funsec mailing list archives

The Digital Huns


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 3 Jul 2006 14:24:24 -0400

Academics break the Great Firewall of China
By Tom Espiner
Special to CNET News.com
Published: July 3, 2006, 9:06 AM PDT

from: http://news.com.com/2100-7348_3-6090437.html?part=rss&tag=6090437&subj=news

Computer experts from the University of Cambridge claim not only to
have breached the Great Firewall of China, but have found a way to use
the firewall to launch denial-of-service attacks against specific
Internet Protocol addresses in the country.

The firewall, which uses routers supplied by Cisco, works in part by
inspecting Web traffic for certain keywords that the Chinese
government wishes to censor, including political ideologies and groups
it finds unacceptable.

The Cambridge research group tested the firewall by firing data
packets containing the word "Falun" at it, a reference to the Falun
Gong religious group, which is banned in China.

The researchers found that it was possible to circumvent the Chinese
intrusion detection systems by ignoring the forged transmission
control protocol resets injected by the Chinese routers, which would
normally force the endpoints to abandon the connection.

"The machines in China allow data packets in and out, but send a burst
of resets to shut connections if they spot particular keywords,"
explained Richard Clayton of the University of Cambridge computer
laboratory. "If you drop all the reset packets at both ends of the
connection, which is relatively trivial to do, the Web page is
transferred just fine."

Clayton added that this means the Chinese firewall can be used to
launch denial-of-service attacks against specific IP addresses within
China, including those of the Chinese government itself.

The IDS uses a stateless server, which examines each data packet both
going in and out of the firewall individually, unrelated to any
previous request. By forging the source address of a packet containing
a "sensitive" keyword, people could trigger the firewall to block
access between source and destination addresses for up to an hour at a
time.

If an attacker had identified the machines used by regional government
offices, they could block access to Windows Update, or prevent Chinese
embassies abroad from accessing specific Chinese Web content.

"Due to the design of the firewall, a single packet addressed from a
high party official could block their Web access," said Clayton.

Even though this technique would block communication between only two
particular points on the Internet, the researchers calculated that a
lone attacker using a single dial-up connection could still generate a
"reasonably effective" denial-of-service attack. If an attacker
generated 100 triggering packets per second, and each packet caused 20
minutes of disruption, 120,000 pairs of endpoints could be prevented
from communicating at any one time.

Clayton, speaking at the Sixth Workshop on Privacy Enhancing
Technologies in Cambridge last week, said that the researchers had
reported their findings to the Chinese Computer Emergency Response
Team.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
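
The quoted article attributes the denial-of-service problem to per-packet, stateless inspection. The model below is an added example, not part of the original post or the researchers' code: it compares that design with a stateful variant that ignores data outside a connection it saw being set up (an assumed mitigation the article does not describe), and reproduces the article's 120,000-pair figure. All class names, function names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

KEYWORD = b"falun"        # keyword the article says was used in testing
BLOCK_SECONDS = 20 * 60   # article's figure: 20 minutes of disruption per trigger

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    t: float              # arrival time, seconds

class Inspector:
    """Toy model of a keyword-triggered blocker (constructed, not the real system)."""
    def __init__(self, stateful):
        self.stateful = stateful
        self.established = set()   # pairs whose handshake the inspector observed
        self.blocked_until = {}    # (src, dst) -> time the block expires

    def handshake(self, src, dst):
        self.established.add((src, dst))

    def inspect(self, pkt):
        """Return True if this packet causes the pair to be blocked."""
        pair = (pkt.src, pkt.dst)
        if KEYWORD not in pkt.payload.lower():
            return False
        # Stateless: the header is trusted as-is, so an unverified source
        # address is enough. Stateful: data outside a known connection is ignored.
        if self.stateful and pair not in self.established:
            return False
        self.blocked_until[pair] = pkt.t + BLOCK_SECONDS
        return True

    def blocked_pairs(self, now):
        return sum(1 for expiry in self.blocked_until.values() if expiry > now)

def steady_state_blocked(inspector, rate_pps=100):
    """Offer one unsolicited trigger per distinct pair for one block window."""
    n = rate_pps * BLOCK_SECONDS
    for i in range(n):
        src = str(ipaddress.IPv4Address(0x0A000000 + i))  # constructed 10.x.x.x
        inspector.inspect(Packet(src, "192.0.2.1", b"GET /?q=Falun", i / rate_pps))
    return inspector.blocked_pairs(now=(n - 1) / rate_pps)
```

With the stateless inspector the count of blocked pairs is rate times block duration (100 x 1,200 s); with the stateful one, unsolicited triggers block nothing.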