Ignoring the “Great Firewall of China”

June 27th, 2006 at 08:11 UTC by Richard Clayton

The Great Firewall of China is an important tool for the Chinese Government in their efforts to censor the Internet. It works, in part, by inspecting web traffic to determine whether or not particular words are present. If the Chinese Government does not approve of one of the words in a web page (or a web request), perhaps it says “f” “a” “l” “u” “n”, then the connection is closed and the web page will be unavailable — it has been censored.

This user-level effect has been known for some time… but up until now, no-one seems to have looked more closely into what is actually happening (or when they have, they have misunderstood the packet level events).

It turns out [caveat: in the specific cases we've closely examined, YMMV] that the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.

Ignoring resets is trivial to achieve by applying simple firewall rules… and has no significant effect on ordinary working. If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device. We would argue that there is much to commend examining TTL values when considering defences against denial-of-service attacks using reset packets. Having operating system vendors provide this new functionality as standard would also be of practical use because Chinese citizens would not need to run special firewall-busting code (which the authorities might attempt to outlaw) but just off-the-shelf software (which they would necessarily tolerate).
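The TTL consistency check described above, written out as an added example (it is not code from this post or from the paper): it parses IPv4/TCP headers, learns the TTL that each sender's ordinary segments arrive with, and labels a reset whose TTL does not match. The addresses, ports, TTL values and the two-hop tolerance are constructed assumptions.

```python
import struct
from collections import defaultdict

RST = 0x04
TTL_TOLERANCE = 2  # assumption: allow a hop or two of routing jitter


def build_packet(src, dst, sport, dport, ttl, flags):
    """Build a bare IPv4+TCP header pair for the constructed samples below."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_packet(raw):
    """Return (flow_key, ttl, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or raw[9] != 6 or len(raw) < ihl + 14:
        return None                    # bad header, not TCP, or truncated
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return (src, sport, dst, dport), raw[8], raw[ihl + 13]


class ResetTtlChecker:
    """Compare the TTL of each RST with the TTLs already seen on that flow."""

    def __init__(self, tolerance=TTL_TOLERANCE):
        self.tolerance = tolerance
        self.seen = defaultdict(list)  # flow -> TTLs of non-RST segments

    def observe(self, raw):
        parsed = parse_packet(raw)
        if parsed is None:
            return "unparsed"
        flow, ttl, flags = parsed
        if not flags & RST:
            self.seen[flow].append(ttl)
            return "data"
        history = self.seen.get(flow)
        if not history:
            return "rst-no-baseline"   # nothing to compare against yet
        baseline = sorted(history)[len(history) // 2]  # median TTL
        if abs(ttl - baseline) > self.tolerance:
            return "rst-suspect"       # hop count inconsistent with far end
        return "rst-consistent"


# Constructed capture: segments arriving at the client from one server.
SERVER, CLIENT = "203.0.113.10", "192.0.2.5"
SYN_ACK, ACK, PSH_ACK, RST_ACK = 0x12, 0x10, 0x18, 0x14
SAMPLE_CAPTURE = [
    build_packet(SERVER, CLIENT, 80, 40000, 47, SYN_ACK),
    build_packet(SERVER, CLIENT, 80, 40000, 47, PSH_ACK),
    build_packet(SERVER, CLIENT, 80, 40000, 48, ACK),
    build_packet(SERVER, CLIENT, 80, 40000, 61, RST),      # TTL far from baseline
    build_packet(SERVER, CLIENT, 80, 40000, 47, RST_ACK),  # TTL matches baseline
    build_packet(SERVER, CLIENT, 80, 40001, 47, RST),      # flow never seen before
    b"\x00" * 10,                                          # truncated junk
]


def classify_capture(packets):
    """Run every packet through one checker and return the verdicts in order."""
    checker = ResetTtlChecker()
    return [checker.observe(p) for p in packets]


if __name__ == "__main__":
    for verdict in classify_capture(SAMPLE_CAPTURE):
        print(verdict)
```

The verdict is a heuristic: it only says whether a reset's hop count agrees with what the flow has shown so far, so a stack using it would still need a policy for resets that arrive before any baseline exists.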

There’s a little more to this story (but not much) and all is revealed in our academic paper (Clayton, Murdoch, Watson) which will be presented at the 6th Workshop on Privacy Enhancing Technologies being held here in Cambridge this week.

NB: There’s also rather more to censorship in China than just the “Great Firewall” keyword detecting system — some sites are blocked unconditionally, and it is necessary to use other techniques, such as proxies, to deal with that. However, these static blocks are far more expensive for the Chinese Government to maintain, and are inherently more fragile and less adaptive to change as content moves around. So there remains real value in exposing the inadequacy of the generic system.

The bottom line though, is that a great deal of the effectiveness of the Great Chinese Firewall depends on systems agreeing that it should work … wasn’t there once a story about the Emperor’s New Clothes?

Entry filed under: Internet censorship, News coverage

78 comments

  • 1. Nicholas Weaver  |  June 27th, 2006 at 20:40 UTC

    Unfortunately, this isn’t that effective a bypass. As the resets are (unless painfully broken) sent in both directions, you need software on both sides of the connection.

    If you have software on both sides of the connection, you can do FAR FAR FAR more subtle covert channels that would completely/drastically increase the difficulty of detecting censorable communication.

  • 2. Richard Clayton  |  June 27th, 2006 at 22:31 UTC

    First, it’s a totally effective bypass — it works just fine, using very simple mechanisms.

    Secondly, we understand entirely that discarding resets is needed at both ends of the connection, albeit not very complicated software is necessary to do it. Standard firewalls do it out of the box.

    However (see the paper) we also understand that the dynamics are very different if the firewall can correctly log what is being transferred — distinguishing porn from politics. That’s not the case for encrypted links (which could easily be banned per se by looking at the entropy of the packets; and an entirely negative view taken of what the content was) or proxies (which is merely a scaling issue, so a question merely of money and commitment).

    However, the key point is that changing the TCP/IP stacks to ignore the firewall is almost a no-brainer for the vendor. There are excellent technical reasons for discarding the firewall’s resets as a matter of course. If stack builders did this as standard, then an entire Great Firewall of China mechanism entirely fails to work. That can only, in my view, be a good result.

  • 3. spacehunt  |  June 28th, 2006 at 03:50 UTC

    Tried that already, doesn’t work; packets are not passed through unscathed.

  • 4. Bill Xia  |  June 28th, 2006 at 04:46 UTC

    I explained this mechanism in 5th HOPE conference:
    http://www.dit-inc.us/report/hope2004/cover.htm Sorry the slides are hard to read without the video presentation

    This is one of the many mechanisms that is being used. Some new mechanisms were added later on.

    The reset will be sent from the firewall to both client and server, so you need to convince both sides to ignore reset.

  • 5. Nik  |  June 28th, 2006 at 04:55 UTC

    This is all great, but keyword filtering is really not the big issue in China. The only time you notice it is when you use sites like Google, which have extra sensitivity conditions beyond keywords. On my own site I have virtually all bad keywords in different documents, and they fly through without a hitch to me in China.

    The annoying thing is the site bans of blogspot.com, wordpress.com, bbc.com and the temporary blocks of wikipedia.org. That epochtimes and such propaganda sites are blocked is really of no importance; people in the West drastically overemphasize the will of the Chinese to gather such information. In any case, you can always use anonymous.org for blogspot.com and such sites (but not for epochtimes).

  • 6. .$author.  |  June 28th, 2006 at 07:20 UTC

    [...] Light Blue Touchpaper » Ignoring the “Great Firewall of China” [...]

  • 7. .$author.  |  June 28th, 2006 at 11:54 UTC

    [...] Via B. Schneier, Security Research at Cambridge has worked out a way to penetrate through China’s Great Firewall, by ignoring the reset TCP packet sent back by the Chinese routers to keep the connection going. Very interesting analysis, although the article also stated that censorship in China is more than just “Great Firewall”. Might be useful for those heading back to China. [...]

  • 8. Robert Gagnon  |  June 28th, 2006 at 16:09 UTC

    If China uses a “Great Firewall” can the Bush Administration be far behind?

    Since at least two of their covert programs to monitor phone conversations and international bank transactions of US citizens and corporations have been uncovered by the NY Times and other stellar members of print journalism, will they find a way to use a similar concept to block public discussion of these, and other, points of high vulnerability as they see them??

    Just curious!

  • 9. Chinese  |  June 29th, 2006 at 11:34 UTC

    I am a Chinese, my English is bad. We need your help. For anthropic freedom, help us! Thank you very much! Freedom vive!
    Beat down Communist Party! Liberate all human!

  • 10. LSH  |  June 29th, 2006 at 12:07 UTC

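    The Chinese Communist Party's firewall uses more than one method to block the network, but there are three main ones:

    1. IP blocking
    2. Keyword filtering
    3. DNS resolution spoofing

    With any one of these in place, Chinese users cannot reach some foreign websites.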

  • 11. Paul  |  June 29th, 2006 at 18:28 UTC

    I have no idea how to figure whether the Bush administration will try to build such a firewall. I can’t say I would be surprised if they did do it, complete with all the spin to paint opponents as terrorist sympathizers. Freedom is slavery, and all that rot.

  • 12. .$author.  |  June 30th, 2006 at 02:55 UTC

    [...] This has been covered here, and here. The academic paper is here. The interesting part is China using ancient technology to censor its citizenship – the router machines (coupled with devices with IDS technologies) send RST (reset) packets based on keyword matches. And we know, this can be bypassed. Read the paper for a more thorough explanation. [...]

  • 13. Robert Gagnon  |  June 30th, 2006 at 04:43 UTC

    Gee Jim,

    I guess that you never lived in China or you have never read Peter Hessler’s memoir “River Town”.

    The Chinese have their own way of seeing these things which has little to do with the radical opinions of right wing nuts. However, I will say this that there is a class of Chinese, not very numerous, who seem to parrot the ideas and notions of the extreme Western right wing nuttery.

    This is not a simple subject. Certainly it’s not well portrayed by either the Hong Kong or Taiwan types who squeak loudly, even if the Hong Kong types have degrees from U of Toronto or even Columbia U or even Harvard or what ever you may suggest! Most Chinese who have easy access to the Internet are happy enough to enjoy the “freedoms” that they have.

    Caucasian whiners “scream” about limits on “free speech”. These days with regular practices of the Bush Administration which considers “free speech” as a “threat to the security of US citizens”, it does seem a tad of a stretch to paint one side or the other as less tolerant of “free speech”.

    Free speech is something you know you have when you can use it as I am right now!

  • 14. .$author.  |  June 30th, 2006 at 07:21 UTC

    [...] Kudos go to a gentleman named Richard Clayton (and to BB, for bringing it to my attention), and the solution is not even very complicated. The content filter basically lets the packets through, and if something gets caught in the content filter, it simply sends the sender an RST packet. The sender takes this as authentic and closes the connection, and the censorship is accomplished. (Censoring a country of this size any other way would require resources that not even China has.) The solution: drop the RST packets! If you ignore them, the connection is not broken and the data traffic continues. [...]

  • 15. .$author.  |  June 30th, 2006 at 08:42 UTC

    [...] Richard Clayton, a computer security researcher at the University of Cambridge, has been poking around at the technical structure of China’s “great firewall.” On the lightbluetouchpaper collective blog, he says he’s come up with a way to penetrate that “wall” by ignoring the reset TCP packet returned by Chinese routers to maintain connection. As he explains it, if those packets are discarded instead of being dutifully returned as expected, then — poof, the firewall becomes utterly ineffective. Clayton acknowledges that Internet filtering in China involves other methods, too, but this still seems significant: The Great Firewall of China is an important tool for the Chinese Government in their efforts to censor the Internet. It works, in part, by inspecting web traffic to determine whether or not particular words are present. If the Chinese Government does not approve of one of the words in a web page (or a web request), perhaps it says “f” “a” “l” “u” “n”, then the connection is closed and the web page will be unavailable — it has been censored. [...]

  • 16. Ziao  |  June 30th, 2006 at 08:59 UTC

    The easiest way is to use such great tools like Anonymouse.org to access all websites.

  • 17. .$author.  |  June 30th, 2006 at 09:20 UTC

    [...] It isn’t a secret that China filters every TCP connection from and to their country. They use some wordlists for the general filter. On Ignoring the “Great Firewall of China” some smart guys from the University of Cambridge have shown some basic strategies on how to bypass this firewall. [...]

  • 18. Richard Clayton  |  June 30th, 2006 at 10:32 UTC

    There are of course other ways of evading the firewall. Anything that encrypts the traffic will prevent the traffic from being inspected. We discuss this in the paper. Using a simple proxy such as anonymouse.org will not work well. This type of system prevents websites from learning who their visitors are, but without any encryption (that’s what their FAQ says) on the link to the proxy, the traffic is still in the clear as it crosses the firewall and will therefore be subject to censorship.

  • 19. Tom  |  June 30th, 2006 at 19:08 UTC

    Of course, a much simpler and more effective method would be to install Tor.

  • 20. .$author.  |  July 1st, 2006 at 02:51 UTC

    [...] Xeni Jardin: Richard Clayton, a computer security researcher at the University of Cambridge, has been poking around at the technical structure of China’s “great firewall.” On the lightbluetouchpaper collective blog, he says he’s come up with a way to penetrate that “wall” by ignoring the reset TCP packet returned by Chinese routers to maintain connection. As he explains it, if those packets are discarded instead of being dutifully returned as expected, then — poof, the firewall becomes utterly ineffective. Clayton acknowledges that Internet filtering in China involves other methods, too, but this still seems significant: The Great Firewall of China is an important tool for the Chinese Government in their efforts to censor the Internet. It works, in part, by inspecting web traffic to determine whether or not particular words are present. If the Chinese Government does not approve of one of the words in a web page (or a web request), perhaps it says “f” “a” “l” “u” “n”, then the connection is closed and the web page will be unavailable — it has been censored. [...]

  • 21. .$author.  |  July 1st, 2006 at 05:53 UTC

    [...] Light Blue Touchpaper » Ignoring the “Great Firewall of China” how to get around the Chinese super-firewall. I suppose it won't work for long, but if someone is heading to China soon, it could be useful. (tags: censorship computer howto network internet security firewall china) [...]

  • 22. Fulan Peng  |  July 2nd, 2006 at 02:06 UTC

    Richard;
    Great jobs!
    We are doing the job to break the CCP’s blockage. Our strategy is to use dynamic IPs and SSL. It is very simple to write an iptables command for our server but I do not think it will work as you said in your paper because there are some other fake signals. We can recompile Linux and FreeBSD easily, we would be your test site if you have interest to develop a strategy to break the Chinese Berlin Wall. Our dynamic IP site, https://www.ddint.org/mvnforum/mvnforum/index?lang=en has dynamically been traced and been blocked by CCP. It is a good site to test out your strategy. We change our IP hourly and SSL certificate daily. But our domain name is kidnapped. We need more mirrors with different domain names on different machines. We have a database cluster running behind our web site which could support unlimited number of mirrors.

  • 23. .$author.  |  July 2nd, 2006 at 05:05 UTC

    [...] Via Bruce Schneier, an interesting paper about a technique to bypass the filtering technique currently employed by China’s Great Firewall. I am gonna get a little nerdy here — something I generally reserve for the CentreBlog — so bear with me here: [...]

  • 24. Lawrence Sheed  |  July 2nd, 2006 at 07:34 UTC

    I wouldn’t say it’s a big secret that one of the technical tools the government uses is connection resets, this is fairly obvious to ascertain – your browser tells you the connection is reset.

    One issue I have been seeing, is that the connection resets happen both ways – incoming traffic from ‘problem’ ISPs to China served sites receive the resets also. It’s not just an inside -> out filter, it happens both ways*.

    eg
    Blocked ip range -> Inside China site (experience connection resets)
    China -> Outside blocked ip range (experience connection resets)

    *Limited testing (this may not be a china wide effect).

    This is an interesting unintended side effect.

    Also remember that different ISPs have different blocks
    eg – on cable internet in Shanghai you can get to BBC.co.uk
    On ADSL (in most areas), you can’t.

    So one thing to note is that not all blocks are system wide.

    Also note that certain block mechanisms come and go, this is commonly believed to be because of the process overhead – it’s not feasible on the scales we’re dealing with here.

  • 25. Ziao  |  July 2nd, 2006 at 13:47 UTC

    Richard, Anonymouse.org helps to bypass the static blocks you mentioned but it’s true that the unencrypted traffic may be subject to censorship via the keyword-filter.

    However, their sustaining membership allows encryption and works well here in PRC.

  • 26. .$author.  |  July 2nd, 2006 at 18:44 UTC

    [...] I had a long conversation with a concerned voter over my Net Neutrality position yesterday. He stated that I was putting too much trust into the corporations and the telcos to do the “right thing”. Through extensive experience, I realize that they’ll usually do the self-serving thing, but this is difficult to do on the Internet. The best example of this is China’s attempt to control the Internet, which yet again, had another method demonstrated this week of how to bypass it. Activists continue to raise the spectres of restricted free-speech, corporate agendas, and toll booths on the Internet, yet I have seen time and time again that the regulatory approach towards resolving problems of the Internet is not effective. I am proud of the role I had in crafting anti-spam and anti-spyware legislation, but I fully realized beforehand that it would have very little effect on the actual problem. Instead of lamenting the lack of laws, I went back to work at my business and worked on real solutions. My opponent applauds the flavor of the week for filtering the Internet, yet I’ve been giving effective solutions to parents for over a decade without the help of my government representatives. [...]

  • 27. ThirdRockPhoto  |  July 3rd, 2006 at 18:40 UTC

    Nik, anonymous.org switches to autopart.com, useless. Robert Gagnon, why do you insinuate that the great firewall is no big deal? This is not a partisan issue. Not everything in the world has to be pushed to one side or the other of the U.S. 2-party ranting system.

    Here is what the Chinese Internet community needs: an application that can be installed on a user’s computer that will take the geeky setup out of the world of nerds and put it into the hands of the average Joe (or Zhou) so we can all use it without hiring a network/IT consultant to come to our home and tinker with the settings for an hour. If it were platform independent, even better.

  • 28. Jean Martina  |  July 5th, 2006 at 00:45 UTC

    Very good work Richard. Light Blue Touchpaper is spread in very important and accessed web sites, like: http://www.zdnetasia.com/news/security/0,39044215,39372326,00.htm.

    Just take care not to finish like Jack Bauer at the end of the 5th season :)

  • 29. target  |  July 5th, 2006 at 15:46 UTC

    Interesting. Also interesting is the statement in news coverage that someone involved in finding this hole has made sure to report it to whatever part of the Chinese government is responsible for these access controls, so that they might consider how to fix the hole. An interesting decision – why was this finding publicised and then also given directly to the Chinese government? (Or are the news reports incorrect?)

  • 30. Richard Clayton  |  July 5th, 2006 at 20:13 UTC

    We reported the denial-of-service attack to CERT (who passed it to CERT-CN) when we first realised that this was an issue, way back in March. In our view the simplest way of addressing this problem would be to turn off the keyword detection — and we are disappointed that they have not done so. Otherwise, we suspect, the only way of addressing the problem would be to discard the current design and replace it entirely — which would be expensive and time-consuming.

    Reporting security flaws to the vendor (and we cannot tell who the vendor is in this case; presumably some Chinese Government Agency, CERT-CN will have known) is widely accepted to be proper behaviour.

    We did NOT report the observation that discarding resets made the firewall ineffective, or our other thoughts about dealing with faked SYN/ACK packets. That’s a matter of functionality failure — not of security.

  • 31. .$author.  |  July 6th, 2006 at 17:40 UTC

    [...] I wanted to post again about the great Chinese firewall. Apparently someone had the same idea that id and I had around ways to get around the filters. Apparently, according to this post on bypassing the Chinese firewall, it uses RST packets when it sees the forbidden content pass over its firewalls. The RST packets are sent in either direction. However, if your firewall is set up to ignore RST packets AND the person in China is also set up to do the same, the text will flow through the firewall indiscriminately. [...]

  • 33. .$author.  |  July 7th, 2006 at 22:28 UTC

    [...] I’ve talked to several trusted friends about Richard Clayton’s “Ignoring the Great Firewall of China” paper. Long story short: I’m not crazy. But my objections may be too wordy. Here’s another way of summing up the problem with this research: [...]

  • 34. Jeffrey Zhang  |  July 11th, 2006 at 06:40 UTC

    ooh, this page has not been keyword-filtered yet :)

  • 35. .$author.  |  July 26th, 2006 at 21:02 UTC

    [...] LightBlueTouchPaper – Ignoring the “Great Firewall of China” [...]

  • 36. john  |  August 13th, 2006 at 11:06 UTC

    I come from China. I hate to see all the leader’s activity news, all the GDP growth news. Everyone lives in a lying world, no true words. We don’t feel any improvement in our life. On the contrary, we have more pressure today. Could you kindly introduce an operative way to break China censorship? I don’t want the theory. Thanks a lot

  • 37. garnwraly  |  August 27th, 2006 at 21:23 UTC

    could someone please post on how exactly can one setup their computer to ignore tcp resets?

  • 38. Richard Clayton  |  August 27th, 2006 at 21:40 UTC

    To ignore resets: read the paper for firewall rules appropriate for a *nix system. If you’re using Windows then you’ll need some custom software. At present, we haven’t written any :(

  • 39. garnwraly  |  August 28th, 2006 at 00:44 UTC

    whow, that was FAST!
    I’m using winXP sp2
    I found this WIPFW software that claims to have the same functions as IPFW made for Windows (from http://belnet.dl.sourceforge.net/sourceforge/wipfw/wipfw-0.2.8.zip)
    However, after installing and trying the command for the IPFW with no errors, I tried to access wikipedia and image.google.com (searched for “tiananmen”) and was unable to access both (actually the google one loaded 4 or 5 picture results, then got timed out), all same as before

    Is it the software’s problem or am I trying it on the wrong sites?

  • 40. Richard Clayton  |  August 28th, 2006 at 00:54 UTC

    You should read the paper again… it’s necessary for BOTH ends to ignore resets. Also, high profile sites may be blocked by other mechanisms instead — such as straightforward discarding of all packets to the particular IP address. Plus there’s the “blocking with confusion” that we describe.

    The mechanism can be simple to overcome — but not entirely trivial :(

    Also, please note our comments about the possibility of logging!

  • 41. garnwraly  |  August 28th, 2006 at 14:08 UTC

    Oh yeah….sorry about that, my bad
    Could you give an example of which site currently blocked can be accessed using the method in the post?

  • 42. .$author.  |  September 4th, 2006 at 18:49 UTC

    [...] What makes this particular proposal interesting however (and you can read more at Richard Clayton’s (one of the researchers) blog), is that he’s proposing a solution that makes it easy for the user. Rather than have the user look for a proxy server, he’s asking that content providers (i.e. website servers) and operating system manufacturers (i.e. Microsoft) work together to “ignore” the Great Firewall of China, or more broadly, produce a standard that makes it more difficult to censor access to particular pieces of Internet content. Ultimately, I think that’s the key to breaking down censorship in China. When people say that economic progress and globalization will loosen up this authoritarian state, there are two general assumptions behind this. The first is that a growing middle class demands freedom, has access to information from outside the country, yada yada. The second is the state, in order to function within this new global system, has to conform to certain standards of that system (which we assume is relatively good). [...]

  • 43. .$author.  |  September 7th, 2006 at 09:47 UTC

    [...] [As an interesting addendum, see Richard Clayton on: “Ignoring the Great Firewall of China”.] [...]

  • 44. Michael  |  September 12th, 2006 at 09:39 UTC

    I have set my machine up to ignore packets with the RST flag. If anyone wants to test it from China, just send me an e-mail and I will give you an address of a page hosted on my server that would otherwise have been blocked. Remember that you need to ignore RSTs in your end as well (see the paper and post nr. 39 above)

    michael[at]carceri[dot]dk

  • 45. .$author.  |  September 14th, 2006 at 21:13 UTC

    [...] Bruce Schneier recently wrote about the discovery that the firewall system being used by China could be circumvented by both ends of the connection ignoring the TCP reset sequence. The paper was presented at the 6th Workshop on Privacy Enhancing Technologies, which sounds like an interesting gathering. It’s refreshing to see people working towards more privacy in a world where miniature cameras and tracking devices abound. [...]

  • 46. .$author.  |  September 30th, 2006 at 03:14 UTC

    [...] But my technical analysis of the packet level filtering was less than comprehensive and this new research by our colleagues at Cambridge provides an amazing in-depth analysis of China’s keyword filtering at the packet level. The observed behaviours I previously reported have been explained in skillful detail and this paper has also provided some new insights into the GFW: [...]

  • 47. Sam  |  November 14th, 2006 at 03:23 UTC

    I believe that IP blocking by China is more of an issue. They seem to have lots of bodies monitoring the web those days, and blocking any IP that they don’t like. They force IP blacklists to all their ISPs almost daily I’ve heard…

  • 48. censored and concerned  |  November 16th, 2006 at 14:20 UTC

    I live in Shanghai. I have tried Tor to no avail. So far the only thing that has remotely helped is just copying and pasting blocked sites into http://www.fastsec.com which at least gets me into Google at times when it is censored.

    I find it hard to believe that there is no software readily available that easily bypasses the Great Firewall of China.

  • 49. DragonLord  |  November 17th, 2006 at 03:55 UTC

    Is that possible to launch massive attack on those censor servers? They are really disgusting existences.

    As a Chinese citizen I am really sorry to have such a government.

    And, to Robert Gagnon, don’t tell me how the Chinese people are “satisfied”. You have no idea what the heck you are talking about.

  • 50. DragonLord  |  November 17th, 2006 at 03:58 UTC

    Mr Gagnon,

    The other people’s wrong doings would never justify ours.

  • 51. .$author.  |  November 18th, 2006 at 17:37 UTC

    [...] Light Blue Touchpaper » Ignoring the “Great Firewall of China” However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! [...]

  • 52. WTF  |  November 21st, 2006 at 15:33 UTC

    Could you give us an example of a website that can bypass censorship? Possibly a new one…the old ones have been blocked…

  • 53. WTF  |  November 21st, 2006 at 15:36 UTC

    I have tried asking the staff of Peacefire…but their censorship websites keep getting blocked…

  • 54. .$author.  |  November 28th, 2006 at 15:20 UTC

    [...] Ignoring the “Great Firewall of China” [...]

  • 55. David Collins  |  November 28th, 2006 at 15:51 UTC

    hallo, nice page i like it.

  • 56. WTF again...  |  December 14th, 2006 at 15:18 UTC

    I meant like an actual website name like from Peacefire? If anyone has ever even heard of Peacefire…it gives the best websites to bypass websites ever! I’m on their mailing list, but I don’t get on the computer much and I have to use the school’s computer…I can’t check my email on yahoo either because it blocks it…So please! Anybody that knows it by chance please help me out here…I don’t have much time….

    Or if anyone knows another good website to bypass censorship I would really like to know….Thank you. ——-Rocka Da Kil/ Spawnn666

    And Contact me if you play RUNESCAPE!!!

  • 57. PB  |  December 16th, 2006 at 06:31 UTC

    I’ve used this service with success http://www.strongvpn.com but I can’t get past the speed problem of the Great Firewall. Does anyone have any tips on how to improve speed once past it?

  • 58. .$author.  |  March 1st, 2007 at 01:39 UTC

    [...] The machines doing the filtering send TCP RSTs to both end of the connection, thus killing the connection dead. There’s a good article that’s a lot more in-depth than I can ever be here. [...]

  • 59. chine_meigui  |  April 10th, 2007 at 16:21 UTC

    I am a foreigner living in China for 5 years now and really got fedup ‘coz we were blocked for more than 2 weeks even from our own blogs…so I tried your method and VOILA it works –for all my block websites (but the format is a little screwy) but who care about that! TX

  • 60. www.dongtaiwang.com  |  May 8th, 2007 at 07:31 UTC

    this site is a good solution to the gfw.

    try this .

    or falundafa .etc

  • 61. Hide IP  |  September 9th, 2007 at 09:49 UTC

    Of course, a much simpler and more effective method would be to install SmartHide. Is a perfect solution for the biggest online problem – Complete Anonymity. This unique program will keep your IP address (and your identity) hidden; secure all the protocols on your PC (E-mail, Web-browsing, Instant Messaging, P2P, etc); provide full encryption of your traffic while working in Internet, and a lot more.

    Anonymous surfing with Smart Hide

  • 62. Richard Clayton  |  September 9th, 2007 at 12:10 UTC

    The previous comment is an advert … the text is pretty much the same as you will find on the smarthide.com website. There’s not a lot of detail there, but from the looks of it this is a pretty standard third party proxy — so the third party (who seem to be based in Salem Oregon) will be aware of all your activities — as will anyone in that jurisdiction who can serve them with paperwork to inspect their logs. This may be fine for you, but to describe it as a “simpler and more effective method” is really rather too simple and may not be effective for you.

    Oh — and there’s dozens of other third party proxies if you think that’s a solution. Don’t go with the first one you see! especially if you look at their website and it takes you 10 minutes to work out what company is running it, where they are based, and even what nationality they are!

  • 63. Rob  |  September 9th, 2007 at 21:20 UTC

    @ Richard
    Kudos for providing an analysis, rather than simply deleting the advert. Much more useful :-)

  • 64. John  |  October 5th, 2007 at 13:59 UTC

    Richard, as for me I think it is better to use the service of the trusted people who provide such a service rather than using proxies which are scanned or to use Tor which can be monitored by anyone?

  • 65. Martel  |  October 5th, 2007 at 17:22 UTC

    My web site was swamped with Chinese traffic downloading my software and providing pirate keys to unlock it. The Chinese traffic consisted almost entirely of thieves. So I’d like to block it. Then came the idea that I could let the GFC do the blocking for me!

    Then I read your articles and realized something else. If we want to defeat the GFC we could all add lots of banned key words to our web sites. If most of the web sites in the free world had these blocked words, then the GFC would block everything — and the Chinese web users would demand a loosening.

    But I don’t know which Chinese would benefit the most, the average citizens or the thieves.

  • 66. Healing the Body  |  May 13th, 2008 at 21:15 UTC

    Don’t they know, the more they try to suppress the freedom of the people, the more they will inspire them. They could crush the followers of any creed by doing what Western Society has done – turn it into a mindless and spiritless commercial Festival. Let any system follow its own devices and it will rapidly become extinct, but criticize and punish it, and it will flourish like the forest.

  • 67. Nathan Zadoks  |  June 30th, 2008 at 09:21 UTC

    What about launching a massive DDoS on all the systems that do China’s content filtering?

  • 68. Richard Clayton  |  June 30th, 2008 at 10:38 UTC

    @nathan

    I don’t think that advocating illegal activity (which will additionally cause all sorts of collateral damage) is a particularly sensible suggestion.

  • 69. Jerek Bickford  |  August 26th, 2008 at 01:18 UTC

    My school has a server that can recognize proxies on its own so even when I make my own and don’t even use the word proxy it still blocks it. How can I bypass this? If anyone can help me please E-Mail me at jerekb@gmail.com .

  • 70. Oh-Noahs!  |  February 23rd, 2009 at 05:01 UTC

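    The Chinese Communist Party’s firewall uses more than one method to block the network, but there are three main ones:

    1. IP blocking
    2. Keyword filtering
    3. DNS resolution spoofing

    With any one of the above in place, Chinese users cannot reach some foreign websites.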

    Just a courtesy translation.

    Below is a Google translation of the LSH post above on June 29th, 2006 at 12:07 UTC

    Communist Party of China firewall blocking network method used in more than one, but mainly has the following three types:

    1, IP blocking
    2, keyword filtering
    3, domain name to deceive the

    Have more than an arbitrary, Chinese users will not be able to go abroad on a number of sites

  • 71. daniel  |  April 23rd, 2009 at 03:30 UTC

    Richard Clayton, do you know any ways to bypass an ISP’s blacklist? If a Chinese user types in a URL, the URL is checked against an ISP blacklist of sites, and if the URL is on the blacklist then access is denied. The blacklist blocks URLs, IP addresses etc.

  • 72. Sam  |  May 13th, 2009 at 03:55 UTC

    Here are three effective methods to bypass the firewall: Ctunnel, Hotspot Shield, and Tor.

    I have screencasts and an article on these proxies here:
    http://www.laowise.com/blog

  • 73. Jeff  |  May 25th, 2009 at 08:44 UTC

    Freedur.com allows me to bypass China firewall with my favorite browser – Firefox. You don’t even need to install it – they have a portable version.
    You can use it even at school. I always watch YouTube at school as my internet at home is so slow. It supports SSL too so I can read my Gmail.

  • 74. kerry  |  August 8th, 2009 at 10:17 UTC

    k… these are the ways that i have found…
    1. use ultrasurf. u need a proxy to download it and its somewhat slow
    2. use freegate. it is super difficult to download.
    3. use a proxy server:
    http://www.unblockmyspace.com
    unblockyoutube.org

  • 75. swookiee  |  July 5th, 2010 at 08:45 UTC

    another easy way to bypass,
    http://www.cyberghostvpn.com
    off you go.
    using it right now :)

  • 76. Mike  |  May 30th, 2012 at 12:05 UTC

    A VPN is a must if you’re living in China. It’s almost impossible to get online without one. For example, if you go to a blocked site, Internet access is cut off COMPLETELY for one or two minutes. It becomes extremely annoying after a while. I am using this VPN now: http://www.sunvpn.com/, had no problems with it.

  • 77. John  |  October 17th, 2012 at 14:49 UTC

    You must use SSTP vpn protocol in China

  • 78. Sarah  |  January 26th, 2013 at 19:17 UTC

    Great article! :) I think a VPN would work just as well. Also, it’s secure and reliable. So, a VPN really helps if you’re in China. There are many such services like HighspeedVPN. It’s one of the services that hasn’t been blocked.
