The great (fire)wall: how China's internet works

· 9 min read

By Kyle Jeong

A few weeks ago, I traveled through China, a country famous for two great walls: the 13k+ mile stone one you can walk on,

Kyle at the Great Wall of China
me on the great wall
Aerial view of the Great Wall of China

And the Great Firewall (GFW), a machine.

This post covers how their country-wide firewall works.

TLDR; A mirror of every packet gets scanned against a blocklist in milliseconds, and if you hit one, a forged reply is fired back to kill the connection before the real server's answer can arrive. The whole system is a bet that a spoofed packet, sent from closer, beats the truth.


The shape of China's internet

China adopted the internet (reluctantly) around the same time that the rest of the world did in 1994. The CCP initially pushed back and believed the internet would do more harm than good, and tried to stop citizens from accessing it. Running a propaganda machine is hard enough, imagine introducing the internet: a place where anyone could publish information and anyone with access could consume it.

Today, nearly all traffic between China and the outside world crosses through a small number of international gateways run by three state carriers (China Telecom, China Unicom, China Mobile), landing at roughly ten backbone access points tied to submarine-cable stations.

The system grew out of the Golden Shield Project, spun up in 1998 under chief architect Fang Binxing, the "father of the Great Firewall."


In-path vs on-path

A firewall is a filter between two networks deciding which packets live and which die. There are two ways to wire one, and the difference controls everything downstream.

In-path (inline) means the box (a dedicated firewall or DPI appliance, or filtering built into the border router itself) physically sits in the traffic path. Every packet routes through it, so it can drop, delay, or rewrite anything. This is total control, but at scale it becomes a bottleneck and SPOF, and sizing an inline box for a country's entire border bandwidth is as expensive as you can imagine.

On-path means the box sits off to the side and gets a copy of the traffic via a tap. It observes everything but cannot stop a packet already in flight. Its only weapon is to inject forged packets and hope they arrive first. The GFW is on-path, sometimes called "inline passive," and that constraint is why it must win a physical race rather than simply drop your data (Censored Planet, Marczak et al. 2015).

Since injected packets and the real packets coexist, you can observe both.

drag the server-distance slider: the closer the real server, the more often its response beats the injected reset

The hardware: tap, detect, inject

There are three physical stages, and they run as separate systems.

1. Tap: The router copies the packet.

The gateway router copies every passing packet at line rate, either through an optical splitter (a prism on the fiber that duplicates the light) or a SPAN port (switched port analyzer, a router feature that mirrors traffic to another port).

The copy is made at the router's ASIC / NP layer (application-specific chip and network processor that forward packets in hardware, not the CPU), so the original packet keeps moving with zero added latency (hardware DPI overview).

2. Detect: They inspect the info in the packet.

The mirrored copies fan out to a cluster of DPI boxes (deep packet inspection), sourced largely from Huawei and ZTE. One link carries more traffic than any single box can handle, so the cluster load-balances. Every packet in a given TCP connection is hashed to the same process, so that process can hold the connection's state.

These detectors reassemble IP fragments and TCP segments, track the handshake, and (since late 2008) just inspect the first HTTP GET or the TLS handshake rather than every individual packet. Unfortunately, hashing to process is also a weakness. If the outbound and return paths of a connection traverse different gateways (asymmetric routing), no single process sees the whole flow, and the firewall can miss it.1

3. Inject: Send a fake packet to race the "bad" packet to the requester.

When a detector matches a rule, it signals a separate injector that spoofs packets straight back onto the link: a forged DNS answer, or a forged TCP reset. Sensing and injection are different planes, which is why the firewall can be both omniscient and unable to actually block an in-flight packet.

Great Firewall packet flow: the gateway router mirrors a copy off the untouched spine to a DPI cluster that hashes the flow to one process, a keyword/SNI decision either passes the packet or fires the injector, which races forged RST + poisoned DNS back to both client and server. Evidence box shows the forged RST's spoofed source, stolen seq/ack, and wrong TTL versus a real reply.


What happens to the packet

These are the 3 mechanisms, in order of how early they fire.

DNS poisoning

Before your phone reaches Google it asks a resolver "what IP is google.com?" over DNS, with a single UDP packet. The injector sees the query and fires back a forged A-record pointing at a bogus IP pulled from a fixed rotation pool (researchers catalogued 592 addresses cycled deterministically).

Because the injector is physically closer than the real resolver, its answer usually wins, and your resolver caches the lie.

To watch the tampering from the US, use a vantage point that already lives inside China: GreatFire and OONI Explorer both probe from within the border and log the poisoned DNS in real time.

TCP RST injection

If DNS resolves and a TCP connection opens, content inspection kicks in. The detector reads the first HTTP GET (or TLS handshake) and matches the URL and payload against a keyword blacklist.

On a hit, the injector forges RST packets (the TCP reset flag that tells both ends "tear this connection down now") aimed at the client and the server.

The forged reset is a precise impersonation. Here's what's in it versus the real thing:

text
forged RST from the GFW           legitimate packet from Google
--------------------------------  --------------------------------
src IP  = Google's IP (spoofed)   src IP  = Google's IP (real)
seq/ack = lifted from the         seq/ack = correct by construction
          handshake it observed
flags   = RST (or RST/ACK)        flags   = ACK / PSH
TTL     = wrong: hops from the    TTL     = consistent with the
          injector, not Google              real path from Google

That TTL mismatch is gives it away; the forged packet took a different number of hops than a genuine one, which is how the injection is detected. The GFW sends several RSTs with different ACK numbers so at least one lands even if Google's real data arrives first, then holds a per-flow block on that source/dest/port tuple for minutes at a time.

SNI and DPI over TLS

HTTPS encrypts the payload but leaks the destination. When your browser opens a TLS connection it sends the hostname in cleartext inside the SNI field (Server Name Indication, the "which site am I asking for" hint). The DPI cluster parses the ClientHello, reads the SNI, and resets the connection if the name is on the block list.

The fix is ECH (Encrypted Client Hello, which encrypts the SNI too), successor to ESNI. China responded by blocking ESNI-style handshakes wholesale in 2020. If the firewall can't read the "label," it drops the whole packet. QUIC is the next contested surface for the same reason.

toggle SNI to ECH and watch the hostname in the ClientHello turn to ciphertext, blinding the injector

The arms race

Every block seeds a workaround, and every workaround a better block.

Round one was the VPN. It worked until the firewall learned to fingerprint the legacy protocols: IPSec, L2TP, and PPTP all ride fixed ports and leave handshake traces, so the GFW throttles or resets anything shaped like them. While most VPNs are blocked, there are a handful of VPN providers that work around these restrictions (explaining them would require another post).

Then the tunnels learned to hide. Shadowsocks and V2Ray wrap your traffic to resemble ordinary HTTPS, and Trojan goes further by sitting behind a real TLS certificate so it reads as a plain website. The firewall answered with active probing: when it spots a suspicious server, it opens its own connection and speaks proxy protocols at it, and if the server answers like a proxy, the IP gets blacklisted.

The solution to that was obfs4 stays silent unless the client proves an out-of-band shared secret, so a prober that doesn't already know the key gets nothing back.

The 2025 leak of Geedge Networks' Tiangou Secure Gateway shows ML classifiers that flag tunnels by traffic shape (packet sizes, timing, flow fingerprints) without having to read a payload byte.


The human layer

Human content moderation on domestic platforms (like Weibo or WeChat) is a separate system with humans in the loop, and it exists because Mandarin makes keyword filtering leaky. The language is dense with homophones, so people swap in characters that sound identical but read differently, avoiding the blacklist that matches exact strings.

An early workaround was calendar math. To discuss the Tiananmen crackdown of June 4, people write "May 35th" (May has 31 days, so the 35th rolls over to June 4) to avoid being blocked. The word "Censorship" itself gets renamed river crab (héxiè), a near-homophone for the Party's word harmony (héxié), so "getting harmonized" becomes slang for being scrubbed.

The only way to keep up with these terms is with human moderation, which alone employs over 100k people in China.


The future of China's internet

As ECH, DoH (DNS over HTTPS), and QUIC push every readable label inside an encrypted envelope, keyword lists and SNI parsing age out, and the firewall pivots to behavioral ML-based classification.

Within a few years the dominant blocking signal in heavily censored networks will be a learned traffic-shape classifier, not a keyword table/list. The way around it will be tools that make your traffic "statistically boring" rather than just encrypted.

Understanding the complexity of China's restricted internet makes me grateful to live in the US, where we have access to a free and open internet.

→ Kyle


Footnotes

  1. 1.

    On any given link the GFW runs reassembly and matching across many parallel processes, hashing each connection to one process so state stays consistent; asymmetric routing that splits a flow across gateways can slip past it entirely (Marczak et al. 2015).