Climbing China’s Great Firewall

Adam L. CaseyDivision of Science and Mathematics

University of Minnesota, MorrisMorris, Minnesota, USA 56267

casey369@morris.umn.edu

ABSTRACTMany different countries censor the internet within theirstate. Citizens frequently wish to avoid the state censor-ship. There are many different methods that have been de-veloped to achieve this. Governments and citizens are in aconstant arms race, with both developing opposing technolo-gies. China in particular has the largest population of peo-ple on the planet, and the Chinese government attempts tocensor the internet. This paper will investigate three meth-ods of navigating around state censorship: Cachebrowser,INTANG and Tor. Cachebrowser and INTANG were devel-oped specifically to navigate around state censorship whileTor was originally developed for anonymous browsing. Thispaper will analyze their effectiveness and viability to avoidcensorship.

KeywordsChina, Great Firewall, Tor, CDNs, INTANG

1. INTRODUCTIONThe largest group of people in the world with censored

access to the internet is the population of China, with up-wards of 1.3 billion people. The Chinese government stillactively censors the internet through a system of networkmonitoring and network manipulation, referred to broadlyas the Great Firewall of China (GFW) [11].

This paper will describe the methods and evaluate thesuccess of three separate ways of evading the censorshipof the GFW. These methods are Cachebrowser, INTANGand Tor. These methods each work in very different ways.Cachebrowser works by allowing the user to easily accessuncensored versions of websites that are usually blocked byaccessing the cached versions of these sites that the Chinesegovernment cannot feasibly block for reasons that will bediscussed in section 3.1. INTANG works by manipulatingthe internet traffic being sent by the user’s machine directlyto avoid censorship by manipulating packets which will bediscussed in depth in section 3.2. Tor works by bouncingthe user’s connection through multiple different nodes. Thismakes it difficult to track. How the Chinese governmentprobes for Tor servers will be discussed in section 3.3

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy ofthis license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.UMM CSci Senior Seminar Conference, April 2018 Morris, MN.

2. BACKGROUNDIn order to understand how circumvention techniques work

a basic understanding of some internet protocols and con-cepts is required. In this section, background will first begiven on the basic frameworks of the internet. Also, back-ground is given on the Transport Control Protocol (TCP).This background information is necessary to understand howINTANG circumvents the GFW. Information is also givenon Content Delivery Networks (CDNs). A foundation inthis subject is necessary to understand how Cachebrowsercircumvents the GFW. An overview of Tor will also be givenin this section. Background on Tor is necessary to under-stand one of the most common ways of circumventing inter-net censorship and to understand how the Chinese govern-ment attempts to stop Tor traffic.

2.1 Internet BasicsIn order to understand how the Chinese government cen-

sors the internet and to understand the TCP protocol, firstsome internet frameworks must be explained. To begin withclient and server roles need to be explained. When you makea request to visit a website such as www.facebook.com yourcomputer talks to the server for facebook. This is referredto as the server because the user makes a request and theserver serves the content to the user. The user in this caseis referred to as the client.

Before the client actually makes a request to facebook.comit needs to know how to get to it. Each server on the internethas a unique address associated with it. This is called an IPaddress [10]. In order for the client to find the IP address fora server they are trying to access they must make a DomainName System (DNS) request. This is done by making arequest to a DNS server which has a list of IP addresses fordifferent websites in a cache. The client tells the DNS serverthe website they are trying to access. The server then sendsthe client the IP address of the website they are trying toaccess. Finally, the client can make a request to the serverthey are trying to access and send data to it and the servercan send data back to the client.

One way the Chinese government attempts to censor theinternet is by manipulating the records on DNS servers toreturn incorrect IPs for websites or to drop packets for re-quests to websites the government does not want clients tobe able to access. This practice is referred to broadly asDNS poisoning [3].

Another way the Chinese government attempts to censorthe internet is through a technique called IP address filtering[5]. This is where the IP of the website you are trying to

Figure 1: Diagram of a TCP packet taken from [9].

access is blocked at the hardware level, usually on your homerouter. This is different from DNS poisoning because evenif we know the IP address of the website we are attemptingto access we cannot get to it.

The final censorship technique that will be mentioned inthis paper is keyword censorship [11]. This is where theChinese government monitors the client’s internet traffic andwill terminate connections with keywords the governmenthas deemed sensitive. This is a way to block connectionsif the IP of the website is not blocked and its DNS recordshave not been poisoned.

Another concept that is necessary to understand circum-vention techniques is the idea of a proxy, sometimes referredto as a proxy server [7]. A proxy is essentially a server thatmakes web requests for you. Instead of talking directly tothe server the client wants to access, it talks to a differentserver, which talks to the server the client wants to talkto. Then the proxy server then takes the information theintended server sent it and sends it back to the client.

2.2 The TCP ProtocolTransport Control Protocol (TCP) [10] is one of the main

internet standards. The main data structure of TCP is thepacket. Data is sent in discrete pieces in order. One of thesepieces is referred to as packet. This order is maintainedby incrementing the sequence number with each new packetthat is sent. Packets are also sent to establish and end a con-nection. Figure 1 shows a diagram of a TCP packet. Thefirst 16 bits are reserved for the source port. The next 16 arereserved for the destination port. Bits 32 to 63 are reservedfor the sequence number. Bits 64 to 95 are reserved for theacknowledgement number if the packet is flagged as an ACK(acknowledgement) packet. The data offset bits serve a dualpurpose. They indicate the size of the TCP header and theoffset from the beginning of the header to the beginning ofthe actual data. The next three bits are reserved. Next, theflag bits begin. These indicate the type of packet. Bits 112to 128 indicate the windows size the sender of the packet iswilling to receive. The next section of bits is a checksumwhich is used for error checking. The next section is the ur-gent data if this is a flagged URG (urgent) packet. There aremultiple flags that can be set. Many of these are not relevant

to this paper the relevant ones are SYN/ACK/FIN/RST.The ACK flag indicates that the packet is an acknowledge-ment packet. The RST flag indicates that the connectionshould be reset. The SYN flag indicates that sequence num-bers should be synced. In practice this should only be usedat the beginning of the connection process. The FIN (finish)flag indicates that this is the last packet from the sender.

Another important aspect of the TCP protocol to knowfor this paper is Time to live (TTL). Each packet is givena TTL. The TTL indicates how long the packet will stay inthe network before it destroys itself. This is useful so thatpackets do not clog up network infrastructure forever if theydo not reach their intended destination.

There are three main steps to transmitting data using theTCP protocol. This first step is to establish the connectionusing a handshake process. A connection is a link betweenclient and host where data can be sent freely between clientand server. Next the actual data is sent. Finally the con-nection is terminated.

Connection establishment is a multistage process. Thefirst stage is when the user establishes a connection to theserver. Next the user sends a SYN (sync) packet to theserver. Once the server receives this SYN packet it sends anACK (Acknowledgement) packet back to the user along witha SYN packet. The next step to establish data exchangeis for the user to send an ACK packet back to the server.After this process has been completed regular data transfercan occur.

Closing a connection is also a multistage process. Closinga connection is different from establishing a connection inthat a client or a server can close the connection. Only aclient can establish a connection. The process for closing aconnection on the server end or the client end is the samebut the roles are reversed. As an example let’s consider aserver closing a connection with a client. The server willsend a FIN packet to the client with the sequence number ofthe next data packet the client is expecting to receive. Oncethe client receives the FIN packet from the sever it sendsan ACK packet with the sequence number increased by one.The client then sends the server its own FIN packet withsequence number relative to the amount of data it has sentto server thus far. The server will then send a final ACK

packet to the client and the connection will be terminatedon both ends.

Another part of the TCP protocol that is manipulatedto get around censorship is the TCP Control Block (TCB).The TCB is a data structure that is created by the TCPprotocol when a connection is established. This TCB is nor-mally created on the client and the server, but in the caseof the GFW one is also created by the GFW to monitorthe connection. The purpose of the TCB is to keep track ofall connections incoming and outgoing on the machine it iscreated on. The GFW uses the TCB it creates in combina-tion with packet inspection to terminate connections withsensitive keywords.

2.3 CDNs and cached contentCDNs [6] also known as content delivery networks are a

distributed set of servers hosting web content. The goal ofthis system is to decrease latency by redirecting users toservers hosting the content near them instead of one centralone that could possibly be across the globe. CDNs are notrun by the companies that have the actual content. Theyare run by a separate company and pay the company thatruns the CDN to host their content. There are many rea-sons to use a CDN. One reason is less stress on a singleserver. Since the network load is spread out between multi-ple servers hosting the cached content, no one server takesthe brunt of the load. The servers that host this cachedcontent that users access are referred to as edge servers.

A common way to implement a CDN for an already exist-ing website is through DNS modifications. When navigatingto the web address for a site, the client will be redirectedfor the CDN server for all content that does not frequentlychange on the site. This would be things like logos, head-ers that are always the same, etc. Content that changesfrequently will be served by the host server. In some casesfor very popular websites dynamic content is still hosted onCDN servers. This is accomplished by having a high speedpipeline from the host server to the CDN server which keepsthe CDN server up to date. When a CDN server has con-tent change on it, it relays this information to all other CDNservers hosting the site so that things are consistent. As aresult of the fact that CDNs are operated by companies sep-arate from the ones wanting their web content hosted, mul-tiple different websites content is stored on the same CDNserver. The client just requests the portion of the contentthat they actually need.

2.4 TorTor [8] gets its name from the project’s previous name

“The Onion Router”. Tor is a free piece of software that isused for anonymous internet browsing. It achieves this byredirecting the user’s connection through multiple differentnodes. Tor is referred to as ”The Onion Router” becauseeach data packet is wrapped in a layer of encryption foreach node that it passes through. Each node only decryptsone layer of information to know where to send the packetnext and does not have access to the actual data you aresending. This is because the actual data is only locatedin the last layer. Figure 2 illustrates this process of traffictraveling through multiple nodes. This makes it difficult totrack. Another important feature of Tor to understand isthe Tor bridge. A Tor bridge is essentially the same as aTor node. The difference is that the list of Tor bridges is

Figure 2: Diagram of Tor traffic through nodes.Taken from [1].

not publicly available, like it is for Tor nodes. One of theways the Chinese government blocks Tor traffic is to blockall IPs of the publicly listed Tor nodes.

Tor also has the ability to use multiple different pluggabletransports. A pluggable transport is a type of cipher suite,a set of encryption algorithms which the data is encryptedwith before being sent out. This allows users to access partsof the Tor network that are usually blocked by the Chinesegovernment using IP address filtering. Pluggable transportsalso work to disguise traffic from being identifiable as Tortraffic. This is because even if censors do not know whatwebsite you are trying to access they will terminate yourconnection if they recognize it as Tor. Not all pluggabletransports work well for avoiding the censorship of the GreatFirewall however. These pluggable transports often haveonly one layer of encryption and encrypt packets in an easilyrecognizable way, allowing the government to recognize Tortraffic and block it accordingly. The currently recommendedpluggable transport to use is meek-amazon. Meek-amazonworks by using a technique called domain fronting. Whiletoo complicated to explain in-depth in this paper, domainfronting makes it look like the client is accessing a differentwebsite than they actually are. The meek-amazon pluggabletransport accomplishes this by routing traffic through Ama-zon cloud servers, which then access the Tor network as aproxy. Figure 3 illustrates how the meek-amazon pluggabletransport works.

3. METHODS OF CIRCUMVENTION

3.1 CachebrowserCachebrowser [11] is a tool developed by John Holowczak

and Amir Houmansadr to bypass the censorship of the GreatFirewall of China. It uses CDNs and cached content, asmentioned in Section 2.3, to access web pages that would beinaccessible using the internet without a circumvention tool.Using cached content is way of circumventing common cen-sorship techniques such as IP address filtering. IP addressfiltering is the process of blocking access to certain IP ad-dresses. IP address filtering is ineffective at blocking CDNsbecause one website is spread across multiple different IPs,so the censors would have to blacklist all of them to blockthe site. Also, because of the way edge servers work, multi-

Figure 3: Diagram of meek-amazon domain fronting taken from [4].

ple sites are hosted on one server, so blocking access to oneserver will inadvertently block access to all websites on thatshared IP, not all of which the censor necessarily desires toblock.

DNS interference is another widely used censorship tech-nique and is most effective at blocking cached content. DNSinterference works by interfering with the name resolutionprocess when trying to access a blocked website. This is ef-fective at blocking cached content because it doesn’t matterhow many IPs the content is spread across or if more thanone site is hosted at that one IP. This is because the DNSinterference prevents the end user from knowing the IP ofthe content in the first place.

Cachebrowser works by keeping its own database of IPaddresses to CDN hosted alternatives to regular content.When Cachebrowser encounters a CDN domain it internallyenumerates and saves all other IP addresses for that CDNin case that one is censored. If Cachebrowser encountersa customer domain it will return the addresses of CDNswhich host that content. This is done by using the free DNSresolver www.digwebinterface.com. This site is currentlynot blocked in China.

As an alternative to this method, Cachebrowser also im-plements a remote bootstrapper using SWEET [2]. SWEETis a communications tool that encapsulates messages throughemails and sends them through standard email protocols.In the case of Cachebrowser, a web server is set up in theUnited States watching for emails. When a Cachebrowseruser makes a request for a site it does not have a CDN-hosted IP for a message is sent out through SWEET usingthe bootstrapper. This message is sent to a server in theUnited States. The server then makes the DNS lookup andsends the information back to the client to be added to itsdatabase.

3.2 INTANGINTANG [5] is a tool developed by Wang et al. to avoid the

censorship of the GFW. It combines many different strate-gies. A large portion of the paper [11] is dedicated to figuringout out how the GFW works using trial and error to gainknowledge of the system in order to help develop a tool toavoid it. ITANG works by implementing all of strategiesevaluated in the analysis section of the paper. There aretoo many individual strategies to go over all of them in thispaper, but they fall into 3 main categories: TCB creation,TCB teardown, and data reassembly.

TCB creation works by sending a SYN insertion packet

with the incorrect sequence number to create a false TCBon the GFW and then initiating the real connection with theserver, which the GFW will ignore because of the sequencenumber discrepancies.

TCB teardown works by by crafting RST,RST/ACK andFIN packets with a TTL constructed in a such that thepacket reaches the GFW and terminates the TCB but doesnot reach the server, thus keeping the server alive.

Data reassembly has two separate forms: Out-of-orderdata overlapping and In-order data overlapping. Out-of-order data overlapping works by sending garbage data frag-ments with the same offset and length as the real data.When the GFW encounters two packets with the same offsetand length it records the first one and ignores the second.In-order data overlapping works by filling up the GFWs in-put buffer until it is overloaded and can no longer read newdata. This done by crafting insertion packets with either awrong checksum or a very short Time to Live (TTL) so theyfill up the GFW buffer while still keeping the connection tothe server alive.

INTANG uses a combination of all these strategies to-gether with new strategies developed from analyzing theperformance of the old strategies to approach circumven-tion from multiple angles. INTANG is a measurement tool,which means that it keeps track of which strategies workwith regards to different IPs and adjusts strategies in usebased on that.

3.3 TorUnlike [5] and [11] which both developed tools to circum-

vent the GFW and tested them within their paper, [4] in-stead examines the GFW behavior and hypothesizes on howthis information can be used create Tor servers that canmore easily avoid blacklisting. Probing for Tor servers istriggered the the GFW sees traffic that carries the signatureof a cipher suite that Tor uses. Tor in its default configu-ration is essentially completely useless already since it haspublicly available list of IPs the government can blacklistoutright. Tor developed a pluggable transport layer in re-sponse. The suggested pluggable transport to use currentlyis meek-amazon or meek-azure. Neither of these transportswere tested in the paper as they were new and not yet pop-ular at the time.

For the study, two different infrastructures were createdand long running Tor servers’ logs were analyzed. One in-frastructure that was created was the shadow infrastructure.This infrastructure was built up of private Tor bridges that

Dataset Time spanShadow Dec 2014 – Feb 2015 (three months)Sybil Jan 29, 2015 – Jan 30, 2015 (20 hours)Log Jan 2010 – Aug 2015 (five years)Counterprobe Apr 22 – Apr 27 (six days)

Table 1: Timeline of our experiments. We created fourdatasets that span hours, days, months, and years.

Counter-Shadow Sybil Log probe

Probing rate !ISN patterns !

TSval patterns ! ! !obfs2/3 blocking ! !

Tor bootstrapping !Probing types !Architecture ! !

Topology !

Table 2: Observed phenomena and their visibility in ourdatasets.

4.1 Shadow InfrastructureWe built a “shadow infrastructure” of our own Tor clients

and bridges for a controlled experiment of active probingover time. These clients and bridges were not actually usedby any real users, but rather were dedicated exclusively toour own experimental purposes. The infrastructure testedvanilla Tor, obfs2, and obfs3 in equal measure, since activeprobing is known to target all three of these protocols. Fig-ure 3 illustrates this setup.

We had six Tor clients within China: three in China Uni-com, a large country-wide ISP; and three in CERNET, theChinese Research and Education Network. (We chose CER-NET because previous work suggested that censorship ofCERNET might differ from the rest of China [7].) Outsideof China, we ran six Tor bridges in Amazon’s EC2 cloud.Two of the bridges ran vanilla Tor, two ran obfs2, and tworan obfs3. We assigned each of our six clients in China to aunique EC2 machine; the clients never contacted any bridgeother than their own assigned one. Initially, all clients at-tempted to connect to their assigned bridge every 15 min-utes. After one month, we changed this to five minutes afterpreliminary analysis showed that finer granularity in timingmight be useful.

We also created a control group consisting of nine bridges(six in Amazon EC2, three in a US university) and a sin-gle client outside of China. We never connected to any ofthe control bridges from one of the clients within China; bycomparing the traffic received by our “active” and controlbridges, we can isolate general background scanning fromactive probing by the GFW. The three control bridges nothosted on EC2 allow us to determine whether the GFWtreats EC2-hosted servers differently from others. The con-trol client outside of China connects to all of the bridges.If our control client could not establish a Tor connection toone of the “active” bridges, we discarded the measurementwe did from China for that bridge.

We took various steps to prevent our bridges from beingdiscovered by any means other than active probing. We con-figured all of them to be private bridges, which means that

Figure 3: Experimental setup for the “Shadow” dataset.

they did not advertise themselves publicly, neither to thepublic Tor directory, nor to its database of secret bridges.As a result, no genuine Tor user should attempt to connectto one of our bridges. The bridges listened on random portsin the ephemeral range, to reduce the chance of their dis-covery by blind Internet scanning. Finally, we used anotherEC2 machine to proxy the communication between our Torbridges and the first public Tor relay in a circuit. This extraproxy hop is to prevent another potential bridge-discoveryattack, wherein a malicious Tor relay makes a list of all theIP addresses that connect to it (cf. [14, §III.D]).

4.2 Sybil InfrastructureTo obtain broader insight into the extent of the censor’s

active probing infrastructure, we designed another experi-ment to attract1 many active probers in a short period oftime.

We did so by constructing a “Sybil infrastructure,” sonamed because it seemingly consisted of hundreds of dis-tinct Tor servers. We used a virtual private server (VPS) inFrance and one in China. We ran a vanilla Tor bridge on theVPS in France and redirected the port range 30000–30600to our Tor port using firewall port redirection. The actualTor server ran on a separate port in the ephemeral range.

Then, from our VPS in China, we established Tor con-nections to every port in the port range in ascending or-der. This took approximately two hours, because we waitedseveral seconds in between connection attempts. Since theGFW blocks by IP:port tuple, not just IP address [32], theGFW interpreted every single port in the range as a distinctTor bridge and probed them separately. This experimentresulted in 622 active probing connections (and significantlymore TCP connections, as we will discuss later) to the VPSin France.

4.3 Server Log AnalysisThis dataset comes from the application logs of a server

operated by one of the authors, some stretching back toJanuary 2010. The server runs various common networkservices, including the three we use in the analysis: HTTP,HTTPS, and SSH. In addition to common networking ports,the server has hosted a Tor bridge since January 2011, anordinary vanilla bridge without pluggable transports. Bymining the application logs, we found that the server hasbeen receiving active probes from China for over 2.5 years.An important difference in the Log experiment compared

1Our earlier analysis confirmed that simply establishing aninitial TLS handshake with a server suffices to attract aprober.

448

Figure 4: Diagram of the Shadow dataset takenfrom [4].

DNS resolver IP except Tianjin All

DYN 1 216.146.35.35 98.6 % 92.7 &DYN 2 216.146.36.36 99.6 % 93.1 %

Figure 5: DNS server access success rates. Takenfrom [11].

only the researchers could access. Figure 4 is diagram ofhow the Tor clients and servers were set up for the shadowdata set.

The second infrastructure was the Sybil infrastructure.The Sybil infrastructure set up a Tor bridge in France thatredirected 600 ports to it using a firewall redirection, thenconnected to each of the ports in ascending order. TheLog dataset came from analyzing the logs a one of the re-searcher’s Tor servers that has been running since January2011. By looking at logs they found the server had been sub-ject to active probing from China for 2.5 years, first showingup in 2013. This was not the result of an attempt to induceprobing but seemingly the regular amount of probing by thegovernment. The logs were then used to evaluate how ef-fective probing was at disrupting Tor by looking at whetherthe TCP handshake was completed. They found that obfs2and obfs3, which are different types of pluggable transports,were very rarely disrupted and had high success rates whileTor without a pluggable transport was essentially unusable.

4. RESULTS

4.1 Cachebrowser ResultsCachebrowser [5] was able to successfully load facebook.com

on a client’s machine. This is a complex website with contenthosted on multiple CDNs that is completely inaccessible tousers not using some kind of circumvention technique. Re-search found that of the top 1000 Alexa websites, 82% werehosted on some CDN provider while 85% of news sites likewsj.com were hosted on CDNs.

The main issue with Cachebrowser is latency. Figure 6compares the latency times of Cahcebrowser and other al-ternative methods of circumvention within and outside ofChina. As you may notice facebook.com does not havea latency value for inside of China. This is because face-book.com is completely censored within China. Also, thereis no latency measurement for Tor within China. The re-searchers indicate that they were not allowed to run Toron their client in China and that is why it is not includedhere. Chachebrowser does have higher latency than non-

censored browsing in every case where non-censored brows-ing is available. The maximum difference between pagedownload times between Cachebrowser and a non-censoredversion inside of China is .725 seconds. Moving on to thelatency sample data from page access in the United States,Tor has higher latency than Cachebrowser in every case.This suggests that if Tor were to be tested within China itwould most likely also be slower than Cachebrowser there aswell. The privacy of Cachebrowser is also robust. Assumingthe CDN is using an encrypted pathway, which almost alldo, the state cannot see what content you are viewing. Thestate will also not know what website in particular you areviewing because multiple sites are hosted at the IP since theCDN serves multiple different sites off of the same server.The only possible leak in this situation is that the CDNitself has information about its visitors. However, sharingthis information with anyone is a violation of the CDNs useragreement therefore we can assume that they do not sharethis information.

4.2 INTANG ResultsINTANG [11] in general is very successful at avoiding the

censorship of the GFW. Research indicates that success ratesfor different strategies vary wildly. INTANG takes advan-tage of this by implementing multiple different packet ma-nipulation strategies and choosing the best one systemati-cally. Figure 7 shows the success rates of the multiple in-dividual strategies tested and the success rate of INTANGitself.

One side effect of INTANG is that because the governmentpoisons DNS requests in the same way it blocks TCP traffic,INTANG is also effective at evading DNS poisoning. Figure5 shows the success rate of accessing DNS servers using IN-TANG. The data was collected querying a DNS poisoneddomain, in this case www.dropbox.com, 100 times. The dis-crepancy in the DNS resolution table is because the areaof Tianjin is an outlier. Success rates are much lower inTianjin. The exact reason for this is unknown, but it is hy-pothesized that the GFW infrastructure is more developedin this area. Success rates in Tianjin were 38% for DYN 1and 24% for DYN 2. DYN 1 and DYN 2 are two differentDNS servers. In particular DYN 1 is Google’s DNS server8.8.8.8 and DYN 2 is Google’s DNS server 8.8.4.4. Normallyconnections to these DNS servers are terminated using aTCP connection termination. Research also indicates thattwo OpenDNS resolvers 208.67.222.222 and 208.67.220.220are uncensored even without the use of INTANG. This issimilar to the method that the bootstrapper uses of simplyrequest the DNS lookup from an uncensored address in thefirst place.

4.3 Tor ResultsResearch [4] found that while the GFW may not be able

to detect Tor traffic from clients using sufficiently advancedpluggable transports such as obfs2 and obfs3, it can effec-tively probe for and shut down Tor servers regardless of thecipher suite used. Research also indicated that the Chinesegovernment’s Tor probes are active in real-time, only stop-ping for short periods.

5. CONCLUSIONSAfter analyzing three circumvention techniques it is clear

that there are advantages and downsides to each. Tor is

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 200.0

0.5

1.0

1.5

2.0

2.5

Dow

nloa

dTi

me

(s)

0.0670.0720.073

0.277 0.1360.4360.3990.4150.389

0.5350.538 0.409

0.7260.849

1.9881.275

0.1671.040

0.4930.5350.536

Default Alt. Edge Server

(a) Akamai

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 200.0

0.2

0.4

0.6

0.8

1.0

1.2

1.4

1.6

Dow

nloa

dTi

me

(s)

0.0490.054

0.1110.049

0.4050.4050.405

0.0480.0490.049

0.7871.178

0.3360.333

0.9220.9110.915

0.0500.407

0.3400.049

Default Alt. Edge Server

(b) EdgeCast

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 200.0

0.5

1.0

1.5

2.0

Dow

nloa

dTi

me

(s)

0.2450.608

1.1591.675

0.6151.601

0.7210.736 0.572

1.7890.694

0.7150.7150.728

0.9360.260

0.3000.226

0.2450.283

0.233

Default Alt. Edge Server

(c) Amazon CloudFront

Figure 3: Comparing download time of a CDN content object from the “best” edge server returned by mapping system vs.other edge servers. The alternative edge servers are chosen to be geographically far distanced from the end-user.

istockphoto.com

nbc.com

facebook.com

Facebook Object

pinterest.com

theatlantic.com

0.0

0.5

1.0

1.5

2.0

2.5

3.0

Dow

nloa

dTi

me

(s)

0.910

0.479

0.000

1.124

0.245 0.049

1.397 1.204

0.467

1.329

0.704

0.340

Non-Censored CacheBrowser

(a) Client in China

istockphoto.com

nbc.com

facebook.com

Facebook Object

pinterest.com

theatlantic.com

0.0

0.5

1.0

1.5

2.0

2.5

3.0

Dow

nloa

dTi

me

(s)

0.424

0.067

0.193 0.011

0.245 0.049

0.878

0.493

0.477

0.457

0.704

0.704

2.534

2.381 2.218

1.504 1.349

1.349

Non-Censored CacheBrowser Tor

(b) Client in Amherst, MA, U.S.

Figure 4: Comparing download latency for several websites using three methods: non-censored (regular) download, usingCacheBrowser, and using Tor. We were not allowed to run Tor on our Chinese client. Also, in our China experiments, thereis no “Non-censored” measurement for facebook.com, which is blocked, and we use the HTTPS version of istockphoto.comfor its “Non-censored” measurement (it is blocked by keyword filtering only). All the other websites are not blocked in China.

in order to block forbidden content as well as to detect anddisable the use of any censorship circumvention system likeCacheBrowser. However, we assume that the censors are ra-tional, i.e., they refrain from any actions that will interferewith non-prohibited Internet activities of a significant num-ber of their non-circumvention citizens. In particular, weassume that the censors do not block all encrypted tra�cas encryption is essential for various popular non-forbiddenInternet services. Additionally, we assume that the cen-sors do not entirely block a commercial CDN provider (e.g.,by IP blacklisting all edge servers) merely because it servessome prohibited content publishers, since the CDN providerwill likely be hosting many non-forbidden content publish-ers as well. The censors, however, may perform —selective—blocking of CDN domain names and encrypted tra�c.

We assume that commercial CDN providers do not co-operate with censored users nor with content publishersin order to circumvent censorship, as this may jeopardizetheir business interests with economically-powerful state-level censors like China. A CDN provider may cooperatewith the censors, however, the cooperation is constrained tonot violate the jurisdiction of the CDN’s home country aswell as its business interests in other parts of the world. Forinstance, as we analyzed in Section 3, Akamai only partially

cooperates with the GFW in order to protect its business in-terests and reputation in other (non-censored) regions. Weassume that the CDN providers fully controlled by the cen-sors (e.g., Chinese CDN providers) will not even host anyforbidden content.

In this paper, we do not consider unobservability againstactive attacks and tra�c analysis, but discuss the challengesand possible solutions in the rest of this section.

6.2 PrivacyPrivacy form Circumvention Provider Proxy-basedcircumvention systems like Tor, Psiphon, and VPNs exposetheir users to significant privacy risks from the circumven-tion providers. For instance, malicious Tor relays can per-form a toolset of attacks [31] to comprise Tor users’ privacy,and a malicious VPN service (e.g., one run by a repres-sive government to spy on dissidents) can learn the users’browsing activities and even the content of their communi-cations. Such risks do not apply to CacheBrowser due to itspublisher-centric approach, i.e., no proxy is used.

A CacheBrowser client may use a remote Bootstrapper,e.g., the email-based system described earlier. The remoteBootstrapper can not see the content of the client’s commu-nications, but may learn the destinations she browses. Even

79

Figure 6: Cachebrowser latency compared to regular access latency and Tor latency inside China and outsideof China. Taken from [5].

IMC ’17, November 1–3, 2017, London, UK

Vantage Points Strategy Success Failure 1 Failure 2Min Max Avg. Min Max Avg. Min Max Avg.

Inside China

Improved TCB Teardown 89.2% 98.2% 95.8% 1.7% 6.7% 3.1% 0.0% 5.4% 1.1%Improved In-order Data Overlapping 86.7% 97.1% 94.5% 2.9% 8.9% 4.4% 0.0% 5.2% 1.1%TCB Creation + Resync/Desync 88.5% 98.1% 95.6% 1.9% 7.0% 3.3% 0.0% 5.5% 1.1%TCB Teardown + TCB Reversal 90.2% 98.2% 96.2% 1.7% 5.6% 2.6% 0.0% 5.7% 1.1%INTANG Performance 93.7% 100.0% 98.3% 0.0% 3.0% 0.9% 0.0% 3.5% 0.6%

Outside China

Improved TCB Teardown 85.6% 92.9% 89.8% 4.6% 7.6% 6.8% 0.3% 6.8% 3.5%Improved In-order Data Overlapping 89.4% 96.0% 92.7% 1.3% 6.2% 3.6% 0.6% 7.0% 3.7%TCB Creation + Resync/Desync 78.1% 95.6% 84.6% 2.4% 18.6% 12.9% 0.9% 4.0% 2.6%TCB Teardown + TCB Reversal 84.6% 93.1% 89.5% 5.5% 8.7% 7.1% 0.1% 7.9% 3.3%

Table 4: Success rate of new strategies

evolved GFW devices to “re-transition” into the resynchronizationstate.

We combine the TCB Reversal strategy with the TCB Teardownwith RST strategy. Speci�cally, as shown in Fig. 4, we �rst send afake SYN/ACK packet from the client to the server to create a falseTCB on the evolved GFW device. Next, we establish the legitimate3-way handshake, which invalid with respect to the evolved GFWdue to the existing TCB. Then we send a RST insertion packet toteardown the TCB on the old GFW model, followed by the HTTPrequest.

Avoiding interference from middleboxes or server. Whencrafting “insertion” packet, we choose the insertion packets wiselyso as to not experience interference from the middleboxes, and notresult in side-e�ects on the server. We primarily use TTL-basedinsertion packets since it is generally applicable. The key challengehere is to choose an accurate TTL value to hit the GFW, whilenot hitting server-side middleboxes or servers. We do that by �rstmeasuring the hop count from the client to the server using away similar as tcptraceroute. Then, we subtract a small � from themeasured hop count, to try and prevent the insertion packet fromreaching (hitting) the server-side middleboxes or the server. Inour evaluation, we heuristically choose � = 2, but INTANG caniteratively change this to converge to a good value.

In addition, we exploit the new MD5 and old timestamp insertionpackets, which allow the bypassing of the GFW without interferingwith middelboxes or the server. Table 5 summarizes how we chooseinsertion packets for each type of TCP packet.

Packet Type TTL MD5 Bad ACK TimestampSYN �RST � �Data � � � �

Table 5: Preferred construction of insertion packets

Results. We �rst analyze the results for individual evasion strate-gies. As seen from Table 4, the overall “Failure 2” rate is as low as1% for all the strategies, which (a) show that our new strategieshave a high success rate on the GFW which suggests that (b) ourhypotheses with regards to the GFW evolution seem accurate.

We �nd that both the Failures 1 and Failures 2 always happenwith regards to a few speci�c websites/IPs. One can presume that

this is caused by some unknown GFW behavior or middlebox in-terference. However, since these cases are not sustained (are veryrare), we argue that this is more likely to be due to middleboxinterference.

Overall, we �nd that high Failure 1 rates is the major reasonfor overall low success rates. An introspective look suggests thatbecause some servers/middleboxes accept packets regardless of the(wrong) ACK number or the presence of the MD5 option header,Failures 1 happen. Further, the TTL chosen is sometimes inaccuratedue to (a) network dynamics or (b) hitting server-side middleboxes;this results in undesired side-e�ects that increase “Failures 1”.

In addition, we �nd that for vantage points outside China, theTTL discrepancy unfortunately has a signi�cant drawback. Whenaccessing the servers in China, the GFW devices and the desiredservers are usually within a few hops of each other (sometimes co-located). As a result it is extremely hard to converge to a TTL valuefor the insertion packet, that satis�es the requirement of hitting theGFW but not the server. As a consequence, in these scenarios, useof this discrepancy can cause either type of failures. We see fromTable 4 that both the Failure 1 and Failure 2 rates are on average abit higher than for the vantage points inside China.

Finally, because INTANG can choose the best strategy and in-sertion packets for each server IP based on historic results, we alsoevaluated INTANG performance in an additional row in Table 4 forvantage points inside China. It shows an average success rate of98.3% which represents the performance with the optimal strategyspeci�c to each website and network path. This is without furtheroptimizing our implementation (e.g., measuring packet losses andadjusting the level of redundancy for insertion packets).

Take away: While we do magnify the causes for failures, thebiggest take away from this section is that our new hypothesizedbehaviors of the GFW seem to be fairly accurate, and that thenew strategies are seemingly very e�ective in realizing the goal ofevading the GFW, especially when the best strategies are chosenaccording to websites and network paths.

7.2 Evading TCP DNS CensorshipThe GFW censors UDP DNS requests with DNS poisoning. It cen-sors TCP DNS requests by injecting RST packets just like how itcensors HTTP connections. Thus, our evasion strategies can alsobe used to help evade TCP DNS censorship. As discussed in §6,INTANG converts UDP DNS requests into TCP DNS requests. To

124

Figure 7: INTANG success rates taken from [11].

proven to be effective and has an active development com-munity. It is, however, slow and prone to frequent shut-downs. This is due to the government identifying Tor serversthrough probing. Cachebrowser is an effective way of view-ing websites that would normally be censored by the Chinesegovernment, but it has downsides as well. If a website is nothosted on a CDN it cannot be accessed using Cachebrowserat all. INTANG is useful for navigating around keywordcensorship, however it is prone to updates to the GFW. Ifthe government implements changes that negate the packetmanipulations done by INTANG the entire tool is rendereduseless. I would suggest using a combination of INTANGand Cachebroswer to avoid censorship first, as they havelower latency than Tor. If the content you are trying to viewcannot be accessed using this strategy, Tor can be used as abackup.

AcknowledgmentsI would like to thank Elena Machkasova and Nic McPhee forhelpful feedback on drafts of this paper. I would also like tothank UMM alumni Jeff Lindblom for their useful feedbackas well.

References[1] Nandan Desai. Unclosing the Dark Web - Post 2. June

2016. url: https://knowledgetransmitter.quora.com/Unclosing-the-Dark-Web-Post-2.

[2] G. Dludla, M. Bembe, T. Olwal, and Jun Kyun Choi.“Enhanced SWEET protocol for energy efficient wire-less sensor networks”. In: 2013 International Confer-ence on ICT Convergence (ICTC). Oct. 2013, pp. 332–335.

[3] DNS spoofing. Apr. 2018. url: https://en.wikipedia.org/wiki/DNS_spoofing.

[4] Roya Ensafi, David Fifield, Philipp Winter, Nick Feam-ster, Nicholas Weaver, and Vern Paxson. “Examin-ing How the Great Firewall Discovers Hidden Circum-vention Servers”. In: Proceedings of the 2015 Inter-net Measurement Conference. IMC ’15. Tokyo, Japan:ACM, 2015, pp. 445–458. isbn: 978-1-4503-3848-6.

[5] John Holowczak and Amir Houmansadr.“CacheBrowser:Bypassing Chinese Censorship Without Proxies UsingCached Content”. In: Proceedings of the 22Nd ACMSIGSAC Conference on Computer and Communica-tions Security. CCS ’15. Denver, Colorado, USA: ACM,2015, pp. 70–83. isbn: 978-1-4503-3832-5.

[6] How Content Delivery Networks Work. url: https:

/ / www . cdnetworks . com / en / news / how - content -

delivery-networks-work/4258.

[7] Proxy server. Apr. 2018. url: https://en.wikipedia.org/wiki/Proxy_server.

[8] Tor. url: https : / / www . torproject . org / about /

overview.html.en.

[9] Transmission Control Protocol. Mar. 2018. url: https://en.wikipedia.org/wiki/Transmission_Control_

Protocol.

[10] Transmission Control Protocol. url: https://tools.ietf.org/html/rfc793.

[11] Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song,and Srikanth V. Krishnamurthy. “Your State is NotMine: A Closer Look at Evading Stateful Internet Cen-sorship”. In: Proceedings of the 2017 Internet Measure-ment Conference. IMC ’17. London, United Kingdom:ACM, 2017, pp. 114–127. isbn: 978-1-4503-5118-8.