DOCSLIB.ORG

An Analysis of China's “Great Cannon”

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Analysis of China's “Great Cannon” An Analysis of China’s “Great Cannon” Bill Marczak Nicholas Weaver Jakub Dalek Roya Ensafi UC Berkeley, Citizen Lab ICSI, UC Berkeley Citizen Lab Princeton University David Fifield Sarah McKune Arn Rey John Scott-Railton Ron Deibert UC Berkeley Citizen Lab Citizen Lab Citizen Lab Vern Paxson ICSI, UC Berkeley Abstract content as a man-in-the-middle. The operational deployment of the GC represents a On March 16th, 2015, the Chinese censorship apparatus em- significant escalation in state-level information control: ployed a new tool, the “Great Cannon”, to engineer a denial- of-service attack on GreatFire.org, an organization dedicated the normalization of the widespread use of an attack tool to resisting China’s censorship. We present a technical analy- to enforce censorship by weaponizing users. Specifi- sis of the attack and what it reveals about the Great Cannon’s cally, the GC manipulates the traffic of “bystander” sys- working, underscoring that in essence it consitutes a selective tems outside China, silently programming their browsers nation-state Man-in-the-Middle attack tool. Although sharing to create a massive DDoS attack. While in this case em- some code similarities and network locations with the Great ployed for a highly visible attack, the GC clearly has Firewall, the Great Cannon is a distinct tool, designed to com- the capability for use in a manner similar to the NSA’s promise foreign visitors to Chinese sites. We identify the Great QUANTUM system [48], affording China the opportu- Cannon’s operational behavior, localize it in the network topol- nity to deliver exploits targeting any foreign computer ogy, verify its distinctive side-channel, and attribute the system that communicates with any China-based website not as likely operated by the Chinese government. We also discuss fully protected by HTTPS. the substantial policy implications raised by its use, including the potential imposition on any user whose browser might visit We begin in x 2 with a review of the Great Firewall’s (even inadvertently) a Chinese web site. operation, and then describe how the GC operates in x 3. We analyze the history of the injections as observed at 1 Introduction a medium-sized enterprise (x 4) and the impact of the Great Cannon in the DoS attack on GreatFire.org in x 5. On March 16, 2015, GreatFire.org observed that Ama- In x 6 we provide the technical basis for attributing the zon CloudFront services they rented to make blocked operation of the GC to the Chinese government, and dis- websites accessible in China were targeted by a dis- cuss the consequent policy implications in x 7. We re- tributed denial-of-service (DDoS) attack. On March 26, flect on some plausible enhancements that the GC’s op- two GitHub pages run by GreatFire.org also came under erators could employ (x 8) and offer final conclusions the same type of attack. The attacker targeted services in x 9. designed to circumvent Chinese censorship. A report released by GreatFire.org fingered malicious Javascript 2 Review of The Great Firewall returned by Baidu servers as the source of the at- tack [25]. Baidu denied that their servers were compro- In general, firewalls serve as in-path barriers between mised [42]. Several previous technical reports [5, 36, 41] networks: all traffic between the networks must flow suggested that the Great Firewall of China (GFW) or- through the firewall. Thus the name is actually a chestrated these attacks by injecting malicious Javascript misnomer for China’s “Great Firewall”, which instead into Baidu connections as they transited China’s network operates as an on-path system. The GFW eaves- border. drops on traffic between China and the rest of the In this work we show that while the attack infrastruc- world (TAP in Figure1), and terminates requests for ture was co-located with the GFW, the perpetrators car- banned content (for example, upon seeing a request for ried out the attack using a separate offensive system, “http://www.google.com/?falun”, regardless of the ac- with different capabilities and design, that we term the tual destination server) by injecting a series of forged “Great Cannon” (GC). The Great Cannon is not simply TCP Reset (RST) packets that tell both the requester and an extension of the Great Firewall, but a distinct attack the destination to stop communicating [15]. tool that hijacks traffic to (or presumably from) individ- On-path systems have architectural advantages for ual IP addresses, and can arbitrarily replace unencrypted censorship due to their less disruptive nature in the pres- Figure 2: The Great Cannon’s decision flow Figure 1: A simplified logical topology of the Great Cannon and Great Firewall examine all traffic on a link, but only intercepts traffic to (or presumably from) a set of targeted addresses. It ence of failure, but are less flexible and stealthy than is plausible that this reduction of the full traffic stream in-path systems as attack tools, because while they can to just a (likely small) set of addresses significantly aids inject additional packets, they cannot prevent in-flight with enabling the system to keep up with the very high packets (packets already sent) from reaching their desti- volume of traffic: the GC’s full processing pipeline only nation [49]. Thus, one generally can identify the pres- has to operate on the much smaller stream of traffic to ence of an on-path system interacting with active flows or from the targeted addresses. In addition, the GC only by observing anomalies resulting from the presence of examines individual packets in determining whether to both the injected and legitimate traffic. take action, avoiding the computational costs of TCP The GFW keeps track of connections and reassem- bytestream reassembly. The GC also maintains a flow bles their packets to determine if it should block traf- cache of connections that it uses to ignore recent con- fic [29]. As opposed to considering each packet in iso- nections it has deemed no longer requiring examination. lation, this reassembly process requires additional com- We also show that the GC however shares several fea- putational resources, but facilitates better blocking ac- tures with the GFW. Like the GFW, the GC also uses a curacy. While a web request usually fits within a single multi-process design, with different source IP addresses packet, web replies may be split across several packets, handled by distinct processes. The packets injected by and the GFW needs to reassemble these packets to un- the GC have the same peculiar TTL side-channel as derstand whether a web reply contains banned content. those injected by the GFW, suggesting that both the On any given physical link, the GFW runs its re- GFW and the GC likely share some common code. We assembly and censorship logic in multiple parallel pro- find the GC deployed at the same network locations as cesses [4] (perhaps running on a cluster of many differ- the GFW. Taken together, these findings suggest that al- ent computers). Each process handles a subset of the though the GC and GFW are independent systems with link’s connections, with all packets on a connection go- different functionality, there are significant structural re- ing to the same process. This load-balanced architec- lationships between the two. ture reflects a common design decision when a physi- In the attack on GitHub and GreatFire.org, the GC cal link carries more traffic than a single computer can intercepted traffic sent to Baidu infrastructure servers track [46]. Each GFW process also exhibits a highly dis- that host commonly used analytics, social, or advertis- tinctive side-channel—it progressively increments the ing scripts. If the GC saw a request for certain Javascript IP TTL field on successive packets injected into the same files on one of these servers, it appeared to probabilisti- connection [4]. cally take one of two actions: it either passed the request on to Baidu’s servers unmolested (roughly 98.25% of the 3 The Great Cannon time), or it dropped the request before it reached Baidu The Great Cannon differs from the GFW: the GC oper- and instead sent a malicious script back to the request- ates as an in-path system, capable of not only injecting ing user (roughly 1.75% of the time). In this case, the traffic but also directly suppressing traffic. Doing so en- requesting user is an individual outside China browsing ables it to act as a full “man-in-the-middle” (MITM) for a website making use of a Baidu infrastructure server targeted flows. We show that the GC does not actively (e.g., a website with ads served by Baidu’s ad network). The malicious script enlisted the requesting user as an port, we sent one request designed to trigger GC injec- unwitting participant in the DDoS attack against Great- tion, followed by a request designed to trigger GFW in- Fire.org and GitHub. Figure2 shows our overall view of jection. We repeated the experiment from a number of the GC’s decision flow. source ports. While packets injected by both the GFW and GC exhibited a similar (peculiar) TTL side-channel 3.1 Evaluating the GC’s Functionality (previously reported in [4]) indicative of shared code be- We began our investigation by confirming the continued tween the two systems, we found no apparent correlation normal operation of the GFW’s censorship features.1 between the GFW and GC TTL values themselves. We did so with measurements between our test system The GC appears to be co-located with the GFW. outside of China and a Baidu server that we observed We used the same TTL technique to localize the GC on returning the malicious Javascript.
Load more

Recommended publications
  • Internet Surveillance in China
    The Architecture of Control: Internet Su rveillance in China James A. Lewis , Center for Strategic and International Studies July 200 6 Security concerns shape China’s official internet and information technology strateg ies . Th ese include concerns shared by many cou nt ries: promoting a strong and growing economy , providing information assurance , and defending against foreign intrusions into China’s information space . Most importantly for the Chinese, information security include s a political element not foun d in many other nations – c ontrol by the party and the state over communications and the flow of informa tion . The rapid spread of internet access and mobile communications pose a serious challenge to this goal. In response, China’s security apparatus is reorienting its informational defenses. In the past, the emphasi s was on blocking access - the “great firewall.” In the future, the emphasis will be on the monitoring and surveillance of online activities. China’s primary objective in internet securi ty is political – preventing IT from eroding the regime’s authority. Information security is defined in China as “a comprehensive concept understood in a broad sense, and it involves political, economic, cultural, ideological, media, social and military l evel or field. ” It includes “data, system, network, infrastructure .”1 Chin ese officials worry about the potential of the Internet to contribute to the loss of state secrets , offer new avenues for organizing dissent and opposition , and spread “harmful inf ormation. ” This makes controlling access to "harmful network information” and the ability to monitor and intercept communications top priorities .2 For China’s leadership, one particular set of event s demonstrated the risks of not securing networks.
    [Show full text]
  • China, Encryption Policy, and International Influence 3
    A HOOVER INSTITUTION ESSAY China, Encryption Policy, and International Influence ADAM SEGAL Series Paper No. 1610 Hanging over the stand-off between the FBI and Apple over access to an encrypted iPhone used by one of the San Bernardino attackers was the question: What would China do?1 If Apple created unique software that allowed Washington access to the phone, would that open the door for Beijing to make similar demands on the company and all other foreign technology firms operating in China? As Senator Ron Wyden of Oregon argued, “This move by the FBI could snowball around the world. Why in the world would our government want to give repressive regimes in Russia and China a blueprint for forcing American companies to create a backdoor?”2 There was, at least at the rhetorical level, interaction between Chinese and US policymakers on the question of encryption. An early draft of China’s counterterrorism Law and Technology, Security, National law, for example, included provisions requiring the installation of backdoors and the reporting of encryption keys. President Barack Obama criticized these provisions in a March 2015 interview with Reuters, claiming they “would essentially force all foreign companies, including US companies, to turn over to the Chinese government mechanisms where they could snoop and keep track of all the users of those services.” He added, “We’ve made very clear to them [the Chinese government] that this is something they’re going to have to change if they expect to do business with the United States.”3 A few days
    [Show full text]
  • Trapped in a Virtual Cage: Chinese State Repression of Uyghurs Online
    Trapped in a Virtual Cage: Chinese State Repression of Uyghurs Online Table of Contents I. Executive Summary..................................................................................................................... 2 II. Methodology .............................................................................................................................. 5 III. Background............................................................................................................................... 6 IV. Legislation .............................................................................................................................. 17 V. Ten Month Shutdown............................................................................................................... 33 VI. Detentions............................................................................................................................... 44 VII. Online Freedom for Uyghurs Before and After the Shutdown ............................................ 61 VIII. Recommendations................................................................................................................ 84 IX. Acknowledgements................................................................................................................. 88 Cover image: Composite of 9 Uyghurs imprisoned for their online activity assembled by the Uyghur Human Rights Project. Image credits: Top left: Memetjan Abdullah, courtesy of Radio Free Asia Top center: Mehbube Ablesh, courtesy of
    [Show full text]
  • China's Global Media Footprint
    February 2021 SHARP POWER AND DEMOCRATIC RESILIENCE SERIES China’s Global Media Footprint Democratic Responses to Expanding Authoritarian Influence by Sarah Cook ABOUT THE SHARP POWER AND DEMOCRATIC RESILIENCE SERIES As globalization deepens integration between democracies and autocracies, the compromising effects of sharp power—which impairs free expression, neutralizes independent institutions, and distorts the political environment—have grown apparent across crucial sectors of open societies. The Sharp Power and Democratic Resilience series is an effort to systematically analyze the ways in which leading authoritarian regimes seek to manipulate the political landscape and censor independent expression within democratic settings, and to highlight potential civil society responses. This initiative examines emerging issues in four crucial arenas relating to the integrity and vibrancy of democratic systems: • Challenges to free expression and the integrity of the media and information space • Threats to intellectual inquiry • Contestation over the principles that govern technology • Leverage of state-driven capital for political and often corrosive purposes The present era of authoritarian resurgence is taking place during a protracted global democratic downturn that has degraded the confidence of democracies. The leading authoritarians are ABOUT THE AUTHOR challenging democracy at the level of ideas, principles, and Sarah Cook is research director for China, Hong Kong, and standards, but only one side seems to be seriously competing Taiwan at Freedom House. She directs the China Media in the contest. Bulletin, a monthly digest in English and Chinese providing news and analysis on media freedom developments related Global interdependence has presented complications distinct to China. Cook is the author of several Asian country from those of the Cold War era, which did not afford authoritarian reports for Freedom House’s annual publications, as regimes so many opportunities for action within democracies.
    [Show full text]
  • Who Set the Narrative? Assessing the Influence of Chinese Media in News Coverage of COVID-19 in 30 African Countries the Size Of
    Who Set the Narrative? Assessing the Influence of Chinese Media in News Coverage of COVID-19 in 30 African Countries The size of China’s State-owned media’s operations in Africa has grown significantly since the early 2000s. Previous research on the impact of increased Sino-African mediated engagements has been inconclusive. Some researchers hold that public opinion towards China in African nations has been improving because of the increased media presence. Others argue that the impact is rather limited, particularly when it comes to affecting how African media cover China- related stories. This paper seeks to contribute to this debate by exploring the extent to which news media in 30 African countries relied on Chinese news sources to cover China and the COVID-19 outbreak during the first half of 2020. By computationally analyzing a corpus of 500,000 news stories, I show that, compared to other major global players (e.g. Reuters, AFP), content distributed by Chinese media (e.g. Xinhua, China Daily, People’s Daily) is much less likely to be used by African news organizations, both in English and French speaking countries. The analysis also reveals a gap in the prevailing themes in Chinese and African media’s coverage of the pandemic. The implications of these findings for the sub-field of Sino-African media relations, and the study of global news flows is discussed. Keywords: China-Africa, Xinhua, news agencies, computational text analysis, big data, intermedia agenda setting Beginning in the mid-2010s, Chinese media began to substantially increase their presence in many African countries, as part of China’s ambitious going out strategy that covered a myriad of economic activities, including entertainment, telecommunications and news content (Keane, 2016).
    [Show full text]
  • New Media in New China
    NEW MEDIA IN NEW CHINA: AN ANALYSIS OF THE DEMOCRATIZING EFFECT OF THE INTERNET __________________ A University Thesis Presented to the Faculty of California State University, East Bay __________________ In Partial Fulfillment of the Requirements for the Degree Master of Arts in Communication __________________ By Chaoya Sun June 2013 Copyright © 2013 by Chaoya Sun ii NEW MEOlA IN NEW CHINA: AN ANALYSIS OF THE DEMOCRATIlING EFFECT OF THE INTERNET By Chaoya Sun III Table of Contents INTRODUCTION ............................................................................................................. 1 PART 1 NEW MEDIA PROMOTE DEMOCRACY ................................................... 9 INTRODUCTION ........................................................................................................... 9 THE COMMUNICATION THEORY OF HAROLD INNIS ........................................ 10 NEW MEDIA PUSH ON DEMOCRACY .................................................................... 13 Offering users the right to choose information freely ............................................... 13 Making free-thinking and free-speech available ....................................................... 14 Providing users more participatory rights ................................................................. 15 THE FUTURE OF DEMOCRACY IN THE CONTEXT OF NEW MEDIA ................ 16 PART 2 2008 IN RETROSPECT: FRAGILE CHINESE MEDIA UNDER THE SHADOW OF CHINA’S POLITICS ...........................................................................
    [Show full text]
  • RSA-512 Certificates Abused in the Wild
    RSA-512 Certificates abused in the wild During recent weeks we have observed several interesting publications which have a direct relation to an investigation we worked on recently. On one hand there was a Certificate Authority being revoked by Mozilla, Microsoft and Google (Chrome), on the other hand there was the disclosure of a malware attack by Mikko Hypponen (FSecure) using a government issued certificate signed by the same Certificate Authority. That case however is not self-contained and a whole range of malicious software had been signed with valid certificates. The malicious software involved was used in targeted attacks focused on governments, political organizations and the defense industry. The big question is of course, what happened, and how did the attackers obtain access to these certificates? We will explain here in detail how the attackers have used known techniques to bypass the Microsoft Windows code signing security model. Recently Mikko Hypponen wrote a blog on the F-Secure weblog (http://www.f-secure.com/weblog/archives/00002269.html) detailing the discovery of a certificate used to sign in the wild malware. Specifically this malware was embedded in a PDF exploit and shipped in August 2011. Initially Mikko also believed the certificate was stolen, as that is very common in these days, with a large amount of malware families having support, or optional support, for stealing certificates from the infected system. Apparently someone Mikko spoke to mentioned something along the lines that it had been stolen a long time ago. During the GovCert.nl symposium Mikko mentioned the certificate again, but now he mentioned that according to the people involved with investigating the case in Malaysia it likely wasn't stolen.
    [Show full text]
  • Xi Jinping's Address to the Central Conference On
    Xi Jinping’s Address to the Central Conference on Work Relating to Foreign Affairs: Assessing and Advancing Major- Power Diplomacy with Chinese Characteristics Michael D. Swaine* Xi Jinping’s speech before the Central Conference on Work Relating to Foreign Affairs—held November 28–29, 2014, in Beijing—marks the most comprehensive expression yet of the current Chinese leadership’s more activist and security-oriented approach to PRC diplomacy. Through this speech and others, Xi has taken many long-standing Chinese assessments of the international and regional order, as well as the increased influence on and exposure of China to that order, and redefined and expanded the function of Chinese diplomacy. Xi, along with many authoritative and non-authoritative Chinese observers, presents diplomacy as an instrument for the effective application of Chinese power in support of an ambitious, long-term, and more strategic foreign policy agenda. Ultimately, this suggests that Beijing will increasingly attempt to alter some of the foreign policy processes and power relationships that have defined the political, military, and economic environment in the Asia- Pacific region. How the United States chooses to respond to this challenge will determine the Asian strategic landscape for decades to come. On November 28 and 29, 2014, the Central Chinese Communist Party (CCP) leadership convened its fourth Central Conference on Work Relating to Foreign Affairs (中央外事工作会)—the first since August 2006.1 The meeting, presided over by Premier Li Keqiang, included the entire Politburo Standing Committee, an unprecedented number of central and local Chinese civilian and military officials, nearly every Chinese ambassador and consul-general with ambassadorial rank posted overseas, and commissioners of the Foreign Ministry to the Hong Kong Special Administrative Region and the Macao Special Administrative Region.
    [Show full text]
  • Framing International Education in Global Times
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Scholarship@Western Western University Scholarship@Western Education Publications Education Faculty 2019 Framing International Education in Global Times Paul Tarc Western University, [email protected] Follow this and additional works at: https://ir.lib.uwo.ca/edupub Part of the Education Commons Citation of this paper: Tarc, P. (2019). Internationalization of Education as an Emerging Field of Study? A Conceptualization of International Education for Cross-domain Analyses. Policy Futures in Education, 17(6), 732-744. Framing International Education in Global Times – WORKING PAPER by Paul Tarc, PhD [email protected] International education (IE) is a complex and historically-inflected term, which means that its meanings and uses shift in relation to larger geopolitical, economic and social conditions. Indeed, the ebb and flow of IE somewhat mirrors or follows the larger historical conditions of conflict, war, resolution, nationalisms, internationalisms and protectionisms as energized by the most powerful nation-states and blocs. In the 20th Century, in parallel with internationalist and peace movements, IE gained traction in the aftermath of large-scale war. One of the most radical institutional expressions of internationalism for its time—the League of Nations—emerged in the 1920s in the wake of the devastation and unresolved animosities of the First World War. The creation of the League of Nations and the International Labour Organization in Geneva Switzerland, produced the conditions for the birth of what is now considered the longest-running international school, the International School of Geneva. The next period where internationalism and international education peaked in the 1960s and early 1970s occurred, again, in the decades following a ‘world war’ with the reconstruction of Europe and the decolonization of European empires.
    [Show full text]
  • Effective Censorship: Maintaining Control in China
    University of Pennsylvania ScholarlyCommons CUREJ - College Undergraduate Research Electronic Journal College of Arts and Sciences 2010 Effective Censorship: Maintaining Control In China Michelle (Qian) Yang University of Pennsylvania, [email protected] Follow this and additional works at: https://repository.upenn.edu/curej Part of the Political Science Commons Recommended Citation Yang, Michelle (Qian), "Effective Censorship: Maintaining Control In China" 01 January 2010. CUREJ: College Undergraduate Research Electronic Journal, University of Pennsylvania, https://repository.upenn.edu/curej/118. This paper is posted at ScholarlyCommons. https://repository.upenn.edu/curej/118 For more information, please contact [email protected]. Effective Censorship: Maintaining Control In China Keywords censorship, china, incentives, Social Sciences, Political Science, Devesh Kapur, Kapur, Devesh Disciplines Political Science This article is available at ScholarlyCommons: https://repository.upenn.edu/curej/118 Effective Censorship: Maintaining Control in China Michelle Yang April 09, 2010 Acknowledgments My initial interest in this thesis topic was generated during the summer of 2009 when I was interning in Beijing. There, I had found myself unable to access a large portion of the websites I’ve grown so accustomed to in my everyday life. I knew from then that I wanted to write about censorship in China. Since that summer, the scope of the topic has changed greatly under the careful guidance of Professor Devesh Kapur. I am incredibly grateful for all the support he has given me during this entire process. This final thesis wouldn’t be what it is today without his guidance. Professor Kapur, thank you for believing in me and for pushing me to complete this thesis! I would also like to extend my gratitude to both Professor Doherty-Sil and Professor Goldstein for taking time out of their busy schedules to meet with me and for providing me with indispensible advice.
    [Show full text]
  • Forescout Counteract® Endpoint Support Compatibility Matrix Updated: October 2018
    ForeScout CounterACT® Endpoint Support Compatibility Matrix Updated: October 2018 ForeScout CounterACT Endpoint Support Compatibility Matrix 2 Table of Contents About Endpoint Support Compatibility ......................................................... 3 Operating Systems ....................................................................................... 3 Microsoft Windows (32 & 64 BIT Versions) ...................................................... 3 MAC OS X / MACOS ...................................................................................... 5 Linux .......................................................................................................... 6 Web Browsers .............................................................................................. 8 Microsoft Windows Applications ...................................................................... 9 Antivirus ................................................................................................. 9 Peer-to-Peer .......................................................................................... 25 Instant Messaging .................................................................................. 31 Anti-Spyware ......................................................................................... 34 Personal Firewall .................................................................................... 36 Hard Drive Encryption ............................................................................. 38 Cloud Sync ...........................................................................................
    [Show full text]
  • Shedding Light on Mobile App Store Censorship
    Shedding Light on Mobile App Store Censorship Vasilis Ververis Marios Isaakidis Humboldt University, Berlin, Germany University College London, London, UK [email protected] [email protected] Valentin Weber Benjamin Fabian Centre for Technology and Global Affairs University of Telecommunications Leipzig (HfTL) University of Oxford, Oxford, UK Humboldt University, Berlin, Germany [email protected] [email protected] ABSTRACT KEYWORDS This paper studies the availability of apps and app stores across app stores, censorship, country availability, mobile applications, countries. Our research finds that users in specific countries do China, Russia not have access to popular app stores due to local laws, financial reasons, or because countries are on a sanctions list that prohibit ACM Reference Format: Vasilis Ververis, Marios Isaakidis, Valentin Weber, and Benjamin Fabian. foreign businesses to operate within its jurisdiction. Furthermore, 2019. Shedding Light on Mobile App Store Censorship. In 27th Conference this paper presents a novel methodology for querying the public on User Modeling, Adaptation and Personalization Adjunct (UMAP’19 Ad- search engines and APIs of major app stores (Google Play Store, junct), June 9–12, 2019, Larnaca, Cyprus. ACM, New York, NY, USA, 6 pages. Apple App Store, Tencent MyApp Store) that is cross-verified by https://doi.org/10.1145/3314183.3324965 network measurements. This allows us to investigate which apps are available in which country. We primarily focused on the avail- ability of VPN apps in Russia and China. Our results show that 1 INTRODUCTION despite both countries having restrictive VPN laws, there are still The widespread adoption of smartphones over the past decade saw many VPN apps available in Russia and only a handful in China.
    [Show full text]