A nation-scale firewall, colloquially referred to as the “Great Firewall of China,” implements many different types of censorship and content filtering to control China's Internet traffic. However, the filtering does not seem to be perfect. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been documented because it is very difficult to find a large and geographically diverse set of clients in China from which to test connectivity.
In this project, we overcame this challenge by using hybrid idle scan techniques that are able to measure connectivity between a remote client and an arbitrary server, neither of which is under our control. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel's SYN backlog. We demonstrate both techniques by measuring the reachability of the Tor network, which is known to be blocked in China. The image to the right illustrates the connectivity between randomly selected clients and Tor relays. Clients in China tend to be unable to connect to Tor relays, as shown by the red lines. Clients outside of China, however, are able to connect to relays, as shown by the green lines. Among other things, our measurements reveal that:
You can get a copy of our scanning tools from GitHub:
git clone https://github.com/NullHypothesis/tcpscans.git
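As an added illustration of the inference behind the hybrid idle scan (this is a simplified model written for this page, not the tcpscans code), the following Python simulates the three cases the scan distinguishes using a client whose IP ID counter is global: the retransmission count and starting IP ID are constructed assumptions, and no packets are sent.

```python
from dataclasses import dataclass

SYNACK_RETRIES = 5   # assumption: the server retransmits an unanswered SYN/ACK 5 times


@dataclass
class Client:
    """Client with a single global IP ID counter (the idle-scan 'zombie')."""
    ipid: int = 4000  # constructed starting value

    def send(self) -> int:
        """Every packet the client emits consumes one IP ID."""
        self.ipid += 1
        return self.ipid


def probe(client: Client) -> int:
    """The measurement machine sends the client an unsolicited SYN/ACK and reads
    the IP ID of the RST it gets back. The probe itself costs one IP ID."""
    return client.send()


def run_scan(n_syns: int, c2s_dropped: bool, s2c_dropped: bool,
             retries: int = SYNACK_RETRIES) -> int:
    """Simulate one hybrid idle scan round and return the IP ID delta that the
    measurement machine attributes to the server's SYN/ACKs."""
    client = Client()
    before = probe(client)
    for _ in range(n_syns):
        # The server receives a SYN spoofed with the client's address (it
        # travels from the measurement machine, not over the client<->server
        # path) and sends SYN/ACKs to the client until a RST reaches it.
        for _attempt in range(1 + retries):
            if s2c_dropped:
                break          # SYN/ACK and its retransmissions never arrive
            client.send()      # client answers with a RST, using one IP ID
            if not c2s_dropped:
                break          # the RST reaches the server; no retransmission
    after = probe(client)
    return after - before - 1  # remove the IP ID consumed by the final probe


def classify(delta: int, n_syns: int) -> str:
    """Map the observed IP ID delta to one of the three connectivity cases."""
    if delta < n_syns // 2:
        return "server-to-client blocked"   # client never saw a SYN/ACK
    if delta < 2 * n_syns:
        return "no blocking"                # one RST per SYN, no retransmits
    return "client-to-server blocked"       # RSTs lost, SYN/ACKs retransmitted
```

A real scan must also tolerate IP ID noise from the client's other traffic, which is why the thresholds are deliberately wide.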