GFW can be regarded as no longer bidirectional now?
Just before the annual Tiananmen Square Massacre anniversary, China blocked the domain name mtalk.google.com, which is used by Google's cloud push service (Firebase Cloud Messaging).
However, unlike the last time when all google.com subdomains were blocked (#128), it seems that this is only targeting this one domain.
I wanted to confirm this block on a Chinese speed test website, but it was offline for some reason. I had to SSH into an overseas virtual host and try to initiate a TLS request to China's google.cn (203.208.41.98) to trigger censorship, but surprisingly, no injected RST was received. When the speed test website was restored, I saw signs of injected RST all over China, but I still couldn't see it from the overseas host at this time.
Considering that GFWeb and the recent Henan firewall have observed this asymmetric blocking, can we assume that the latest list or device no longer has this bidirectional feature?
Test script and captures with my IPs redacted.
```bash
#!/bin/bash
# Send a TLS ClientHello carrying each mtalk hostname as SNI to every mtalk IP and port,
# then look in the capture for RSTs that arrive before any server response.
MTALK_IPS=(
  "[2404:6800:4008:c04::bc]"
  "[2607:f8b0:4023:c03::bc]"
  "108.177.98.188"
  "74.125.20.188"
)
PORTS=("80" "443" "5228" "5223")
DOMAINS=("mtalk.google.com" "alt1-mtalk.google.com")

for domain in "${DOMAINS[@]}"; do
  for ip in "${MTALK_IPS[@]}"; do
    for port in "${PORTS[@]}"; do
      # --connect-to "::${ip}" keeps the URL hostname (and therefore the SNI) while
      # connecting to ${ip} on the same port; --head keeps each attempt short.
      curl -v "https://${domain}:${port}" --connect-to "::${ip}" --head --connect-timeout 3
      sleep 3
    done
  done
done
```
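The curl loop above relies on the TLS library to build the ClientHello and on curl's error text to tell a reset from a timeout. The following is an added example, not part of the original post or of any project in this thread: it hand-builds a minimal TLS 1.2 ClientHello with a chosen SNI, parses the SNI back out the way a DPI middlebox would, and classifies how the connection ended (reset, refused, timeout, or a genuine TLS reply). The address in the `__main__` block is a placeholder, and `build_client_hello`, `extract_sni`, `classify_error` and `probe` are names chosen here.

```python
"""Added example (not from the thread): hand-built TLS ClientHello with a chosen SNI,
sent to an arbitrary IP/port, with the outcome classified for a censorship measurement.
The IP in __main__ is a placeholder; replace it with the host you are measuring through."""
import socket
import struct
from typing import Optional


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record whose only extension is server_name."""
    host = sni.encode("ascii")
    # server_name extension body: list length, name_type=host_name(0), name length, name
    name_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + b"\x00" * 32                        # random (fixed; acceptable for a probe)
        + b"\x00"                             # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer: handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the server_name back out of a ClientHello record, as a filter would see it."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", hs, pos)[0]    # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    ext_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hs, pos)
        pos += 4
        if etype == 0x0000:
            name_len = struct.unpack_from("!H", hs, pos + 3)[0]   # skip list length and name_type
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def classify_error(exc: BaseException) -> str:
    """Map a socket failure onto the outcomes the measurement distinguishes."""
    if isinstance(exc, ConnectionResetError):
        return "reset"      # RST after the hello: injected, or the peer itself rejected it
    if isinstance(exc, ConnectionRefusedError):
        return "refused"    # RST to the SYN: closed port, unrelated to the SNI
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"    # possible drop, or simply an unresponsive host
    return "error"


def probe(ip: str, port: int, sni: str, timeout: float = 3.0) -> str:
    """Connect, send the ClientHello, and report reset / refused / timeout / closed / reply."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((ip, port))
            sock.sendall(build_client_hello(sni))
            data = sock.recv(5)
        except OSError as exc:
            return classify_error(exc)
    if not data:
        return "closed"     # orderly FIN without any TLS data
    return "reply:" + {0x16: "handshake", 0x15: "alert"}.get(data[0], "other")


if __name__ == "__main__":
    # Placeholder target; a real run points this at the host being measured through.
    print(probe("198.51.100.10", 443, "mtalk.google.com"))
```

A "reset" result alone does not prove injection: compare the same SNI against a control hostname on the same IP and port, and confirm in a capture that the RST arrives before any server data. The thread's trick of pointing the SNI at an unrelated host such as google.cn works here too, since a server that is not authoritative for the name normally answers a ClientHello with a TLS alert or handshake, not a TCP reset.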
Try 109.244.172.83 and 109.244.173.215 (wpa.qq.com) please, I can still trigger TCP RSTs with SNI mtalk.google.com from outside of China today.
> Try 109.244.172.83 and 109.244.173.215 (wpa.qq.com) please, I can still trigger TCP RSTs with SNI mtalk.google.com from outside of China today.
No, it's another DPI to forbid domains without ICP filing from being accessed, which is only deployed in a few cloud providers. Even example.com can trigger it.
You are talking about RST injection, but I have the impression the situation has changed with respect to DNS injection. I don't have any systematic measurements, but it seems like outside→inside queries get injections for only a subset of names that would get injections if sent inside→outside. In #466 I experimented with some names and it seems the possibilities are more limited than they used to be.
> but it seems like outside→inside queries get injections for only a subset of names that would get injections if sent inside→outside. In #466 I experimented with some names and it seems the possibilities are more limited than they used to be.
Yes, I've mentioned the possibility that only newer devices/software lost this feature; ~~that means it's possible for a well-known domain to still be observed being injected from outside, but with fewer injected packets than it would receive from the inside, lacking the newer injectors'.~~
Edit: Not sure if the censor would regard it as necessary to add the domains already blocked by older devices to the newer list again.
What names?
GFWeb:
> Comparing the sets of domains that trigger the GFW from both sides, we found about 1K domains that only trigger the HTTPS filter to inject RST packets when probed from inside the country. The domains mostly belong to Google (e.g., google.com.hk*) or are related to circumvention tools (e.g., torproject.org, go-vpn.com, dr-wall.com, aihuiguo.com, and wallvpn.com). Probing these domains from outside China will not trigger any interference from the GFW’s HTTPS filter. This is also evident by the very low number of network anomalies detected by Censored Planet for these domains. As shown on the platform’s dashboard [7], most Unexpected Rates for these domains are below 20%, as opposed to ∼100% for domains that are symmetrically interfered with by the GFW’s HTTPS filtering middleboxes.
>
> [7] Censored Planet Dashboard - Evidence of Asymmetric Interference of the Great Firewall’s HTTPS filter, Accessed: 2023-10-11. https://archive.ph/1PXS6.
The TCP and DNS injectors are independent, but if the censor decided somehow to forbid foreign probes to their system, they will upgrade their old devices (never did before) or add new ones for future domains to be blocked.
I wonder if the injectors will behave the same for TCP and DNS. Look at these asymmetrically TCP censored domains,
| name | DNS | TCP |
|---|---|---|
| google.com.hk | asymmetrical | |
| torproject.org | asymmetrical | |
| go-vpn.com | symmetrical | not censored |
| dr-wall.com | asymmetrical | asymmetrical |
| aihuiguo.com | asymmetrical | asymmetrical |
| wallvpn.com | not censored | asymmetrical |
Disappointingly, only two of them, dr-wall.com and aihuiguo.com, trigger the same asymmetrical censorship on both TCP and DNS.
I wish the GFWeb authors would release this list of 1K domains, or have I not noticed that they already did?
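The DNS side of the comparison above, and the #466 experiment mentioned earlier in the thread, both come down to one measurement: send a single A query toward an address inside the censored network and record every answer that comes back. The following is an added example, not code from the thread or from GFWeb: it builds the query, parses A records out of the replies (including compressed names), collects all replies to one transaction ID within a time window, and summarizes them. When the target is a host that is not a resolver, as in the thread's experiment, any reply at all is injected; against a real resolver, two replies with different address sets are the evidence. `build_query`, `build_response`, `parse_a_records`, `collect_answers` and `summarize` are names chosen here, the sample response in `__main__` is constructed, and the target IP is a placeholder.

```python
"""Added example (not from the thread): one DNS A query toward a target inside the
censored network, collecting every reply to that transaction within a window.
build_response only constructs a sample for the offline demo; the IP in __main__ is a placeholder."""
import random
import socket
import struct
import time
from typing import List, Tuple


def _encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A/IN query: QR=0, RD=1, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(qid: int, name: str, addrs: List[str], ttl: int = 60) -> bytes:
    """Constructed sample response (offline demo only): QR=1 RD=1 RA=1, A records with a compressed owner name."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a) for a in addrs
    )
    return header + question + answers


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length


def parse_a_records(msg: bytes) -> Tuple[int, List[str]]:
    """Return (transaction id, list of A addresses) from a DNS response."""
    qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4   # QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return qid, addrs


def collect_answers(target_ip: str, name: str, window: float = 2.0) -> List[List[str]]:
    """Send one query and keep every reply with a matching id that arrives within `window` seconds."""
    qid = random.randrange(0x10000)
    replies: List[List[str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(0.5)
        sock.sendto(build_query(name, qid), (target_ip, 53))
        deadline = time.monotonic() + window
        while time.monotonic() < deadline:
            try:
                data, _peer = sock.recvfrom(4096)
            except socket.timeout:
                continue
            rid, addrs = parse_a_records(data)
            if rid == qid:
                replies.append(addrs)
    return replies


def summarize(replies: List[List[str]]) -> str:
    """Classify what came back for a single query."""
    if not replies:
        return "no reply"
    distinct = {tuple(sorted(a)) for a in replies}
    if len(replies) > 1 and len(distinct) > 1:
        return "conflicting replies"     # genuine answer plus a forged one
    if len(replies) > 1:
        return "duplicate replies"
    return "single reply"


if __name__ == "__main__":
    # Offline demo on a constructed response; for a real run call
    # summarize(collect_answers("<placeholder target IP>", "example.com")).
    sample = build_response(0x1234, "example.com", ["203.0.113.5"])
    print(parse_a_records(sample))
    print(summarize([["203.0.113.5"], ["198.51.100.9"]]))
```

Run the same name from both a vantage point inside and one outside the network and compare the summaries; a name that yields "conflicting replies" or a reply from a non-resolver host on one side only is the asymmetric case the table above is about.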
In fact, the GFW does not always block IPs or websites (we can describe them as "targets") bidirectionally. It could be up to its decision-maker, usually the CCP officials. In other words, to block a target is not a simple technical issue but a political one.
So sometimes GFW's behavior does not meet the observed known routine & it's hard to analyze or summarize. Maybe ur discovery is just a mistake caused by this temporary change, which was deployed within just minutes.
> It could be up to its decision-maker, usually the CCP officials. In other words, to block a target is not a simple technical issue but a political one.
I don't see any political reason for injecting RSTs at a foreigner trying to access rfa.org via 101.6.15.66 (www.tsinghua.edu.cn), or for letting foreign researchers trigger and collect as many fake DNS responses as they want (#466). The bidirectional blocking is more like a mistake, and the mistake has now likely been noticed.
But for the one-way blocking, I'd agree with what you say about CCP officials... they don't want this censorship information freely observed from the outside.
> I don't see any political reason for injecting RSTs at a foreigner trying to access rfa.org via 101.6.15.66 (www.tsinghua.edu.cn), or for letting foreign researchers trigger and collect as many fake DNS responses as they want (https://github.com/net4people/bbs/issues/466). The bidirectional blocking is more like a mistake, and the mistake has now likely been noticed.
According to Chinese Wikipedia (中文维基百科), the injection (DNS poisoning) is bidirectional. Every DNS request going through DNS servers located in Mainland China is filtered wherever the DNS request is initiated. Therefore the GFW caused several worldwide DNS poisoning events (in 2010 & 2014), which finally made Netnod stop their "I" root name server in Mainland China.
「This injection is bidirectional: it occurs not only when DNS queries are made from within China to servers abroad, but also when foreign DNS queries pass through China, which has led to the caches of many foreign recursive DNS servers being polluted[47].」(Translated from the Chinese text of the Wikipedia article 防火长城)
The domain of RFA, rfa.org, has been blocked in Mainland China for decades because it's propaganda against the CCP & its political position. If you know the history of the PRC, it has blocked foreign radio (of course including VOA & RFA) since the 1950s.