Post-trigger blocking persisted for an average of ~20 minutes (observed range: a few minutes to nearly an hour) per source-IP/destination-IP pair, but was scoped to the 128 TCP port numbers sharing the same 7 most-significant bits as the triggering connection's ephemeral port. On pseudo-random ephemeral-port systems such as OpenBSD, the probability of a subsequent connection falling in the blocked port range is only ~1 in 500; on sequential-port systems such as Windows, an average of 64 further connections are blocked.

In measurements conducted over 10 days in early February 2006, the GFW scanned approximately two-thirds of packets from a 256-address block per hourly probe, with address selection following a structured (non-random) pattern consistent with simple modular assignment to a limited pool of IDS devices. After several days, the inspected fraction rose to nearly all addresses, suggesting a configuration change to expand capacity.

§6.1 evaluation

The GFW's keyword-blocking mechanism relies entirely on endpoints honoring injected TCP RST packets; because the IDS operates out-of-band and cannot remove packets already queued in the router's transmission path, configuring both endpoints to silently discard incoming RSTs (e.g., via `iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP`) allows blocked content to transfer unimpeded. In a controlled experiment, 28 injected RSTs were ignored and the complete blocked web page was successfully retrieved.

§5 defense

The GFW performs no stateful TCP stream reassembly, inspecting one packet at a time: splitting the blocked keyword '?falun' across two TCP segments is sufficient to evade detection entirely. Cross-device state is also absent — triggering a block on one border AS (e.g., AS9929) had no effect on traffic transiting a different Chinese border AS.

§4.1 detection

GFW-injected RST packets are distinguishable from legitimate endpoint RSTs by TTL: in the authors' 2006 experiments forged resets carried TTL=47 while genuine server packets carried TTL=39, consistent with the IDS sitting 8 hops closer to the client than the destination server. A 20-line FreeBSD kernel patch implementing TTL-divergence filtering was developed and demonstrated positive results in practice.

§7 defense

The August 20, 2025 unconditional RST event revealed an asymmetry in the GFW's triggering mechanism: for traffic originating inside China, both the client SYN and the server SYN+ACK each independently triggered three injected RST+ACK packets (six total per connection). For traffic to China from outside, only the Chinese server's SYN+ACK triggered RSTs — the foreign client's SYN alone was insufficient. This asymmetry implies the responsible device observed the SYN+ACK from the Chinese server as the trigger condition, not a port-match rule on the SYN.

2025-gfw-port443-rst §2.1, §2.2 rst-injectionport-blockingdpi

On August 20, 2025 from approximately 00:34 to 01:48 Beijing Time (74 minutes), the GFW unconditionally injected TCP RST+ACK packets on all port 443 traffic, regardless of payload content, disrupting all TCP/443 connections between China and the rest of the world. The injected packets came in triples with incrementally increasing TTL and window size fields — a fingerprint that does not match any previously catalogued GFW device — indicating either a new device or a known device in a novel or misconfigured state. The blocking was port-443-specific: ports 22, 80, 8443, and others were unaffected during the same window.

2025-gfw-port443-rst §1, §2.3, §3 rst-injectionport-blocking

After a censored connection, 50–75% of subsequent connections from the same client IP to the same server IP and port are blocked for 90 seconds even without censored keywords ("penalty box"). The penalty box is strictly scoped to the (client IP, server IP, server port) triple — other ports at the same server IP or other server IPs are unaffected. The GFW monitors HTTP keyword traffic on every TCP port, not just port 80.

2021-rambert-chinese §4.4, §4.5 keyword-filteringrst-injectionport-blocking

Winter and Lindskog [157] (2012) documented that the GFW used TLS SNI inspection in combination with IP/port filtering and TCP disruption to block Tor, as recorded in the survey's Table 1. This is one of the earliest published accounts of the GFW applying SNI-based blocking specifically to a circumvention protocol, demonstrating that the GFW correlated multiple detection signals rather than relying on any single technique.

2015-aceto-internet Table 1 sni-blockingip-blockingport-blockingrst-injection

Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.

2015-aceto-internet Table 1 bgp-hijackdns-poisoningport-blockingip-blockingrst-injectiontls-fingerprintkeyword-filteringdpi

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking