On August 20, 2025 from approximately 00:34 to 01:48 Beijing Time (74 minutes), the GFW unconditionally injected TCP RST+ACK packets on all port 443 traffic, regardless of payload content, disrupting all TCP/443 connections between China and the rest of the world. The injected packets came in triples with incrementally increasing TTL and window size fields — a fingerprint that does not match any previously catalogued GFW device — indicating either a new device or a known device in a novel or misconfigured state. The blocking was port-443-specific: ports 22, 80, 8443, and others were unaffected during the same window.

The August 20, 2025 unconditional RST event revealed an asymmetry in the GFW's triggering mechanism: for traffic originating inside China, both the client SYN and the server SYN+ACK each independently triggered three injected RST+ACK packets (six total per connection). For traffic to China from outside, only the Chinese server's SYN+ACK triggered RSTs — the foreign client's SYN alone was insufficient. This asymmetry implies the responsible device observed the SYN+ACK from the Chinese server as the trigger condition, not a port-match rule on the SYN.

§2.1, §2.2 detection

After a censored connection, 50–75% of subsequent connections from the same client IP to the same server IP and port are blocked for 90 seconds even without censored keywords ("penalty box"). The penalty box is strictly scoped to the (client IP, server IP, server port) triple — other ports at the same server IP or other server IPs are unaffected. The GFW monitors HTTP keyword traffic on every TCP port, not just port 80.

2021-rambert-chinese §4.4, §4.5 keyword-filteringrst-injectionport-blocking

Winter and Lindskog [157] (2012) documented that the GFW used TLS SNI inspection in combination with IP/port filtering and TCP disruption to block Tor, as recorded in the survey's Table 1. This is one of the earliest published accounts of the GFW applying SNI-based blocking specifically to a circumvention protocol, demonstrating that the GFW correlated multiple detection signals rather than relying on any single technique.

2015-aceto-internet Table 1 sni-blockingip-blockingport-blockingrst-injection

Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.

2015-aceto-internet Table 1 bgp-hijackdns-poisoningport-blockingip-blockingrst-injectiontls-fingerprintkeyword-filteringdpi

Post-trigger blocking persisted for an average of ~20 minutes (observed range: a few minutes to nearly an hour) per source-IP/destination-IP pair, but was scoped to the 128 TCP port numbers sharing the same 7 most-significant bits as the triggering connection's ephemeral port. On pseudo-random ephemeral-port systems such as OpenBSD, the probability of a subsequent connection falling in the blocked port range is only ~1 in 500; on sequential-port systems such as Windows, an average of 64 further connections are blocked.

2006-clayton-ignoring §6.1 rst-injectionport-blocking

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

During the June 2025 shutdown, Iranian authorities blocked international One-Time Password (OTP) SMS delivery, preventing new sign-ins to foreign secure-messaging platforms and VPN services. This forced users toward government-approved domestic platforms that lack security and privacy protections. The blockade of OTPs effectively weaponized account-recovery flows as a secondary shutdown layer, disproportionately affecting users who needed to activate new circumvention tools during the crisis.

2025-iran-shutdown-measurement §Human Rights Implications port-blockingdpikeyword-filtering