A nation-scale firewall, colloquially referred to as the “Great Firewall of China,” implements many different types of censorship and content filtering to control China’s Internet traffic. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been characterized because it is infeasible to find a large and geographically diverse set of clients in China from which to test connectivity. In this paper, we overcome this challenge by using a hybrid idle scan technique that is able to measure connectivity between a remote client and an arbitrary server, neither of which are under the control of the researcher performing measurements. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel’s SYN backlog. We show that both techniques are practical by measuring the reachability of the Tor network which is known to be blocked in China. Our measurements reveal that failures in the firewall occur throughout the entire country without any conspicuous geographical patterns.We give some evidence that routing plays a role, but other factors (such as how the GFW maintains its list of IP/port pairs to block) may also be important.
 Linux kernel source tree. http://git.kernel. org/cgit/linux/kernel/git/torvalds/linux.git/ tree/net/ipv4/inet_connection_sock.c?h= 4d0fa8a0f01272d4de33704f20303dcecdb55df1#n562.
 tcp(7) - Linux man page. http://linux.die.net/man/7/tcp.
 Extensive Analysis and Large-Scale Empirical Evaluation of Tor Bridge Discovery. In INFOCOM Orlando FL USA 2012. IEEE.
 Alexa. Alexa top sites in China. http://www.alexa.com/ topsites/countries/CN.
 C. Anderson P. Winter and Roya. Global censorship detection over the RIPE Atlas network. In Free and Open Communications on the Internet. USENIX 2014.
 Anonymous. Towards a comprehensive picture of the Great Firewall’s DNS censorship. In Free and Open Communications on the Internet. USENIX 2014.
 Antirez. new TCP scan method 1998.
 W. Chen Y. Huang B. F. Ribeiro K. Suh H. Zhang E. de Souza e Silva J. Kurose and D. Towsley. Exploiting the IPID field to infer network path and end-system characteristics. In Passive and Active Network Measurement. Springer 2005.
 China internet and mobile phone users. Available at http: //www.procurasia.com/china-industrial-sourcing/chinastatistics- corner/china-internet-users/.
 R. Clayton S. J. Murdoch and R. N. M. Watson. Ignoring the Great Firewall of China. In Privacy Enhancing Technologies. Springer 2006.
 J. R. Crandall D. Zinn M. Byrd E. Barr and R. East. ConceptDoppler: A weather tracker for Internet censorship. In Computer and Communications Security. ACM 2007.
 A. Dainotti C. Squarcella E. Aben K. C. Claffy M. Chiesa M. Russo and A. Pescapé. Analysis of country-wide Internet outages caused by censorship. In Internet Measurement Conference. ACM 2011.
 J. Dalek B. Haselton H. Noman A. Senft M. Crete- Nishihata P. Gill and R. J. Deibert. A method for identifying and confirming the use of URL filtering products for censorship. In Internet Measurement Conference. ACM 2013.
 R. Dingledine N. Mathewson and P. Syverson. Tor: the second-generation onion router. In USENIX Security Symposium. USENIX Association 2004.
 Z. Durumeric E. Wustrow and J. A. Halderman. ZMap: fast Internet-wide scanning and its security applications. In USENIX Security Symposium. USENIX Association 2013.
 R. Ensafi J. Knockel G. Alexander and J. R. Crandall. Detecting intentional packet drops on the Internet via TCP/IP side channels: Extended version. CoRR abs/1312.5739 2013. Available at http://arxiv.org/abs/1312.5739.
 R. Ensafi J. Knockel G. Alexander and J. R. Crandall. Detecting intentional packet drops on the internet via TCP/IP side channels. In Passive and Active Measurement Conference. Springer 2014.
 R. Ensafi J. C. Park D. Kapur and J. R. Crandall. Idle port scanning and non-interference analysis of network protocol stacks using model checking. In USENIX Security Symposium. USENIX Association 2010.
 E. Katz-Bassett H. V. Madhyastha V. K. Adhikari C. Scott J. Sherry P. Van Wesep T. Anderson and A. Krishnamurthy. Reverse Traceroute. In Networked Systems Design & Implementation. USENIX Association 2010.
 S. Khattak M. Javed P. D. Anderson and V. Paxson. Towards illuminating a censorship monitor’s model to facilitate evasion. In Free and Open Communications on the Internet. USENIX Association 2013.
 G. Lowe P. Winters and M. L. Marcus. The Great DNS wall of China. Technical report New York University 2007.
 G. Lyon. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure.Org LLC Sunnyvale CA USA 2009.
 H. V. Madhyastha T. Isdal M. Piatek C. Dixon T. Anderson A. Krishnamurthy and A. Venkataramani. iPlane: An information plane for distributed services. In Operating Systems Design and Implementation. USENIX Association 2006.
 Z. M. Mao J. Rexford J. Wang and R. H. Katz. Towards an accurate AS-level traceroute tool. In SIGCOMM ’03: Proceedings of the 2003 conference on Applications technologies architectures and protocols for computer communications pages 365-378 New York NY USA 2003. ACM Press.
 Global RIPE Atlas Network Coverage. Available at https: //atlas.ripe.net/results/maps/network-coverage/.
 World map of PlanetLab nodes. Available at https://www. planet-lab.org/generated/World50.png.
 The DIMES project: Active Agents by Countries in Last 7 Days. Available at http://www.netdimes.org/new/?q= node/52.
 M-Lab Platform: Server Map. Available at http://www. measurementlab.net/infrastructure.
 MaxMind - GeoIP2 City Accuracy. Available at https:// www.maxmind.com/en/geoip2-city-database-accuracy.
 M. Morbitzer. TCP idle scans in IPv6. Master’s thesis Radboud University Nijmegen The Netherlands 2013.
 D. Nobori and Y. Shinjo. VPN gate: A volunteer-organized public vpn relay system with blocking resistance for bypassing government censorship firewalls. In Networked Systems Design and Implementation. USENIX 2014.
 J. C. Park and J. R. Crandall. Empirical study of a nationalscale distributed intrusion detection system: Backbone-level filtering of HTML responses in China. In Distributed Computing Systems. IEEE 2010.
 T. H. Ptacek and T. N. Newsham. Insertion evasion and denial of service: Eluding network intrusion detection. Technical report Secure Networks Inc. 1998.
 Z. Qian and Z. M. Mao. Off-path TCP sequence number inference attack. In Security & Privacy. IEEE 2012.
 Z. Qian Z. M. Mao Y. Xie and F. Yu. Investigation of triangular spamming: a stealthy and efficient spamming technique. In Symposium on Security and Privacy. IEEE 2010.
 S. Sanfilippo. hping. http://www.hping.org 2006.
 Sparks Neo Tank Smith and Dozer. The collateral damage of internet censorship by dns injection. SIGCOMM Computer Communication Review 42(3):21-27 2012.
 The Tor Project. Relay descriptor archives. https://metrics. torproject.org/data.html#relaydesc.
 The Tor Project. Tor metrics - direct users by country. https://metrics.torproject.org/userstats-relay-country.html? graph=userstats-relay-country&start=2014-01-01&end= 2014-07-01&country=cn&events=off.
 Tokachu. The not-so-great firewall of China. 2600 Magazine Winter 2006-2007.
 TorStatus. Tor network status. http://torstatus.blutmagie. de.
 G. Walton. China’s golden shield : corporations and the development of surveillance technology in the People’s Republic of China. International Centre for Human Rights and Democratic Development 2001.
 Y. A. Wang C. Huang J. Li and K. W. Ross. Queen: Estimating packet loss rate between arbitrary internet hosts. In Passive and Active Network Measurement. Springer 2009.
 N. Weaver R. Sommer and V. Paxson. Detecting Forged TCP Reset Packets. In Network and Distributed System Security. The Internet Society 2009.
 P. Winter and S. Lindskog. How the Great Firewall of China is blocking Tor. In Free and Open Communications on the Internet. USENIX Association 2012.
 J. Wright. Regional variation in Chinese internet filtering. Technical report University of Oxford 2012.
 X. Xu Z. M. Mao and J. A. Halderman. Internet censorship in china: Where does the filtering occur? In Passive and Active Measurement Conference. Springer 2011.