Back to Posts List

How the Great Firewall of China Works

Share this article




Last updated January 30th, 2012 by Victoria Pal in

The Great Firewall of China

China with its largest population of web users in the world, has one of the most restricted internets, making sure that netizens cannot post nor read about information the government deems threatening.

In the first post we reviewed briefly the history of the Golden Shield Project. A significant part of it is the Great Firewall of China. It’s main aim? To monitor, very literally, all traffic in or out of the country.

As complicated as this sounds, this formidable task is done in a very simple, yet effective way.

The first technique that the authorities use to monitor the activity of their netizens is “mirroring” – a term normally used for normal copying or backup operations. Almost all Internet connections between China and the rest of the world come from a very small number of fiber-optic cables that enter the country from three main points – the Beijing-Qingdao-Tianjin area in the North; Shanghai on the central coast and Guangzhou in the South. On each of these “gateways,” there is a device called “tapper” or “network sniffer” which mirrors every single packet of data going in or out of the country. The mirroring process that occurs at these gateways, however, has a very literal side as well. The gathered information goes through the fiber-optic cables as little pulses of light. These pulses travel through the Chinese gateway routers and at the same time numerous tiny mirrors bounce reflections of them and make sure that the information is delivered to a set of surveillance (“Golden Shield”) computers which “decide” whether the requested content should be blocked. And how did the Chinese develop this mirroring technology? They bought it from a very famous company.

While the mirroring technique is scary enough in itself, it is also worth looking into the other methods employed by the Chinese authorities to discourage the search for potentially dangerous information.

The first problem that a regular visitor may encounter is the DNS block. There is a list of sites whose content is completely off-limits for the randomly browsing Internet user. If you try to access any of these sites, you will simply get “Site not found” message on the screen. Keep in mind that most sites are vigorously scanned for potential banned keywords and the lists are regularly updated. One way to find out whether your site is blocked in China is to use our Website Test behind the Great Firewall of China.

If the DNS is working properly and delivering the correct IP address, the mirroring starts taking place. While you are sending the information request to the correct IP address, the information is mirrored and the IP address is checked in the list of forbidden IPs. If it matches an entry on this list, the gateway sends a “Reset” command to both computers (yours and the one you want to reach). This interception forces the connection to close and you are thus unable to load the site. Instead, you get a “The connection has been reset” message and, if you are very persistent, you can try to load the site again… with the same result.

If you have managed to not stumble upon the first two blocks, there is yet another check which you have to go through in order to get to the resource of your choice. It is the “URL keyword block”. If the IP of the site that you are trying to access is not blacklisted, the domain name is checked for potentially dangerous keywords. Should the requested URL contain forbidden terms, the connection will be reset. The forbidden list contains words in English, Chinese, and other languages, and is often updated.

Another popular technique to prevent the users from accessing this content is a “black-hole loop”. This means that the request gets trapped in a series of delaying commands. When browsers detect enter this kind of loop, they just issue an error message, saying that the request is redirected in a way that cannot be completed.

The last step involves actual content checking, which is done, again, with mirrors. While you are browsing the page, the surveillance system is scanning the content, looking for words, phrases and terms that it does not like. If it finds them – it breaks the connection and you cannot make any further requests to this server. The Great Firewall then blocks the connection between your computer and the site’s server. At first it is only for 2-3 minutes. If you try to access the site during this time, a five-minute time-out follows. On a third try, the time-out might go up to 30 minutes or more. In a word, with each attempt that follows, the time-out increases.

Recently, a new technique seems to be taking place. Lots of administrators of services with encrypted connections report that they are seeing strange activity coming from China. If a user from within China tries to reach the server, a string of pseudo-random data hits the destination computers before the user manages to connect. In some cases, the user’s communication drops mysteriously shortly afterwards. One of the theories is that China’s ISPs may be testing a new system which tries to identify censorship circumvention tools by preceding the user’s connection with a probe designed to reveal something about the type of service that the user is accessing.

Despite all of these setbacks, there are still several ways for you to circumvent the Great Firewall and we will discuss them our next post from the series.

To better visualize how the Great Firewall of China works, watch this short video:

Victoria Pal

She doesn't like queuing (particularly at Wimbledon). Likes traveling, tennis and reading. Loves working as a Project Manager at WebSitePulse.

comments powered by Disqus