
How To Geek

HTG Explains: How the Great Firewall of China Works

May 2, 2013, How To Geek

The Great Firewall of China, officially known as the Golden Shield project, employs a variety of tricks to censor China’s Internet and block access to various foreign websites. We’ll be looking at some of the technical tricks the firewall uses to censor China’s Internet.

When SOPA was being discussed, CEO of the MPAA Chris Dodd held China’s website-blocking up as a model of how the US could implement its own Internet censorship:

“When the Chinese told Google that they had to block sites or they couldn’t do [business] in their country, they managed to figure out how to block sites.”

Understanding what the Great Firewall of China does can help us understand how certain organizations want to put Internet censorship into place throughout the world. If you think the Great Firewall just uses one method of censorship, think again — it uses a variety of tricks.

What is the Great Firewall of China?

If you haven’t been keeping track, China has a censored Internet. The Great Firewall of China is generally considered the largest, most extensive, and most advanced Internet censorship regime in the world.

China censors content for a variety of reasons, often because it’s critical of the Chinese government or contrary to Communist Party policy. China doesn’t just block individual websites — they use techniques to scan URLs and web page content for blacklisted keywords like “Tiananmen” and block such traffic.

By blocking foreign social networking sites like Twitter and forcing their citizens to use alternatives like Sina Weibo, China is able to control social-networking sites, gaining the ability to censor posts on them. China also hires people who are paid to post content favorable to Communist Party policy on the Internet, attempting to sway public opinion.

The Great Firewall isn’t perfect — it’s impossible to really hold back information and censor everything, although China is certainly trying. From using unofficial terms that aren’t blocked — effectively speaking in code — to using VPNs to tunnel out of the firewall, even the most extensive Internet censorship regime can be bypassed.

Technical Tricks

So just how is China censoring their Internet? Well, China controls the Internet gateways where traffic travels between China and the rest of the Internet. Through a combination of firewalls and proxy servers at these gateways, they can analyze and manipulate Internet traffic.

China’s censorship isn’t completely transparent. For example, if you try to access a blocked website, you may not see a message informing you that the website has been blocked. You may just experience timeouts, blocked connections, and other error messages. Censorship can often be indistinguishable from website problems — did your VPN connection die because of a legitimate network problem or because the Great Firewall noticed and killed it? Is a website down or is the firewall blocking it? It’s hard to really know for sure behind the firewall.

Below are some of the tricks China uses to censor its Internet:
DNS Poisoning: When you try to connect to a website like twitter.com, your computer contacts its DNS servers and asks for the IP address associated with the website. If you receive an invalid response, you’ll look for the website at the wrong location and you won’t be able to connect. China intentionally poisons its DNS caches with wrong addresses for websites like Twitter, making them inaccessible. SOPA would have brought this technique to the USA.
Blocking Access to IPs: China’s Great Firewall can also block access to certain IP addresses. For example, to prevent people from accessing Twitter’s servers even by accessing it directly at a certain IP or by using unofficial DNS servers that haven’t been poisoned, China could block access to the IP address of Twitter’s servers. This technique would also block other websites located at the same address if they’re using shared hosting.
Analyzing and Filtering URLs: The firewall can scan URLs and block connections if they contain sensitive keywords. For example, Website Pulse shows us that http://en.wikipedia.org is accessible from within China, but http://en.wikipedia.org/wiki/Internet_censorship_in_the_People’s_Republic_of_China is not accessible — the firewall is looking at the URL and deciding to block web pages that appear to be about Internet censorship.
Inspecting and Filtering Packets: “Deep packet inspection” can be used to examine unencrypted packets, looking for sensitive content. For example, a search performed on a search engine may fail if you search for politically controversial keywords as the packets associated with the search are examined and blocked.
Resetting Connections: There are indications that, after the Great Firewall blocks such packets, it will block communication between both computers for a period of time. The firewall does this by sending a “reset packet,” essentially lying to both computers and telling them that the connection was reset so they can’t talk to each other.
Blocking VPNs: In late 2012, the Great Firewall started trying to block VPNs. VPNs were previously used to escape the Great Firewall. They’re also critical for many business users, so this was a surprising move. The firewall learns to identify what encrypted VPN traffic looks like and kills VPN connections.

This isn’t an exhaustive list — there isn’t complete transparency so we can’t know exactly how everything works.
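To make the list above concrete, here is an added example (not part of the original article) that sorts the symptoms of a failed page load into the mechanisms described, using an outside vantage point as a control to separate filtering from an ordinary outage. The Probe fields, the labels and every sample observation are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    """One constructed observation of a URL fetch from inside the filtered network."""
    url: str
    local_dns: frozenset      # A records returned by the in-network resolver
    reference_dns: frozenset  # A records returned at an outside vantage point
    tcp_connected: bool       # TCP handshake to the resolved address completed
    outcome: str              # "ok", "timeout" or "reset" for this URL
    root_outcome: str         # same, for the host's front page
    reference_ok: bool        # URL loaded fine from the outside vantage point

def classify(p: Probe) -> str:
    # A page that loads is reachable even if DNS answers differ: shared and
    # distributed hosting can legitimately return different addresses.
    if p.outcome == "ok":
        return "reachable"
    if not p.reference_ok:
        return "site-problem"              # fails everywhere: not evidence of filtering
    if not (p.local_dns & p.reference_dns):
        return "dns-poisoning-suspected"   # resolver answered with unrelated addresses
    if not p.tcp_connected:
        return "ip-block-suspected"        # right address, but no handshake
    if p.root_outcome == "ok":             # host works, only this URL fails
        return "reset-after-filter" if p.outcome == "reset" else "url-filter-suspected"
    return "inconclusive"

# Constructed sample data; addresses are from the RFC 5737 documentation ranges.
REAL = frozenset({"192.0.2.10"})
WIKI = "http://en.wikipedia.org"
SAMPLES = [
    Probe("http://twitter.com", frozenset({"203.0.113.99"}), REAL, False, "timeout", "timeout", True),
    Probe("http://twitter.com", REAL, REAL, False, "timeout", "timeout", True),
    Probe(WIKI, REAL, REAL, True, "ok", "ok", True),
    Probe(WIKI + "/wiki/Internet_censorship_in_the_People's_Republic_of_China",
          REAL, REAL, True, "reset", "ok", True),
    Probe("http://down.example", REAL, REAL, False, "timeout", "timeout", False),
]

def classify_all(probes):
    return [classify(p) for p in probes]

if __name__ == "__main__":
    for probe, label in zip(SAMPLES, classify_all(SAMPLES)):
        print(f"{label:26} {probe.url}")
```

Every label except "reachable" and "site-problem" is a suspicion rather than proof, which matches the article's point that filtering and ordinary failures look alike from inside.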

You can see if a website is blocked using a tool like greatfirewallofchina.org or test whether a specific URL is blocked using the Website Pulse Great Firewall of China test tool.

Many of us often see the Internet as impossible to control based on its very structure, as it routes around points of failure and gives everyone access to a democratic form of communication free of government control. The Great Firewall of China shows us that it isn’t quite that simple — the Internet has its bottlenecks where censorship can be instituted and technologies like DNS can be abused to aid in censorship.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.