Title: Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China
Authors: Ali Zohaib*, Qiang Zao*, Jackson Sippe, Abdulrahman Alaraj, Amir Houmansadr, Zakir Durumeric, Eric Wustrow
Paper (HTML): https://gfw.report/publications/usenixsecurity25/en/
Chinese translation (HTML): 揭示并绕过中国防火长城基于SNI的QUIC封锁机制
Source code and open dataset
Slides (PDF)

Abstract

Despite QUIC handshake packets being encrypted, the Great Firewall of China (GFW) has begun blocking QUIC connections to specific domains since April 7, 2024. In this work, we measure and characterize the GFW’s censorship of QUIC to understand how and what it blocks. Our measurements reveal that the GFW decrypts QUIC Initial packets at scale, applies heuristic filtering rules, and uses a blocklist distinct from its other censorship mechanisms. We expose a critical flaw in this new system: the computational overhead of decryption reduces its effectiveness under moderate traffic loads. We also demonstrate that this censorship mechanism can be weaponized to block UDP traffic between arbitrary hosts in China and the rest of the world. We collaborate with various open-source communities to integrate circumvention strategies into Mozilla Firefox, the quic-go library, and all major QUIC-based circumvention tools.

摘要

尽管 QUIC 握手数据包是加密的，中国防火长城（GFW）自2024年4月7日起，已开始封锁针对特定域名的 QUIC 连接。在此次研究中，我们对 GFW 针对 QUIC 的审查行为进行了测量与分析，以理解其封锁方式以及封锁对象。我们的测量结果显示，GFW 能够大规���解密 QUIC Initial 数据包，应用启发式过滤规则，并采用与其他审查机制不同的封锁名单。我们揭示了这一新系统的一个关键缺陷：解密带来的计算开销在中等流量负载下即会削弱其封锁效果。我们还展示了该审查机制如何被滥用，以阻断中国与全球任意主机之间的 UDP 流量。我们与多个开源社区合作，将绕过封锁的策略集成进 Mozilla Firefox、quic-go 库以及所有基于 QUIC 的主流翻墙工具中。