- Nihao Cloud


How the Great Firewall of the Chinese Mainland works - all you need to know

In this article, I would like to explain how the Chinese Mainland controls its Internet.

As I would call it, the Chinese Mainland is running a “Mainland Intranet” which is protected by The Great Firewall of China (GFW).

Mini Office Firewall

We can compare this with your office or home, where your router protects your computers. The router has local “parental”-like settings that give access to the Internet but also control or block websites with possibly harmful content. That's how some companies block Facebook during office hours.

Bigger Router - Bigger Wall

The GFW works similarly but on a much larger scale. Instead of just dealing with your small office, the GFW filters all the traffic going in and out of the Chinese Mainland.

I will explain how Internet traffic works in a short and simple way, and no, you don't need to be a geek to understand it.

Understanding Internet Traffic Rules

So how does an actual e-mail get sent or received over the Internet? How can we browse websites or stream movies?

For the data to travel back and forth quickly, it has to follow Internet traffic rules. Under these rules, all data is delivered in little IP packets. So let's imagine we want to look at a funny cat video on YouTube. We click to load the video, the YouTube server disassembles that video into thousands of little packets and sends them to your laptop. Then these packets get reassembled into a video again. This happens very fast.

All you need to take from this is that all Internet traffic travels in little packets.

IP Address

So how did YouTube know where to send those little packets? On the Internet, every destination (computer, website or cellphone) has to have an IP address to send and receive data. Google for "my IP" and you can see your own IP address. IP addresses are a bunch of numbers because computers can then convert them into 1’s and 0’s, but we need domain names so that we can memorise them.

Otherwise, instead of nihaocloud.com, you would see 52.79.32.36. Not the most memorable web address, right?

What is DNS?

For the “Internet” to understand those domain names, we have the Domain Name Service (DNS). DNS servers translate domain names back into an IP address that.

(nihaocloud.com → 13.124.52.38). There are thousands of those DNS Servers that translate Domain Names into IP Addresses.

OK, enough of the dry and boring theory and back to the Great Firewall of China and how it works.

DNS Spoofing


The first and most efficient way to block websites is by DNS spoofing or “DNS Cache Poisoning”.

So let's go back to our cat video. When we type youtube.com into the browser, a DNS server receives a request to look up what youtube.com means and send you to the right IP address. This process happens for any Internet communication, such as web browsing.

Any DNS request for a website outside of the Chinese Mainland is subjected to Deep Packet Inspection (DPI) by the GFW. This means that each little IP packet is opened and its content checked, like at a customs control.

If any pattern found in that packet matches unwanted content, a bogus IP address is returned and the website will not open …

That's why, if you are in China and try to reach Youtube.com, you will receive this website:
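As an added illustration (not code from the original article), the Python sketch below shows one way a defender can spot the DNS spoofing described above: it parses raw DNS responses and flags any query that received two different answers. It assumes the forged reply and the genuine reply both reach the client; the function names, example domains and documentation-range IP addresses are constructed for this example.

```python
import socket, struct

# Constructed sample data: a DNS response with one A record (name = pointer 0xC00C).
def build_response(txid, name, ip):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer

def read_name(pkt, off):
    """Decode an RFC 1035 name at off; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):  # bounded walk, so a pointer loop cannot hang the parser
        length = pkt[off]
        if length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | pkt[off + 1]
        else:
            labels.append(pkt[off + 1:off + 1 + length].decode("ascii").lower())
            off += 1 + length
    raise ValueError("name too long or compression pointer loop")

def parse_a_records(pkt):
    """Return (transaction id, question name, sorted tuple of A-record IPs)."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, qname, ips = 12, "", []
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(pkt[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, qname, tuple(sorted(ips))

def conflicting_answers(packets):
    """Return {(txid, name): answer sets} for queries answered inconsistently."""
    seen = {}
    for pkt in packets:
        txid, qname, ips = parse_a_records(pkt)
        seen.setdefault((txid, qname), set()).add(ips)
    return {key: answers for key, answers in seen.items() if len(answers) > 1}

# Constructed capture: query 0x1A2B is answered twice with different addresses.
SAMPLE = [build_response(0x1A2B, "blocked.example", "203.0.113.7"),
          build_response(0x1A2B, "blocked.example", "198.51.100.20")]
```

Differing answers can also come from ordinary load balancing, so a hit is a reason to check the returned addresses rather than proof of tampering.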

VPN & Encrypted Traffic

Even though the GFW knows that this traffic is encrypted, it can only guess what is inside. Here lies the biggest opportunity to get the traffic across the GFW. Now the GFW is UNCERTAIN whether this is simple YouTube access, which can be blocked, or the most important connection for financial transactions, where cutting the connection could cause huge damage to the economy.

UNCERTAINTY - that's the biggest headache for the GFW.



The keyword here is “Collateral Damage” which could be caused by blocking encrypted packets. This Collateral Damage has to be kept to a minimum.

So what is the GFW doing about this?


As we can imagine, the staff behind the GFW are not stupid, and they came up with an “Active Probing” mechanism. The GFW now looks for encrypted traffic and guesses the encryption / VPN protocols.

Then a probing server at the GFW takes the encrypted packets, forwards them to the receiver and waits for the reply. From those replies, the GFW can decide what to do with a packet: drop it or let it go through.

So, to sum it up, the GFW works in 2 ways:

DNS Poisoning

Active Probing

One more interesting thing to know is that different networks in the Chinese Mainland are subject to different filtering. While public networks like China Unicom or Telecom have the strongest filters, networks for universities (e.g. CERNet, the China Education and Research Network) are filtered less harshly.

We should keep in mind that the GFW is a very dynamic animal. It is always trying to find the optimal balance between Collateral Damage and efficiently blocking the Internet. So some Services can be blocked today, but not tomorrow and again blocked the day after.

Those who live in the Chinese Mainland know that during big public events or holidays the GFW filters much more strictly than usual. Also, the GFW is learning and is constantly being developed and improved. So what we understand today might change tomorrow.

All we know can be found through research and testing, but nobody will explain how it really works. I would also like to mention that this article is based not only on my own 20 years of IT experience in the Chinese Mainland but also on research presented at the annual conference of the CCC - Chaos Computer Club Hamburg.

So there will always be a battle between the GFW and VPN providers, there will always be the problem of Collateral Damage, and nobody wants to hurt the economy.

The GFW is well prepared and always will be. Also, do not forget that the Chinese Mainland has also placed legal notices to fight this battle offline.

UPDATE: NiHao Cloud was interviewed by BBC Business daily, about China's Internet Privacy Clampdown. You can listen to the full episode here








































