The GFW enforces QUIC-specific censorship
QUIC, a UDP-based transport that replaces TLS over TCP, has become popular in recent years. Despite its increase in popularity, QUIC has remained largely uncensored: only Russian TSPU devices were known to analyze QUIC connections and to extract the server's hostname from the SNI extension. Other censors, such as China's GFW, had not been found capable of sophisticated QUIC analysis. In January 2025, however, we noticed sophisticated QUIC censorship in China.
Similar to Russian TSPU devices, the GFW now extracts the SNI extension from QUIC connections and blocks unwanted connections. As of now, the GFW's QUIC censorship operates on a limited list of hostnames, is residual-only (the triggering packet itself passes, but later packets are dropped), and triggers inconsistently. Based on these characteristics, we suspect that the deployment of QUIC censorship in the GFW is an ongoing process that might culminate in broad QUIC censorship. This blog post details our findings.
This section introduces the QUIC protocol and its relevance for Internet censorship.
QUIC was standardized in 2021 (RFC 9000) as a UDP-based transport that replaces the combination of TCP and TLS.
Under the hood, QUIC uses TLS 1.3 for its cryptographic handshake (RFC 9001). Therefore, it also inherits the Server Name Indication (SNI) field of TLS, which censors commonly use to decide whether a connection should be censored. In QUIC, the ClientHello carrying the SNI travels in the Initial packet, which is protected with keys derived from the connection ID. Since every on-path observer can derive these keys, the SNI is as visible to a censor as it is in TLS over TCP.
QUIC's choice of UDP over TCP also affects how censors deal with QUIC. For TCP-based protocols, censors can inject TCP Reset packets to the peers to tear down connections. In UDP, there is no generic connection close mechanism, and QUIC's own stateless reset cannot be forged by an observer because it must carry a token known only to the endpoints. Instead, censors have to drop packets to stop or tear down active QUIC connections.
QUIC can be used as a transport for different protocols, most notably HTTP/3. Before attempting to connect via HTTP/3 over QUIC, browsers determine whether the destination supports QUIC. A server can indicate support using response headers in a previous HTTP over TLS connection (an Alt-Svc header advertising h3), or by publishing DNS HTTPS records that list h3 in their alpn parameter. Because of this, TLS and DNS censorship can interfere with QUIC detection: if the advertisement never reaches the client, the browser never tries QUIC.
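The step every QUIC-aware censor has to perform is to pull the SNI out of the ClientHello inside the Initial packet. The Python below is an added example, not code from this post or from any censorship system. It assumes the Initial packet protection has already been removed with the version-specific initial keys derived from the Destination Connection ID (RFC 9001), so it starts at the decrypted frame payload; the ClientHello builder, the frame layout and the hostnames are constructed here for the demonstration, and only PADDING, PING and CRYPTO frames are handled.

```python
"""Extract the SNI from the TLS ClientHello carried in a QUIC Initial packet.

Added example, not the blog's code. The payload is assumed to be already
decrypted (initial keys per RFC 9001); the sample ClientHello is constructed.
"""
import struct
from typing import Optional


def read_varint(buf: bytes, pos: int):
    """Decode a QUIC variable-length integer (RFC 9000, section 16)."""
    first = buf[pos]
    length = 1 << (first >> 6)          # top two bits encode 1/2/4/8 bytes
    value = first & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[pos + i]
    return value, pos + length


def encode_varint(value: int) -> bytes:
    """Encode a QUIC variable-length integer (inverse of read_varint)."""
    if value < 0x40:
        return bytes([value])
    if value < 0x4000:
        return struct.pack(">H", value | 0x4000)
    if value < 0x40000000:
        return struct.pack(">I", value | 0x80000000)
    return struct.pack(">Q", value | 0xC000000000000000)


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello handshake message.

    QUIC requires TLS 1.3 and forbids compatibility mode, so legacy_session_id
    is empty. With sni=None the server_name extension is omitted entirely.
    """
    exts = b""
    if sni is not None:
        host = sni.encode()
        name = b"\x00" + struct.pack(">H", len(host)) + host      # name_type host_name
        sni_ext = struct.pack(">H", len(name)) + name             # server_name_list
        exts += struct.pack(">HH", 0x0000, len(sni_ext)) + sni_ext
    sv = b"\x02\x03\x04"                                          # supported_versions: TLS 1.3
    exts += struct.pack(">HH", 0x002B, len(sv)) + sv
    body = (b"\x03\x03" + bytes(32)              # legacy_version, random (zeroed sample)
            + b"\x00"                            # legacy_session_id: empty
            + b"\x00\x02\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # legacy_compression_methods: null
            + struct.pack(">H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello


def crypto_frames(handshake: bytes, chunk: int = 40) -> bytes:
    """Spread handshake bytes over several CRYPTO frames plus trailing PADDING,
    as a real client may do. Constructed sample payload."""
    out = b""
    for off in range(0, len(handshake), chunk):
        data = handshake[off:off + chunk]
        out += b"\x06" + encode_varint(off) + encode_varint(len(data)) + data
    return out + b"\x00" * 16


def reassemble_crypto(payload: bytes) -> bytes:
    """Walk the frames of a decrypted Initial payload and reassemble the
    CRYPTO stream by offset. Frame types not expected here raise."""
    pos, chunks = 0, {}
    while pos < len(payload):
        ftype, pos = read_varint(payload, pos)
        if ftype in (0x00, 0x01):                 # PADDING, PING
            continue
        if ftype == 0x06:                         # CRYPTO: offset, length, data
            off, pos = read_varint(payload, pos)
            ln, pos = read_varint(payload, pos)
            chunks[off] = payload[pos:pos + ln]
            pos += ln
            continue
        raise ValueError(f"unhandled frame type {ftype:#x}")
    stream = b""
    for off in sorted(chunks):
        if off != len(stream):
            raise ValueError("gap in CRYPTO data; ClientHello incomplete")
        stream += chunks[off]
    return stream


def extract_sni(handshake: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < body_len:
        return None                               # truncated message
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # legacy_session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # legacy_compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions at all
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        lpos = 2                                  # skip server_name_list length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack(">H", edata[lpos + 1:lpos + 3])[0]
            if ntype == 0:
                return edata[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
            lpos += 3 + nlen
    return None


def sni_from_initial_payload(payload: bytes) -> Optional[str]:
    """What a QUIC-aware censor computes per Initial packet."""
    return extract_sni(reassemble_crypto(payload))


if __name__ == "__main__":
    for host in ("example.com", "en.m.wikipedia.org", None):
        print(host, "->", sni_from_initial_payload(crypto_frames(build_client_hello(host))))
```

The reassembly by offset is the part worth noting: a client may split the ClientHello over several CRYPTO frames, and a censor that inspects only the first frame of the first Initial packet never sees the hostname. The None result for a ClientHello without server_name corresponds to the observation below that connections without an SNI do not trigger censorship.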
In 2021 and 2022, Elmenhorst et al. vk.com. In China, they did not identify QUIC-specific censorship. However, IP blocking still interfered with QUIC connections. In particular, the IP ranges of Google, an early adopter of QUIC, were blocked in China.
In mid-2023, a user in the net4people BBS reported intermittent QUIC censorship in China.
Besides directly blocking connection attempts, censors also employ so-called residual censorship: after a packet has triggered censorship, the censor keeps dropping subsequent packets that match the trigger's addresses for some period of time, regardless of their content.
When a censor residually censors all packets from a client IP and port to a specific destination IP and port, it applies 4-tuple residual censorship. When it ignores the port on the client side, it applies 3-tuple residual censorship. When only the two IP addresses need to match, the scope is called 2-tuple.

| Type | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|
| 2-tuple | X | | X | |
| 3-tuple | X | | X | X |
| 4-tuple | X | X | X | X |
Implementations of residual censorship differ widely between censors and even between protocols in specific censors. For a given censor, the timing may vary between different protocols. In some cases, sending a censored packet during residual censorship restarts the timer, while in others it does not.
The connections or packets that trigger residual censorship are usually censored themselves. But this is not always true: In 2021, Bock et al.
While investigating other forms of censorship, we encountered unexpected behavior in China. We observed failing QUIC connections and decided to investigate further. In the following, we show that, despite not being directly censored, QUIC is residually censored in China.
For our scans, we rented a server in China and a server in Germany. From China, we attempted to open QUIC connections to our server in Germany. Each attempt consisted of a single QUIC Initial packet from China to Germany, which we followed up with 10-byte UDP packets in both directions on the same and on related ports.
We used different values in the SNI field of the QUIC connections. As an uncensored domain, we used example.com; as a censored domain, we used en.m.wikipedia.org. We performed the scans in March and April 2025.
In our tests, we found that China has started censoring QUIC based on the SNI value in the TLS ClientHello carried by the Initial packet. For the uncensored SNI, we found no indication of interference. In contrast, when the QUIC Initial packet included a forbidden domain, further packets on the same 4-tuple were likely to be dropped:
Interestingly, the average packet loss seen in this plot does not match the packet loss of individual connection attempts. For many connections, we observed that no packets arrived in Germany during the residual censorship window, while at other times, all packets arrived after sending an identical censored packet.
To illustrate these cases, we categorized each connection attempt by the effectiveness of residual censorship that followed. In addition to packets on the 4-tuple, we also sent packets that only match the 3-tuple, using a new client port in China:
We conclude that there are three possible censor reactions to a QUIC packet with a forbidden SNI: either all following packets on the 3-tuple are dropped, only the packets on the 4-tuple are dropped, or no censorship occurs at all. This may be because the current infrastructure in the GFW is unreliable, but may also be a deliberate choice to obfuscate or experiment with different censorship.
During the residual censorship windows, we also sent packets from Germany to the server in China. These reverse packets were not affected by the residual censorship, even when they were responses on the original packet's 4-tuple. This matches prior findings of residual censorship being unidirectional in China.
We also found that not all domains censored over TLS are affected by QUIC censorship. For example, the SNI freetibet.org did not trigger QUIC censorship in our experiments. Connections without an SNI did not trigger QUIC censorship either.
In 58% of connection attempts, we found residual censorship that drops all follow-up packets on the 3-tuple. This residual censorship lasts 3 minutes, with no packets being dropped afterwards. Packets following the censored packet are not dropped immediately: it takes a moment for residual censorship to start, usually less than 500 ms.
In 37% of connection attempts, follow-up packets were dropped on the 4-tuple of the trigger packet, but not on the complete 3-tuple. In this case, the window is also 3 minutes. After the window, packet loss returns to normal.
Besides 4-tuple residual censorship, we observed unusual behavior in this case: while most other client ports were unaffected by residual censorship, some unrelated client ports were residually censored as well.
In the remaining 5% of connection attempts, we did not observe the trigger packets leading to any residual censorship. We assume that these packets were not seen by the censorship system, possibly due to high overall load.
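The tuple scopes defined above and the three censor reactions just described (3-tuple, 4-tuple, none) can be made concrete as a small model. The Python below is an added example, not the blog's measurement code: it implements the tuple matching of the table, simulates a censor with the observed 3-minute window and sub-500 ms start delay, and classifies one connection attempt's probe trace into one of the three categories. The addresses, ports and probe schedule are constructed placeholders, not captured data.

```python
"""Residual censorship scopes and a classifier for the three observed reactions.

Added example, not code from the post. Packet traces are constructed.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    t: float            # seconds after the trigger packet was sent
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    arrived: bool = True   # did the packet reach the other side?


def matches(scope: str, trigger: Packet, pkt: Packet) -> bool:
    """Does pkt fall under residual censorship of the given scope for trigger?

    src and dst are compared in order, so a reply on the reversed tuple never
    matches: this models the unidirectional residual censorship seen in China.
    """
    if (trigger.src_ip, trigger.dst_ip) != (pkt.src_ip, pkt.dst_ip):
        return False
    if scope == "2-tuple":
        return True
    if trigger.dst_port != pkt.dst_port:
        return False
    if scope == "3-tuple":
        return True
    if scope == "4-tuple":
        return trigger.src_port == pkt.src_port
    raise ValueError(f"unknown scope {scope!r}")


def simulate_censor(scope: Optional[str], trigger: Packet, probes: Iterable[Packet],
                    window: float = 180.0, start_delay: float = 0.5) -> List[Packet]:
    """Apply a residual censor: matching probes sent after start_delay and before
    the window expires are dropped. scope=None means the trigger was not seen.
    The timer does not restart on later matching packets (one of the two
    variants described for residual censorship)."""
    out = []
    for p in probes:
        dropped = (scope is not None and matches(scope, trigger, p)
                   and start_delay <= p.t < window)
        out.append(replace(p, arrived=not dropped))
    return out


def drop_rate(pkts: Iterable[Packet]) -> float:
    pkts = list(pkts)
    return 0.0 if not pkts else sum(not p.arrived for p in pkts) / len(pkts)


def classify(trigger: Packet, observed: Iterable[Packet], window: float = 180.0,
             start_delay: float = 0.5, threshold: float = 0.8) -> str:
    """Categorize one connection attempt as '3-tuple', '4-tuple' or 'none'.

    Probes on the trigger's own client port test the 4-tuple; probes from fresh
    client ports test the rest of the 3-tuple. The threshold tolerates a few
    stray drops (or stray censored ports) without changing the category.
    """
    in_window = [p for p in observed
                 if start_delay <= p.t < window and matches("3-tuple", trigger, p)]
    same_port = [p for p in in_window if p.src_port == trigger.src_port]
    other_ports = [p for p in in_window if p.src_port != trigger.src_port]
    if drop_rate(other_ports) >= threshold and drop_rate(same_port) >= threshold:
        return "3-tuple"
    if drop_rate(same_port) >= threshold:
        return "4-tuple"
    return "none"


def probe_schedule(trigger: Packet, fresh_ports=(50001, 50002),
                   step: float = 10.0, until: float = 240.0) -> List[Packet]:
    """Constructed probe plan: one packet every `step` seconds on the trigger's
    4-tuple and on each fresh client port, continuing past the 3-minute window
    so that the end of residual censorship is observable too."""
    probes, t = [], step
    while t <= until:
        probes.append(Packet(t, trigger.src_ip, trigger.src_port, trigger.dst_ip, trigger.dst_port))
        for port in fresh_ports:
            probes.append(Packet(t, trigger.src_ip, port, trigger.dst_ip, trigger.dst_port))
        t += step
    return probes


# Placeholder addresses for the client in China and the server in Germany.
TRIGGER = Packet(0.0, "203.0.113.10", 40000, "198.51.100.20", 443)

if __name__ == "__main__":
    for scope in ("3-tuple", "4-tuple", None):
        observed = simulate_censor(scope, TRIGGER, probe_schedule(TRIGGER))
        print(scope, "->", classify(TRIGGER, observed))
```

Two details of the model mirror the measurements: a probe sent within the first 500 ms on the trigger's 4-tuple passes, which is the window a short-lived connection could exploit, and probes sent after 180 s all arrive again, which is how the duration of the window is read off a trace.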
Censored QUIC connections recorded in 2023
For QUIC, we also found the residual censorship to take less than one second to start. At 3 minutes, the time of residual censorship is also similar to the ESNI censorship that was observed in 2021. In contrast to the ESNI censorship from 2021, we did not see staggered 3-tuple and 4-tuple censorship. Instead, both types had the same duration for our QUIC scans.
The QUIC packet that triggers censorship still reaches the server, and the following residual censorship does not start immediately: there is a short delay of up to 500 ms before the censor starts dropping packets. This leaves potential for connections to succeed despite censorship triggering. While long-lived QUIC connections cannot proceed on the 4-tuple once censorship triggers, short-lived connections may be able to complete within the uncensored window. However, as round-trip times for international traffic from China are fairly high, it remains unlikely that forbidden QUIC connections can pass the GFW.
The GFW usually prefers injection over dropping packets. For TCP connections, it injects TCP Reset packets, and for DNS, it injects additional responses without stopping the censored request or response directly. The GFW does drop packets as part of IP blocking, but IP blocking is mostly static rather than triggered by individual packets.
China’s prior ESNI censorship
Another reason the GFW might use such a split approach is that it could simplify censorship for new protocols. In this split approach, protocol-specific detection would remain off-path, where it only needs to observe a copy of the traffic, while a shared in-path system implements only the generic residual censorship, dropping packets on tuples handed to it by the detectors.
In summary, we observed that China extended its SNI censorship to QUIC. We did not identify direct QUIC censorship—instead, QUIC censorship in China is residual-only. However, the QUIC censorship of the GFW still proves effective at disrupting QUIC, especially for long-lived connections, such as VPN tunnels.
With residual-only censorship already seen in the past for ESNI in China
@online{china-extended-its-sni-censorship-to-quic,
author = {Heitmann, Nico and Anonymous and Lange, Felix and Niere, Niklas},
title = {China Extended its SNI Censorship to QUIC},
year = 2025,
url = {https://upb-syssec.github.io/blog/2025/quic-china/},
urldate = {2025-04-04}
}