Leaked Documents Expose Capabilities of China’s “Great Firewall” and TSG Security Gateway

Leaked documents reveal the inner workings of China's internet censorship apparatus, including DPI, traffic shaping, and user identification.

A recent leak of internal documents and source code from Geedge Networks, a Chinese information technology company also known as Jizhi, has shed light on the capabilities of its core product, the TSG (Tian Gou) security gateway. The TSG is reportedly used in conjunction with China’s Great Firewall (GFW) to perform deep packet inspection (DPI), block circumvention tools, throttle specific protocols, monitor user behavior, and even inject or modify network content. This leak provides unprecedented insight into the inner workings of China’s internet censorship apparatus.

TSG Deployment Modes: Inline vs. Bypass

The TSG can be deployed in two primary modes:

  • Inline (Active Mode): All data packets are routed through the TSG, enabling strong control and blocking capabilities. However, this introduces additional latency and potential reliability risks.
  • Bypass (Passive Mode): Data packets are forwarded directly to the internet, while a mirrored copy of the traffic is sent to the TSG for analysis. This mode minimizes impact on normal operations but requires packet injection or spoofing to block connections.

Deep Packet Inspection (DPI) Capabilities

The TSG’s DPI engine allows it to analyze network traffic beyond the traditional network and transport layers. Unlike basic firewalls that only inspect IP addresses, ports, and connection status, DPI delves into the application layer to identify specific protocols and content.

For unencrypted protocols like HTTP, the TSG can directly read the requested domain names, web page content, submitted form data, and even comments. This capability enables the GFW to decrypt VPN traffic and identify the websites being visited, which, as the Xray developer has pointed out, highlights the need to encrypt web panel traffic.

Traffic Shaping and Prioritization

In addition to DPI, the TSG implements traffic shaping (QoS) to prioritize or throttle different types of traffic. This involves:

  • Assigning higher priority to normal HTTPS traffic.
  • Lowering the priority of specific protocols or unidentifiable encrypted data.
  • Blocking abnormal high-volume traffic patterns.

This allows the GFW to degrade the performance of circumvention tools without outright blocking them.

Content Injection and Tampering

The TSG can inject and modify plaintext traffic in real-time using techniques such as:

  • Spoofing redirection responses.
  • Modifying HTTP headers.
  • Injecting or replacing scripts.
  • Replacing links and images.
  • Overwriting response bodies.

These techniques can be used to redirect users to government-controlled websites, inject anti-fraud warnings, or even launch DDoS attacks without the user’s knowledge. This remains possible despite the prevalence of HTTPS because a site’s initial plaintext HTTP request, made before the redirect to HTTPS, is enough of a window to manipulate the traffic.
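In bypass mode the gateway cannot drop packets, so a spoofed redirect has to race the real server’s reply: both segments claim the same TCP sequence number, but only the forged one carries the redirect, and it usually arrives with a different IP TTL because it was generated from a different hop. The following is an added detection example, not code from the leak or from Geedge Networks; the sensor position (client side of the path), the `Segment` record and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a passive sensor near the client would record it (constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ttl: int
    payload: bytes


def detect_injection(segments, server_port=80):
    """Flag server->client segments that collide with an earlier segment of the same flow.

    A forged reply reuses the expected sequence number but carries different bytes and
    often a different TTL. A genuine TCP retransmission repeats the same bytes, so
    identical payloads are deliberately not flagged. Returns a list of (seq, reason).
    """
    seen = {}  # (flow, seq) -> first segment observed at that sequence number
    findings = []
    for s in segments:
        if s.sport != server_port:
            continue  # only the server->client direction can carry a forged reply
        flow = (s.src, s.sport, s.dst, s.dport)
        first = seen.get((flow, s.seq))
        if first is None:
            seen[(flow, s.seq)] = s
        elif first.payload != s.payload:
            reasons = ["same seq, different payload"]
            if first.ttl != s.ttl:
                reasons.append(f"ttl {first.ttl} vs {s.ttl}")
            findings.append((s.seq, "; ".join(reasons)))
    return findings


# Constructed sample: a plaintext GET, a forged 302 that wins the race, then the real 200.
SAMPLE = [
    Segment("10.0.0.5", "203.0.113.7", 51000, 80, 1, 64,
            b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Segment("203.0.113.7", "10.0.0.5", 80, 51000, 1, 55,
            b"HTTP/1.1 302 Found\r\nLocation: http://warning.invalid/\r\n\r\n"),
    Segment("203.0.113.7", "10.0.0.5", 80, 51000, 1, 49,
            b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]

if __name__ == "__main__":
    for seq, why in detect_injection(SAMPLE):
        print(f"possible injected reply at seq {seq}: {why}")
```

The same check works on a real capture once segments are decoded into this record shape; it will not see injection on flows where the forged reply arrives after the legitimate one has already been accepted by the client, which is why the TTL comparison is kept alongside the payload check.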

User Identification and Tracking

The leaked documents confirm the ability to link network traffic to individual users through their real-world identities. This is facilitated by:

  • Real-name registration requirements for broadband and SIM cards.
  • Association of IP addresses with broadband and SIM card subscriptions.
  • Real-time location tracking via cellular networks.

The documents reveal that the system can identify and track individuals, even labeling them as “terrorists” for monitoring purposes.

Conclusion

While many of the revealed surveillance and blocking techniques were previously suspected, the leaked documents provide concrete evidence of their implementation within the GFW. While the leaker suggests that ordinary users need not panic, the advice is to avoid expressing extreme viewpoints online and to review the earlier security-related videos for ways to further obscure one’s internet activity.
