A nation-scale firewall, colloquially referred to as the “Great Firewall of China,” implements many different types of censorship and content filtering to control China’s Internet traffic. Past work has shown that the firewall occasionally fails. In other words, sometimes clients in China are able to reach blacklisted servers outside of China. This phenomenon has not yet been characterized because it is infeasible to find a large and geographically diverse set of clients in China from which to test connectivity. In this paper, we overcome this challenge by using a hybrid idle scan technique that is able to measure connectivity between a remote client and an arbitrary server, neither of which are under the control of the researcher performing measurements. In addition to hybrid idle scans, we present and employ a novel side channel in the Linux kernel’s SYN backlog. We show that both techniques are practical by measuring the reachability of the Tor network which is known to be blocked in China. Our measurements reveal that failures in the firewall occur throughout the entire country without any conspicuous geographical patterns.We give some evidence that routing plays a role, but other factors (such as how the GFW maintains its list of IP/port pairs to block) may also be important.
 Linux kernel source tree. http://git.kernel. org/cgit/linux/kernel/git/torvalds/linux.git/ tree/net/ipv4/inet_connection_sock.c?h= 4d0fa8a0f01272d4de33704f20303dcecdb55df1#n562.
 tcp(7) - Linux man page. http://linux.die.net/man/7/tcp.
 Extensive Analysis and Large-Scale Empirical Evaluation of Tor Bridge Discovery. In INFOCOM, Orlando, FL, USA, 2012. IEEE.
 Alexa. Alexa top sites in China. http://www.alexa.com/ topsites/countries/CN.
 C. Anderson, P. Winter, and Roya. Global censorship detection over the RIPE Atlas network. In Free and Open Communications on the Internet. USENIX, 2014.
 Anonymous. Towards a comprehensive picture of the Great Firewall’s DNS censorship. In Free and Open Communications on the Internet. USENIX, 2014.
 Antirez. new TCP scan method, 1998.
 W. Chen, Y. Huang, B. F. Ribeiro, K. Suh, H. Zhang, E. de Souza e Silva, J. Kurose, and D. Towsley. Exploiting the IPID field to infer network path and end-system characteristics. In Passive and Active Network Measurement. Springer, 2005.
 China internet and mobile phone users. Available at http: //www.procurasia.com/china-industrial-sourcing/chinastatistics- corner/china-internet-users/.
 R. Clayton, S. J. Murdoch, and R. N. M. Watson. Ignoring the Great Firewall of China. In Privacy Enhancing Technologies. Springer, 2006.
 J. R. Crandall, D. Zinn, M. Byrd, E. Barr, and R. East. ConceptDoppler: A weather tracker for Internet censorship. In Computer and Communications Security. ACM, 2007.
 A. Dainotti, C. Squarcella, E. Aben, K. C. Claffy, M. Chiesa, M. Russo, and A. Pescapé. Analysis of country-wide Internet outages caused by censorship. In Internet Measurement Conference. ACM, 2011.
 J. Dalek, B. Haselton, H. Noman, A. Senft, M. Crete- Nishihata, P. Gill, and R. J. Deibert. A method for identifying and confirming the use of URL filtering products for censorship. In Internet Measurement Conference. ACM, 2013.
 R. Dingledine, N. Mathewson, and P. Syverson. Tor: the second-generation onion router. In USENIX Security Symposium. USENIX Association, 2004.
 Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: fast Internet-wide scanning and its security applications. In USENIX Security Symposium. USENIX Association, 2013.
 R. Ensafi, J. Knockel, G. Alexander, and J. R. Crandall. Detecting intentional packet drops on the Internet via TCP/IP side channels: Extended version. CoRR, abs/1312.5739, 2013. Available at http://arxiv.org/abs/1312.5739.
 R. Ensafi, J. Knockel, G. Alexander, and J. R. Crandall. Detecting intentional packet drops on the internet via TCP/IP side channels. In Passive and Active Measurement Conference. Springer, 2014.
 R. Ensafi, J. C. Park, D. Kapur, and J. R. Crandall. Idle port scanning and non-interference analysis of network protocol stacks using model checking. In USENIX Security Symposium. USENIX Association, 2010.
 E. Katz-Bassett, H. V. Madhyastha, V. K. Adhikari, C. Scott, J. Sherry, P. Van Wesep, T. Anderson, and A. Krishnamurthy. Reverse Traceroute. In Networked Systems Design & Implementation. USENIX Association, 2010.
 S. Khattak, M. Javed, P. D. Anderson, and V. Paxson. Towards illuminating a censorship monitor’s model to facilitate evasion. In Free and Open Communications on the Internet. USENIX Association, 2013.
 G. Lowe, P. Winters, and M. L. Marcus. The Great DNS wall of China. Technical report, New York University, 2007.
 G. Lyon. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure.Org LLC, Sunnyvale, CA, USA, 2009.
 H. V. Madhyastha, T. Isdal, M. Piatek, C. Dixon, T. Anderson, A. Krishnamurthy, and A. Venkataramani. iPlane: An information plane for distributed services. In Operating Systems Design and Implementation. USENIX Association, 2006.
 Z. M. Mao, J. Rexford, J. Wang, and R. H. Katz. Towards an accurate AS-level traceroute tool. In SIGCOMM ’03: Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, pages 365-378, New York, NY, USA, 2003. ACM Press.
 Global RIPE Atlas Network Coverage. Available at https: //atlas.ripe.net/results/maps/network-coverage/.
 World map of PlanetLab nodes. Available at https://www. planet-lab.org/generated/World50.png.
 The DIMES project: Active Agents by Countries in Last 7 Days. Available at http://www.netdimes.org/new/?q= node/52.
 M-Lab Platform: Server Map. Available at http://www. measurementlab.net/infrastructure.
 MaxMind - GeoIP2 City Accuracy. Available at https:// www.maxmind.com/en/geoip2-city-database-accuracy.
 M. Morbitzer. TCP idle scans in IPv6. Master’s thesis, Radboud University Nijmegen, The Netherlands, 2013.
 D. Nobori and Y. Shinjo. VPN gate: A volunteer-organized public vpn relay system with blocking resistance for bypassing government censorship firewalls. In Networked Systems Design and Implementation. USENIX, 2014.
 J. C. Park and J. R. Crandall. Empirical study of a nationalscale distributed intrusion detection system: Backbone-level filtering of HTML responses in China. In Distributed Computing Systems. IEEE, 2010.
 T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Secure Networks, Inc., 1998.
 Z. Qian and Z. M. Mao. Off-path TCP sequence number inference attack. In Security & Privacy. IEEE, 2012.
 Z. Qian, Z. M. Mao, Y. Xie, and F. Yu. Investigation of triangular spamming: a stealthy and efficient spamming technique. In Symposium on Security and Privacy. IEEE, 2010.
 S. Sanfilippo. hping. http://www.hping.org, 2006.
 Sparks, Neo, Tank, Smith, and Dozer. The collateral damage of internet censorship by dns injection. SIGCOMM Computer Communication Review, 42(3):21-27, 2012.
 The Tor Project. Relay descriptor archives. https://metrics. torproject.org/data.html#relaydesc.
 The Tor Project. Tor metrics - direct users by country. https://metrics.torproject.org/userstats-relay-country.html? graph=userstats-relay-country&start=2014-01-01&end= 2014-07-01&country=cn&events=off.
 Tokachu. The not-so-great firewall of China. 2600 Magazine, Winter 2006-2007.
 TorStatus. Tor network status. http://torstatus.blutmagie. de.
 G. Walton. China’s golden shield : corporations and the development of surveillance technology in the People’s Republic of China. International Centre for Human Rights and Democratic Development, 2001.
 Y. A. Wang, C. Huang, J. Li, and K. W. Ross. Queen: Estimating packet loss rate between arbitrary internet hosts. In Passive and Active Network Measurement. Springer, 2009.
 N. Weaver, R. Sommer, and V. Paxson. Detecting Forged TCP Reset Packets. In Network and Distributed System Security. The Internet Society, 2009.
 P. Winter and S. Lindskog. How the Great Firewall of China is blocking Tor. In Free and Open Communications on the Internet. USENIX Association, 2012.
 J. Wright. Regional variation in Chinese internet filtering. Technical report, University of Oxford, 2012.
 X. Xu, Z. M. Mao, and J. A. Halderman. Internet censorship in china: Where does the filtering occur? In Passive and Active Measurement Conference. Springer, 2011.