Friday, January 9, 2015

GFW redirected visitors from blocked sites to porn

In the past, the Chinese authorities’ DNS poisoning system would direct Chinese internet users who were trying to access Facebook, Twitter and other blocked websites (without the use of a circumvention tool) to a set of fake IP addresses that are blocked in China or are non-existent. After waiting for some time, Chinese internet users would receive a timeout message if they were trying to access a blocked site.

However, with the new DNS poisoning system, in addition to those IP addresses used before, the Chinese authorities are using real IP addresses that actually host websites and are accessible in China. For example, https://support.dnspod.cn/Tools/tools/ shows that if a user tries to access Facebook from China, they might instead land on a random web page, e.g. http://178.62.75.99

Below is a screenshot taken by a Chinese user when he was trying to access our GreatFire.org website, which was blocked in China. He was redirected to a government site in Korea. In essence, the GFW is sending Chinese users to DDoS the Korean government's website.
One Chinese Internet user reported to us that when he tried to access Facebook in China, he was sent to a Russian website unrelated to Facebook. Another user tweeted that he was redirected to a German adult site when he tried to access a website for a VPN.

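A certain Wall, what is this supposed to mean? The DNS poisoning returned me the IP of a German porn site, the whole screen full of "very pornographic, very violent" pop-ups popping up (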
— nil (@xierch) January 4, 2015

The redirection to adult content is especially ironic. The authorities often cite the “protection of minors” as one reason to justify internet censorship. But in this example, users who are trying to access perfectly legal but blocked content instead are sent to illegal (in China) adult content websites.

This upgrade of the GFW effectively disabled many anti-DNS-poisoning tools. Previously, because the GFW used only a small set of fake IP addresses, these tools could easily discard the fake IP addresses and use the correct IP addresses to bypass any block. Now this is no longer possible, as legitimate IP addresses are used to poison other domains.
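The filtering approach described above, and why it stops working, as an added example that is not code from the original post or from any specific tool. All addresses are constructed values from documentation ranges, and the arrival order (forged reply first, genuine reply after) is an assumption of this sketch.

```python
import socket
import struct

# Constructed sample values (documentation address ranges), not real GFW data.
KNOWN_FAKE_IPS = {"192.0.2.1", "192.0.2.2"}  # small fixed set the old poisoner used
GENUINE_IP = "203.0.113.10"                   # answer from the real resolver
REUSED_REAL_IP = "198.51.100.77"              # unrelated live host, as in the new scheme

def build_response(txid, name, ip):
    """Build a minimal DNS response: one question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer

def skip_name(packet, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = packet[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_a_records(packet):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(packet, pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(packet, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(packet[pos:pos + 4]))
        pos += rdlen
    return ips

def resolve_with_blocklist(responses):
    """Drop answers containing a listed fake IP; accept the first that survives.
    Assumption: the forged reply arrives first and the genuine one follows."""
    for packet in responses:
        ips = parse_a_records(packet)
        if ips and not KNOWN_FAKE_IPS.intersection(ips):
            return ips[0]
    return None
```

With a forged answer from the fixed list, the filter skips it and returns the genuine address; with a forged answer pointing at an unlisted real host, the filter accepts the forgery because nothing distinguishes it from a valid reply.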

It is clear that the authorities treat the great firewall as a work-in-progress and are constantly tweaking and making changes to the censorship apparatus. I expect to see more changes in the coming months.
