”,[5] regardless of actual destination server) by injecting a series of forged TCP Reset (RST) packets that tell both the requester and the destination to stop communicating (INJECT RST in Figure 1).[6] On-path systems have architectural advantages for censorship, but are less flexible and stealthy than in-path systems as attack tools, because while they can inject additional packets, they cannot prevent in-flight packets (packets that have already been sent) from reaching their destination.[7] Thus, one generally can identify the presence of an on-path system by observing anomalies resulting from the presence of both injected and legitimate traffic.[8]
Normally, a firewall is a barrier placed on the link between two networks: all traffic between the networks must pass through the firewall. An on-path system like China's GFW is the opposite: it listens to the communications between China and the rest of the world (TAP in Figure 1), and then blocks requests for forbidden content by injecting forged TCP RST packets (for example, a request for “http://www.google.com/?falun” [5], regardless of where the destination server is); the TCP RST packets tell the source and the destination of the request to stop communicating (INJECT RST in Figure 1) [6]. On-path systems are architecturally well suited to censorship, but as attack tools they are less stable and more easily exposed than in-path systems (such as firewalls), because while an on-path system can inject additional packets into the traffic, it cannot stop packets that have already been sent from reaching their destination. [7] Therefore, one can determine the presence of an on-path system by observing the differences between legitimate traffic and injected traffic. [8]
The GFW keeps track of connections and reassembles the packets (“TCP bytestream reassembly”) to determine if it should block traffic. This reassembly process requires additional computational resources, as opposed to considering each packet in isolation, but allows better accuracy in blocking. While a web request often fits within a single packet, web replies may be split across several packets, and the GFW needs to reassemble these packets to understand whether a web reply contains banned content.
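To make the two mechanisms above concrete (an on-path injector leaving both its forged RST and the genuine traffic on the wire, and bytestream reassembly before content matching), here is an added Python example. It is not code from the report this page translates or from any real censorship system. It models a passive observer at a tap: it reassembles each direction of a TCP connection from possibly out-of-order segments, matches keywords over the reassembled stream (so a term split across segments is still found), and records two textbook signs of an injected reset: a RST whose TTL matches none the endpoint's genuine packets carried, and data from that endpoint continuing after the RST. The addresses, sequence numbers, TTLs and payloads are constructed, and the TTL check is an assumed observer heuristic, not a description of the GFW's own logic.

```python
"""Passive flow monitor: TCP bytestream reassembly plus injected-RST heuristics.

Added example for this page; the addresses, sequence numbers, TTLs and payloads
are constructed, and the TTL heuristic is an assumed observer check, not the
logic of any real on-path system.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    seq: int            # sequence number of the first payload byte
    ttl: int            # IP TTL as seen at the tap
    rst: bool = False
    payload: bytes = b""


@dataclass
class Direction:
    """Reassembly state for one direction (src -> dst) of a connection."""
    isn: Optional[int] = None                               # seq of first non-RST segment
    chunks: Dict[int, bytes] = field(default_factory=dict)  # seq -> payload
    ttls: Set[int] = field(default_factory=set)             # TTLs seen on genuine packets
    rst_seen: bool = False


def reassemble(chunks: Dict[int, bytes], isn: int) -> bytes:
    """Stitch contiguous segments from isn upward and stop at the first gap.
    Arrival order does not matter because segments are looked up by seq."""
    out = bytearray()
    nxt = isn
    while nxt in chunks:
        out += chunks[nxt]
        nxt += len(chunks[nxt])
    return bytes(out)


class FlowMonitor:
    """Observes segments from a tap, reassembles each direction's bytestream,
    and records evidence of on-path RST injection."""

    def __init__(self) -> None:
        self.dirs: Dict[Tuple[str, str], Direction] = {}
        self.anomalies: List[str] = []

    def observe(self, seg: Segment) -> None:
        d = self.dirs.setdefault((seg.src, seg.dst), Direction())
        who = f"{seg.src}->{seg.dst}"
        if seg.rst:
            # Heuristic 1: a reset whose TTL matches none of the TTLs this
            # endpoint's genuine packets carried probably came from elsewhere.
            if d.ttls and seg.ttl not in d.ttls:
                self.anomalies.append(
                    f"rst-ttl-mismatch {who} ttl={seg.ttl} expected={sorted(d.ttls)}")
            d.rst_seen = True
            return
        if d.isn is None:
            d.isn = seg.seq
        d.ttls.add(seg.ttl)
        # Heuristic 2: an endpoint that really sent a RST has torn the
        # connection down; further data from it means the RST was forged.
        if d.rst_seen:
            self.anomalies.append(f"data-after-rst {who} seq={seg.seq}")
        if seg.payload:
            d.chunks[seg.seq] = seg.payload

    def stream(self, src: str, dst: str) -> bytes:
        d = self.dirs.get((src, dst))
        if d is None or d.isn is None:
            return b""
        return reassemble(d.chunks, d.isn)


def find_keywords(stream: bytes, keywords: Iterable[bytes]) -> List[bytes]:
    """Match keywords over the reassembled stream, so a term split across
    segments (below: 'fal' + 'un') is still found."""
    return [k for k in keywords if k in stream]


def run_demo() -> Tuple[List[str], bytes, List[bytes]]:
    client, server = "10.0.0.5", "203.0.113.10"        # constructed addresses
    mon = FlowMonitor()
    # Client request fits in one segment; genuine TTL 64.
    mon.observe(Segment(client, server, 1000, 64, payload=b"GET /?falun HTTP/1.1\r\n\r\n"))
    # Server reply split across three segments; genuine TTL 54.
    c1, c2, c3 = b"HTTP/1.1 200 OK\r\n\r\n", b"<html>fal", b"un</html>"
    mon.observe(Segment(server, client, 5000, 54, payload=c1))
    # Forged RST claiming to come from the server, TTL 47 (constructed injector hop count).
    mon.observe(Segment(server, client, 5000 + len(c1), 47, rst=True))
    # The server's in-flight data still arrives, out of order (c3 before c2).
    mon.observe(Segment(server, client, 5000 + len(c1) + len(c2), 54, payload=c3))
    mon.observe(Segment(server, client, 5000 + len(c1), 54, payload=c2))
    reply = mon.stream(server, client)
    hits = find_keywords(reply, [b"falun", b"tibet"])
    return mon.anomalies, reply, hits


if __name__ == "__main__":
    anomalies, reply, hits = run_demo()
    print(reply.decode())
    print("keyword hits:", hits)
    for a in anomalies:
        print("anomaly:", a)
```

Running the demo reconstructs the full reply even though its segments arrived out of order and the keyword straddles a segment boundary, and it records three anomalies: the forged RST's TTL mismatch, and two data segments from the server after it supposedly reset the connection. The second heuristic is exactly the trace the text describes: an on-path injector cannot recall the packets already in flight, so genuine and injected traffic coexist on the wire.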