BREAKING: The Great Firewall of China Has Evolved its QUIC Censorship Capabilities
Our latest research, to be presented at USENIX Security '25, reveals that the Great Firewall of China (GFW) can now inspect encrypted QUIC Initial packets to perform real-time, SNI-based censorship and block specific domains. Our paper provides a deep analysis of the GFW's new censorship logic, reverse-engineers its heuristic parsing rules, and maps out its blocklist of targeted domains and services.
This new system introduces two critical vulnerabilities:
1️⃣ Degradation Attack: We propose a novel attack that can overwhelm the censorship apparatus by sending a moderate amount of carefully crafted traffic, temporarily reducing the GFW's effectiveness.
2️⃣ Availability Attack: We discovered that anyone can exploit the GFW and use it as a weapon to launch availability attacks, blocking UDP traffic between arbitrary hosts from China and the rest of the world.
Given the severity of the availability attack, we followed responsible disclosure protocols and notified CNCERT and Fang Binxing of the vulnerability. Their reaction (or lack thereof) is discussed in the paper.
To protect users, we have already collaborated with industry leaders including Mozilla (Firefox & Neqo), the quic-go project, and developers of all major QUIC-based circumvention tools to design and deploy effective countermeasures.
Read the full paper here:
https://gfw.report/publications/usenixsecurity25/en/
Our latest research, to be presented at USENIX Security '25, reveals that the Great Firewall of China (GFW) can now inspect encrypted QUIC Initial packets to perform real-time, SNI-based censorship and block specific domains. Our paper provides a deep analysis of the GFW's new censorship logic, reverse-engineers its heuristic parsing rules, and maps out its blocklist of targeted domains and services.
This new system introduces two critical vulnerabilities:
1️⃣ Degradation Attack: We propose a novel attack that can overwhelm the censorship apparatus by sending a moderate amount of carefully crafted traffic, temporarily reducing the GFW's effectiveness.
2️⃣ Availability Attack: We discovered that anyone can exploit the GFW and use it as a weapon to launch availability attacks, blocking UDP traffic between arbitrary hosts from China and the rest of the world.
Given the severity of the availability attack, we followed responsible disclosure protocols and notified CNCERT and Fang Binxing of the vulnerability. Their reaction (or lack thereof) is discussed in the paper.
To protect users, we have already collaborated with industry leaders including Mozilla (Firefox & Neqo), the quic-go project, and developers of all major QUIC-based circumvention tools to design and deploy effective countermeasures.
Read the full paper here:
https://gfw.report/publications/usenixsecurity25/en/
GFW Report
Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China
Since April 2024, the Great Firewall of China (GFW) has been censoring QUIC traffic to specific domains. Our findings show the GFW decrypts QUIC Initial packets at scale and employs a unique blocklist. Our research reveals this system is ineffective under…
👍2😨2❤1
中国防火长城 (GFW) 已具备QUIC SNI审查能力
我们在 USENIX Security '25 会议上发表的最新研究报告揭示,中国的防火长城 (GFW) 自2024年4月起,已经可以检测加密的QUIC初始数据包,以进行基于服务器名称指示 (SNI) 的实时审查和域名屏蔽。我们的论文深入分析了其审查逻辑、逆向工程了其启发式解析规则,并揭示了其封锁名单。
这个新系统引入了两个严重的漏洞:
1️⃣ 降级攻击 (Degradation Attack): 我们提出了一种新型攻击方式,通过发送适量的精心构造的数据包,即可压垮审查设备,从而暂时性地降低GFW的审查效率。
2️⃣ 可用性攻击 (Availability Attack): 我们发现,任何人都可以利用GFW作为武器发动可用性攻击,从而借GFW之手,阻断中国与世界其他地区之间任意主机间的UDP通讯。
鉴于可用性攻击的严重性,我们遵循了“负责任的漏洞披露”原则,向中国国家互联网应急中心 (CNCERT) 及方滨兴本人通报了此漏洞。我们在论文中讨论了他们对此的反应。
为了保护用户,我们已经与行业领导者合作,包括 Mozilla (Firefox & Neqo)、quic-go 项目以及所有主要的基于QUIC的翻墙工具的开发者,共同设计并部署了有效的缓解措施。
论文中文版:
https://gfw.report/publications/usenixsecurity25/zh/
我们在 USENIX Security '25 会议上发表的最新研究报告揭示,中国的防火长城 (GFW) 自2024年4月起,已经可以检测加密的QUIC初始数据包,以进行基于服务器名称指示 (SNI) 的实时审查和域名屏蔽。我们的论文深入分析了其审查逻辑、逆向工程了其启发式解析规则,并揭示了其封锁名单。
这个新系统引入了两个严重的漏洞:
1️⃣ 降级攻击 (Degradation Attack): 我们提出了一种新型攻击方式,通过发送适量的精心构造的数据包,即可压垮审查设备,从而暂时性地降低GFW的审查效率。
2️⃣ 可用性攻击 (Availability Attack): 我们发现,任何人都可以利用GFW作为武器发动可用性攻击,从而借GFW之手,阻断中国与世界其他地区之间任意主机间的UDP通讯。
鉴于可用性攻击的严重性,我们遵循了“负责任的漏洞披露”原则,向中国国家互联网应急中心 (CNCERT) 及方滨兴本人通报了此漏洞。我们在论文中讨论了他们对此的反应。
为了保护用户,我们已经与行业领导者合作,包括 Mozilla (Firefox & Neqo)、quic-go 项目以及所有主要的基于QUIC的翻墙工具的开发者,共同设计并部署了有效的缓解措施。
论文中文版:
https://gfw.report/publications/usenixsecurity25/zh/
👍42🌚7🔥5❤2😁1