The Great Firewall of China: how it works, how to bypass it

[This week journalists arriving in Beijing for the Olympic Games discovered that the IOC had cut a deal with the Chinese government so that their Internet connection was censored. Crikey commissioned this article, which was first published yesterday. I've added further linkage at the end.]

China’s “Great Firewall” (GFW), officially the Golden Shield Project (金盾工程) of the Ministry of Public Security, is both clever and stupid, subtle and blunt.

As with any Internet filtering system, there are only two methods to block bad stuff: keep a list of “bad sites” and prevent access, or look at the content live and figure out whether it’s good or bad on the fly. GFW uses both.

Al Gore was mocked for calling the Internet the “Information Superhighway”, but the analogy works. Like the road network, a maze of suburban streets leads to relatively few freeways, all administered by a myriad of local authorities.

When your computer requests a website, imagine a truck driving out your front gate. The driver knows the site’s name but not how to get there. Normally, you’ll get directions.

“Amnesty International? Sure, that’s 78.136.0.19,” says the domain name system (DNS).

“78.136.0.19? Go via Telstra, ask again once you’re in San Jose,” says your ISP’s router. In SJ, you’re told to go to New York and so on to Amnesty’s London office.

In China, though, your driver only gets blank looks.

“Amnesty? Never heard of it.”

“78.136.0.19? No, no such place.”

With relatively few links connecting China to the world, this block is easy. Unlike Senator Conroy’s porn filters, GFW doesn’t have to worry about collateral damage. It blindly blocks entire sites, as well as every site sharing the same Internet address — not only Amnesty, but everyone in that office tower.

The GFW also looks at content, and here’s the true subtlety.

Researchers at the ConceptDoppler project have found that it can disrupt Internet traffic within China that even mentions touchy subjects. Imagine your truck encountering random checkpoints. If it contains banned concepts like “news blackout” (新闻封) or “gerontocracy” (老人政治) your delivery is simply burned, never to be seen again.

ConceptDoppler says the banned words still get through 28% of the time, and the blocking can’t keep up with heavy Internet traffic. But even partial blocking encourages self-censorship through the perception that you’re being watched. Perhaps that’s even more effective because it discourages offline conversation too.

Getting around GFW is easy enough for geeks — though perhaps beyond the skills of average Internet users like sports journalists. Wikipedia lists the techniques, and Reporters Without Borders has a handbook.

Using proxies is like first sending your truck to a benign destination so it gets those helpful directions. Once there, the package is opened and the secret instructions inside forward your message to the real destination. To avoid content filtering, just speak in code. Learn to say “duck-breeding club” rather than “student dissident meeting”.

Further Reading

I gathered these links during my research for this story:

  1. The Connection Has Been Reset: China’s Great Firewall is crude, slapdash, and surprisingly easy to breach (Atlantic Monthly).
  2. China’s All-Seeing Eye, Naomi Klein (Rolling Stone).
  3. Empirical Analysis of Internet Filtering in China, from Harvard Law School.
  4. Real-time test to see if your website is currently being blocked by the Great Firewall of China.
  5. Behind the Great Firewall, Net Nannies work overtime for companies, suggests self-censorship more the norm.
  6. fuzheado’s ongoing Great Firewall coverage on Twitter.

And a Crikey commenter called Justin added these, none of which I’ve checked out personally.

  1. HOWTO bypass Internet Censorship, a tutorial on getting around filters and blocked ports
  2. Proxy.org — The Proxy Authority
  3. Vtunnel.com is here to help you beat internet filtering! [Update 9 February 2013: Google is currently flagging this site as occasionally trying to install malware on visitors' computers. It makes sense. What better target for malware than people downloading anonymity software?]
  4. Ninja Proxy | Fast, free, anonymous web browsing with NinjaProxy.com
  5. Your Freedom
  6. Free Proxies: Freeproxies.org hosts the best cgi proxy servers on the web, for free.
  7. Free Anonymous Surfing, Free Surfing through a Proxy (thefreecountry.com)
  8. Stunnel.org

  1. Neerav’s avatar

    Cool you linked to that Atlantic article I sent you. :-)

    P.S. I’m surprised that Crikey lets you repost these stories. Most publishers would make freelancers give up all rights.

  2. Stilgherrian’s avatar

    @Neerav: It’s no secret that Crikey doesn’t exactly pay top rates, so it’s difficult for them to insist on exclusivity forever. To tell the truth, we’ve never spoken about it properly. However I always leave a day or more before re-posting, and they do get the occasional free story and other support.

  3. yewenyi’s avatar

    I was at a Cisco conference recently and saw a feature being touted and thought, I’d bet they developed that in conjunction with the Chinese government for the Chinese government.

  4. Daniel’s avatar

    Hi Stil!

    I’m writing from Beijing, and as you may know I’ve been here for 6 months studying Mandarin Chinese, and I’ll be here for about another year.

    The internet filter is a very interesting and variable thing to observe! My personal method of bypassing is to run an SSH connection to a shell server overseas, and establish a SOCKS proxy over the SSH connection. It’s very easy to do, the standard ssh client has this capability built in. I have set up keyfile authentication for my SSH session, so all I need to do is click one icon to bring up my SSH session and SOCKS tunnel. And from there all I need to do is set my application/s to use the SOCKS proxy. On my Mac it is very easy to do so, as there is a central preference setting for proxies.

    I soon found this a bit too slow for all my connections, however, so I wrote a Proxy Auto-Configuration File (.PAC) file which sends connections to only certain URLs via the SOCKS tunnel, and sends the rest direct. If the SOCKS tunnel is unavailable, it attempts to go direct.

    In case anyone is interested, here is my current PAC file.

    I have had no problem reading your article and accessing those links, I even downloaded RSF’s little “Blogger’s Handbook” without incident.

    I think some of the most interesting things that you raise are the elements of the system that encourage “self-censorship” as well as simple shifts in behaviour. For example, the seemingly random nature of some blocking does give the impression that someone is watching. I can talk for 30 minutes on MSN with a friend and mention topics like Tibet and Xinjiang / Urumqi etc, but then inexplicably, the connection might stop working… was it because I said something I shouldn’t have? And you think to yourself… well, to avoid the hassle next time, I’ll just talk about something else.

    Access to most overseas sites is very very slow here. I supposedly have a 512KB cable (ethernet) connection here, but accessing anything overseas is like dial-up speed. You eventually think “why bother waiting?” and look at more local content instead. This is probably particularly so if you’re Chinese, and you find it a whole lot easier to read Chinese than English (even if you’ve studied it). A good case is Google – the overseas editions of Google are painfully slow to access (even though Google use Akamai, so they should be well optimised), so even when searching in English I’ll often prefer to use Google’s local site, which has been censored.

    You do have to wonder how much the slow overseas access is due to congested links, and how much is on purpose. It certainly has an effect on behaviour.

    The practice of impairing your access for a short time after you do something “naughty” also encourages self censorship. For example, occasionally the BBC Chinese website is accessible through the firewall, and I can read a couple of articles. But if I happen to click on one of the articles that has some “controversial” content, then my whole access to the entire site (including the English language pages) is gone for a while. It seems easier to avoid the trouble and just click on some less-controversial article.

    1. stan’s avatar

      Almighty Daniel,

      As a fellow Beijinger (going 18 years now) and sufferer of not being able to connect to facebook I beg you for help. I am a computer moron, I just bought my first Mac, and my HotSpotShield doesn’t work anymore. From your post I get that you don’t have the same problems but the rest is rocket science to me. Please can you explain in simple English what the hell are you doing to get out from behind the wall!!!

      Cheers,
      Stan

    2. Stilgherrian’s avatar

      @stan: I’m not sure whether Daniel is even in China any more, as his comment is over a year old.

      However the technique he describes requires you having access to a Linux / Unix / OS X server outside China already set up to allow remote access to the command line via an encrypted link. That’s the “SSH” or “secure shell” he describes — the “shell” being the command line and the “secure” bit being the encryption. If you do not already have this in place, nothing else he refers to will help you.

      It’s possible to purchase an appropriate account on a shared server for a few dollars a month. It’s offered by most hosting companies, and the thing to ask is whether their accounts have “shell access”.

      The rest of the procedure has two parts, which are about setting up what’s called a “SOCKS proxy” to forward all your web requests to that remote server, which then passes them on to the website you’re trying to visit.

      1. Open a Terminal window on your Mac. You’ll find Terminal under “Applications” then “Utilities”. Choose a random number above 1024, say 9999. You’ll also need to know the address of your remote server and your username and password. Type the command ssh -ND 9999 username@yourremoteserver.com where yourremoteserver.com is the address of the server, and log in with your password on that server. You won’t see anything, but this creates an encrypted tunnel between port 9999 on your Mac and the remote computer. It lasts until you press control-C in the Terminal window to stop it, or the tunnel breaks for some reason.
      2. In your web browser’s network settings, tell it to use a SOCKS proxy using the SOCKS server localhost and port 9999. This tells the web browser to push all requests down that encrypted tunnel. Done.

      As Daniel notes, this will make all your web browsing slow as every web page is being requested via your remote server outside China. He therefore has a trick with that PAC file so only certain websites go through the SOCKS proxy. I’ve no idea how that is set up, though, as that’s even more advanced systems administration.

      If all of this is new language, well, this is how professional systems administrators and network engineers build things. There is a vast amount of material on these tools online if you search for their names.

      There are downloadable commercial tools like HotSpotShield, but if that’s stopped working then either you may just need to download a new version — or maybe China has simply blocked access to HotSpotShield’s servers since they’re now so well known.

      1. Daniel’s avatar

        @Stilgherrian & @stan: Stil has done a great job of explaining what I was doing, however there’s one more trick that China started using late last year.

        They’re now screwing with DNS lookups for some sites, meaning that your web browser won’t be able to get correct IP addresses for the sites you want to visit, even if you are using a SOCKS proxy via SSH tunnel as Stil describes.

        A work-around exists in Firefox to send your DNS lookups via your SOCKS proxy (that is set up in the way that Stil describes above). Do this:

        1. In the address box, type about:config and press enter. You’ll get a warning message telling you to be careful. Click proceed (or whatever it says).
        2. In the “filter” box at the top, type network.proxy.socks_remote_dns
        3. Under preference name, you should then see network.proxy.socks_remote_dns. It should be set to default, boolean, false under the other headers respectively. Double-click it; it should change to user set, boolean, true. (If you have an earlier version of Firefox than I do, you might find you get a pop-up box, in this case use the pop-up box to change the value to “true”.)

        After making this change and the change that Stil describes above to your Firefox config, you’ll probably need to restart Firefox for the changes to take effect.

        You’ll find that if you disconnect the SSH session (or it drops by itself, which is common in China) you’ll no longer be able to browse anything. In this case either restart the SSH session; or reverse the configuration changes to Firefox (i.e. remove the SOCKS proxy settings from network settings, and re-set network.proxy.socks_remote_dns to false in about:config).

        Have fun ;)

        Reply
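The selective routing that Daniel describes in his first comment (listed sites through the SOCKS tunnel, everything else direct, direct again if the tunnel is down) can be sketched as a PAC script; this is an added example, not Daniel's file and not code from this page. The domain list is a constructed placeholder, `localhost:9999` is the tunnel endpoint from Stilgherrian's walkthrough, and the fail-closed switch is an addition for readers who do not want the direct fallback.

```javascript
// Added example (not Daniel's PAC file). The domains are constructed
// placeholders; localhost:9999 is the tunnel port used in the walkthrough.
var TUNNELLED_DOMAINS = ["blocked.example", "news.example.org"];
var TUNNEL = "SOCKS5 localhost:9999";
// true  = try the tunnel, then go direct if it is down (the behaviour described)
// false = fail closed: listed hosts are unreachable while the tunnel is down
var FALL_BACK_TO_DIRECT = true;

// Normalise a hostname: lower-case it and drop the trailing dot of an FQDN.
function normaliseHost(host) {
  var h = String(host).toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

// True when host is the domain itself or a subdomain of it. Matching on a
// label boundary keeps "notblocked.example" from matching "blocked.example".
function inDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(-suffix.length) === suffix;
}

// True when the host belongs to any domain on the tunnelled list.
function isTunnelled(host) {
  var h = normaliseHost(host);
  for (var i = 0; i < TUNNELLED_DOMAINS.length; i++) {
    if (inDomain(h, TUNNELLED_DOMAINS[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request. Only string comparison is
// used: no dnsResolve() or isInNet(), so the PAC script itself never asks the
// local resolver about a listed hostname.
function FindProxyForURL(url, host) {
  if (!isTunnelled(host)) return "DIRECT";
  return FALL_BACK_TO_DIRECT ? TUNNEL + "; DIRECT" : TUNNEL;
}
```

With the direct fallback enabled, requests for listed hosts leave the machine unproxied whenever the tunnel drops. The browser's own name lookups for proxied hosts are still governed by the network.proxy.socks_remote_dns setting described above.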

        1. Daniel’s avatar

          Also, I was doing this through a “virtual server” web host that I was renting from http://www.hub.org, but as Stil said, any UNIX-based hosting account that allows shell access via SSH should work.

        2. Stilgherrian’s avatar

          @Daniel: You walk as a God amongst Men. The formatting of your comment goes astray thanks to WordPress’ over-smartness, will fix tomorrow. That is very valuable information, thank you.

        3. Stilgherrian’s avatar

          I’ve edited Daniel’s comment to link to his .PAC file as a separate download.

          Also, a friend sent me another, different list of what’s blocked in China, this time from China Digital Times. Thanks, Stu.

        4. Chris’s avatar

          Try freedur.com, it’s the easiest solution around.

        5. Stilgherrian’s avatar

          @Chris: Even though you didn’t leave a valid email address, I’ll let your comment through and even link to Freedur because it’s further demonstration that there are plenty of ways to get around simplistic firewalls.

          However I will mention that a third-party system like this also gives that third party the potential to monitor all of your Internet traffic, so choose carefully!

        6. Ricecracker’s avatar

          This is a very old thread, but I feel I ought to tack on more for anyone else who comes along. Take a penny, leave a penny, etc. If the GFC was really as monstrous and godlike as everyone thinks, my expat friend and myself would not be able to comment so freely, would we?

          Thank you for this information, fellows. This confirms what I always suspected, but of course, I shall behave in my usual manner all the same. I love China, and wouldn’t ever want to be a lousy guest. I don’t think the GFC is anything more than a method to keep an extra billion people from hurting their own selves. A lot of western criticism would have you believe that the majority of people here are miserable, or should be. Contrast will do that to a point of view. What I do think, though, is that the way it is set up right now looks too suspicious, even if it isn’t intended to be. It’s embarrassingly clunky, but it’s all they have to work with. The hard-headedness implies the illusion of sophistication.

          I couldn’t imagine any entity being able to monitor internet activity of a community 24/7. Even if there are devices put in place and even if there is a system designed to narrow their monitoring for specific “naughty” behaviour, there are just too many people in China.
          It is normally offline activity that gets someone in trouble for something they do online, unless it is something super-serious, or unless you’re completely careless.

          Catching the people behind the Google phishing snafu is something everyone can say is impossible, after all. They’re either super-evasive, or they’re the killers OJ has been looking for for over fifteen years. I don’t believe this country is directly responsible for that incident, but they are accountable, and they must set things right (I think they know it’s in their best interest to).

          • Proxies get zapped regularly, but they’re like buses. A new one comes along. Some suggest that the proxies themselves are gov’t-run, so they can really nail the careless folks, but I sincerely doubt it. Some suggest that you can get viruses easily through them, and that is something I am illiterate about. The one I am using gives me a mountain of pop-ups on Firefox, but Chrome stifles them (it does not “block” them in the parlance of making the non-existent).
          • YouTube might be banned, but there is a simple method to watching YouTube videos made available. Type “cn” after you type “www.youtube” and before “.com”. You cannot log in, you cannot comment (obviously), and you cannot click to continue onto other videos. You can, however, use the search engine, which opens in a new tab in your browser (Firefox and Chrome, at least).

          I don’t know about the legality of any of these things, mind you. Chinese law is cryptic to me, and I don’t know if any one local person can offer me sufficient second-hand information. One can stumble onto some sketchy content here, like in any country, and I wonder if it is only a matter of time if curiosity killed the cat. Considering my awareness and my self-control, I feel confident. I imagine accidental stumbling would be as likely dismissed here as it would anywhere else in the world, if it’s ever brought to light in the first place.

          I hope this helps, and if I am wrong on anything, I urge you to correct me. As I said, I am not here to cause a fuss. I love this country for many reasons; one of them being the incredible harmony for such a large populace.

          RC

        7. Diana’s avatar

          I live in China and proxies did not work so good for me. VPN services however did a better job. Now I use http://www.sunvpn.com/ and it’s a steady ride.
