GFW maintains TCP connection state for up to ≈10 hours and tolerates up to ≈1 GB of client-to-server data, but drastically reduces these limits when a sequence hole exists: it abandons state after buffering only 1 KB above the hole (TCP9) and times out holed connections in 60–90 minutes rather than ≈10 hours (TCP10). These thresholds were confirmed over repeated measurements and represent the maxima tested, not precise censor-configured limits.

GFW reassembles both IP fragments and TCP segments for HTTP connections, but its overlap-resolution policy diverges from receiver behavior in documented cases: it prefers the original IP fragment in all overlap configurations except when the challenger is simultaneously left-long and right-long (IP2), and prefers a later left-equal TCP segment over the original (TCP5). The paper tests all 18 possible fragment overlap cases and confirms that placing a banned keyword only in the fragment version GFW discards achieves evasion.

§5, Table 1 (IP2, TCP5) detection

GFW exhibits three confirmed HTTP analysis gaps: it inspects only the first Request-URI and Host header in HTTP-pipelined requests (HTTP3), will not scan beyond 2,048 bytes into a Request-URI (HTTP2), and recognizes only standard percent-encoding while ignoring alternative URI encodings such as overlong UTF-8 (HTTP4). The authors classify all three as low-difficulty fixes for the censor, meaning they may be patched quickly once disclosed.

§5, Table 1 (HTTP2, HTTP3, HTTP4) detection

GFW instantiates a TCB upon observing a bare SYN before any SYN-ACK (TCP1), enabling a split-connection evasion: a client sends a low-TTL SYN visible to GFW but not the server, then opens the real connection on the same 5-tuple with a different initial sequence number. GFW tracks the phantom TCB and fails to detect banned keywords on the real, desynchronized connection. This same behavior also renders GFW vulnerable to SYN-flooding-style memory exhaustion.

§5, Table 1 (TCP1) detection

A TTL-limited bare FIN packet (without ACK) is sufficient to induce GFW to tear down its connection state for a live TCP session (TCP6b), because GFW accepts FIN packets that violate RFC 793's requirement for the ACK flag. After induced state teardown, subsequent packets carrying banned keywords on the same connection produce no RST, confirming the monitor has lost track of the flow.

§5, Table 1 (TCP6b) detection

TLS connections to blocked services (instagram.com, telegram.org) were terminated by TCP RST immediately after the client's ClientHello, before any certificate exchange, confirming SNI-based DPI that reads the plaintext SNI extension and aborts the handshake. HTTP filtering additionally matched Host headers and URL keywords case-sensitively, with injected HTTP 403 pages or TCP RST responses, and case-change evasions were sometimes effective.

2025-aryapour-stealth-blackout §4.2, §4.3 sni-blockingdpirst-injectionkeyword-filtering

Iran's HTTP censor exhibits several parsing inconsistencies exploitable for evasion: (1) it is case-sensitive and ignores lowercase method variant "gET"; (2) it does not censor the Host header for HTTP version strings "HTTP", "1.1", and "example" (suggests a version regex of HTTP/.*); (3) when the Host header is absent, the path is not censored for versions "HTTP" and "HTTP/1"; (4) the body is never analyzed regardless of version. All HTTP and DNS censorship occurs at the same last-hop border node, suggesting centralized architecture.

2025-lange-i-ra-nconsistencies §3.2, Table 1 dpikeyword-filteringrst-injection

China's Great Firewall showed anomalous inconsistency: 13 test vectors produced mixed outcomes—TCP RST injection on some executions and a clean server response on others—with circumvention rates between 10% and 35% across 100 executions per vector. The authors attribute this to heterogeneous GFW infrastructure components applying different HTTP parsing logic, a departure from the GFW's usual consistency.

2024-m-ller-turning §5.2 dpirst-injectionkeyword-filteringmiddlebox-interference

China's GFW exhibited unusually inconsistent HTTP censorship behavior: 13 of the evaluated HRS test vectors circumvented the GFW in some executions but not others, with per-vector success rates between 10% and 35% across 100 executions per domain. The authors attribute this to two distinct parts of GFW infrastructure employing different HTTP censorship mechanisms, a departure from the GFW's typical consistency.

2024-niere-http-smuggling §5.2 (China paragraph), §5 intro dpirst-injectionkeyword-filtering

Extending Geneva's genetic algorithm to the application layer automatically discovered 77 unique HTTP evasion strategies and 9 DNS evasion strategies against censors in China, India, and Kazakhstan — all requiring only unprivileged usermode modifications with no TCP/IP header access. Against India's Airtel censor, 56 of the 77 strategies succeeded; 29 worked against Kazakhstan; 22 evaded China's keyword-based HTTP censorship and 27 evaded its Host-header censorship.

2022-harrity-get §5.1, §6 dpikeyword-filteringrst-injectiondns-poisoning

The GFW only inspects two locations within an HTTP request for censored keywords: the path component of the request line and the Host header, in UTF-8 and GB 18030 encodings (with %-decoding applied). Cookie headers, custom headers (e.g., X-Tension), and POST body fields are not monitored. Even in monitored positions, only approximately 75% of requests containing censored keywords actually trigger a TCP RST disconnection.

2021-rambert-chinese §4.4 keyword-filteringdpirst-injection