An Analysis of China’s “Great Cannon”

TitleAn Analysis of China’s “Great Cannon”
Publication TypeConference Paper
Year of Publication2015
AuthorsMarczak, B., Weaver N., Dalek J., Ensafi R., Fifield D., McKune S., Rey A., Scott-Railton J., Deibert R., & Paxson V.
Published inProceedings of the USENIX Workshop on Free and Open Communications on the Internet (FOCI)
Date Published08/2015

On March 16th, 2015, the Chinese censorship apparatus employed a new tool, the “Great Cannon”, to engineer a denial-of-service attack on, an organization dedicated to resisting China’s censorship. We present a technical analysis of the attack and what it reveals about the Great Cannon’s working, underscoring that in essence it constitutes a selective nation-state Man-in-the-Middle attack tool. Although sharing some code similarities and network locations with the Great Firewall, the Great Cannon is a distinct tool, designed to compromise foreign visitors to Chinese sites. We identify the Great Cannon’s operational behavior, localize it in the network topology, verify its distinctive side-channel, and attribute the system as likely operated by the Chinese government. We also discuss the substantial policy implications raised by its use, including the potential imposition on any user whose browser might visit (even inadvertently) a Chinese web site.


Special thanks to: Adam Senft (Citizen Lab) and Paul Pearce (UC Berkeley, ICSI). We wish to acknowledge GreatFire for making their logs available to us for analysis. We also express our deep gratitude to several individuals, anonymous or pseudonymous at their request, including “Jack B,” who aided us in understanding elements of the attack in the early days, and others whohelped us formulate and develop this report. This work is sponsored in part by The John D. and Catherine T. MacArthur Foundation, the Open Technology Fund’s Information Controls Fellowship Program, and the National Science Foundation grants NSF-1237265, NSF-1213157, and NSF-1223717. All opinions are those of the authors, not the funding institutions.

ICSI Research Group

Networking and Security