
Great Firewall of China = Pwn3d

Researchers at the University of Cambridge discovered a way to DoS users in China using China’s own firewall/filter against them.

To quote the article (linked below), “the Chinese firewall can be used to launch denial-of-service attacks against specific IP addresses within China, including those of the Chinese government itself.

The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a “sensitive” keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time.”


The article goes on to say that Internet access could be denied to individual members of government by using this method. I say, however, that any bot herder with a political agenda on human rights could potentially deny Internet access for ALL of China.

The researchers did send their findings to the Chinese CERT. 

Human rights issues aside, it looks like they may need to rethink how they apply the technology, and we can learn a lesson as well. Apparently, the Chinese firewall is not mindful of state – if the firewall can be fooled by just one spoofed packet, it is clear that it has no concept of state. Sure, stateful inspection at a scale this large would require massive computing power – but understand the technology and design your systems appropriately!

– Larry

Academics break the Great Firewall of China

University of Cambridge computer experts say they breached firewall and can use it to launch denial-of-service attacks.
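
The design lesson above, as an added example (not code from the original post or from the Cambridge researchers): a toy model contrasting a filter that judges each packet alone with one that only acts on payload inside a flow whose handshake it has observed. The packet records, addresses and keyword placeholder are constructed; the one-hour block duration comes from the quoted article.

```python
# Added illustration; packet records and the keyword are constructed, not captured traffic.
from dataclasses import dataclass

KEYWORD = b"SENSITIVE-KEYWORD"   # placeholder for a filtered term
BLOCK_SECONDS = 3600             # "up to an hour", per the quoted article

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str        # "S", "SA", "A" or "PA"
    payload: bytes = b""

def stateless_filter(packets):
    """Judge each packet alone: any keyword match blocks the (src, dst) pair."""
    blocked = {}
    for t, p in enumerate(packets):          # list index stands in for seconds
        if KEYWORD in p.payload:
            blocked[(p.src, p.dst)] = t + BLOCK_SECONDS
    return blocked

def stateful_filter(packets):
    """Act on payload only inside a flow whose three-way handshake was observed."""
    state, blocked = {}, {}
    for t, p in enumerate(packets):
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            state[fwd] = "SYN_SEEN"
        elif p.flags == "SA" and state.get(rev) == "SYN_SEEN":
            state[rev] = "SYNACK_SEEN"
        elif p.flags == "A" and state.get(fwd) == "SYNACK_SEEN":
            state[fwd] = "ESTABLISHED"
        elif KEYWORD in p.payload and state.get(fwd) == "ESTABLISHED":
            blocked[fwd] = t + BLOCK_SECONDS
    return blocked

# Constructed traffic (RFC 5737 documentation addresses).
# Flow 1: a client completes a handshake, then sends the keyword.
# Flow 2: a lone data packet whose source address never took part in a handshake.
TRAFFIC = [
    Packet("192.0.2.10", "198.51.100.5", "S"),
    Packet("198.51.100.5", "192.0.2.10", "SA"),
    Packet("192.0.2.10", "198.51.100.5", "A"),
    Packet("192.0.2.10", "198.51.100.5", "PA", b"GET /?q=" + KEYWORD),
    Packet("203.0.113.77", "198.51.100.5", "PA", b"GET /?q=" + KEYWORD),
]

if __name__ == "__main__":
    print("stateless blocks:", sorted(stateless_filter(TRAFFIC)))
    print("stateful blocks: ", sorted(stateful_filter(TRAFFIC)))
```

The stateless filter blocks both address pairs, including the one that never opened a connection; the stateful filter blocks only the flow it saw established. This simplified model omits sequence-number validation, which a production connection tracker would also need.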

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.
