Readit NewsDeleted Comment
There are special virtual SIM cards that provide access to services from mainland China, as well as VPNs that function normally without issues. I used both while I was in China.
If I understand right, a good next step would would be with eBPF or some type of proxy ignore the forged RST+ACK at the beginning.
Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
See <Ignoring the Great Firewall of China> in 2006. That won't work if RST/ACK was injected to both sides.
> Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
This is an interesting approach already being utilized, namely TCB desync. But currently most people tend to buy VPN/proxy services rather than studying this.
If you think this is bad...
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed in the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Nginxia it's NWCD
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shutdown cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shutdown any website they want.
But yeah, they can shutdown anything unless proxy server is widely used. as <Nearly 90% of Iranians now use a VPN to bypass internet censorship>.
Unknown. I haven't seen any injected fake DNS or reset packets so far to domestic hosts. But there are rumors that Google's servers in Beijing (AS24424) was once black holed.
> Is GFW a central hub for all traffic between all hosts?
It's supposed to has centralized management system, but not a single hub.
> Or between residential ASNs and commercial ones only?
Yes, the injecting devices are deployed in IXPs, the AS borders. See <Internet censorship in China: Where does the filtering occur?>.
> In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting.
I believe Iran has more centralized system like China controlled by Tehran.
> Maybe internal traffic is just all banned?
No, internal HTTPS traffic is not banned in that hour.
With one violation, it lost 3334 tokens.
Elon's Wikipedia article from its top to the end of Starlink section counts as 3088 tokens: https://en.wikipedia.org/w/index.php?title=Elon_Musk&oldid=1...