2025-gfw-port443-rst

Analysis of the GFW's Unconditional Port 443 Block on August 20, 2025

GFW Report team · gfw.report · 2025

Abstract

Analysis of an unusual GFW behavior observed on August 20, 2025: the GFW unconditionally injected TCP RSTs on port 443 traffic, regardless of payload, for a measurable window. Likely a misconfiguration or test deployment rather than a permanent change.

Team notes

Operational anomaly worth knowing about: when the GFW occasionally exhibits unconditional behavior on a port, it tells us about failure modes in their deployment process. If we see a sudden CN- wide spike in tracks failing on port 443 in our bandit signals, this paper is the precedent: it might be a brief misconfiguration rather than a deliberate policy change.

Tags

censors: cn
techniques: rst-injection port-blocking dpi
method: measurement-study

findings extracted from this paper

The August 20, 2025 unconditional RST event revealed an asymmetry in the GFW's triggering mechanism: for traffic originating inside China, both the client SYN and the server SYN+ACK each independently triggered three injected RST+ACK packets (six total per connection). For traffic to China from outside, only the Chinese server's SYN+ACK triggered RSTs — the foreign client's SYN alone was insufficient. This asymmetry implies the responsible device observed the SYN+ACK from the Chinese server as the trigger condition, not a port-match rule on the SYN.

§2.1, §2.2 detection rst-injectionport-blockingdpi cn
On August 20, 2025 from approximately 00:34 to 01:48 Beijing Time (74 minutes), the GFW unconditionally injected TCP RST+ACK packets on all port 443 traffic, regardless of payload content, disrupting all TCP/443 connections between China and the rest of the world. The injected packets came in triples with incrementally increasing TTL and window size fields — a fingerprint that does not match any previously catalogued GFW device — indicating either a new device or a known device in a novel or misconfigured state. The blocking was port-443-specific: ports 22, 80, 8443, and others were unaffected during the same window.

§1, §2.3, §3 detection rst-injectionport-blocking cn