The GFW evolved to create a TCB not only on SYN packets but also on SYN/ACK packets, and enters a 're-synchronization state' upon seeing multiple SYN packets, multiple SYN/ACK packets, or a SYN/ACK with an incorrect acknowledgment number. Once in this state, it re-synchronizes its TCB using the next client-to-server data packet or server SYN/ACK, invalidating prior TCB-creation evasion strategies that assumed the GFW used only the first SYN sequence number.

Tested across 11 vantage points in 9 Chinese cities against 77 Alexa-ranked websites (50 trials each, April–May 2017), most prior TCB evasion strategies are largely broken: TCB creation with SYN achieves only 6.9% success (88.9% Failure 2), TCB teardown with FIN achieves only 11.1% success (87.9% Failure 2), while in-order data overlapping with TTL-based insertion still achieves 90.6% success and only 3.7% Failure 2. Without any evasion strategy the baseline success rate is 2.8%.

§3, Table 1 evaluation

INTANG, a measurement-driven tool that caches the best-performing TCP evasion strategy per server IP, achieves an average success rate of 98.3% (range 93.7%–100%) from vantage points inside China. Four combined new strategies — Improved TCB Teardown, Improved In-order Data Overlapping, TCB Creation + Resync/Desync, and TCB Teardown + TCB Reversal — each independently achieve average success rates of 94.5%–96.2% inside China and 84.6%–92.7% outside China, with Failure 2 rates below 1.1%.

§7, Table 4 defense

Packets carrying an unsolicited TCP MD5 option header (RFC 2385) are silently ignored by modern Linux servers (kernel ≥ 2.6) that have not negotiated MD5 authentication, yet are accepted and processed by the GFW as normal packets that update its TCB. Crucially, none of the observed middleboxes dropped packets with MD5 options, making the MD5 header the most universally applicable insertion packet type — usable with any TCP flag (SYN, RST, or data) and immune to middlebox filtering.

§5.3, Table 3 defense

Client-side middleboxes at every tested vantage point interfere with IP-layer evasion tactics: Aliyun (6/11 nodes) discards all IP fragments, while the Tianjin China Unicom node drops packets with wrong TCP checksums or no TCP flag. IP-layer discrepancies that survive routers (e.g., IP total-length > actual length) are still dropped by some middleboxes, making IP-layer manipulations unreliable across Chinese ISPs. TCP-layer manipulations are significantly more consistent across paths.

§3, Table 2 evaluation

Russian TSPU devices directly block ECH by dropping ClientHello messages that contain both an ECH extension and the outer SNI hostname "cloudflare-ech.com" — the static outer SNI Cloudflare advertises in all its ECH configurations. Blocking affects both TLS and QUIC. ECH connections to servers with Cloudflare ECH support but outside Cloudflare's official IP ranges are NOT blocked. TCP segmentation alone or TLS record fragmentation alone did NOT bypass TSPU ECH blocking, but combining both techniques did circumvent it. TSPU has also added TCP reassembly capabilities that defeat previously effective fragmentation-only bypasses.

2025-niere-encrypted §5, Figure 5 dpirst-injectionmiddlebox-interference

The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.

2025-tai-irblock §2.1, §3.2 dpirst-injectionpacket-injectionmiddlebox-interference

China's Great Firewall showed anomalous inconsistency: 13 test vectors produced mixed outcomes—TCP RST injection on some executions and a clean server response on others—with circumvention rates between 10% and 35% across 100 executions per vector. The authors attribute this to heterogeneous GFW infrastructure components applying different HTTP parsing logic, a departure from the GFW's usual consistency.

2024-m-ller-turning §5.2 dpirst-injectionkeyword-filteringmiddlebox-interference

Server-side censorship evasion strategies require zero client-side changes: clients bypass censorship without installing software or even being aware of the evasion, and this approach has been adopted in production tools including Psiphon's packetman. The packet manipulations exploit weaknesses in how censors track or tear down TCP connections, occurring entirely at the server during the three-way handshake.

2023-tran-crowdsourcing §1 Introduction dpirst-injectionmiddlebox-interference

The paper identifies three distinct GFW resynchronization-state triggers with protocol-specific behavior: (1) a server payload on any non-SYN+ACK packet causes resync on the next SYN+ACK or client ACK-flagged packet for all protocols; (2) a server RST causes resync on the next client packet for all protocols except HTTPS; (3) a SYN+ACK with a corrupted acknowledgment number triggers resync only for FTP. Strategy 1's 50% per-attempt success rate for HTTP is confirmed to result from the 50% probability of the GFW entering the resynchronization state on an injected RST, consistent with Wang et al. [36].

2020-bock-come §5.1 dpirst-injectionmiddlebox-interference

The paper presents 11 purely server-side censorship evasion strategies requiring zero client-side software, successfully bypassing censorship in China, India, Iran, and Kazakhstan across DNS-over-TCP, FTP, HTTP, HTTPS, and SMTP. All strategies manipulate only TCP handshake packets (primarily the SYN+ACK) and were verified against 17 versions of 6 client operating systems (Windows XP–Server 2018, MacOS, iOS, Android, Ubuntu, CentOS) with unmodified clients.

2020-bock-come §1, §5, Table 2 dpirst-injectionmiddlebox-interference