China’s Botched Great Firewall Upgrade Invites Attacks On Its Censorship Infrastructure
China’s attempts to censor traffic carried using Quick UDP Internet Connections (QUIC) are imperfect and have left the country at risk of attacks that degrade its censorship apparatus, or even cut access to offshore DNS resolvers.
Those findings emerged last week in a paper written by researchers from University of Massachusetts Amherst, Stanford University, University of Colorado Boulder, and activist group Great Firewall Report. The paper, titled “Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China,” is the subject of a presentation at next week’s USENIX Security Symposium.
QUIC is a transport layer network protocol that uses User Datagram Protocol (UDP) instead of Transmission Control Protocol (TCP). Network boffins at Google invented the protocol and it later became a standard because it allows a client and server to exchange data with fewer round trips than are needed to establish a TCP link. Internet measurement wonks think that at least ten percent of websites use QUIC, among them many services provided by Meta and Google.
China uses the Great Firewall (GFW) to block both companies’ sites, so upgrading it to handle QUIC is a sensible extension of its pervasive censorship regime.
The researchers used “traceroute-like measurements to show that the devices responsible for QUIC censorship are co-located at the same hop as existing GFW devices, indicating that they may use shared infrastructure or have similar management.”
The authors note that the operators of China’s Great Firewall started blocking QUIC connections to certain domains in April 2024 but appear to be doing so indiscriminately.
“The GFW’s QUIC blocklist substantially differs from blocklists used for TLS, HTTP, or DNS censorship in China,” the paper states. “In particular, the QUIC blocklist is roughly 60 percent of the size of the DNS blocklist in terms of number of domains. Surprisingly, a large number of these domains do not even support QUIC, making it unclear why they ended up on a QUIC-specific censorship list.”
The researchers also noticed “parsing idiosyncrasies” that saw the GFW attempt to process QUIC payloads that don’t meet requirements set out in standards – meaning it wastes time trying to process packets that may not be attempts to reach forbidden websites.
The paper also found China can’t block all QUIC traffic, and the percentage of successful censorship attempts fluctuates according to the time of day.
After testing QUIC blocking across the cities of Beijing, Shanghai, and Guangzhou, the researchers found “a clear diurnal pattern across all three cities, with blocking percentages peaking during early morning hours and dropping to the lowest levels during the day.”
“This pattern suggests that the blocking rate is influenced by the Internet usage patterns in China, with the highest blocking rates observed during periods of low network traffic.”
QUIC’s design could be one reason for those fluctuations.
As the paper explains, “QUIC encrypts all packets, unlike TLS where the destination server name is sent in plaintext. In QUIC, even the first handshake message, the QUIC client Initial, is encrypted, albeit under a key that is derivable by a passive network observer.”
“This means that a censor that wants to block QUIC connections based on the Server Name Indication (SNI) field needs to decrypt the first packet of every QUIC connection to reveal the destination site.”
“The operational cost of decrypting QUIC Initial packets is substantial at scale, making the blocking rate sensitive to network load, which varies during the day,” the paper suggests.
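The derivation the paper refers to, as an added example (not code from the paper or this article): the client Initial keys depend only on the Destination Connection ID visible in the packet header and a public salt from RFC 9001, so any on-path observer can compute them, at the price of several HMAC operations per connection before any decryption happens. The function names are illustrative, and the sample header bytes are the start of the RFC 9001 Appendix A.2 client Initial.

```python
import hashlib
import hmac
import struct

# Public QUIC v1 initial salt (RFC 9001, section 5.2). Nothing here is secret.
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")

# First 15 bytes of the sample client Initial in RFC 9001 Appendix A.2:
# flags, version 1, DCID length 8, DCID, SCID length 0.
SAMPLE_HEADER = bytes.fromhex("c000000001088394c8f03e51570800")

def hkdf_expand_label(secret, label, length):
    """TLS 1.3 HKDF-Expand-Label (RFC 8446, section 7.1) with an empty context."""
    full = b"tls13 " + label
    info = struct.pack("!HB", length, len(full)) + full + b"\x00"
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def dcid_from_initial(packet):
    """Return the Destination Connection ID of a QUIC v1 Initial packet."""
    # Long header form bit set (0x80) and packet type bits 00 (Initial).
    if len(packet) < 6 or packet[0] & 0xB0 != 0x80:
        raise ValueError("not a long-header Initial packet")
    if int.from_bytes(packet[1:5], "big") != 1:
        raise ValueError("not QUIC version 1")
    dcid_len = packet[5]
    if dcid_len > 20 or len(packet) < 6 + dcid_len:
        raise ValueError("bad connection ID length")
    return packet[6:6 + dcid_len]

def client_initial_keys(dcid):
    """Derive the client Initial AEAD key, IV and header-protection key."""
    # HKDF-Extract is a single HMAC keyed with the salt.
    initial_secret = hmac.new(INITIAL_SALT_V1, dcid, hashlib.sha256).digest()
    client_secret = hkdf_expand_label(initial_secret, b"client in", 32)
    return {
        "key": hkdf_expand_label(client_secret, b"quic key", 16),
        "iv": hkdf_expand_label(client_secret, b"quic iv", 12),
        "hp": hkdf_expand_label(client_secret, b"quic hp", 16),
    }

if __name__ == "__main__":
    keys = client_initial_keys(dcid_from_initial(SAMPLE_HEADER))
    for name, value in keys.items():
        print(name, value.hex())
```

These five HMAC-SHA256 calls are only the key schedule; removing header protection and decrypting the payload with AES-128-GCM to reach the SNI come on top, for every new connection.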
Those problems processing QUIC Initial packets saw the paper’s authors ponder whether it might be possible to purposefully degrade China’s censorship capabilities by sending QUIC packets to the GFW. After taking care to design experiments that would not disrupt the Chinese internet, the researchers concluded it’s possible to degrade the GFW’s QUIC-crimping infrastructure from outside China.
DNS DoS
The researchers also found that the GFW’s QUIC-blocker offered a new way to initiate an “availability attack” – a form of attack that deliberately triggers a censorship mechanism. The paper explains that censorship systems often lift traffic blocks after a few minutes. An availability attack sees attackers deliberately send additional spoofed packets so the censorship persists.
The authors found the QUIC blocking mechanism is susceptible to availability attacks that could “block all open or root DNS resolvers outside of China from being accessed from within China, leading to widespread DNS failures in the country.”
“Defending against this attack while still censoring is difficult due to the stateless nature and ease of spoofing UDP packets,” the paper states. “Careful engineering will be needed to allow censors to apply targeted blocks in QUIC, while simultaneously preventing availability attacks.”
The researchers worried that their work could harm China’s internet and citizens, and therefore disclosed their work to Chinese authorities in January 2025. In March, the authors observed changes in the GFW’s behavior.
Analysis of those changes detailed in the paper suggests the GFW’s maintainers managed only a partial mitigation. The authors didn’t disclose the ability to degrade the GFW to Chinese authorities, and instead shared their work with anti-censorship communities, followed by a public disclosure with this paper’s publication.
“We chose this disclosure strategy because the degradation attack affects only the GFW’s infrastructure, not users. A private disclosure to the censor would have afforded them an opportunity to strengthen their censorship mechanisms before the broader anti-censorship community could become aware of and learn from this vulnerability,” the paper states.