According to the report titled “Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China,” Beijing’s Great Firewall (GFW) has a “critical flaw” that makes it less effective at regulating traffic loads. The upgrades have not gone as planned. China’s efforts to restrict a particular category of internet traffic have exposed the government to danger and made it open to assault.
The research paper further shows how this censorship mechanism can be used as a weapon to stop UDP traffic between any host in China and those in other countries. Researchers from the University of Massachusetts Amherst, activist group Great Firewall Report, Stanford University and University of Colorado Boulder worked together with different open-source communities to incorporate QUIC-based circumvention techniques into all of the main QUIC-based tools, Mozilla Firefox, and the quic-go library.
“We [..] demonstrate that this censorship mechanism can be weaponised to block UDP traffic between arbitrary hosts in China and the rest of the world. We collaborate with various open-source communities to integrate circumvention strategies into Mozilla Firefox, the quic-go library, and all major QUIC-based circumvention tools,” the paper stated.
The alleged “vulnerabilities” are caused by China’s efforts to block Quick UDP Internet Connections (QUIC), a transport layer network protocol that is intended to take the place of Transmission Control Protocol (TCP) due to its inherent security, adaptability, and reduced performance problems.
QUIC was created in 2012 by Google employees, and at least 10% of websites use the protocol, including many Google and Meta websites. Blocking QUIC connections appears to be an extension of the GFW’s blocking of both of these organisations, though researchers point out that not all QUIC traffic is successfully blocked.
Attacks could prevent all open or root DNS resolvers outside of China from being accessed from within the state due to the vulnerability of the mechanism used to block QUIC connections, leading to widespread DNS failures.
“Defending against this attack while still censoring is difficult due to the stateless nature and ease of spoofing UDP packets. Careful engineering will be needed to allow censors to apply targeted blocks in QUIC, while simultaneously preventing availability attacks,” the paper concluded.