This post describes our analysis of China’s “Great Cannon,” our term for an attack tool that we identify as separate from, but co-located with, the Great Firewall of China. The first known usage of the Great Cannon is in the recent large-scale novel DDoS attack on both GitHub and servers used by.

On March 16, observed that servers they had rented to make blocked websites accessible in China were being targeted by a Distributed Denial of Service (DDoS) attack. On March 26, two GitHub pages run by also came under the same type of attack. Both attacks appear targeted at services designed to circumvent Chinese censorship. A report released by fingered malicious Javascript returned by Baidu servers as the source of the attack.[1] Baidu denied that their servers were compromised.

Several previous technical reports[3] have suggested that the Great Firewall of China orchestrated these attacks by injecting malicious Javascript into Baidu connections. This post describes our analysis of the attack, which we were able to observe until April 8, 2015.

We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.

The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of “bystander” systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system,[4] affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.

Section 2 locates and characterizes the Great Cannon as a separate system
Section 3 analyzes DDoS logs and characterizes the distribution of affected systems
Section 4 presents our attribution of the Great Cannon to the Government of China
Section 5 addresses the policy context and implications
Section 6 addresses the possibility of using the Great Cannon for targeted exploitation of individual users.

Section 2: The Firewall & The Cannon: Separate Systems, Significant Similarities

Figure 1. Simplified logical topology of the Great Cannon and Great Firewall

In general, a firewall serves as an in-path barrier between two networks: all traffic between the networks must flow through the firewall. In contrast, an on-path system like the Chinese “Great Firewall” (GFW) sits off to the side: it eavesdrops on traffic between China and the rest of the world (TAP in Figure 1), and terminates requests for banned content (for example, upon seeing a request for “”,[5] regardless of actual destination server) by injecting a series of forged TCP Reset (RST) packets that tell both the requester and the destination to stop communicating (INJECT RST in Figure 1).[6] On-path systems have architectural advantages for censorship, but are less flexible and stealthy than in-path systems as attack tools, because while they can inject additional packets, they cannot prevent in-flight packets (packets that have already been sent) from reaching their destination.[7] Thus, one generally can identify the presence of an on-path system by observing anomalies resulting from the presence of both injected and legitimate traffic.

The GFW keeps track of connections and reassembles the packets (“TCP bytestream reassembly”) to determine if it should block traffic. This reassembly process requires additional computational resources, as opposed to considering each packet in isolation, but allows better accuracy in blocking. While a web request often fits within a single packet, web replies may be split across several packets, and the GFW needs to reassemble these packets to understand whether a web reply contains banned content. On any given physical link (e.g., a fiber optic cable), the GFW runs its reassembly and censorship logic in multiple parallel processes[9] (perhaps running on a cluster of many different computers). Each process handles a subset of the link’s connections, with all packets on a connection going to the same process.
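The anomalies that betray an on-path RST injector, worked as an added example (this code is not from the report; the packet trace, addresses and TTL values are constructed). Because an on-path system can inject packets but cannot stop packets already in flight, a capture taken at either endpoint shows two tell-tales: a RST whose IP TTL differs from the TTL the same endpoint used during its handshake (the forgery left a different host at a different hop distance), and data that still arrives from an endpoint after that endpoint has supposedly reset the connection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: S, A, P, R, F
    ttl: int        # IP TTL as seen at the capture point
    plen: int = 0   # TCP payload length


def conn_key(p):
    """Direction-independent connection key (both halves of the 4-tuple, sorted)."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def find_injection_anomalies(packets):
    """Return [(kind, packet)] for packets that reveal an injector beside the path.

    "ttl_mismatch":   a RST whose TTL differs from the TTL this endpoint showed on
                      its SYN / SYN-ACK; it was emitted from a different hop distance.
    "data_after_rst": a non-RST packet from an endpoint that already 'sent' a RST on
                      this connection. A real endpoint drops its state on RST, so the
                      RST and the later data cannot both be genuine.
    """
    baseline = {}   # (conn, sender) -> TTL of that sender's handshake packet
    reset_at = {}   # (conn, sender) -> time of the first RST attributed to sender
    findings = []
    for p in sorted(packets, key=lambda q: q.t):
        who = (conn_key(p), (p.src, p.sport))
        if "S" in p.flags and who not in baseline:
            baseline[who] = p.ttl
        if "R" in p.flags:
            if who in baseline and p.ttl != baseline[who]:
                findings.append(("ttl_mismatch", p))
            reset_at.setdefault(who, p.t)
        elif who in reset_at:
            findings.append(("data_after_rst", p))
    return findings


# Constructed trace: a client outside the filtered network fetches a page whose
# request matches the filter. Addresses, ports and TTLs are made up for the example.
CLIENT, SERVER = ("10.0.0.5", 40000), ("203.0.113.7", 80)
TRACE = [
    Pkt(0.000, *CLIENT, *SERVER, "S",  ttl=57),
    Pkt(0.050, *SERVER, *CLIENT, "SA", ttl=49),
    Pkt(0.051, *CLIENT, *SERVER, "A",  ttl=57),
    Pkt(0.052, *CLIENT, *SERVER, "PA", ttl=57, plen=120),    # GET for a filtered name
    # Forged resets, one toward each endpoint, sent by the injector beside the path.
    Pkt(0.060, *SERVER, *CLIENT, "R",  ttl=44),
    Pkt(0.060, *CLIENT, *SERVER, "R",  ttl=251),
    # The genuine reply was already in flight; the injector cannot recall it.
    Pkt(0.095, *SERVER, *CLIENT, "PA", ttl=49, plen=1400),
    Pkt(0.096, *SERVER, *CLIENT, "PA", ttl=49, plen=900),
]

if __name__ == "__main__":
    for kind, p in find_injection_anomalies(TRACE):
        print(f"{p.t:.3f} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:2} ttl={p.ttl} {kind}")
```

Both checks are heuristics about presence, not prevention: a forged RST whose TTL happens to match the endpoint's, sent on a connection with no reply still in flight, would pass unnoticed. The forged RSTs also have to carry a sequence number inside the receiver's window to be accepted, which is one reason an on-path censor tracks connection state rather than matching packets in isolation.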
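Why bytestream reassembly matters, and how per-connection dispatch keeps it tractable, as an added example (this is not the report's code; the HTTP reply, the keyword, the addresses and the worker count are constructed). The reply is split so that the keyword straddles a segment boundary, the segments arrive out of order, and one is retransmitted: a per-packet match misses it, a reassembled stream does not. The dispatcher hashes a direction-independent connection key so that every packet of a connection, whichever way it is travelling, lands on the same worker.

```python
import hashlib
from collections import defaultdict

# Constructed placeholder; the report's actual filtered string is not reproduced here.
BANNED = b"BANNED-KEYWORD"


def flow_id(src, sport, dst, dport):
    """Direction-independent connection key: both halves of a connection map alike."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def worker_for(fid, nworkers):
    """Stable hash of the connection key -> worker index, so all packets of a
    connection are handled by one reassembly process."""
    digest = hashlib.sha256(repr(fid).encode()).digest()
    return int.from_bytes(digest[:4], "big") % nworkers


class StreamReassembler:
    """Rebuilds one direction of a TCP byte stream from segments that may arrive
    out of order, duplicated, or partially overlapping (retransmissions)."""

    def __init__(self, isn):
        self.next_seq = isn      # sequence number of the next byte we expect
        self.pending = {}        # seq -> payload for segments that arrived early
        self.stream = bytearray()

    def add(self, seq, payload):
        end = seq + len(payload)
        if end <= self.next_seq:
            return                                   # pure retransmission, nothing new
        if seq < self.next_seq:                      # partial overlap: keep only the new tail
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        if seq > self.next_seq:                      # hole before it: hold until filled
            self.pending[seq] = payload
            return
        self.stream += payload
        self.next_seq = end
        while self.pending and min(self.pending) <= self.next_seq:
            s = min(self.pending)
            self.add(s, self.pending.pop(s))        # drain segments that are now in order


def per_packet_match(segments, keyword=BANNED):
    """Stateless check: does any single segment, on its own, contain the keyword?"""
    return any(keyword in payload for _, payload in segments)


def stream_match(segments, isn, keyword=BANNED):
    """Stateful check: reassemble first, then search. Returns (matched, stream_bytes)."""
    r = StreamReassembler(isn)
    for seq, payload in segments:
        r.add(seq, payload)
    return keyword in r.stream, bytes(r.stream)


def dispatch(packets, nworkers=4):
    """Group (src, sport, dst, dport) tuples by the worker that would process them."""
    by_worker = defaultdict(list)
    for src, sport, dst, dport in packets:
        by_worker[worker_for(flow_id(src, sport, dst, dport), nworkers)].append((src, sport, dst, dport))
    return dict(by_worker)


# Constructed web reply, cut so the keyword spans two segments; the segments
# arrive out of order and the first one is retransmitted.
ISN = 1000
REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html>see BANNED-KEYWORD for details</html>")
_cut1 = REPLY.index(b"KEYWORD")   # first segment ends with "BANNED-"
_cut2 = _cut1 + 12                # second segment is "KEYWORD for "
SEGMENTS = [
    (ISN, REPLY[:_cut1]),
    (ISN + _cut2, REPLY[_cut2:]),      # arrives before its predecessor
    (ISN + _cut1, REPLY[_cut1:_cut2]),
    (ISN, REPLY[:_cut1]),              # retransmitted first segment
]

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SEGMENTS))                 # False
    matched, data = stream_match(SEGMENTS, ISN)
    print("reassembled match:", matched, "stream intact:", data == REPLY)  # True True
    print(dispatch([("10.0.0.5", 40000, "203.0.113.7", 80),
                    ("203.0.113.7", 80, "10.0.0.5", 40000)]))
```

The reassembler is deliberately minimal: it has no window limit, no timeout for holes that never fill, and no policy for conflicting overlaps, each of which a real system must bound or an attacker can exhaust its memory or desynchronise it from the endpoint's view of the stream. Note also that the direction-independent key is what lets a single worker see both the request that triggered a match and the reply it must reset.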