The Great Firewall of China: Obstacles to Monitoring Performance


China's entire internet connectivity is shielded by the Great Firewall (GFW). Three state-owned ISPs, China Unicom, China Telecom, and China Mobile, control internet access in China. Essentially, all traffic between China and the rest of the world goes through a few national-level and a handful of core-level access points in different regions. The limited number of access points, compounded with the fact that traffic is controlled by the Ministry of Industry and Information Technology, creates performance bottlenecks for all users in China when trying to access websites from inside and outside of the country.

Every year, the Ministry of Industry and Information Technology seeks to improve the Great Firewall's filtering and blocking techniques and enhance its algorithm. The censorship and monitoring of the internet have evolved from anti-virus-like and firewall software to hardware security patches for all devices that use the internet. The main filtering and blocking technologies of the Great Firewall include IP blocking at the national entrance gateway, keyword filtering and blocking at the backbone router, HTTP/S certificate filtering, detection and banning of phishing, and domain name hijacking.

 

Operating System Updates and Security Patches

Since the majority of gadgets are produced in China, the government of China has collaborated with the manufacturers of mobile phones, tablets, and laptops to customize operating systems, such as Windows, Android, and iOS, based on the Great Firewall's internet security guidelines. Devices purchased outside of China will, at a certain point, require security updates when used within mainland China. These updates will disable access to the Google apps downloader, for example. One can only download apps using the manufacturer's downloader software, where VPN installers and other banned apps are not available for installation.

 

IP Blocking

IP addresses from other countries are immediately filtered at the backbone router. All websites hosted outside China undergo screening and analysis for blacklisting and whitelisting. A website that is accessed in China for the first time will have a slow loading time due to this process. China's firewall works both ways: people inside China cannot access restricted sites hosted in foreign countries, while a number of Chinese sites, apps, music and other media are not accessible outside China. This setup enables the government to control the flow of information. The laws in China are the basis of the filtration guidelines of the Great Firewall.

 

Keyword Filtering and Blocking

Search engines must be specially designed so that search results comply with existing Chinese laws on internet security and bandwidth control. Illegal, pornographic, gambling and other blacklisted sites are banned from appearing in search results, while some unauthorized sites may appear in the search results but will time out when the link is clicked, since they do not belong to the whitelist. The firewall's artificial intelligence (AI) technology analyzes website keywords and meta tags, then whitelists or blacklists the URL or IP address.

 

HTTP/S Certificate Filtering

The most recent technology automatically shuts internet access off whenever blacklisted URLs are accessed. The browser would return ERR_TIMED_OUT with an error message like the following, “This site can’t be reached. Try checking in the internet connection.” Apart from the top-level filtering at the National Internet Gateway, each province in China has its own filtering devices that can probe HTTP/S URLs and certificates. This makes censorship of domestic traffic faster.

 

DNS Hijacking and Phishing

Only accredited companies are authorized to have applications and websites implemented for public use. DNS hijacking is usually applied to redirect unauthorized sites to a government-approved website. The Great Firewall detects the domain name entered and analyzes its content, then suggests a similar domain from the whitelist and poisons the DNS cache to redirect the browser request to that other domain. All information typed by users is collected for future analysis. Data gathered over time makes the Great Firewall more “intelligent” in replacing websites. All chat or messenger applications are also monitored by the Great Firewall. One can receive incoming messages from restricted apps, but cannot send messages without the use of a VPN. This allows monitoring of suspicious conversations even when one party is using a VPN.

Websites and apps that are allowed in China can be accessed at very fast speeds, up to the recent 5G (20Gbps) upgrade. Therefore, even foreigners inside China will opt to use the local counterparts of banned apps and websites due to speed. For example, Baidu in lieu of Google Maps, QQ Mail in place of Gmail, Sogou for Google search, Youku and Weibo instead of YouTube, MangoTV and Qiyi as replacements for Netflix, and WeChat in place of Facebook. Connecting to a VPN every time is inconvenient and time-consuming, so people usually only use a VPN from time to time to access information that keeps them updated on what is happening outside China, or if they want to maintain privacy in their internet activities.

 

Getting around the Great Firewall of China

One workaround to access restricted sites and bypass the Great Firewall is to download and subscribe to a VPN service before going into Mainland China. Going to Hong Kong to download VPN apps is an option, since Hong Kong still retains its original laws pertaining to internet accessibility. Otherwise, ask a friend located in another country to send the VPN installer file directly. There are also web browsers, such as Firefox and Opera, that have built-in VPN functionality that can be enabled for private browsing.

The use of a VPN, however, usually slows down downloading and accessibility by 30 percent or more. Faster VPN services are more costly. One major drawback is that your location appears to be in a different country, and this can cause login problems, especially for certain applications and websites that track login location for security purposes. Message timestamps are also affected due to the time zone difference with the country where the VPN server is located. So whenever connecting to a VPN, a best practice is to use one country as the server location and stick to it. Using the same country every time is important to avoid your account being locked out due to suspicious access from another location.

 

Final Thoughts: Monitoring Performance from the Great Firewall of China

For users and companies doing business in China, it’s critical to continually test and monitor website accessibility and performance. Traffic conditions can change suddenly and you’ll want to know immediately when issues from the Great Firewall of China impact your users.  Dotcom-Monitor provides a number of free online performance tools to check performance of your websites, applications, servers, and more from China. Additionally, for a more comprehensive solution, set up continuous web page monitoring to ensure uptime, availability, and performance of all your websites 24/7.
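For site owners who collect probe results from monitoring agents, the following added example (not part of the original article or of any Dotcom-Monitor product) sorts each result into the failure modes described above: a DNS answer outside the site's own address ranges, a connection timeout, a TLS-stage timeout, or a slow load. The agent names, record fields, thresholds, and addresses are constructed assumptions, and the labels are monitoring heuristics rather than proof of the cause.

```python
import ipaddress
from collections import Counter

# Assumption: address ranges the site owner really serves from (constructed,
# RFC 5737 documentation range).
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed probe records from hypothetical monitoring agents.
PROBES = [
    {"agent": "beijing-1", "dns": ["192.0.2.10"], "tcp": "ok", "tls": "ok", "ms": 840},
    {"agent": "shanghai-1", "dns": ["203.0.113.7"], "tcp": "ok", "tls": "ok", "ms": 610},
    {"agent": "guangzhou-1", "dns": ["192.0.2.10"], "tcp": "timeout", "tls": None, "ms": 30000},
    {"agent": "chengdu-1", "dns": ["192.0.2.11"], "tcp": "ok", "tls": "timeout", "ms": 30000},
    {"agent": "frankfurt-1", "dns": ["192.0.2.10"], "tcp": "ok", "tls": "ok", "ms": 210},
]

def unexpected_answers(answers):
    """Return the resolved addresses that fall outside EXPECTED_NETS."""
    bad = []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if not any(ip in net for net in EXPECTED_NETS):
            bad.append(a)
    return bad

def classify(probe, baseline_ms=210, slow_factor=3):
    """Map one probe record to a label, checked in protocol order."""
    if not probe["dns"]:
        return "dns_no_answer"
    if unexpected_answers(probe["dns"]):
        return "dns_mismatch"      # consistent with DNS hijacking
    if probe["tcp"] != "ok":
        return "connect_timeout"   # consistent with IP blocking
    if probe["tls"] != "ok":
        return "tls_timeout"       # consistent with HTTP/S filtering
    if probe["ms"] > baseline_ms * slow_factor:
        return "slow"              # reachable, but well above baseline
    return "ok"

def triage(probes):
    """Return per-agent labels and a count of each label."""
    labels = {p["agent"]: classify(p) for p in probes}
    return labels, Counter(labels.values())

if __name__ == "__main__":
    labels, counts = triage(PROBES)
    for agent, label in labels.items():
        print(f"{agent:12} {label}")
```

Checking DNS first matters because a mismatched answer makes every later stage measure the wrong server, so a "healthy" TCP and TLS result behind it says nothing about the real site.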

Try the full Dotcom-Monitor platform free for 30 days.

 
