China's Great Firewall Mysteriously Severed Connection to the World for an Hour

For about an hour on Wednesday, China appeared to go dark—or at least internet access across the country did. According to an analysis published by the Great Firewall Report, a group that monitors internet censorship efforts in China, something happened in the wee hours of Wednesday morning that resulted in China blocking almost all traffic to TCP port 443, the standard port for HTTPS traffic.

Between the hours of 12:34 and 1:48 AM in Beijing, someone was observed “unconditionally injecting forged TCP RST+ACK packets to disrupt all connections on TCP port 443,” according to the Great Firewall Report. “This incident caused massive disruption of the Internet connections between China and the rest of the world.” As a result, Chinese citizens couldn’t access most sites hosted outside of China, and services that operate in China but communicate with outside servers were cut off during the outage.

In the past, China’s Great Firewall has blocked HTTPS communication, which uses encryption to securely transfer information between a user’s device and the web server they are attempting to access, typically as a means of preventing that traffic from being directed to more secure protocols that would limit the amount of information that can be collected. But according to the GFW Report, this instance was an odd one because it exclusively affected port 443. Typically, the report said, other common ports like 22, 80, and 8443 would also be blocked, as in 2020 when the Great Firewall blocked HTTPS protocols across every port, from 1 to 65535.

So why the more limited restriction that isn’t really that limited because it hit the most common port? It’s hard to say. As GFW Report pointed out, the Great Firewall doesn’t operate with a singular, central censor. Instead, a number of entities have the ability to block access. What adds even more intrigue to this situation, though, is the fact that the device identified as blocking the traffic “does not match the fingerprints of any known GFW devices,” per the analysis, “suggesting that the incident was caused by either a new GFW device or a known device operating in a novel or misconfigured state.”

While China occasionally limits internet access during events the government would rather not deal with, it doesn’t appear that such an occurrence was happening at the time of this outage. So perhaps one of the censors wanted to test out the capability in case they need to deploy it in the future. Or maybe someone just set their tequila bottle down on the delete key.
