Censorship platform is distorting some internet lookups, researchers warn

Research: Hundreds of high-traffic web domains vulnerable to same-site attacks

China’s notorious website-blocking technology is impacting the global DNS system as well as restricting access to content locally, according to a comprehensive analysis of the technology.

China’s DNS-based internet filtering apparatus – popularly known as the ‘Great Firewall’ – was observed for nine months by Citizen Lab-affiliated computer scientists using GFWatch, a platform capable of testing hundreds of domains a day.

The platform, which enabled continuous monitoring of the Great Firewall’s filtering behavior detected that a total of 311,000 domains were being censored.


ANALYSIS Behind the Great Firewall: Chinese cyber-espionage adapts to post-Covid world with stealthier attacks


After reverse engineering these domains, members of the nine-person team discovered that 41,000 “innocuous” domains had been blocked.

“We also observe bogus IPv6 and globally routable IPv4 addresses injected by the [Great Firewall], including addresses owned by US companies, such as Facebook, Dropbox, and Twitter,” the researchers report.

This “abusive design” could lead to DDoS attacks on specific IPs, the researchers warn.

Polluted caches

The study – conducted by researchers from Stony Brook University, New York; University of Massachusetts, Amherst; and University of California, Berkeley – uncovered evidence that the Great Firewall is interfering with the smooth running of the internet.

“We found 77,000 censored domains with DNS resource records polluted in popular public DNS resolvers, such as Google and Cloudflare,” according to the researchers.

The impact of polluted DNS caches is that people outside China who use these public DNS services will accidentally obtain forged DNS records, preventing from accessing the actual websites even though both the client and website are not located inside China.


Read more of the latest security news from Asia


Although China’s filtering system is tainting the well of global DNS resolution, the researchers suggest it is possible to “sanitize poisoned DNS records from the cache of public DNS resolvers”.

During a related I2P censorship study, one of the researchers found that a client in South Korea was unable to access https://geti2p.net because of the GFW’s bi-directional DNS censorship.

“In order to sanitize the polluted records from public DNS resolvers, the operators of these resolvers can simply verify DNS records against the pool of fake IPs used by the GFW that we have discovered here,” they advise.

Usenix presentation

A paper (PDF) on the research, entitled “How Great is the Great Firewall? Measuring China’s DNS Censorship”, is due to be presented this week during the 30th Usenix Security Symposium.

Nguyen Phong Hoang, a computer scientist at Stony Brook University, New York, and lead author of the paper, told The Daily Swig that “DNS is the main mechanism and plays an important role in [China’s] internet censorship because almost every online communication/activity nowadays starts with a DNS lookup.”

“While circumventing DNS censorship is not super difficult, it is still effective at preventing the vast majority of ordinary internet users in China from accessing contents that are deemed as ‘unwanted’ by the [Chinese] government,” Nguyen said.

By monitoring the behavior of the Great Firewall, the researchers have been able to identify themes and trends for sites that end up on the blocklist.

Nguyen explained: “Since the launch of our measurement platform, we have spotted several blockages that coincide with political events and informed the public in a timely fashion about these blocking cases and how they reflect Beijing’s policy.”


RELATED Research roadblock: Security pros weigh in on China’s new vulnerability disclosure law