A TTL-limited bare FIN packet (without ACK) is sufficient to induce GFW to tear down its connection state for a live TCP session (TCP6b), because GFW accepts FIN packets that violate RFC 793's requirement for the ACK flag. After induced state teardown, subsequent packets carrying banned keywords on the same connection produce no RST, confirming the monitor has lost track of the flow.

GFW reassembles both IP fragments and TCP segments for HTTP connections, but its overlap-resolution policy diverges from receiver behavior in documented cases: it prefers the original IP fragment in all overlap configurations except when the challenger is simultaneously left-long and right-long (IP2), and prefers a later left-equal TCP segment over the original (TCP5). The paper tests all 18 possible fragment overlap cases and confirms that placing a banned keyword only in the fragment version GFW discards achieves evasion.

§5, Table 1 (IP2, TCP5) detection

GFW exhibits three confirmed HTTP analysis gaps: it inspects only the first Request-URI and Host header in HTTP-pipelined requests (HTTP3), will not scan beyond 2,048 bytes into a Request-URI (HTTP2), and recognizes only standard percent-encoding while ignoring alternative URI encodings such as overlong UTF-8 (HTTP4). The authors classify all three as low-difficulty fixes for the censor, meaning they may be patched quickly once disclosed.

§5, Table 1 (HTTP2, HTTP3, HTTP4) detection

GFW maintains TCP connection state for up to ≈10 hours and tolerates up to ≈1 GB of client-to-server data, but drastically reduces these limits when a sequence hole exists: it abandons state after buffering only 1 KB above the hole (TCP9) and times out holed connections in 60–90 minutes rather than ≈10 hours (TCP10). These thresholds were confirmed over repeated measurements and represent the maxima tested, not precise censor-configured limits.

§5, Table 1 (TCP9, TCP10) detection

GFW instantiates a TCB upon observing a bare SYN before any SYN-ACK (TCP1), enabling a split-connection evasion: a client sends a low-TTL SYN visible to GFW but not the server, then opens the real connection on the same 5-tuple with a different initial sequence number. GFW tracks the phantom TCB and fails to detect banned keywords on the real, desynchronized connection. This same behavior also renders GFW vulnerable to SYN-flooding-style memory exhaustion.

§5, Table 1 (TCP1) detection

Russian TSPU devices directly block ECH by dropping ClientHello messages that contain both an ECH extension and the outer SNI hostname "cloudflare-ech.com" — the static outer SNI Cloudflare advertises in all its ECH configurations. Blocking affects both TLS and QUIC. ECH connections to servers with Cloudflare ECH support but outside Cloudflare's official IP ranges are NOT blocked. TCP segmentation alone or TLS record fragmentation alone did NOT bypass TSPU ECH blocking, but combining both techniques did circumvent it. TSPU has also added TCP reassembly capabilities that defeat previously effective fragmentation-only bypasses.

2025-niere-encrypted §5, Figure 5 dpirst-injectionmiddlebox-interference

The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.

2025-tai-irblock §2.1, §3.2 dpirst-injectionpacket-injectionmiddlebox-interference

China's Great Firewall showed anomalous inconsistency: 13 test vectors produced mixed outcomes—TCP RST injection on some executions and a clean server response on others—with circumvention rates between 10% and 35% across 100 executions per vector. The authors attribute this to heterogeneous GFW infrastructure components applying different HTTP parsing logic, a departure from the GFW's usual consistency.

2024-m-ller-turning §5.2 dpirst-injectionkeyword-filteringmiddlebox-interference

Server-side censorship evasion strategies require zero client-side changes: clients bypass censorship without installing software or even being aware of the evasion, and this approach has been adopted in production tools including Psiphon's packetman. The packet manipulations exploit weaknesses in how censors track or tear down TCP connections, occurring entirely at the server during the three-way handshake.

2023-tran-crowdsourcing §1 Introduction dpirst-injectionmiddlebox-interference

The paper identifies three distinct GFW resynchronization-state triggers with protocol-specific behavior: (1) a server payload on any non-SYN+ACK packet causes resync on the next SYN+ACK or client ACK-flagged packet for all protocols; (2) a server RST causes resync on the next client packet for all protocols except HTTPS; (3) a SYN+ACK with a corrupted acknowledgment number triggers resync only for FTP. Strategy 1's 50% per-attempt success rate for HTTP is confirmed to result from the 50% probability of the GFW entering the resynchronization state on an injected RST, consistent with Wang et al. [36].

2020-bock-come §5.1 dpirst-injectionmiddlebox-interference

The paper presents 11 purely server-side censorship evasion strategies requiring zero client-side software, successfully bypassing censorship in China, India, Iran, and Kazakhstan across DNS-over-TCP, FTP, HTTP, HTTPS, and SMTP. All strategies manipulate only TCP handshake packets (primarily the SYN+ACK) and were verified against 17 versions of 6 client operating systems (Windows XP–Server 2018, MacOS, iOS, Android, Ubuntu, CentOS) with unmodified clients.

2020-bock-come §1, §5, Table 2 dpirst-injectionmiddlebox-interference