Large-scale Spatiotemporal Characterization of Inconsistencies in the World's Largest Firewall

A nation-scale firewall, colloquially referred to as the "Great Firewall of China," implements many different types of censorship and content filtering to control China's Internet traffic. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been characterized because it is infeasible to find a large and geographically diverse set of clients in China from which to test connectivity. In this paper, we overcome this challenge by using hybrid idle scan techniques that are able to measure connectivity between a remote client and an arbitrary server, neither of which are under the control of the researcher performing measurements. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel's SYN backlog. We demonstrate both techniques by measuring the reachability of the Tor network which is known to be blocked in China. Our measurements reveal that 1) failures in the firewall occur throughout the entire country without any conspicuous geographical patterns, 2) a network block in China appears to have unfiltered access to parts of the Tor network, and 3) the filtering seems to be mostly centralized at the level of Internet exchange points. Our work also answers many other open questions about the Great Firewall's architecture and implementation.