China's Firewall blocking behavior


Post by edepot on Thu Aug 19, 2010 3:36 pm

One of the frustrating things about the great China firewall is the way it is implemented. Apparently, it uses a behavioral carrot-and-stick approach for certain blocking policies. Here is an example of how it works:

When you are in http://www.google.com and search for sites, sometimes certain links show up in the results that are sites blocked by the firewall if you try to go there. Examples are blogspot.com, twitter.com, youtube.com, and facebook.com. The problem is, because the link will go through google.com before it reaches the actual blocked site, http://www.google.com will be blocked for a duration of time when you click on the blocked link within the google results page because that is where the source of the blocked site is from. Apparently, the ISP has a timer set for 1 minute 30 seconds that prevents you from going to http://www.google.com after you click on a blocked site link from http://www.google.com results page. For 1 minute 30 seconds, you can't do searches on http://www.google.com, you can't click on other links in the results pages that are not blocked because, again, the source of the blocked link came from google.com.

Apparently this distracts from productivity because obviously 1 minute 30 seconds of your life is wasted as the firewall shuts off all outgoing connections to http://www.google.com for your IP address each time you click on a blocked link. Sometimes you have to be careful and look at the search results page to make sure it is not one of the affected blocked sites, because if you accidentally click on one, you just lost 1 minute and 30 seconds of your time. So the only way you can prevent it is to know ahead of time what sites are blocked in the first place and there is no known list, so it seems like a random bad occurrence each time you do searches as it takes a LOT from productivity if each time you click on a link you hope you did not just lose another 1 minute 30 seconds of your time.

Why not just block the destination site and not block the source site with a 1 minute 30 seconds timer? Perhaps the "stick" from the carrot and stick is to prevent people from going to sites that link to the blocked sites, but http://www.google.com is a search engine so this is quite distracting.
edepot
Site Admin
 
Posts: 379
Joined: Sat Mar 01, 2008 9:26 pm

Re: China's Firewall blocking behavior

Post by edepot on Fri Sep 10, 2010 1:57 am

HTML injection. Here is the typical HTML injection code done by the ISP in China while browsing. Apparently, it is a frame set on top of the actual website you are visiting. In this case, while browsing google.com...

<html>
<body scroll='no' style='border:0;margin:0;padding:0;'>
<iframe src='http://www.google.com' width='100%' height='100%' frameborder='0'></iframe>
<iframe src='about:blank' frameborder='0' id='frmContent'></iframe>
<script>
try{
var win=window.frames[1];
var s=screen;
var ss="http://121.15.207.177:4022/logo.jpg?p="
+navigator.appMinorVersion+"|"+s.availHeight+"|"+s.availWidth+"|"+s.colorDepth+"|"+s.height+"|"+s.width;
win.location=ss;}
catch(e){
location.reload(true);}
_hInterval=window.setInterval('Check()', 500);
function Check(){
try{
var win=window.frames[0];
if(win.document.readyState!='complete'){return;}
window.clearInterval(_hInterval);
_hInterval=null;
var doc=win.document;
for(var i in doc.links){
if(doc.links[i].target=="")
{doc.links[i].target="_top";}}
for(var i in doc.forms){
if(doc.forms[i].target==""){doc.forms[i].target="_top";}}}
catch(e){}
}
window.setInterval('window.status=location.href', 200);
</script>
</body>
</html>
edepot
Site Admin
 
Posts: 379
Joined: Sat Mar 01, 2008 9:26 pm
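
Added example (not part of the original post, and not the poster's code): a Node.js check for the frame-wrapper pattern captured above, plus a decoder for the beacon's p= parameter as it would show up in a proxy log. SAMPLE is abridged from the post; the function names, the field labels and the test values are assumptions made for illustration.

```javascript
// Added example: heuristics for the ISP frame-wrapper shown in the post.
// SAMPLE is abridged from that post; function and field names are hypothetical.
const SAMPLE = `<html><body scroll='no' style='border:0;margin:0;padding:0;'>
<iframe src='http://www.google.com' width='100%' height='100%' frameborder='0'></iframe>
<iframe src='about:blank' frameborder='0' id='frmContent'></iframe>
<script>var win=window.frames[1];var s=screen;
var ss="http://121.15.207.177:4022/logo.jpg?p="
+navigator.appMinorVersion+"|"+s.availHeight+"|"+s.availWidth;
win.location=ss;</script></body></html>`;

// Order of the values the injected script joins with "|" in the p= parameter.
const BEACON_FIELDS = ['appMinorVersion', 'availHeight', 'availWidth',
                       'colorDepth', 'height', 'width'];

function inspectResponse(html, requestedUrl) {
  const want = new URL(requestedUrl).hostname;
  // 1. Does a full-height iframe point back at the site we asked for?
  const iframes = [...html.matchAll(/<iframe\b[^>]*>/gi)].map(m => m[0]);
  const wrapsRequestedSite = iframes.some(tag => {
    const src = /src\s*=\s*['"]([^'"]+)['"]/i.exec(tag);
    if (!src || !/height\s*=\s*['"]100%['"]/i.test(tag)) return false;
    try { return new URL(src[1]).hostname === want; } catch { return false; }
  });
  // 2. URLs in the markup whose host is a bare IPv4 address on an explicit port.
  const ipHosts = [...html.matchAll(/https?:\/\/(\d{1,3}(?:\.\d{1,3}){3}:\d+)/g)]
    .map(m => m[1]);
  // 3. Does the page read browser/screen properties (fingerprinting inputs)?
  const readsFingerprint = /navigator\.appMinorVersion|\bscreen\b/.test(html);
  return { wrapsRequestedSite, ipHosts, readsFingerprint,
           injected: wrapsRequestedSite && ipHosts.length > 0 };
}

// Decode a beacon URL as it would appear in a proxy log or packet capture.
function parseBeacon(url) {
  const u = new URL(url);
  const values = (u.searchParams.get('p') || '').split('|');
  if (values.length !== BEACON_FIELDS.length) return null; // not this beacon
  const fields = {};
  BEACON_FIELDS.forEach((name, i) => { fields[name] = values[i]; });
  return { host: u.host, fields };
}
```

The wrapper is only flagged when both signals are present: a full-height iframe reloading the requested site and a URL on a bare IP address with an explicit port.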

Re: China's Firewall blocking behavior

Post by edepot on Fri Sep 10, 2010 10:46 am

The IP in the HTML insertion can change as well.

121.15.207.177:4022
121.15.207.139:4022

Here is a WHOIS lookup on one of the IPs:


IP Information - 121.15.207.139

IP address: 121.15.207.139
Reverse DNS: [No reverse DNS entry per dns.guangzhou.gd.cn.]
Reverse DNS authenticity: [Unknown]
ASN: 4134
ASN Name: CHINANET-BACKBONE (No.31,Jin-rong Street)
IP range connectivity: 1
Registrar (per ASN): APNIC
Country (per IP registrar): CN [China]
Country Currency: CNY [China Yuan Renminbi]
Country IP Range: 121.8.0.0 to 121.15.255.255
Country fraud profile: Normal
City (per outside source): Guangzhou, Guangdong
Country (per outside source): CN [China]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 121.15.207.139

WHOIS - 121.15.207.139


Location: China [City: Guangzhou, Guangdong]

ARIN says that this IP belongs to APNIC; I'm looking it up there.

% [whois.apnic.net node-3]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 121.8.0.0 - 121.15.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
mnt-routes: MAINT-CHINANET-GD
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: **********@apnic.net 20060518
source: APNIC

route: 121.8.0.0/13
descr: From Guangdong Network of ChinaTelecom
origin: AS4134
mnt-by: MAINT-CHINANET
changed: ******@cndata.com 20060707
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: *********@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: ******@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC

person: IPMASTER CHINANET-GD
nic-hdl: IC83-AP
e-mail: *****@gddc.com.cn
address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
phone: +86-20-83877223
fax-no: +86-20-83877223
country: CN
changed: *****@gddc.com.cn 20040902
mnt-by: MAINT-CHINANET-GD
remarks: IPMASTER is not for spam complaint,please send spam complaint to *****@gddc.com.cn
source: APNIC
edepot
Site Admin
 
Posts: 379
Joined: Sat Mar 01, 2008 9:26 pm

