A closer look at the Great Firewall of China

October 8, 2014 | Category: Network | Tags:

The original is blocked. Mirror: http://givv.org/recipients/the-tor-project

Translation: http://xautlinux.net/blog/20141008/132205.htm

Over the last few years, we learned a lot about how the Great Firewall of China is blocking Tor. Some questions remained unanswered, however. Roya, Mueen, Jed, and I just published a project which seeks to answer some of these open questions. Being as curious as we are, we tried to find answers to the following questions:

  • Is the filtering decentralised (i.e., happening in provinces) or centralised (i.e., happening in Internet exchange points (IXP))?
  • Are there any temporal patterns in the filtering? Or in other words, are there certain times when people are more likely to be able to connect to Tor?
  • Similarly, are there any spatial patterns? Are folks in some special regions of China able to connect to Tor while others cannot?
  • When a computer in China tries to connect to a Tor relay, what part of the TCP handshake is blocked?

It turns out that some of these questions are quite tricky to answer. For example, to find spatial patterns, we need to be able to measure the connectivity between many Tor relays and many clients in China. However, we are not able to control even a single one of these machines. So how do we proceed from here? As so often, side channels come to the rescue! In particular, we made use of two neat network measurement side channels which are the hybrid idle scan and the SYN backlog scan. The backlog scan is a new side channel we discovered and discuss in our paper. Equipped with these two powerful techniques, we were able to infer if there is packet loss between relay A and client B even though we cannot control A and B.
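A simplified model of the inference behind the hybrid idle scan, added here as an example (it is not code from the paper or from the Tor Project). It assumes the client uses a single global, incrementing IP ID counter and answers unsolicited SYN/ACKs with RSTs, and that the server retransmits unanswered SYN/ACKs `synack_retries` times; all names and sample values are constructed.

```python
from statistics import mean

IPID_MOD = 1 << 16  # the IP identification field is 16 bits and wraps around

def ipid_deltas(samples):
    """Per-interval increments of a global IP ID counter, wrap-safe."""
    return [(b - a) % IPID_MOD for a, b in zip(samples, samples[1:])]

def classify(control, probe, syns_per_interval, synack_retries=3):
    """Infer where packets between a server (relay) and a client are dropped.

    control: client IP ID samples while no spoofed SYNs are in flight
    probe:   client IP ID samples while `syns_per_interval` SYNs carrying the
             client's source address are sent to the server in each interval
    synack_retries: assumed number of SYN/ACK retransmissions by the server
    """
    background = mean(ipid_deltas(control))        # client's own traffic
    excess = mean(ipid_deltas(probe)) - background
    rsts_per_syn = excess / syns_per_interval
    if rsts_per_syn < 0.5:
        # SYN/ACKs never reached the client, so it sent no RSTs.
        return "server-to-client-dropped"
    if rsts_per_syn < 1 + synack_retries / 2:
        # One RST per SYN/ACK: both directions work.
        return "no-drop"
    # RSTs were lost, the server kept retransmitting, the client kept resetting.
    return "client-to-server-dropped"

# Constructed sample data: background rate of 2 packets per interval,
# 5 spoofed SYNs per interval during the probe phase.
CONTROL = [65530, 65532, 65534, 0, 2]      # wraps past 65535
PROBE_OPEN = [100, 107, 114, 121]          # +2 background, +5 RSTs
PROBE_S2C = [100, 102, 104, 106]           # background only
PROBE_C2S = [65500, 65522, 8, 30]          # +2 background, +20 RSTs, wraps

if __name__ == "__main__":
    for name, probe in [("open", PROBE_OPEN), ("s2c", PROBE_S2C),
                        ("c2s", PROBE_C2S)]:
        print(name, classify(CONTROL, probe, syns_per_interval=5))
```

In real measurements the retransmitted SYN/ACKs are spread over several seconds and the background rate is noisy, so a fixed threshold on an average is only a first approximation.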

You might notice that our measurement techniques are quite different from most other Internet censorship studies, which rely on machines inside the censoring country. While our techniques give us a lot more geographical coverage, they come at the price of flexibility; we are limited to measuring Internet filtering on the IP layer. More sophisticated filtering techniques such as deep packet inspection remain outside our scope.

What we did was measure the connectivity between several dozen Tor relays and computers in China over four weeks, which means that we collected plenty of data points, each of which tells us “was A able to talk to B at time T?”. These data points reveal a number of interesting things:

  • It appears that many IP addresses inside the China Education and Research Network (CERNET) are able to connect to at least our Tor relay.
  • Apart from the CERNET netblock, the filtering seems to be quite effective despite occasional country-wide downtimes.
  • It seems like the filtering is centralised at the IXP level instead of being decentralised at the provincial level. That makes sense from the censor’s point of view because it is cheap, effective, and easy to control.

Now what does all of this mean for Tor users? Our results show that China still has a tight grip on its communication infrastructure, especially on the IP and TCP layers. That is why our circumvention efforts mostly focus on the application layer (with meek being an exception), and pluggable transport protocols such as ScrambleSuit (which is now part of the experimental version of TorBrowser) and obfs4 are specifically designed to thwart the firewall’s active probing attacks.

 

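Translator's note:

On September 20, 1987, China's first e-mail was sent successfully: “Across the Great Wall we can reach every corner in the world”, “This is the First Electronic Mail from China to Germany”. Unfortunately, since the start of the 21st century, everyone with a brain has been forced to climb over the wall every day to get online.

At the instigation of modern-day Jinyiwei (imperial secret police) such as President Fang of BUPT, and without authorization under national law, a national firewall that closes the country off was illegally built at the international Internet gateways. Such conduct is comparable to the eunuchs who ruined the country at the end of the Ming dynasty. Fortunately, the overall policy of reform and opening up has not changed, so things have not sunk to the level of evil countries such as Iran and North Korea, which impose complete blockades. And because good and evil have never been able to coexist, skilled people among the public, including overseas Chinese and international friends, have provided a large number of circumvention methods and tools; only a stupid pig could fail to learn circumvention techniques.

The complete blocking of sites such as Google and Wikipedia fully exposes that the slogan of protecting national security is a lie; keeping ordinary people ignorant of the truth is the ultimate goal. This has already had serious consequences: some people who have been to university are less intelligent than the secondary-school students in Hong Kong of recent days. Outstanding talent goes abroad to study from secondary school onwards; the rich and the elite scramble to flee their ignorant and backward homeland, preferring to leave home and emigrate overseas.

As the anti-corruption campaign deepens, mainland China is about to see a great change comparable to the “smashing of the Gang of Four”, and will ultimately establish a democratic society under the rule of law. Do you want to be an accomplice of evil, or someone who pushes society forward? Please use your brain and think about it.

This firewall, which brings calamity to the country and its people, will one day, like the Berlin Wall, be lawfully torn down by an awakened public.

May illness soon prevail over President Fang, and may every IT “Eastern Depot” expert who has added bricks to the firewall soon ascend to paradise.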

 
