SANS ISC: InfoSec Handlers Diary Blog

Can you make the Great Chinese Firewall work for you?

Published: 2021-10-19
Last Updated: 2021-10-19 13:14:21 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

The "Great Chinese Firewall" has been well documented for its ability to block content from reaching users in China [1][2]. The firewall is implemented using various tools, inspecting traffic for blocked keywords or, in some cases, even scanning images or outright blocking specific sites.
One persistent rumor has it that it is possible to block traffic from China by embedding blocked keywords in traffic. I wanted to test this using my home mail server. As part of the server banner, I added a few banned words:


There is no authoritative list of blocked keywords, but the ones above have often been cited as blocked. Placing them in the mail server's banner also exposes them in cleartext to any device inspecting the connection, before STARTTLS can be negotiated.

I used my mail server as an example for several reasons:

  1. It receives almost no actual email, but pretty much only spam.
  2. A large number of brute-forcing and other connections to the mail server originate from China.
  3. I could not find much about how the great Chinese firewall affects email. Email is often controlled on the mail server and may not be affected by the firewall to the same extent.

The pie charts display the top countries before and after making the change. While there was a slight change in the number of Chinese IP addresses (9% instead of 11% of the total number of connections), the difference is not what I would consider significant. So, for now, I call the rumor busted that you can get the Chinese firewall to block traffic to your system by injecting simple keywords.
I think this may require a more detailed investigation. For example, the choice of keywords will likely matter, as may the context in which they are sent. HTTP content is more likely to be blocked (I think). Or maybe SMTP content is ignored if it is part of the SMTP envelope?
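The diary reports only the shares (11% before, 9% after), not the underlying connection counts, and whether a drop of that size is meaningful depends on how many connections were observed. The following added example (not part of the original diary) applies a two-proportion z-test to constructed per-country connection counts to show how the "not significant" call can be checked, and how the same 11% to 9% drop becomes significant once the sample is ten times larger:

```python
from math import erfc, sqrt

# Constructed per-country connection counts for the two observation windows.
# The diary gives only the shares (11% -> 9%), so these totals are invented.
BEFORE = {"CN": 110, "US": 300, "RU": 250, "BR": 120, "other": 220}  # 1000 total
AFTER = {"CN": 90, "US": 320, "RU": 260, "BR": 110, "other": 220}    # 1000 total


def two_proportion_ztest(x1, n1, x2, n2):
    """Two-sided z-test of H0: p1 == p2 using the pooled proportion.

    Returns (z, p_value). Requires 0 <= x <= n and n > 0 for both samples.
    """
    if min(n1, n2) <= 0 or not (0 <= x1 <= n1 and 0 <= x2 <= n2):
        raise ValueError("counts must satisfy 0 <= x <= n and n > 0")
    pooled = (x1 + x2) / (n1 + n2)
    if pooled in (0.0, 1.0):
        return 0.0, 1.0  # no variance at all: nothing to test
    se = sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    z = (x1 / n1 - x2 / n2) / se
    p_value = erfc(abs(z) / sqrt(2.0))  # two-sided standard-normal tail
    return z, p_value


def compare_country_share(before, after, country="CN", alpha=0.05):
    """Compare one country's share of connections across two windows.

    `before`/`after` map country code -> connection count. Returns both
    shares, the z statistic, the p-value and a verdict at level `alpha`.
    """
    n1, n2 = sum(before.values()), sum(after.values())
    x1, x2 = before.get(country, 0), after.get(country, 0)
    z, p_value = two_proportion_ztest(x1, n1, x2, n2)
    return {
        "share_before": x1 / n1,
        "share_after": x2 / n2,
        "z": z,
        "p_value": p_value,
        "significant": p_value < alpha,
    }


if __name__ == "__main__":
    r = compare_country_share(BEFORE, AFTER)
    print(f"CN share {r['share_before']:.1%} -> {r['share_after']:.1%}, "
          f"z={r['z']:.2f}, p={r['p_value']:.3f}, significant={r['significant']}")
    # The identical 11% -> 9% drop observed over ten times as many connections
    big = compare_country_share({k: v * 10 for k, v in BEFORE.items()},
                                {k: v * 10 for k, v in AFTER.items()})
    print(f"At 10x the sample: z={big['z']:.2f}, p={big['p_value']:.2e}")
```

With 1,000 connections per window the drop gives p of roughly 0.14, consistent with the diary's "not significant" verdict; the same percentages over 10,000 connections per window give p well below 0.001.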


[1] https://en.wikipedia.org/wiki/Great_Firewall
[2] https://isc.sans.edu/forums/diary/Why+Does+Emperor+Xi+Dislike+Winnie+the+Pooh+and+Scrambled+Eggs/23395/

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu