Academics break the Great Firewall of China

Academics break the Great Firewall of China

Summary: University of Cambridge computer experts say they breached firewall but can use it to launch denial-of-service attacks.


Computer experts from the University of Cambridge claim not only to have breached the Great Firewall of China, but have found a way to use the firewall to launch denial-of-service attacks against specific Internet Protocol addresses in the country.

The firewall, which uses routers supplied by Cisco, works in part by inspecting Web traffic for certain keywords that the Chinese government wishes to censor, including political ideologies and groups it finds unacceptable.

The Cambridge research group tested the firewall by firing data packets containing the word "Falun" at it, a reference to the Falun Gong religious group, which is banned in China.

The researchers found that it was possible to circumvent the Chinese intrusion detection systems by ignoring the forged transmission control protocol resets injected by the Chinese routers, which would normally force the endpoints to abandon the connection.

"The machines in China allow data packets in and out, but send a burst of resets to shut connections if they spot particular keywords," explained Richard Clayton of the University of Cambridge computer laboratory. "If you drop all the reset packets at both ends of the connection, which is relatively trivial to do, the Web page is transferred just fine."

Clayton added that this means the Chinese firewall can be used to launch denial-of-service attacks against specific IP addresses within China, including those of the Chinese government itself.

The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a "sensitive" keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time.

If an attacker had identified the machines used by regional government offices, they could block access to Windows Update, or prevent Chinese embassies abroad from accessing specific Chinese Web content.

"Due to the design of the firewall, a single packet addressed from a high party official could block their Web access," said Clayton.

Even though this technique would block communication between only two particular points on the Internet, the researchers calculated that a lone attacker using a single dial-up connection could still generate a "reasonably effective" denial-of-service attack. If an attacker generated 100 triggering packets per second, and each packet caused 20 minutes of disruption, 120,000 pairs of endpoints could be prevented from communicating at any one time.

Clayton, speaking at the Sixth Workshop on Privacy Enhancing Technologies in Cambridge last week, said that the researchers had reported their findings to the Chinese Computer Emergency Response Team.

Topics: Networking, Data Management, Hardware, Mobility, Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • thank you big brothers
  • Cambridge boffins - why report the flaw back? are they getting back-handers from the chinese government?
  • What's the point reporting this back to chinese officials and supporting censorship? I thought we should fight for the freedom of information..
  • gee...thanks for helping the chinese.
  • better than helping the usa and their fascist war against everyone but themselves!
  • The news was so good, until that last paragraph.

    Still, we have TOR, elgooG,, and countless free proxies.
  • Don't just report or say it, DO IT!
  • Wonder if Dr. Clayton and Cisco think for a second about the people they've put into Chinese prisons?
  • So if the industry leader Cisco cant implement a proper "firewall" then see the rest of the world's internet security!!! be careful people!!
  • I'm from Spain and my isp blocks p2p (bittorent for example) and tor =( but now i use SmartHide free version. You can get it from
  • Academics break the Great Firewall of China

    you still can download free