HTTPS connections on port 443 received forged replies.
Chinese web users couldn’t access websites outside the People’s Republic yesterday. The outage lasted an hour and a quarter—with no explanation. Nobody’s sure whether it was a mistake or an ominous test of new censorship capabilities.
But some are linking it to a recent outage in Pakistan. In today’s SB Blogwatch, we shave with Hanlon’s razor.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fact or fraud?
Xi Whiz
What’s the craic? Simon Sharwood says: China cut itself off from the global internet
“Huge drop”
[The] disruption meant Chinese netizens couldn’t reach most websites hosted outside China, which is inconvenient. The incident also blocked other services that rely on port 443, which could be more problematic because many services need to communicate with servers or sources of information outside China for operational reasons. For example, Apple and Tesla use the port to connect to offshore servers that power some of their basic services.
…
If asked nicely, China will share the tech behind the Great Firewall with other nations. … Pakistan is thought to have implemented its own version of the Firewall and … experienced a huge drop in local internet traffic a few hours before the port 443 incident in China.
Blocked how? Here’s what Nathaniel Mott’s got: China’s Great Firewall blocked all traffic to a common HTTPS port
“China can’t pull a North Korea”
A site dedicated to monitoring China’s internet censorship systems … claimed the Great Firewall “exhibited anomalous behavior by unconditionally injecting forged TCP RST+ACK packets to disrupt all connections on TCP port 443” for approximately 74 minutes before resuming its normal processes. … The bigger mystery is whether or not the behavior seen on August 20 was intended. … But the group’s investigation into this blip was hindered by its short duration.
…
The Chinese government is effectively trying to have its cake and eat it too. Blocking connections to the rest of the world would be economically devastating, so China can’t pull a North Korea by cutting off access to the broader internet. But it doesn’t want to provide unfettered access to information, either. … Instead the GFW is a weird compromise.
Horse’s mouth? Mingshi Wu is lost in translation: Analysis of the GFW’s Unconditional Port 443 Block on August 20, 2025
“Does not match the fingerprints”
Our primary findings are:
1. The unconditional RST+ACK injection was on TCP port 443, but not on other common ports like 22, 80, 8443.
2. The unconditional RST+ACK injection disrupted connections both to and from China, but the trigger mechanism was asymmetrical. For traffic originating from inside China, the SYN packet from the client and the SYN+ACK packet could each trigger three injected RST+ACK packets. For traffic to inside China, only the server’s SYN+ACK response, not the client’s SYN packet, could trigger the RST+ACK packets.
3. The responsible device does not match the fingerprints of any known GFW devices, suggesting that the incident was caused by either a new GFW device or a known device operating in a novel or misconfigured state.
“Misconfigured”? Yeah, right—geekmux scoffs at that idea:
Call it what it is already: A Test. … Injecting forged packets doesn’t sound like a “whoops” error. And to leave it alone for an entire hour?
…
What the hell were they waiting on to fix it? Was the metric ****ton of negative impact in the first 5 minutes not quite enough?
Conversely, ch3nyang opts for the simpler answer:
Not only individuals, but also major companies were locked down. If this was a dry run for “certain measures” in the future, I can’t believe how much of a blow it would cause to the economy. Therefore, I think this was more of a human error.
Or could it be outside influence? Here’s Elongated Muskrat:
There’s a possibility this wasn’t intentional. Whilst there are the obvious explanations of a test of capabilities, a screw-up, or genuine censorship of something (seemingly successfully so), there’s also the possibility that this was a demonstration of disruptive capability from another power.
…
[i.e.,] “We can cut you off from the internet via a DoS attack,” kind of thing from [say] the US or Israel. If I wanted to send a warning shot to another nation in a way that says, “I can do this at any time,” but maintain plausible deniability, then this might be one way to go about it.
Who cares? Chinese citizens hardly use any web services outside China. But chickenzzzzu explains one impact:
Think of how many people who have remote jobs with American companies couldn’t connect to their meetings while they “work from home” while secretly being … full fledged Chinese nationals, living permanently in China, paid a salary to pretend to be an American who had their identity stolen.
Accessing the worldwide web is hard enough at the best of times, observes dwater:
Cloudflare is worse. It is a royal [pain] for people inside China wanting to access sites outside China — which mostly means foreigners, of course. Cloudflare blocks or challenges almost all accesses.
Meanwhile, AMBxx quips this “meanwhile” quip:
Meanwhile, the firewall on my website blocks all traffic from China. I guess this makes us even.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij or @richi.bsky.social. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Alejandro Luengo (via Unsplash; leveled and cropped)