Map data © 2014 Google, INEGI

A nation-scale firewall, colloquially referred to as the “Great Firewall of China,” implements many different types of censorship and content filtering to control China‘s Internet traffic. However, the filtering does not seem to be perfect. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been documented because it is very difficult to find a large and geographically diverse set of clients in China from which to test connectivity.

In this project, we overcame this challenge by using hybrid idle scan techniques that are able to measure connectivity between a remote client and an arbitrary server, neither of which are under our control. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel‘s SYN backlog. We demonstrate both techniques by measuring the reachability of the Tor network which is known to be blocked in China. The image to the right illustrates the connectivity between randomly selected clients and Tor relays. Clients in China tend to be unable to connect to Tor relays as shown by the red lines. Clients outside of China, however, are able to connect to relays as shown by the green lines. Among other things, our measurements reveal that:

  1. Failures in the firewall occur throughout the entire country without any conspicuous geographical patterns.
  2. A network block in China appears to have unfiltered access to parts of the Tor network.
  3. The filtering seems to be mostly centralized at the level of Internet exchange points.
Our work also answers many other open questions about the Great Firewall‘s architecture and implementation.

In October 2014, we published a technical report which discusses our preliminary findings.

You can get a copy of our scanning tools from GitHub:

git clone

For questions or feedback, please contact Roya using (OpenPGP).

unm kau

Last updated: 2014-09-28