notes

GET /s?src=8003&vendor=100101&source=ycnhp_{searchbutton&};q=%E6%B3%95%E8%BD%AE%E5%8A%9F HTTP/1.1 Host: www.yahoo.cn Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux x86₆₄) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.71 Chrome/28.0.1500.71 Safari/537.36 Referer: http://cn.yahoo.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: www_{yahoocnuserid}=435ec044647a32f9f521a68027630771; BX=4t02tq991o4uu&b=3&s=nu

%E6%B3%95%E8%BD%AE%E5%8A%9F turns out to be: 法轮功 which is: Falun Gong which is the same thing that the paper mentioned being filtered out

These are the three reset packets that are just like they describe in the paper

GET /s?src=8003&vendor=100101&source=ycnhp_{searchbutton&};q=%E9%85%B8%E8%BE%A3%E6%B1%A4 HTTP/1.1 Host: www.yahoo.cn Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux x86₆₄) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.71 Chrome/28.0.1500.71 Safari/537.36 Referer: http://cn.yahoo.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: www_{yahoocnuserid}=435ec044647a32f9f521a68027630771; BX=4t02tq991o4uu&b=3&s=nu

Homework #2

In this pcap file (along with a bunch of uninteresting traffic) we can see the computer with the ip address 64.106.46.53 go to cn.yahoo.com and search for 法轮功 (Falun Gong). We then see the Great Firewall of China in action; We see three reset packets sent to 64.106.46.53 almost exactly as described in ¹.

The first interesting packet is number 1712 in which we see the following GET request: GET /s?src=8003&vendor=100101&source=ycnhp_{searchbutton&};q=%E6%B3%95%E8%BD%AE%E5%8A%9F. The command: printf "\xE6\xB3\x95\xE8\xBD\xAE\xE5\x8A\x9F\n" yields: 法轮功 which translates to Falun Gong which is the same keyword the authors of ¹ use in their query. The packets 1717 through 1719 are all reset packets that appear to originate from cn.yahoo.com but they have unusually high TTL fields (160, 161, and 162 respectively) which is significantly higher that any of the other packets received from that host which (along with some other details that cannot be crammed into this small turn-in) indicate that the reset packets were forged by the firewall in the interests of censorship.

Footnotes: