on-path TCP port blocking may look like TLS Interference

[Lanius-collaris]

Describe the bug

GFW of China may use TCP RST injection to block ports but ignore TCP SYNs ( or TCP segments without data? ).

A few comments on gfw.report mentioned this: https://gfw.report/publications/sp25/zh/#isso-1014

Issue "CDN 77 fronts appear to be blocked in China": https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/168

To Reproduce

Here are some knowned affected IPs:

104.21.16.1
104.21.32.1
104.21.48.1
104.21.64.1
104.21.80.1
104.21.96.1
104.21.112.1
2606:4700:3030::6815:2001
2606:4700:3030::6815:3001
2606:4700:3030::6815:4001
2606:4700:3030::6815:5001
2606:4700:3030::6815:6001
2606:4700:3030::6815:7001

195.181.172.6
195.181.172.3
195.181.172.5
143.244.51.58
143.244.51.246
89.187.187.14
89.187.187.12
89.187.187.18
89.187.187.5
143.244.51.249
156.146.44.89
89.187.187.19
89.187.187.4
143.244.51.250
143.244.51.59
89.187.187.13

Send some data with ncat:

$ nc 195.181.172.6 443
a
Ncat: Connection reset by peer.

https://globalping.io/?measurement=231YLnjCxgSkbufOy0001zCqK ( connect to 195.181.172.4:443 )
https://globalping.io/?measurement=2lRiHx0zzmKz5ST5D0001zCqS ( connect to 195.181.172.4:443 )

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

If applicable, add screenshots to help explain your problem.

System information (if applicable):

• Device: [e.g., iPhone6]
• OS: [e.g., iOS8.1]
• OONI Probe version: [e.g., 3.11.0]

Additional context

Add any other context about the problem here.

[Lanius-collaris]

Relevant PCAP files and OONI measurements:
cdn77-rst-pcap.zip
https://explorer.ooni.org/m/20251101114635.835304_CN_webconnectivity_e5b13f8311c20b52
https://explorer.ooni.org/m/20251102151424.730702_CN_webconnectivity_ca6d81991698d2b4

@bassosimone @Kkevsterrr
Is it a new behavior of GFW?

[Kkevsterrr]

We'll take a look - thanks for the ping

[Kkevsterrr]

As far as I understand, the GFW issuing TCP RSTs to censor TLS connections is how it has worked for quite some time - is the GFW taking action even with an innocuous SNI?

[Lanius-collaris]

As far as I understand, the GFW issuing TCP RSTs to censor TLS connections is how it has worked for quite some time - is the GFW taking action even with an innocuous SNI?

Yes, even one-byte data \x0a can trigger TCP RST injection ( see cdn77-rst-one-byte.pcap ).
https://explorer.ooni.org/m/20251105000054.617630_CN_tlsping_f4acbd788cf58832 ( 195.181.172.2:443 )
https://explorer.ooni.org/m/20251105000106.684631_CN_tlsping_2d8200e3b5dd6f18 ( 195.181.172.4:443 )
The data format of tlsping can be found in https://github.com/ooni/spec/blob/master/nettests/ts-033-tlsping.md#expected-output

[Lanius-collaris]

@Kkevsterrr
I'm very curious about how the GFW is blocking/throttling github.com too, could you spend some time examining it? Thanks in advance. I only know a client needs to send SNI github.com to trigger it, the IP of the server (e.g. 20.205.243.166) may be a contributing factor as well.
220.171.42.239 (xinjiang.gov.cn) can be used to retrieve part of the DNS blocklist in Ürümqi.