TNC The Dark Side of China: The Government, Society and the Great Cannon

The main purpose of this research is to explain the censorship and attack technologies developed within the scope of the Golden Shield Project, the "Great Firewall" and the "Great Cannon", and to describe how these tools operate in China. The technology deployed in China is claimed to enhance public safety and nationwide cyber security; however, its censorship and surveillance have raised many legal, ethical and moral issues. The research also outlines the effects and technical issues of this deployment, highlights existing research trends in network security, and describes the current state of the Golden Shield Project and China's censorship policy.


Introduction
In the digital age, it is important to understand information technology, information security, and the challenges an interconnected world faces. The military capabilities of a country are usually underestimated or not fully understood by the population, partly because of the not always accurate perspective the media presents. Looking at the evolution of warfare, we see that not only military strategies have changed; the tools used to carry out a mission are evolving rapidly.
Future wars will not necessarily require opponents to meet face to face; instead, conflicts will increasingly be resolved in cyberspace.
In this report we discuss censorship and attack tools considered among the most powerful in current cyberspace, created by the People's Republic of China under the Golden Shield Project. China intends to use information warfare in the cyber realm. This is implemented by the "Blue Army", a unit that conducts both offensive and defensive cyber missions to protect China's infrastructure from foreign cyber threats. It is widely reported that China supposedly uses the public Internet and World Wide Web to exploit weaknesses of foreign countries including the United States, England, Canada, Australia, France, Japan, Taiwan, India, Pakistan, South Korea and Vietnam. It is also stated that Chinese actors allegedly intrude into other countries' networks via the Internet to exfiltrate data and consequently gain competitive economic advantages [2].
The following sections of the report describe the history of the Golden Shield Project, the mechanisms and tools designed for censorship and cyber security, the network technologies involved, their circumvention, and the cyber attacks launched from this infrastructure.

History of the Internet in China & Creation of Golden Shield Project
The use of the Internet in China began in 1987 with an email titled "Crossing the Great Wall to Join the World". Up until 1994, steps were taken to make the Internet available to the Chinese population. In September 1994, a Sino-American Internet agreement was signed by China Telecom and the U.S. Secretary of Commerce, under which China Telecom was to open two 64 kbit/s dedicated circuits in Beijing and Shanghai through the Sprint Corporation of the United States [3].
The initial steps to control Internet use were taken by the State Council in 1996. The first Internet censorship regulation, the "Temporary Regulation for the Management of Computer Information Network International Connection", stated that "No units or individuals are allowed to establish direct international connection by themselves" and "All direct linkage with the Internet must go through ChinaNet, GBNet, CERNET or CSTNET. A license is required for anyone to provide Internet access to users" [2]. In 1997, the Ministry of Public Security announced a number of policies for Internet users in China, which were approved by the State Council. Among them, any unit or individual is prohibited from using the Internet to create, replicate, retrieve or transmit information that incites resistance to or breaches of the Constitution, laws or administrative regulations; incites division of the country or hatred or discrimination among nationalities; distorts the truth, spreads rumors or destroys social order; or provides sexually suggestive material or encourages gambling, violence, murder, terrorism or other criminal activity. In 1998, the Chinese government started a project for blocking and filtering Internet content, although it was not implemented immediately. The project was named the "Golden Shield Project" and is widely known as the "Great Firewall of China" [2] [4]. It provides Internet censorship at the backbone and Internet provider level and aims to control the flow of information between the Internet in China and the global Internet. The initial planner and architect of the "Golden Shield" is known to be Fang Binxing, President of the Beijing University of Posts and Telecommunications. He stated that the creation of the project took five years and that it was launched in 2003. Another key figure in the "Golden Shield" project is Li Runsen, Head of the Commission of Science and Technology of the Ministry of Public Security of China and, since 1996, group leader and chief technical advisor of the Golden Shield Project. As Technology Director at the MPS, in 2002 he presented "Information Technology for China's Public Security" to a national audience of Chinese law enforcement at the four-day inaugural "Comprehensive Exhibition on Chinese Information System" in Beijing [2].
The Great Firewall denies access to sites containing specific keywords deemed threats to public security and safety by blocking IP addresses, TCP ports, HTTP requests and DNS requests [5]. Generally, firewalls are in-path devices positioned between networks, through which all traffic from one network to another must flow. Although the Chinese project is called the "Great Firewall", it largely operates as an on-path system that eavesdrops on traffic flowing between China and other countries. On-path systems are well suited to censorship and scale better, but they are less flexible than in-path systems as attack tools, because they cannot stop packets the server has already sent from reaching their destination; they can only inject additional packets [7] [8]. The Great Firewall observes connections and decides whether their packets should be blocked by reassembling the TCP stream, which gives better blocking accuracy but requires additional computational resources [7].
According to [13], the Intrusion Detection System (IDS) devices of the Great Firewall that perform keyword filtering are placed at the Autonomous System (AS) and router level. There are 24 border ASes, most of which belong to the backbone. The majority of internal ASes (87.0%) are within direct reach of the border (backbone) ASes. The best vantage points for efficient content filtering are the border/backbone ASes, since they serve as natural choke points, provided the IDS devices have enough capacity and the censors do not intend to monitor domestic traffic. Two Chinese ISPs, CHINANET and CNCGROUP, hold the majority (63.9%) of China's peerings with other countries and are the major filtering ISPs. They place their filtering devices differently: CHINANET, instead of filtering strictly along the border, offloads the burden to its provincial networks, while CNCGROUP keeps most of its filtering devices in the backbone rather than in the provincial networks, so that all of its filtering is done within very few hops into China's address space.

GOLDEN Shield Project and Great Firewall of China
The Great Firewall uses three types of content blocking technology: DNS poisoning, IP address blocking, and filtering of URLs and TCP packets for sensitive keywords via deep packet inspection [8][10].

IP blocking (packet dropping)
IP blocking is used when access to a certain IP address hosting potentially sensitive content should be denied [2]. The Great Firewall relies on null routing, i.e. dropping or ignoring packets rather than forwarding them, without informing the source that the data did not reach its intended recipient. The GFW peers with the gateway routers of all Internet Service Providers in China and diverts traffic to blocked websites by injecting routing information into BGP (Border Gateway Protocol), the routing protocol of the global Internet. In this way the Chinese government maintains the blacklist centrally through the GFW. Null routing adds no performance cost on the ISPs' gateway routers, and no special devices are needed to implement it [11]. However, this packet dropping scheme has two main problems: first, the list of IP addresses must be kept up to date; second, if several websites share a hosting server with a blacklisted website, all of the websites on that server are blocked [2] [16]. IP blocking is not difficult to circumvent: it can be done by setting up a proxy outside of China or by moving the website to another IP address [11].

DNS (Domain Name System) injection
DNS poisoning of responses for certain domains is one of the primary filtering methods of the Great Firewall of China. The GFW has a load-balanced architecture, in which on each physical link the reassembly and censorship is done by multiple parallel processes (Figure 1). It performs DNS-based censorship at China's borders using a blacklist of around 15,000 keywords. GFW nodes operate in clusters of several hundred processes, which inject censored responses at a rate of about 2,800 per second [9].
With DNS poisoning, the requested domain name is not resolved correctly; instead, an incorrect IP address is returned to the requester [2]. When a DNS request is sent from a user located in China for a domain outside the country, the GFW inspects the request and, if it finds patterns that match censored content, sends a forged DNS response to the requesting resolver. Because of its position in the network, the forged response reaches the resolver before the response of the legitimate DNS server. The resolver accepts the forged response and ignores the legitimate response that arrives later [9] [12]. Some studies of GFW DNS poisoning claim that if the first DNS response is ignored, the legitimate response can still be received [14]. Another study [12], on the contrary, found that despite the expectation that the DNS server would send the correct response after the GFW's forged one, this was not always the case: on many occasions both the "legitimate" and the forged DNS responses were incorrect. The GFW returns forged responses drawn from a small set of incorrect IP addresses, and the same addresses appear in responses that arrived through the legitimate path. These addresses are registered in different locations around the world without a clear pattern, and an attempt to connect to them receives no reply, which means either that no host is located at these addresses or that, if there is one, its responses are filtered by an outbound firewall or at the network interface. Thus even when a particular DNS request is not poisoned by the GFW in transit, the result may still be unavailable to the user: DNS servers inside China are themselves poisoned, which is why widely proposed methods of avoiding DNS poisoning, such as ignoring the first received DNS response or identifying and discarding poisoned responses [14], do not always work.
As a solution, users should configure their local DNS resolver to use DNS servers that are outside the influence of the GFW and are not poisoned [12]. The findings in [9] show that the main effect of the GFW's DNS poisoning is to corrupt the caches of DNS servers rather than to poison the individual requests of users.
Users outside of China can also be affected by the DNS poisoning mechanism of the Great Firewall. Collateral damage happens when DNS resolvers outside of China contact authoritative servers located in China or at the end of paths that transit China; that is, Chinese censorship is applied to non-Chinese requests as well [15].
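The injection race and the poisoned-resolver case described above, as an added worked example that is not part of the original paper and not code from any of the cited GFW studies: a minimal DNS wire-format builder and parser, a naive stub-resolver decision that trusts the first response, and a hold-on style selection routine that examines every response received during a wait window, discards those carrying an address from a pool of known injected answers, and refuses to guess when the survivors disagree. The pool, the transaction id, the domain and the arrival times are constructed; the addresses are RFC 5737 documentation ranges, not the GFW's real pool, which changes over time and must be measured.

```python
import ipaddress
import struct

# Constructed placeholder pool of addresses seen in injected responses
# (documentation addresses; the real pool must be measured and refreshed).
KNOWN_INJECTED = {"203.0.113.9", "198.51.100.77"}


def encode_name(name):
    """Encode a dotted domain name in DNS wire format (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, qname, addr, ttl=60):
    """Minimal DNS response: flags QR|RD|RA, one question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, class IN
    answer = (encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


def decode_name(buf, off):
    """Decode a wire-format name at `off`, following compression pointers."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                                       # pointer to earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(buf, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_a_records(buf):
    """Return (transaction id, [IPv4 answer addresses]) from a response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(buf, off)
        off += 4                                                   # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(buf[off:off + 4])))
        off += rdlen
    return txid, addrs


def first_response(responses, txid):
    """What an ordinary stub resolver does: accept whatever arrives first."""
    _arrival, pkt = min(responses)
    got_txid, addrs = parse_a_records(pkt)
    return addrs if got_txid == txid else None


def pick_answer(responses, txid, known_injected=KNOWN_INJECTED):
    """Hold-on selection over a list of (arrival_ms, packet) collected during
    a wait window: drop known injected answers, then only accept a result
    when all surviving responses agree."""
    kept = []
    for _arrival, pkt in sorted(responses):
        got_txid, addrs = parse_a_records(pkt)
        if got_txid != txid or not addrs:
            continue
        if any(a in known_injected for a in addrs):
            continue
        kept.append(addrs)
    if not kept:
        return None, "all responses poisoned"
    if len({tuple(a) for a in kept}) > 1:
        return None, "conflicting answers"
    return kept[0], "ok"


def sample_race():
    """Constructed exchange for txid 0x1234: the injected answer arrives at
    3 ms, the real answer over the longer authoritative path at 120 ms."""
    return [(3, build_a_response(0x1234, "example.org", "203.0.113.9")),
            (120, build_a_response(0x1234, "example.org", "192.0.2.10"))]


def sample_poisoned_resolver():
    """Constructed: both responses carry pool addresses, as when the
    upstream resolver's own cache has already been poisoned."""
    return [(3, build_a_response(0x1234, "example.org", "203.0.113.9")),
            (40, build_a_response(0x1234, "example.org", "198.51.100.77"))]


if __name__ == "__main__":
    print("first only:", first_response(sample_race(), 0x1234))
    print("hold-on   :", pick_answer(sample_race(), 0x1234))
    print("poisoned  :", pick_answer(sample_poisoned_resolver(), 0x1234))
```

`pick_answer` returns `None` for the poisoned-resolver case rather than guessing, which is the situation [12] describes: discarding the first response is not enough when the upstream server's cache is already wrong. The practical remedy remains a resolver outside the GFW's reach, and the injected-address pool used for filtering has to be refreshed from measurements rather than hard-coded.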

TCP Reset/Keyword blocking
The Great Firewall of China also blocks content by filtering URLs and TCP payloads. If a user requests a URL containing a banned keyword, or a web page that contains one, the GFW terminates the connection between the two endpoints [10]. The keyword-based blocking occurs within the routers that carry connections between China and the rest of the world [16]. Blocking is not done during the TCP connection establishment phase but after the first HTTP GET request: the request is allowed to proceed as normal, but the censoring router inspects it and sends spoofed TCP RST packets (Figure 3) [18]. After the resets are sent, further attempts by the same client to reach the same resource are blocked for a period of a few minutes to an hour by injecting additional reset packets. However, if both endpoints ignore the injected TCP resets, the resets have no effect on their TCP/IP stacks and the client can access the requested web page. The IDS may also add a discard rule to the main router rather than issuing resets. Another, occasionally observed strategy is for the GFW to send a forged SYN/ACK packet with a random, invalid sequence number to some pairs of endpoints. If the forged SYN/ACK reaches the client before the real one, the connection fails: the client records the incorrect sequence number from the misleading SYN/ACK and acknowledges it to the server, which treats the acknowledgement as invalid and responds with a reset, and the client closes the connection [16]. One circumvention method against keyword monitoring is to use HTTPS, which encrypts the content that could be blocked and makes the keywords unreadable within the packet. Another is to avoid placing keywords in the URL, so that they cannot be read in plain text.
For popular websites, the GFW blocks access to the entire site using the IP address blocking mechanism described above [10].
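The practical way to tell injected resets and forged SYN/ACKs apart from the server's own packets is the IP TTL: an on-path injector sits fewer hops from the client than the real server, so its forged packets arrive with a different remaining TTL. The following is an added example, not code from the paper or from any cited study. It models a captured flow as a list of segments and flags server-side packets whose TTL does not match the hop-count baseline learned from the server's data packets (or supplied from earlier healthy connections to the same server). Addresses, ports, sequence numbers, timestamps and TTL values are constructed.

```python
from collections import Counter, namedtuple

# One captured segment reduced to the fields the check needs. `flags` is a
# string of TCP flag letters (S, A, P, R, F); `ttl` is the IP TTL seen at
# the client; `payload` is the application data, if any.
Seg = namedtuple("Seg", "t src dst flags seq ack ttl payload")

CLIENT = "10.0.0.5"        # constructed addresses
SERVER = "192.0.2.80"


def server_ttl_baseline(segs, server):
    """Most common TTL on packets from the server that carry application
    data. Forged RST/SYN-ACK segments carry none, so they cannot skew it."""
    ttls = [s.ttl for s in segs if s.src == server and s.payload]
    return Counter(ttls).most_common(1)[0][0] if ttls else None


def find_injected(segs, server, server_ttl=None):
    """Return [(segment, reason)] for server-side packets that look forged.
    `server_ttl` may come from earlier connections; otherwise it is learned
    from this flow, and without any baseline only conflicts are reported."""
    base = server_ttl if server_ttl is not None else server_ttl_baseline(segs, server)
    findings = []
    synack_isns = set()
    for s in segs:
        if s.src != server:
            continue
        if "S" in s.flags and "A" in s.flags:
            synack_isns.add(s.seq)
            if base is not None:
                if s.ttl != base:
                    findings.append((s, f"SYN/ACK TTL {s.ttl} != baseline {base}"))
            elif len(synack_isns) > 1:
                findings.append((s, "conflicting SYN/ACK ISNs, no TTL baseline"))
        if "R" in s.flags:
            if base is None:
                findings.append((s, "RST with no TTL baseline to compare"))
            elif s.ttl != base:
                findings.append((s, f"RST TTL {s.ttl} != baseline {base}"))
    return findings


def sample_keyword_reset():
    """Constructed capture: the GET carrying a sensitive keyword is answered
    by two injected RSTs (TTL 115) before the real 200 OK (TTL 52)."""
    req = b"GET /?q=sensitive HTTP/1.1\r\nHost: example.org\r\n\r\n"
    return [
        Seg(0.000, CLIENT, SERVER, "S", 1000, 0, 64, b""),
        Seg(0.040, SERVER, CLIENT, "SA", 5000, 1001, 52, b""),
        Seg(0.041, CLIENT, SERVER, "A", 1001, 5001, 64, b""),
        Seg(0.042, CLIENT, SERVER, "PA", 1001, 5001, 64, req),
        Seg(0.050, SERVER, CLIENT, "RA", 5001, 1001 + len(req), 115, b""),
        Seg(0.051, SERVER, CLIENT, "RA", 5001, 1001 + len(req), 115, b""),
        Seg(0.090, SERVER, CLIENT, "PA", 5001, 1001 + len(req), 52, b"HTTP/1.1 200 OK\r\n\r\n"),
    ]


def sample_fake_synack():
    """Constructed capture: a forged SYN/ACK with a random ISN beats the real
    one; the client ACKs the wrong ISN and the real server answers with RST."""
    return [
        Seg(0.000, CLIENT, SERVER, "S", 2000, 0, 64, b""),
        Seg(0.010, SERVER, CLIENT, "SA", 777777, 2001, 115, b""),   # forged
        Seg(0.011, CLIENT, SERVER, "A", 2001, 777778, 64, b""),
        Seg(0.040, SERVER, CLIENT, "SA", 9000, 2001, 52, b""),      # real
        Seg(0.080, SERVER, CLIENT, "R", 777778, 0, 52, b""),        # real server rejects bad ACK
    ]


if __name__ == "__main__":
    for s, why in find_injected(sample_keyword_reset(), SERVER):
        print(f"{s.t:.3f} {s.flags:3} {why}")
    for s, why in find_injected(sample_fake_synack(), SERVER, server_ttl=52):
        print(f"{s.t:.3f} {s.flags:3} {why}")
```

On the forged SYN/ACK capture the detector can only name the forged segment when it already knows the server's TTL; with no baseline it reports the conflicting ISNs and the reset but cannot say which SYN/ACK was genuine. The circumvention mentioned in the text, ignoring injected resets, is usually done by dropping inbound RST segments on both endpoints (on Linux, for example, `iptables -I INPUT -p tcp --tcp-flags RST RST -j DROP`); the cost is that legitimate resets are discarded too, so connections to closed ports or crashed peers hang until they time out.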

Circumvention methods
There are around 688 million Internet users in China [22], 1-3% of whom (approximately 20 million) regularly access the open Internet by circumventing the Great Firewall [23]. The main anti-censorship tools used within China are proxy servers, VPN (virtual private network) services and Tor.
Proxy servers. Bypassing the GFW with proxy servers requires finding proxy nodes and encrypting the traffic to them. Proxy servers operate through browsers, connecting a Chinese user's machine to a server located outside the country and masking the user's IP address with the server's [10]. Popular free proxy services used in China are FreeGate, Ultrasurf and Psiphon (version 3). They depend on a range of proxy servers outside China and encrypt all HTTP traffic in SSL (Secure Sockets Layer) tunnels to these servers. Using a proxy usually costs the user nothing; however, a VPN provides better performance, at least in terms of speed and stability [11].
VPN services. VPN and Secure Shell (SSH) services are considered the most powerful and stable tools for bypassing censorship. They work similarly to proxy servers but depend on a virtual private host or an account outside China.
Users connect their computers to the VPN, which encrypts their requests and sends them to a foreign server, which then makes the actual request. The request bypasses the firewall because it is encrypted [10]: a private encrypted channel, opaque to the GFW, connects the user to a server outside of China. VPN services are usually not free and require technical expertise to configure. Popular commercial or public VPN services are often blocked by IP address and/or by "vpn." domain names such as vpn.com, vpn.net, vpn.org and vpn.info [11].
Tor. Tor is a well-known anonymous communication and circumvention tool against Internet censorship. It achieves anonymity by re-routing traffic through a series of proxy servers. Its encrypted, TLS-based protocol and thousands of relays make Tor an effective tool for bypassing the blocking and surveillance of the GFW [24]. To create a private network pathway with Tor, a client builds a circuit of relays (encrypted connections through proxy nodes) on the Tor network. The pathway is built incrementally, one hop at a time, so each relay along the way knows only the nodes one hop before and after it. A separate set of encryption keys is used for each hop along the circuit, except for the last hop to the destination server [25]. However, the public list of relays is Tor's biggest weakness: Chinese censors download the list and add each IP address to the blacklist. In response to the blocking of its relays, the operators of the Tor network began to reserve a portion of new relays as secret, non-public "bridges" [26].

Active probing
The operators of the Chinese censorship infrastructure continue to develop methods to detect and block circumvention tools. Encrypted traffic is harder to analyze: deep packet inspection cannot see what is inside it and therefore cannot decide whether it should be blocked. During deep packet inspection the operators can still look at the particular setup of a TLS connection, such as the port number, the cipher suites, handshake parameters or flow characteristics, but this information is usually not enough to be sure that the connection is something that needs to be blocked. To reduce this uncertainty and the resulting collateral damage, and in response to improved circumvention systems, the GFW's censors began to use a method called "active probing". It works by passively monitoring the network for suspicious traffic, then actively probing the corresponding servers and blocking any that are determined to run circumvention servers such as Tor (Figure 4). Once a connection between a client in China and a server in a foreign country is established, the Great Firewall first examines the TLS handshake; if it considers the connection suspicious, it launches a probe that connects to the same foreign server and tries to speak the protocol it suspects (e.g. Tor).
If the GFW's guess was wrong, the foreign server terminates the connection; if it was right, the server answers with a protocol handshake, and the GFW can be sure the connection is undesirable and block it. This is a two-stage inspection: in the first stage deep packet inspection is performed on a large volume of traffic and the suspicious portion is selected; in the second stage, active probing is used to determine what that portion of traffic really is. The system can detect the servers of at least five circumvention protocols, is upgraded regularly, and operates in real time.
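The two-stage pipeline above, as an added illustration that is not part of the original paper: a stage-1 DPI heuristic over the first client message, a stage-2 probe that tries to speak the suspected protocol to the server, and two server designs, one that answers anyone who sends the protocol greeting and one that answers only a client proving knowledge of a secret shared out of band and refuses replays of a message it has already accepted. The greeting string, the handshake format and the secret are constructed; this is a toy protocol, not Tor's handshake or any real pluggable transport, and the entropy threshold only marks where passive selection happens.

```python
import hashlib
import hmac
import math
import os
import time

PROTO_GREETING = b"CIRCUMVENT/1 HELLO"     # constructed plaintext greeting of the toy protocol


def entropy(data):
    """Shannon entropy in bits per byte; random-looking payloads score high."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def stage1_suspicious(first_client_msg):
    """Stage 1 (passive DPI): select a flow whose first client message is a
    known greeting or an unrecognized high-entropy blob."""
    if first_client_msg.startswith(PROTO_GREETING):
        return True
    return len(first_client_msg) >= 32 and entropy(first_client_msg) > 4.5


class NaiveServer:
    """Answers the protocol greeting to anyone who sends it."""
    def handle(self, msg):
        return b"CIRCUMVENT/1 WELCOME" if msg.startswith(PROTO_GREETING) else None


class AuthenticatedServer:
    """Answers only a client that proves knowledge of the shared secret.
    First message: nonce(16) || HMAC-SHA256(secret, nonce || minute). The
    minute binds the tag to a time window; the nonce set refuses replays."""
    def __init__(self, secret, now=time.time):
        self.secret, self.now, self.seen = secret, now, set()

    def handle(self, msg):
        if len(msg) != 48:
            return None
        nonce, tag = msg[:16], msg[16:]
        if nonce in self.seen:
            return None                                   # replay of an observed hello
        minute = int(self.now() // 60)
        for m in (minute, minute - 1):                    # tolerate one minute of skew
            expected = hmac.new(self.secret, nonce + m.to_bytes(8, "big"), hashlib.sha256).digest()
            if hmac.compare_digest(tag, expected):
                self.seen.add(nonce)
                return b"OK"
        return None                                       # silent close, like an unknown protocol


def client_hello(secret, now=time.time):
    nonce = os.urandom(16)
    minute = int(now() // 60).to_bytes(8, "big")
    return nonce + hmac.new(secret, nonce + minute, hashlib.sha256).digest()


def stage2_probe(server, observed_first_msg):
    """Stage 2 (active probe): try the canonical greeting, then replay the
    exact bytes seen on the wire. True means the server revealed itself."""
    for attempt in (PROTO_GREETING, observed_first_msg):
        if server.handle(attempt) is not None:
            return True
    return False


def censor_pipeline(server, observed_first_msg):
    """'blocked' only when both stages fire."""
    if not stage1_suspicious(observed_first_msg):
        return "allowed"
    return "blocked" if stage2_probe(server, observed_first_msg) else "allowed"


def demo(secret=b"constructed-shared-bridge-secret"):
    naive, auth = NaiveServer(), AuthenticatedServer(secret)
    hello = client_hello(secret)                          # genuine client talks first
    genuine_ok = auth.handle(hello) == b"OK"              # ... and is accepted
    return {
        "genuine_client": genuine_ok,                     # the censor then observes `hello` and probes
        "naive": censor_pipeline(naive, PROTO_GREETING + b" v=1"),
        "authenticated": censor_pipeline(auth, hello),
    }


if __name__ == "__main__":
    print(demo())
```

The authenticated server has the property that probe-resistant transports rely on: the prober lacks the secret and can only replay what it saw, so it receives silence either way and cannot distinguish a bridge from a server that merely closes unknown connections. Stage 1 still selects the flow (the hello is high-entropy), which is why real transports also work on looking like something innocuous; stage 2 is what decides whether the server is blocked.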

Great Cannon
In March 2015, two services designed to circumvent Chinese censorship, GreatFire.org and two GitHub pages run by GreatFire.org, were hit by a Distributed Denial of Service (DDoS) attack that sent 2.6 billion requests per hour at its peak [21] [19]. The mechanism behind it allowed the attackers to manipulate a portion of legitimate traffic from inside and outside China to launch and steer denial of service attacks against the anti-censorship project [20]. It was later reported that the attack traffic was generated by malicious JavaScript returned from Baidu servers. This event showed that the Golden Shield Project has evolved from merely blocking foreign content from entering the country to attacking foreign websites. The offensive system is called the "Great Cannon" (GC) and is considered separate from the Great Firewall, with a different design and capabilities. This distinct attack tool hijacks traffic to (or presumably from) individual IP addresses and can, on a probabilistic basis, replace unencrypted content as a man-in-the-middle. The Great Cannon uses the traffic of systems outside of China, injecting malicious scripts into users' browsers, to create a massive DDoS attack. Observations show that the design of the Great Cannon is not well suited to traffic censorship compared with the mechanisms used by the Great Firewall; that is, it cannot censor any traffic not already censorable by the GFW. This indicates that the role of the GC is to inject traffic under specific targeted circumstances, not to censor traffic. However, the Great Cannon and the Great Firewall share some features, such as the same specific TTL side channel, and they may share some common code (Figure 3). The Great Cannon acts on traffic on the same links as the Great Firewall, which is evidence that the GC is co-located with the GFW.
However, the GC's content analysis is more primitive and easier to manipulate, but it offers large performance advantages because it does not need to deal with complex state about connection status and packet reassembly, as the GFW does. The Great Cannon identifies the target's IP address and a suitable exploit. When deciding whether to inject a reply, unlike the GFW, it examines only the first data packet of a connection. It uses a flow cache (with a capacity of up to 16,000 entries per sending IP address) to remember recent connections it has decided no longer require examination. The GC is then tasked to intercept traffic from the target's IP address and replace certain responses with malicious content. Figure 4 shows the decision flow of the Great Cannon. Any user who has ever made a single unencrypted request to a server inside China is a potential target for the GC's malicious code. Users of websites located outside of China that load resources from Chinese servers would not even realize that their computers were communicating with Chinese servers and were targets. The Great Cannon has been noted to have capabilities similar to the NSA's QUANTUM system. The DDoS attacks launched by the GC so far align with the political concerns of the Chinese government: the attacked websites, GreatFire and GitHub, provided services, such as proxies, and technologies for users to circumvent Chinese government censorship [19]. The Great Cannon is a big shift in the tactics of the Chinese government. The reasons for deploying the GC have not been stated explicitly; however, analyzing the attack on the GreatFire website, we can say that the Chinese government's aims were both to try to block the operation of an undesirable resource and to show other organizations that the consequences can be costly.
Yet we do not know the full power of the Great Cannon, so the way China decides to use this tool is unpredictable, and future attacks could reach the scale of an entire country. What has been seen from the attacks already carried out should be a warning to countries without advanced cyber security mechanisms to take serious action to improve their position in cyberspace.
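The decision flow described above, as an added model that is neither the Great Cannon's code nor taken from the cited analysis: an in-path injector that examines only the first data packet of each flow, caches its verdict per flow in a bounded least-recently-used table, and substitutes its own reply when the request line matches a target. The target pattern, the flow keys, the small cache sizes used in the demo and the injected response are constructed; the 16,000-entry default is the figure quoted in the text, and `inject_every` stands in for the probabilistic injection the text mentions.

```python
import re
from collections import OrderedDict

# Constructed stand-in for the injected reply; the real attack returned a
# script that made the victim's browser hammer the targeted sites.
INJECTED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
                     b"/* constructed placeholder script */")


class FirstPacketInjector:
    """In-path injector with first-packet-only inspection and an LRU flow
    cache. A flow key is (client ip, client port, server ip, server port)."""

    def __init__(self, target_patterns, cache_size=16000, inject_every=1):
        self.targets = [re.compile(p) for p in target_patterns]
        self.cache = OrderedDict()          # flow key -> "inject" or "pass"
        self.cache_size = cache_size
        self.inject_every = inject_every    # 1 = always; N = inject on every Nth matching flow
        self.hits = 0

    def _remember(self, flow, verdict):
        self.cache[flow] = verdict
        self.cache.move_to_end(flow)
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # evict the least recently seen flow

    def on_client_packet(self, flow, payload):
        """Return ('forward', payload) or ('inject', response) for one
        client-to-server data packet."""
        if flow in self.cache:              # already judged: no content check at all
            self.cache.move_to_end(flow)
            return ("forward", payload)
        request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
        if any(t.search(request_line) for t in self.targets):
            self.hits += 1
            if self.hits % self.inject_every == 0:
                self._remember(flow, "inject")
                return ("inject", INJECTED_RESPONSE)
        self._remember(flow, "pass")
        return ("forward", payload)


def demo():
    """Three consequences of the design, with cache_size=2 so eviction is
    visible: a whole request in one packet is hit; a request split across
    two segments is never matched; a flow re-appears for inspection only
    after other flows have evicted it."""
    inj = FirstPacketInjector([r"^GET /analytics/hm\.js"], cache_size=2)
    srv = "192.0.2.30"
    full = b"GET /analytics/hm.js HTTP/1.1\r\nHost: example.cn\r\n\r\n"
    f1, f2, f3, f4 = [("198.51.100.10", 40000 + i, srv, 80) for i in range(1, 5)]
    out = [inj.on_client_packet(f1, full)[0]]
    out.append(inj.on_client_packet(f2, b"GET /analy")[0])                  # first segment of a split request
    out.append(inj.on_client_packet(f2, b"tics/hm.js HTTP/1.1\r\n\r\n")[0])  # rest: flow already judged
    for f in (f3, f4):                                                      # unrelated flows push f2 out
        inj.on_client_packet(f, b"GET / HTTP/1.1\r\n\r\n")
    out.append(inj.on_client_packet(f2, full)[0])                           # f2 is examined again
    return out


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the first-packet-only design: a request whose target path straddles two segments is never matched, and a flow judged once is not re-examined until its cache entry is evicted. The injector can only act on plaintext HTTP; a response carried over TLS cannot be swapped this way, which is why sites embedding third-party scripts should load them over HTTPS and, where possible, pin them with Subresource Integrity.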
Societies face many challenges due to governmental limitations and protection-based restrictions. Strict regulations lead to public distrust of government services, and virtualization becomes necessary. However, some countries have exaggerated the meaning of security and public safety through their censorship policies [25][26].
Researchers have focused on developing a variety of technologies to provide secure communication environments [27][28][29][30][31][32][33]. These security proposals aim to reach maximum security without leading to conflict or censorship while providing a secure communication environment for the public. Both organizations and governments spend effort on spreading and deploying these emerging technologies to provide a secure environment and to protect user and customer data [34][35][36][37][38][39][40].
Providing countrywide security is a serious issue that requires a lightweight communication infrastructure, scalability and flexible fault-tolerant systems. The mechanism deployed in China focuses on censoring by detecting anomalies in the existing communication infrastructure and applying restriction policies [35][36][37][38][39][40][41][42][43][44][45][46]. These technologies serve to enhance the government's supremacy over the public through the modification and restriction of the communication infrastructure.
As described above, blockchains have the potential to revolutionize the world of technology and communication. At the very least, they are very likely to disrupt the financial industry and turn it on its head. The technology also has the potential to disrupt other markets such as the entertainment industry, the energy industry and even electoral processes. A group of researchers has described how the blockchain can cause disintermediation in the entertainment industry [31]. Essentially, artists would be able to earn more because they could sell their content directly to consumers using smart contracts. The various levels of middlemen would be eliminated, and artists would be able to regulate content consumption and sale via smart contracts, that is, programmable bits on a blockchain. In the energy sector, a scenario is described in which independent generators of renewable energy, such as solar, sell energy to one another via blockchains [30]. Large utility firms across the world are taking note of the trend, and quite a few in countries such as Austria and Germany have started experimenting with blockchain technology. A comparison of the applications of blockchain technology in the financial services, entertainment and utilities industries reveals a clear theme: disintermediation. The decentralized, distributed, transparent, programmable and anonymous nature of the blockchain is a death knell for middlemen. Smart and proactive companies are taking note and embracing the technology in a bid to remain relevant.

Conclusion
Since the beginning of the Golden Shield Project in 1998, many improvements have been made to both its censorship mechanisms and its attack tools. The censorship mechanisms implemented under the Golden Shield Project have both advantages and disadvantages and can be considered from several perspectives: the Chinese government, businesses, and ordinary users (both within China and outside it). The Golden Shield Project was implemented with the approval of the Chinese government; consequently, it was designed to benefit the government first. Having a censorship mechanism as powerful as the Great Firewall and an attack tool such as the Great Cannon gives China significant political, social and economic advantages over other nations. The government controls the flow of information into the country, so the population learns about the country's and the world's concerns and problems in the way the government prefers. Because China has its own search engines, social networks and mail services, the government has access to the private information of Chinese Internet users, which gives it an opportunity to control the population and to use them as a resource for operations in cyberspace against foreign businesses or countries. The disadvantage of such strict censorship is the dissatisfaction of a population whose human rights and freedom of speech are violated. For businesses in China, a major advantage is protection from Western influence and competition, against which it would be more difficult to succeed. Censorship is disadvantageous for international businesses, as it makes communication with other countries more difficult when reaching out to potential consumers, suppliers or services, and thus reduces the profit these companies could have made.
Advantages of censorship for users of the Chinese Internet include a safer environment, through the blocking of offensive material on racist and pornographic websites, and a reduction in Internet crime. The major disadvantage is an obvious violation of human rights: it prevents people from sharing their opinions, especially on topics such as religion and politics. Users in foreign countries are affected by the collateral damage caused by the Great Firewall's censorship mechanisms.