The GFW's dominant exploitable discrepancy is accepting data packets whose TCP sequence number is ≤ the initial sequence number (ISN), while Linux rejects such packets as out-of-window. This single 'SEQ ≤ ISN' strategy accounts for the majority of the 3,152 successful evasion-packet cases against the GFW out of 4,587 total successful evasions.
From 2020-wang-symtcp — SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery
· §VIII.C
· 2020
· Network and Distributed System Security
Implications
Prepend an evasion packet with SEQ ≤ ISN before the sensitive payload; the GFW's TCP reassembly de-synchronizes and the subsequent data packet passes inspection while the server ignores the throwaway segment — no application-layer obfuscation required.
This discrepancy is at the TCP reassembly layer, making it protocol-agnostic: it works regardless of whether the overlying protocol is HTTP, TLS, or a custom circumvention protocol.