A study published ahead of NDSS 2025 revealed Wallbleed, a critical vulnerability in the DNS injection subsystem of China’s Great Firewall (GFW), which leaked sensitive memory data for over two years before being patched in March 2024.
The flaw exposed up to 125 bytes of memory per request from censorship middleboxes, offering rare insights into the GFW’s internal operations and posing severe privacy risks to global internet users.
Wallbleed, named in reference to similar vulnerabilities like Heartbleed and Cloudbleed, stemmed from a buffer over-read flaw in the GFW’s DNS injectors. These devices monitor DNS queries for blocked domains (e.g., dissident websites) and inject forged responses to suppress access.
Researchers found that malformed DNS queries crafted with oversized label length fields triggered the injectors to include fragments of their own memory in responses.
Between October 2021 and March 2024, these leaks revealed:
Researchers from U.S. universities conducted longitudinal scans, sending billions of probes to Chinese IPs. They reverse-engineered the GFW’s parsing logic, identifying flawed bounds checks in DNS name decoding. “The injector treated adjacent memory as part of the query, leaking whatever was there—whether a UPnP request or an SSH handshake,” the paper states.
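The bug class described above (a DNS name decoder that trusts an oversized label length byte), shown as an added C example that is not code from the paper or from the GFW. `decode_qname`, the sample buffer and its "adjacent memory" bytes are constructed for illustration, and the unchecked mode is a hypothetical model set beside a bounds-checked decoder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not captured traffic: a 12-byte DNS header, then a QNAME
 * whose second label claims 20 bytes although only 2 ("ab") remain in the
 * 19-byte packet. The bytes after PKT_LEN stand in for unrelated memory that
 * happens to sit behind the packet buffer. */
static const uint8_t ARENA[] =
    "\x12\x34\x01\x00\x00\x01\0\0\0\0\0\0"   /* header: ID, flags, QDCOUNT=1 */
    "\x03www" "\x14" "ab"                     /* packet ends here (offset 19) */
    "ADJACENT-HEAP-BYTE";                     /* neighbouring memory + NUL */
#define PKT_LEN 19
#define QNAME_OFF 12

/* Decode the QNAME at msg[off] into dotted text; returns its length or -1.
 * checked=0 models a decoder that trusts each label length byte (hypothetical,
 * for contrast); checked=1 validates it against the real packet length. */
static int decode_qname(const uint8_t *msg, size_t msg_len, size_t off,
                        char *out, size_t cap, int checked)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (;;) {
        if (checked && off >= msg_len) return -1;   /* length byte missing */
        uint8_t len = msg[off++];
        if (len == 0) break;                        /* root label ends name */
        if (checked && (len > 63 || len > msg_len - off))
            return -1;      /* over RFC 1035's 63-byte limit or past packet end */
        if (n + len + 2 > cap) return -1;           /* '.', label, NUL */
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off, len);
        n += len;
        off += len;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char out[64];
    if (decode_qname(ARENA, PKT_LEN, QNAME_OFF, out, sizeof out, 0) > 0)
        printf("unchecked: %s\n", out);
    printf("checked:   %d\n",
           decode_qname(ARENA, PKT_LEN, QNAME_OFF, out, sizeof out, 1));
    return 0;
}
```

The unchecked pass copies the bytes behind the packet into the decoded name, while the checked pass rejects the query at the oversized label.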
Notably, the vulnerability affected both IPv4 and IPv6 traffic and revealed deterministic process assignments within injectors. Researchers identified multiple internal processes by analyzing forged DNS responses’ fake IP sequences, each handling specific traffic streams.
The study navigated ethical challenges, as exploiting Wallbleed risked exposing user data. Researchers limited data collection, anonymized findings, and deleted raw datasets post-analysis. “The GFW’s very existence is the real vulnerability. Fixing Wallbleed didn’t stop censorship; it just made it less risky for the censor,” the authors noted.
China’s National Computer Network Emergency Response Technical Team (CNCERT) partially patched Wallbleed in November 2023 (Wallbleed v1), but residual flaws persisted until a complete fix in March 2024.
Wallbleed underscores the dual risks of state-level censorship infrastructure: beyond suppressing free expression, poorly implemented systems jeopardize global cybersecurity. The GFW’s vast deployment, spanning every Chinese province and major ASes like China Telecom, amplified the flaw’s reach.
“This isn’t just about China,” the researchers warn. “Any nation deploying deep packet inspection at scale must recognize that bugs in censorship tools become national security liabilities.” The incident highlights the need for transparency in network governance and raises questions about the ethical responsibilities of studying adversarial systems.