600 GB Leak Sheds Light on Great Firewall’s DPI Stack, Tiangou Architecture, and Overseas Rollouts

CyberSecureFox 🦊

Researchers from Great Firewall Report have disclosed what appears to be the largest data leak to date involving China’s national internet filtering infrastructure, commonly known as the Great Firewall. Approximately 600 GB of internal materials—including source code, developer emails, build logs, package repositories, and operations manuals—were published, offering rare visibility into the technical and operational machinery of large-scale censorship and traffic monitoring.

What the leak contains: DPI builds, SSL/TLS analysis, and Tiangou architecture

Preliminary analysis indicates the dataset aligns with the MESA laboratory at the Institute of Information Engineering (Chinese Academy of Sciences) and with Geedge Networks, a vendor that industry reporting has previously linked to Fang Binxing, often cited as an architect of the Great Firewall. The trove includes full build systems for deep packet inspection (DPI) platforms and modules designed to detect and slow down censorship circumvention tools.

DPI and TLS fingerprinting explained

The leaked stack appears focused on identifying VPNs and other tunneling methods via deep packet inspection, TLS/SSL fingerprinting, and comprehensive session logging. DPI classifies traffic by inspecting packet contents and behavioral patterns, while TLS fingerprinting compares characteristics of encrypted sessions—such as cipher suites and handshake parameters—against known application profiles. This enables recognition of apps and VPN protocols even when payloads are encrypted.
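To make the fingerprinting step concrete, the following Python is an added illustration (not code from the leak, the article, or Geedge): it parses a constructed TLS ClientHello, extracts the fields a fingerprinter keys on, and builds a JA3-style hash that is then looked up in a profile table. The sample bytes and the profile entry are constructed; the field layout follows the public JA3 convention.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}   # RFC 8701 random filler values, ignored

def parse_client_hello(record: bytes) -> dict:
    """Pull the handshake fields a TLS fingerprinter keys on out of one raw TLS record."""
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[9:5 + rec_len]                     # skip record header + 4-byte handshake header
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                     # skip legacy_version and client_random
    pos += 1 + body[pos]                             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # skip compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, extensions, curves, formats = pos + ext_len, [], [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        extensions.append(etype)
        if etype == 10:                              # supported_groups: u16 length, u16 ids
            n = struct.unpack("!H", data[:2])[0]
            curves = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == 11:                            # ec_point_formats: u8 length, u8 ids
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats}

def ja3(fields: dict):
    """JA3 convention: version,ciphers,extensions,curves,formats with GREASE dropped, then MD5."""
    keep = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    text = ",".join([str(fields["version"]), keep(fields["ciphers"]), keep(fields["extensions"]),
                     keep(fields["curves"]), keep(fields["formats"])])
    return text, hashlib.md5(text.encode()).hexdigest()

# Constructed sample ClientHello (not captured traffic): TLS 1.2, GREASE in both lists, ciphers
# 0xC02B/0xC02F, supported_groups x25519 + secp256r1, uncompressed point format, one sigalg.
SAMPLE_HELLO = bytes.fromhex(
    "160301004f" + "0100004b" + "0303" + "11" * 32 + "00" + "00061a1ac02bc02f" + "0100" + "001c"
    + "1a1a0000" + "000a00060004001d0017" + "000b00020100" + "000d000400020403")

# Constructed profile table; a DPI classifier does this lookup against a catalogue of known clients.
KNOWN_PROFILES = {"771,49195-49199,10-11-13,29-23,0": "sample-client-A (constructed)"}

def classify(record: bytes) -> str:
    text, digest = ja3(parse_client_hello(record))
    return KNOWN_PROFILES.get(text, "unknown:" + digest)
```

Because the hash covers only the handshake shape, any client that emits the same cipher and extension ordering collides on it, which is exactly why circumvention tools try to mimic a common browser's ClientHello and why defenders should treat a fingerprint match as a signal, not a proof.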

Tiangou: a turnkey GFW-style platform for ISPs and border gateways

Documentation in the archive details the internal design of Tiangou, a commercial platform positioned as a ready-made censorship and monitoring solution for internet service providers and border gateways—effectively a “boxed” version of the Great Firewall. Early deployments reportedly ran on HP and Dell servers, later transitioning to domestic hardware amid sanctions pressure.

Global footprint: Myanmar, Pakistan, and additional jurisdictions

Project materials reference Tiangou deployments across 26 data centers in Myanmar, with real-time monitoring capacity of up to 81 million concurrent TCP connections. The system, apparently managed by a state-controlled telecom, was integrated at internet exchange (IX) points, enabling mass blocking and selective filtering at scale.

According to reporting by Wired and Amnesty International, Geedge Networks’ DPI infrastructure has also been exported to countries such as Pakistan, Ethiopia, and Kazakhstan, often paired with lawful intercept platforms. In Pakistan, Geedge equipment has been evaluated as part of the broader WMS 2.0 monitoring system for mobile networks, with references to interception of unencrypted HTTP traffic in certain scenarios.

Security, legal, and compliance implications

The leaked build logs, specifications, and developer notes could expose protocol weaknesses and operational misconfigurations within censorship stacks. This knowledge may inform the development of more effective evasion techniques, but it can also help defenders—ISPs, IX operators, and equipment vendors—strengthen network security controls, detection fidelity, and resilience against abuse.

For telecom operators, the incident underscores the need to harden secure software development lifecycles (SSDLC), secrets management, and supply-chain governance. It also elevates due-diligence requirements around DPI exports in the context of human-rights risk, surveillance law, and sanctions. Regulators and civil-society groups may use these materials to conduct compliance audits and assess how monitoring technologies affect freedom of information and privacy.

Safe handling: how to study the archive responsibly

The dataset is already mirrored by Enlace Hacktivista and community archivists. Researchers recommend analyzing files only within isolated, network-segmented virtual machines, verifying checksums, and avoiding execution of binaries outside a sandbox. Static analysis and controlled detonation environments are advised to mitigate potential embedded malware or booby-trapped artifacts.

The scale and granularity of this leak provide unprecedented insight into the global market for DPI and censorship technologies. Organizations should track ongoing analyses from Great Firewall Report, Wired, and Amnesty International, evaluate potential exposure in their own environments, and reinforce policies that govern surveillance tech procurement, data handling, and cross-border compliance.
