Clayton, Murdoch, and Watson have an interesting new paper describing technical mechanisms that the Great Firewall of China uses to block online access to content the Chinese government doesn’t like.
The Great Firewall works in two parts. One part inspects data packets that cross the border between China and the rest of the world, looking for “bad” content. The other part tries to shut down cross-border connections that have contained “bad” content. I’ll focus here on the shutdown part.
The shutdown part attacks the TCP protocol, which is used (among many other things) to transfer Web pages and email. TCP allows two computers on the Net to establish a virtual “connection” and then send data over that connection. The technical specification for TCP says that either of the two computers can send a so-called Reset packet, which informs the computer on the other end that some unspecified error has occurred so the connection should be shut down immediately.
The Great Firewall tries to sever TCP connections by forging Reset packets. Each endpoint machine is sent a series of Reset packets purporting to come from the other machine (but really coming from the Great Firewall), carrying sequence numbers that match the live connection. The endpoints usually respond by shutting down the connection. If they try to connect again, they’ll get more forged Reset packets, and so on.
This trick of forging Reset packets has been used by denial-of-service attackers in the past, and there are well-known defenses against it that have been built into popular networking software: a receiver checks the sequence number on an incoming Reset and ignores one that does not fit its receive window, which forces a blind attacker to guess. However, these defenses generally don’t work against an attacker who can see legitimate traffic between the target machines, as the Great Firewall can, because such an attacker reads the correct sequence number off the wire instead of guessing it.
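As an added illustration (this is not code from the paper or from this post), here is a Python sketch of what an in-path reset injector has to compute, and why sequence-number checks do not stop it. It parses one constructed IPv4/TCP segment, builds the pair of forged Resets (one toward each endpoint, each spoofing the other), and then applies the RFC 5961-style receiver check that modern stacks use: a Reset whose sequence number exactly matches RCV.NXT tears the connection down, one that merely lands in the window draws a challenge ACK, and one outside the window is dropped. The addresses, ports and HTTP request are made up for the demo, and nothing is put on the wire.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed endpoints for the demo (not real hosts).
CLIENT = socket.inet_aton("10.0.0.5")
SERVER = socket.inet_aton("203.0.113.7")


def checksum(data):
    """RFC 1071 ones'-complement checksum over data (odd lengths zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, win=0, payload=b""):
    """Return a raw IPv4 + TCP segment (no options) with valid checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      (5 << 12) | flags, win, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(pkt):
    """Pull the fields a reset injector needs out of an IPv4/TCP packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    assert proto == 6, "not TCP"
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    doff = (off_flags >> 12) * 4
    return dict(src=src, dst=dst, sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, win=win, payload_len=total_len - ihl - doff)


def tcp_checksum_ok(pkt):
    """True if the TCP checksum (over pseudo-header + segment) verifies."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


def forge_resets(obs):
    """Given one observed data segment A->B, build the RST pair an in-path box injects.

    To B, "from" A: seq = the next byte B expects from A (obs.seq + payload length).
    To A, "from" B: seq = the next byte A expects from B, which A just acknowledged.
    Both therefore hit the peer's RCV.NXT exactly, so no guessing is needed.
    """
    seq_to_b = (obs["seq"] + obs["payload_len"]) & 0xFFFFFFFF
    to_b = build_segment(obs["src"], obs["dst"], obs["sport"], obs["dport"], seq_to_b, 0, RST)
    to_a = build_segment(obs["dst"], obs["src"], obs["dport"], obs["sport"], obs["ack"], 0, RST)
    return to_b, to_a


def rst_disposition(rcv_nxt, rcv_wnd, rst_seq):
    """Receiver-side check in the style of RFC 5961 section 3.2."""
    if rst_seq == rcv_nxt:
        return "reset"  # exact match: connection torn down
    if (rst_seq - rcv_nxt) & 0xFFFFFFFF < rcv_wnd:
        return "challenge-ack"  # in window but not exact: peer is asked to confirm
    return "drop"  # outside the window: silently ignored


def demo(win=65535):
    """Observe one client request, forge both resets, and score them against blind guesses."""
    request = b"GET / HTTP/1.0\r\n\r\n"  # constructed sample traffic
    observed = build_segment(CLIENT, SERVER, 40000, 80, 1000, 5000, PSH | ACK, win, request)
    obs = parse_segment(observed)
    to_server, to_client = forge_resets(obs)
    server_rcv_nxt = obs["seq"] + obs["payload_len"]  # server's RCV.NXT after this segment
    client_rcv_nxt = obs["ack"]                       # client's RCV.NXT is what it just acked
    return {
        "server_verdict": rst_disposition(server_rcv_nxt, win, parse_segment(to_server)["seq"]),
        "client_verdict": rst_disposition(client_rcv_nxt, win, parse_segment(to_client)["seq"]),
        "blind_near_miss": rst_disposition(server_rcv_nxt, win, server_rcv_nxt + 10),
        "blind_far_miss": rst_disposition(server_rcv_nxt, win, server_rcv_nxt + 0x10000),
        "checksums_ok": tcp_checksum_ok(to_server) and tcp_checksum_ok(to_client),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two forged Resets both come back "reset" because the injector copied the live sequence and acknowledgment numbers, while the blind guesses are either challenged or dropped. That is the whole asymmetry the post is pointing at: window checks raise the cost for an off-path attacker, and cost nothing to a box that sits on the path.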
What the Great Firewall is doing, really, is launching a targeted denial of service attack on both ends of the connection. If I visit a Chinese website and access certain content, the Great Firewall will send denial of service packets to a machine in China, which probably doesn’t violate Chinese law. But it will also send denial of service packets to my machine, here in the United States. Which would seem to implicate U.S. law.
The relevant U.S. statute is the Computer Fraud and Abuse Act (18 U.S.C. 1030), which makes it an offense to “knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer”, as long as certain other conditions are met (about which more below). Unpacking this, and noting that any computer that can communicate with China will meet the definition of “protected computer”, the only part of this requirement that requires any discussion is “damage”. The statute defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information”, so that the unavailability to me of the information on the Chinese website I tried to visit would count as damage.
But the offense has another requirement, which is intended to ensure that it is serious enough to merit legal attention. The offense must also cause, or attempt to cause, one of the following types of harm:
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
This probably wouldn’t apply to an attack on my computer, but attacks on certain U.S. government entities would trigger part (v), and there is a decent argument that the aggregate effect of such attacks on U.S. persons could add up to more than $5000 in damage, which would trigger part (i). I don’t know whether this argument would succeed. And I’m not a lawyer, so I’m relying on real lawyers to correct me in the comments if I’m missing something here.
But even if the Great Firewall doesn’t violate U.S. law now, the law could be changed so that it did. A law banning the sending of forged packets to the U.S. with intent to deny availability of content lawful in the U.S. would put the Great Firewall on the wrong side of U.S. law. And it would do so without reaching across the border to regulate how the Chinese government interacts with its citizens. If we can’t stop the Chinese government from censoring their own citizens’ access to the Net, maybe we can stop them from launching denial of service attacks against us.
(link via Bruce Schneier)
It’s an interesting debate, but I have to agree with Skala. China does what they want to do. Having lived there, I’ve missed out on news and taken it as “daily life in China”. However, due to the ease of libel laws in the UK, they also filter some content to avoid publishing lawsuits.
Yes this is totally ridiculous. I’m getting 50k download speeds and maybe it’s because of the reset connections? What speeds are other users getting? I’m also on a VPN service [URL removed — EF] but that’s not the slow down, I’ve tried it without the VPN.
OK, I think the Chinese government is being ridiculous about the whole internet blocking. The Chinese people, and everyone for that matter, should have the right to view whatever they please. That government should not filter what the people should and should not view.
ISPs hacking customers? That’s not anything I’ve heard of before. Where’s the big news scandal this ought to’ve caused?
You think this is just between the PRC and US. Well, in the UK ISPs are doing this to their customers. Take your standard software firewall; this is a thing of the past. UK ISPs can and will gain access to customers’ machines to attack, monitor, do whatever they want; I know it’s happened to me. Hence I have had to install a NAT firewall as well as a software one. US companies are also playing silly billies with UK internet connections; tell me why TWTELECOM.COM are probing ports on a daily basis.
(Arggh… messed up closing blockquote tag. Ed or Alex, please nuke my immediately previous post.)
[…] I think you’re attributing too strong a claim to me.
Perhaps I misread your earlier post. I was responding specifically to what I thought was your assertion that an ISP’s sending of “crafted packets” is “suspect”. Indeed, that seemed to me like an excessively strong claim.
When you’re reading and interpreting the RFCs—especially standards track RFCs—there are some “rules of construction” that should be kept in mind. For instance, there’s the often-repeated Robustness Principle: Be conservative in what you send, and liberal in what you accept. Like rules of legal interpretation, these rules of engineering interpretation can’t just be applied blindly and mechanically. In some cases, the application of a default rule may be wrong. Again for instance, RFC 1812 (Proposed Standard) 7.1.1 “Routing Security Considerations” states:
Another interpretive rule—perhaps less often repeated, but at least as important in reading Internet protocol standards—is the “As-If” rule: If an implementation behaves “as if” it is a conforming implementation, then it is a conforming implementation. In other words, the Internet standards are protocol specifications for interoperability that do not specify actual mechanism. The RFCs say what behavior should look like externally—not internal details of machinery.
More directly to the point here, when an outside observer looks into my network from outside the border, and sees conforming behavior of gateways and hosts, then I’m running a conforming network. Doesn’t matter whether I might “really” have a bunch of three-toed sloths sparking wires together to “craft” packets.
A number of the RFCs specify TCP RST behavior. If, from outside a network, that behavior looks like it was generated by RFC-conforming gateways and hosts, then I think it’s unreasonable to classify that behavior “suspect” based merely upon arbitrary details of the mechanism used to generate that behavior.
Lesson: If you’re an ISP, blocking connections at the firewall is less suspect than sending crafted packets to remote websites to enforce your policies.
Paul Ohm,
I don’t think that’s reasonable.
Especially with NAT (including PAT) boxes, but also with other proxies, there’s a non-trivial interaction between the requirements for internet gateways (routers) and the requirements for internet hosts. Now, my masquerading firewall actually does vary from the TCP RST behaviour set out in STD 3 (RFC 1122): I have a token-bucket filter which rate-limits outgoing RSTs.
But if you want to argue that RFC-conforming behavior is “suspect”, then where exactly is that written down?
In addition to the obvious jurisdictional issues (since China could, by the same reasoning, enact laws making it unlawful for US computers to send certain kinds of content into their country to interfere with the thought processes of their citizens), the 1986 act has for a long time been pretty much a dead letter. Otherwise everyone from spammers to authors of sites that kill your browser to the Windows Software Update folks would be facing jail time.
The Firewall may run afoul of “(iv) a threat to public health or safety” too. China tried to cover up SARS for a while, rather than let world health experts study and try to contain it. Deaths resulted as far away as Canada and the United States. Supposing someone in the US tried to use the net to check whether China had detected more cases and not bothered to notify the world, intending to sound the alarm locally if necessary, only to be stymied by the Great Firewall. Given that SARS damage proved to be very limitable with certain precautions in the original outbreak, the stopping of an early warning of another outbreak would indeed create a threat to public health or safety.
All of which seems to be moot, given that the Great Firewall is outside the jurisdiction of the US law in question. It could be an issue to raise at treaty negotiations however, or even a cause of action in some future war (let’s hope not, given that both sides would be armed with nukes).
Suppose it would be illegal under US law. So what? The Chinese government already does lots of other things that would be illegal under US law. The key phrase there is “would be”. Those guys in Beijing are a sovereign national government. US law is completely irrelevant to them.
I’m more interested in whether the current proposals to prevent US citizens and corporations (which *are* subject to US law) from helping the Chinese government impose Net censorship, can be turned around to prevent those same citizens and corporations from helping with the US government’s own Net censorship efforts, such as the ones it targets at children and libraries. Students in US schools are routinely and by law subjected to Net filtering at least as problematic as what’s applied to Chinese citizens. Where’s the indignation for that?
Sending resets to bring down undesirable connections is a trick that many off-the-shelf IDS (Intrusion Detection Systems) use. IDS systems actively monitor traffic but, unlike firewalls, may not be in the data path, so to break a connection they forge a reset to both parties.
This is all a bit fanciful. Whatever one might think of this morally, legally, the interception of traffic coming in to China by the Chinese authorities can have nothing to do with US law. If I maintain a server in a non-US country, and arbitrarily decide to refuse or terminate connections to US-based terminals that might be very strange behaviour, but it’s remarkably hard to see on what rational basis this could be made an offence under US law.
The connection with denial of service attacks is also pretty specious. The fact that the techniques involved are similar doesn’t make it a denial of service. The firewall is, as you say, sending reset packets: that’s terminating a connection, not attacking the would-be connector.
And finally, there is a simple matter of practicality. Supposing US law did purport to make the actions of the Chinese authorities acting within China illegal, what then? Gunboats up the Yangtze? A hit squad of marines to take the politburo to Guantanamo?
And it shouldn’t need repeating, but probably does, that none of the above is intended to suggest that the great firewall is a good thing.
I don’t think so.
First consider this hypothetical: I’m browsing Freedom-To-Tinker, and I decide, for whatever reason, to log into my firewall and reset the connection at both ends. Externally, how is that any different from choosing to reset the connection from this machine? Either way, it would be unreasonable to outlaw that.
Next: Suppose that I log into the firewall and reset a connection for one of my users. Presume that I have full authority to operate my network. Presume specifically that I have complete authority to take any action which in my own opinion might be necessary for the security of my network and/or users. Again, no outside party should have a beef.
Now: Consider China. It could be argued that the PRC is operating their national internet structure under parens patriae authority. You can yell about the PRC violating the rights of its nationals, but it’s hard to argue that they’re violating the CFAA.
And finally, if the PRC were to somehow initiate a DoS attack against communications between the U.S. and Taiwan, then arguably that would be an act of war, and the courts should defer to Congress and the Executive.