RSTs and the Chinese firewall

Clayton et al. have a new paper about the Chinese content filtering firewall and how to defeat it. The basic observation is that the firewall doesn't actually block traffic that it doesn't like--that would require too much work on the part of the router--but rather forges TCP RST packets. If the endpoints ignore the RSTs then they can communicate without interruption.

Of course, RSTs aren't the only way to DoS a TCP connection. One obvious approach is to inject bogus data into the stream. If you're lucky and the forged bytes land in the HTTP headers (e.g., because you forge the packets immediately after observing the SYN or SYN/ACK), one side will abort the connection. Interestingly, secure channel protocols can make the problem much worse: TLS, for instance, aborts the connection if it detects any MAC error (this is a common complaint about TLS, but it is pretty inherent in running it over TCP). You can, of course, make protocols that are much more resistant to this form of attack--IPsec, for example--but it more or less has to be done below the TCP layer.
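To make concrete what "ignoring the RSTs" means at the receiving end, here is an added example (my own code, not from the post or from the Clayton et al. paper) that parses a TCP segment and applies three receive-side policies to an incoming RST: the classic RFC 793 rule (any RST whose sequence number falls in the receive window kills the connection), the RFC 5961 rule (only a RST with exactly the expected sequence number is honoured; an in-window but inexact one gets a challenge ACK), and a blanket "ignore" policy. The port numbers, sequence numbers and window size are constructed. The comparison shows why RFC 5961 is a defence against *blind* injection only: a forger that sat on the path and saw the handshake knows the exact sequence number, so against that adversary the endpoints have to drop RSTs altogether, which is what the post describes.

```python
"""Model of how a TCP receiver decides whether an incoming RST is genuine.

Added example, not code from the post or the paper it discusses. Three
receive-side policies are modelled:
  rfc793  - any RST whose seq falls in the receive window tears the
            connection down (classic behaviour).
  rfc5961 - only a RST with seq == RCV.NXT is accepted; an in-window but
            inexact RST draws a challenge ACK instead.
  ignore  - RSTs are never acted on (the post's "endpoints ignore the RSTs").
All connection parameters below are constructed sample values.
"""
import struct
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MOD = 1 << 32


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes


def parse_tcp(raw: bytes) -> TcpSegment:
    """Parse a TCP segment (header plus payload, no IP header)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_off = (off_flags >> 12) * 4          # header length in bytes, options included
    if data_off < 20 or data_off > len(raw):
        raise ValueError("bad data offset")
    return TcpSegment(sport, dport, seq, ack, off_flags & 0x1FF, win, raw[data_off:])


def build_tcp(sport, dport, seq, ack, flags, window=65535, payload=b"") -> bytes:
    """Build a minimal TCP segment with no options (checksum left zero)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + payload


class Receiver:
    """Receive side of one ESTABLISHED connection."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int, policy: str = "rfc5961"):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.policy = policy
        self.state = "ESTABLISHED"
        self.challenge_acks = 0

    def in_window(self, seq: int) -> bool:
        # Sequence-space arithmetic: distance from RCV.NXT modulo 2**32.
        return (seq - self.rcv_nxt) % SEQ_MOD < self.rcv_wnd

    def handle(self, raw: bytes) -> str:
        seg = parse_tcp(raw)
        if not seg.flags & RST:
            return "data"          # ordinary data handling is out of scope here
        if self.policy == "ignore":
            return "dropped"       # never honour a RST at all
        if not self.in_window(seg.seq):
            return "dropped"       # RFC 793: an out-of-window RST is discarded
        if self.policy == "rfc793" or seg.seq == self.rcv_nxt:
            self.state = "CLOSED"
            return "reset"
        # RFC 5961: in-window but not the exact expected sequence number.
        # Answer with a challenge ACK; a peer that really did reset will reply
        # with a RST carrying the exact sequence number.
        self.challenge_acks += 1
        return "challenge-ack"


def demo():
    """Run a blind guess and an exact (on-path) RST against each policy."""
    rcv_nxt, wnd = 1_000_000, 65535          # constructed connection state
    blind_guess = rcv_nxt + 4000             # in window, but not RCV.NXT
    results = {}
    for policy in ("rfc793", "rfc5961", "ignore"):
        r = Receiver(rcv_nxt, wnd, policy)
        results[policy] = (
            r.handle(build_tcp(80, 40000, blind_guess, 0, RST)),   # blind injector
            r.handle(build_tcp(80, 40000, rcv_nxt, 0, RST)),       # forger who saw the handshake
        )
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(f"{policy:8s} blind={outcome[0]:14s} exact={outcome[1]}")
```

Under `rfc793` both forged RSTs reset the connection; under `rfc5961` only the exact one does; under `ignore` neither does, and a genuine RST from the real peer would be lost too, which is the trade-off the comments below debate.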


OR just send a FIN rather than a RST.

Additionally, the bypass requires modification on BOTH sides of the "great firewall". If you have software on both sides of the firewall, there are far more subtle things you can do.

Nick: interesting point about the FIN, but with HTTP/1.1 you can use the content-length values as your end-of-message indicators and ignore the FIN. I mostly agree with the point about modifications on both sides, but I think the implied argument here is that the modifications (suppressing RSTs) are trivial, rather than requiring new stack components or a proxy.

Simplest fix would be to take a wireless router box and do a firmware mod. Most of them use Linux and there are alternative software images.

Instead of passing the RST through immediately the modified software would simply delay it until it could be sure it was genuine. If it was spurious then it would be suppressed.

The advantage of doing this over modifying a PC is that it is much easier to deploy and much harder for the modification to be detected. A modified TCP/IP stack is going to be immediately apparent to any investigator; they could even send out a trojan to detect the modified stacks. A modified wireless router would be much harder to detect.

EKR: But the problem with the advocated position is that it is breaking TCP but without benefit:

It would be easy to just inject routes for (Connection suspicious, need more analysis) and put things completely inline.

Or to build a trivial connection-tuple-blocker. I've built one in fact, for Gigabit line rates (although currently a bug craps it out at 450 Mbps). Design me a nice FPGA board with OC192 links or 10 GigE and a QDR-SRAM and I'll show you how to do it at core backbone speed.

It's easy to bring the blocking inline.

Also, it's easy to detect the ignore-RST behavior: if the IDS sees that the system is ignoring resets, you now know someone who's not just being stupid, but deliberately trying to evade your censorship (allowing you to send in the goon squad).

Nick: no big argument from me here...
