The Great Firewall: How China Polices Internet Traffic
It may be famous for its Great Wall, the ancient stone and earth formation that winds its way more than 5,000 miles along the country’s border, but there’s another wall in China that’s causing a stir these days.
The Golden Shield Project — informally dubbed the “great Chinese firewall” — is an elaborate governmental exercise in power politics. The firewall, constructed by the Communist Party of China (CPC), restricts Web traffic and effectively censors the Chinese public’s ability to access foreign information.
According to some reports, the Shield was the CPC’s direct response to the creation of the China Democracy Party (CDP), which was founded in 1998 and outlawed the same year. The potential loss of political clout — and the fact that the CDP allegedly included former students who had been involved in the 1989 Tiananmen Square massacre, a series of protests that left hundreds dead in and near Tiananmen Square in Beijing — posed a threat to the CPC, reports stated.
The Golden Shield is run by China’s Ministry of Public Security (MPS). Design began in 1998 and it became operational in November 2003. According to China Central Television (CCTV), the project cost $800 million. An updated version was built between 2006 and 2008 at an unknown cost.
Laying Down the Law
The Communist Party has the monumental task of controlling the information flowing out to the country’s estimated population of 1.3 billion. According to many reports, Beijing has employed more than 30,000 people to monitor Internet access, chat rooms, blogs and Web sites for content deemed unacceptable by the government. That’s nearly double the number of CIA agents employed by the U.S.
In December 1997, Zhu Entao, then-assistant to China’s minister of public security, released the “Computer Information Network and Internet Security, Protection and Management Regulations.” This dictum assigned fines for illegal activities on the Internet, which included “defaming government agencies,” “splitting the nation” and “leaking state secrets.” In some cases, fines mounted to 15,000 yuan, or approximately a year and a half of income for the average citizen.
Content restrictions were imposed in September 2000 with State Council Order 292. This order prevented Chinese Internet service providers (ISPs) from providing access to foreign media without government approval. Foreign news could only be provided by entities officially licensed by the state information offices and from the State Council Information Agency.
How Does It Work?
So how does the firewall work? The Internet is, by nature, a web, but in China, this web is connected to government-licensed ISPs that have to comply with government standards for providing public information. In turn, these ISPs connect to a series of routers that all funnel into a single logical node of an international-level router called p-0-0-0-r1-I-bjbj-1.cn.net, at Internet protocol (IP) address 126.96.36.199.
The bulk of Internet traffic into China goes through this single logical node, which enables the country’s government to control the information that passes through.
Defense Meets Offense
According to a 2002 report by the Global Internet Freedom Consortium, the Golden Shield polices Internet traffic by:
Blocking IP addresses. Every Web site uses at least one numeric address. Blocking this IP address prevents access to that individual site. Traffic to blocked IP addresses is dropped by the router.
Some IT professionals work around this by using a proxy server, which passes the connection from a blocked network to a network with full access. Communication occurs between the client and proxy server, then between the proxy server and the target. Traffic logged on the router does not show a direct conversation between the client workstation and the target Web site. Some common proxy sites include peacefire.org, anonymizer.com, unipeak.com, anonymouse.org, proxyweb.net, guardster.com, webwarper.net, and the-cloak.com.
Employing DNS tricks. The domain name system (DNS) is the method for translating the name of a Web address, such as google.cn, to the IP address for the site, such as 188.8.131.52. This resolution occurs every time you search for a Web site.
One way to prevent access to certain sites is by filtering the names of the specific addresses. Another way is to hijack or redirect the traffic to different Web sites. For instance, an image search for “Tiananmen Square massacre” on Google.comGoogle.cn will turn up touristy pictures of the square, highlighting its beautiful architecture and frolicking Chinese youth. will yield many tough, warlike pictures of the event. The identical search on
Some IT pros attempt to get around DNS redirection by browsing to the specific IP address of a Web site, such as http://184.108.40.206. They must know the correct IP address first, however.
URL filtering. URL stands for uniform resource locator. URL filters examine and make routing decisions based on the text in the URL. Secure sockets layer (SSL) or virtual private networks (VPNs) are two standard methods for obfuscating traffic affected by URL filtering.
Packet filtering. This advanced form of filtering examines the individual packets of data that are transferred between the client and target computers. The packets can be filtered based on the type of traffic, such as streaming video. Packets also can be filtered based on content. A packet containing the search term “Taiwanese independence” could be intercepted and blocked or redirected. As with URL filtering, those in the IT community may use SSL and VPNs to avoid packet filtering, since the data stream is encrypted.
Connection reset. When a user enters a request for data through a Web page, the Web page sends a SYN request, which is a packetized request for data. Under normal circumstances, the target Web site sends a return SYN-ACK packet acknowledging the request. Instead of acknowledging packets, a connection reset sends a RST packet to reset the connection, halting communication between the Web site and the client for at least 10 seconds. Sending RST packets can be thought of as a crude denial-of-service attack.
Researchers at the University of Cambridge have found that the Chinese government makes extensive use of connection resets. The researchers also found that simply filtering out the RST connections allows traffic to continue as expected.
Using Green Dam Youth Escort software. Green Dam software is used “to filter pornography on the Internet,” according to the Internet Affairs Bureau of the State Council Information Office in China. The Ministry of Industry and Information Technology (MIIT) announced that it would require the software to be installed on all computers sold in mainland China starting July 1. The directive was intended to “build a green, healthy, and harmonious online environment, and to avoid the effects on and the poisoning of our youth’s minds by harmful information on the Internet,” according to a statement released by the MIIT.
The software was developed by Zhengzhou Jinhui Computer System Engineering Ltd., a Chinese development company.
What Content Is Blocked?
A Harvard study showed that around 18,000 Web sites are blocked from within China. Hong Kong and Macau are the two special administrative regions that are notably exempt from most censorship. Most blocked Web sites are those that discuss Taiwanese independence, freedom of speech, democracy, Tiananmen Square protests, the Dalai Lama and the spiritual practice of Falun Gong; those that include pornographic material; and those that disparage the Chinese government.
Some of the blocked sites include Wikipedia, YouTube, Hotmail, Skype, MySpace, WhiteHouse.gov, Amnesty.org, Greenpeace.org, Disney.go.com, BoingBoing, LiveJournal and TheOnion.com. Perhaps in an effort to conceal this widespread censorship from the press — or, from a kinder perspective, to increase communication ability during a critical time — these sites were meticulously unblocked from many Beijing-area hotels and the city’s 110,000 Internet cafes during the 2008 Summer Olympics.
Response to Crackdowns
A popular example of government crackdown and the ensuing international response can be found in the case of Wang Xiaoning, a Chinese dissident from Shenyang. Wang, along with other activists, used Yahoo e-mail addresses to post illegal comments anonymously. Yahoo capitulated to government pressure and handed over the identities of the anonymous posters, who were eventually sentenced to 10 years in prison in 2001.
Yahoo was later successfully sued by the World Organization for Human Rights for turning over the identities of Wang Xiaoning and others. Even in light of these lawsuits, however, major search engines, including Yahoo, Google and MSN, have decided to comply with Chinese government requests.
According to Amnesty International, China has the largest recorded number of imprisoned journalists and “cyberdissidents” in the world. Google’s stance is that a censored Internet is better than no Internet. According to TheRegister.com, Andrew McLaughlin, Google’s senior policy counsel, explained it thus: “In order to operate from China, we have removed some content from the search results available on Google.cn, in response to local law, regulation or policy. While removing search results is inconsistent with Google’s mission, providing no information (or a heavily degraded user experience that amounts to no information) is more inconsistent with our mission.”
The Future of the Great Firewall
Blocking Internet traffic in China is generally effective because it takes resources to be able to work around the government controls — resources that most average Chinese citizens don’t have at their fingertips. Technical and legal hurdles act as a further deterrent.
However, for those with the means and desire to beat the system, the Great Firewall is more like a sponge than a wall. It is an impressive technological and political feat, but when it comes to keeping foreign invaders out, the original bricks-and-mortar version probably has it beat.
Shawn Conaway, VCP, MCSE, CCA, is a director of NaSPA and editor of Virtualize! and Tech Toys magazines. He can be reached at email@example.com.