We last left off our exploration of China’s censorship system at an in-depth analysis of the content-filtering technical behemoth that is the Great Firewall, and an examination of how the Great Firewall and opposing circumvention tools have evolved in tandem. But the Great Firewall isn’t the only play in China’s book — the Chinese government has also begun to develop intimidatingly powerful Internet weapons that can attack websites that run afoul of authorities’ rules. One of the most recent developments in China’s ever-evolving arsenal is the Great Cannon, a selective attack tool distinct from the Great Firewall that hijacks traffic to individual IP addresses and can arbitrarily replace unencrypted content as a man-in-the-middle.
On March 26, GitHub also came under the same type of DDoS attack, likely carried out in the hope of coercing GitHub to remove sensitive content, including GreatFire-run GitHub repositories that provide anti-censorship technology and links to mirror sites of the Chinese version of the New York Times. This was not the first time Chinese authorities had attempted to block GitHub. Because GitHub is fully encrypted and the Great Firewall can’t distinguish between innocuous and undesirable packets carrying content from the site, the government could not selectively block offending content, and so instead blocked GitHub’s entire site in China in 2013. But the site is indispensable for tech companies in China, and the block caused such an outcry from China’s computer engineers that GitHub was unblocked just two days later. In 2015, the government again tried to force the offending content off GitHub, this time using the Great Cannon.
Let’s explore some of the research that explains how the Great Cannon achieved such large-scale attacks.
In contrast with the Great Firewall, the Great Cannon operates as an in-path system capable not only of injecting traffic but also of directly suppressing it, which allows it to act as a full man-in-the-middle for targeted flows. The Great Cannon doesn’t actively examine all traffic on a link; it intercepts only traffic to a set of targeted addresses. This is how its in-path system keeps up with huge volumes of traffic: it only has to process the much smaller stream destined for targeted addresses, and unlike the Great Firewall it examines individual packets one at a time, avoiding the computational cost of TCP bytestream reassembly. In addition, the Great Cannon examines only the first data packet of a connection when deciding whether to inject a reply; it maintains a flow cache of connections so that recent connections that have already been examined are ignored.
Though the Great Cannon is a distinct tool, it does have significant structural similarities with the Great Firewall, including its load-balanced architecture where packets are routed to censoring nodes based on source IP address. The Great Cannon is also co-located with the Great Firewall across multiple ISPs including China Telecom and China Unicom, a fact that confirms the government’s involvement.
Implications of Targeted Internet Intervention
The Great Cannon significantly increases the flexibility and power of China’s censorship system. While its design isn’t well-suited to performing traffic censorship (the job of the Great Firewall), it can successfully inject traffic to specifically target unwelcome organizations. The attack on GreatFire.org was exceptionally costly in monetary terms and also disrupted GitHub’s operations. The attack was likely both an attempt to block the operations of an undesirable resource and a warning sent to other similar organizations.
Using Baidu traffic in the attack on GreatFire.org suggests that Chinese authorities are willing to pursue domestic stability and security aims at the expense of fostering economic growth in the technology sector. The Great Cannon attacks put Baidu in a difficult position, especially since they directly affected the company’s revenues by interrupting advertising traffic.
The government has a strong agenda, and perhaps what is most striking is that the Great Cannon can also be enhanced in a number of ways. For instance, a simple change in the Great Cannon’s configuration could switch it to operating on traffic from a specific IP address rather than to a specific address. This would allow it to deliver malware to targeted individuals who communicate with any Chinese server. In other words, if the target ever made a single unencrypted request to a server inside China, the Great Cannon could deliver a malicious payload to the target. This could happen even if, for instance, the target accessed a non-Chinese website that served ads ultimately sourced from Chinese servers. Encrypted HTTPS connections may not even be enough to safeguard against such attacks, since in practice websites that offer HTTPS protections frequently mix unencrypted traffic from third-party sites into their encrypted pages. The Great Cannon could still take advantage of this weakness by manipulating traffic from one of those third parties.
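The mixed-content exposure described above is something a site operator can audit directly. The following is an added example, not code from the original post or from the cited research: it parses a page's HTML and lists every subresource that a browser would fetch over plain HTTP (and so could be rewritten by an in-path man-in-the-middle), flagging whether it is third-party and whether it is active content such as a script or iframe. The page URL and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "link": "href", "object": "data", "embed": "src"}
# Active content: an injected replacement runs in the page's origin.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class SubresourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every fetched subresource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # urljoin resolves relative and protocol-relative ('//host/x') URLs
            # against the page, so they inherit https from an HTTPS page.
            self.resources.append((tag, urljoin(self.base_url, value)))


def insecure_subresources(page_url, html):
    """Return subresources of an HTTPS page that are loaded over plain HTTP."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for tag, url in collector.resources:
        parsed = urlparse(url)
        if parsed.scheme != "http":
            continue  # https:// (including resolved '//' URLs) is not injectable in-path
        findings.append({"tag": tag, "url": url,
                         "third_party": parsed.hostname != page_host,
                         "active": tag in ACTIVE_TAGS})
    return findings


# Constructed sample: an HTTPS page mixing in HTTP resources.
SAMPLE_PAGE_URL = "https://news.example/article"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example/lib.js"></script>
<script src="http://ads.example/ad.js"></script>
</head><body>
<img src="http://img.example/photo.png">
<script src="http://news.example/legacy.js"></script>
<iframe src="//widgets.example/w.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in insecure_subresources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f)
```

On the sample page only the two HTTP scripts and the HTTP image are reported; the protocol-relative iframe and the first-party stylesheet resolve to HTTPS and are not.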
The introduction of the Great Cannon represents a significant escalation in state-level information control, as it expands China’s efforts beyond censoring websites accessed from within national borders to attacking web services located outside China. Not only that, but the Great Cannon also repurposed the devices of unwitting foreign users for large-scale attacks supporting China’s national priorities. China’s government now has the ability to exploit any foreign computer that communicates with any China-based website not fully protected by HTTPS. It will be fascinating to watch the nation navigate political waters as it attempts to redefine the rules of the Internet, and as its censorship program continues to evolve into a tremendously powerful force that will inevitably affect networks, services and users even outside China’s borders.