英卫报：中共使用新技术收紧长城防火墙

dandenong

中共似乎收紧控制那些偷偷在长城防火墙上挖洞的互联网服务，阻止网民读取海外网站内容。公司和个人都受到这种由中共政府部署的用以控制国民阅读的新技术的打击。

英国《卫报》12月14日报导说，多个提供“模拟专用网络”（VPN）服务给中国用户的公司说，中共的这种新系统可以“学习，发现和阻断”一系列不同VPN系统使用的加密通讯方法。

一家VPN公司说，中国联通，中国最大的一家电信供应商，正在切断它探测到的VPN的连接。

VPN加密两点之间的互联网通讯以便即使数据被拦截，它也不能被读取。一个连接中国境内和境外的VPN意味着用户的互联网连接始于长城防火墙之外，理论上可以接触到中共政府封杀的巨大范围的信息和网站。这包括许多西方报纸网站和推特，脸书及谷歌上的信息来源。

中国用户怀疑在2011年五月份，中共政府试图扰乱VPN使用，现在VPN提供商开始注意到效果。一家名为Astrill的VPN提供商给它的用户发电子邮件，警告他们“长城防火墙”系统在封杀至少四种VPN使用的常见协议，这意味着它们不再工作。

“这次的长城防火墙更新给许多中国企业造成伤害。”电子邮件说，“我们相信中国审查部长是一个聪明的人……这种堵塞将被去除，事情会恢复正常。”

但是VPN公司说，挑战审查者是一个“猫和老鼠”的游戏。但是他们在研制新系统，希望它可以领先于探测系统。

FRANKSTON

github上有人释出了一个python脚本mongol.py，可以定位中国防火长城的物理位置和数量。
mongol.py以密歇根大学计算机系的Xueyang Xu和Z. Morley Mao在2011年发表的一篇论文为理论依据，发送“tibetalk“这个关键字来刺激防火墙，然后跟踪TCP报头的路由，找出RST数据包返回前最后一跳的位置，从而定位防火长城的物理位置。
这是目前得到的防火长城分布图。

–

这图根本就是个芭乐。还不如直接说每个数据中心的出口都有一个GFW设备算了

这是全国各地蓝翔技校的地址？

越来越觉得封python.org太有前瞻性了

GFW连个IP都没有，它是透明的

完了，好不容易解封沒兩天的github估計又不保了。。。
———

代码


#!/usr/bin/env python

import socket
import logging
import sys, getopt, time

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

# a few silly globals
debug = True
MESSAGE = "GET %s HTTP/1.1" + "\x0d\x0a" + "Host: %s" + "\x0d\x0a\x0d\x0a"
port = 80
inputfile = ""
outputfile = "output.txt"

def usage():
print "Mongol.py -- a tool for pin pointing the ip addresses\n\t of the great firewall of china keyword blocking devices"
print ""
print "usage: python mongol.py -i hostslist.txt -o outputfilename.txt"
print "-i: required newline seperated list of hosts to scan"

# Basically a slightly modified traceroute
def ackattack(host):
port = RandNum(1024,65535)

# build a simple ACK packet, using a range (1,255) for the ttl creates 255 packets
ack = IP(dst=host, ttl=(1,255))/TCP(sport=port, dport=80, flags="A")

# send packets and collect answers
ans,unans = sr(ack, timeout=4, verbose=1)

iplist = []
retdata = ""
for snd,rcv in ans:
#print rcv.summary()
endpoint = isinstance(rcv.payload, TCP)
retdata += "%s %s %s\n" % (snd.ttl,rcv.src,endpoint)
iplist.append(rcv.src)

if endpoint:
break

return retdata, iplist

# parse arguments
try:
opts, args = getopt.getopt(sys.argv[1:],"hi:o:")
except getopt.GetoptError:
usage()
sys.exit(1)
for opt, arg in opts:
if opt == "-h":
usage()
sys.exit(0)
elif opt == "-i":
inputfile = arg
elif opt == "-o":
outputfile = arg

# read the hostnames in from the intputfile
if not inputfile:
usage()
print "ERROR: Please select an input file of hostnames, one hostname per line"
sys.exit(1)

hostnames = []
fd = open(inputfile, "r")
hosts = fd.readlines()
for addr in hosts:
hostnames.append(addr.rstrip("\n"))

# empty list of found firewalls
firewalls = []

for host in hostnames:
# first we create a real handshake and send the censored term
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# why 5 seconds? idk you got a better idea?
s.settimeout(5)

# make sure we can resolve the host
try:
ipaddr = socket.gethostbyname(host)
except socket.gaierror:
print "Could not resolve " + host
continue

# make sure the host is up
try:
s.connect((ipaddr, port))
except socket.timeout:
print "connection to " + host + " has timed out moving on"
continue
except socket.error:
print "connection failed, moving on"
continue
s.send(MESSAGE % ("/", host))

try:
response = s.recv(1024)
except socket.timeout:
print "connection to " + host + " has timedout moving on, Possibly not a webserver"
continue
except socket.error:
print "RST: Possibly already blocked"
continue

s.close()

# TODO: implement other valid response codes, this is a hack.
if response.find("200 OK") != -1 or response.find("302 Redirect") != -1 or response.find("401 Unauthorized") != -1:

# get a non firewalled ACK trace.
noFWprint, noFWlist = ackattack(ipaddr)

# http://en.wikipedia.org/wiki/Lis ... s_Republic_of_China
# tibetalk
print "Sending stimulus"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ipaddr, port))
except socket.timeout:
print "connection to " + host + " has timedout moving on"
continue
s.send(MESSAGE % ("/tibetalk", host) )

# possibly a delay from the IDS to reaction time
time.sleep(3)
try:
response = s.recv(1024)

except socket.error:
print "Found a filter\n\n"

# get a firewalled trace
FWprint, FWlist = ackattack(ipaddr)

if debug:
print "\n\nIPADDR: " + ipaddr
print "Without FW:"
print noFWprint
print "\n\nWith FW:"
print FWprint

filterIP = FWlist[-2]
# we only check the first 3 octecs because of variation in the routers depending on
# firewall status
# fuck regex's
shortip = filterIP.split(".")
shortip = "%s.%s.%s." % (shortip[0], shortip[1], shortip[2])
print "shortip: " + shortip

# add the firewall's IP to the list to be written out if it does not already exist
if filterIP not in firewalls:
firewalls.append(filterIP)

if shortip in noFWlist:
hopsdiff = noFWlist.index(filterIP) - FWlist.index(filterIP)
print "Guess: " + filterIP
print "IP block: " + shortip
print "Hops diff: " + str(hopsdiff)
else:
print "Guess: " + filterIP

else:
print "Appears not to be blocking"

else:
print "Bad response code from " + host
#print response
continue
s.close()

# output the ip's to a file.
fd = open(outputfile, "w")
for ip in firewalls:
fd.write(ip + "\n")
fd.close()