How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic

Mingshi Wu, GFW Report; Jackson Sippe, University of Colorado Boulder; Danesh Sivakumar and Jack Burg, University of Maryland; Peter Anderson, Independent researcher; Xiaokang Wang, V2Ray Project; Kevin Bock, University of Maryland; Amir Houmansadr, University of Massachusetts Amherst; Dave Levin, University of Maryland; Eric Wustrow, University of Colorado Boulder

One of the cornerstones in censorship circumvention is fully encrypted protocols, which encrypt every byte of the payload in an attempt to “look like nothing”. In early November 2021, the Great Firewall of China (GFW) deployed a new censorship technique that passively detects—and subsequently blocks—fully encrypted traffic in real time. The GFW’s new censorship capability affects a large set of popular censorship circumvention protocols, including but not limited to Shadowsocks, VMess, and Obfs4. Although China had long actively probed such protocols, this was the first report of purely passive detection, leading the anti-censorship community to ask how detection was possible.

In this paper, we measure and characterize the GFW’s new system for censoring fully encrypted traffic. We find that, instead of directly defining what fully encrypted traffic is, the censor applies crude but efficient heuristics to exempt traffic that is unlikely to be fully encrypted traffic; it then blocks the remaining non-exempted traffic. These heuristics are based on the fingerprints of common protocols, the fraction of set bits, and the number, fraction, and position of printable ASCII characters. Our Internet scans reveal what traffic and which IP addresses the GFW inspects. We simulate the inferred GFW’s detection algorithm on live traffic at a university network tap to evaluate its comprehensiveness and false positives. We show evidence that the rules we inferred have good coverage of what the GFW actually uses. We estimate that, if applied broadly, it could potentially block about 0.6% of normal Internet traffic as collateral damage.

Our understanding of the GFW’s new censorship mechanism helps us derive several practical circumvention strategies. We responsibly disclosed our findings and suggestions to the developers of different anti-censorship tools, helping millions of users successfully evade this new form of blocking.


USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.


Title: How Great is the Great Firewall? Measuring China's DNS Censorship

Abstract: The DNS filtering apparatus of China's Great Firewall (GFW) has evolved considerably over the past two decades. However, most prior studies of China's DNS filtering were performed over short time periods, leading to unnoticed changes in the GFW's behavior. In this study, we introduce GFWatch, a large-scale, longitudinal measurement platform capable of testing hundreds of millions of domains daily, enabling continuous monitoring of the GFW's DNS filtering behavior. We present the results of running GFWatch over a nine-month period, during which we tested an average of 411M domains per day and detected a total of 311K domains censored by GFW's DNS filter. To the best of our knowledge, this is the largest number of domains tested and censored domains discovered in the literature. We further reverse engineer regular expressions used by the GFW and find 41K innocuous domains that match these filters, resulting in overblocking of their content. We also observe bogus IPv6 and globally routable IPv4 addresses injected by the GFW, including addresses owned by US companies, such as Facebook, Dropbox, and Twitter. Using data from GFWatch, we studied the impact of GFW blocking on the global DNS system. We found 77K censored domains with DNS resource records polluted in popular public DNS resolvers, such as Google and Cloudflare. Finally, we propose strategies to detect poisoned responses that can (1) sanitize poisoned DNS records from the cache of public DNS resolvers, and (2) assist in the development of circumvention tools to bypass the GFW's DNS censorship.


The Great Firewall of China: A Critical Analysis, doi 10.21236/ada488175

Available in full text

June 1, 2008

Defense Technical Information Center

Ignoring the Great Firewall of China


  • Richard Clayton
  • Steven J. Murdoch
  • Robert N. M. Watson

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4258)

Included in the following conference series:

  • International Workshop on Privacy Enhancing Technologies


The so-called “Great Firewall of China” operates, in part, by inspecting TCP packets for keywords that are to be blocked. If the keyword is present, TCP reset packets (viz: with the RST flag set) are sent to both endpoints of the connection, which then close. However, because the original packets are passed through the firewall unscathed, if the endpoints completely ignore the firewall’s resets, then the connection will proceed unhindered. Once one connection has been blocked, the firewall makes further easy-to-evade attempts to block further connections from the same machine. This latter behaviour can be leveraged into a denial-of-service attack on third-party machines.



Author information

Authors and affiliations.

Computer Laboratory, William Gates Building, University of Cambridge, 15 JJ Thomson Avenue, Cambridge, CB3 0FD, United Kingdom

Richard Clayton, Steven J. Murdoch & Robert N. M. Watson


Editor information

Editors and affiliations.

Microsoft Research, Cambridge, UK

George Danezis

Palo Alto Research Center, 3333 Coyote Hill Rd, 94304, Palo Alto, CA, USA

Philippe Golle


Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper.

Clayton, R., Murdoch, S.J., Watson, R.N.M. (2006). Ignoring the Great Firewall of China. In: Danezis, G., Golle, P. (eds) Privacy Enhancing Technologies. PET 2006. Lecture Notes in Computer Science, vol 4258. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11957454_2


DOI : https://doi.org/10.1007/11957454_2

Publisher Name : Springer, Berlin, Heidelberg

Print ISBN : 978-3-540-68790-0

Online ISBN : 978-3-540-68793-1

eBook Packages : Computer Science, Computer Science (R0)

COMMENTS

  1. PDF The Great Firewall of China: A Critical Analysis

    research paper, but throughout the entire Cyber Warfare program. His efforts and passion for the future in cyber is infectious and I have learned a great deal from him. I'd ... Great Firewall of China, which is a tool to censor all Internet activity coming into and out of China. A comparison will be drawn between the two to show reasons the Great

  2. How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic

    In early November 2021, the Great Firewall of China (GFW) deployed a new censorship technique that passively detects—and subsequently blocks—fully encrypted traffic in real time. ... In this paper, we measure and characterize the GFW's new system for censoring fully encrypted traffic. ... Our research team consulted experts with a deep ...

  3. How the Great Firewall of China Detects and Blocks Fully ...

    In early November 2021, the Great Firewall of China (GFW) deployed a new censorship technique that passively detects—and subsequently blocks—fully encrypted traffic in real time. ... USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any ...

  4. PDF How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic

    drop in use from China [69]. The start of this blocking coincided with the sixth plenary session of the 19th Chinese communist party central committee [1,4], which was held on November 8-11, 2021. Blocking these circumvention tools represents a new capability in China's Great Firewall (GFW).

  5. PDF The Great Firewall of China: Implications of Internet Control for China

    are apparent specifically on the internet. China utilizes three methods of internet control: (1) the so-called "Great Firewall," (2) filtering, and (3) manual blocking, and I examined each method by consulting scholarly journals that provided detailed research.

  6. Behind the Great Firewall: How China's Government, Businesses, and

    An STS Research Paper presented to the faculty of the School of Engineering and Applied Science ... Behind the Great Firewall: How China's Government, Businesses, and Populace Compete to Shape the Chinese Internet ... (Koty, 2018). For these reasons, in this paper VPN refers to unlicensed and non-corporate VPNs. 6 Such heavy censorship has ...

  7. PDF How Great is the Great Firewall? Measuring China's DNS Censorship

    The Internet filtering infrastructure of China, allegedly designed in the late 90s under the Golden Shield project [85, 94], is a system used by the Chinese government to regulate the country's domestic Internet access. The filtering system, commonly referred to as the Great Firewall [52], consists

  8. [PDF] How the Great Firewall of China Detects and Blocks Fully

    This paper measures and characterizes the Great Firewall of China's new system for censoring fully encrypted traffic and simulates the inferred GFW's detection algorithm at a university network tap to evaluate its comprehensiveness and false positives, and shows evidence that the rules it inferred have good coverage. One of the cornerstones in censorship circumvention is fully encrypted ...

  9. How the Great Firewall of China Detects and Blocks Fully Encrypted

    In early November 2021, the Great Firewall of China (GFW) deployed a new censorship technique that passively detects—and subsequently blocks—fully encrypted traffic in real time. The GFW's new censorship capability affects a large set of popular censorship circumvention protocols, including but not limited to Shadowsocks, VMess, and Obfs4.

  10. The Great Firewall of China: A Critical Analysis

    Censorship has a great impact on society as the authors enter the cyber environment and the United States finds itself in a unique situation trying to eliminate human rights violations while encouraging freedom. Abstract : Censorship has a great impact on society as we enter the cyber environment. The Chinese "Great Firewall", as it is commonly called, brings great attention to China as they ...

  11. The Great Firewall of China: A Critical Analysis

    The Chinese Great Firewall, as it is commonly called, brings great attention to China as they enter into the global economy. The Great Firewall is one approach China tries to censor their people. Many techniques are used to establish this cyber boundary such as firewalls, real-name internet registration, filtering, political controls, police ...

  12. Does the Great Firewall really isolate the Chinese? Integrating Access

    This research was partially supported by a Graduate Research Grant from Northwestern University. ... if the Great Firewall of China is lifted. Internet Censorship and the Internet in China China's very first full-function linkage to the World Wide Web was realized in 1994, through

  13. Analyzing the Great Firewall of China Over Space and Time

    Over Space and Time. Abstract: A nation-scale firewall, colloquially referred to as the "Great Firewall of China," implements many different types of censorship and content filtering to ...

  14. PDF The Golden Shield Project of China: A Decade Later An in-depth study of

    In this paper, we will focus on the development of the Great Firewall that includes the timeline of its development, the censorship policy used for its implementation, its effects and the principles behind the technology used for its application. We will discuss where it stands after a decade of its implementation.

  15. Great Firewall by Jyh-An Lee :: SSRN

    The term "Great Firewall" was coined to describe the massive and sophisticated Internet-filtering system used in China, which blocks the populace from ...

  16. PDF The Great Firewall of China and Its Implications for Political ...

    recent research usually finds that these factors tend to destabilize the democratic information system, their impacts on the autocratic information system are less studied. This paper examines the Great Firewall of China in terms of these factors. It finds that these factors could both

  17. The Great Firewall of China and Its Implications for Political ...

    While recent research tends to find that these factors tend to destabilize the democratic information system, their impacts on the autocratic information system are less studied. ... This paper examines the Great Firewall of China in terms of these factors. It finds that these factors could both stabilize and destabilize China's autocratic ...

  18. Analyzing the Great Firewall of China Over Space and Time

    The authors' measurements reveal that failures in the firewall occur throughout the entire country without any conspicuous geographical patterns, and give some evidence that routing plays a role, but other factors (such as how the GFW maintains its list of IP/port pairs to block) may also be important. Abstract A nation-scale firewall, colloquially referred to as the "Great Firewall of China ...

  19. How Great is the Great Firewall? Measuring China's DNS Censorship

    The DNS filtering apparatus of China's Great Firewall (GFW) has evolved considerably over the past two decades. However, most prior studies of China's DNS filtering were performed over short time periods, leading to unnoticed changes in the GFW's behavior. In this study, we introduce GFWatch, a large-scale, longitudinal measurement platform capable of testing hundreds of millions of domains ...

  20. (PDF) The Great Firewall of China: A Critical Analysis

    The Great Firewall of China: A Critical Analysis doi 10.21236/ada488175. Full Text Open PDF Abstract. Available in full text. Date. June 1, 2008. Authors Michael D. Whiting

  21. Scaling the Great Firewall of China: Uses and Gratifications for

    Selected Papers of Internet Research 15: The 15th Annual Meeting of the Association of Internet Researchers Daegu, Korea, 22-24 October 2014 Suggested Citation (APA): Yeo, T.E.D. (2014, October 22-24). The great firewall of China: uses and gratifications for circumventing state-imposed internet boundaries. Paper presented at Internet Research ...

  22. Ignoring the Great Firewall of China

    The so-called "Great Firewall of China" operates, in part, by inspecting TCP packets for keywords that are to be blocked. ... Ignoring the Great Firewall of China. Conference paper; pp 20-35; Cite this conference paper; Download book PDF. ... Microsoft Research, Cambridge, UK. George Danezis . Palo Alto Research Center, 3333 Coyote Hill ...

  23. [PDF] The Great Firewall of China.

    The Great Firewall of China. Shawn P. Healy. Published 1 April 2007. Political Science, Computer Science. TLDR. China's censorship machine, the reaction of its citizenry to this arsenal and the complicity of American companies in enabling the process are described in detail. Expand.

  24. China: Overseas students face harassment and surveillance in campaign

    Chinese authorities' ability to monitor the activities of overseas students is also enabled by Beijing's extensive censorship and digital surveillance capabilities behind the "Great Firewall", which requires students to rely on exploitable Chinese state-approved apps to communicate with their family and friends in China.