China Blocking VPNs and Google

On Saturday, November 10th 2012, several news websites, including Yahoo and TechInAsia, announced that the Chinese government had blocked access to all of Google’s online services, including the Google Search Engine, Gmail, Google Analytics, Google Docs, Google Drive, Google Maps and Google Play. In addition, a number of VPN providers began receiving notifications from their customers that they were no longer able to connect to internationally based VPN servers from within mainland China.

Through additional testing it became apparent that websites belonging to Facebook, Twitter, parts of Wikipedia and parts of Yahoo were also being blocked using DNS Poisoning. DNS Poisoning allows a firewall (or Internet provider) to inject invalid DNS entries into its DNS resolvers in order to null route or black hole traffic, essentially making the websites and services inaccessible. As of Monday, November 19th, these websites remain blocked.

VPN providers are experiencing a number of different types of Chinese blocks including:

IP Blocks – IP addresses belonging to some VPN providers are being blocked by China’s perimeter firewalls. Several IPs are being null routed to non-existent systems within China. This effectively breaks the “route” between the client and the server.

DNS Blocks – A number of providers who utilize DNS based resolution for their VPN services are experiencing blocks caused by DNS Poisoning.

Connection Reset – Connections to VPN services (e.g. SSL VPN, PPTP, IPSEC, L2TP) experience a “Connection Reset” while attempting to negotiate a link. This is likely caused by Deep Packet Inspection (DPI) systems and/or Intrusion Detection Systems (IDS) carrying out content inspection and blocking VPN traffic based on signatures and/or protocol detection. Most commercial and open source VPN technologies utilize a standard protocol, port and signature, so they are easily blocked.

TLS-AUTH, TLS-REMOTE Blocking – Several VPN services have customers experiencing connection failures during the Transport Layer Security (TLS) authentication validation process. Many VPN services use a TLS-AUTH or TLS-REMOTE
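The block types listed above show up as different client-side symptoms, so a provider's support desk can triage a failing endpoint by which stage breaks. The following Python sketch is an added example, not code from the original post; it assumes a generic TLS-based endpoint, a list of known-good addresses obtained out of band, and the constructed names `vpn.example.net` and `198.51.100.7`.

```python
import socket
import ssl

def classify_failure(exc):
    """Map a socket-level error to one of the block types listed above."""
    if isinstance(exc, socket.gaierror):
        return "dns-block"              # name does not resolve at all
    if isinstance(exc, ConnectionResetError):
        return "connection-reset"       # RST during negotiation, typical of DPI/IDS
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failure"  # failure inside TLS authentication
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "ip-block"               # packets silently dropped (null route)
    return "unknown"

def system_resolve(host):
    """Ask the local (possibly poisoned) resolver for the host's addresses."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def tls_connect(ip, port, host, timeout=5.0):
    """Open TCP to ip:port and complete a TLS handshake for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host):
            pass

def diagnose(host, port, known_good_ips, resolve=system_resolve, connect=tls_connect):
    """Return 'ok' or the most likely block type for one endpoint."""
    try:
        answers = set(resolve(host))
    except OSError as exc:
        return classify_failure(exc)
    usable = answers & set(known_good_ips)
    # A poisoned resolver still answers, but with addresses the provider never published.
    if not usable:
        return "dns-block"
    result = "unknown"
    for ip in sorted(usable):
        try:
            connect(ip, port, host)
            return "ok"
        except OSError as exc:
            result = classify_failure(exc)
    return result

if __name__ == "__main__":
    # Constructed offline demo: fake resolver and a connector that always resets.
    def reset(ip, port, host):
        raise ConnectionResetError("reset by peer")
    print(diagnose("vpn.example.net", 443, {"198.51.100.7"},
                   resolve=lambda h: {"198.51.100.7"}, connect=reset))
```

The labels are the most likely cause only: a timeout or reset can also come from an ordinary outage, so the result should be compared against the same probe run from a network outside the affected region.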


Sorry for the lack of recent blog posts. Work has been exceptionally busy and I’ve had little time to post information about projects, articles and news.

I have upgraded the blog’s back office and will begin regular posts again this month!

In the meantime, check out Aorta’s website at

Thai Cyber Law Compliance

I often receive questions from customers and partners regarding Thai Cyber Law Compliance.

Thailand’s Computer Crime Act of 2007 requires any company or organization that provides Internet access to their employees, customers or visitors (that includes hotels providing broadband to their guests and staff) to retain certain header information for various types of internet activity (email, web surfing, instant messenger chat, FTP downloads) for 90 days as well as maintain a log of the users’ identities. Thailand’s full Computer Crimes Act (B.E. 2550 / 2007) is available in English here.

Thailand has a history of media censorship, including printed news, TV, videos (DVD, VHS) and satellite TV, and has taken a number of steps to address Internet censorship in the past five years. The Thai Computer Crime Act is a component of this in providing Internet access history, records and tracking capabilities at end user sites.

There are a number of open source based Internet firewall solutions which include authentication and logging capabilities, such as Untangle, IPCop and Smoothwall.

A number of schools and organizations in Bangkok and Chiang Mai have been investigated by the Thai Police (Section 5) for failing to meet the compliance requirements, so Thai-based organizations should take the laws seriously.

PuTTY 0.61 Released

PuTTY 0.61 is out, after over four years, with new features, bug fixes, and compatibility updates for Windows 7 and various SSH server software.

Features new in beta 0.61 (released 2011-07-12) include:

  • Kerberos/GSSAPI authentication in SSH-2.
  • Local X11 authorisation support on Windows. (Unix already had it, of course.)
  • Support for non-fixed-width fonts on Windows.
  • GTK 2 support on Unix.
  • Specifying the logical host name independently of the physical network address to connect to.
  • Crypto and flow control optimisations.
  • Support for the zlib@openssh.com SSH-2 compression method.
  • Support for new Windows 7 UI features: Aero resizing and jump lists.
  • Support for OpenSSH AES-encrypted private key files in PuTTYgen.
  • Bug fix: handles OpenSSH private keys with primes in either order.
  • Bug fix: corruption of port forwarding is fixed (we think).
  • Bug fix: various crashes and hangs when exiting on failure.
  • Bug fix: hang in the serial back end on Windows.
  • Bug fix: Windows clipboard is now read asynchronously, in case of deadlock due to the clipboard owner being at the far end of the same PuTTY’s network connection (either via X forwarding or via tunnelled rdesktop).

The stand-alone executable can be downloaded from the snapshot store here and the full package (which includes pscp, plink, psftp, pageant, etc.) here. As always, I recommend verifying the checksums using the MD5 list available here.