China 'enhances' Great Firewall, teaches it to choke off VPNs

China has tightened the screws on its infamous web-filtering system, according to virtual private network providers. The Great Firewall of China has been enhanced to "learn, discover and block" encrypted VPN protocols. Machine learning algorithms have been applied to carry out encrypted traffic analysis, something advocated by …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

and they want to do business with the rest of the world?!

I can't see how China expects to do serious business with the rest of the world by blocking or attempting to block VPN connections.

The organisation I work for has presence in China and VPN is key to secure comms back to the UK, without this our clients just won't be interested in that market full stop.

19
0
Bronze badge

Re: and they want to do business with the rest of the world?!

It's not really China that needs us, though; our decadent Western way needs the Chinese. This won't effect any business deals.

1
13
Headmaster

Re: and they want to do business with the rest of the world?!

Affect! Affect!! Using effect in this context means "this will not conclude any business deals", which actually results in you saying the opposite of what you meant!

11
1
Big Brother

Re: and they want to do business with the rest of the world?!

They really should look at a two-tiered system. Official businesses should be allowed heavily monitored access for large sums, end-users none at all.

If China want to exercise serious censorship while allowing business operations to run unfettered, this is something they should look at.

0
1
Bronze badge

Re: and they want to do business with the rest of the world?!

China and the west may not NEED each other but trade benefits both sides immensely.

Not being able to securely communicate between regional offices is a major impediment to business. If the sovereign risk is too high then business will move elsewhere.

1
0

Re: and they want to do business with the rest of the world?!

This does not effect businesses, you'll get your VPN from your premises.

0
2

Re: and they want to do business with the rest of the world?!

s/effect/affect

just learned the difference :)

0
0
FAIL

Re: and they want to do business with the rest of the world?!

It works in their interest to transparently proxy your VPN communications for a reason. You only thing you have free access through. They have your lunch.

0
0
Bronze badge
Mushroom

Re: and they want to do business with the rest of the world?!

But it will. No international company will want to open an office in China without secure communications back to HQ... And staff that visit won't be able to access their remote desktops / email / phone systems either. Big old mess...

1
1
Anonymous Coward

Re: and they want to do business with the rest of the world?!

And you know that how?

If a visiting businessman can't get his porn, it is affecting business.

I'm done with you.

0
2

Re: and they want to do business with the rest of the world?!

Europe GDP 14 TRILLION DOLLARS, U.S. 14 TRILLION DOLLARS, AND CHINA 5 TRILLION DOLLARS. We need them, do we? Hahahaha. Don't think so, buddy. Try the other way around.

By the way I live in China as an expat and the vpn embargo will probably see me leave sooner. I'm sick of the ignorance of the ruling elite here. They need to go back to common sense school. They are afraid, very afraid, and rightly so. Decisions like this will see their demise hastened and yet they feel they have so much power they could avoid it with draconian measures. History tells different stories. For instance, that new Chinese carrier, dead carrier floating if you ask me. It would be at the bottom of the sea before the western generals or Japanese generals could mutter "war".

0
0
Anonymous Coward

I can confirm this.

Freegate does not seem to be able to pass through the GFWOC (which, in my opinion, is not so great at all!)

Oh, now it works!

Eh... now it doesn't...

Now I can Facebook...

And now I can't! AAAAGGGHHH!!!

There seem to be Angels fighting Demons as we speak!

0
0
Silver badge

One should note...

The technology they are using down there is not home grown. It was sold to them by western countries. Often even specifically for those purposes.

Large scale DPI is not a dual-use technology. You don't need to look at multiple saturated 10gig links to monitor your network, you only need that to monitor your people.

5
0
K
Bronze badge
FAIL

Aside from the Scale

There is absolutely nothing impressive about this!

All "Next Generation" firewalls have the ability to analyse packets... but all they will achieve by this is people moving from PPTP and IPSec based firewalls to SSL VPNs using port 443.

2
0
Anonymous Coward

Re: Aside from the Scale

Actually, we use SSL VPN (OpenVPN based). For a couple of months now, depending on the region in China, users there can't connect anymore. The FW on our side doesn't even see a connection attempt. There are workarounds, of course.

3
0
Anonymous Coward

Why block facebook?

It shows how the capitalists failed to monetise properly and what shite they think is worth billions.

A good way to promote communism if you ask me

5
1
Unhappy

Re: Why block facebook?

Because they have a clone site for every single western "innovation"

ren ren wang = facebook

sina weibo = twitter

lashousifang = foursquare

tuangou = groupon (admittedly probably copied from China)

amongst others. They block it for two reasons:

- Free sharing of information with westerners

- All that advertising revenue would go to an american company, not to the state (which has fingers in most of the pies).

Once the Chinese ones are big enough, that they know they won't lose market share....

This is why I keep saying it's a fallacy for people to refer to China as a market. For Chinese companies it's a market. But a market by different rules. A market of face, relationships and how many cartons of cigarettes you can buy the politicians with.

Interestingly, I can confirm anecdotally that China Unicom have started cutting VPNs as soon as they're detected. I quite enjoyed having Facebook access on my smart phone over mobile (China Unicom are the only provider that supports proper 3G and HSPA), but recently, I've been unable to connect, even using "stealth" IPs from my VPN provider. Here in Guangzhou (canton) at least.

11
0

Re: Why block facebook?

Get this man to write an article.

0
0
Silver badge
Stop

Not exactly business-friendly, is it?

Does Beijing expect multinational business people to use an unsecured network connection when trying to get back onto their corporate networks? That's not going to work.

6
0

Re: Not exactly business-friendly, is it?

Rule #1 for dictators in running a country: Preserve Your Own Power by any means necessary.

There really aren't any other rules. So if it messes up people's ability to actually do business, so be it.

3
0
h3
Bronze badge

Re: Not exactly business-friendly, is it?

Probably they would expect anyone important to meet in Hong Kong. (Which is still completely unrestricted.)

0
0
Bronze badge

Re: Not exactly business-friendly, is it?

Imagine pre-quarterly reports by big companies having to go out by briefcase.

A response market, however, might involve the use of optical signaling. Microwave would require a local or national permit. Light signaling might not affect anyone, but the distance, and attempts to reach a satellite would be prohibitive. Even if feasible to transceive, the payload would probably be astonishingly low.

During the summer, I was in Shanghai, and I could not reach fb without a VPN. I was, however, able to set up a Google Plus account, but it was spotty, laggy, and seemed as if someone was screwing around with it, delaying my posts for hours if not days.

Countries expecting to be considered Tier One should not be allowed in the club if they behave this way.

I was recently considering sublicensing to Chinese nationals for manufacture some product ideas I had. After experiencing inability to see WordPress, Facebook, Wikipedia, and a slew of other sites I could outside of China, I decided to remove China from my list of business planning. So long as they act this way, I will NOT return to that country even if it is an all-expenses-paid trip.

They can spy on and inhibit their OWN people all they want, but block me from getting useful info or distractive entertainment that is on the wrong side of their firewall... Well, you do NOT deserve my money.

Grow up, China. End the corruption. Either jail or execute the most corrupt. Replace them with the "untested", but show them the execution or early-retirement vids. Allow foreigners WHO AGREE TO BE ON THEIR BEST BEHAVIOUR to go about surfing as usual. Spy on them if you must. But only go after individual violators.

One coup for China is that businesses that cannot dare send financial or competitive or HR or privacy info via plain traffic will simply pack up and leave, leaving China with little more than infrastructure: it will get nearly full ownership of left-behind assets. Carrier pigeons cannot carry cases of papers nor relay optical traffic, and optical messaging just won't carry the bandwidth. The WTO and WIPO should slam China for these and a handful of reasons alone. It is oppressive, anti-competitive, and tantamount to government-sanctioned data theft beyond crime reduction.

Sigh. Maybe the world SHOULD have ended...

0
0
Silver badge
Thumb Down

Re: Not exactly business-friendly, is it?

Unfortunately, the PRC likes to position Shanghai as a major global business hub, and probably Guangzhou, Beijing and other areas. Since China has a pretty poor reputation for protection of IP, I would think that the international business community would be incredibly hesitant to send network traffic "in the clear". They wouldn't do that in any Western nation, much less one with China's rep.

1
0

Re: Not exactly business-friendly, is it?

In typical fascist fashion, business users will have to register with the government.

Or they'll motivate (by randomly dropping packets destined to TCP/22 and 1194, etc.) people to use Government-approved VPN providers who can intercept their traffic.

The scum.

0
0
Bronze badge
FAIL

Re: Not exactly business-friendly, is it?

Yep, They'll connect securely to Big Brother, and then Big Brother will secure them to their approved business destination. All the while allowing Big Brother to monitor the in-between. It sure is a good thing that all those Chinese have their government there to protect them from themselves, not like the rest of the world where adults have to make their own choices (well some of the rest of the world).

1
0
Bronze badge
Big Brother

Only spam works at China Unicom

There hasn't been even a slight glitch in the port scans, spam, and intrusion attempts coming from China Unicom to my firewall. The official contact "abuse@cnc-noc.net" still doesn't work. It's a surprise that outgoing packet rejection still needs to be done on China's side.

0
0
Anonymous Coward

HTTPS anyone ?

It's possible to tunnel anything over pretty much anything. HTTPS used for a secure website isn't going to look much different from HTTPS used to tunnel some other VPN protocol. I don't think they are going to switch off HTTPS somehow.

I used HTTPTUNNEL for this job once a long time ago, when an employer I won't name blocked SSH, but having 2 TCP layers fight each other isn't a smooth experience. Pretty jerky and a bit slow, but it worked well enough.

0
1

This is already impacting our fledgling Chinese branch office in Shenzhen.

All calls are made over a Cisco CUCM system, connected via a VPN. We can't make internal calls anymore, and their phones can't report back to the main base unit, so they're offline. The staff there are stuck using their personal mobile phones.

Also, the branch email system runs over the VPN too. Staff in China currently can't use that either.

I'm not in a mood to create technical workarounds. I've told the Directors that it is impossible to fix, and they should rethink the idea of having a Chinese branch office. They are now considering other options, such as establishing an office in Hong Kong and working with partners in the mainland from there. They've spent a pretty big sum on the Shenzhen office, and getting local partners, but the current situation is pretty much untenable. The VPN is up and down like a yo-yo.

5
0

try this

My corp firewall does SSLVPN. Should try using it sometime. Might just fix your problem. Unless you deployed a substandard device....

0
0

Re: try this

It's not just PPTP and L2TP VPNs experiencing these issues. We use IPSec via a mix of Cisco devices and strongSwan, and are having issues.

In fact, the problems are even more widespread than that. I'm having trouble SSH-ing into our Internet-facing Linux server in China right now. The connection just keeps dropping out and we're getting errors with key-based authentication regularly.

It's like the Government there basically decided that anything other than plaintext is banned.

2
0

Up to yesterday a VPN to a facility in Shanghai did work; have to check on Monday.

0
0
Silver badge

Re: try this

Surprised they haven't forbidden all encryption already and used DPI to make sure other formats/protocols aren't being used for steganography.

0
0
Bronze badge
Mushroom

Switch to Lync - no VPN is required for secure internet access (plus a much better end user experience)

0
2
Anonymous Coward

Re: try this

Yessir, that's what I just said above, that's what's already happening.

By 2020 the EU fascists will have the same rules and "best practices".

0
0

Yah

I'm with Astrill, and they keep sending me update notices on this.

*Currently* OpenWeb works still, for websites, but Astrill's OpenVPN fails nine times out of ten. Ah well, I generally only use my VPN for surfing the net to get to blocked sites, but if that goes under it will be a *major* pain.

0
0
Silver badge

Company security

That's an end to company email whilst in China, then. More opportunity to break $MEGACORP rules by using gmail.

0
0
Unhappy

Tunnelling over 443 won't work...

They most likely kill tcp/443 connections after a few seconds, on the grounds that anything generating a large amount of data on that port is most likely a VPN. Similarly, all other SSL service ports can also be limited. Known VPN ports blocked, other ports checked for VPN protocols in the initial packets on connection. As long as you have the resources available to you that the PRC do, then this would be feasible...

Actually, I had wondered how long it would take for them to start blocking VPNs.

1
0
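The heuristic the commenter describes (a censor cannot read TLS, but can act on flows that carry far more data, for far longer, than any web session) is the same one a network defender uses to notice covert tunnels or bulk exfiltration hiding on tcp/443. The following is an added illustration, not code from the thread or from any product it mentions; the flow records are constructed and the field names are assumptions rather than those of any real NetFlow/IPFIX exporter.

```python
"""Flow-shape heuristic for VPN-like traffic on tcp/443 (added example).

Ordinary HTTPS sessions are short and download-heavy: a few kilobytes of
request, a larger response, then the connection closes. A VPN carried over
443 is long-lived, large in both directions, and roughly symmetric. Scoring
flows on those three properties is enough to surface candidates for closer
inspection on a corporate network.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    flow_id: str
    dst_port: int
    duration_s: float   # lifetime of the TCP connection
    bytes_out: int      # client -> server
    bytes_in: int       # server -> client


# Constructed sample flows: ordinary web traffic plus two tunnel-shaped ones.
SAMPLE_FLOWS = [
    Flow("f1", 443, 4.2, 9_000, 310_000),              # normal page load
    Flow("f2", 443, 30.0, 40_000, 2_100_000),          # video, download-heavy
    Flow("f3", 443, 1.1, 2_500, 18_000),               # small API call
    Flow("f4", 443, 3600.0, 180_000_000, 160_000_000), # hour-long, symmetric
    Flow("f5", 443, 900.0, 50_000_000, 48_000_000),    # same shape, shorter
    Flow("f6", 22, 600.0, 5_000_000, 4_800_000),       # SSH: not a 443 flow
]


def symmetry(flow: Flow) -> float:
    """Ratio of the smaller direction to the larger; near 1.0 means two-way bulk."""
    lo, hi = sorted((flow.bytes_out, flow.bytes_in))
    return lo / hi if hi else 0.0


def looks_like_tunnel(flow: Flow,
                      min_duration_s: float = 300,
                      min_total_bytes: int = 20_000_000,
                      min_symmetry: float = 0.5) -> bool:
    """True when a tcp/443 flow is long-lived, high-volume and roughly symmetric.

    The thresholds are assumptions chosen for the sample; tune them from a
    baseline of your own traffic before acting on the result.
    """
    total = flow.bytes_out + flow.bytes_in
    return (flow.dst_port == 443
            and flow.duration_s >= min_duration_s
            and total >= min_total_bytes
            and symmetry(flow) >= min_symmetry)


def flag_tunnel_candidates(flows) -> list:
    """Return the ids of flows that match the tunnel heuristic."""
    return [f.flow_id for f in flows if looks_like_tunnel(f)]


if __name__ == "__main__":
    print(flag_tunnel_candidates(SAMPLE_FLOWS))  # ['f4', 'f5']
```

Note what the heuristic cannot tell apart: a long video call or a WebSocket feed has the same shape as a VPN, so on a real network this is a triage signal to pair with destination reputation and TLS metadata (SNI, certificate), not a block rule on its own. That limitation is also why the commenter expects collateral damage on port 443.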
Bronze badge
Alert

Re: Tunnelling over 443 won't work...

Feel free to call me an idiot..... But why won't this work?

Firstly, VPN to a non-standard port on your own non-China-based server. Use some standard vpn encryption algorithm, but enclose it in something simple - like an XOR using a pre-agreed value on each byte.

Lots of simple wrappers could be used, e.g. XOR 8 minus 15, etc.

Wouldn't this be enough to stop the DPI recognising a known vpn protocol? Would it have to get to the stage where the only way to stop vpn is simply to block all traffic the DPI doesn't recognise?

0
0
Silver badge

Re: Tunnelling over 443 won't work...

Like I said, I'm surprised it hasn't reached that point already. Even stego has limitations against a determined adversary with enough DPI tools to recognize potential carrier streams. They could alter those streams while still presenting acceptable non-secret data: random loss of bits of data, resizing, quality reduction, etc. With these techniques, you could reduce the potential stego flow to impractical levels.

0
0
Big Brother

Steganography

Don't know how, bound to be slow, but gotta be possible.

0
1
Bronze badge

Re: Steganography

You want something which is hard for them to filter easily (i.e. using software) but painful to block outright.

So send videos back and forth by email. A few hundred megs a pop, who cares what they are: corporate promo material, safety or training videos, staff doing touristy things, whatever. Replace the video data, for a few seconds in each video file with the encrypted file(s) you actually want to send.

The idea being that to selectively filter videos, they'd have to employ real people to watch them which, even in China, is more expensive than software filtering. And outright blocking any video sent to/from China would hurt their tourism industry.

Not as convenient as, for example HTTPS which is all but invisible to the end user, but I imagine it'd work.

0
1
Silver badge

Re: Steganography

If I were China and I had a good enough nest of computers, I'd intercept graphic and video transmissions and mangle them just a bit: resize them some, alter their brightnesses and so on, IOW find a way to mangle steganography in various ways while still presenting pictures and videos of acceptable quality. If they're not robust, this mangling will ruin the stego, making it useless. If they're robust, they're more likely to be detected through some signal analysis.

1
0
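The claim in the two steganography comments above, that a light "mangling" of an image destroys fragile hidden data while leaving the picture viewable, is easy to demonstrate. What follows is an added example, not code from the thread: it hides a short message in the least significant bit of a constructed 16x16 greyscale image, then applies a brightness rescale of the kind the commenter describes and shows that about half the hidden bits are lost. The cover image, message and gain factor are all constructed for the example.

```python
"""LSB steganography versus a brightness rescale (added example).

A 1.5x gain rounds each pixel to a new value whose low bit no longer matches
the original's, and anything above 170 clamps to 255. The picture is merely
brighter; the payload riding in the low bits is scrambled.
"""


def to_bits(data: bytes) -> list:
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits: list) -> bytes:
    """Inverse of to_bits; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def lsb_embed(cover: list, payload: bytes) -> list:
    """Overwrite the LSB of the first 8*len(payload) pixels with payload bits."""
    bits = to_bits(payload)
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    return [(p & 0xFE) | bit for p, bit in zip(cover, bits)] + cover[len(bits):]


def lsb_extract(stego: list, n_bytes: int) -> bytes:
    """Read n_bytes back out of the pixel LSBs."""
    return from_bits([p & 1 for p in stego[:n_bytes * 8]])


def rescale(pixels: list, gain: float = 1.5) -> list:
    """Brightness/contrast adjustment: round(gain * p), clamped to 8 bits."""
    return [min(255, int(gain * p + 0.5)) for p in pixels]


def bit_error_rate(expected: bytes, actual: bytes) -> float:
    """Fraction of payload bits that differ after the image was altered."""
    a, b = to_bits(expected), to_bits(actual)
    return sum(x != y for x, y in zip(a, b)) / len(a)


# Constructed cover: a 16x16 gradient with values in 30..209.
COVER = [((x * 9 + y * 5) % 180) + 30 for y in range(16) for x in range(16)]
MESSAGE = b"meet at 9"  # constructed payload


def demo():
    """Return (payload from untouched image, payload after rescale, bit error rate)."""
    stego = lsb_embed(COVER, MESSAGE)
    intact = lsb_extract(stego, len(MESSAGE))       # untouched file: survives
    mangled = rescale(stego)                        # the in-transit "mangling"
    damaged = lsb_extract(mangled, len(MESSAGE))    # after rescale: scrambled
    return intact, damaged, bit_error_rate(MESSAGE, damaged)


if __name__ == "__main__":
    intact, damaged, ber = demo()
    print(intact, damaged, f"{ber:.2f}")
```

Because the rounding flips the low bit of roughly every second pixel, the error rate lands near 0.5, which is what a random channel would give; the hidden text is unrecoverable even though the image itself is only brighter. A scheme robust to this (spreading each bit over many pixels, or embedding in frequency coefficients) changes the image statistics enough to be caught by the signal analysis the commenter mentions, which is the trade-off the thread is pointing at.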
Anonymous Coward

Dictatorships in information control shocker

If you want to do business with corrupt regimes, like China, Israel and the US, then you get all you do deserve

0
2
Anonymous Coward

Re: Dictatorships in information control shocker

Which regime is not corrupt?

And where is the EU on that list?

0
0

This post has been deleted by its author

Bronze badge
FAIL

The pressure vessel will explode

Many repressive systems continue for a long time ONLY because a pressure relief valve does exist for those that really value it.

If China really closed down all VPNs this is going to head into a really interesting phase.

0
0
Bronze badge

Hmmm... I wonder what enterprising hack groups

Will expose the non-indigenous companies selling the code and switches to China these days. Hurt their investor relations a bit, and they might cut off or reduce support of such a regime. But we know that that has not crimped Cisco enough.

But, imagine the government in cahoots with spammers.... Yikes!

0
0