My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Can you make the Great Chinese Firewall work for you?

Published: 2021-10-19. Last Updated: 2021-10-19 13:14:21 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

The "Great Chinese Firewall" has been well documented for its ability to block content from reaching users in China [1][2]. The firewall is implemented using various tools, inspecting traffic for blocked keywords or, in some cases, even scanning images or outright blocking specific sites.
One persistent rumor has it that it is possible to block traffic from China by embedding blocked keywords in traffic. I wanted to test this using my home mail server. As part of the server banner, I added a few banned words:


There is no authoritative list of blocked keywords. But the keywords above have often been cited as being blocked. Adding them to the mail server's banner should also expose them before, for example, STARTTLS is activated.

I used my mail server as an example for several reasons:

  1. It receives almost no actual email, but pretty much only spam.
  2. A large number of brute-forcing and other connections to the mail server originate from China.
  3. I could not find much about how the great Chinese firewall affects email. Email is often controlled on the mail server and may not be affected by the firewall to the same extend.

The pie charts display the top countries before and after making the change. While there was a slight change in the number of Chinese IP addresses (9% instead of 11% of the total number of connections), the difference is not what I would consider significant. So, for now, I call the rumor busted that you can get the Chinese firewall to block traffic to your system by injecting simple keywords.
I think this may require a more detailed investigation. For example, the keywords will likely matter. It may also matter in what context the keywords are sent. HTTP content is more likely going to be blocked (I think). Or maybe the SMTP content is ignored if it is part of the SMTP envelope?

 

[1] https://en.wikipedia.org/wiki/Great_Firewall
[2] https://isc.sans.edu/forums/diary/Why+Does+Emperor+Xi+Dislike+Winnie+the+Pooh+and+Scrambled+Eggs/23395/

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
1 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Here's a way that attackers can make the Great Firewall work for them: https://geneva.cs.umd.edu/posts/usenix21-weaponizing-censors/ Expect to see attacks using this vector soon.

Diary Archives