[LINK] How filters work (was Re: Possible Letter to Conroy (the

stephen at melbpc.org.au stephen at melbpc.org.au
Sat Mar 21 16:56:51 AEDT 2009


Stil comments on,

>> Eg, "(The filter) will apparently be a dedicated box rather than
>> simply filtering software. [snip] Also, if everything has to pass
>> through a single box, and that box gets attacked and goes down, you
>> can kiss your connection goodbye .."

Thanks, Stil .. your interesting and informative reply is appreciated. 

The above quote, regarding our government supplying a 'sealed' filter
box, rather than just a software filter, is a direct quote from the UK
Inquirer, apparently quoting:  www.banthisurl.com  For eg, "BanThisURL 
recently interviewed Matthew Strahan, a computer security professional 
with Securus Global, Examining Censorship in Australia".

I wondered about it at the time. ONE filter box? It would hardly appear
adequate for the job intended. Seems to me that one 'sealed' box, which
will be automatically updated per ISP, would be impossible to implement.

So, thanks for your technical input. I am wondering, if/when our gov do
supply presumably multiple 'sealed' boxes, do the router comments still
apply? If the boxes are 'sealed', can router tables supply a first cut?

However, thinking about this, a thousand sites blocked, out of millions
(billions?) of websites is indeed silly. Hence, it seems to me that the
current lists of filtered sites, might appear perhaps irrelevant to the
government's real purpose.

It may appear that a 'real' purpose for mandatory filtering systems may
be to establish secret ISP filtering mechanisms in order to block sites
that the government does not like in future. The current lists, in that
case, might seem irrelevant. The real purpose is simply the mechanisms?

One imagines most (all?) governments would love to be able to block any
website they didn't like. And so, pre-implementation filter-lists might
be irrelevant. In fact, it would be good if the pre-implementation list
DOES contain just dirt, and that it is leaked, simply to re-assure folk
as to the government's altruistic intentions in implementing mechanisms.

Or, is this being altogether too cynical?


> People often imagine that all Internet traffic has to pass through a  
> filter box for it to work. This is not the case. It's certainly the  
> simplest architecture, and may work for the smallest ISPs, but it
> doesn't scale well for the reasons outlined.
>
> There are two other approaches..
>
> 1. Assuming we're still looking at the core aim of filtering "the ACMA  
> blacklist" or something similar, i.e. a specific list of URLs... The  
> first cut can be by IP address, and it can be done in a router using 
> the routing table. The router doesn't have the URLs, just the IP  
> addresses associated with their domains. The small proportion of the  
> traffic intended for those IPs is routed to the filter box, where the  
> packets are opened up to look at the URLs to see whether they're  
> passed on or blocked.
>
> In this case, the majority of the traffic is routed as normal -- the  
> router always has to make a decision about where to send every packet  
> anyway -- but only a little bit of traffic is routed through a box  
> which does the harder work of analysis and decision-making. There can  
> be multiples of those boxes to spread the load.
>
> 2. Pass-by filtering is another technique, and this is what's used  
> within China by the Great Firewall. There's a diagram of one vendor's  
> device at
> www.business-concepts.co.uk/internet_filtering_8e6/8e6pass_by.jpg
>
> All traffic is routed normally. That traffic is monitored passively to  
> look out for banned content -- pretty much anything you want, like
> URLs, keywords, phrases, what have you. None of the traffic actually  
> passes through this magic box, so in high-traffic situations it's just  
> that the box can't necessarily keep up with monitoring everything.
> 
> If the magic box detects banned content, it notes the source and
> destination IP addresses (i.e. the addresses of each end of that
> connection) and fires at each of them three RST packets which are
> crafted to look like they came from the other end. These packets cause
> the connection to reset, i.e. "hang up".
>
> If you were watching this happen, say if you were even sending email 
> containing bad words like "democracy" and "freedom", then you'd just  
> see the connection suddenly fail, as if there'd been a network glitch.
>
> As I wrote in "The Great Firewall of China: how it works, how to bypass
> it" in August 2008...
> http://stilgherrian.com/politics/the-great-firewall-of-china-how-it-works-how-to-bypass-it/
> or http://is.gd/1aZG  (snip)


--

Cheers,
Stephen
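As an added illustration of the pass-by resets Stil describes above (this is not part of Stephen's post or of Stil's article), here is a small offline detector for injected RST packets: a middlebox that "hangs up" a flow must forge resets claiming to be from the other end, and those forgeries tend to arrive as a burst (three per end, per the quoted text) with an IP TTL unlike the genuine packets of the same flow. The packet trace, field names and thresholds are constructed assumptions, not any real capture tool's schema.

```python
from collections import defaultdict

# Constructed packet trace (addresses from RFC 5737 documentation ranges).
# Fields: t = seconds, src/dst = IP, flags = TCP flag letters, ttl = IP TTL.
TRACE = [
    {"t": 0.000, "src": "10.0.0.5", "dst": "203.0.113.7", "flags": "S", "ttl": 64},
    {"t": 0.040, "src": "203.0.113.7", "dst": "10.0.0.5", "flags": "SA", "ttl": 52},
    {"t": 0.041, "src": "10.0.0.5", "dst": "203.0.113.7", "flags": "A", "ttl": 64},
    {"t": 0.042, "src": "10.0.0.5", "dst": "203.0.113.7", "flags": "PA", "ttl": 64},
    # Injected resets: a burst towards each end; TTLs match neither real host.
    {"t": 0.050, "src": "203.0.113.7", "dst": "10.0.0.5", "flags": "R", "ttl": 61},
    {"t": 0.051, "src": "203.0.113.7", "dst": "10.0.0.5", "flags": "R", "ttl": 61},
    {"t": 0.052, "src": "203.0.113.7", "dst": "10.0.0.5", "flags": "R", "ttl": 61},
    {"t": 0.050, "src": "10.0.0.5", "dst": "203.0.113.7", "flags": "R", "ttl": 58},
    {"t": 0.051, "src": "10.0.0.5", "dst": "203.0.113.7", "flags": "R", "ttl": 58},
    {"t": 0.052, "src": "10.0.0.5", "dst": "203.0.113.7", "flags": "R", "ttl": 58},
    # Benign reset: a SYN to a closed port answered by one RST (no TTL baseline).
    {"t": 2.000, "src": "10.0.0.5", "dst": "198.51.100.9", "flags": "S", "ttl": 64},
    {"t": 2.030, "src": "198.51.100.9", "dst": "10.0.0.5", "flags": "RA", "ttl": 55},
]


def detect_injected_rst(packets, burst=3, window=0.1, ttl_slack=1):
    """Return one alert per (claimed src, dst) direction whose RSTs look forged.

    Evidence collected: the RST's TTL differs from non-RST packets already seen
    in that direction (ttl_mismatch), and/or `burst` or more RSTs arrive within
    `window` seconds (rst_burst). A lone RST with no baseline, such as a closed
    port replying to a SYN, yields no alert.
    """
    baseline = {}                   # direction -> TTL of first non-RST packet
    rst_times = defaultdict(list)   # direction -> timestamps of RST packets
    reasons = defaultdict(set)      # direction -> evidence labels
    for p in sorted(packets, key=lambda p: p["t"]):
        d = (p["src"], p["dst"])
        if "R" not in p["flags"]:
            baseline.setdefault(d, p["ttl"])
            continue
        if d in baseline and abs(p["ttl"] - baseline[d]) > ttl_slack:
            reasons[d].add("ttl_mismatch")
        rst_times[d].append(p["t"])
        recent = [t for t in rst_times[d] if p["t"] - t <= window]
        if len(recent) >= burst:
            reasons[d].add("rst_burst")
    return [{"claimed_src": s, "dst": t, "reasons": sorted(r)}
            for (s, t), r in reasons.items()]


if __name__ == "__main__":
    for alert in detect_injected_rst(TRACE):
        print(alert)
```

Both heuristics are approximate signals for an analyst to tune, not proof of injection on their own; on a real capture you would feed the same function from a packet parser instead of the constructed list.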
