[split] Chinese firewall
10-27-2010, 12:21 AM,
#1
[split] Chinese firewall
I don't quite know if this is able to bypass the great chinese firewall, but some years ago my ISP (Telenor) along with it's branches was judged to block all access to sites such as the pirate bay, mp3raid and such sites*. I never really used them, but i didn't like the fact that i was actually blocked from some sites. Therefore, I found out that i was able to change the DNS server to bypass the ISP firewalls. I also found that that i was able to bypass the school firewall with this method. I don't know whether this is able to bypass the chinese firewall, tho'.

There is two which i prefer to use:
- Google DNS:
  • 8.8.8.8
  • 8.8.4.4
- OpenDNS:
  • 208.67.222.222
  • 208.67.220.220

Alternatively, there some other DNS servers here:
http://www.tech-faq.com/public-dns-servers.html

Guides to changing the settings:
XP (Windows...): http://www.mediacollege.com/computer/network/dns.html
Linux: http://nixcraft.com/linux-software/507-s...twork.html

*Just want to clearly state, that I don't encourage piracy in any way.
Reply
10-27-2010, 01:20 AM, (This post was last modified: 10-27-2010, 01:27 AM by RichardGv.)
#2
RE: Web block confuse
(10-27-2010, 12:21 AM)Vanilla Wrote: I don't quite know if this is able to bypass the great chinese firewall, but some years ago my ISP (Telenor) along with it's branches was judged to block all access to sites such as the pirate bay, mp3raid and such sites*. I never really used them, but i didn't like the fact that i was actually blocked from some sites. Therefore, I found out that i was able to change the DNS server to bypass the ISP firewalls. I also found that that i was able to bypass the school firewall with this method. I don't know whether this is able to bypass the chinese firewall, tho'.

Unfortunately, you generally cannot bypass our Great Firewall with the method: (It couldn't so "great" if it can easily be bypassed.)
  1. The Great Firewall is known to search for DNS requests of the blocked domain, and generate a fake DNS response, with an inaccessible IP address returned. So regardless of which DNS server you are querying from China, if the request domain is blocked, you won't get the correct IP.
  2. DNS poisoning is not the only filtering method. Aggressive IP block, URL filtering + TCP reset, etc., are pretty common, too.
Gentoo Linux User (w/ fvwm) / Loyal Firefox User / Owner of a Stupid Old Computer - My PGP Public Key

No man is an island, entire of itself; every man is a piece of the continent, a part of the main; if a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friends or of thine own were; any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee.
-- Devotions Upon Emergent Occasions (1624), John Donn
Reply
10-27-2010, 01:26 AM,
#3
RE: Web block confuse
Well, i suppose a proxy is the only way then?
Reply
10-27-2010, 01:34 AM, (This post was last modified: 10-27-2010, 01:35 AM by RichardGv.)
#4
RE: Web block confuse
(10-27-2010, 01:26 AM)Vanilla Wrote: Well, i suppose a proxy is the only way then?

Huh, mostly. And most plain HTTP proxies or web proxies won't work. (HTTP proxies fail due to the TCP filtering; lots of web proxies are already blocked.) SSH and VPN proxies are two of the most stable methods. I use a VPN proxy myself.
An alpha-stage project "west-chamber" is partially able to get over TCP reset / DNS poisoning and gain access to YouTube (but super-unstable) in China. But it's way too far from maturity.
Gentoo Linux User (w/ fvwm) / Loyal Firefox User / Owner of a Stupid Old Computer - My PGP Public Key

No man is an island, entire of itself; every man is a piece of the continent, a part of the main; if a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friends or of thine own were; any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee.
-- Devotions Upon Emergent Occasions (1624), John Donn
Reply
10-27-2010, 01:39 AM,
#5
RE: Web block confuse
But you paid for the VPN, right?

The West Chamber project is quite interesting, how exactly does work?

- A third thing is, that this is probably getting a bit off-topic, and perhaps should be split into another thread?
Reply
10-27-2010, 12:25 PM, (This post was last modified: 10-27-2010, 12:29 PM by RichardGv.)
#6
RE: Web block confuse
(10-27-2010, 01:39 AM)Vanilla Wrote: But you paid for the VPN, right?

The West Chamber project is quite interesting, how exactly does work?

- A third thing is, that this is probably getting a bit off-topic, and perhaps should be split into another thread?

Huh, yeah, this is off-topic, but I have no permissions to split them to another thread (or I did not find the correct button?).
@Moderator/Admin Please split all replies since post #7 to a new thread. Thanks.

Yes, I payed for the VPN. $20 per year, it costs.

The mechanism of West Chamber is rather complicated and technical. I would try to explain it with my limited knowledge. Sorry if there's something wrong in my explanation.
The project is formed by 3 components: zhang, cui, and another component to look for corrupted DNS responses.
The zhang/cui component is primarily used to deal with TCP reset packets sent by Great Firewall. (zhang and cui are both names of chacters in Romance of the West Chamber, a novel from which the name of the project came.)
This is how Great Firewall detects and interrupts connections with TCP reset packets, firstly:
[Image: original_s2c.png]
[Image: original_c2s.png]
(Ignore the Chinese titles, please. Source of these graphs: https://twitter.com/gfwrev )
This is how "zhang" part works:
[Image: original_zhang.png]
  1. The client (Bob) sends a SYN segment to the server (Alice), Alice returns a SYN packet, as what normally would happen.
  2. West-chamber injects a RST packet on Bob's side with wrong sequence number (?), letting the firewall (Mallory) believe the connection from Bob to Alice is closed. (The firewall does not record the old TCP sequence numbers due to performance considerations, so it cannot detect whether a TCP packet is valid or not, while Bob and Alice can.)
  3. West-chamber (on Bob's side, of course) sends Alice a ACK segment with wrong acknowledgement number. According to TCP standard, Alice returns a RST segment. When Mallory discovers the RST segment, he thinks the connection is already closed, and stop monitoring the traffic between Bob and Alice, but in fact it's not closed.
  4. Bob then finishes the 3-way-handshake and continues to talk with Alice, without Mallory interrupting.
"cui" works in a similar way.
The DNS component detects fake DNS responses returned from the firewall with some sort of predefined fingerprints and discard them.
The explainations is mostly translated from a Chinese article: http://blog.youxu.info/2010/03/14/west-chamber/
Gentoo Linux User (w/ fvwm) / Loyal Firefox User / Owner of a Stupid Old Computer - My PGP Public Key

No man is an island, entire of itself; every man is a piece of the continent, a part of the main; if a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friends or of thine own were; any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee.
-- Devotions Upon Emergent Occasions (1624), John Donn
Reply
10-27-2010, 04:38 PM, (This post was last modified: 10-27-2010, 04:41 PM by Vanilla.)
#7
RE: [split] Chinese firewall
Well, it's definitely an interesting project. But you mentioned befor that it was super-unstable, why is that? How well does it work in praxis? I mean, wouldn't it miss some of the first packets when ie. browsing youtube (end up getting a corrupted video), or is that taken into account for?

Edit:
Quote:Huh, yeah, this is off-topic, but I have no permissions to split them to another thread (or I did not find the correct button?).
@Moderator/Admin Please split all replies since post #7 to a new thread. Thanks.
[Thread Splitted]
- The moderation option tools are at the bottom ;)
Reply
10-27-2010, 07:56 PM,
#8
RE: [split] Chinese firewall
uhmm well buddy i better prefer the proxy!
Reply
10-27-2010, 08:26 PM, (This post was last modified: 05-02-2011, 10:44 PM by RichardGv.)
#9
RE: [split] Chinese firewall
(10-27-2010, 04:38 PM)Vanilla Wrote: Well, it's definitely an interesting project. But you mentioned befor that it was super-unstable, why is that? How well does it work in praxis? I mean, wouldn't it miss some of the first packets when ie. browsing youtube (end up getting a corrupted video), or is that taken into account for?

Edit:
Quote:Huh, yeah, this is off-topic, but I have no permissions to split them to another thread (or I did not find the correct button?).
@Moderator/Admin Please split all replies since post #7 to a new thread. Thanks.
[Thread Splitted]
- The moderation option tools are at the bottom ;)

The reasons that is unstable include:
  1. There isn't a full list of IPs that needs special treatments available. Sites like YouTube uses too many different IPs.
  2. Fingerprints of the fake DNS responses can change (and do change) frequently, so the anti-DNS-poisoning component may often break.
  3. There could be other technical limitations that I don't know.
And the project has some major limitations, too, which I forgot to mention in the last reply:
  1. It cannot bypass a direct IP block. No technique can be used to bypass it, except for proxies. And a great of number of sites are blocked in this way, including Twitter.
  2. If the server does not explicitly follow RFC standards, it will possibly break connections. (Which is the reason the developers decided to use a predefined IP list for "zhang" and "cui".

In practice, at least at the time I tried it (10 months ago or so), it's not really practically usable, unless you can bear meeting a connection reset every some 20 seconds. Other people seems able to access Facebook, YouTube, and Blogger with it, moderately well, but I was not so lucky. I never successfully watched a YouTube video with it, since there's always something broken on the page. Probably it's caused by an incomplete IP blacklist.

By the way, the mod tools are invisible for me, somehow...
[Image: niftyhost-nomodtools.png]
Gentoo Linux User (w/ fvwm) / Loyal Firefox User / Owner of a Stupid Old Computer - My PGP Public Key

No man is an island, entire of itself; every man is a piece of the continent, a part of the main; if a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friends or of thine own were; any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee.
-- Devotions Upon Emergent Occasions (1624), John Donn
Reply
10-27-2010, 10:17 PM,
#10
RE: [split] Chinese firewall
I think tor would work, right? If you know a server that's not banned.
With love,
HiddenKnowledge
A.k.a. Yoruichi Shihouin

If you have any questions, feel free to contact me trough email or pm. :)
Reply


Forum Jump: