
Thread: The Decades Long War Over The Great Firewall Of China

  1. #1

    The Decades Long War Over The Great Firewall Of China

    https://forums.spacebattles.com/thre...china.1082472/


    So it looks like America is going to ban Tiktok. That sounds familiar.

    Gents, let me tell you about the greatest war you've never known. On the one side is the entirety of the Chinese communist party, wielding the force of the world's #2 economy. On the other side - a bunch of Chinese nerds who just wanted to watch porn.


    ----------The Enemy-------------

    So one of the "greatest" things China has created is arguably the largest IT infrastructure project in the world - the Great Firewall of China.

    No joke - China's probably spent more money and manpower on it than any other infrastructure project in the world.

    And it's a $#@!ing banger. It basically walled off every single internet routing node going in and out of China, with a sophisticated series of traffic analyzers and packet-level screeners.

    So at first it was a non-issue because every Chinese person just installed or set up their own openvpn.

    Then the firewall banned openvpn, which was like, whatever. OpenVPN traffic is easy to identify anyway.

    So the Chinese started obfuscating headers in OpenVPN traffic, which made it difficult to identify. And that was fine, for like 6 months.

    ----------The Opening Salvo-------------

    Then the firewall banned obfuscated openvpn traffic. That raised a few eyebrows. Team Nerd thought maybe they were just banning traffic based on ports, since OpenVPN uses a few non-standard ports. So they shifted ports to 443 and 80. Still banned. That was weird, said one of the nerds known only as "Clowwindy". Took a few days, but he theorized the firewall must be capable of deciphering openvpn traffic from the TLS handshake. This had implications - it meant the firewall was capable of pattern matching. Clowwindy created a program to deliberately mock a series of well designed packets to try to reverse engineer the firewall's pattern matcher. He found a problem - the firewall was capable of identifying all known encryption algos. It wasn't able to decrypt them - but somehow it knew what they were. So he put out a hiring call looking for volunteers who were well versed in cryptography.

    Turns out if you drew a venn diagram of Chinese math wizards and Chinese porn addicts, you get a circle. So he put together a team.

    They used PPTP protocol as a basis and began to experiment. First, they tried creating cocktails of known encryption. This would work initially, but it never took the firewall more than a week to adapt and block whatever cocktail they created. And they were running out of ingredients.

    Independently, a separate team of Chinese nerds were working on a different approach - by interlacing normal website traffic between encrypted payloads, they hoped to confuse the firewall. It didn't work. The firewall was able to identify which segments were VPN traffic, and killed those. If it couldn't - sometimes it would just cut off the entire session altogether, putting the client into a timeout period. But it was an interesting approach.

    The two teams met, and decided to combine their forces for the good of mankind.

    They created something wonderful.

    ----------The First Victory-------------

    By using a socks server as an accomplice outside of the firewall, they were able to obfuscate traffic over SSH. The thing is - they found that if you spend too much effort to encrypt the traffic, it became counterproductive. Turns out the more you encrypt the traffic, the easier it was for the firewall to find out you're up to something nefarious.

    This came at a harsh lesson.

    There was another effort spearheaded by like-minded comrades to the west to stick it to the censors called "The TOR Project". TOR had a protocol called "Pluggable Transport" (PT). It used a patented method called Obfs4 to encrypt and in effect hide its true intentions.

    TOR traffic was identified and banned within a few days by the firewall.

    Chinese nerds studied TOR's banning like an autopsy. Combined with previous data, they figured out what the firewall was doing, and more importantly, what it was NOT doing. A few months later, they created an open source monster called Shadowsocks.

    This was a clever transport mechanism that basically hid vpn traffic in plain sight - mixing in traffic patterns you'd see from a routine SSH remote access session. The bet was the firewall would:

    A. Not be able to tell with precision what the payload is

    and

    B. Not risk banning legitimate SSH remote access which a lot of legitimate businesses relied on.

    He won that bet - for FOUR YEARS.

    Project Shadowsocks came out in 2012. It pwned the great firewall all the way up to 2016. In 2015, the man, the legend, Clowwindy, was contacted by the Chinese police and was forced to abandon the project. Clowwindy is still active today on Twitter, so he's still alive, but many have theorized he has now defected to the enemy.

    Others took up the mantle, however, and work continued.

    ----------The Setback -------------

    In 2016 Shadowsocks stopped working. Tunnels began to die and become blocked. New tunnels became banned anywhere from a few days to a few hours.


    The conclave of wise nerds theorized the firewall was using some sort of machine learning to train its traffic analyzers, and after four years, they finally had enough training data to accurately pick out Shadowsocks traffic from a police lineup.

    Part of the initial bet was that the firewall would not do active probing - or randomly initiate tcp/ip connections to map out potential nodes receiving questionable traffic and banning those nodes outright. The reasoning was - the chances of friendly fire - killing legitimate nodes which businesses relied on - was too high. But four years later, there was no friendly fire. The Firewall was able to precisely identify shadowsocks endpoints.

    The war was on again.

    Other VPN protocols have also tried to have a crack at the firewall. A western protocol called Wireguard saw some use in 2017. It was identified and banned after a few months.

    This failure was again studied with clinical precision.

    Two lessons were learned - rotation and diversification. There was no more point in trying to fool the firewall. It wasn't a stealth mission. It was a timed mission. You had a limited amount of time to do whatever you needed to do before the firewall adapted and caught up. You needed a protocol that was stateless and preferably without a handshake so as to not tip the firewall off on when to start analyzing your traffic.

    ----------The Comeback -------------

    This created a monster called Vmess.

    This thing was fierce.

    It was:

    1. Stateless. It transfers data directly between the client and the server without handshaking. Each transmission has no effect on the transmission of other data before and after.

    2. Asymmetric. The request from the client and the response from the server can be in different formats.

    And it works.

    The firewall was blind again. It had no handshake to determine the start or the nature of the traffic, and it wasn't able to match requests to responses since the two were asymmetrical.

    Vmess was integrated into a larger project called Project V - which is a comprehensive toolkit composed of a variety of harnesses and variations to support protocols like Vmess - the most popular of which is V2Ray, which is the foundational module for most modern VPN services operating in China.

    Project V itself is a self-sustaining opensource framework with a healthy group of contributors constantly improving and enhancing its codebase.

    ----------The War Goes On -------------

    As of now, 2023, Vmess + V2ray is still working. Occasionally, the firewall will throw a curveball, but the team will adapt and typically come out with zero day updates to beat it back again.

    There are other methods and protocols besides Vmess, like the Trojan Protocol, which focuses more on obfuscation, showing that the scene is more active today than ever before.

    But the firewall is also evolving.

    It was recently theorized that the firewall was capable of identifying ChaCha20-Poly1305, a robust encryption algorithm created by Google. The firewall has also demonstrated some ability to identify different types of streaming data even when obfuscated. It's suspected the Firewall is a testing ground for quantum cryptography - as there has been some alarming proof presented demonstrating the firewall's capability of reverse engineering ciphertext and lifting certain information from key exchanges.

    The war continues.

    ----------Reading Material -------------


    Shadowsocks - Wikipedia
    en.wikipedia.org

    VMess | V2Ray Beginner's Guide
    Step-by-step guide for first-timers' using V2Ray.
    guide.v2fly.org

    GitHub - v2fly/v2ray-core: A platform for building proxies to bypass network restrictions.
    github.com

    Trojan Documentation
    An unidentifiable mechanism that helps you bypass GFW.
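
The post's remark that heavier encryption made traffic easier to spot can be seen from a traffic classifier's side: common protocols open with readable structure, while a fully encrypted first payload looks like uniform noise. This is an added example, not part of the original post or of any project it names; the function names, the thresholds and the sample payloads are assumptions constructed for illustration, not measurements of any real system.

```python
import math
import random
from collections import Counter

# Plaintext openers of common protocols: the part any middlebox can read.
KNOWN_OPENERS = {b"\x16\x03": "tls", b"SSH-": "ssh",
                 b"GET ": "http", b"POST ": "http"}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_fraction(data: bytes) -> float:
    """Share of bytes in the printable ASCII range 0x20..0x7e."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0

def one_bit_ratio(data: bytes) -> float:
    """Share of 1-bits; close to 0.5 for ciphertext or random data."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data)) if data else 0.0

def classify_first_payload(data: bytes) -> str:
    """Label the first payload of a flow (illustrative thresholds)."""
    if not data:
        return "empty"
    for opener, name in KNOWN_OPENERS.items():
        if data.startswith(opener):
            return "known:" + name
    if printable_fraction(data) > 0.5:          # assumed threshold
        return "plaintext-like"
    if 0.45 <= one_bit_ratio(data) <= 0.55:     # assumed threshold
        return "fully-encrypted-like"
    return "unclassified"

def constructed_samples() -> dict:
    """Constructed first payloads; none are captured from a real network."""
    rng = random.Random(1082472)                # fixed seed for repeatability
    noise = bytes(rng.getrandbits(8) for _ in range(256))
    return {
        "tls": b"\x16\x03\x01\x00\x30\x01\x00\x00\x2c\x03\x03" + noise[:32],
        "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
        "http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "smtp": b"EHLO mail.example.test\r\n",
        "random": noise,                        # stands in for a fully encrypted payload
    }

if __name__ == "__main__":
    for name, payload in constructed_samples().items():
        print(f"{name:7s} entropy={shannon_entropy(payload):.2f} "
              f"printable={printable_fraction(payload):.2f} "
              f"ones={one_bit_ratio(payload):.2f} "
              f"-> {classify_first_payload(payload)}")
```

The only sample with no readable opener, few printable bytes and a balanced bit ratio is the one with nothing but ciphertext in it, which is why it is the one that stands out.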



  3. #2
    Turns out if you drew a venn diagram of Chinese math wizards and Chinese porn addicts, you get a circle. So he put together a team.
    Smart and motivated.

  4. #3
    Thanks for sharing this, great info!

    LLMs and generative AI (eg Stable Diffusion) place a new weapon in the hands of anti-censorship warriors. With an LLM, they can generate unlimited steganographic traffic which mimics legitimate web traffic in the same manner as SEO. In the end, the defenders always win this game, even if they are up against qUaNtuM CoMpUtErS. No amount of computation can crack the Vernam cipher, not even quantum computation. Such messages can then be steganographically embedded in AI-generated carrier traffic that is trained to mimic legitimate traffic. Literal definition of needle-in-a-haystack. No "filter" will ever be able to pick that needle out, even if they boil the oceans...


