Archive for the ‘gfw’ Category

West Chamber Project (西厢计划): Mac OS X port

October 29, 2011

Recently I have been following kernet (link: https://github.com/ccp0101/kernet), a port of the West Chamber Project to Mac OS X. Technically, kernet does more than the original West Chamber Project, and its usability is greatly improved.

Recently I made a stable build, mainly improving stability and adding support for more sites. Since my personal blog has many posts on related topics, I am publishing it here. If there are further updates, I will announce them first on my twitter (link: https://twitter.com/#!/liruqi).

Download page: https://github.com/liruqi/kernet/downloads

System requirements: 64-bit Lion. Older versions are untested. It probably will not run on 32-bit systems, but building and packaging it yourself from the source code (link: https://github.com/liruqi/kernet/tree/stable) with Xcode is not hard.

Compared with the previous, unreliable release (link: http://www.v2ex.com/t/18488):
1. Went back to the working master version as the base for the changes.
2. Supports more sites. The manually added site is *.wordpress.com. Here is a list of sites added by running a script: https://github.com/liruqi/kernet/blob/stable/Scripts/reset.txt

To be clear once more: I cannot guarantee that, even after a correct installation, you will be able to reach every site on the list. See this summary (link: http://gfwrev.blogspot.com/2010/03/gfw.html).

PS1: While packaging kernet recently, I also did some interesting statistics on the GFW. (The statistics are based on gfwlist.txt; the results are incomplete and imprecise, but the accuracy should be above 50%. You can also run the scripts in my stable branch to test for yourself.)
a) Already unblocked: http://t.cn/ShP1ya
b) Server shut down or IP blocked: http://t.cn/ShP1yC
c) Still being reset today: http://t.cn/ShP1yj
d) Failing for unclear reasons: https://raw.github.com/liruqi/kernet/stable/Scripts/wtf.txt

PS2: Some bad news. Domain blocking and IP blocking have gradually started recently. A network whitelist regime has probably entered the implementation phase.
a) Domain blocking means no more DNS cache poisoning. With DNS cache poisoning, the dns-query is answered first by the GFW, but the correct reply can still be obtained afterwards; with domain blocking, the packet is simply dropped (currently not every ISP shows this behaviour). This kind of blocking has probably only appeared recently.
b) IP blocking is most visible with tumblr.

Categories: gfw

West Chamber Season 3 – a new way to bypass the Great Firewall

July 30, 2011

(I don’t quite trust wordpress.com, so I edit this post in Google Docs, and it is open for anyone to edit. I am not used to writing in English; if you find mistakes, please correct them for me in Google Docs. I may update here periodically based on the Google Docs version.)

Everyone knows that people in mainland China have trouble accessing the international internet, e.g. Facebook, Twitter, and many services provided by Google. Here I provide a new way to remove the threat of “connection reset”, without a proxy server, and for free.

The Great Firewall of China

Normally, we illustrate the Great Firewall (GFW) with the Great Wall of China:

But technically, the GFW does not simply work like a wall. The commonly used technical methods are IP blocking, DNS cache poisoning, and connection reset (ref Wikipedia, Great Firewall of China). Connection reset is now the most important of these.

Technical details of connection reset

Why connection reset? For web sites, IPs may change while domains normally do not, so maintaining a list of IPs for each domain is a big overhead; and DNS cache poisoning can be bypassed by editing the hosts file for local name resolution. Connection reset is, in a way, an elegant method for blocking unwelcome sites (unwelcome to the Chinese government, of course).

When the GFW detects sensitive words in a site’s URL or content, it sends reset packets to both the client and the web server, so both give up the connection, and “Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.” appears in your Chrome browser. This works by cheating, not by blocking.

The scholarzhang project

There is nearly no way to bypass the GFW without proxy servers (strictly speaking, bypassing via a p2p network is also implemented with proxies; the difference is that any node in the p2p network may be the server, so the server is not fixed). Servers cost money, and someone has to pay for them.
Scholarzhang is a great attempt to build a tool that bypasses the GFW directly, without an intermediate server. It tries to save the connection before the reset packet is sent by the GFW. The theory is sophisticated, and it meets many restrictions (ref README; I wish someone could translate it to English). Now, the tools provided by scholarzhang hardly work anymore.

West chamber season 3

This project is mainly inspired by and inherited from scholarzhang. The theory is simple: drop the cheating packets sent by the GFW on both sides, server and client. Currently I have a working prototype. If you are in mainland China, you should not be able to visit liruqi.me directly. But if you install the client following this install guide, you should be able to.

But I need help:

  1. Spread and promote this project. It needs the client and the web server to cooperate; without either side, it will not work. Especially if you can directly contact the webmaster or system administrator of a blocked site, persuade him/her to do this! It will bring them lots of Chinese users.
  2. Find more specific rules of the GFW. Currently, on the server, I simply drop reset packets from China; on the client, I simply drop reset packets from China. I wonder how risky this is. I wish to reduce the negative impact to a minimum.
  3. More testing and improvement of the Windows client.

Besides, anyone interested in this project, mail me! Tell me what you can do; documentation, translation, web site building and development are all welcome. I cannot finish them all by myself anyway 🙂. Also, contact me if there is any chance for me to go abroad to work or study on anti-GFW, as this is my interest. I also love to “make the world a more open place”, but in a different way from Mark Zuckerberg, you know.

Categories: 翻墙 (circumvention), gfw

West Chamber Project Season 3 (西厢计划第三季) – Ignore the Great Firewall

July 22, 2011

Google Docs link for this post: https://docs.google.com/document/d/1-PurF8_pJoLVJ7IqMfy5pdATjzR1_B5gqSlc2B5VPcY/edit?hl=en_US

Last updated: July 27, 2011

This post is inspired by http://obmem.info/?p=615

By ‘ignore’ instead of ‘bypass’, we mean working without an intermediate server. scholarzhang is a great attempt, but currently it hardly works. scholarzhang contains three parts: zhang (client-side connection obfuscation), cui (server-side connection obfuscation), and gfw (drops GFW DNS hijacking packets) (ref 项目计划, the project plan). On the client, we need to run zhang & gfw. The difficult part is that the GFW sends RST packets to both ends, client & server, and Mr. Zhang tries to save and reuse the connection after the server has received the RST packet (ref); I guess CUI tries to do something similar. The limitations are summarized in 项目计划:

“First, as developers, we should dispel any illusions about this project and look squarely at its weaknesses. The weaknesses of West Chamber are described fairly clearly in the limitations section of README.wiki; there are mainly two kinds of problem: instability and fragility. Instability may cause connection failures during use; fragility means that after the GFW upgrades, West Chamber stops working unless it is upgraded too. The instability comes from the fact that what Zhang and Cui actually do is repair the damage done by the GFW through protocol hacking, which requires the ideal conditions specified by the RFCs, so the principle itself is unstable; and the GFW fingerprints and vulnerability mechanisms that West Chamber’s principle relies on are volatile and need timely updates. Therefore, ‘there is no silver bullet’, and West Chamber is not a silver bullet against the GFW either. I saw Radio Free Asia’s report exaggerating it; I think what developers should be paying attention to are the bugs.”

However, if Miss Cui makes a move to help Zhang, the task becomes much easier. In fact, Ignoring the Great Firewall of China and 西厢计划原理小解 both mention a way to ignore the GFW: just ignore and drop the RST packets sent by the GFW.

“Everyone knows that the essence of a connection being reset is receiving a TCP Reset packet that destroys the connection. Someone at Cambridge University experimented with this before: if both client and server ignore Reset, communication proceeds unaffected. But this method is really only of theoretical value, because the vast majority of servers cannot possibly ignore Reset (on Linux, for instance, it requires root privileges to configure iptables, and it also ignores legitimate Resets).”

In the setup and teardown of a normal TCP connection, Reset is never needed. Dropping Resets outright on the client generally causes no problems; at least normal browsing works. Doing the same on the server may cost some resources, since connections the peer has already abandoned linger until they time out. But this approach is clearly more effective than the original West Chamber Project.

Specific steps

Run the following as root on both the client and the server:
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
If you use FreeBSD’s ipfw, use this command instead:
ipfw add 1000 drop tcp from any to me tcpflags rst in
If the client runs Windows, try the Windows client from the West Chamber project.

In addition, the client can also drop the disruptive ack+rst packets sent by the GFW; see the note in the latest update:
iptables -A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -j DROP

A new project, West Chamber Season 3, has been created on Google Code. Future updates will be posted there. For more detailed instructions, see the project wiki.

Limitations

1. It cannot cope with IP blocking. If even pinging the IP times out, there is basically no way to get around the wall without an intermediate server.

2. After sensitive words are hit several times, the GFW blocks communication between the two ends outright, so subsequent data cannot be transmitted.

Possible problems

1) How to make the server recognize the Reset packets sent by the GFW while handling other Resets normally. Quite possibly the West Chamber CUI module has already solved this, and installing CUI directly on the server may be enough to achieve the desired effect.
2) Development of a Windows client. Installing zhang and gfw on Linux is relatively easy; West Chamber currently has a Windows client too, but I do not know how usable it is. (Promoting Linux on the grounds that it makes circumvention convenient would not be a bad idea either.)
3) The most troublesome problem: how to spread this approach. If it is a blog on a personal VPS whose domain has been poisoned, a single command fixes it; but how do you persuade Facebook to install these things on their servers? That requires serious further development, testing and documentation of the CUI module. Once that groundwork is done, foreign internet companies will naturally consider it if they regard Chinese users as important enough. Of course, promoting the client is equally important. This post was originally going to be written in English, also in the hope that foreign internet companies could find it easily.
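As an added illustration (not code from scholarzhang or West Chamber Season 3), the following Python sketch shows how the two iptables --tcp-flags rules above relate to each other, and one way a server could approach problem 1: validating the sequence number of an incoming RST as RFC 5961 recommends, instead of dropping every RST. The Flow values and segments are constructed for the example.

```python
# Added example, not code from 西厢计划/scholarzhang. It shows (1) the matching
# rule behind iptables "--tcp-flags MASK COMP", applied to the two rules quoted
# above, and (2) the RFC 5961 (section 3.2) check a host can apply so that only
# an RST whose sequence number equals RCV.NXT is honoured, an in-window guess is
# challenged and anything else is dropped. Segments are constructed, not captured.
from dataclasses import dataclass

RST, ACK = 0x04, 0x10           # TCP flag bits as they appear in the header

def iptables_tcp_flags(mask, comp, flags):
    """'--tcp-flags MASK COMP': look only at the bits in MASK and require that
    exactly the bits in COMP (and no other MASK bits) are set."""
    return (flags & mask) == comp

@dataclass
class Flow:
    rcv_nxt: int                 # next sequence number expected from the peer
    rcv_wnd: int                 # our advertised receive window

def classify_rst(flow, seg):
    """Verdict for one incoming segment of an established connection:
    'accept' (honour the reset), 'challenge' (send a challenge ACK; the real
    peer answers with an exact RST if it meant it), 'drop', or 'not-rst'."""
    if not seg["flags"] & RST:
        return "not-rst"
    seq = seg["seq"]
    if seq == flow.rcv_nxt:
        return "accept"
    if flow.rcv_nxt < seq < flow.rcv_nxt + flow.rcv_wnd:   # wrap-around ignored
        return "challenge"
    return "drop"

# Constructed sample: peer's next expected byte is 1000, window 65535.
SAMPLE_FLOW = Flow(rcv_nxt=1000, rcv_wnd=65535)
SAMPLE_SEGMENTS = [
    {"name": "peer aborts cleanly",      "flags": RST,       "seq": 1000},
    {"name": "rst+ack, in-window guess", "flags": RST | ACK, "seq": 4200},
    {"name": "rst with stale seq",       "flags": RST,       "seq": 0},
    {"name": "ordinary data segment",    "flags": ACK,       "seq": 1000},
]

def run(flow=SAMPLE_FLOW, segments=SAMPLE_SEGMENTS):
    return {s["name"]: classify_rst(flow, s) for s in segments}

if __name__ == "__main__":
    # Rule 1 (mask RST, compare RST) also matches RST+ACK, so it already covers rule 2.
    print(iptables_tcp_flags(RST, RST, RST | ACK), iptables_tcp_flags(RST | ACK, RST | ACK, RST))
    for name, verdict in run().items():
        print(f"{verdict:10} {name}")
```

Note that the second iptables rule quoted above is redundant when the first is present, because a mask of RST alone ignores the ACK bit.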

Anonymity

The members of the original West Chamber team participated largely anonymously. This time I am essentially using my real name. Anyone interested is welcome to join. If I come under pressure from the government, I will consider emigrating. Also, if this scheme is adopted by foreign websites, I will publish a way to donate to the project.

Test results (updated July 24)

I did no testing on the day this post was published. Only today did I find a friend’s VPS to test with. The GFW has a punishment mechanism: roughly, when you connect to a foreign server and are found to hit a keyword (visiting a poisoned domain, or plaintext sensitive words in the exchanged data), then after sending RST it may, for a period of time (currently it feels like about 30 seconds), block communication between the two ends, with the same effect as an IP ban. However, the trigger conditions for this punishment mechanism are not very stable. My test results on Ubuntu 11.04:

  1. curl triggers the punishment rule 100% of the time – User-Agent: curl/7.21.3 (i686-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18\r\n
  2. After Chrome and Firefox send about 6 consecutive HTTP requests that hit the wall, the GFW seems to randomly block some requests, but the communication-ban punishment is not triggered.

Overall, the current results are fairly encouraging.

Also, the domain I tested with is liruqi.me, which now points to a host that drops RST packets, for everyone to test.

Categories: gfw