1. Introduction

Between approximately 00:34 and 01:48 (Beijing Time, UTC+8) on August 20, 2025, the Great Firewall of China (GFW) exhibited anomalous behavior by unconditionally injecting forged TCP RST+ACK packets to disrupt all connections on TCP port 443. This incident caused massive disruption of Internet connections between China and the rest of the world (source1 and source2).

This report documents our measurements and analysis of this temporary, widespread blocking event. Our primary findings are:

- The unconditional RST+ACK injection was on TCP port 443, but not on other common ports like 22, 80, and 8443.
- The unconditional RST+ACK injection disrupted connections both to and from China, but the trigger mechanism was asymmetrical. For traffic originating from inside China, the SYN packet from the client and the SYN+ACK packet could each trigger three injected RST+ACK packets. For traffic to inside China, only the server’s SYN+ACK response, not the client’s SYN packet, could trigger the RST+ACK packets.
- The responsible device does not match the fingerprints of any known GFW devices, suggesting that the incident was caused by either a new GFW device or a known device operating in a novel or misconfigured state.

It is important to note that our analysis was limited by the short duration of the incident (approximately 74 minutes). We encourage others in the community to share their observations to build a more complete picture of this event.

2. Triggering the blocking

We first confirmed the blocking by sending probes from a vantage point inside of China (AS45090, Tencent Cloud, Beijing), and from multiple vantage points outside of China.

2.1 Inside-out triggering

In particular, we used the following command to try to establish a TCP handshake with a $NON_CN_IP:

    nc -vn $NON_CN_IP 443
    nc: connect to $NON_CN_IP port 443 (tcp) failed: Connection refused

We simultaneously used tcpdump to capture traffic:

    tcpdump -n host $NON_CN_IP

It appears that the SYN packet trigge...
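
The following is an added example, not code from the report or its authors: it reads the text output of a tcpdump -n capture like the one above and tallies, per flow on port 443, how many RST+ACK packets follow a SYN and how many follow a SYN+ACK. The sample lines, addresses and packet directions are constructed, and attributing each reset to the flow's most recent handshake packet is an assumption of this example.

```python
import re
from collections import defaultdict

# tcpdump -n text output, IPv4 TCP: "IP src.sport > dst.dport: Flags [..], ..."
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")
KINDS = {"S": "SYN", "S.": "SYN+ACK"}

def rst_ack_bursts(lines, port=443):
    """Per flow, count RST+ACKs that follow a SYN and that follow a SYN+ACK.
    Assumption: a reset is attributed to the flow's latest handshake packet."""
    last, counts = {}, defaultdict(lambda: {"SYN": 0, "SYN+ACK": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        a, b = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        if port not in (a[1], b[1]):
            continue
        flow = tuple(sorted((a, b)))        # one key for both directions
        if m["flags"] in KINDS:
            last[flow] = KINDS[m["flags"]]
        elif m["flags"] == "R." and flow in last:
            counts[flow][last[flow]] += 1
    return dict(counts)

def suspicious_flows(bursts, threshold=2):
    """A closed port sends one RST+ACK per SYN; flag flows with a larger burst."""
    return [flow for flow, c in bursts.items() if max(c.values()) >= threshold]

# Constructed capture using documentation addresses, not data from the report.
SAMPLE = """\
00:40:01.000001 IP 192.0.2.10.40000 > 198.51.100.7.443: Flags [S], seq 1000, win 64240, length 0
00:40:01.020001 IP 198.51.100.7.443 > 192.0.2.10.40000: Flags [R.], seq 0, ack 1001, win 0, length 0
00:40:01.020002 IP 198.51.100.7.443 > 192.0.2.10.40000: Flags [R.], seq 0, ack 1001, win 0, length 0
00:40:01.020003 IP 198.51.100.7.443 > 192.0.2.10.40000: Flags [R.], seq 0, ack 1001, win 0, length 0
00:41:05.000001 IP 203.0.113.5.50000 > 192.0.2.20.443: Flags [S], seq 2000, win 64240, length 0
00:41:05.150001 IP 192.0.2.20.443 > 203.0.113.5.50000: Flags [S.], seq 5000, ack 2001, win 65535, length 0
00:41:05.150002 IP 192.0.2.20.443 > 203.0.113.5.50000: Flags [R.], seq 5001, ack 2001, win 0, length 0
00:41:05.150003 IP 192.0.2.20.443 > 203.0.113.5.50000: Flags [R.], seq 5001, ack 2001, win 0, length 0
00:41:05.150004 IP 192.0.2.20.443 > 203.0.113.5.50000: Flags [R.], seq 5001, ack 2001, win 0, length 0
00:42:09.000001 IP 192.0.2.10.40002 > 198.51.100.7.443: Flags [S], seq 3000, win 64240, length 0
00:42:09.020001 IP 198.51.100.7.443 > 192.0.2.10.40002: Flags [R.], seq 0, ack 3001, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for flow, c in rst_ack_bursts(SAMPLE).items():
        print(flow, c, "burst" if max(c.values()) >= 2 else "single reset")
```

A single RST+ACK is also what an ordinary closed port returns, so only the burst size and which handshake packet preceded it are meaningful here.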
First seen: 2025-08-20 06:05
Last seen: 2025-08-20 19:23