China Blocking VPNs and Google

On Saturday, November 10th 2012, several news websites including Yahoo and TechInAsia announced that the Chinese government had blocked access to all of Google’s online services, including the Google Search Engine, Gmail, Google Analytics, Google Docs, Google Drive, Google Maps and Google Play. In addition, a number of VPN providers began receiving notifications from their customers that they were no longer able to connect to internationally based VPN servers from within mainland China.

Through additional testing it became apparent that websites belonging to Facebook, Twitter, parts of Wikipedia and parts of Yahoo were also being blocked using DNS Poisoning. DNS Poisoning allows a firewall (or Internet provider) to inject invalid DNS entries into the answers its resolvers return, so that the affected names resolve to addresses that null route or black hole the traffic, essentially making the websites and services inaccessible. As of Monday, November 19th these websites remain blocked.
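As an added illustration (not part of the original article), the following Python script parses raw DNS responses and flags any resolver whose answer for a name is empty or contains an address that a reference resolver, reached over a path the filter does not touch, never returned; this cross-resolver comparison is the usual way to confirm poisoning. The DNS messages, addresses and resolver labels are constructed for the example.

```python
import socket, struct

def _read_name(data, off):
    # Return the offset just past a name, following RFC 1035 compression pointers.
    end = None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # two-byte pointer into the message
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return off + 1 if end is None else end
        else:
            off += 1 + length

def parse_a_records(resp):
    # Return the IPv4 addresses in the answer section of a raw DNS response.
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _read_name(resp, off) + 4            # skip QNAME, QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def flag_poisoned(responses, reference):
    # responses: {resolver_label: raw_bytes}; reference: a resolver reached over a path the
    # filter does not touch. Flag others whose answer is empty or not a subset of the reference's.
    good = set(parse_a_records(responses[reference]))
    flagged = {}
    for label, raw in responses.items():
        addrs = parse_a_records(raw)
        if label != reference and (not addrs or not set(addrs) <= good):
            flagged[label] = addrs
    return flagged

def build_response(name, addrs):
    # Constructed sample message (not captured traffic) so the check runs offline.
    q = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00\x00\x01\x00\x01"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    rr = struct.pack("!HHIH", 1, 1, 300, 4)        # type A, class IN, TTL 300, 4-byte RDATA
    return hdr + q + b"".join(b"\xc0\x0c" + rr + socket.inet_aton(a) for a in addrs)

SAMPLES = {"reference": build_response("www.example.com", ["203.0.113.10"]),  # constructed
           "local": build_response("www.example.com", ["192.0.2.1"])}         # injected answer
```

Running `flag_poisoned(SAMPLES, "reference")` reports the local resolver together with the address it substituted.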

VPN providers are experiencing a number of different types of Chinese blocks including:

IP Blocks – IP addresses belonging to some VPN providers are being blocked by China’s perimeter firewalls. Several IPs are being null routed to non-existent systems within China. This effectively breaks the “route” between the client and the server.

DNS Blocks – A number of providers who rely on DNS-based hostname resolution for their VPN services are experiencing blocks caused by DNS Poisoning.

Connection Reset – Connections to VPN services (e.g. SSL VPN, PPTP, IPSEC, L2TP) experience a “Connection Reset” while attempting to negotiate a link. This is likely caused by Deep Packet Inspection (DPI) systems and/or Intrusion Detection Systems (IDS) carrying out content inspection and blocking VPN traffic based on signatures and/or protocol detection. Most commercial and open source VPN technologies use a standard protocol, port and signature, so they are easily blocked.

TLS-AUTH, TLS-REMOTE Blocking – Several VPN services have customers experiencing connection failures during the Transport Layer Security (TLS) authentication validation process. Many VPN services use a TLS-AUTH or TLS-REMOTE