If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!
Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.
The GFW's reactive probing system scans egress network traffic for circumvention protocol signatures, and then launches short-lived probes to verify if the suspected server is, in fact, speaking the circumvention protocol. If that is the case, the GFW adds the IP address and port of the server to a country-wide blacklist, preventing people in China from connecting to it. We recently finished a multi-month research project in which we looked at the system from different angles to answer several open questions. In particular, we will talk about:
<li>How the reactive probing system makes use of thousands of unique IP addresses to launch its probes.</li>
<li>We discuss our hypotheses on the physical design of the reactive probing system. Our evidence shows that all these IP addresses are either hijacked, or that the GFW operates a large, geographically distributed network of proxies.</li>
<li>We show patterns in the IP, TCP, and TLS headers that suggest that the thousands of reactive probing IP addresses we harvested are controlled by few centralized systems.</li>
<li>How the system seems to flush its blacklist regularly, providing a short window for circumvention.</li>
<li>The effectiveness of the system, i.e., how good is it at blocking servers and how well does it scale?</li>
<li>How the GFW seems to treat science and education networks different from consumer networks.</li>
<li>Ways to troll the Great Firewall of China.</li>