China’s Great Firewall upgrade falls flat, inadvertently undermining the very infrastructure it was designed to protect.

A recent upgrade to China’s Great Firewall—the country’s sprawling national internet censorship apparatus—has inadvertently undermined the very infrastructure it was designed to fortify, according to findings from leading cybersecurity researchers.

Background: An Ambitious but Risky Upgrade

In an attempt to adapt to modern internet protocols, Chinese authorities began targeting the QUIC protocol (pronounced “quick”) in April 2024. QUIC underpins much of today’s web traffic, especially through HTTP/3, and now accounts for over 30% of all web requests. To counter emerging loopholes, China’s upgraded censorship began using deep packet inspection to identify and block connections to blacklisted domains over QUIC.

However, researchers from multiple university teams and the Great Firewall Report have found that the approach is fundamentally flawed and introduces several serious vulnerabilities.

The Unintended Consequences

A central weakness in the new system lies in how it handles incoming QUIC traffic. For each connection, the Great Firewall attempts to decrypt the initial packet carrying the TLS “Client Hello”; this message contains the Server Name Indication (SNI), which reveals the intended website. Because QUIC encrypts even this first packet, the inspection process is computationally intensive, especially when scaled to China’s immense internet population.
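To make the cost of that inspection concrete, the following added example (not code from the article or from the researchers it describes) shows what any passive QUIC inspector must compute before it can even read the SNI: parse the long header to obtain the Destination Connection ID, then run the RFC 9001 Initial key schedule (HKDF-Extract plus several HKDF-Expand-Label steps) to derive the keys that protect the Client Hello. The sample header bytes and the Destination Connection ID are constructed for illustration; the connection ID matches the RFC 9001 Appendix A test vector so the derived client key can be checked against a published value.

```python
import hmac
import hashlib
import struct

# RFC 9001 section 5.2: the fixed salt used for QUIC version 1 Initial packets.
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")
QUIC_V1 = 0x00000001

# Constructed sample of a QUIC long header (not a real capture):
#   0xc3  = long header, Initial type, 4-byte packet number
#   version 1, DCID length 8, DCID from RFC 9001 Appendix A, SCID length 0
SAMPLE_INITIAL_HEADER = bytes.fromhex("c3" "00000001" "08" "8394c8f03e515708" "00")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract with SHA-256 (RFC 5869)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand with SHA-256 (RFC 5869): concatenated HMAC blocks T(1), T(2), ..."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 section 7.1) with the "tls13 " prefix."""
    full_label = b"tls13 " + label
    hkdf_label = (
        struct.pack("!H", length)
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_initial_keys(dcid: bytes) -> dict:
    """Derive the client and server Initial packet-protection material from a DCID.

    This is the per-connection work an inspector pays before it can decrypt
    the Client Hello: one HKDF-Extract and eight HKDF-Expand-Label calls.
    """
    initial_secret = hkdf_extract(INITIAL_SALT_V1, dcid)
    keys = {"initial_secret": initial_secret}
    for side, label in (("client", b"client in"), ("server", b"server in")):
        secret = hkdf_expand_label(initial_secret, label, b"", 32)
        keys[side] = {
            "key": hkdf_expand_label(secret, b"quic key", b"", 16),  # AEAD key
            "iv": hkdf_expand_label(secret, b"quic iv", b"", 12),    # AEAD nonce base
            "hp": hkdf_expand_label(secret, b"quic hp", b"", 16),    # header-protection key
        }
    return keys


def parse_long_header(pkt: bytes):
    """Return (version, dcid) from a QUIC long header, or None if it is not one.

    The DCID is the only input to the Initial key schedule, and it is chosen by
    whoever sent the packet, so an inspector cannot skip the derivation by
    caching: every unseen DCID forces a fresh run.
    """
    if len(pkt) < 6 or not (pkt[0] & 0x80):
        return None
    version = struct.unpack("!I", pkt[1:5])[0]
    dcid_len = pkt[5]
    if len(pkt) < 6 + dcid_len:
        return None
    return version, pkt[6:6 + dcid_len]


if __name__ == "__main__":
    version, dcid = parse_long_header(SAMPLE_INITIAL_HEADER)
    k = derive_initial_keys(dcid)
    print(f"version={version:#010x} dcid={dcid.hex()}")
    print("client key:", k["client"]["key"].hex())
    print("server key:", k["server"]["key"].hex())
```

Running this reproduces the client Initial key from RFC 9001 Appendix A (1f369613dd76d5467730efcbe3b1a22d). Note what the block does not include: after deriving these keys the inspector still has to remove header protection, run the AES-GCM decryption over the whole Initial payload, and parse the TLS Client Hello to reach the SNI, all before a single blocklist lookup. Every step is keyed by a value the sender controls, which is why the load on a passive inspector grows linearly with the number of Initial packets it sees rather than with the number of genuine connections, and why such a system needs per-source rate limiting or sampling if it is to stay available under load.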

This design flaw has two major consequences:

  • Inconsistent Censorship: The Great Firewall’s ability to block QUIC is highly variable. During off-peak hours (such as early morning), the system performs as intended. However, once millions of users are online, the infrastructure becomes overloaded, and the effectiveness of domain-based blocking sharply declines. This leads to significant gaps in censorship enforcement during periods of high network activity.
  • Susceptibility to Denial-of-Service (DoS): Most troubling, the researchers found that it is possible for attackers (even those located outside of China) to intentionally flood the system with bogus or spoofed QUIC packets. Because each packet requires computational processing, such an attack could overwhelm the censorship infrastructure. In extreme scenarios, this could cause widespread disruption by blocking legitimate access to external DNS servers. Essentially, the mechanism intended to suppress information could be turned against itself, resulting in self-inflicted outages and large-scale internet instability within China.

Disclosure and Responsible Handling

Upon discovering these issues, research teams discreetly informed Chinese authorities to allow mitigations before publicizing the flaws. Only limited fixes were observed, prompting the researchers to release their findings more broadly, including to anti-censorship communities and software developers to help build effective evasion tools.
