On August 20th, in the early morning, a large-scale abnormality occurred in the Chinese cyberspace. The outbound 443 port (HTTPS encrypted access) traffic was completely blocked, affecting international websites such as Apple, Tesla, and Bing. Multiple network security engineers pointed out that this action may be a test drill following the upgrade of the Great Firewall (GFW), indicating a progressively stricter monitoring system being formed.
Throughout the day, social media platforms and WeChat groups both domestic and abroad were full of complaints, with users saying that they couldn’t open web pages and VPNs were ineffective. Similar reports were reflected in cities like Beijing and Shanghai, with netizens sharing screenshots of nearly twenty blocked IP addresses.
According to an “Analysis Report” released by an overseas research institution on that day, from 00:34 to 01:48 on August 20, 2025 (UTC+8), the GFW unconditionally injected fake TCP RST+ACK into all TCP 443 port connections, resulting in a large-scale disruption of connectivity between China and the rest of the world.
The report indicated that the injection targeted only the 443 port and did not affect common ports like 22, 80, 8443, etc.; both inbound and outbound traffic were affected, but the triggering mechanism was asymmetric: when initiated from within China, both SYN and SYN+ACK triggered 3 RST+ACK, while when initiated from abroad, only the server’s SYN+ACK triggered. The fingerprint of the injection device did not match the existing GFW, indicating a new device or abnormal configuration. The process lasted approximately 74 minutes.
Various feedback observed by journalists showed that from 0:34, the outbound 443 port was blocked, expanding to a bi-directional disruption by 1:30, with almost all cross-border encrypted traffic being cut off. By 1:38, some major services began to recover, with a gradual restoration of access to numerous websites by 1:50. The entire process lasted about an hour.
A network security engineer from Hebei, Yang Kun (alias), told a reporter from Epoch Times on the 20th that he also detected the network anomaly, which was not the first time. “There have been several similar situations recently, mostly in the early hours of the morning. The block usually lasts about an hour, looking more like a technical test rather than a complete drill.”
He added, “This action was somewhat special. From the timing and path, it seems more like a stress test after the firewall upgrade, searching for vulnerabilities and patching them up. About a month ago, a similar situation occurred, lasting for about twenty minutes. It was around one in the morning.”
Another engineer, Mr. Guo, bluntly stated during an interview, “The upgrade of the firewall is similar to military exercises. Experiments are usually conducted in virtual networks and local area networks. Once there is a large-scale event, it can be immediately activated. The goal is to quickly cut off the network during so-called special moments to prevent internet users from coordinating.”
Mr. Guo also revealed that in recent years, the firewall is not only operated by the “national team” but some regions have also begun to establish their “provincial firewalls” that restrict local users from accessing external websites: “Henan, Shandong have shown this trend. It’s more pronounced after the epidemic. The national firewall mainly handles external networks, but local provincial firewalls can set their own rules and intercept data. It’s like adding another ‘wall within the wall’ within the Great Firewall.”
In May of this year, an international research report jointly released by GFW.Report, Stanford University, and the University of Massachusetts Amherst confirmed that Henan was the first province to deploy the “wall within the wall.” The research found that since the end of 2023, Henan’s main network exit nodes have enabled a locally operated filtering system, blocking over 4.2 million domain names, even affecting academic and government websites, surpassing the scale of the national-level firewall.
Experts pointed out that this signifies a decentralization of censorship authority, with local governments having greater operational space in network control, which could result in a more fragmented network environment across different regions.
A political observer in Beijing noted that the central government has made a significant investment in internet security engineering, “even considered to surpass some large international propaganda expenses.” He believes that these tests coinciding with major political events approaching show authorities are preparing for “digital warfare readiness.”
Experts in mainland China cautioned that the 443 port is a core interface for global encrypted communication, and frequent blocking would not only affect ordinary users but also impact cross-border business operations, scientific research collaborations, and financial transactions. With the approaching military parade in Beijing on September 3, these tests seem more like a “cyber defense drill,” indicating the formation of a more stringent monitoring system.