China's Great Firewall Tests Mysterious Scans On Encrypted Connections (forbes.com/sites/andygreenberg)
97 points by bdr on Nov 21, 2011 | 45 comments



Link to the posting of the original discovery with technical details included: http://www.nsc.liu.se/~nixon/sshprobes.html


How could such a technique actually give the firewall information pertinent to whether or not the offending site was illegal? It's like a MITM attack where they intercept the outgoing ssh connection, send seemingly arbitrary data to the ssh server on the non-Chinese internet, and then sometimes disrupt the ssh connection or allow it pass through.

What information could the response to garbage possibly convey beyond: "how does this server respond to garbage"?

How would that even help with fingerprinting, which is his suggestion? Would there even be much variation in how different sshds would respond to that? So what could you do with that information? 30% of known Tor servers use sshd version X, so let's ratchet up the frequency of RST packets for connections to servers of version X? Seems like a long shot: that would be both a sophisticated attack and have pretty hamfisted results. And how could this information be used to find open relays? Just guilt by sshd version again, since statistically machines with open relays have a tendency to run version X of sshd?

I'd like to hear a security person come and talk instead of my wild speculations.


TCP uses a 32-bit sequence number that should be initially seeded to a _securely generated_ random number. As each packet is sent back and forth between endpoints, this number increments by 1. If an adversary wanted to disrupt the connection (denial of service) they could obtain the sequence number and other numbers such as the source and destination ports and spoof some packets pretending to be the real client. It would then become a race between the real and fake clients as to which packet is accepted first. There is usually over 2^40 bits of entropy that an adversary would need to know to hijack a TCP session.

If the adversary is in the middle (MITM) they can read all your traffic and obtain the required entropy in real time. In this scenario, it doesn't matter how much entropy is contained in each packet because the adversary knows that information in real time. Thus the adversary will be able to inject packets to reset/terminate the TCP session, causing a Denial of Service situation.

Cryptographic protocols including SSH and TLS are designed to solve the majority of problems that MITM adversaries can cause. The notable exception is that these protocols rely on unprotected TCP sessions. MITM adversaries are still able to reset/terminate TCP sessions (when SSH/TLS protocols are detected).

IPSec protects not only the information transmitted, but the IP packet headers as well. An Authentication Header (AH)[1] is appended and verified to ensure that packets haven't been tampered with or forged. MITM session reset/termination attacks are therefore no longer possible because forged packets will be ignored.

[1] https://en.wikipedia.org/wiki/IPsec#Authentication_Header
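The comment above contrasts an off-path attacker, who has to guess the sequence number, with an on-path one who already knows it. The following is an added example (not from this thread) of the receiver-side RST validation that RFC 5961 specifies, written as a small simulation; the connection state fields and the `strict` flag are assumptions for illustration.

```python
# Added example: RFC 5961-style validation of an incoming TCP RST.
# Classic TCP (RFC 793) resets on any in-window RST; RFC 5961 only
# honours an RST whose sequence number equals rcv_nxt exactly, answers
# an in-window but inexact RST with a challenge ACK, and silently drops
# anything outside the window. A blind attacker therefore has to hit one
# value out of 2^32; an on-path observer simply reads it off the wire.
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # sequence numbers wrap modulo 2^32


@dataclass
class ConnState:
    rcv_nxt: int                 # next sequence number expected from the peer
    rcv_wnd: int                 # receive window we advertised
    state: str = "ESTABLISHED"


def in_window(seq: int, conn: ConnState) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - conn.rcv_nxt) % SEQ_MOD < conn.rcv_wnd


def handle_rst(seq: int, conn: ConnState, strict: bool = True) -> str:
    """Decide what to do with an RST segment carrying sequence number seq.

    strict=True  -> RFC 5961 behaviour (exact match required)
    strict=False -> RFC 793 behaviour (any in-window RST resets)
    Returns one of "drop", "reset", "challenge-ack".
    """
    if not in_window(seq, conn):
        return "drop"
    if seq == conn.rcv_nxt or not strict:
        conn.state = "CLOSED"
        return "reset"
    # In-window but not exactly what we expect: ask the real peer to
    # confirm. A genuine peer re-sends an RST with the right number;
    # a blind forger never sees the challenge.
    return "challenge-ack"


def accept_data(seq: int, length: int, conn: ConnState) -> str:
    """Advance rcv_nxt for an in-order data segment (simplified)."""
    if seq == conn.rcv_nxt:
        conn.rcv_nxt = (conn.rcv_nxt + length) % SEQ_MOD
        return "accept"
    return "out-of-order" if in_window(seq, conn) else "drop"
```

The `strict=False` branch exists only to show what the older behaviour accepted; a real stack would not expose such a switch.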


While IPSec would solve the technical problem, using it would make blocking even easier, unfortunately.


You can fairly easily spot most common protocols by seeing what they 1) Say to you without you prodding them or 2) Respond when you hit them with random data.

My guess is that they're using it as a cheap way to tell the difference between most of the common protocols (i.e. ssh vs. openvpn vs. https, etc.).


Would an outgoing ssh request be hard to discriminate from an outgoing openvpn request or an outgoing https request? I don't know enough about how the protocols work to understand.


> Would an outgoing ssh request be hard to discriminate from an outgoing openvpn request or an outgoing https request?

No. But the point probably is: it is much easier and more economic to block the receiving end once by figuring out what it is than having to scan every single outgoing connection all the time.


Seems more like a way to answer the question "Is this thing running on an ssh port really a vpn server?".


I'm guessing it's not actually garbage, but something that an authorized VPN can respond to, so if you are not authorized, it's garbage and you cannot give the correct response and are blocked.


So then you're theorizing that this is a whitelist approach to VPN connections. Again, this would seem really heavy-handed, since it would block the vast majority of VPN traffic. It's certainly not the case for me currently (I'm in China), but it's possible that other cities are taking that approach.


> since it would block the vast majority of VPN traffic

Which would be a problem for the Chinese government HOW?

I think those very blunt ways of identifying "unwelcome" connections and then just blocking them look like exactly the solution a government makes that doesn't twitch an eye at re-locating thousands because they want to build a dam right there.

So far encrypted traffic was a neat way of circumventing the control, now this could be trying to just plug those holes. Even if the handshake message does not say "OpenSSH xx...." at least the protocol response to random data would give them a clue and it is (sort of) more difficult to fix on a larger scale because they could always fine-tune the finger-printing.

Instead of monitoring and analyzing all outgoing connections all the time, they just figure out where they are going and then block the destination once and for all - sounds logical and neat.


China's ssh protection is getting really serious.

VPNs have been horribly bad the last few weeks.

Tunneling through ssh has also stopped working consistently.

I don't know anybody over here who has a good VPN anymore. It's got to be hurting businesses that collaborate internationally - the net goes down for a few minutes at a time, throughout the day.




This looks more like the usual "bright idea" of some third rank guy. Next year the people at the top will notice, because more and more foreign companies are pi##ed, and they will revert the whole thing again.

I can't imagine that this will stay the same for long, especially now that the GDP growth is down to 9% and likely to go down further. Next year they will even loosen the restrictions on real estate purchase again, to get the economy going.


It isn't blocked yet. Give it a few hours.


Using a commercial (but certainly not approved) VPN on a home DSL: It works for a few minutes and then starts to degrade. I wonder if it's related to this new tactic. It's a little hard to distinguish from old behavior, unfortunately.


Yes. I believe they started to degrade VPN/SSH, amazonaws.com and Google a couple of months ago. Things may vary depending on which city you are in and which ISP you are using, e.g. pptpd can barely connect on my DSL.


Exactly the same thing is happening to me. Used to be better a few months ago. Honestly, this will be the primary reason I will leave China when I get completely tired of this. Slowly getting there...


I've been in China recently and noticed I was having trouble establishing VPN connections after just a few hours. I would have to find new VPN servers to connect to every 3 or 4 days.

I have not noticed any drop off in connectivity when using my company's VPN, but I'm sure this is because this is an authorized VPN.

The most notable blow here is that people using solutions like FreeGate are getting heavily affected by this. Most Shanghainese people use this to connect to the outside world.


This is pretty depressing. It seems like the Chinese government, in creating new more powerful Internet censorship methods, is outpacing services to circumvent it.

People like those of us reading this site probably won't have much trouble finding ways around it, but it seems people (esp. Chinese) who would normally hop the Great Firewall with ease using VPNs/proxies will have to put in more effort/get more technical to do that successfully, and I'm afraid that they won't want to bother.


The thing I fear most is that if anti-ssh/ssl/tor/vpn measures start to be somewhat effective, western governments will also see it as an excuse to implement them in the guise of "crime prevention", just now that services such as gmail are finally adopting it as default.

Which means we'd be forced back to a 90's level of internet security at least for consumers, I'm sure corporations will be able to 'buy' the right to use encryption...



From http://www.nsc.liu.se/~nixon/sshprobes.html:

"So, to more precisely describe what we have found: a small subset of the ssh logins from Chinese IPs to two of our systems are preceded by one or two connections from unrelated Chinese IP addresses, in which opaque binary data is thrown at sshd."

"My hypothesis is that just over a year ago, a new function in the firewall went into limited beta test, where a sample of outgoing ssh connections from China is carefully selected for secondary screening."

"For the selected ssh connections, the target system is probed from one or two IP addresses under the control of the Chinese government. These may be otherwise innocent addresses that are spoofed at the level of the great firewall, or they may be actual computers under remote control by the government - I have no way to tell."

"In some cases, the legitimate ssh connections are unsuccessful; they appear to be interrupted. This may be a result of the firewall deciding the target system to be unsuitable and injecting RST packets into the TCP stream to kill it.

The last few weeks, the frequency of the probing has increased. This might mean the beta test period is nearing its end, and that this function is about to become more widely deployed."
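The quoted write-up describes the observable pattern on the server side: a legitimate login preceded, within seconds, by one or two connections from different addresses that send opaque bytes instead of an SSH banner. Below is an added example (not from the write-up or this thread) that correlates sshd log lines to surface that pattern; the log line shapes are the common OpenSSH ones, the sample lines, addresses and the 60-second window are constructed for the demonstration.

```python
# Added example: flag sshd logins that were preceded shortly by "probe"
# connections (no banner / bad banner) from addresses other than the
# client that then logged in. Sample log below is constructed.
import re
from datetime import datetime, timedelta

# Message shapes assumed (OpenSSH wording varies a little across versions):
#   "Bad protocol version identification '...' from 1.2.3.4 port 40001"
#   "Did not receive identification string from 1.2.3.4"
#   "Accepted publickey for alice from 1.2.3.4 port 51234 ssh2"
TS_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d)")
PROBE_RE = re.compile(
    r"(?:Bad protocol version identification .* from|"
    r"Did not receive identification string from) (\S+)")
LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")

CONSTRUCTED_LOG = """\
Nov 21 10:00:01 host sshd[1001]: Bad protocol version identification '\\x16\\x03\\x01' from 203.0.113.7 port 40001
Nov 21 10:00:02 host sshd[1002]: Did not receive identification string from 203.0.113.9
Nov 21 10:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.23 port 51234 ssh2
Nov 21 10:30:00 host sshd[1004]: Accepted password for bob from 198.51.100.44 port 51300 ssh2
Nov 21 11:00:00 host sshd[1005]: Did not receive identification string from 198.51.100.50
Nov 21 11:00:03 host sshd[1006]: Accepted publickey for carol from 198.51.100.50 port 51400 ssh2
"""


def parse_line(line, year=2011):
    """Turn one syslog line into a probe/login event, or None if irrelevant.
    syslog omits the year, so the caller supplies it."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    lm = LOGIN_RE.search(line)
    if lm:
        return {"kind": "login", "ts": ts, "user": lm.group(1), "ip": lm.group(2)}
    pm = PROBE_RE.search(line)
    if pm:
        return {"kind": "probe", "ts": ts, "ip": pm.group(1)}
    return None


def find_probed_logins(lines, window_seconds=60, year=2011):
    """Return logins preceded within the window by probes from OTHER hosts.
    A failed banner from the same address as the login is treated as an
    ordinary client retry and is not counted (see carol below)."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    window = timedelta(seconds=window_seconds)
    flagged = []
    for i, ev in enumerate(events):
        if ev["kind"] != "login":
            continue
        probes = [p["ip"] for p in events[:i]
                  if p["kind"] == "probe" and p["ip"] != ev["ip"]
                  and ev["ts"] - p["ts"] <= window]
        if probes:
            flagged.append({"user": ev["user"], "ip": ev["ip"],
                            "ts": ev["ts"], "probes": probes})
    return flagged


if __name__ == "__main__":
    for hit in find_probed_logins(CONSTRUCTED_LOG.splitlines()):
        print(f"{hit['ts']} login {hit['user']}@{hit['ip']} preceded by probes from {hit['probes']}")
```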


This is why I am moving my company back to the States and why the Chinese startup scene is so depressingly obscure. The Chinese government can go to hell. I'll take my business and dollars somewhere else.


Out of the frying pan...


At least it won't take me an hour to push to heroku and my aws access won't be throttled.


Today. The US is getting closer to the China model by the day.

EDIT: Downvoters, do you disagree? With the continuous attempts at controlling the internet and destroying people that get dirt on US corruption? SOPA is just the latest attempt. It wasn't the first, and if we beat it it won't be the last.


Oh well, that may be the reason I've problems connecting to my VPN and SSHing to my server. Not every time, though.

Posting via https works, however.


There may be a reason Chinese gov't does not view SSL as a threat. Collusion with CAs?


This is so pathetic, why does the Chinese government think they can tell users what they should and shouldn't be looking at. I agree that this type of measure should come into play if there was a guaranteed way of stopping people looking at child pornography or something like that but it almost always appears to be political.

I have not been on the Tor network before and I do not plan to but it should be the person's choice of whether they access it or not.

China are like the dick head IT manager who turns off javascript at network group policy level, just because he can.


You're expecting a relatively new Communist government, formed only about half a century ago and currently governing 1.3 billion people, to change its core philosophies overnight. It's not so easy. I don't support this stuff, but I recognize that it's not easy. I bet you it's harder than changing a country's dependence on oil as an energy source (assuming that viable alternatives are available). You have to change the world's largest population's philosophies, governing structure and infrastructure, expectations, etc.


India and Japan generally don't censor foreign websites, and their governments survive OK.

It's a big loss of face for the present leaders to change their policy. But we keep on hearing the phrase from within China: "Perhaps the new generation of leaders taking over in October 2012 will have different ideas about web censorship". If the policy is going to change, it'll be soon after this time when no government leaders "lose face".

The US and EU are also preparing to challenge China at the WTO claiming the Great Firewall violates free trade. If the US and EU can get their timing and level of prodding right, the Firewall might be dismantled. China's already given their web businesses such as Baidu enough startup advantage from the Firewall, and will probably find other ways to give advantage to subsequent startups.

But... the infrastructure's already there in China to block foreign websites. Anything that exists but isn't used will be used again sooner or later by some politician, so thanks to Cisco et al the Firewall will always exist even if "dismantled" under WTO enforcement. Just like the US military is there to defend the integrity and borders of the Union, to be used as a last resort, but gets used to invade Iraq for cheap oil.


I think you misunderstood what I'm trying to say. I don't think it's about losing face. Nor about whether the government survives. It's about cultural momentum. Look at how hard it is to change policies in any government. Look at how long it took the US to get socialized health care, despite people clamoring for it for decades, and even then, that could be repealed by future administrations, as some GOP folks are demanding.

For the same reasons a startup is nimbler than a big corporation for changing things, larger countries are slower than smaller countries for making significant change. India is lucky because it's had a tradition of democracy and freedom for quite some time. They already had cultural momentum in that direction, so they don't need to change anything to align with what you want. Similar for Japan. China, you're asking them to reverse the pull of gravity.

I've worked in teams that were focused on creating big vision cultural and organizational change in big corporations. I can't even begin to imagine how difficult it would be in a big government, especially one of China's size, and one where there is no easy allowance for diversity of opinions.

For example, China's central government is huge on trying to stamp out corruption. However, despite the number of executions they continually carry out for corruption matters and the dissatisfaction of the populace, it is logistically impossible to keep a handle on all of the regional and local governments. It's a huge complicated machine, and I'd warrant that it's even more complicated than the US government's operations, judging from what I've seen living in China.


From what I've heard India totally has their equivalent of their Great Firewall, blocking VOIP calls and more.


>I agree that this type of measure should come into play if there was a guaranteed way of stopping people looking at child pornography or something like that but it almost always appear to be political.

No offense, but you seem to miss the point. You've just cited a different political bar at which [government] censorship is okay. I'm not saying child pornography is okay, but it's just a different line in the sand.


I am making a point about the levels which they go to. I would happily let our government block content like that.

There should be more policing on the internet as a whole, I just don't agree with how far they go.

When they banned Google search months ago, that was because of political agenda over user censorship.


I still don't think you're getting what I'm saying. Where do you draw the line? I don't like images of extreme gore any more than child pornography. Should we let governments censor it too? How would we accomplish that anyway?


Well I think there are some obvious assumptions you can make. Child pornography being one of them.

I do understand what you mean, I just think there can be clear cut boundaries you can draw.

It's also not a matter of preference but a matter of what is right and wrong?


> It's also not a matter of preference but a matter of what is right and wrong?

Who defines right and wrong?

Is it right or wrong to look for abortion clinics? What about just doing research on abortion? How about stem cells? Should I be able to use bit torrent? After all, I can torrent Ubuntu releases, or copies of mp3's, or child pornography - and there's no way to tell the difference.

Is it wrong to look up information that makes your government look bad? How about someone else's government?


What is right and what is wrong is different for different people.


> This is so pathetic, why do the Chinese government think they can tell users what they should and shouldn't be looking at

You are measuring a totalitarian regime against your own values of freedom and call their actions "pathetic" because they don't allow personal choice of having encrypted traffic?

You must have no understanding of China and its politics and the meaning of their censorship and their Great Firewall... that's like saying "Hitler was a real dork because he did not allow free speech and freedom of art which are totally awesome and everyone should be allowed to draw what they want!".


Yes I am because they are deciding at a government level what everyone should be looking at.

People are using VPNs to bypass the firewall, therefore the people inside of China do not want the restriction, so it's obvious that the people inside do not want to be restricted.

So yes, I deem what they are doing from a government level pathetic as it doesn't stand for what the whole nation wants. So it's not MY values of what I call freedom but my understanding of what a majority of the people inside China actually want.

If people didn't want that then there would be no need for encrypted traffic to connect to sites that the firewall would class as inappropriate.


> my understanding of what a majority of the people inside China actually want.

Do you really think that the majority of Chinese citizens use VPNs to bypass the firewall?


If there was not a massive demand for this then the service would not exist. Also, if a lot of people were not doing it then they would not have rolled out software at ISP level to combat such a service.

So I would say yes, a lot of people are using a VPN to bypass the firewall.


The majority of people in China do not use the Internet. Many live in rural areas and are too poor to even have a computer, never mind the Internet. Internet penetration in China is actually only at 28.8%, though it's growing.

http://www.google.ca/publicdata/explore?ds=d5bncppjof8f9_...

Given this data, it's impossible to say that the majority of people in China do not want the restriction. Rather, I'd say the majority of people in China do not care because they're not on the Internet anyway. And once they get on the Internet, do they care about Youtube? No, Tudou and Youku have free licensed streaming for anything they could care about, including now licensed stuff for Western movies and TV shows. Facebook? Everyone's on QQ. Twitter? They got weibo and it's growing gangbusters and is the only real outlet for political dissatisfaction; so it's immensely popular. Twitter clients and apps? Heck, everyone's making one for weibo.

Some users want access to Facebook and the like, sure. But how many? Nobody really knows because that data is suspect when it is available. But even if nobody was interested, it's still such a huge market that even a small subset would create enough revenues for these companies to make a profit. That's why they exist. Because the market is so large anyway and it's low hanging fruit.


There is a huge gap between "enough demand for a service" (a few thousand) and "majority of China" (half a billion).



