| gfw.report
中国的防火长城(GFW)于2025年8月20日对 TCP 443 端口实施了大规模、无差别的封锁。本报告记录了我们对该事件的测量与分析。| GFW Report
The Great Firewall of China (GFW) conducted a large-scale, unconditional block targeting TCP port 443 on August 20, 2025. This report documents the measurements and analysis we conducted of that event.| GFW Report
Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China Ali Zohaib∗ University of Massachusetts Amherst Qiang Zao∗ GFW Report Jackson Sippe University of Colorado Boulder Abdulrahman Alaraj University of Colorado Boulder Amir Houmansadr University of Massachusetts Amherst Zakir Durumeric Stanford University Eric Wustrow University of Colorado Boulder *Ali Zohaib and Qiang Zao contributed equally to this work. Abstract Despite QUIC handshake packets being encryp...| Great Firewall Report - GFW Report on Great Firewall Report
尽管 QUIC 握手数据包是加密的,中国防火长城(GFW)自2024年4月7日起,已开始封锁针对特定域名的 QUIC 连接。在此次研究中,我们对 GFW 针对 QUIC 的审查行为进行了测量与分析,以理解其封锁方式以及封锁对象。我们的测量结果显示,GFW 能够大规模解密 QUIC Initial 数据包,应用启发式过滤规则,并采用与其他审查机制不同的封锁名单。我们揭示了这一新系统的一个关键缺陷:...| GFW Report
What We Do --- GFW Report is a long-term censorship monitoring platform, aiming at advancing the understanding and spreading the awareness of Internet censorship. Our platform has a primary focus on the Internet censorship in China as it is one of the most repressive censoring regimes that has been developing and deploying notoriously sophisticated censorship techniques. News --- May 2025: S&P'25: A Wall Behind A Wall: Emerging Regional Censorship in China February 2025: NDSS'25: Wallbleed: A...| Great Firewall Report - GFW Report on Great Firewall Report
A Wall Behind A Wall: Emerging Regional Censorship in China Mingshi Wu∗ GFW Report gfw.report@protonmail.com Ali Zohaib∗ University of Massachusetts Amherst azohaib@umass.edu Zakir Durumeric Stanford University zakir@cs.stanford.edu Amir Houmansadr University of Massachusetts Amherst amir@cs.umass.edu Eric Wustrow University of Colorado Boulder ewust@colorado.edu *Mingshi Wu and Ali Zohaib contributed equally to this work. Abstract China has long orchestrated its Internet censorship throu...| Great Firewall Report
墙中之墙:中国地区性审查的兴起 Mingshi Wu∗ GFW Report gfw.report@protonmail.com Ali Zohaib∗ University of Massachusetts Amherst azohaib@umass.edu Zakir Durumeric Stanford University zakir@cs.stanford.edu Amir Houmansadr University of Massachusetts Amherst amir@cs.umass.edu Eric Wustrow University of Colorado Boulder ewust@colorado.edu *Mingshi Wu 和 Ali Zohaib 对这项工作贡献相当。 摘要 长期以来,中国的互联网审查有着相对集中的政策和统一...| Great Firewall Report
The open dataset contains code and datasets for the paper: Triplet Censors: Demystifying Great Firewall’s DNS Censorship Behavior. Updates If you have any question, comment or feedback, please feel free to leave them on the pad. We will have a summary of our paper on this page within days. Please check back! As of August 11, 2020, we have released all our code and datasets to the maximum extend that does not harm our anonymity. These code and datasets support all major findings in our paper...| Great Firewall Report
三重审查:揭秘防火长城的DNS审查行为 Anonymous Arian Akhavan Niaki University of Massachusetts Amherst Nguyen Phong Hoang Stony Brook University Phillipa Gill University of Massachusetts Amherst Amir Houmansadr University of Massachusetts Amherst 摘要 中国的防火长城(GFW)长期以来一直使用DNS数据包注入来审查互联网访问。在这项工作中,我们使用Alexa前100万个域名作为测试列表分析了GFW在九个月内的DNS注入行为。我们...| Great Firewall Report
Wallbleed(墙出血):中国防火长城中的内存数据泄露漏洞 Shencha Fan GFW Report gfw.report@protonmail.com Jackson Sippe University of Colorado Boulder Jackson.Sippe@colorado.edu Sakamoto San Shinonome Lab 54k4m070@proton.me Jade Sheffey University of Massachusetts Amherst jsheffey@cs.umass.edu David Fifield david@bamsoftware.com Amir Houmansadr University of Massachusetts Amherst amir@cs.umass.edu Elson Wedwards ElsonWedwards@proton.me Eric Wustrow University of Colorado Bo...| Great Firewall Report
How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic Mingshi Wu GFW Report Jackson Sippe University of Colorado Boulder Danesh Sivakumar University of Maryland Jack Burg University of Maryland Peter Anderson Independent researcher Xiaokang Wang V2Ray Project Kevin Bock University of Maryland Amir Houmansadr University of Massachusetts Amherst Dave Levin University of Maryland Eric Wustrow University of Colorado Boulder Abstract One of the cornerstones in censorship circu...| Great Firewall Report
中国的防火长城是如何检测和封锁完全加密流量的 Mingshi Wu GFW Report Jackson Sippe University of Colorado Boulder Danesh Sivakumar University of Maryland Jack Burg University of Maryland Peter Anderson Independent researcher Xiaokang Wang V2Ray Project Kevin Bock University of Maryland Amir Houmansadr University of Massachusetts Amherst Dave Levin University of Maryland Eric Wustrow University of Colorado Boulder 摘要 全加密协议是翻墙生态系统中的一块基...| Great Firewall Report
On September 20, 2021, Apple released iCloud Private Relay (archive) as a new service on iOS 15, iPadOS 15, and macOS Monterey. Although Apple does not introduce Private Relay as a censorship circumvention tool, in this post, we attempt to understand the potential value of iCloud Private Relay for censorship circumvention. We first introduce how private relay works based on Apple’s documents and our measurement. We then present our empirical observation on its censorship resilience, support...| Great Firewall Report
On September 20, 2021, Apple released iCloud Private Relay (archive), a new capability embedded into iOS 15, iPadOS 15, and macOS Monterey. Its objective is to enhance the privacy and security of Apple users who surf the web in Apple’s Safari browser. This comes as an exciting news to privacy advocates, especially given Apple’s controversial plans for inspecting iCloud photos, a decision that has caused outrage in the privacy community. In this report, we present an early analysis of iClo...| Great Firewall Report
苹果公司于2021年9月20日,发布了一项名为iCloud Private Relay (archive)的新服务,包含在iOS 15, iPadOS 15和macOS Monterey中。 尽管苹果公司没有将它的翻墙功能作为卖点,在这篇报告中,我们试图理解iCloud Private Relay的翻墙价值。首先,基于我们的测量和对苹果文档的理解,我们介绍Private Relay的工作原理。接着我们通过在中国进行的测量实验实证性地评估Private Relay的抗封锁能力。截...| Great Firewall Report
In our recent IMC'20 work (paper, talk) we provided insight into the combination of traffic analysis and active probing techniques that the Great Firewall uses to detect and block Shadowsocks servers. In this short post, we provide practical suggestions for non-technical users and circumvention tool developers to prevent their circumvention servers from being detected and blocked. We also introduce the mitigation to partitioning oracle attacks newly demonstrated by Len et al.. If your Shadows...| Great Firewall Report
This tutorial documents how to install, configure and maintain a Shadowsocks-libev server. One cool thing about this tutorial is, by following this tutorial, your Shadowsocks-libev servers should be able to defend against various attacks, including active probing from the GFW and the partitioning oracle attack. Additionally, we compile a list of commonly asked questions, debunking common myths of Shadowsocks-libev. As of November 7, 2021, we received a few reports on the blocking of Shadowsoc...| Great Firewall Report
这篇教程记录了如何安装,配置并维护一台Shadowsocks-libev服务器。 这篇教程的亮点在于, 按照这里的配置建议,你的Shadowsocks-libev服务器可以抵御各种已知的攻击, 包括来自GFW的主动探测和封锁以及partitioning oracle攻击。 我们还在教程的最后加入了有关Shadowsocks-libev部署的常见问题。 截止2021年11月7日,我们收到零星的用户报告按此教程配置的服务器仍遭到了端口封锁,我们...| Great Firewall Report
在近期的IMC'20的工作中(论文, 演讲),我们揭示了中国的防火长城采用流量分析与主动探测相结合的手段来检测和封锁Shadowsocks服务器。 在这篇短文中,我们将分别向技术小白和翻墙软件开发者提供防御GFW主动探测的实用建议。 我们还将介绍Len et al.展示的partitioning oracle攻击的缓解办法。 如果在遵循了本文的建议后,你的Shadowsocks服务器仍被封锁,请将封锁情况汇报给GFW Report...| Great Firewall Report
A typical DNS poisoning event consists of three steps: A client sends a DNS query to a DNS server, asking for the IP address of a sensitive domain; the GFW observes the query and injects a forged DNS response, telling the client a wrong IP address; the client receives the forged response, and attempts to connect to the wrong IP address. But what will happen after step 3? While packets sent to these wrong IP addresses are often believed to be dropped or null-routed; in this report, we document...| Great Firewall Report
This is the talk for our paper How China Detects and Blocks Shadowsocks. You can select English or Chinese subtitle by clicking the cc button on the video. Video This is “How China Detects and Blocks Shadowsocks”, by GFW Report, Jan Beznazwy and Amir Houmansadr. I’m David Fifield and I’m presenting this work on behalf of the authors, most of whom are anonymous. I have experience researching in this field and the authors have acquainted me thoroughly with this work. The grand summary o...| Great Firewall Report
论文摘要 在这项研究中,我们揭示了中国的防火长城(GFW)是如何检测并封锁Shadowsocks及其变种的。通过网络测量实验,我们发现GFW会根据每个连接中的第一个数据包的长度和熵来识别Shadowsocks流量;然后再向被怀疑是Shadowsocks的服务器分阶段地发送7种不同的主动探测,来验证其怀疑。 我们开发了一个主动探测模拟器,并用它来分析不同的主动探测对不同版本的Shadowsocks的作...| Great Firewall Report
这场演讲介绍了我们的IMC'20论文: Shadowsocks是如何被检测和封锁的。 你可以点击视频下方的cc按钮来选择中文或英文字幕。 Video 这是关于"中国是如何检测和封锁Shadowsocks的"的论文介绍, 该论文出自GFW Report,Jan Beznazwy和Amir Houmansadr。 我是David Fifield。我今天代替作者做论文介绍, 因为他们中大多数都是匿名的。 我有在这个领域的研究经验, 而且在作者的帮助下, 我已经完全...| Great Firewall Report
Explanations on datasets The open dataset contains code and datasets for the paper: How China Detects and Blocks Shadowsocks. We introduce the major components of the dataset below. Paper The paper directory includes: the CSVs of probe metadata, along with the code that generates CSVs from PCAPs the source code, including Makefile, that reproduces all figures (except Figure 1 and 10) in the paper the source code of latex pp.sh code/pp.sh Parallelly Parses all pcap files in a specified directo...| Great Firewall Report
The open dataset contains code and datasets for the paper: Triplet Censors: Demystifying Great Firewall’s DNS Censorship Behavior. Updates If you have any question, comment or feedback, please feel free to leave them on the pad. We will have a summary of our paper on this page within days. Please check back! As of August 11, 2020, we have released all our code and datasets to the maximum extend that does not harm our anonymity. These code and datasets support all major findings in our paper...| Great Firewall Report
On 2020-07-30, iyouportreported (archive) the apparent blocking of TLS connections with the encrypted SNI (ESNI) extension in China. iyouport says that the first occurrence of blocking was one day earlier, on 2020-07-29. We confirm that the Great Firewall (GFW) of China has recently begun blocking ESNI—one of the foundational features of TLS 1.3 and HTTPS. We empirically demonstrate what triggers this censorship and how long residual censorship lasts. We also present several evasion strateg...| Great Firewall Report
iyouport于2020年7月30日报告 (存档)中国封锁了带有ESNI扩展的TLS连接。 iyouport称初次封锁见于2020年7月29日。 我们确认中国的防火长城(GFW)已经开始封锁ESNI这一TLS1.3和HTTPS的基础特性。我们在本文中实证性地展示如何触发审查,并研究"残余审查"的延续时长。 我们还将展示7种用Geneva发现的基于客户端或服务端的绕过审查策略。 什么是加密服务器名称指示(ESNI)? TLS是网络通...| Great Firewall Report
Several weaknesses were discovered in the V2Ray recently, which could be used to identify V2Ray clients or servers that run VMess, TLS or HTTP protocol. Below is our summary and understanding on these weaknesses. In general, these weaknesses fall into three categories: Inappropriate authentications in VMess, making the servers vulnerable to replay attacks. Hardcoded unique ciphersuites, leading to the rarely-seen fingerprints of the TLS ClientHello messages. Failed attempt to parrot/mimic the...| Great Firewall Report
近期数个V2Ray的弱点被发现。这些弱点可以被用来识别使用VMess、TLS或HTTP协议的V2Ray客户端和服务器。 以下是我们对这些弱点的总结和理解。 总体上,这些弱点可分为三类: VMess服务器没有正确验证客户端的请求,使得服务器可受到重放攻击。 客户端硬编码了一套罕见的TLS密码套件,导致客户端发送的TLS ClientHello拥有几乎独一无二的指纹。 伪装成HTTP服务器的企图失败。 针...| Great Firewall Report
I came across a one-liner script by @gfwrev and got seriously impressed by it. Although it does not work anymore, I still would like to have a writeup on it for its beauty and for the author’s creativity. The one-liner named gfw-looking-glass.sh is as follows: while true; do printf "\0\0\1\0\0\1\0\0\0\0\0\0\6wux.ru\300" | nc -uq1 $SOME_IP 53 | hd -s20; done As shown in the figure below, it was able to print out part of the memory of the GFW. But how? nc nc -uq1 $SOME_IP 53 sends input from ...| Great Firewall Report
我近日被@gfwrev所写的一行脚本深深吸引。尽管它已经失效,但它所流露出来的创意与美感仍值得被记录。 这行名为gfw-looking-glass.sh的脚本如下: while true; do printf "\0\0\1\0\0\1\0\0\0\0\0\0\6wux.ru\300" | nc -uq1 $SOME_IP 53 | hd -s20; done 如下图所示,它可以被用来打印出GFW内存中的某一部分。这是怎么做到的呢? nc nc -uq1 $SOME_IP 53 会把在stdin收到的信息以UDP包的形式发送给$SOME_IP的53端口。如@g...| Great Firewall Report
Shadowsocks is one of the most popular circumvention tools in China. Since May 2019, there have been numerous anecdotal reports of the blocking of Shadowsocks from Chinese users. This report contains preliminary results of research into how the Great Firewall of China (GFW) detects and blocks Shadowsocks and its variants. Using measurement experiments, we find that the GFW passively monitors the network for suspicious connections that may be Shadowsocks, then actively probes the corresponding...| GFW Report
在中国,Shadowsocks 是最流行的翻墙软件之一。从2019年5月起,大量的中国网民反馈他们的Shadowsocks服务器被封锁了。这篇报告是我们对中国的防火长城(GFW)是如何检测和封锁Shadowsocks及其衍生翻墙软件的初步调查结果。通过网络测量实验,我们发现GFW会被动的监视网络流量从而识别出疑似Shadowsocks的网络流量;然后对对应的Shadowscoks服务器进行主动探测已验证其怀疑的正确与...| GFW Report
We present Wallbleed, a buffer over-read vulnerability that existed in the DNS injection subsystem of the Great Firewall of China. Wallbleed caused certain nation-wide censorship middleboxes to reveal up to 125 bytes of their memory when censoring a crafted DNS query. It afforded a rare insight into one of the Great Firewall’s internal architecture and the censor’s operational behaviors.| GFW Report
