

“This probe again implies sophisticated near-line-rate DPI technology, coupled with a system that is aimed directly at Tor, using code that actually speaks the Tor protocol. Clearly there is a target painted firmly on Tor, and it is quite likely that the Chinese will continue to adapt their censorship technology as the Tor Project adapts to them,” Wilde wrote.
