As someone living blissfully unaware of the struggles people go through in countries with rampant government censorship -- sorry, control for the public good -- of the Internet, it was a bit a of a shock when I got some first-hand experience.
I had a customer that wanted to set up some web servers in China so that they could sign up students for some classes at their school.
At first I just assumed that this is a straightforward matter of selecting a Chinese region in a public cloud, deploying a couple of web servers, and we'd be done by lunch. Easy!
Turns out... that this is actually technically achievable, as long as: You have a Chinese business registered in China, you have a photo ID that you register with the "local authorities" (in person!), pay in Renminbi from a Chinese bank account, and read and write Chinese.
They want to make sure they have someone by the balls. It's either you personally, or someone willing to step up and take the risk of jailtime on your behalf if you publish anything the Grand Pooh Xi doesn't like.
Meanwhile, I can spin up a server in Dubai or South Africa or Brazil like... right now. No paperwork. No prostrating myself in front of the Police to beg for permission to be able to post government-approved content.
Meanwhile, on the map of AWS or Azure regions -- or on any CDNs map -- there's just a hole where China is. It's like those photos of Earth from space, where you can see the city lights glowing brightly everywhere except for North Korea, where there's just darkness.
Remind me, why do we do business with these people again? Why do we give them our money?
You have to get your ICP number registered by a Chinese national (like you say) and then display it on the footer of all your web pages (if you don't, your site will be taken down & you'll be fined). You've also got to store all data on Chinese citizens on a Chinese server.
And they don't mention this on that page, but for every public IP you want to use in China, you have to re-submit your ICP filing/license paperwork, listing every public IP you will use, and what it is used for. So don't accidentally destroy your AWS load balancer, or you'll need to re-file all your paperwork before you can bring your site back up! (AWS load balancers can't be configured with static IPs)
> Remind me, why do we do business with these people again? Why do we give them our money?
Because then we get money. It's the largest "emerging" market in the world. If you have a product that makes 1 million dollars in the US, do some localization work and launch it in China, and you've doubled your money. Every major corporation is actively working on launching in China, because it's obvious that they're leaving money on the table by not being in China.
> As someone living blissfully unaware of the struggles people go through in countries with rampant government censorship
Where do you live? Because I know of no major country without rampant government censorship.
> They want to make sure they have someone by the balls. It's either you personally, or someone willing to step up and take the risk of jailtime on your behalf if you publish anything the Grand Pooh Xi doesn't like.
No offense, but you make a good argument for why China restricts access. Your comment seems to come more from a political operative than from someone trying to spin up some web servers in China.
> Meanwhile, I can spin up a server in Dubai or South Africa or Brazil like... right now. No paperwork. No prostrating myself in front of the Police to beg for permission to be able to post government-approved content.
You make it sound like that's a good thing? It's not. Also, all those countries you listed have censorship...
> Remind me, why do we do business with these people again? Why do we give them our money?
I don't know. Why are you so desperate to do business in China? Shouldn't you be happy since you aren't doing business in China?
I don't understand people like you. You say we shouldn't do business with China. But you whine about not being able to do business in China.
I may be unnecessarily cynical, but the only reason you can open up a server anywhere in the west is because you can be gotten by the balls anywhere in the west if you are breaking the laws here. And the issue with spam, child porn, tax evasion has the same probability of occurring in our world as the DNS breakthrough in theirs.
Of course the laws in China are different, but I don’t see why they would be less protective of those laws as we are, even though I would agree that I think that our world is better to live in than theirs.
This is a rational response if you look at it from a governance perspective.
Pre-GFW, the government was basically in a position where if there was anything illegal online (not just political stuff, but everything from gambling to piracy) they had no recourse. If they sent a takedown notice the company can basically say "why don't you make me".
So it makes total sense to require a local presence if you want to interact with the local market. The GFW in this case is a tool that the government can hit any company who doesn't comply with...
Frankly, the thing that really is worrying is that because this is so rational from an Internet governance perspective we might well see more and more countries follow this path... Not censorship per se but building up mechanisms to create a more fragmented Internet.
I was setting up a self-hosted VPN to work around the GFW. I tried everything. Some solutions would sort of work, but unreliably, with extremely minimal bandwidth, and would suddenly stop working after some time. I can't remember the combinations of transport and obfuscation tech that I tried, but they were considered best bets at the time. I would be very interested in finding out how commercial offerings do it. I'm not comfortable using them, since chances are that they're honeypots.
Funnily enough I traveled to another part of China then, and the Airbnb wifi had practically no GFW-type blocking. GFW is made up of local or provider-specific implementations that vary a lot. It was a small, rural town.
The ecosystem of secure proxies is pretty advanced in China (thanks to, you know ...); you can set up a home router that selectively reroutes traffic through different proxies automatically and transparently based on latency, target IP, domain, etc.
Since Airbnb is international, I guess if someone (assuming it's a small private operation) is offering rental service there, they might as well set up a proxy for foreign guests.
> Some solutions would sort of work, but unreliably, with extremely minimal bandwidth and would suddenly stop working after some time
The sad part is, anti-proxy technology is also fairly advanced. Most well-known VPN protocols such as OpenVPN, AnyConnect, IPSec and Wireguard etc. can be identified via traffic analysis; once the GFW detects suspicious traffic, it may launch probes to further investigate the service. That's why Chinese people use Shadowsocks, Clan and V2Ray; those proxies are designed to protect themselves from these situations.
Shadowsocks and V2Ray require some know-how to set up correctly. Notably, Shadowsocks requires AEAD ciphers to be relatively safe, and you should never run Tor through it due to flaws in its transport protocol. As for V2Ray, avoid the VMESS protocol since it is known to be vulnerable to probe attacks.
Your description of the symptom was more or less the same as my personal experience, but the conclusion might be a little bit off IMO. I first tried to deploy proxies to Google App Engine and use PAC scripts to auto-switch between them. It was super fast and worked for ONE day. I really mean one day here: the whole thing stopped working the next day; obviously the maneuver was detected and busted. Then I tried both public and commercial VPN services, but all of them were either unstable or slow, or even both. At the same time, I almost never had any problems with corporate VPNs, but I did not want personal stuff to go through company networks, so I hardly used them unless I had no choice. Things did not change much until AWS/Azure emerged. I almost immediately deployed an Azure VM dedicated to VPN when it became available to my MSDN subscription. I was pretty comfortable with it, as even if my VM got blocked, I could actually redeploy it to a different region in minutes. It turned out I worried too much; I never had any drama with it since I kept a very low profile and the VPN was really for myself only.
DNS pollution was for sure only one means of the blocking. Even if the IP address of the site got resolved correctly, the site could not be reached, as a result of "Connection reset" or "Remote host closed the connection" errors. I thought the blocking was all the time and everywhere until I accidentally realized that I had just accessed some site without the VPN connected, and such a state could last from hours to days; as long as I did not access content deemed sensitive, sites did not seem to matter that much, as blocking would not be triggered until I clicked some links. HTTPS did not seem to help at all, so the GFW must have the ability to do deep packet analysis. Such behavior makes sense to me, as the network traffic in China is enormous; even the government would not have enough resources to monitor everything all the time, so the practical approach would be using a little bit of heuristics and commencing blocking only when certain signals were triggered. Also, I encountered man-in-the-middle attacks a couple of times, as I noticed my browser was not happy with the site's certificates. Such an attack might be carried out by the ISP, as the certificates were self-signed.
I'm buying a China Mobile Hong Kong SIM. 10 eur for 10 gb, free roaming in mainland. I can access any blocked service in Mainland at full speed. Usually putting a vpn layer on top. no speed impact.
The SIM can be purchased in any convenience store in HK without identification.
I had the same experience, trying to self-host my VPN or other evasion solutions only served to get my server and domains banned for all other purposes from inside the GFW. The symptoms were exactly the same as you described (at first, they "sort of work, but unreliably, with extremely minimal bandwidth and would suddenly stop working after some time").
In the end, I'm not going to try that anymore. I haven't been in China for 2+ years now due to COVID, but next time I'll hope my server is out of the blacklist again, and I hope I can access my (self-hosted) email and other normal services that don't try to evade it.
The student VPN of another Asian university or the employee VPN of a well established company seemed to work last time. Not sure if that can be counted on reliably though...
Did you try any public wifi in that small town? In China, much of GFW circumvention happens at the router level. You can easily buy special routers on taobao with shadowsocks built in. It's possible your AirBNB host simply had their internet set up to bypass the GFW by default as a convenience for their guests.
- Bidirectional DNS poisoning: China can send forged DNS responses if you try to access certain Chinese domains from outside the GFW. This isn't server-side enforced geoblocking.
- GFW uses a small space of forged IPs, some belonging to Facebook, Twitter, Dropbox which may be responsible for a non-negligible overhead in server costs responding to HTTP requests for irrelevant hostnames.
Can FB sue China in court for damages for the cost of serving these forged requests?
Packets from the China mainland to these forged IPs are routed to a blackhole at the international network outlet of China. So, normally there is no overhead for sites like Facebook.
Nope. For the 2nd item, I don't see a reason why the GFW would do that. I did see some domain names resolved to 0.0.0.0 or 127.0.0.1, which is nice and easy and unlikely to cause a problem. And in most cases, the host names were actually correctly resolved but the request either timed out or got a connection reset error etc., as such methods are the cheapest way to block access at scale.
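The DNS side of the blocking discussed above (forged responses racing the real resolver, and names resolved to 0.0.0.0 or 127.0.0.1) can be spotted on the client side by looking at every response a query receives rather than only the first. The block below is an added example, not code from the paper or from anyone in this thread; it builds a constructed capture of DNS responses with documentation-range addresses and flags the two signals the thread describes.

```python
import struct
import ipaddress
from collections import defaultdict

def build_response(txid, qname, answer_ip, ttl=300):
    """Minimal DNS response with one A record; used only to construct samples."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = wire_name + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)   # name = pointer to offset 12
    return header + question + rr + ipaddress.IPv4Address(answer_ip).packed

def read_name(pkt, off):
    """Decode a (possibly compressed) domain name; returns (name, offset after it)."""
    labels = []
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                            # compression pointer
            target = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(pkt, target)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length

def parse_response(pkt):
    """Return txid, lowercased qname and the A-record answers of a DNS response."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = read_name(pkt, 12)
    off += 4                                                  # skip QTYPE / QCLASS
    answers = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return {"txid": txid, "qname": qname.lower(), "answers": answers}

def find_suspect_answers(observed):
    """observed: (arrival time in seconds, raw response) pairs seen by the stub resolver.
    Signal 1: several responses for one txid/qname that disagree; an injector answers
    before the real resolver, so the earliest is the suspect. Signal 2: 0.0.0.0 or a
    loopback address as the answer, which is never a real web host."""
    by_query = defaultdict(list)
    for t, pkt in observed:
        r = parse_response(pkt)
        by_query[(r["txid"], r["qname"])].append((t, r["answers"]))
    findings = []
    for (_txid, qname), rs in by_query.items():
        rs.sort()
        if len({tuple(a) for _, a in rs}) > 1:
            findings.append((qname, "conflicting responses", rs[0][1], rs[-1][1]))
        for _, answers in rs:
            if any(ipaddress.IPv4Address(ip).is_unspecified or
                   ipaddress.IPv4Address(ip).is_loopback for ip in answers):
                findings.append((qname, "bogus address", answers, []))
    return findings

# Constructed sample capture: documentation-range addresses, not real resolutions.
SAMPLE = [
    (0.012, build_response(0x1A2B, "blocked.example", "203.0.113.7")),    # arrives first: injected
    (0.180, build_response(0x1A2B, "blocked.example", "198.51.100.10")),  # genuine answer, later
    (0.090, build_response(0x3C4D, "fine.example", "198.51.100.20")),     # single answer: clean
    (0.040, build_response(0x5E6F, "nulled.example", "0.0.0.0")),         # resolved to 0.0.0.0
]
```

Running `find_suspect_answers(SAMPLE)` reports the conflicting pair for blocked.example and the 0.0.0.0 answer for nulled.example, and nothing for fine.example.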
One of the details that I found really interesting is that the great firewall blocks any website that matches *torproject.org like the innocuous mentorproject.org.
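The mentorproject.org case above is a label-boundary bug: a substring rule for torproject.org catches any host that merely contains the string. The added example below (not from the paper or the thread) contrasts that rule with one that matches only on DNS label boundaries and lists the collateral hosts; the same check matters for allowlists in your own code, where a substring test lets unrelated domains through.

```python
def naive_match(host, blocked):
    """The overbroad rule: any host containing the string is treated as blocked."""
    return blocked.lower() in host.lower()

def label_suffix_match(host, blocked):
    """Match only on DNS label boundaries: the domain itself or a subdomain of it."""
    h = host.lower().rstrip(".")
    b = blocked.lower().rstrip(".")
    return h == b or h.endswith("." + b)

def collateral(hosts, blocked):
    """Hosts the naive rule catches that the label-aware rule does not."""
    return [h for h in hosts if naive_match(h, blocked) and not label_suffix_match(h, blocked)]

# Constructed host list; the last two are unrelated domains that happen to contain the string.
HOSTS = ["torproject.org", "www.torproject.org", "TorProject.ORG.",
         "mentorproject.org", "torproject.org.example"]
```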
The researchers mentioned that they had "controlled machines located in China". Given the number of requests sent by these machines every day, how did they avoid being detected? Isn't it very suspicious for a machine to send a huge amount of requests to blocked domains every day?
IMHO, the most annoying thing about the great firewall is not the censorship - it's the bandwidth. Every single night in China, right around the time Chinese people start streaming, for about 4-5 hours, the bandwidth from anywhere to China goes to complete shit. You can't deploy anything or transfer data, it'll just time out or get corrupted.
Interestingly, "time in China" is one time, because China has 1 official time zone. Even though it spans 5 geographical time zones. Unless you're in Xinjiang, in which case if you're talking to a Uyghur or Kazakh, they're using Xinjiang time, which is 2 hours behind Beijing Time. Unless you're watching a non-Uyghur/Kazakh TV channel, in which case the time is back in Beijing Time.
Semi-private under-the-radar solutions are reliable, affordable, and readily available, to anyone who cares to Google for a few minutes. Including Gigabit-size holes and very low [added] latency to Japan, HK, Singapore, and other places.
jiggawatts | 4 years ago
No, really. That's the process. Really: https://docs.microsoft.com/en-us/azure/china/overview-checkl...
88840-8855 | 4 years ago
That's the easiest solution in my eyes.
olalonde | 4 years ago
[0] https://guide.v2fly.org/en_US/basics/vmess.html
killingtime74 | 4 years ago
They had to pass a special law to allow the 9/11 families to sue https://en.m.wikipedia.org/wiki/Justice_Against_Sponsors_of_...
BiteCode_dev | 4 years ago
Sure they can. They can't win, but they can waste time and money.
SerCe | 4 years ago
The paper is also accompanied by an excellent presentation on the USENIX channel, https://www.youtube.com/watch?v=nPwsROLZrnc.
Dah00n | 4 years ago
Both. Neither. (Is there a difference for us? I doubt it.)
senectus1 | 4 years ago
the state of what's allowed through TGFWC changes constantly.
2143 | 4 years ago
https://citizenlab.ca/2015/04/chinas-great-cannon/