Thanks for sharing this. I researched this for my A level project a few years ago, and this is a really neat cross reference. I didn't mention V2Ray as much.
How is traffic controlled inside PRC? Is GFW a central hub for all traffic between all hosts? Or between residential ASNs and commercial ones only? In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (e.g. BT Cleanfeed) and with DNS blocks, but I haven’t kept up to date with how networks might handle residential hosting. Maybe internal traffic is just all banned?
Unknown. I haven't seen any injected fake DNS or reset packets so far to domestic hosts. But there are rumors that Google's servers in Beijing (AS24424) were once blackholed.
> Is GFW a central hub for all traffic between all hosts?
It's supposed to have a centralized management system, but not a single hub.
> Or between residential ASNs and commercial ones only?
Yes, the injecting devices are deployed in IXPs, the AS borders. See "Internet censorship in China: Where does the filtering occur?".
> In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (e.g. BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting.
I believe Iran has a more centralized system, like China's, controlled by Tehran.
> Maybe internal traffic is just all banned?
No, internal HTTPS traffic is not banned in that hour.
Not only individuals, but also major companies were locked down. If this was a dry run for "certain measures" in the future, I can't believe how much of a blow it would cause to the economy. Therefore, I think this was more of a human error.
Determining the scope of the impact would also be part of such a dry run. And if it is meant to be used along some kind of military action then it's going to throw the economy into chaos anyway.
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal, which you can only do if you are in China and get the approval. It should also be displayed on the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS; they got kicked out. In Beijing it is actually Sinnet, in Ningxia it's NWCD.
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shut down cross-border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shut down any website they want.
In fact, it’s a common tactic to do something unusual, in a recurrent way, so people aren’t alerted when it happens for real. (When the Mossad stole 7 boats from a French port (that they had fully paid for), they prepared a few months in advance by having the pilots start the engines every night at 23:00, pretending they needed it against the cold temperatures. When the day came, they started the engines and left; no-one saw it coming.)
Could you bring something like a Starlink Mini for backup, I wonder? I'd imagine this would be very worrying, being stuck there as a foreigner in such a situation.
The infrastructure for that kind of control clearly already exists. What's unclear is how coordinated or deliberate these events are versus being side effects of testing or internal changes.
That's what's so great about LoRa. Decentralized txt msgs, ultra cheap radios people run at home or wherever. $10-35 USD on Amazon. At least txts get through.
The most depressing is that what happens in China, will eventually happen in the west too. I'm sure certain US, UK, and EU bureaucrats are already crafting campaigns about how this ability will 'save the children' and that it should be implemented immediately (politicians and certain other selected people will be exempt of course).
There's nothing inevitable about this. Civil society needs to organize, coordinate, and spend money on PR about this.
Right now liberal people mostly sit back and wait for things to get better; it's not enough. (Also, going and walking up and down is not really effective.)
Think of how many people who have remote jobs with American companies couldn't connect to their meetings while they "work from home" while secretly being in China!
Normally they have to fight VPN issues anyway, but having a sovereign state inject your packets is certainly a fun new one.
Anyone operating in/around China who needs a real VPN has a service they pay for and use that isn't mainstream and isn't blocked (using V2Ray or similar). There's a reason why Shadowrocket is the number 1 app on the App Store. I'm sure there are a lot of cases of people using, e.g., off-the-shelf VPN apps and having trouble, but power users in China are always running a VPN, usually to Japan, that doesn't have this problem.
There are special virtual SIM cards that provide access to services from mainland China, as well as VPNs that function normally without issues. I used both while I was in China.
Well, for starters, recreate the situation and test out different approaches. Thanks to the detailed analysis, that can be attempted.
If I understand right, a good next step would be, with eBPF or some type of proxy, to ignore the forged RST+ACK at the beginning.
Then it would come to testing whether sending a bunch of ACK packets, perhaps with sequence numbers that, when reconstructed, could complete the handshake. Trying to send them alongside the SYN+ACK, or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
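Before anything can be ignored it has to be recognised, so here is a defender-side classifier for the forged RST+ACKs the thread describes, as an added example that is not from the thread or from any tool it mentions. The packet trace is constructed, the IPs are documentation addresses, and the TTL-distance threshold is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: float      # seconds since capture start
    src: str      # source IP
    dst: str      # destination IP
    flags: str    # TCP flags, e.g. "S", "SA", "A", "RA", "PA"
    ttl: int      # IP TTL as received

# Assumed heuristic: a packet forged by an on-path box that sits closer to
# the client than the real server arrives with a TTL that does not match
# the TTL carried by the server's genuine packets.
TTL_SLACK = 2

def flag_suspect_rsts(pkts, client, server):
    """Return [(packet, reason)] for RSTs from `server` that look injected:
    either they arrive after our SYN but before the server's own SYN+ACK,
    or their TTL disagrees with the TTL seen on the genuine SYN+ACK."""
    syn_seen = False
    server_ttl = None          # TTL observed on the real SYN+ACK
    suspects = []
    for p in sorted(pkts, key=lambda x: x.t):
        if p.src == client and p.dst == server and p.flags == "S":
            syn_seen = True
        elif p.src == server and p.dst == client:
            if p.flags == "SA" and server_ttl is None:
                server_ttl = p.ttl
            elif "R" in p.flags:
                if syn_seen and server_ttl is None:
                    suspects.append((p, "RST before the server's SYN+ACK"))
                elif server_ttl is not None and abs(p.ttl - server_ttl) > TTL_SLACK:
                    suspects.append((p, f"TTL {p.ttl} vs flow TTL {server_ttl}"))
    return suspects

# Constructed trace: client SYN, an early forged RST+ACK, the real SYN+ACK
# (TTL 41), the client's ACK, a second forged RST+ACK, then genuine data.
TRACE = [
    Pkt(0.000, "10.0.0.2", "203.0.113.5", "S",  64),
    Pkt(0.012, "203.0.113.5", "10.0.0.2", "RA", 52),
    Pkt(0.180, "203.0.113.5", "10.0.0.2", "SA", 41),
    Pkt(0.181, "10.0.0.2", "203.0.113.5", "A",  64),
    Pkt(0.190, "203.0.113.5", "10.0.0.2", "RA", 52),
    Pkt(0.400, "203.0.113.5", "10.0.0.2", "PA", 41),
]

if __name__ == "__main__":
    for p, why in flag_suspect_rsts(TRACE, "10.0.0.2", "203.0.113.5"):
        print(f"t={p.t:.3f} {p.flags} ttl={p.ttl}: {why}")
```

A RST from the server that carries the flow's own TTL is left alone, so a legitimate server-side abort is not reported as injection.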
armchairhacker|6 months ago
https://danglingpointer.fun/posts/GFWHistory
Posted 6 days ago (https://news.ycombinator.com/item?id=44898892)
inemesitaffia|6 months ago
So what's blocked differs by region.
outworlder|6 months ago
If you think this is bad...
ChrisMarshallNY|6 months ago
It’s good to know the boss.
est|6 months ago
But GFW certainly had the capability to block all ports. So no one really knew.
JumpCrisscross|6 months ago
That Cloudflare had an outage. Not America.
est|6 months ago
In this case, the connection works fine; some extra RST+ACK packets were delivered to your network on purpose.