
How China Blocks the Tor Anonymity Network

Security analysts reveal the inner workings of China's efforts to block the Tor anonymity
network, and how to get around this censorship.

The Tor Project is a free network run by volunteers that hides users' locations and usage from
surveillance and traffic analysis. Essentially, it provides online anonymity to anybody who wants
it.
Tor users can send email and instant messages, surf websites, and post content online without
anyone knowing who or where they are. Consequently, it is widely acknowledged as an
important tool for freedom of expression.
That's clearly a worry for authoritarian regimes that want to control and limit their citizens'
access to the outside world. The biggest and most powerful of these is China, and the
government there operates a firewall that denies its citizens online access to the outside world.
It's no surprise then that the Great Firewall of China, as it is called, actively blocks access to the
Tor network. So an interesting question is how this censorship works and how it might be
circumvented.
Today, Philipp Winter and Stefan Lindskog at Karlstad University in Sweden provide an answer.
These guys have conducted a comprehensive analysis of the way the Great Firewall of China
blocks Tor and how these measures might be sidestepped.

First, a bit of background about Tor. Let's imagine a fictional user called Alice. To use the Tor
network, Alice must first download the free software package, which she runs on her computer.
This software encrypts Alice's online communication and sends it to a Tor server called an entry
relay, which then directs it randomly through a network of Tor relays operated by volunteers
around the world. Anybody receiving information from Alice can trace the message back only to
the last Tor server.
Also, since the Internet addresses of the sender and receiver are encrypted while they are in the
network, an eavesdropper cannot tell who sent a message or where it is going.
The obvious way for China to prevent access to Tor is to block access from inside the country to
the entry relays. That's easy because the entry relays are publicly listed, and, indeed, the Great
Firewall of China does exactly this.
However, in anticipation of this tactic, the Tor network always operates a number of entry relays
without publishing their details. These are much harder to block and can easily be changed.
The trouble is that the Great Firewall of China seems to have found a way to detect and block
these secret relays as well.
Now Winter and Lindskog think they've worked out how this is done. The trick has been to set
up their own secret relay and to try to connect to it from inside China (building on previous work
by Tim Wilde at Team Cymru).
The Tor software that Alice runs must connect with any Tor relay it contacts using a special
handshake protocol. This protocol contains unique sequences of code.
Winter and Lindskog say the firewall uses deep packet inspection to look for this code in any
outgoing communications. If it finds it, it assumes a potential Tor connection. It then attempts to
make its own connection. If that works, the firewall then blocks future access to this IP address.
Impressively, Winter and Lindskog have worked out the details of how the deep packet
inspection does this.
Even more impressively, these guys have used Google's reverse DNS lookup service to work out
who seems to be behind this censorship. The evidence points strongly to two of China's largest
telecom companies: China Telecom and China Unicom.
Both of these organisations are government-owned and clearly well placed to operate a firewall
on this scale.
So what to do? With their newfound knowledge of how the Great Firewall of China works,
Winter and Lindskog suggest a number of strategies that Tor users could exploit to beat it.

One idea is packet fragmentation: dividing up the packets to confuse the deep packet inspection
system so that it cannot easily find and block secret relays.
However, that relies on all Tor users using packet fragmentation. A single Tor user who connects
to a secret relay in the conventional way will give it away, allowing the authorities to block it.
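
The following sketch is an added illustration, not code from the article or from Winter and Lindskog's paper. It models only the pattern-matching stage described above: a matcher that inspects each packet in isolation misses a pattern split across segments, a matcher that reassembles the stream does not, and one unfragmented client is enough to expose a relay. The marker bytes, function names and segment size are constructed assumptions.

```python
# Constructed stand-in for the handshake byte pattern; the article does not give the real one.
MARKER = b"\x00HANDSHAKE-MARKER\x00"

def segment(payload: bytes, size: int) -> list[bytes]:
    """Split a payload into chunks of at most `size` bytes (a model of small TCP segments)."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]

def per_packet_match(segments: list[bytes], pattern: bytes = MARKER) -> bool:
    """Stateless inspection: each segment is searched on its own."""
    return any(pattern in s for s in segments)

def stream_match(segments: list[bytes], pattern: bytes = MARKER) -> bool:
    """Stateful inspection: carry over the last len(pattern)-1 bytes so a
    pattern that straddles a segment boundary is still found."""
    keep = len(pattern) - 1
    tail = b""
    for s in segments:
        window = tail + s
        if pattern in window:
            return True
        tail = window[-keep:] if keep else b""
    return False

def relay_flagged(clients: list[list[bytes]], matcher) -> bool:
    """A relay is flagged as soon as the traffic of any one client matches."""
    return any(matcher(segs) for segs in clients)

# Constructed sample traffic: the same first flight sent two ways.
HELLO = b"client-prefix" + MARKER + b"client-suffix"
FRAGMENTED = segment(HELLO, 8)   # 8-byte segments, shorter than the marker
WHOLE = [HELLO]                  # conventional client, one segment

if __name__ == "__main__":
    print("per-packet sees fragmented:", per_packet_match(FRAGMENTED))
    print("reassembly sees fragmented:", stream_match(FRAGMENTED))
    print("relay with all clients fragmenting flagged:",
          relay_flagged([FRAGMENTED, FRAGMENTED], per_packet_match))
    print("relay with one conventional client flagged:",
          relay_flagged([FRAGMENTED, FRAGMENTED, WHOLE], per_packet_match))
```
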
Perhaps the most promising avenue is a tool currently being developed called Obfsproxy. This
camouflages Tor traffic, making it look like something else, such as Skype traffic, for example.
China is clearly worried about this approach. The Great Firewall of China currently blocks all
published relays designed to use Obfsproxy. However, Winter and Lindskog set up a private
Obfsproxy relay in Sweden and successfully connected to it from inside China. "We initiated
several connections to it over several hours and could always successfully establish a Tor
circuit," they say.
That seems to prove that the deep packet inspection system cannot spot private Obfsproxy relays
and so looks like a promising route forward.
"The main reason the Great Firewall is able to detect Tor traffic is that it is easily distinguishable
from other types of Internet traffic. It is crucial that this distinguishability is minimised,"
conclude Winter and Lindskog.
There is a broader issue of course. Because Tor is an open and transparent organisation, these
kinds of discussions about how best to circumvent the Chinese firewall inevitably take place in
public, in full view of the Chinese authorities they are attempting to outwit.
The mere publication of Winter and Lindskog's paper gives the Chinese authorities full view of
the techniques these guys have used to reveal how the firewall works.
Security analysts and the developers behind Tor must be sorely tempted to hide their
deliberations and protect their future work behind an impenetrable veil of secrecy. That must be
resisted.
These kinds of open discussion may be like fighting with one hand tied behind your back. But
surely such is the price of freedom.
