Researchers at the University of Cambridge discovered a way to DoS users in China using China’s own firewall/filter against them.

To quote the article (linked below), “the Chinese firewall can be used to launch denial-of-service attacks against specific IP addresses within China, including those of the Chinese government itself.

The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a “sensitive” keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time.”

Nice.

 The article goes on to say that Internet access could be denied by using this method to individual members of covernment.  I say, however that any bot herder with a political agenda on human rights, could potentially deny internet access for ALL of China.

The researchers did send their findings to the Chinese CERT. 

Human rights issues aside, it looks like they may need to rethink how they apply the technology, and we can learn a lesson as well.  Apparently, the Chinese firewall is not mindful of state – if the firewall can be fooled by just one spoofed packet, it is clear that it has no concept of state   Sure, statefull inspection at a scale this large would require massive computing power – but understand the technology and design your systems appropriatley!

- Larry

Academics break the Great Firewall of China

University of Cambridge computer experts say they breached firewall and can use it to launch denial-of-service attacks.

About the author

Leave a Reply