What Is the GFW? A Simple Explanation

GFW devices are mounted on certain routers in the backbone network. GFW reacts differently to different kinds of sensitive content. For example, with something as simple as a DNS query for twitter.com, GFW will return an incorrect domain name resolution result. There are many such kinds of reactions, targeting protocols such as DNS, HTTP, SMTP, and others. And some “reactions” are actually no reaction at all—for example, when blocking an IP or a port, its response is simply to drop your packets.

The second characteristic of GFW is that it is half-stream: it only looks at your packets in one direction. This means you do not need any cooperation from the server side; you can just talk to yourself, so to speak. The speaker may mean nothing by it, but the listener (GFW) is paying attention. You can send packets to any IP address, and as long as the content is “appropriate” and GFW hears it, you can trigger GFW’s response.

Similar tools have been written before, such as mongol (https://github.com/mothran/mongol/). The improvements in qiang are in four areas:

  • Not just HTTP keywords; it covers every GFW reaction that could be found.
  • One-way firing, with no server cooperation required. It is fast, and the range of possible targets is greatly expanded, which means more GFW devices can be found.
  • Configurable policy-based target selection for firing (for example, when firing from outside China into China, you can choose IPs from different carriers such as China Unicom, China Telecom, China Mobile, etc.)
  • It probes the properties of the routes themselves (for example, whether the IP packet path changes with the source address or port)

What do these features mean when combined? They mean that with a single machine on the public Internet, whether inside or outside China, if you run it overnight you can basically find all the routers across the country that have GFW attached. It can also tell you which IPs perform both DNS hijacking and HTTP keyword inspection, and which IPs also do TCP packet dropping, and so on. Once you have the raw information such as IP addresses, AS/carrier ownership, and whether all rules are deployed, it may be possible to infer some broader deployment patterns. That is what this tool can currently do.
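As an added illustration of the aggregation step described above (not code from qiang or its author), the sketch below turns raw per-router observations into a capability matrix and a per-carrier summary of where every rule is deployed. The record layout, reaction labels, carrier names and sample observations are assumptions constructed for this example; the addresses come from documentation ranges.

```python
from collections import defaultdict

# The three reaction kinds the article names; the labels are this example's own.
REACTIONS = ("dns_wrong_answer", "http_keyword", "tcp_packet_drop")

# Constructed observations: (router IP, carrier, reaction seen at that router).
# Addresses are from documentation ranges; carriers are placeholders.
OBSERVATIONS = [
    ("192.0.2.1", "carrier-A", "dns_wrong_answer"),
    ("192.0.2.1", "carrier-A", "http_keyword"),
    ("192.0.2.1", "carrier-A", "tcp_packet_drop"),
    ("192.0.2.1", "carrier-A", "dns_wrong_answer"),  # repeat sighting
    ("198.51.100.7", "carrier-A", "dns_wrong_answer"),
    ("198.51.100.7", "carrier-A", "http_keyword"),
    ("203.0.113.9", "carrier-B", "tcp_packet_drop"),
    ("203.0.113.20", "carrier-B", "dns_wrong_answer"),
    ("203.0.113.20", "carrier-B", "http_keyword"),
    ("203.0.113.20", "carrier-B", "tcp_packet_drop"),
]

def capability_matrix(observations):
    """Map each router IP to (carrier, set of reactions observed there)."""
    routers = {}
    for ip, carrier, reaction in observations:
        if reaction not in REACTIONS:
            raise ValueError(f"unknown reaction {reaction!r}")
        known_carrier, seen = routers.setdefault(ip, (carrier, set()))
        if known_carrier != carrier:
            raise ValueError(f"{ip} reported under two carriers")
        seen.add(reaction)
    return routers

def carrier_summary(routers):
    """Per carrier: routers found, routers showing every reaction, missing ones."""
    summary = defaultdict(lambda: {"routers": 0, "all_rules": 0, "partial": {}})
    for ip, (carrier, seen) in sorted(routers.items()):
        entry = summary[carrier]
        entry["routers"] += 1
        missing = [r for r in REACTIONS if r not in seen]
        if missing:
            entry["partial"][ip] = missing
        else:
            entry["all_rules"] += 1
    return dict(summary)

if __name__ == "__main__":
    for carrier, entry in carrier_summary(capability_matrix(OBSERVATIONS)).items():
        print(carrier, entry)
```

The `partial` map is where deployment differences show up: a router listed there produced some reactions but not others during the run.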

By extension, it can also be used to probe the content of GFW censorship itself. For example, the efficient HTTP keyword inspection probe included in qiang can be used to determine which keywords are being censored. Running it regularly over a long period can also reveal the timing of blocking and unblocking.

To use it, you need Python, scapy, and a machine on the public Internet.

https://github.com/fqrouter/qiang

There are two scripts in it that can be used independently:

http://fqrouter.tumblr.com/post/46745599157/qiang-dns-wrong-answer-probe-py

http://fqrouter.tumblr.com/post/46758595474/qiang-tcp-rst-probe-py
