Analysis of the GFW's Unconditional Port 443 Block on August 20, 2025
67 comments
·August 20, 2025kotri
Terrible, this is Internet curfew. It's not uncommon to imagine they'd shutdown Internet across border during any war (like against Taiwan).
outworlder
> Terrible, this is Internet curfew.
If you think this is bad...
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed in the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Nginxia it's NWCD
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shutdown cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shutdown any website they want.
UltraSane
AWS in China also doesn't have the Key Management Service, which leads to me to conclude it must be pretty secure.
I added an A record for subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?
bawolff
Or they just dont want to be put in the position of having to give out keys.
I think the real paranoid people use cloudHSM.
veunes
The infrastructure for that kind of control clearly already exists. What's unclear is how coordinated or deliberate these events are versus being side effects of testing or internal changes
wkat4242
Could you bring something like a starlink mini for backup i wonder? Id imagine this would be very worrying being stuck there as a foreigner in such a situation.
mryall
Starlink connects you to the internet via a ground station in the country where you are registered, and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
eastbound
In fact, it’s a common tactic to do something unusual, in a recurrent way, so people aren’t alerted when it happens for real. (When the Mossad stole 7 boats from a French port (that they had fully paid), they prepared a few months in advance by having the pilots start the engines every night at 23:00, pretending they needed it against the cold temperatures. When they day came, they started the engines and left, no-one saw it coming).
vintermann
It could also be a test to look for surprising things that break, in case they want to do this permanently at some later point.
woooooo
Hanlon's and Occam's razors point to it being a mistake by the GFW operators, imo.
If it's on purpose, I think you have the most likely motivation.
hackernewsdhsu
That's what's so great about LoRA. Decentralized txt msgs, ultra cheap radios people run at home or wherever. $10-35USD ON AMAZON. Least txts get through.
phantomathkg
It won't get you from where you are to China though.
wkat4242
No but something like WSPR or FT8 would. Needs a license though.
technics256
How would one get around this if they found themselves in such a situation?
est
In this exact scenario, just use ports other than :443
But GFW certainly had the capability to block all ports. So no one really knew.
SuperMouse
[dead]
molticrystal
Well for starters recreate the situation and test out different approaches. Thanks to the detailed analysis that can be done.
If I understand right, a good next step would would be with eBPF or some type of proxy ignore the forged RST+ACK at the beginning.
Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
chickenzzzzu
Think of how many people who have remote jobs with American companies couldn't connect to their meetings while they "work from home" while secretly being in China!
Normally they have to fight VPN issues anyway, but having a sovereign state inject your packets is certainly a fun new one.
veunes
How many people suddenly "lost internet" mid-meeting and had to blame it on their router...
ChrisMarshallNY
I suspect those connections worked fine.
It’s good to know the boss.
chickenzzzzu
I definitely appreciate that a percentage of so called "employees" are actually just full fledged Chinese nationals, living permanently in China, paid a salary to pretend to be an American who had their identity stolen.
But there absolutely is also a non-negligible number of Chinese and Indian nationals, who have some type of visa status in the US (especially a green card) who spend many months in their original countries making $200,000 or more per year while living like royalty in their home countries :)
bapak
The green card isn't citizenship, you lose it if you don't live in the US. It's not like they don't know when you enter or exit the country.
tietjens
How common can this really be? And what kind of companies? I’m finding it really hard to imagine this to be widespread.
Ayesh
I live in a popular Digital Nomad friendly country, and myself included, work with Europe/American companies roughly matching their time zones.
Now, the people I work with know that I'm not really located in the same time zone, but I know people who don't bother to mention it. I rarely get phone calls, but I have a roaming connection active for banking/OTP/etc. Plenty of cheap cafes with great WiFi (500mbps+ almost everywhere), and several times cheaper too.
esseph
Lookup the North Korean version of this with the laptop farms
Example: https://www.justice.gov/opa/pr/justice-department-announces-...
chickenzzzzu
Sadly much more common than it should be. The durations vary widely, but with the price of airline tickets and the nature of corporate software engineering jobs, it's extremely easy to self-justify a month abroad. The US government allows 6 months officially for green card holders.
If it wasn't literally 10x cheaper to live abroad than it is to live in Seattle/San Jose, it wouldn't be as prevalent. And not to mention, the quality of life is often better at the 10x cheaper price as well.
I can give you as much proof as you would like!
wkat4242
Yeah if I'd sneak off to work from another place I'd pick somewhere really nice. Not China.
djtango
China spans 9.6M km. It has some of the biggest and most modern megacities (Beijing, Shanghai, Chongqing, Shenzhen to name a few) and features ancient historical wonders like the Great Wall, Forbidden City and Terracotta Warriors.
The nature spans salt lakes and rainbow mountains akin to South America, to the Northern Lights in Mohe down to karst formations of Guilin shared with Vietnam's Halong Bay.
The cuisine is diverse and dishes popular in places like Xi'an reveal lasting influences dating back to the Silk Road.
If you can't find "somewhere really nice" amongst the myriad people and locations you haven't tried.
dbetteridge
Have you ever been to China?
Because they have some of the most beautiful scenery and buildings I've seen and I've been to dozens of countries.
Personally I wouldn't go there for remote work, because the internet interference is a pain but a holiday definitely.
chickenzzzzu
You say that because you don't hold a Chinese or Indian passport. Now think of those who do, who have family obligations, food preferences, local bank accounts.
jart
It's kind of disingenuous to call that blocking. Imagine what people would say about Cloudflare if they had an hour long outage.
JumpCrisscross
> Imagine what people would say about Cloudflare if they had an hour long outage
That Cloudflare had an outage. Not America.
flohofwoe
> That Cloudflare had an outage. Not America.
You probably mean the USA? After all, it was China and not Asia which was responsible for the incident ;)
est
outage would mean a connection timeout
in this case, the connection works fine, some extra RST+ACK packets were delivered to your network on purpose
jart
Which could easily be explained by a buggy rollout to their great firewall. What does China gain from intentionally blocking SSL for one hour? The idea is completely ridiculous. America isn't going disrespect its way to victory when dealing with her adversaries.
preisschild
I mean... it got blocked by their censorship infrastructure, does it really matter if it only got misconfigured?
neuroelectron
They probably had a good reason to do it if they resorted to such extreme measures.
outworlder
There's no good reason to do that.
veunes
But "good reason" depends a lot on your perspective
rfoo
Pretty sure it's an incident.
preisschild
Yeah, dont want their citizens to voice anti-CCP thoughts
> from a vantage point(s)
Lists a single AS45090.
> multiple sources
From a Telegram group, reports from people from the same AS.
I think these people are overthinking. Probably a misconfigured firewall rate limiting some bots or crawler from the network.
But yeah go on, China bad.