Analysis of the GFW's Unconditional Port 443 Block on August 20, 2025
gfw.report
167 points by kotri 15 hours ago
> A Brief, Incomplete, and Mostly Subjective History of Chinese Internet censorship and its countermeasures
https://danglingpointer.fun/posts/GFWHistory
Posted 6 days ago (https://news.ycombinator.com/item?id=44898892)
Terrible, this is an Internet curfew. It's not uncommon to imagine they'd shut down the Internet across the border during any war (like against Taiwan).
> Terrible, this is Internet curfew.
If you think this is bad...
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal, which you can only do if you are in China and get the approval. It should also be displayed on the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS; they got kicked out. In Beijing, it is actually Sinnet; in Nginxia it's NWCD.
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shut down cross-border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shut down any website they want.
I laughed when I saw "Nginxia", thinking it was a portmanteau of, well, nginx and wuxia, a Chinese fiction genre. Reality was much less funny when I looked up NWCD; you likely just made a typo of Ningxia.
"Xia" would map to a single character (code point) in Chinese. For instance, in simplified Chinese, it could be 下 (xia, meaning down), 侠 (martial arts - like the xia in wuxia), or any number of other homophones. Since the characters are already combinatorial, I'm not sure a Chinese speaker would think of this as a portmanteau.
Not all Western companies comply with Beijing, like Route53, a name I've never heard of; Cloudflare seems to be most popular in China.
But yeah, they can shut down anything unless a proxy server is widely used, as in <Nearly 90% of Iranians now use a VPN to bypass internet censorship>.
AFAIK Route53 is AWS’s managed DNS product, not a company.
OK, AWS again. I know it not only complies with Beijing but also with Russia and many other dictatorships. It banned domain fronting and recently enforced S3 bucket-based subdomains for governments to better inspect.
Their point is that if you're served within China (aka hosted off a Chinese IP, or accessing anything from a Chinese IP) it doesn't matter if the other company interacts with or complies with China's rules; the other half of the transaction will be blocked.
So using DNS hosted outside won’t matter, because the destination Chinese IP will get blocked. Or if using outside hosting, it won’t matter, because anyone in China trying to access it will get blocked. Or anyone trying to publish anything to it the CCP doesn’t like. Presumably also with some follow up in-person ‘check-ins’.
The GFW is a pretty massive and actually impressively effective piece of technology, even if we don't agree with its purpose.
Technology backed by force is not impressively effective as a technology.
Not only that, it seems to be entirely unimpressive: The premise is that they would be able to allow everything except for what they want to censor, which isn't what they're doing.
If you allow connections to random websites outside of your jurisdiction then you're de facto allowing everything, because people can proxy arbitrary traffic that way. If you don't, you're effectively disconnecting your country from the global internet, which is not an impressive technological feat. Anybody with a backhoe can do a fiber cut.
> You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?
I guess they would find it the moment someone in China using a Chinese resolver tries to resolve your rogue record, since that would recurse to one of the root mirrors in China, which presumably feeds this mechanism.
Seems like a very minor speed bump in your plan, though: presumably something like https://www.chinafirewalltest.com would achieve that, or send a few emails for folks to click.
AWS in China also doesn't have the Key Management Service, which leads me to conclude it must be pretty secure.
I added an A record for a subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?
Or they just don't want to be put in the position of having to give out keys.
I think the real paranoid people use cloudHSM.
Actually, they wouldn't really know unless this domain is used. I guess they check the `Host` header to get the domain that targeted this IP and then check where the MX are hosted.
Could you bring something like a Starlink Mini for backup, I wonder? I'd imagine it would be very worrying being stuck there as a foreigner in such a situation.
Starlink connects you to the internet via a ground station in the country where you are registered, and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
> Starlink connects you to the internet via a ground station in the country where you are registered
Not true anymore.
> and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
This is still correct.
A friend of mine tried, no signal.
If war breaks out, it'll likely be enabled.
No it won't, but if it did, it would take just a few hours for China to shoot a bunch of them down, and with how tightly packed their orbits are, the debris would take care of the rest.
I'm not so sure debris would help take down other satellites in that orbit. The orbit is very low, so much of the debris that ends up with a deviation in its orbit will fall down. Even if it doesn't, there's still air resistance up there, which may cause more of the debris to deorbit before it has time to hit other satellites.
And I doubt China would want to make LEO impossible to move through anyway. It'd affect China badly as well.
Space is huge and the orbit is low. I'm not so sure debris would be as effective as in higher orbits.
Potentially very dangerous for everyone if they did that. It could make it impossible for even them to make a launch. Kessler Syndrome is nothing to toy with.
Starlink satellites are in very low orbit. Easy to bring down.
Very expensive to take down 10-100k at once. No one today has that many anti-sat-capable missiles stockpiled.
Relevant, Chinese domestic media reporting on China's own perspective:
https://www.scmp.com/news/china/science/article/3178939/chin... ("China military must be able to destroy Elon Musk’s Starlink satellites if they threaten national security: scientists" (2022))
> "Researchers call for development of anti-satellite capabilities including ability to track, monitor and disable each craft / The Starlink platform with its thousands of satellites is believed to be indestructible"
"Easy to bring down" vs. "believed to be indestructible"—some tension there!
EMP?
If you're talking about nuclear weapons, their major effect on satellites (Starfish Prime as the reference point) isn't EMP effects, but ionizing radiation—creating a persistent radiation belt of MeV electrons. (A physical process that took months to disable some satellites). Beyond that I don't know much.
At the point anyone is using nukes in LEO, things have gotten really out of control already.
how though?
https://en.wikipedia.org/wiki/2007_Chinese_anti-satellite_mi...
Every major power has polluted near Earth space as a show of power.
One missile for one satellite? This gets expensive really fast.
They follow well-defined orbits and are propellant-limited. You could easily cover their trajectory with some shrapnel and attack it one lane at a time.