- Researchers have identified vulnerabilities in China’s Great Firewall
- The firewall attempts to block QUIC connections
- Blocking attempts leave the state exposed
Upgrades to China’s Great Firewall (GFW) have not gone as planned, and the resulting ‘critical flaw’ reduces the effectiveness of the firewall in moderating traffic loads, researchers have found. Attempts by China to censor a specific type of internet traffic in the country have left the state at risk and vulnerable to attack;
‘We [..] demonstrate that this censorship mechanism can be weaponized to block UDP traffic between arbitrary hosts in China and the rest of the world. We collaborate with various open-source communities to integrate circumvention strategies into Mozilla Firefox, the quic-go library, and all major QUIC-based circumvention tools.’
The paper was written by researchers from activist group Great Firewall Report, as well as Stanford University, University of Massachusetts Amherst, and the University of Colorado Boulder – and is titled ‘Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China’.
Internet censorship
The vulnerabilities stem from China’s attempts to block Quick UDP Internet Connections (QUIC) – a transport layer network protocol that is designed to replace Transmission Control Protocol (TCP) because of its built in security, flexibility, and fewer performance issues.
QUIC was invented by workers at Google back in 2012, and at least 10% of sites use the protocol – with many Google and Meta sites included. Both of these organizations are blocked by the GFW, so blocking QUIC connections seems to be an extension of this, although researchers note that not all QUIC traffic is blocked successfully.
The mechanism used to block QUIC connections is vulnerable to attacks that could block all open or root DNS resolvers outside of China from access from within the state, resulting in widespread DNS failures;
“Defending against this attack while still censoring is difficult due to the stateless nature and ease of spoofing UDP packets,” the paper explains. “Careful engineering will be needed to allow censors to apply targeted blocks in QUIC, while simultaneously preventing availability attacks.”
Via; The Register