Is the Chinese Government Peeping at Your Web Site?

-- An Analysis of web server logs of www.wangbingzhang.us

Introduction

To be honest, as the webmaster of three dissident web sites over the past two years, I have worried very little about things like traffic and performance bottlenecks because, generally speaking, the web sites of political dissidents attract only the eyeballs of dissidents and the occasional attention of the government. Therefore, I seldom looked at web server logs in the past.

However, I recently happened to investigate the computer logs of one web site, www.wangbingzhang.us, dedicated to the rescue of Dr. Bingzhang Wang, a well-known senior leader of overseas Chinese dissidents. Dr. Wang was kidnapped by Chinese secret agents in Vietnam in late June 2002, and sentenced to life imprisonment in February 2003, the severest punishment ever made in China. The results of the investigation, based on an analysis of the visitors' IP addresses recorded in the logs, turned out to be astonishing. If your web site is really on the blacklist of the Chinese government, you may be able to figure out who must be governmental agents and how doggedly and seriously they are peeping at you.

Analysis of IP Addresses from China

Now, let's take a look at the records in the logs for www.wangbingzhang.us. The web server only provides logs for the most recent four months, including the present month. Considering whole months only, visitors using at least the IP addresses summarized by month below visited our web site from China from February to April 2004. (Generally, IP addresses allocated to China have 202 as the first of the four parts. China may also use other IP addresses. In our case it is reasonable to loosely assume that all IP addresses of China begin with 202. The following statistics will show that the average ratio of hits from China reaches 6.46%. Since our web site is prohibited in mainland China, this ratio cannot be too high. So, our assumption is indeed acceptable.)

February 2004
Top 3 hits: 202.ddd.ddd.101(103)   202.xxx.yyy.16(67)   202.ddd.ddd.11(26)
Ratio of hits from China: 4.53% (346 among total 7646 hits)

March 2004
Top 3 hits: 202.ddd.ddd.101(89)   202.ddd.ddd.197(61)   202.ddd.ddd.98(35)
Ratio of hits from China: 6.26% (779 among total 12453 hits)

April 2004
Top 3 hits: 202.xxx.yyy.16(247)   202.ddd.ddd.197(102)   202.ddd.ddd.98(55)
Ratio of hits from China: 8.33% (771 among total 9260 hits)


Average ratio of hits from China (Feb - Apr 2004): 6.46% (1896 among total 29359 hits)

First of all, we were surprised by the average hit count per month, 9786. For a non-comprehensive web site providing only serious topics instead of attractive entertainment content, we are fully satisfied with this achievement.

However, we were even more surprised by the number of hits from China. Is it not amazing that over 6.46% of all hits came from China, a totalitarian empire which adopts the strictest censorship over Internet content in the whole world? Is the communist regime 'kind' enough to let our web site into China? Is it too small and too insignificant to attract the effort of the evil regime to filter out our web site? (No, our friends in mainland China have been complaining about failure to access.) Or, are the visitors all from Hong Kong?

There were 142 different IPs used from China throughout February to April. Since no one-to-one relation can be assumed between computers and users, we have no idea about the exact number of our visitors from China.

However, some phenomena are very prominent. For example, the visits from 202.xxx.yyy.16 on each day from April 5 to 30 are so strange that I am sure the users must be governmental Internet agents. Why?

Firstly, most Internet users in present-day China must access the Internet via a dial-up service, which dynamically gives each of them an IP address available at the time they connect. Therefore, even at different times of the same day, a user will obtain different IP addresses, not to mention the small chance of getting the same IP address every day.

Secondly, as for those mainland China visitors using a fixed IP address (and thus the same computer) in non-governmental organizations or (as DSL users) at home, if they dare to visit a web site like ours frequently, they must be crazy, because they are supposed to know the risk they take by behaving in this dangerous way.

Thirdly, according to the logs available, IP address 202.xxx.yyy.16 appeared almost every day from February 1 to 16. Then, it disappeared. But from April 5 on, it appeared every day again. Why was this IP address absent from February 17 until April 4? Behold, it was within those days that the Chinese congress was convening in Beijing and, more importantly, Taiwan was holding its presidential election. Is it just a coincidence? No, I prefer to believe that the related users might have been ordered to supervise other web sites or safeguard congress members.

In addition, please pay attention to the distribution of the IP addresses. Characteristics such as the continuity of the IP addresses are very obvious. For example, each month there appears a long series of consecutive IP addresses, such as 202.xxx.yyy.27, 202.xxx.yyy.28, 202.xxx.yyy.29, ..., 202.xxx.yyy.50. In fact, in March 2004, the IP addresses within subnet 202.xxx.yyy revealed striking features. Besides, 57 different IP addresses of that subnet appeared within the three months. Visitors using these addresses cannot possibly be ordinary Internet users. Instead, they must belong to the same division of a certain special governmental department.
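The three checks used in this analysis (the share of hits from an address prefix, runs of consecutive addresses within one subnet, and the longest absence of a single address) can be reproduced on any access log. The Python below is an added example, not the author's tooling; it assumes Common Log Format, and the function names and the documentation-range sample addresses (with 203. standing in for the article's 202. prefix) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Assumption: Common Log Format, i.e. "host ident user [dd/Mon/yyyy:hh:mm:ss zone] ..."
LINE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):')

def sample_log():
    """Constructed Common Log Format data; documentation-range addresses only."""
    rows = [("203.0.113.16", d) for d in ("01/Feb", "02/Feb", "16/Feb", "05/Apr", "06/Apr")]
    rows += [(f"203.0.113.{h}", "10/Mar") for h in (27, 28, 29, 30, 40)]
    rows += [("198.51.100.7", "10/Mar")] * 10
    fmt = '{} - - [{}/2004:03:02:40 +0000] "GET / HTTP/1.0" 200 512'
    return "\n".join(fmt.format(ip, d) for ip, d in rows) + "\ntruncated line"

def analyze(log, prefix):
    """Count hits and active days per address whose text starts with prefix."""
    total, hits, days = 0, Counter(), defaultdict(set)
    for line in log.splitlines():
        if not (m := LINE.match(line)):
            continue  # skip malformed lines rather than miscount them
        total += 1
        ip = m.group(1)
        if ip.startswith(prefix):
            hits[ip] += 1
            days[ip].add(datetime.strptime(m.group(2), "%d/%b/%Y").date())
    matched = sum(hits.values())
    ratio = round(100 * matched / total, 2) if total else 0.0
    return {"total": total, "matched": matched, "ratio": ratio,
            "top": hits.most_common(3), "days": {ip: sorted(d) for ip, d in days.items()}}

def consecutive_runs(ips, min_len=3):
    """Per /24, return (network, first, last) for runs of adjacent last octets."""
    by_net = defaultdict(set)
    for ip in ips:
        net, _, host = ip.rpartition(".")
        by_net[net].add(int(host))
    runs = []
    for net, hosts in sorted(by_net.items()):
        run = []
        for h in sorted(hosts) + [None]:  # None flushes the final run
            if run and h != run[-1] + 1:
                if len(run) >= min_len:
                    runs.append((net, run[0], run[-1]))
                run = []
            run.append(h)
    return runs

def longest_absence(dates):
    """Longest stretch of whole days between two consecutive active days."""
    return max((((b - a).days - 1, a, b) for a, b in zip(dates, dates[1:])), default=None)
```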

Admittedly, some friends in Hong Kong may use IP addresses with the prefix 202. But we cannot understand why they have never published any message on the Bingzhang Wang Forum of our web site. (Below we'll discuss the only message posted by a user on 202.xxx.yyy.16.) On the other hand, it is still hard to explain the above-mentioned consecutive IP addresses if the users were indeed coming from Hong Kong.

Therefore, we strongly believe that people using 202.xxx.yyy.16 or addresses from its subnet must be working for a certain special department of the Chinese government.

As for other users from China, we don't know if all of them came from Hong Kong. For those from mainland China, we have obtained no obvious evidence from the logs to conclude that they were working for the government, though we strongly believe it. Since this web site has been open for over one year, and Dr. Bingzhang Wang is so important a Chinese dissident, the Chinese government must keep an eye on it so as to forbid its distribution of "harmful" information into China, while obtaining information about, say, what plans are being carried out by his friends overseas to rescue him. In a word, this web site must have been filtered out of the reach of ordinary Chinese people a long time ago. In practice, we once invited our friends in mainland China to visit and were informed of their failure. Furthermore, the hits from China's subnets in all three months were extremely concentrated on one to three subnets (see the following figure). Anyway, all the phenomena drive us to believe that, except for a few from Hong Kong, all our visitors from China must be working for special governmental departments.

You may have noticed that the IP addresses came from different Internet subnets. This indicates that the visitors from mainland China came from a big branch or several branches of a large organization which a single physical subnet could not accommodate. Of course, it is also possible that they came from different security organizations, say, the secret Internet police and an intelligence department.

It's worth pointing out that almost all our visitors from China have been very 'nice'. By 'nice' I mean they just browse the web content and do not disturb the web site by 'injecting water', i.e., posting tons of offensive, dirty, pornographic or specious messages to distract other visitors' attention. During the three months there was only one user, on host 202.xxx.yyy.16, who once posted a message on the Bingzhang Wang Forum, at 03:02:40 on February 13, 2004. However, I failed to find that message. It must have been deleted because it was intolerable, since we take a very easy attitude toward any reasonable arguments.

Why have the governmental agents been so 'nice' so far? In my opinion, that's because they know dissident web sites do not have a huge group of visitors apart from well-educated dissidents. They also know that, if they keep 'injecting water', they will be stopped because of their IP addresses. On the other hand, collecting information and finding new dissidents is their major duty when dealing with dissident web sites. Certainly, 'injecting water' would expose their existence and might make it hard to fulfill their major task.

Therefore, we can conclude that not 'injecting water' is the normal and safe way for secret Internet agents to hide themselves completely on any dissident web site. Of course, whether they are able to hide depends on whether the webmasters are willing to analyze server logs and really know how to. Unfortunately, on many Chinese dissident web sites they must have hidden successfully, since many webmasters have little IT knowledge even though they are senior writers and professional editors. We hope those webmasters may find this article helpful. It is our negligence and ignorance that give governmental agents the chance to peep at us from fixed computers using fixed IP addresses.

By the way, if we know secret governmental agents are hiding among our visitors, can we take any advantage of it? Of course, we can take steps that benefit our purpose. For example, we may release false news to cheat and confuse them. We may even organize and write special articles to reeducate them, too.

Conclusion

Finally, there is no question that the more attention the communist regime pays to a dissident web site, the more obviously the web site has become a real challenge to the regime, and thus we need stronger courage and motivation to mount a stronger challenge to it. Conversely, if our web site gets less and less attention from its enemy, we should contemplate its purpose and adjust our goal and strategy. While the communist regime takes the Internet as its main battlefield for finding and detaining new dissidents and potential leaders of political organizations, we fighters for freedom and democracy must also take the Internet as our main platform to make new friends and strengthen our union. Analysis of web server logs can help us test our efforts and build up our belief.

Concretely, through analysis of web server logs, we discovered that the Chinese government has paid lasting attention to our web site, www.wangbingzhang.us, which will assuredly propel us to make further efforts to help Dr. Bingzhang Wang recover his freedom.


Zhongxiao Wang
Webmaster and editor-in-chief, www.wangbingzhang.us
National Director, Free China Movement

May 12, 2004

Note:
To protect the privacy of innocent visitors, we mask as many digits in an IP address as possible when publishing this report publicly.