China tried to upgrade the Great Firewall but may have left it vulnerable to attack


  • Researchers have identified vulnerabilities in China's Great Firewall
  • The firewall attempts to block QUIC connections
  • Blocking attempts leave the state exposed

Upgrades to China’s Great Firewall (GFW) have not gone as planned, and the resulting ‘critical flaw’ reduces the effectiveness of the firewall in moderating traffic loads, researchers have found. Attempts by China to censor a specific type of internet traffic in the country have left the state at risk and vulnerable to attack:

‘We [..] demonstrate that this censorship mechanism can be weaponized to block UDP traffic between arbitrary hosts in China and the rest of the world. We collaborate with various open-source communities to integrate circumvention strategies into Mozilla Firefox, the quic-go library, and all major QUIC-based circumvention tools.’

The paper was written by researchers from activist group Great Firewall Report, as well as Stanford University, University of Massachusetts Amherst, and the University of Colorado Boulder - and is titled ‘Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China’.

Internet censorship

The vulnerabilities stem from China’s attempts to block Quick UDP Internet Connections (QUIC), a transport layer network protocol designed to replace Transmission Control Protocol (TCP) because of its built-in security, flexibility, and fewer performance issues.

QUIC was invented by workers at Google back in 2012, and at least 10% of sites use the protocol - with many Google and Meta sites included. Both of these organizations are blocked by the GFW, so blocking QUIC connections seems to be an extension of this, although researchers note that not all QUIC traffic is blocked successfully.

The mechanism used to block QUIC connections is vulnerable to attacks that could cut off access from within China to all open or root DNS resolvers outside the country, resulting in widespread DNS failures:

“Defending against this attack while still censoring is difficult due to the stateless nature and ease of spoofing UDP packets,” the paper explains. “Careful engineering will be needed to allow censors to apply targeted blocks in QUIC, while simultaneously preventing availability attacks.”

Via: The Register

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
