防外线
Why can’t Chinese people use Twitter or Facebook
Why can’t Chinese people use Twitter or Facebook when foreigners can use Chinese social media platforms? We are just adding an extra channel to share information and communicate with people in other countries.
– Hua Chunying, 22 FEBRUARY 2021
It sounds hilarious to be questioned by our foreign minister, Ms. Hua Chunying, why Chinese people cannot use Twitter or Facebook.
Why?
Let me answer you, Ms. Hua: because the Chinese government (under the CCP) deliberately set up a NetWall, preventing Chinese people from accessing Twitter or Facebook at multiple network layers, including DNS, TCP and IP.
Does she know the answer but pretend not to, or is she not aware of it at all? Today, I suspect the latter.
Because she is probably using 防外线 (literally Defense Outside Line), or 绿线 (Green Line).
Translation
The term Green Line is simple; there is no ambiguity.
But for ‘防外线’, I have to explain character by character.
- 防, read fang, means anti, defense or protect.
- 外, read wai, means outside, foreign or external.
- 线, read xian, means line or thread.
Keep it a secret
Yes, that’s right. It’s called anti-external line… There is no such thing as a whitelist, and there is no such thing as a VIP IP. It’s just that the anti-external line does not pass through GFW, and it bypasses it. It’s not the so-called whitelist in GFW. It’s very strict to use this line, and only people who are very politically correct can use it… (they use) Kitten (modem) dial-up.
– Anonymous, 2009-8-4
From what I’ve tested below, I guess these comrades have special PPPoE accounts.
By taking advantage of the loophole that GFW thinks it is in the dark when scouting targets and does not take any protective measures, we conducted a phishing experiment and obtained a moderate amount of data for analysis. We confirmed the close relationship between the net.china.cn reporting platform and GFW in terms of workflow, and discovered reporting verification that may have come from Golden Shield, as well as the rumor that Golden Shield uses “anti-external line” and is not affected by GFW.
– gfwrev, NOV 2, 2009
We have a good citizen in the comments.
These materials can form a consistent explanation: In order to adapt to the different link specifications of different ISPs, GFW’s own exchange center needs to integrate different links, and different ISPs lead out bypass access to GFW. The lines that are not connected to GFW are called “anti-external lines” [source is unreliable] and are not affected by GFW. The access line type should mainly be optical fiber lines, so this access method is usually called splitting. This is “bypass splitting.”
– gfwrev, FEB 18, 2010
I don’t know why the heck this sentence carries an unreliable-source notation; it looks like it was copy-pasted from Chinese Wikipedia. But gfwrev itself has already been referenced many times on Chinese Wikipedia. A circular reference?
Very simple. If the APEC News Center has no firewall, it will use a dedicated IP, which is the anti-external line in the picture. If you know the IP of the anti-external line, you can know the privileged people in China who usually use these IPs. You can do a human flesh search and also fight against GFW.
– suoluo, 10 Nov 2014
Apparently the well-trained listener has no interest in his idea!
By ‘the picture’, he means the Topology of GFW by gfwrev. Notably, the Anti-external Line (防外线) in this picture was not translated. Confidential information about national security?
Ordinary online commentators (wumao) should not be able to enjoy the treatment of “dedicated channel” (technically called “protection from external lines”). Perhaps only online commentators of a certain level can enjoy such treatment.
– ProgramThink, 2015-01-07
Oh god, even at Hu Xijin’s level the treatment is still not granted; he often complains on Sina Weibo about VPN throttling.
Do the fart people have no other options but to be slaughtered? No. The webmasters behind the firewall can unite and find those special IPs from the mainland. These IPs have fast download speeds and are not interfered with by the firewall (anti-external lines). The webmasters can collect them for a long time and block these IPs, so that these staff can also have a taste of looking for agents everywhere to check the content of the website.
– est, 2015-02-27
This is one post about the green line on Livid’s forum in 2015; I don’t even want to mention this castrated forum. I’ll write another post about this forum and its Chinese owner someday.
You said that this matter (GFW) is now well known. It is not well known. It is well known to the people below, but we still have to keep it confidential to the people above.
– Fang Binxing, 2016-06-15
The author wrote, “Do Not Repost or Discuss Publicly.” What a well-trained Chinese student!
There’s a Chinese idiom for you, Fang Bing Chink: deceiving those above and concealing from those below.
This restriction can be exempted from the beginning. Internally, it is called the “green line” or the “outer defense line”, and the Ministry of Public Security and the Ministry of Industry and Information Technology can approve it. However, because the procedures are more ostentatious, many departments and units that have the qualifications to apply for it do not apply, and the leaders are afraid of being held responsible if something goes wrong. Therefore, no one uses it, and privately they still use the same method of “running dog holes”.
– httperror400, Sep 3, 2024
In conclusion, Chinese people love their dictatorship and are well trained against being incited to subvert anything. The “very few people” (as CCTV put it in 1989) can never achieve their evil purpose (不会得逞).
Bidirectional injecting
The Great Firewall is not actually a firewall, but an injector spreading misinformation, including:
- false DNS response
- false TCP reset packet
- false BGP announcements
One of its special features is bidirectional injection: not only the outbound traffic the censor wants to control, but also inbound traffic passing through the nation can trigger the injection.
Saudi Arabia’s censoring injector has the same feature: an HTTP GET with a prohibited Host header, sent from outside the country to any target IP inside the country, still triggers an injection. Take 134.239.12.134 (www.moh.gov.sa) as an example, executed from a virtual machine in the United States.
$ curl -v 134.239.12.134 -H "Host: www.pornhub.com"
* Trying 134.239.12.134:80...
* Connected to 134.239.12.134 (134.239.12.134) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: www.pornhub.com
> User-Agent: curl/8.13.0-rc2
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 503 Service Unavailable
< Content-Type: text/html; charset=UTF-8
< Content-Length: 6806
[truncated]
<body>
<div id="content" class="container">
<img src="data:image/png;base64,[truncated]" alt="Error">
<h1>Web Page Blocked</h1>
<p>The web page you are trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is an error.</p>
<div class="response">
<p><b>User:</b> 11.45.1.4</p>
<p><b>URL:</b> www.pornhub.com/</p>
<p><b>Category:</b> adult</p>
</div>
</div>
</body>
</html>
* shutting down connection #0
With the Great Firewall of China, the block-page HTML is replaced by nothing more than a malformed TCP reset packet.
$ curl --verbose 203.208.43.66 -H "Host: twitter.com"
* Trying 203.208.43.66:80...
* Connected to 203.208.43.66 (203.208.43.66) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: twitter.com
> User-Agent: curl/8.13.0-rc2
> Accept: */*
>
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer
The same goes for DNS, but DNS injection is stateless, since DNS over UDP (the default transport) is stateless: the injector doesn’t have to wait for any handshake to complete, nor for the server’s response.
To trigger DNS injection, the target IP doesn’t even have to be a real DNS server.
I don’t know about the BGP, though.
Walless IPs
These were published by the site owner of xjp.rip on his Telegram channel. His site is already blocked; however, Chinese IPs still visit it every day, as shown in Cloudflare’s logs. He calls them Xi VPN, referencing the famous honeypot Wang VPN.
- 2408:860a:d001:53:f2d1:2fcc:a801:aa81
- 2409:8900:fffd:8efe:50c9:f4d0:6e0c:e309
- 2409:8900:fffe:9f6:489:b9ff:fe7c:9d09
GeoIP resolved by nali:
2408:860a:d001:53:f2d1:2fcc:a801:aa81 [中国 北京市 中国联通政企专线]
2409:8900:fffd:8efe:50c9:f4d0:6e0c:e309 [中国 北京市 中国移动CMNET网络]
2409:8900:fffe:9f6:489:b9ff:fe7c:9d09 [中国 北京市 中国移动CMNET网络]
“中国联通政企专线” is literally China Unicom Government and Enterprise Dedicated Line.
First, send a DNS query for dw.com (probably the shortest blocked domain) to the first one.
$ dig @2408:860a:d001:53:f2d1:2fcc:a801:aa81 dw.com
;; communications error to 2408:860a:d001:53:f2d1:2fcc:a801:aa81#53: timed out
;; communications error to 2408:860a:d001:53:f2d1:2fcc:a801:aa81#53: timed out
;; communications error to 2408:860a:d001:53:f2d1:2fcc:a801:aa81#53: timed out
; <<>> DiG 9.20.7-1-Debian <<>> @2408:860a:d001:53:f2d1:2fcc:a801:aa81 dw.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached
By shortening the address (reducing the suffix) and repeating the query, I get the following IPv6 prefixes that aren’t affected by DNS injection.
- 2408:860a:d001::/48
- 2409:8900:fffd::/48
- 2409:8900:fffe::/48
Note that changing the prefix just a bit is enough to trigger injection, for example:
$ dig @2408:860a:d002:: dw.com +short
128.121.243.107
$ dig @2408:860a:d002:: dw.com +short
199.59.149.203
$ dig @2409:8900:ffff:: dw.com +short
69.63.184.14
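The address-shortening procedure above, as an added example that is not the author’s tooling: the probe sends a hand-built DNS query for dw.com and treats any reply as injection (the targets are not DNS servers, so no genuine answer can arrive, exactly like the dig timeout versus the forged A records), and the prefix walk shortens the seed address one bit at a time until the probe trips. `SIMULATED_CLEAN` and `simulated_injector` are constructed stand-ins so the walk can be checked offline, and all function names are mine.

```python
import ipaddress
import socket
import struct
from typing import Callable

# Constructed stand-in for offline use: pretend exactly one /48 is clean.
SIMULATED_CLEAN = ipaddress.IPv6Network("2408:860a:d001::/48")

def simulated_injector(target: str) -> bool:
    """Stand-in for the GFW: 'injects' for every address outside the clean /48."""
    return ipaddress.IPv6Address(target) not in SIMULATED_CLEAN

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query: 12-byte header (RD set, one question), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + qname_wire + b"\x00" + struct.pack("!HH", 1, 1)

def probe_injection(target: str, qname: str = "dw.com", timeout: float = 2.0) -> bool:
    """Send one query to `target` (not a DNS server) and report whether anything came back.
    A timeout means the path is clean; any reply can only have come from an injector."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_dns_query(qname), (target, 53))
        try:
            sock.recvfrom(512)
            return True
        except socket.timeout:
            return False

def find_clean_prefix(seed: str, is_injected: Callable[[str], bool],
                      floor: int = 32) -> ipaddress.IPv6Network:
    """Shorten the seed one bit at a time, probing the network address of each
    candidate prefix, and return the shortest prefix whose probe stayed clean.
    One probe per length: a lower bound on the clean range, not proof of it."""
    addr = int(ipaddress.IPv6Address(seed))
    if is_injected(seed):
        raise ValueError(f"{seed} itself is injected; not a green line")
    clean = ipaddress.IPv6Network((addr, 128))
    for plen in range(127, floor - 1, -1):
        candidate = ipaddress.IPv6Network((addr, plen), strict=False)
        if is_injected(str(candidate.network_address)):
            break  # one bit shorter already trips the injector
        clean = candidate
    return clean
```

Against the live network, pass `probe_injection` as `is_injected`; against `simulated_injector`, the seed 2408:860a:d001:53:f2d1:2fcc:a801:aa81 yields 2408:860a:d001::/48.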
Next, use traceroute or MTR to check the routes to the different prefixes. I can see these prefixes are quite special. Check the JSON output of MTR on codeberg.org/karasawa/greenline.
For the Government and Enterprise Dedicated Line, the route from my virtual machine is much shorter than to its neighbor prefixes: only 6 hops, against about 10 hops for the others.
For 2409:8900, the two green lines seem to share a dedicated inbound route through 2001:470:0:5d5::2 (cmi-int-as-as58807.port-channel5.switch7.lax2.he.net).
Usage
There are multiple ways I can think of to play with this.
Scanning
How many /48s does China have?
I was trying to calculate it from all the IPv6 prefixes of AS4808 and AS56048, which the above green lines belong to. But look, the Hurricane Electric BGP tool already makes the 3 prefixes stand out.
I suppose that if these prefixes have special routes, they look different and unfamiliar, and stand out to an observer like HE.
But, disappointingly, I cannot find any other green line in these /48s, even in the prefixes of the Development & Research Center of the State Council Net (国务院发展研究中心). The procedure is manual checking for now; it can be automated in the future.
IP spoofing
Well, it cannot unblock any site and is risky.
Counter-blocking
Block the wumaos back! The biggest challenge is over-blocking: it’s uncertain how long these prefixes will keep their privileged whitelist routes. But the 3 published addresses were found 1 year ago, so it can be very long; as far as I know, it’s longer than most DHCP leases. Bloggers and helping companies can block them safely.
Next
More details are needed. Did Fang Bin Chink mention such a whitelist route setup in any prototype system? How is it implemented? Is Hua Chunying using this green line?