cn   China (Great Firewall)

Simple character-level perturbations (English) and homophone substitutions (Chinese), combined with LLM instruction-following prompts directing the model to use word substitutions in its output, successfully bypassed all input and output filters for all 41 input-blocked and 197 output-blocked queries across five major Chinese LLM services (Baidu-Chat, DeepSeek, Doubao, Kimi, Qwen). Every input-blocked query contained at least one keyword combination that alone triggered the filter, confirming keyword-matching rather than semantic classification.

2026-ablove-characterizing §VII-D defense

Cross-national experiments conducted from Singapore, South Korea, and Taiwan during February 19–24, 2025 found no variance in blocking implementations, event syntax, or server infrastructure across all five Chinese LLM services. Input blocking was enacted identically in all three international locations, and services connected to the exact same server IP addresses globally — Kimi and Baidu-Chat connected to identical IPs and DeepSeek to the same two addresses across all tested locations.

2026-ablove-characterizing §VIII-A evaluation

Input blocking in Chinese LLM services (DeepSeek, Qwen, Kimi, Doubao) is overwhelmingly consistent: all four services persistently block the exact same queries across all 5 measurement samples in both Simplified and Traditional Chinese. Output blocking is far less consistent, with only 29 out of 349 output-blocked queries blocked across all 5 samples. Baidu-Chat is exceptional: it performs almost no input blocking but instead relies heavily on post-search and output blocking (78.6% of blocks are output-phase).

2026-ablove-characterizing §VI-B evaluation

DeepSeek, Kimi, and Doubao all transmit analytics logs to the same Autonomous System (AS24429, Zhejiang Taobao Network Co., Ltd., a ByteDance/Volcengine subsidiary), with one monitoring endpoint IP directly overlapping between DeepSeek and Doubao. Additionally, all four non-Qwen services maintain connections with servers physically located in China throughout the chat session, transmitting user IDs, session IDs, viewport data, language preferences, and in Baidu-Chat's case, the full query text via URL-encoded CAPTCHA requests.

2026-ablove-characterizing §VI-D deployment

All five Chinese LLM services transmit partial or complete responses to the client machine even when output blocking is triggered, representing a major information leak. For DeepSeek and Qwen, truncated blocked responses are on average close in token length to full successful responses. For Baidu-Chat, the complete response is transmitted to the client but only partially rendered in the browser UI, with only a word or two visible on screen.

2026-ablove-characterizing §VI-C evaluation

Encrypted DNS protocols (DNS-over-HTTPS and DNS-over-TLS via Cloudflare 1.1.1.1, Google 8.8.8.8, AdGuard, or NextDNS) prevent DNS injection by encrypting the resolver query, making it opaque to in-path GFW middleboxes. The blog recommends these as a lightweight defense that avoids the maintenance overhead of static hosts entries.

2026-anon-6-github-dns §2 使用加密 DNS 服务 defense

The GFW blocks GitHub by hijacking DNS resolution to incorrect IP addresses, causing browser timeouts ('github.com 响应时间太长'). The poisoning can be confirmed by comparing nslookup results against a clean resolver (8.8.8.8) versus the local ISP resolver — divergent results confirm injection.

2026-anon-6-github-dns §5 验证 DNS 污染 detection

Static /etc/hosts bindings that hardcode correct IPs (e.g. 140.82.113.3 for github.com, 185.199.108.153 for assets-cdn.github.com) bypass DNS-injection blocking entirely, but the blog warns that GitHub IP addresses change and the file must be updated periodically to remain effective.

2026-anon-6-github-dns §1 手动修改 Hosts 文件 defense

Chinese users treat full proxy/VPN (Shadowsocks, V2Ray/Clash, commercial VPNs) as the '终极大杀器' (ultimate solution) for bypassing GitHub DNS poisoning, implying that lighter-weight DNS-only fixes fail in some network environments where the censor adds firewall-layer blocking beyond DNS.

2026-anon-6-github-dns §3 使用代理或 VPN deployment

AnyTLS's default padding scheme operates across 8 levels (stop=8), with initial padding fixed at 30 bytes, small-data padding 100–400 bytes, and medium-to-large data padding chains of 400–500 bytes continuing through multiple 500–1000 byte segments. The 'c' (continue) marker allows multi-stage padding sequences within a single connection burst.

2026-anon-anytls-anytls-sing-box-2026 §2.3 defense

As of 2026, AnyTLS lacks a standardized subscription link format (unlike VLESS/Trojan/Hysteria2), requires manual JSON configuration distribution, and is supported primarily by sing-box with limited support in v2rayNG and Shadowrocket. The guide explicitly warns it is unsuitable for production environments and recommends VLESS or Hysteria2 for production deployments and Hysteria2 for high-performance needs.

2026-anon-anytls-anytls-sing-box-2026 §1.4, §4.8, §8.2–8.3 deployment

AnyTLS implements a persistent idle-session pool with configurable parameters: idle_session_check_interval (default 30s), idle_session_timeout (default 30s), and min_idle_session (default 5). The client maintains at least 5 pre-established TLS sessions at all times to enable fast connection reuse without a new TLS handshake per request.

2026-anon-anytls-anytls-sing-box-2026 §2.4, §5.3 defense

Compared to peer protocols, AnyTLS rates 'medium' performance (vs. VLESS 'high', Hysteria2 'very high', TUIC 'high'), uses TCP/TLS transport (vs. UDP/QUIC for Hysteria2 and TUIC), and relies on padding-based obfuscation vs. REALITY/WebSocket (VLESS) or HTTP/3 framing (Hysteria2). Client ecosystem support is currently limited primarily to sing-box, vs. broad cross-client support for VLESS, Trojan, and Hysteria2.

2026-anon-anytls-anytls-sing-box-2026 §1.5, Table 1.5 evaluation

AnyTLS is a TLS-based proxy protocol maintained by the sing-box team, designed in 2024 and first released in the sing-box dev-next branch. Its core mechanism wraps arbitrary proxy traffic in standard TLS and applies a configurable padding scheme (Padding Scheme) to enhance traffic concealment while maintaining compatibility with standard TLS infrastructure.

2026-anon-anytls-anytls-sing-box-2026 §1.1–1.3 defense

Rule-based proxy tools (Clash, Shadowsocks, V2Ray) are documented as the most reliable solution for accessing GitHub from China, with split-tunneling rules routing only GitHub traffic through the proxy while keeping domestic traffic on the direct path. Git command-line tools require explicit proxy configuration (git config --global http.proxy http://127.0.0.1:7890) to route clone/push operations, as they do not inherit system proxy settings automatically.

2026-anon-github-2026-6-dns §方法二 defense

Configuring encrypted DNS (DoH/DoT) via Cloudflare (1.1.1.1 / https://cloudflare-dns.com/dns-query), Google (8.8.8.8), or Alibaba Cloud (223.5.5.5) is documented as a practical countermeasure to ISP-level DNS hijacking of GitHub in China. Browser-level DoH (Chrome/Edge settings) is highlighted as accessible to non-technical users without installing additional software.

2026-anon-github-2026-6-dns §方法四 defense

The GFW blocks GitHub via DNS poisoning across at least four domains — github.com, assets-cdn.github.com, github.global.ssl.fastly.net, and raw.githubusercontent.com — causing connection timeouts and page-load failures for mainland China users. The block is persistent as of February 2026, affecting both browser access and command-line git operations.

2026-anon-github-2026-6-dns Introduction / §方法一 detection

As of early 2026, GitHub mirror sites (FastGit at hub.fastgit.xyz, CNPMJS at github.com.cnpmjs.org, GitClone at gitclone.com) remain operationally accessible as reverse-proxy workarounds for read-only access and git clone acceleration from mainland China. The blog explicitly warns users against authenticating to GitHub accounts via these mirrors due to credential-theft risk, indicating that mirror operators are not fully trusted by the end-user community.

2026-anon-github-2026-6-dns §方法三 deployment

Bypassing system DNS via local hosts-file entries (e.g., mapping github.com → 140.82.113.4) is documented as the most widely used free workaround for GFW DNS poisoning of GitHub as of 2026. The technique is fragile: GitHub IP addresses change, requiring users to re-query and update entries manually, making it unsuitable as a reliable long-term defense.

2026-anon-github-2026-6-dns §方法一 defense

LetsVPN's exit is described as part of a broader pattern: a wave of 'airport' (proxy subscription service) outages across multiple providers in April 2026, documented in a companion article titled '2026年四月份各大机场断线详解,' indicating coordinated or systematic GFW blocking affecting the circumvention ecosystem broadly during this period.

2026-anon-letsvpn-vpn §协议写死，特征太明显 (reference to companion article) deployment

Two documented enforcement actions against VPN users were reported in April 2026 in China: one user was summoned, given a warning, and fined 300 RMB for using LetsVPN to access foreign platforms; a second user in Dalian was fined 500 RMB on April 2, 2026 for using 快喵VPN to log into Telegram.

2026-anon-letsvpn-vpn §流量形同裸奔，查水表隐患大 policy

The blog author, drawing on evaluation experience, concludes that LetsVPN's failure was not caused by IP exhaustion or ordinary node instability but by precise protocol-signature identification: once the GFW extracts a client handshake feature, it can simultaneously block all connections sharing that signature across hundreds of thousands of users.

2026-anon-letsvpn-vpn §公告里的几句大实话 detection

LetsVPN permanently exited the Chinese mainland market in late April 2026 after its technical team spent 20 days making hourly adjustments and confirmed it could not restore connectivity. The official announcement designated April 8, 2026 as the effective service-termination date and initiated a full refund program.

2026-anon-letsvpn-vpn Official announcement & §Introduction deployment

The article documents that large-scale 'one-click' commercial VPN providers with static protocol stacks have become effectively non-viable in China, while subscription-based proxy node services using open-source clients (Clash, Shadowrocket) with server-side rapid IP and datacenter switching demonstrate substantially greater resilience to GFW blocking waves.

2026-anon-letsvpn-vpn §为啥傻瓜式一键VPN越来越难活 & §应该怎么选替代方案 evaluation

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 policy

The report maps specific Belt and Road Initiative Digital Silk Road projects through which Chinese technology vendors have transferred censorship and surveillance infrastructure to Iran, including fiber backbone investments, data-center co-location agreements, and equipment supply chains. Specific vendors named include Huawei and ZTE as network infrastructure providers, with the report noting that equipment exports include filtering-capable hardware that Iran's ISPs have deployed at network choke points.

2026-article19-tightening-the-net §4, §5 deployment

Brussee measures a systematic pattern of Chinese government websites actively blocking access from outside China (the "reverse Great Firewall"), publishing a CSV dataset of affected domains (available at zenodo.org/records/18172145). The paper frames this outbound geo-blocking as a cybersecurity-motivated practice — Chinese authorities classify foreign access to domestic government infrastructure as an attack surface — distinct from the inbound information control goal of the GFW.

2026-brussee-reverse-great-firewall §3, §5 deployment

Brussee develops a conceptual framework distinguishing two logics of government geo-blocking: (1) information control (blocking inbound foreign content from domestic users) and (2) data sovereignty / attack-surface reduction (blocking outbound access by foreign actors to domestic systems). Chinese government site blocking of external IPs is motivated primarily by the second logic, creating an asymmetric internet topology where CN citizens cannot reach the outside world, and outside actors cannot probe CN government infrastructure.

2026-brussee-reverse-great-firewall §2, §4 policy

The April 2026 enforcement wave against Chinese VPN resellers operates primarily through administrative "reporting + line-cutting" (通报+拔线) mechanisms enforced via Ministry of Industry and Information Technology bulletins, not packet-level DPI changes. Operators report that newly acquired upstream resources are reported and cut with recovery periods described as "uncontrollable," and that upstream providers typically do not refund resellers after enforcement actions.

2026-ermao-april-airport-outage §一句话结论 / §这轮波动到底发生了什么 policy

China Telecom Group issued directives to Guangdong Telecom requiring comprehensive rectification of cross-border dedicated-line (IEPL/跨境专线) services used for circumvention. Guangzhou launched enforcement first; other Guangdong cities were expected to follow, threatening widespread IEPL line interruptions for providers using Guangdong Telecom as their domestic ingress.

2026-ermao-april-airport-outage §广东方向专项整治传闻的影响 deployment

China Telecom Group reportedly issued directives to Guangdong Telecom in April 2026 requiring comprehensive rectification of cross-border leased-line (IEPL/专线) businesses used for circumvention, with Guangzhou leading enforcement and other Guangdong cities expected to follow sequentially. The targeting is infrastructure-class-specific (IEPL lines as a category) rather than generalized protocol blocking.

2026-ermao-april-airport-outage §广东方向专项整治传闻的影响 policy

The dominant enforcement mechanism in April 2026 was administrative 'reporting + line-cutting' (通报 + 拔线) backed by MIIT bulletins, not protocol-level DPI changes. Operators reported that newly acquired upstream resources were reported to authorities quickly after acquisition, recovery timelines were uncontrollable, and some upstream providers refused refunds after enforcement actions, producing sustained capacity contraction across the shared VPN-reseller ecosystem.

2026-ermao-april-airport-outage §这轮波动到底发生了什么 deployment

Under April 2026 enforcement pressure, surviving VPN resellers converged on three strategies: raising prices to cover higher infrastructure costs, switching from transit to direct-connect (higher latency, worse peak-hour performance), or deploying proprietary protocols with dedicated clients — the last option breaking compatibility with standard Clash and Shadowrocket clients and fragmenting the interoperable ecosystem.

2026-ermao-april-airport-outage §5月以后机场可能怎么-活下去 deployment

Operators facing the April 2026 enforcement wave described three survival paths: (1) price increases to pass on resource costs, (2) switching entirely to direct-connect, or (3) deploying proprietary protocols with dedicated clients — making standard Clash/Shadowrocket clients non-functional for those providers. The commercial forecast is for low-price high-quality plans to disappear and for month-by-month billing to become the default as users hedge against provider collapse.

2026-ermao-april-airport-outage §5月以后机场可能怎么活下去 deployment

The April 2026 enforcement cycle created a resource-scarcity feedback loop: upstream providers cut lines with no obligation to refund resellers, newly acquired replacement resources can themselves be reported and cut within days, and stable-resource availability windows are described as "越来越短" (increasingly short) while costs rise concurrently. The overall effect is systemic capacity contraction forecast to continue through at least May 2026.

2026-ermao-april-airport-outage §这轮波动到底发生了什么 / §四月后的趋势判断 deployment

Shared domestic-entry transit architectures (国内入口 + 海外转发) suffered disproportionate impact because all nodes sharing a single domestic entry point went down simultaneously when that entry was reported and cut. Operators described configurations degrading from 'three-line redundancy to single entry,' eliminating failover capacity under enforcement pressure.

2026-ermao-april-airport-outage §为什么中转机场这次受冲击更明显 detection

Transit/relay architectures (国内入口 + 海外转发) suffered disproportionate impact because multiple nodes share a single domestic entry point: when that entry is reported or cut, the entire batch of nodes fails simultaneously. Operators described this as "三线变单线" (three-line to single-line collapse), with only direct-connect fallback remaining — at higher latency and with worse peak-hour performance.

2026-ermao-april-airport-outage §为什么中转机场这次受冲击更明显 evaluation

NATA requires no endpoint compromise, no Tor-browser modification, and no payload decryption; it operates solely from (1) an upstream gateway controlling Tor TCP connections via standard Linux tc/wondershaper rate-limiting and (2) one or more adversary-controlled exit relays passively recording packet traces. The shaper identifies Tor connections using flow-level metadata (client IP, relay IP, port, transport protocol), meaning the adversary needs only ISP or AS-level vantage, not host-level access.

2026-fan-activeflowmark-assessing-tor §III-A, §IV-A detection

The zig-zag traffic analysis attack (confirmed supported in Geedge TSG leak) rapidly enumerates all static proxy pools. With ζ_watch ∈ {4, 6} steps and a best-quality classifier (ρ_TP=0.99, ρ_FP=0.001), almost total proxy enumeration and user blockage occurs well before step 300. Even ζ_watch=2 leaves ~50% of users blocked. Collateral damage is high across all settings when ζ_watch ≥ 4: eventually ~50% of innocent servers are also blocked. However, Snowflake-style ephemeral proxies resist zig-zag effectively: reachability remains above 95% after 360 steps because churn prevents the censor from expanding its known proxy set beyond agents' direct assignments.

2026-fares-game §5.1, Fig 3, Fig 4 detection

Assemblage's anti-censorship collateral damage argument rests on the economic and social value of AI-generated image communities. Blocking DeviantArt (65M MAU), Reddit (1.21B MAU), X/Twitter (611M MAU), or Telegram (1B MAU) to suppress steganographic circumvention would cause massive collateral damage to legitimate users—and to Chinese companies' revenue in the case of platforms popular in CN. The paper observes that even in authoritarian regimes, everyday users actively post AI-generated content, making blanket platform blocking politically and economically costly.

2026-jois-assemblage §3.3 (Rendezvous), §5 (Feasibility) defense

CensorLess's function refresher automatically retires serverless bridges and deploys fresh ones in batches across diverse regions; the expected time until a bridge is identified and blocked in practice is 2 days (per Fifield et al.), while Tor bridges in China are discovered within 2–36 days. The old bridge is only removed after all clients have completed live migration to a new URL, maintaining uninterrupted connectivity.

2026-kang-censorless-serverless §4.5 defense

CensorLess's threat model explicitly relies on a rational-censor assumption: the censor will not block entire cloud-provider IP ranges or domain namespaces because the collateral damage to legitimate business services would be politically and economically unacceptable. AWS Lambda's inherent IP-address ephemerality (new IPs on each invocation, function lifetime up to 15 minutes) means even censors willing to attempt enumeration face a continuously shifting target distributed across the cloud provider's global address space.

2026-kang-censorless-serverless §4.2 defense

Both Firefox and Chromium leak cleartext DNS before establishing encrypted DNS connections: they first send an unencrypted UDP DNS query to resolve the DoH server's domain (e.g., doh.opendns.com). An in-path censor can intercept and poison this initial query, making encrypted DNS in browsers completely ineffective without additional circumvention of the resolver-lookup step. Additionally, Chromium always includes the SNI extension in the encrypted DNS TLS handshake (e.g., "doh.opendns.com"), leaking the resolver identity even after the initial lookup. No resolver requires SNI to be present for certificate validation when the resolver's IP certificate is configured.

2026-lange-towards §2.4, §7, §10 detection

DNS censorship of encrypted protocols is inconsistent in both China and Iran. In China, Yandex resolvers are censored only when the SNI extension is present; omitting SNI bypasses censorship for these resolvers. In Iran, DoH requires SNI omission for Quad9, Google, Adguard, CleanBrowsing, and NextDNS resolvers, but works with SNI for Yandex and Cisco resolvers. These inconsistencies suggest resolvers have been accidentally missed by censors, highlighting the value of automated tools that trial all resolver-mode combinations rather than hard-coding a single strategy. The support evaluation found 47 resolvers supporting DoH, 16 supporting DoH3, and only 8 supporting DoQ out of ~65 tested.

2026-lange-towards §6.2, Table 2 evaluation

DPYProxy-DNS tested 8 circumvention modes against DNS censorship from vantage points in Iran (AS201295, Mashhad) and China (AS4837, China Unicom). In Iran, DoQ was entirely uncensored even with the SNI extension present; DoH3 worked for all Cloudflare and NextDNS resolvers. Iran's censor operates in-path (not on-path like the GFW), making the "Last Response" mode (wait 3s for the last UDP reply) ineffective in Iran but highly effective in China. Auto-mode averaged 12.32s (median 8.28s) in Iran and 13.78s (median 12.90s) in China to discover a working combination.

2026-lange-towards §6.2, §6.3 evaluation

TCP segmentation (splitting a DNS message into 20-byte TCP fragments) successfully circumvented DNS censorship in China for nearly all resolvers that support TCP. In Iran, TCP segmentation was only partially effective due to the censor's ability to reassemble TCP fragments when system load permits—some runs succeeded completely, others failed entirely across all resolvers. The "Last Response" mode (wait 3 seconds for the final UDP reply) was highly effective against China's on-path GFW injector for all resolvers except the fully IP-blocked Cloudflare 1.1.1.1 resolver.

2026-lange-towards §4.1, §6.2.1, §6.2.2 defense

As of October 2024, 22% (~220K) of Tranco top-1M domains support QUIC; of those, only 12.8% (~28K) are fully QUICstep-compatible (support IP-address migration). However, port-migration support grew 20% in 3 months (26,234 → 31,262 domains from August to late September 2024). Cloudflare hosts 74.6% of QUIC-supporting domains but only 0.2% support connection migration; if Cloudflare enabled it, 87.2% of QUIC-supporting domains would become compatible. Among QUIC-SNI-blocked domains in China (28,458 total), 2,404 (8.45%) support QUIC and 828 (34.4%) of those are QUICstep-compatible today.

2026-lee-quicstep §4.2, Table 1, Fig 3 deployment

QUICstep successfully circumvents the GFW's QUIC SNI censorship (active since April 2024) in live testing. Using an Alibaba VM in mainland China as client and an AWS instance in North Virginia as server, a native QUIC client was blocked after several fetches of youtube.com SNI, while QUICstep consistently succeeded across 50 consecutive fetches. 7 tiktokcdn.com subdomains that were QUIC-SNI blocked were also reliably accessible via QUICstep. The approach routes only QUIC long-header (handshake) packets through a WireGuard tunnel; all subsequent short-header (data) packets travel the native path.

2026-lee-quicstep §4.3.2, §3.2.3 evaluation

A censor attempting to block QUICstep by dropping all QUIC connections that arrive without a preceding Initial/Handshake packet would cause significant collateral damage. Analysis of 24-hour campus traces (3,786,050 unique QUIC connections) found 29.1% (1,100,439 connections) lacked QUIC Initial or Handshake packets—representing legitimate connection migration from mobile handoffs and similar events. This high baseline rate means blanket "no handshake" blocking would disrupt roughly 1-in-3 QUIC connections unrelated to circumvention.

2026-lee-quicstep §5 (Blocking all QUIC connection migrated traffic) detection

All major browsers (Firefox, Chromium) issue an unencrypted DNS-over-UDP query to resolve their configured DoH resolver's domain before initiating any encrypted DNS session. In Iran, nearly all tested DoH resolver domains are directly censored at the DNS layer (returning block-page IPs), which renders browser-native encrypted DNS ineffective regardless of whether the underlying encrypted protocol would otherwise succeed. Additionally, browsers always include the SNI extension in TLS handshakes with DNS resolvers even though no tested resolver requires it.

2026-niere-dpyproxy-dns §7 detection

DPYProxy-DNS's automated probe-and-select mode identified a working DNS circumvention in an average of 13.78 seconds (median 12.90s) in China and 12.32 seconds (median 8.28s) in Iran across 100 runs each; best-case startup was 0.32s (China) and 0.47s (Iran) when the first-tried combination succeeded, while worst-case exceeded 30.72s in China and 58.16s in Iran due to the slow Last Response mode (3s fixed wait per attempt) being selected early in the randomized probe order.

2026-niere-dpyproxy-dns §6.3 evaluation

The GFW operates as an on-path censor that injects forged DNS responses faster than the real resolver but cannot suppress the legitimate response from also arriving. Waiting approximately 3 seconds and accepting the last-received UDP response circumvented GFW DNS injection for 40 of 41 tested public resolvers in China; the single exception (Cloudflare 1.1.1.1) was IP-blocked via packet dropping rather than injection racing.

2026-niere-dpyproxy-dns §6.2.1 defense

TCP segmentation — splitting DNS-over-TCP messages into 20-byte fragments — successfully circumvented DNS censorship for 40 of 41 tested resolvers in China. In Iran, TCP segmentation is inconsistently effective: it succeeds in some scan runs and fails entirely in others, suggesting the Iranian censor can reassemble TCP fragments when processing capacity permits.

2026-niere-dpyproxy-dns §6.2.1, §6.2.2 defense

The largest single source of censored domains in the GNL is MESA lab's SNI monitoring dataset (E21-SNI-Top200w.txt) containing 57,362 censored domains, and E21-SNI-Top120W-20221020.txt with 36,467 domains—totaling over 93K domains from network tap data alone for a single country (E21 = Ethiopia per InterSecLab attribution). A separate Xinjiang dataset (XJ-CUCC-SNI-Top200w.txt) contains 13,604 domains. These datasets "do not seem to come from popular domain lists, and instead appear to be gathered from network taps," confirming that Geedge builds censorship target lists directly from passive traffic observation.

2026-sheffey-geedge §4.2, Table 3 detection

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 detection

The GNL reveals that Geedge actively maintains dedicated VPN-infrastructure tracking datasets. The China-specific component includes 7,016 domains in a "vpn-finder-plugins" repository (mesalab_git/intelligence-learning-engine), 4,810 NordVPN server domains, and a Pakistan-specific file listing 68 Psiphon CDN domains (geedge_docs/TSGEN/.../Psiphon-CDN_20240430.json) dated April 2024. A Myanmar deployment file (M22-VPN List.html, 27 domains) further confirms country-specific VPN blocklists are operationally maintained. The "Appsketch" program reverse-engineers VPN apps to extract domains and IP addresses for blocking.

2026-sheffey-geedge §4.2, Table 3 detection

Obscura proxies resist active probing by never exposing open ports or accepting incoming connections; combined with a large ephemeral volunteer pool (analogous to Snowflake's scale), the vast IP address space and rapid proxy rotation make exhaustive enumeration infeasible without causing sufficient collateral damage to deter the censor — consistent with the absence of observed blind-blocking campaigns against Snowflake.

2026-vilalonga-obscura-enabling-ephemeral §5.1 defense

Authoritarian regimes blocked Snowflake primarily through DPI targeting fingerprints in Pion's DTLS handshake and TLS fingerprints in complementary WebRTC protocols, not through ML-based traffic analysis — confirming that cost-effective censors consistently favor simple, deterministic methods over computationally expensive classifiers.

2026-vilalonga-obscura-enabling-ephemeral §1 detection

Systematic measurement platforms (OONI, Censored Planet, Cloudflare Radar, NetBlocks) have inherent blind spots due to geographic coverage and protocol-specific test constraints; critical censorship discoveries — including GFW fully-encrypted protocol blocking and regional Chinese censorship — were first surfaced by user reports on forums and GitHub issue pages of circumvention tools, not by automated measurement infrastructure.

2026-zohaib-extended §1 evaluation

Across all 7 LLMs tested (GPT 4o, GPT 4o Mini, Gemini 1.5 Flash, Gemini 1.5 Pro, Llama 3.2, Claude 3.5 Haiku, Claude 3.5 Sonnet), statistically significant evidence of censorship bias was found in at least one evaluation metric per model: responses to Simplified Chinese prompts were more neutral, more similar to sanitized text, and less opinionated than semantically identical Traditional Chinese prompts (p < 0.05 across refusal-rate, sentiment, CensorshipDetector classification, and word-embedding analyses).

2025-ahmed-llm-censorship-bias Table 4, §6 evaluation

CensorshipDetector, an XLM-RoBERTa model fine-tuned on 587,819 Baidu Baike articles (censored) and Chinese Wikipedia (uncensored), achieved 91% accuracy on a held-out validation set of Chinese news articles, correctly classifying 93% of Chinese state media articles as censored and 87% of New York Times Chinese articles as uncensored, with average censorship scores of 0.93 and 0.13 respectively.

2025-ahmed-llm-censorship-bias §4.7, §4.7.2 evaluation

A systematic search of the Common Crawl dataset — the training corpus attributed to most major LLMs including Llama, GPT, and Gemini — found content from 325 of 326 Chinese government and state media domains searched, confirming that sanitized content is pervasive in LLM pretraining data and providing a concrete mechanism for how Chinese information controls propagate into Western-built models.

2025-ahmed-llm-censorship-bias §3.3 evaluation

Using English as a pivot language (prompting the model in English while requesting Chinese-language responses) reduced but did not eliminate censorship bias: CensorshipDetector scores showed less bias in English-pivoted responses than in direct Simplified Chinese prompts, but sentiment analysis and word-embedding analyses still found statistically significant bias in most models, indicating censorship bias is a function of both prompt language and response language.

2025-ahmed-llm-censorship-bias §8.2 evaluation

The study finds that LLM censorship bias affects Chinese-speaking diaspora populations who reside outside mainland China: because user language — not user location — determines exposure to sanitized outputs, Chinese speakers globally receive information shaped by CCP information controls when using popular AI chatbots in Simplified Chinese, constituting an extraterritorial export of domestic censorship infrastructure.

2025-ahmed-llm-censorship-bias §8.3 policy

Analysis of 5.1 billion Wallbleed responses revealed that the leaked memory contains fragments of live network traffic processed by the injection device: IP/TCP/UDP/HTTP headers and payloads (including plaintext traffic not related to DNS), x86_64 Linux stack frames with ASLR-consistent pointer patterns, and what appear to be glibc stack canaries. The 166 million UPnP/SSDP snippets in leaked memory suggest the GFW device shares a memory pool with traffic from private RFC 1918 addresses, hinting at internal management-plane traffic co-located with the censorship infrastructure. A side channel — the fixed cyclic ordering of false IP addresses across injection processes — distinguishes individual GFW injector processes from each other.

2025-fan-wallbleed §4–§5 detection

Wallbleed was a buffer over-read in the GFW's DNS injection subsystem that caused middleboxes to append up to 125 bytes of their own process memory to forged DNS responses. The bug persisted for at least two years (confirmed from October 2021); the GFW issued an incorrect partial patch in November 2023 (Wallbleed v2 remained exploitable) and fully patched it in March 2024. Over 5.1 billion Wallbleed responses were collected during continuous measurement, and an IPv4-wide scan found 242 million IP addresses across 381 autonomous systems receiving Wallbleed-injected responses — including some traffic whose source and destination were both outside China, due to routing through China's network border.

2025-fan-wallbleed §1–§3, §7 deployment

The September 2025 leak of ~600 GB from Geedge Networks and the MESA Lab (Institute of Information Engineering, Chinese Academy of Sciences) is the largest known document disclosure from the GFW vendor ecosystem. It establishes a direct lineage: MESA Lab (founded 2012 by Fang Binxing's team, annual contracted revenue >35M RMB by 2016) spun out Geedge Networks in 2018, with MESA alumni filling key engineering roles (e.g. Zheng Chao as CTO). The leak includes ~64 GB of MESA git repositories, ~35 GB of MESA internal documents, ~15 GB of Geedge internal documents, and a ~3 GB Jira export — providing direct access to source code, work logs, and internal communications behind GFW R&D.

2025-geedge-mesa-leak §4 deployment

Internal Geedge documents confirm active contracts to deploy GFW-derived censorship and surveillance infrastructure in Myanmar, Pakistan, Ethiopia, Kazakhstan, and at least one additional unidentified country under the Belt and Road framework, in addition to domestic deployments in Xinjiang, Jiangsu, and Fujian. The exported product (the Tiangou Secure Gateway / TSG line) is not a stripped-down export variant — leaked TSG documentation shows DPI, active-probing, ML classifiers, and granular per-region traffic control rules that mirror the domestic GFW capability set.

2025-geedge-mesa-leak §5, §6 deployment

The August 20, 2025 unconditional RST event revealed an asymmetry in the GFW's triggering mechanism: for traffic originating inside China, both the client SYN and the server SYN+ACK each independently triggered three injected RST+ACK packets (six total per connection). For traffic to China from outside, only the Chinese server's SYN+ACK triggered RSTs — the foreign client's SYN alone was insufficient. This asymmetry implies the responsible device observed the SYN+ACK from the Chinese server as the trigger condition, not a port-match rule on the SYN.

2025-gfw-port443-rst §2.1, §2.2 detection

On August 20, 2025 from approximately 00:34 to 01:48 Beijing Time (74 minutes), the GFW unconditionally injected TCP RST+ACK packets on all port 443 traffic, regardless of payload content, disrupting all TCP/443 connections between China and the rest of the world. The injected packets came in triples with incrementally increasing TTL and window size fields — a fingerprint that does not match any previously catalogued GFW device — indicating either a new device or a known device in a novel or misconfigured state. The blocking was port-443-specific: ports 22, 80, 8443, and others were unaffected during the same window.

2025-gfw-port443-rst §1, §2.3, §3 detection

Drivel evaluates its design against the GFW's fully-encrypted-traffic detector (documented in Wu et al. 2023). The thesis demonstrates that switching to post-quantum primitives does not by itself change the traffic's appearance to a statistical censor classifier — the fully-encrypted detection problem is independent of the underlying cryptographic algorithm and must be addressed at the traffic-shaping layer regardless of key-exchange choice.

2025-himmelberger-drivel §3, §4 detection

Drivel is an obfs4-style fully-encrypted proxy protocol that replaces obfs4's pre-quantum cryptographic primitives with post-quantum alternatives. It is one of the first circumvention protocols explicitly designed to remain secure under a quantum adversary, addressing the forward-secrecy threat to deployed circumvention traffic recorded today for future decryption.

2025-himmelberger-drivel §1, §2 defense

Most deployed circumvention protocols (obfs4, Shadowsocks, Trojan, VMess, etc.) still rely on pre-quantum primitives (X25519, AES-GCM, ChaCha20). Drivel is the first published treatment of how to perform this migration in the specific context of a fully-encrypted pluggable transport, providing a design template and security analysis that does not exist elsewhere in the circumvention literature.

2025-himmelberger-drivel §2, §5 defense

InterSecLab frames the Geedge/TSG export program as the commoditization of national firewall capability: rather than each censor state independently developing detection infrastructure, they contract Geedge for a turnkey system incorporating the cumulative R&D of MESA Lab (>10 years, National Science and Technology Progress Award winners). This structural shift means the marginal cost for an autocratic government to acquire GFW-grade censorship is now a procurement decision, not a multi-year engineering program. The report identifies that Geedge's relationship with the MESA Lab gives customer states indirect access to ongoing academic R&D improvements, not just a static product.

2025-interseclab-internet-coup §2, §6–§7 (InterSecLab report) policy

InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.

2025-interseclab-internet-coup §3–§5 (InterSecLab report) detection

The report traces the specific corporate pathway through which Geedge Networks exported GFW-derived technology to Myanmar: via front companies, shell entities, and Belt and Road Initiative contract frameworks that obscure the Chinese state's direct involvement. The report names at least three intermediary entities used to transfer equipment and technical personnel to the Myanmar military, and documents that the same export channel was used for ongoing product updates post-deployment.

2025-jfm-silk-road-surveillance §4, §6 policy

Justice for Myanmar documents that Geedge Networks supplied Myanmar's military junta with GFW-derived surveillance and censorship infrastructure under Belt and Road frameworks following the February 2021 coup. The deployed system (Tiangou Secure Gateway / TSG) incorporates the same DPI, active-probing, and ML-classifier capabilities as the domestic Chinese GFW, giving Myanmar one of the most technically capable censorship systems in Southeast Asia.

2025-jfm-silk-road-surveillance §3, §5 deployment

In China, multiple URLs show 100% failure rates across 3–7 ASNs with near-zero confirmed blockpage rates (e.g., hkleaks.ru, blockdx.co, libgen.space each at 100% failure, avg_confirmed ≈ 0), indicating that China increasingly uses non-blockpage mechanisms — connection drops, TCP anomalies — that evade blockpage-based detection while achieving complete access denial.

2025-lipphardt-1-800-censorship §4.4, Table 4 evaluation

Neither China nor Iran directly block ECH ClientHello messages; instead both effectively prevent ECH by censoring encrypted DNS resolvers. China blocks Cloudflare's DoH/DoT resolver (mozilla.cloudflare-dns.com) via SNI-based blocking in TLS and QUIC, causing residual censorship of up to 360 and 180 seconds respectively. Iran blocks both Cloudflare and NextDNS DoH hostnames via DNS block-page injection, TLS TCP RST, and HTTP block pages. Iran cannot analyze QUIC, so DoQ is uncensored and enables ECH in Iran. China's NextDNS IP blackholing affected only one of two resolved IPs, leaving an uncensored path.

2025-niere-encrypted §5, Table 1, Figure 5 detection

Chrome and Firefox send GREASE ECH extensions in every ClientHello message, meaning a censor that blocks all ECH-containing ClientHellos would block all Chrome and Firefox TLS traffic. Cloudflare's static outer SNI "cloudflare-ech.com" in all its ECH configurations makes real ECH connections trivially distinguishable from GREASE ECH — censors can block real ECH connections to Cloudflare without triggering GREASE collateral damage. Cloudflare rejects ECH handshakes with omitted or invalidated outer SNI values; non-Cloudflare ECH deployments accept missing and invalid outer SNIs.

2025-niere-encrypted §2.1, §4.1, §6 detection

Censorship classifiers and traffic analysis attacks consistently exploit the initial seconds of a proxy connection, where packet-size, inter-arrival-time, and burst features are maximally discriminative. Cited work demonstrates that website fingerprinting classifiers trained solely on the first few seconds of Tor traffic achieve high accuracy, and real-world GFW detection of fully-encrypted protocols also targets early-connection bytes.

2025-pereira-extended §1 detection

All six Chinese browsers (Baidu Searchbox, UC Browser, QQ Browser, OPPO, Redmi/Mi, VIVO) transmit the full URL of every page visited—including HTTPS pages—along with page titles and search terms out-of-band to vendor servers, entirely bypassing VPN tunnel protection. In five of six cases this data is transmitted with no cryptography or weak cryptography (purely symmetric AES with hardcoded keys, or textbook RSA with a 128-bit modulus factorable in under 3 seconds), making it readable by any on-path actor between the VPN egress and the vendor's servers.

2025-rodriguez-revisiting §4.1 detection

Chinese browsers transmit GPS coordinates alongside persistent user IDs (IMEI, GAID, CUID) and client IPs to vendor servers with poor transport security; an attacker with access to this stream can trivially detect VPN use without any DPI—GPS coordinates placing a user inside China combined with a non-Chinese client IP is an unambiguous VPN-use signal. This correlation attack succeeds against VPNs with perfect traffic obfuscation because the detection side-channel is entirely outside the encrypted tunnel.

2025-rodriguez-revisiting §5, §6 detection

Of the four Chinese browsers offering incognito mode (Baidu Searchbox, UC Browser, QQ Browser, Redmi/Mi), all four continue to leak PII and three continue to transmit full browsing activity including URLs; UC Browser specifically sends data during incognito sessions encrypted with hardcoded AES/CBC key "Ine34@32b#jeRs2h" and a zero initialization vector to crash-upload endpoints. Incognito mode in these browsers provides no protection against vendor-side or on-path surveillance and creates false privacy expectations for circumvention tool users.

2025-rodriguez-revisiting §4.2 evaluation

PWA-based circumvention tools that display their name or any identifying string in the browser URL bar or page title expose that identifier to all six Chinese browser vendors' telemetry servers, since all six browsers collect page titles and full URLs. Browser SDKs with READ_PHONE_STATE and elevated permissions can monitor PWA activity at the OS level in ways not possible with standard browsers, making browser selection as security-critical as the circumvention tool itself for the Tor Browser threat model.

2025-rodriguez-revisiting §5, §6 defense

All six browsers grant dangerous Android permissions (READ_PHONE_STATE, INTERNET, ACCESS_NETWORK_STATE) to third-party SDKs; built-in phone browsers grant significantly more such permissions than app-store browsers. Baidu Mobile Tongji Analytics SDK—present in all six via Baidu as default search engine—collects IMEI, UUID, CUID, GAID, device MAC, and Bluetooth MAC, creating a persistent cross-app device fingerprint that identifies users across VPN sessions and survives IP changes.

2025-rodriguez-revisiting §4.3 detection

The blocking-resistance of CenPush derives from the collateral damage a censor would incur by blocking APNs or FCM: doing so would break push notifications for every app on iOS or Android respectively. This is the same collateral-damage deterrent mechanism that makes CDN-based domain fronting and TLS-over-CDN transports resilient, applied to the control plane rather than the data plane.

2025-sharma-cenpush §2, §4 defense

Two of the 8 handshake-accepting injected IPv4 addresses host active services reachable both inside and outside China: 103.230.123.190 runs OpenSSH 8.2p1 on port 22, and 103.246.246.144 redirects 0.164% of all censored-domain requests to a website serving forbidden adult content.

2025-sheffey-extended §2.2.1 evaluation

The authors recommend that users encrypt DNS queries (DoT or DoH) to prevent the GFW's on-path injectors from intercepting and poisoning them, and additionally block all outgoing traffic to the known pool of GFW-injected IP addresses to avoid silently connecting to potentially surveillance-oriented infrastructure.

2025-sheffey-extended §4 defense

GFW DNS AAAA responses for censored domains return 622 IPv6 addresses: 30 from Facebook's 2a03:2880::/32 network (all sharing interface identifier face:b00c:0:25de), and 592 malformed Teredo addresses in the 2001::/32 range that directly hex-encode entries from the IPv4 pool in the lower 32 bits rather than following RFC 4380 Teredo structure. The Teredo addresses' server IPv4 (0.0.0.0) and port (0) fields are nonsensical.

2025-sheffey-extended §2.1, Appendix A evaluation

Of 1922 IPv4 addresses collected from GFW-injected DNS A responses to 5,000 queries for censored domains, 8 (0.4%) actually accepted TCP handshakes when probed from within China. The other 1914 addresses were either silent or unreachable.

2025-sheffey-extended §2.2 evaluation

Six injected IPv4 addresses (8.7.198.46, 39.109.122.128, 46.82.174.69, 59.24.3.174, 93.46.8.90, 103.97.3.19) accept TCP SYN→SYN+ACK from within China but immediately reply RST when the client sends application data (PSH flag). These hosts mirror IPID values from probe packets, show no response from outside China, and appear to operate statelessly — suggesting GFW-controlled surveillance infrastructure that collects connection metadata without revealing itself.

2025-sheffey-extended §2.2.2 detection

Proxy placement requirements vary dramatically by country topology: Turkmenistan requires just 1 AS for 75% coverage, Oman requires 3, Afghanistan 5, Iran 10, and China 12. Turkmenistan's extreme centralization means a single transit AS intercepts virtually all paths, whereas China's fragmented routing fabric demands far more deployment sites to achieve equivalent coverage.

2025-umesh-improved §5.4, Table 4, Figure 6 evaluation

Snowflake's sustained operation in heavily censored regions demonstrates that WebRTC must remain accessible to users, which in turn requires that TURN servers remain unblocked to support NAT traversal for peer-to-peer WebRTC connections. This transitive unblockability makes TURN service providers viable rendezvous channels for the Bridge Distribution Problem.

2025-vilalonga-extended §3.2 Bridge Distribution Problem defense

The system targets a threat model where the censor performs passive DPI to fingerprint and block the client-to-TURN-proxy channel, and also conducts active enumeration attacks to discover and block proxy endpoints. The paper explicitly notes that traffic splitting may introduce distinct fingerprints of its own that require empirical evaluation — acknowledging that multi-path approaches are not fingerprint-free.

2025-vilalonga-extended §3.1 Threat Model defense

Among surveyed channels, Skyhook, PushRSS, SQS, AMPCache, and Meek satisfy all three UP channel properties (unidirectional, no client auth, higher bandwidth); CloudTransport and Raven do not because they require authenticated user accounts; Tor's email- and Telegram-based bridge distribution also fails the no-auth requirement. The analysis was prompted in part by the 2022 GFW entropy-based blocking event, which required software updates to be pushed to users before fully-encrypted protocols could resume functioning.

2025-vines-extended §3 defense

Active mid-connection bandwidth throttling (e.g., 100 Mbps → 50 Mbps) cleanly separates BBR from Hysteria and TCP-Brutal: BBR converges to the new rate within a few probing cycles, while Hysteria and Brutal interpret reduced bandwidth as increased packet loss and raise their sending rate further. This active probing technique resolves the BBR ambiguity that passive measurement alone cannot.

2025-wang-custom §4.4 detection

BBR, a rate-based CCA already available in the Linux kernel, comes close to Hysteria's throughput performance when packet loss is below 20% — the typical range for cross-border Chinese links (5–15%, peak up to 50% per prior studies). Above 20% loss, Hysteria and Brutal maintain a significant throughput advantage over BBR, but the paper finds no compelling justification for custom CCAs given the marginal gains in that regime versus the fingerprinting cost.

2025-wang-custom §4.2, §6 defense

Hysteria and TCP-Brutal maintain fixed sending rates regardless of packet loss, causing them to transmit at rates several orders of magnitude higher than loss-based CCAs (TCP/QUIC Cubic) at a 5% packet loss rate on a 100 Mbps link with 60ms RTT. This non-compliance with standard congestion backoff is reliably detectable across RTTs from 15ms to 300ms and loss rates from 0.1% to 20%.

2025-wang-custom §4.1 detection

The GFW detects fully encrypted protocols using ad-hoc rules including the percentage of printable ASCII characters per packet (threshold: over 50%) and the observation that FEP entropy is considerably higher than normal encrypted TLS traffic. These rules are subject to frequent changes, making rigid FEP designs unable to adapt.

2025-wilson-extended §1 detection

Since August 2023, Henan Province has operated its own TLS SNI-based and HTTP Host-based censorship middleboxes that inspect and block traffic exiting the province—a second filtering layer on top of the national GFW. The Henan Firewall is fingerprinted by a unique TCP RST+ACK injection carrying a fixed 10-byte payload (0x01 02 03 04 05 06 07 08 09 00), IP ID 0x0001, and an observed TTL of 58. Unlike the GFW, it injects resets only toward the client, performs no residual censorship, and requires no TCP handshake to trigger. Longitudinal testing (Nov 2023–Mar 2025, Tranco top 1M daily + 227M CZDS domains weekly) found the Henan Firewall blocked a cumulative 4.2 million domains—more than five times the GFW's cumulative blocklist—and at peak blocked ten times more domains than the GFW.

2025-wu-regional-censorship §4.4 / §5 detection

The Henan Firewall only inspects traffic leaving Henan Province toward the rest of the world—it does not inspect domestic intra-China traffic nor inbound traffic entering the province. This contrasts with the GFW, which operates bidirectionally at China's national border. Measurement across seven CN cities (Beijing, Shanghai, Chongqing, Guangzhou, Nanjing, Chengdu, Zhengzhou) found no evidence of comparable provincial firewalls in the other six locations, making Henan the only documented province with an autonomous censorship layer as of March 2025. The Henan Firewall also uses the same blocklist for both HTTP Host-based and TLS SNI-based censorship, whereas the GFW maintains separate domain lists per protocol.

2025-wu-regional-censorship §3 / §4.2 / §5.1 detection

The Henan Firewall is stateless in two exploitable ways: (1) it requires the TCP header to be exactly 20 bytes—enabling any TCP option (e.g., TCP Timestamps, which Windows disables by default) to bypass it entirely; (2) it does not perform TCP reassembly, so splitting a TLS ClientHello across two TCP segments such that the SNI extension straddles the boundary bypasses the censor. Both bypasses require only client-side changes and have already been implemented in Xray, GoodbyeDPI, and Shadowrocket. TLS record fragmentation (splitting the ClientHello across multiple TLS records within one TCP segment) also defeats both the Henan Firewall and the GFW, since neither performs TLS reassembly.

2025-wu-regional-censorship §4.3 / §6 defense

IMAP/SSL traffic on port 993 constitutes less than 1% of total ISP traffic but accounts for nearly one third of all false positives in the RTTdiff exploit, because IMAP's non-RESTful multi-connection pattern violates the request-response correlation assumption. The overall per-flow FPR is bounded at 0.6–0.7% (on par with GFW's estimated FPR against fully-encrypted proxies), but implementing a pre-filter to whitelist IMAP traffic reduces the FPR by approximately one third, making the fingerprint substantially more precise.

2025-xue-discriminative §VI-C-3, Table III detection

Cross-layer RTT discrepancy (RTTdiff) is a protocol-agnostic fingerprint that exploits an inherent architectural property of all proxy setups: transport-layer sessions terminate at the proxy while application-layer sessions remain end-to-end. Evaluation across 10 proxy protocols—including VMess, Shadowsocks, VLESS, Trojan, XTLS-Vision, and obfs4-wrapped SOCKS—shows near-identical detection rates for all except obfs4, confirming the fingerprint is not tied to any specific obfuscation scheme. At FPR=0.01, per-website detection rates exceed 70% across all tested client and proxy location combinations.

2025-xue-discriminative §I, §VI-C detection

The computational cost of decrypting QUIC Initial packets limits the GFW's throughput: blocking effectiveness drops measurably as cross-border QUIC traffic increases and exhibits a diurnal pattern, falling during China's peak traffic hours. In a controlled experiment, sending QUIC Initial packets at 100–1500 kpps (TTL-limited so they reach the GFW but not end-hosts) caused GFW censorship effectiveness to decrease monotonically with sending rate, while equal-rate random-payload UDP traffic produced no such degradation—confirming the bottleneck is QUIC decryption, not raw bandwidth. A related availability attack using IP-spoofed QUIC Initials from one machine can cause the GFW to drop all UDP traffic between arbitrary Chinese hosts and any foreign endpoint for the 180-second residual window.

2025-zohaib-quic-sni §3.4 / §5 detection

Since April 7, 2024, the GFW decrypts every QUIC client Initial packet at China's national border and blocks connections whose TLS ClientHello SNI matches a QUIC-specific blocklist. Blocking takes the form of dropping all subsequent UDP packets sharing the same (src-IP, dst-IP, dst-port) 3-tuple for 180 seconds—with no RST injection. The GFW applies a source-port heuristic: packets with src-port ≤ dst-port are not inspected, capturing >92% of real QUIC client Initials while processing only ~30% of all UDP traffic. The QUIC blocklist contains 58,207 unique FQDNs (Tranco, Oct 2024– Jan 2025), approximately 60% of the DNS blocklist in size; 33% of blocked FQDNs do not actually support QUIC, suggesting the list was derived from an existing domain-name blocklist rather than live QUIC service discovery.

2025-zohaib-quic-sni §3 / §3.1 / §3.3 / §4 detection

The GFW's QUIC censor does not reassemble QUIC client Initial packets that are split across multiple UDP datagrams, nor does it reassemble QUIC CRYPTO frames split within a single datagram. Three practical bypasses follow: (1) send any UDP datagram with a random payload before the QUIC Initial—the GFW uses 60-second UDP flow state and won't inspect a mid-flow packet; (2) fragment the TLS ClientHello SNI across multiple QUIC CRYPTO frames; (3) use an unknown QUIC version number in the first packet (Version Negotiation bypass, payload undecryptable). Chrome independently exploits (2) through its Chaos Protection feature (since 2021) and post-quantum Kyber key-agreement (since v124, Sep 2024), whose larger key sizes force fragmentation across UDP datagrams. As of January 2025, the GFW also does not block ECH-containing QUIC payloads unless the outer (cleartext) SNI is on the blocklist.

2025-zohaib-quic-sni §3.2 / §7 defense

WATER (WebAssembly Transport Executables at Runtime) defines a pluggable-transport architecture in which the transport logic is compiled to a WASM module that is loaded and executed at runtime by a thin Go host process. This separates the stable host ABI (dial, accept, read, write) from the rapidly-evolving transport logic, allowing new or updated transports to be delivered as small WASM binaries without recompiling or redeploying the host application.

2017-frolov-water-pluggable §2–3 defense

The paper proposes a black-box methodology for detecting censorship bias in LLMs by comparing responses to identical prompts in Simplified vs. Traditional Chinese — scripts for the same spoken language — controlling for translation quality while exploiting that Simplified Chinese training data is disproportionately sourced from mainland China's censored internet. Each prompt is repeated ten times and scored for similarity to censored text using an XLM-RoBERTa classifier fine-tuned on Baidu Baike (censored) vs. Chinese Wikipedia (uncensored) with scores from 0 to 1.

2024-ahmed-extended §2 / §2.4 evaluation

Of 326 websites known to adhere to CCP censorship laws — including Chinese government sites and state media — 325 were found indexed in the Common Crawl dataset commonly used to train major LLMs including GPT-3. Only the official government site of Macao (www.gov.mo) was absent, indicating that LLM training corpora are broadly contaminated with CCP-censored content.

2024-ahmed-extended §3.1 evaluation

Because LLMs such as ChatGPT (over 100 million weekly active users) reflect CCP information-control requirements when prompted in Simplified Chinese, they effectively export Chinese domestic censorship to diaspora communities and non-China-based Chinese speakers worldwide — extending the reach of information manipulation beyond any jurisdiction where Chinese censorship law applies.

2024-ahmed-extended §1 / §3.2 policy

Exploratory testing of GPT-3.5 Turbo showed significant response divergence between Simplified and Traditional Chinese prompts on politically sensitive topics. Simplified responses glossed over or omitted details on Tiananmen Square casualties, Uyghur genocide allegations, Taiwan's sovereignty status, and Xi Jinping's human rights record; Traditional Chinese responses described these topics in substantially more critical and detailed terms.

2024-ahmed-extended §3.2 / Table 2 evaluation

Snowflake's blocking resistance rests on a large, constantly changing pool of volunteer WebRTC proxies implemented as lightweight JavaScript browser extensions or web pages. Because the proxy population is in constant churn and new addresses appear faster than censors can enumerate and block them, IP-list blocking is structurally ineffective. The system is designed so that when an in-use proxy goes offline, the client seamlessly migrates to another with no disruption to upper network layers.

2024-bocovich-snowflake §1, §2 defense

WATER (WebAssembly Transport Executables Runtime) separates transport logic from the host application by compiling it to a WASM module (WATM) that is distributed and loaded independently at runtime. Deploying a new or updated circumvention technique requires only distributing the new WATM binary and optional configuration — no change to the host application and no app-store update cycle is required.

2024-chi-just §1, §3 defense

Traditional circumvention tool development and deployment is slow because new strategies must be developed, integrated into each tool separately, and then distributed via platform app-stores. WATER's WASM module architecture specifically addresses this asymmetry: censors evolve blocking techniques quickly, while circumventors are bottlenecked by binary release cycles. The paper argues that dynamic WATM delivery breaks this bottleneck by decoupling transport updates from application releases.

2024-chi-just §1 defense

ML-based VPN classifiers report FPRs of 1.4–5.5%, all exceeding the GFW's estimated practical threshold of 0.6%, while the simple RFC-heuristic approach achieves 0.11%; this indicates that real-world censors are more likely to adopt lightweight heuristic detectors than opaque ML pipelines.

2024-hanlon-detecting §4.2 Overall Classifier Results evaluation

A protocol-agnostic classifier that identifies RFC-mandated TCP behaviors (three-way handshake, 500ms ACK, 2×RMSS acknowledgement) leaking through UDP-based VPN tunnels achieves a false positive rate of 0.11–0.29% on real campus traffic, an order of magnitude lower than ML-based VPN detection techniques (FPR 1.4–5.5%) and on par with the GFW's estimated heuristic FPR of 0.6%.

2024-hanlon-detecting §3–§4.2 detection

GFWeb discovered that the GFW's bidirectional blocking is not symmetric: certain domains trigger blocking only when probed from inside China, not from outside. This overturns the prior assumption that the GFW blocks the same domains symmetrically in both directions. The paper also documents that the GFW has been upgraded to fix previously-reported evasion techniques, including overblocking mitigation and improved fragmented-packet reassembly, indicating active engineering iteration on the censor side.

2024-hoang-gfweb Abstract, §5.3, §6 detection

GFWeb tested 1.02 billion domains against the GFW over 20 months and discovered 943,000 pay-level domains blocked by HTTP filters and 55,000 by HTTPS filters — the largest GFW blocklist dataset ever published. The HTTP-to-HTTPS ratio (17:1) confirms that the GFW's HTTPS keyword-based and SNI-based blocking covers far fewer domains than its HTTP host-header blocking, likely because HTTPS blocks carry higher collateral-damage risk.

2024-hoang-gfweb Abstract, §5.1 detection

Longitudinal GFWeb data spanning 20 months shows the GFW actively patched previously-published evasion findings during the measurement period: overblocking bugs reported in academic papers were fixed, and fragmented-packet reassembly failures that researchers used to bypass blocking were corrected. This demonstrates that the GFW operator monitors published research and iterates on the system in response to disclosed vulnerabilities.

2024-hoang-gfweb Abstract, §5.4, §6 detection

NetShuffle targets edge networks — small autonomous systems and entities that obtain IP address blocks from upstream providers — as a new class of support base for circumvention infrastructure. This class has received scant attention from prior work, which has focused on cloud providers and volunteer desktop machines. Edge networks represent a large pool of diverse IP space that is harder to block via ASN blackholing compared to a small number of major cloud providers.

2024-kon-netshuffle §1, §2 defense

China's Great Firewall showed anomalous inconsistency: 13 test vectors produced mixed outcomes—TCP RST injection on some executions and a clean server response on others—with circumvention rates between 10% and 35% across 100 executions per vector. The authors attribute this to heterogeneous GFW infrastructure components applying different HTTP parsing logic, a departure from the GFW's usual consistency.

2024-m-ller-turning §5.2 detection

HTTP Request Smuggling—a web-security vulnerability that exploits CL/TE header parsing ambiguities between a front-end (censor) and back-end (web server)—can be systematically repurposed as a censorship circumvention technique. By hiding a censored Host in the body of a benign outer request, the censor parses only the uncensored outer request while the destination server processes both, successfully bypassing HTTP censorship in China (19 vectors), Iran (254 vectors), and Russia (all 2,015 vectors) from the evaluated vantage points.

2024-m-ller-turning §3 / §8 defense

China's GFW exhibited unusually inconsistent HTTP censorship behavior: 13 of the evaluated HRS test vectors circumvented the GFW in some executions but not others, with per-vector success rates between 10% and 35% across 100 executions per domain. The authors attribute this to two distinct parts of GFW infrastructure employing different HTTP censorship mechanisms, a departure from the GFW's typical consistency.

2024-niere-http-smuggling §5.2 (China paragraph), §5 intro detection

HTTP request smuggling (HRS) vectors that exploit CL/TE header parsing divergence between a censor-as-middlebox and a destination web server can circumvent HTTP censorship in China, Iran, and Russia. Of 4,488 test vectors derived from prior HRS research, 2,015 (44.9%) were accepted by at least one web server; CL*/TE vectors achieved a 99.0% web-server acceptance rate while TE/CL* vectors achieved 0%.

2024-niere-http-smuggling §3, §5.1, Table 1 defense

TLS-Attacker implements more than 330 cipher suites, including uncommon GOST and SM cipher suites specified by the Russian and Chinese authorities, covering SSL 3.0 through TLS 1.3 as well as DTLS 1.0 and DTLS 1.2. This breadth lets researchers test whether authority-mandated or jurisdiction-specific cipher suite selections alter TLS fingerprint classification by censors in those countries.

2024-niere-tls-attacker §2 Development evaluation

The SQS rendezvous method was deployed in Snowflake v2.9.0 / Tor Browser 13.0.10 (February 2024) and as of 2024-06-22 had served over 14,808 client connections from over 20 countries including Iran, China, the United States, and Russia, while remaining within the AWS Free Tier limit of 1 million requests per month and incurring no monetary cost.

2024-pu-exploring §4 deployment

Across five popular translation services available in China (Alibaba, Baidu, Tencent, Youdao, and Microsoft Bing), researchers discovered 11,634 unique censorship rules in total. Every service — including the American-operated Bing Translate — implemented automatic censorship that silently omits content, with only Alibaba displaying any notification ('Query csi check not pass') to the user.

2024-ruo-lost §6 Results / Table 2 evaluation

Alibaba and Bing Translate scan only the user's input text for censorship triggers, not the translation output, while Baidu and Tencent apply the same censorship rules to both input and output. Youdao censors input and output using different rule sets. Because Chinese-language censorship rules dominate all services' blocklists, users translating from a non-Chinese language into Chinese using Alibaba or Bing experience materially less censorship than users of the other services.

2024-ruo-lost §7 Effect of Translator Output / Table 6 evaluation

Among 286 randomly sampled censorship rules across all five services, only one rule targeted erotic content, while the vast majority targeted political dissidents, CCP leaders, Tiananmen Square, Falun Gong, and government criticism. The paper interprets this near-total absence of pornography censorship as evidence that the censors did not anticipate their rules being audited, or are no longer interested in concealing the overtly political agenda of Chinese information control.

2024-ruo-lost §6.2 Content Analysis / §6.2.6 Eroticism detection

On Tencent Translate, 15 distinct representations of Xi Jinping's name — including romanizations (xijinping, XiJinping, XIJINPING, xIDaDa, xidada), character variants (习近平, 习大大, 习主席, 习书记, 习总书记, 近平习, 反习大大), and a romanized reversed form (JinpingXi, jinpingxi) — each triggered censorship of the translator's entire output rather than just the offending sentence. Between 4–5% of Tencent's discovered rules were inconsistently enforced, which the paper attributes to load-balanced servers implementing different rule sets or rapid rule churn.

2024-ruo-lost §6.3 Censorship Behavior / Table 5 detection

Evidence from Youdao Translate suggests it deploys a machine-learning or NLP-based classifier alongside keyword rules: measured rules included repeated components (e.g., 螺+螺+螺+螺+螺+螺+蟢+D+哒+大) and nonsensical multi-token sequences that no human rule author would write, yet which consistently triggered censorship. Youdao returned 9,414 unique rules from the general test set — the most of any service — while also producing the most structurally anomalous rule patterns.

2024-ruo-lost §6 Results / §10 Future Work evaluation

The GFW DNS injector vulnerability enabled reflective amplification attacks with a baseline factor of 4.04× (46-byte payload → 186-byte response). Combined with routing loops — approximately 1,000 destination IP addresses in China were found to loop packets across the GFW more than 30 times, with 159 persisting after two days and a maximum of 119 loop iterations per query — the effective amplification factor reached 481.17×, sufficient to generate 100 Gbps of attack traffic from just over 200 Mbps of source traffic.

2024-sakamoto-bleeding §5.2 Reflective Amplification Attack evaluation

The GFW patched the out-of-bounds read vulnerability city by city in October–November 2023, updating from least to most international traffic: CERNET/Beijing before October 26, Guangzhou on October 30, and Shanghai in two distinct phases on October 31 and November 1, with all updates occurring around 11 a.m. CST. Shanghai, which terminates the most international submarine cables, was updated last and in two steps to minimize side effects.

2024-sakamoto-bleeding §4.5 Maintenance and Update deployment

The GFW's DNS packet injector (Injector 3, identified by TTL mirroring and zero IP ID) contained an out-of-bounds read vulnerability: due to missing label-length and null-terminator validation, malformed DNS requests caused the injector to copy adjacent stack memory into forged responses. Over three days in October 2023, researchers collected over 1 TB of data containing over 13 billion leaks, ~87.43% with non-duplicate content, including live Internet traffic transiting China's backbone and stack frames of the GFW's packet-handling processes.

2024-sakamoto-bleeding §3 Vulnerability deployment

Automated pattern analysis of 13 billion leaked GFW memory frames found over 52.8 million HTTP/1.x protocol signatures, 984,567 Authorization headers, 1.9 million Cookie headers, 79,090 password-in-URL occurrences, and 59,326 SMTP/IMAP plaintext credential sequences — yielding over 3 million pieces of potentially sensitive data collected at a deliberately limited rate of 5,000 exploit packets per second.

2024-sakamoto-bleeding §4.3 Traffic Patterns, Table 2 evaluation

Analysis of leaked stack frames confirmed the GFW's packet injector processes run on x86-64 Linux with ASLR and PIE enabled but without stack canaries, implying that buffer overflow vulnerabilities in the GFW may lack effective mitigation. Each injector process was inferred to use exactly four packet-handling threads, identified by up to four unique stack-address groups per return address (each group spanning within the 8 MB default Linux stack size).

2024-sakamoto-bleeding §4.4 Process Characteristics deployment

The automated probe list generation system discovered 45.79 potentially blocked domains per 1,000 domains crawled, compared to 4.11 for FilteredWeb — over 10× higher efficacy. It uncovered 1,490 potentially blocked domains in crawls of just 71,960 URLs, versus 1,255 blocked domains found by Hounsel et al. in crawls of 1,000,000 URLs, with 1,473 of the 1,490 domains not overlapping with prior work.

2024-tang-automatic §5.5 evaluation

GFW verification tests confirmed over 90% of OONI-detected DNS anomalies as true blocks: 429/457 domains in Beijing and 422/461 in Shanghai. In total, 527 unique domains were confirmed censored via DNS, HTTP, and HTTPS filters; an additional 718 domains suspected blocked due to IP-address-level blocking of their hosting servers rather than domain-level entries.

2024-tang-automatic §5.6 detection

Only 36.66% of the 139,957 source list URLs (51,313) survived sanitization as live, meaningful pages, with 18,911 URLs removed for lack of content and many more for dead links — underscoring how rapidly manually curated probe lists decay. In Beijing and Shanghai, over 20% of known domains were consistently inaccessible, versus fewer than 4.5% at all other vantage points, and over 68% of known domains remained blocked, suggesting censored topics stay sensitive even as URLs go stale.

2024-tang-automatic §3.1, §5.2 evaluation

Among inaccessible URLs that also triggered OONI anomalies, approximately 58% were generated by the Top2Vec-Trends pipeline (combining Top2Vec topic modeling with Google Trends keyword expansion), while LDA-TFIDF and Top2Vec alone each accounted for only 13–14%. BERTopic-generated pages were least effective at producing censored candidates.

2024-tang-automatic §5.4 evaluation

Google Cloud Pub/Sub is blocked entirely in China, limiting the system's applicability in the highest-censorship environment. Azure Pub/Sub is a structurally weaker candidate for rendezvous channels because each created resource receives a unique per-resource domain, enabling censors to block it with minimal collateral damage compared to blocking a shared Google or AWS endpoint.

2024-vilalonga-looking §4.1 deployment

China's local censorship operates through 'extra-institutional governance' (EIG) — practices that transgress the official identity and authorized means of the CAO system, including outsourced private surveillance, unpaid personnel secondment, and mass reporting via personal accounts — which upper-level offices tolerate but do not formally authorize, preserving plausible deniability when practices are ethically or legally questionable. The paper documents these as widespread implicit norms across China, not isolated to District T.

2024-zhang-toothless §Discussion and Conclusion policy

A county-level CAO in east China (District T, ~500,000 residents) operated with only 7 formal employees yet was tasked with monitoring more than 60 social media platforms, detecting unwanted voices in text, image, video, and audio formats, and submitting hourly reports to upper-level offices — a workload the authors characterize as a 'mission impossible' for a county-level office.

2024-zhang-toothless §The case: the CAO in District T deployment

The District T CAO's 'Cavalry Team' of approximately 100 members used coordinated mass reporting — timing reports within 5–10 minutes of a post appearing, using different IP addresses and devices, and submitting long complaints invoking phrases like 'threatening social stability' — to achieve a documented weekly takedown success rate of 95.01% (286 of 301 targeted posts removed).

2024-zhang-toothless §Coping strategy 2: organized mass reporting evaluation

The District T CAO outsourced surveillance to a commercial SaaS platform ('Public Opinion Assistant') capable of scanning 180 million social media posts per day, processing 20 million posts per minute, and using supervised learning to classify 'negative voices' with performance comparable to human moderators. The platform generates ready-to-submit bureaucratic reports and maintains localized keyword lists that include euphemisms and homophones of censored terms as netizens update evasion strategies.

2024-zhang-toothless §Coping strategy 1: outsourcing surveillance to private service providers deployment

Chinese social media platforms detect and downweigh accounts that over-use the reporting function, reducing their future report credibility. The CAO's counter-response was to recruit 'fresh accounts' from visitors, borrow civilian accounts from seconded staff, and store credentials in an unencrypted Excel file circulated via WeChat — indicating the censor relies on high account turnover rather than persistent infrastructure to maintain reporting effectiveness.

2024-zhang-toothless §Coping strategy 2: organized mass reporting detection

DeResistor-generated evasion strategies achieve an overall success rate of up to 98.61% against GFW (across vantage points in Qingdao, Shanghai, and Beijing) for the best strategy, and 100% in both India (Bangalore) and Kazakhstan (Oral) for the top-performing strategy, while standalone Geneva strategies tested in the same environment achieve comparable or slightly lower rates on some censors but are blocked at the IP level before training completes.

2023-amich-deresistor §6.3, Table 2 evaluation

DeResistor's two-objective fitness function (balancing evasion success and detection probability) reduces flow-level detection rates from 96.27% → 45.06% against China's GFW, 99.50% → 34.93% against India, and 99.50% → 49.22% against Kazakhstan over 5 training generations, while in all cases preventing TRW from reaching an IP-block decision that would terminate training.

2023-amich-deresistor §5.1, §6.2, Table 1 defense

Geneva packet-manipulation probing traffic exhibits distinctive features — corrupt data-offset fields, smaller packet sizes, overlapping TCP segments, TTL variance, and non-zero SYN packets — that allow simple ML classifiers (Decision Trees, Random Forests, Logistic Regression, SVM) to detect it with AUC > 0.99. A subsequent TRW-based IP-level detector can then block the source IP with high confidence after inspecting only 2 Geneva probing flows.

2023-amich-deresistor §4.1–§4.2 detection

GFW employs layered blocking for high-value targets: DNS poisoning for domains like google.com and wikipedia.org combined with null-routing of their hosting IPs, meaning packet-manipulation tools that operate at the TCP/HTTP layer (e.g., Geneva, DeResistor) cannot generate or test evasion strategies because no response is received to the initial SYN — the blocking occurs below the layer those tools target.

2023-amich-deresistor §6.1 detection

Interleaving a single normal benign flow (jump size J=1) after each detected probe prevents the TRW likelihood ratio from converging to the IP-block threshold across all 11 simulated censors and all three real-world censors tested; setting J>1 risks triggering a history-aware TRW reset that can paradoxically accelerate IP-level detection.

2023-amich-deresistor §5.2, §6.2 defense

DNS censorship complexity varies sharply by country: Iran injects static forged IPs exclusively from 10.0.0.0/8 and Turkmenistan uses only 127.0.0.1, making detection trivial, while China's constant fake-IP churn across ASes demands dynamic ML approaches; models trained without country-specific ASN features still perform well, enabling transfer to countries where GFWatch-equivalent infrastructure does not exist.

2023-brown-augmenting §5 detection

By mapping ML-predicted censored probes back to their DNS response IPs, the authors discovered 748 forged IP addresses used by China's GFW as DNS blocking signatures that OONI's heuristics missed; supervised and unsupervised models also identified several ISP-specific injected IPs absent from even GFWatch's comprehensive signature list, demonstrating that static signature lists substantially undercount active GFW DNS censorship.

2023-brown-augmenting §4.2, Table 4 evaluation

OONI and Satellite (Censored Planet) agree on roughly 75% of tested Chinese domains as uncensored, but DNS anomaly agreement is poor: each platform flags fewer than 0.5% of domains as anomalous in any given biweekly window, and the two platforms frequently disagree on which domains are censored because China's GFW uses dynamic fake-IP injection that defeats static rule-based heuristics.

2023-brown-augmenting §2.2, Figure 1 evaluation

XGBoost supervised models trained on DNS probe features achieve TPRs of 100% (Satellite) and 99.8% (OONI) at FPRs of 0.0% and 0.2% respectively when using platform-native anomaly labels; cross-source training with GFWatch labels applied to the same records yields 99.4% TPR for Satellite and 86.7% TPR for OONI, with SHAP analysis confirming that ASN and organization name of the returned DNS response IPs are the dominant predictive signal.

2023-brown-augmenting §4.1, Table 2 evaluation

Unsupervised one-class SVM models trained only on clean (uncensored) records detect GFW DNS censorship with 99.1% TPR at 17.4% FPR on Satellite data; over half of apparent false negatives are truly uncensored probes where the GFW transiently failed to inject a forged response, confirming that GFW DNS injection is not perfectly consistent at the individual probe level.

2023-brown-augmenting §4.1, Table 3 evaluation

In a survey of 2,415 young Chinese online gamers, 73.9% (1,786) were affected by addiction prevention systems (APS) while minors, and 37.7% (674) of those successfully evaded the APS. 15 of 35 interview participants also actively evaded the GFW at interview time (verified by Twitter live-post retrieval), supporting the hypothesis that mandatory APS evasion for trivial gaming activities normalizes and desensitizes minors to GFW circumvention.

2023-feng-study §5, §9.2 evaluation

Domestic Chinese search engines (e.g., Baidu) return no valid results for direct VPN or '翻墙' (climb the wall) queries, but 16 of 18 GFW ladders mentioned by participants remained discoverable via Chinese jargon and homonyms (e.g., '蕃蔷' as a homonym for 'climbing the wall'). Word-of-mouth through college friends, gaming forums (Baidu Tieba), and QQ group chats were primary alternative distribution channels.

2023-feng-study §8.1 evaluation

17 of 35 interview participants used game accelerators or GFW ladders interchangeably to connect to international gaming platforms; several popular VPNs bundle game acceleration, and open-source accelerators (e.g., Steam++, rebranded as Watt Toolkit) provide partial GFW-evasion covering GitHub, Google Authenticator, Pixiv, Discord, and Twitch. The paper recommends CRSes market as gaming accelerators to provide plausible deniability, while capping active accounts or rebranding periodically to avoid attracting censor attention as popularity grows.

2023-feng-study §9.2, §9.3 defense

The GFW engages in a continuous IP-blocking race against VPN services: participants reported that when one VPN goes down, others fail simultaneously, and banned services recover 'after a while,' suggesting coordinated blocking waves followed by IP rotation. Major foreign providers (ExpressVPN, NordVPN) now have no mainland China server nodes, rendering them ineffective for Chinese users.

2023-feng-study §8.2 detection

Five participants confirmed installing GFW evasion tools exposed them to malware; prior work cited in the paper found >38% of Android apps using the VPN permission contain malware. Participants additionally reported fake gaming platforms that install adware and credential-stealing phishing pages; notably, VirusTotal did not flag any of the fake platform URLs identified by participants, indicating conventional AV tools provide insufficient protection.

2023-feng-study §8.4 evaluation

Despite fully encrypted protocols existing since obfs2 in 2012, the first documented evidence of the GFW passively detecting them purely by randomness appeared only in 2021 — approximately a decade later — and was limited to certain foreign IP address ranges and a subsampled fraction of traffic. Meanwhile, the GFW had been discovering obfs2/obfs3 servers via active probing as early as 2013, indicating censors found active-probing-based address discovery cheaper and more reliable than passive statistical classifiers for this protocol family.

2023-fifield-comments §5 evaluation

VMess's encrypted command block used a non-keyed hash over variable-length fields in a MAC-then-encrypt construction where the receiver cannot locate the hash without first parsing the protected data, enabling an active distinguishing attack: by replaying an authentic request 16 times with the padding-length field P set to 0000–1111, an attacker observes that a VMess server reads exactly P+N+4 bytes before disconnecting, with max and min byte counts differing by exactly 15 with every intermediate value present. V2Ray mitigated this in v4.23.4 by disconnecting after a timeout rather than after receiving a full command block.

2023-fifield-comments §4 detection

Starting October 1, 2023, the GFW began injecting HTTP 301 and 302 responses to connections destined for 1.1.1.1:80, redirecting clients to China's National Anti-Fraud Center (182.43.124.6, AS58519 China Telecom Cloud). Over 6,169 HTTP requests from a Tencent Cloud Beijing vantage point (AS45090), the GFW injected 301 responses at a 9.06% rate and 302 responses at a 28.5% rate.

2023-gfw-blocking-1111 Major observations / Analysis on the injection to 1.1.1.1:80 detection

From September 5–20, 2023, the GFW blocked 1.1.1.1:443 via TCP RST injection; starting October 1, 2023, the mechanism shifted to HTTP packet injection on port 80, while port 443 behavior became inconsistent across ASes — from one AS45090 vantage point, HTTPS connections to 1.1.1.1 still succeeded while other observers confirmed RST injection.

2023-gfw-blocking-1111 Major observations detection

Injected GFW packets for 1.1.1.1:80 carry a consistent IP TTL of 251 (matching the real Cloudflare server), IP IDs of 0x99b3 (301 responses) and 0x4c57 (302 responses), and TCP flag patterns of PSH+ACK (301) versus PSH+ACK+FIN (302), providing stable per-injection-type fingerprints observable in packet captures.

2023-gfw-blocking-1111 Experiment (Table: IP ID, TTL, TCP Flags) evaluation

The GFW's HTTP injection for 1.1.1.1:80 does not suppress the real Cloudflare response: the legitimate 301 from the actual server arrives after the injected packet, confirming the GFW operates as a race-condition injector rather than a transparent drop-and-replace proxy.

2023-gfw-blocking-1111 Analysis on the injection to 1.1.1.1:80 detection

Protocol fingerprinting — including DPI-based identification of VPNs, circumvention tools, and E2EE messengers — was active in only 6% of countries during the measurement period (13% all-time), but all confirmed instances came from focused individual studies, not from mass measurement platforms like OONI or Censored Planet. The authors flag encrypted traffic analysis (ETA) tools and next-generation firewalls (NGFWs) capable of blocking Signal or Tor Browser as an emerging threat to freedom of expression.

2023-master-worldwide §4.3 detection

Residual censorship — where a censor detects an objectionable connection via one method and then blocks all traffic between the same 3-tuple (client IP + server IP + port) or 4-tuple (client IP + port + server IP + port) for a short duration — was documented in China, Iran, and Kazakhstan. This means a single detected circumvention attempt can trigger temporary IP-level blocking of the entire endpoint regardless of protocol.

2023-master-worldwide §4.3 detection

TLS-based filtering (SNI blocking) was active in 41% of 70 surveyed countries during the June 2020–May 2021 measurement period and 44% historically, driven by the 82% global HTTPS adoption rate (Mozilla telemetry, Oct 2021). China took the unprecedented step of blocking ESNI traffic entirely, and the authors note that widespread ECH deployment could render this entire censorship category obsolete.

2023-master-worldwide §4.2, Table 2 evaluation

The GFW's SNI inspection is a stateless single-record parser: it cannot detect the SNI extension when the ClientHello is split across multiple TLS records, even when all records are contained within the same TCP segment. In contrast, the GFW does detect SNI when it appears fully within the first TCP segment despite TCP fragmentation, indicating the reassembly gap is specific to the TLS record layer.

2023-niere-poster §3 detection

TCP fragmentation before the SNI extension circumvents the GFW, but TCP fragmentation placing the SNI in the first TCP segment does not. The paper notes the GFW is showing 'the first signs of successfully handling TCP fragmentation,' indicating active hardening of TCP-layer circumvention that makes TLS-layer techniques increasingly necessary.

2023-niere-poster §3, Table 1 detection

TLS record fragmentation is implementable entirely in userspace at the application layer and requires no elevated privileges, unlike TCP segmentation which requires raw socket access. The authors' DPYProxy tool demonstrates a MITM approach that wraps TLS messages into smaller records before transmission without breaking the TLS handshake, since TLS records are unprotected during the handshake phase.

2023-niere-poster §2, §5 defense

96.21% of CitizenLab-tracked censored domains (1,092 of 1,135 scanned) and 92.36% of Tranco Top 1M domains (766,909 of 830,357 scanned) already support TLS record fragmentation, with support exceeding 90% across all Tranco rank ranges. This broad server-side compatibility makes TLS record fragmentation deployable without any server-side changes.

2023-niere-poster §4, Table 2 evaluation

TLS record fragmentation successfully circumvents the GFW in all tested configurations: splitting the ClientHello across multiple TLS records — whether the split falls before or after the SNI extension — bypasses GFW SNI-based blocking in every case (Table 1). TCP fragmentation after the SNI extension fails, but any TLS-layer fragmentation succeeds.

2023-niere-poster §3, Table 1 defense

In Censored Planet DNS measurements of 75 .gov and .mil domains on April 11, 2021, only 36.06% of measurements from China resolved correctly. Of the failures, 19.06% returned SERVFAIL codes caused by US-based nameservers geoblocking Chinese recursive resolvers—server-side access control, not GFW censorship—causing prior studies that did not account for geoblocking to systematically over-estimate DNS blocking in China.

2023-raman-advancing §3.3.2 evaluation

Censoring middleboxes predominantly use RST injection rather than in-path packet dropping because injecting forged RST/RST+ACK packets does not require the middlebox to sit in the data path — off-path copies of packets suffice. The GFW specifically injects both RST and RST+ACK packets simultaneously after an offending PSH, a known idiosyncratic signature, while Iran's censor uses post-handshake RST injection (⟨SYN;ACK→RST⟩) and packet drops at the same stage.

2023-raman-global §2.1, §4.1 detection

CERTainty identifies DNS manipulation by attempting a full TLS handshake with the IP returned by a remote resolver and inspecting whether the resulting certificate belongs to the legitimate origin or to an injected blockpage destination. This certificate-based ground truth substantially reduces false positives compared to prior DNS measurement systems that could not distinguish intentional manipulation from CDN geo-DNS or captive portals.

2023-ramesh-certainty Abstract / §1 evaluation

CERTainty measured DNS manipulation across thousands of resolvers in 102 countries, identifying state-level censorship in China, Iran, and Russia, among others. The breadth of coverage — both resolver count and country count — demonstrates that TLS certificate validation scales to Internet-wide vantage-point studies.

2023-ramesh-certainty Abstract / §5 evaluation

CERTainty demonstrates that state-level DNS censorship in China, Iran, and Russia operates through resolver-level injection: queries sent to in-country resolvers return IPs whose TLS certificates do not correspond to the queried domain, revealing blockpage or sinkhole destinations. This pattern is distinguishable from CDN or geographic DNS behavior precisely because blockpage servers cannot present a valid certificate for the censored hostname.

2023-ramesh-certainty Abstract / §5–6 evaluation

In China, it is typically the publisher (not the government) who self-censors translated books to avoid punishment including harsh scrutiny of future publications, book confiscation, and suspension of publishing rights. Authors are often unaware their translations were altered until well after publication. This self-censorship dynamic produces more restrictive outcomes than direct government censorship because publishers err on the side of caution without clear rules.

2023-streisand-where §1 Introduction policy

A case study on Chapter 5 of Chinese Literature: A Very Short Introduction (Knight) found 7 censored topics, 5 removed paragraphs, 31 removed sentences, and 2 removed/altered words in the Chinese translation. Censored topics included 2000 Nobel laureate Gao Xingjian, the Tiananmen Square Massacre, Mao Zedong, the Cultural Revolution, the Great Leap Forward, the plasma economy scandal in Henan, and a discussion of book censorship itself.

2023-streisand-where §3 Case Study / Table 1 evaluation

ChatGPT correctly identified missing sentences in a partially censored translation and correctly judged a complete translation as complete in a control condition, demonstrating that LLMs are a viable complementary detection method. The paper notes that having multiple independent detection approaches (NLP alignment, bitext mining, LLM-based reasoning) improves overall robustness by enabling cross-validation.

2023-streisand-where §4 Discussion / Appendix C detection

The paper proposes detecting translation censorship by back-translating the Chinese text to English via Google Translate, embedding each paragraph with distiluse-base-multilingual-cased-v1, and solving a linear-sum-assignment bipartite matching weighted by negated cosine similarity. Paragraphs below a similarity threshold are flagged as cut; matched paragraphs are recursively compared at sentence level to detect alterations.

2023-streisand-where §2 Methodology detection

The paper argues that an effective counter to translation censorship is to actively trigger the Streisand effect: publishing detected censored content side-by-side with the original on a public website causes the censored text to reach a broader audience — including people who would not have read the censored version — and makes the censorship itself backfire. Censors deliberately avoid publicizing removals precisely to prevent this outcome.

2023-streisand-where §1 Introduction / §5 Conclusion defense

The proposed crowdsourced system runs multiple isolated Geneva training pools on a controlled server — one pool per censorship system (initially China and Iran) — and instructs volunteer browsers via JavaScript to send forbidden requests to isolated ports, with no download or software installation required from the user. The server monitors per-strategy success or failure to drive genetic evolution entirely from the server side.

2023-tran-crowdsourcing §3 Design defense

Browsers cannot independently set the HTTP Host header or TLS SNI field, blocking the standard censorship-trigger methods used in Geneva training. The paper proposes two workarounds: (1) keyword-based HTTP censorship triggers using forbidden strings in URL parameters, limited to censors that employ keyword filtering; and (2) registering domains whose strings contain a censored substring to exploit censor overblocking via overbroad regular expressions (e.g., registering a domain matching torproject.org's regex to also catch mentorproject.org).

2023-tran-crowdsourcing §3 Design — Triggering Censorship defense

The GFW detects Shadowsocks by flagging apparently high-entropy connections that are not TLS or HTTP, but this detection is brittle: connections are explicitly allowed if the first 6 bytes of the first packet of a flow are all printable ASCII characters (range 0x20–0x7E). Adding a 6-byte alphanumeric preamble to the Shadowsocks message definition is sufficient to bypass this heuristic and requires only a short patch to the protocol specification file.

2023-wails-proteus §3.2 detection

Combining all three active probing attacks in an Internet-wide scan of 30 million HTTPS servers identified approximately 15,000 hosts (0.05%) behaving like ShadowTLS relays; of these only 6,000 presented TLS certificates for Alexa Top 1000 domains. The scan successfully discovered all four researcher-operated ShadowTLS relays planted as ground truth.

2023-wang-chasing §3.2, Table 2 evaluation

The root vulnerability in ShadowTLS is that the relay cannot authenticate post-handshake data from the real mask site, causing it to silently absorb censor probes. The fix — deployed in ShadowTLS v0.2.3 — has the client re-derive the Application Data encryption key from the server random and the client-relay shared secret; unrecognized records (lacking the shared secret) are transparently forwarded to the mask site, so all censor-visible responses come from the real mask server.

2023-wang-chasing §4 defense

ShadowTLS relays are detectable via three active probing techniques exploiting behavioral discrepancies from the mask sites they mimic: (1) responding to plaintext HTTP on port 443 with FIN-ACK rather than an error (only 17% of TLS servers share this behavior), (2) silently ignoring non-TLS record data post-handshake rather than sending a fatal alert (only 0.14% of 30M hosts behaved this way), and (3) silently ignoring corrupted TLS Application Data records rather than sending a bad_record_mac alert (only 0.12% of hosts silent).

2023-wang-chasing §3.2 detection

ShadowTLS is structurally limited to TLS 1.2 because in TLS 1.3 the Finished message is sent as encrypted Application Data (record type 0x17), preventing the relay from detecting handshake completion without decrypting the session. This forces ShadowTLS to advertise TLS 1.2, which is an increasingly anomalous fingerprint as TLS 1.3 adoption grows.

2023-wang-chasing §2.2 detection

ShadowTLS's TLS ClientHello fingerprint (JA3 hash ebaa863800590426) was not observed in the TLSFingerprint.io dataset collected from a university network tap, making the client fingerprint unique to the tool and trivially blockable by censors maintaining a TLS fingerprint blocklist.

2023-wang-chasing §3.2 detection

Hong Kong Twitter users are 33% more likely than a random control sample to have protected their accounts, and over 247% more likely to have deleted past Tweets, after enactment of the June 2020 national security law (NSL). These differences are statistically significant at p ≤ 1.74e-48 for all account-protection and Tweet-deletion metrics.

2023-wang-self-censorship §4.1 / Table 2 policy

Hong Kong Twitter discussion of COVID-19 continued declining after mid-2020 and did not resurge during Hong Kong's large March 2022 COVID wave, unlike the control group whose COVID discussion tracked local transmission rates. The authors interpret this anomalous pattern as a generalized chilling effect: NSL legal risk suppressed even politically ambiguous health discussion that mainland China had censored but that may not clearly fall under the NSL.

2023-wang-self-censorship §4.2 / Figure 2c policy

Of inaccessible Tweets from 2019, those containing NSL-sensitive political keywords are disproportionately deleted or protected by both Hong Kong users (36.38% inaccessibility) and Taipei users (34.89%), compared to New York City (29.45%) and Tokyo (30.80%). This suggests that NSL legal exposure — which extends extraterritorially under Article 38 — may be chilling speech even among users outside Hong Kong who transit or have ties to mainland China.

2023-wang-self-censorship §4.1 / Table 3 policy

While Hong Kong users sharply reduced discussion of NSL-sensitive political topics after July 2020, their rate of Tweeting about non-sensitive topics (travel, food, art, media) remained stable and mirrored control-group trends. This targeted suppression — rather than a general withdrawal from Twitter — confirms the NSL produced specific self-censorship of covered speech rather than platform abandonment.

2023-wang-self-censorship §4.2 / Figure 2b policy

After the NSL entered into force in July 2020, the proportion of Hong Kong Tweets containing NSL-sensitive political keywords declined steadily and never returned to prior levels. By contrast, the control group's equivalent keyword usage rebounded (e.g., surging around the August 2021 Taliban takeover and March 2022 Ukraine invasion), indicating the Hong Kong decline is attributable to legal chilling rather than global topic cycles.

2023-wang-self-censorship §4.2 / Figure 2a policy

The GFW's fully-encrypted detector (deployed Nov 2021) operates by exempting likely-benign traffic and blocking the rest. Five inferred exemption rules applied to the first TCP payload (pkt): Ex1 — popcount(pkt)/len(pkt) ≤ 3.4 or ≥ 4.6 (bits/byte); Ex2 — first 6+ bytes are printable ASCII [0x20–0x7e]; Ex3 — more than 50% of bytes are printable ASCII; Ex4 — more than 20 contiguous printable ASCII bytes; Ex5 — first bytes match TLS or HTTP fingerprint. Traffic failing all five exemptions is blocked. Experiments confirmed all rules still held as of February 2023.

2023-wu-fully-encrypted-detect §4, Algorithm 1 detection

The GFW applies the fully-encrypted detector probabilistically and only to a targeted subset of IP address space. Each qualifying connection is blocked with probability p = 26.3% (geometric distribution fit over 109,489 affected IPs in a 10% IPv4 scan); residual censorship then blocks the same 3-tuple (client IP, server IP, server port) for 180 seconds after a first block. The detector only monitors ~26% of connections and targets specific IP ranges of popular data centers (VPS providers such as Alibaba US, Constant, DigitalOcean, Linode); large CDNs (Akamai, Cloudflare) and most residential/enterprise IPs are unaffected. 98% of scanned IPs were unaffected. Simulated on live university traffic, the rules would block ~0.6% of normal connections as collateral damage.

2023-wu-fully-encrypted-detect §6, §6.3 detection

After blocking all *.google.com subdomains on September 22, 2022, China's censor lifted the block specifically for FCM endpoints on October 1 while leaving other Google services (Docs, Groups, Sites) blocked through at least February 2023. This selective whitelist exception — made after only days of blocking — indicates the censor judged the collateral damage to apps relying on FCM to be unacceptable.

2023-xue-use §5.1, Figure 5 deployment

Over 7 months of Hyperquack measurements across 5,555,298 probes targeting 1,632 unique ASes, only a small number of ASes actively interfered with HTTPS connections to FCM endpoints. The majority of blocking incidents occurred in China during September 22–30, 2022, coinciding with the Party's National Congress, when nearly all measurements failed with TCP reset.

2023-xue-use §5.1, Figure 4 evaluation

PushProxy with N=100 parallel push receivers achieves a median 10 MB download time of 16.46s (~4.86 Mbps) without exceeding FCM's 5,000 messages/hour per-deviceToken rate limit, compared to 2.70s for Shadowsocks and 9.68s for OpenVPN (UDP). This throughput significantly exceeds other service-tunneling systems: dnstt (1.5 Mbps) and CensorSpoofer (64 Kbps).

2023-xue-use §5.2, Figure 6 evaluation

PushProxy decouples upstream (XOR-obfuscated UDP) from downstream (FCM push notifications), implementing triangular routing that prevents per-flow traffic analysis: a network adversary with limited visibility cannot correlate upload and download flows since they use different transport protocols and paths. Median TTFB was 572ms versus 492ms (Shadowsocks) and 508ms (OpenVPN), while performance remained stable during Chinese peak hours (20:00–02:00 GMT+8) when Shadowsocks download times increased from 3s to over 100s.

2023-xue-use §4, §5.2, Figure 7–8 defense

Chinese DNS censorship operates symmetrically — injecting forged responses for both inbound and outbound DNS packets regardless of whether any real service exists at the destination IP. This means any DNS response received for a probe sent to a closed-port IP inside China is unambiguously a censorship injection, not a legitimate resolver reply.

2022-bhaskar-many §3.1 detection

In a 75-domain, 492-destination experiment, domains that showed small-scale routing-induced censorship changes — where some (source IP, source port) combinations bypassed censorship while others did not — were exclusively domains first censored within the last 2 years, indicating inconsistent GFW censorship-node configuration during rollout.

2022-bhaskar-many §5.4 evaluation

Routing-induced censorship variation is persistent across time: packet retries do not resolve observed differences, and manual re-measurement days later yielded identical censorship outcomes for the same (source IP, source port, destination IP) tuples across 12 iterative experiment rounds, ruling out transient packet loss or short-term routing fluctuations.

2022-bhaskar-many §4.5, §5.2 evaluation

The lowest 3 bits of the source IP nearly double the number of destinations experiencing censorship measurement changes, consistent with routers XOR-ing low-order bits of source and destination IPs for load-balancing decisions. Varying source IPs produced a mean of 89 routing nodes and 134 distinct paths, versus 55 nodes and 110 paths when varying only source ports.

2022-bhaskar-many §5.3 evaluation

Across 10,000 destination IPs in China, 37% showed some change in censorship behavior depending on source IP and source port, spanning 56% of measured ASes. The dominant form of variation (95% of cases) was all-or-nothing: a given (source IP, source port) pair either experienced no censorship or 'expected' censorship, with no intermediate states.

2022-bhaskar-many §5.2 evaluation

Starting October 3, 2022, more than 100 users reported simultaneous blocking of TLS-based circumvention servers running Trojan, Xray, V2Ray TLS+WebSocket, VLESS, and gRPC. Blocking was port-specific initially (mainly port 443, but also non-443 ports), then escalated to full IP blocking when users switched ports. Domain names were not added to DNS or SNI blocklists. naiveproxy was notably not affected. The blocking was dynamic in at least some cases (browsers could still reach the port, but circumvention tools could not), strongly indicating protocol-level identification rather than blind port blocking.

2022-blocking-tls-circumvention full post deployment

The October 2022 blocking wave is the confirmed operational deployment of the fully-encrypted-traffic detector later formalized in Wu et al. (USENIX Security 2023). The detector was therefore in live production from at least late 2022, more than a year before the academic paper describing it was published. This event establishes that the GFW's passive fully-encrypted classifier operates at scale in adversarial real-world conditions, not just in controlled experiments.

2022-blocking-tls-circumvention full post deployment

The COVID-19 Wuhan lockdown caused geolocating Twitter users in China to increase 1.4-fold immediately, remaining 10% above pre-crisis baseline long-term; approximately 320,000 new Chinese users joined Twitter due to the crisis, and the available VPN application's ranking on the Chinese iPhone App Store jumped significantly around 23 January 2020 and maintained that elevated rank.

2022-chang-covid-19 Crisis Increased Censorship Circumvention evaluation

In countries with no Great Firewall-equivalent censorship (Germany, Italy) and in less-censored authoritarian states (Iran — Persian Wikipedia; Russia — Russian Wikipedia) that experienced comparable COVID-19 outbreaks, no analogous spillover to politically sensitive content was observed; Wikipedia engagement in those countries increased generally but did not show disproportionate access to historically censored topics, confirming the gateway effect is specific to high-censorship environments.

2022-chang-covid-19 Comparison with Other Countries Affected by the Crisis / Table 1 evaluation

Once mainland China users circumvented the Great Firewall during COVID-19, they disproportionately followed politically sensitive accounts: international news agencies at 1.31x the expected rate, Chinese citizen journalists at 1.42x, and political activists at 1.23x — all relative to Hong Kong users as a control — while state media accounts saw only a 1.06x increase and entertainment accounts a 0.85x decrease, confirming a selective gateway to censored political content.

2022-chang-covid-19 Crisis Provided a Gateway to Censored Political Information / Types of Twitter accounts evaluation

Circumvention activity varied strongly by geographic proximity to the crisis: Hubei province, the epicenter, saw Twitter volume double relative to pre-lockdown baseline and sustain that doubling 30 days after the crisis, while mobility decreases from Baidu location data correlated with Twitter user increases across provinces — but two weeks after lockdown, the elevated Twitter usage could no longer be explained by mobility restrictions or New Year seasonality, indicating crisis-induced circumvention becomes self-sustaining.

2022-chang-covid-19 Increases in Circumvention Occurred throughout China / Fig. 4 evaluation

Chinese-language Wikipedia views grew from 12.8 million per day in December 2019 to 13.9 million during the Wuhan lockdown (24 January–13 March) and peaked at 14.7 million per day from mid-February through April 2020; the crisis disproportionately increased views of pages selectively blocked by the Great Firewall prior to 2015, of historical Chinese leaders since Mao, and of current officials — categories expected only under a gateway effect — and these elevated levels persisted through May 2020.

2022-chang-covid-19 Crisis Provided a Gateway to Censored Political Information / Fig. 3 and Fig. 7 evaluation

Among 18,199 stable open DNS resolvers discovered in Shanghai's IPv4 space, 136 were completely immune to GFW DNS filtering and correctly resolved all 83 blocked domains. On average, each blocked domain had more than 436 open resolvers with ACR ≥ 0.5 capable of returning its correct IP address.

2022-cheng-in-depth §5.1, Figure 12–13 evaluation

Chinese public (pDNS) and ISP (iDNS) DNS resolvers exhibit highly variable filtering bypass rates: some resolvers return correct IPs for specific blocked domains with ACR > 0.6 (e.g., wsj.com, vpnintouch.com), while the same resolver queried from a different ISP or region may have ACR < 0.1. The paper identifies three factors that determine effective bypass: DNS resolver identity, client vantage-point location, and the specific blocked domain.

2022-cheng-in-depth §4.2–§4.3, Figure 7–9 evaluation

The authors implement a system that identifies correct IP addresses of blocked domains inside a censored network by exploiting the predictable characteristics of forged IPs returned by GFW DNS filtering devices. The system achieves 100% accuracy in identifying valid IPs within a short time period, using 1.7 billion DNS records collected over 40 days across 86,876 resolvers.

2022-cheng-in-depth §6 (Abstract, §1 Introduction) defense

GFW DNS filtering effectiveness shows diurnal variation: correct response rates are lowest in the early morning hours (before 6:00 a.m.) and rise throughout the day, suggesting filtering devices fail to process all DNS queries during peak traffic periods. However, the overall variance across time is small — maximum standard deviation of 0.03 — indicating the filtering mechanism is broadly stable over the 40-day measurement window.

2022-cheng-in-depth §4.3, Figure 11 evaluation

Queries from inside China to non-Chinese public DNS resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1) that pass through GFW DNS filtering devices yield an Absolute Correct Rate (ACR) of less than 1% for blocked domain lookups, regardless of the client's region or ISP. Even a self-built US resolver (45.63.86.214) was affected by the national-level DNS filtering mechanism.

2022-cheng-in-depth §4.1 evaluation

Extending Geneva's genetic algorithm to the application layer automatically discovered 77 unique HTTP evasion strategies and 9 DNS evasion strategies against censors in China, India, and Kazakhstan — all requiring only unprivileged usermode modifications with no TCP/IP header access. Against India's Airtel censor, 56 of the 77 strategies succeeded; 29 worked against Kazakhstan; 22 evaded China's keyword-based HTTP censorship and 27 evaded its Host-header censorship.

2022-harrity-get §5.1, §6 evaluation

China's Great Firewall runs three independent DNS censorship injectors in parallel; elevating the DNS qdcount field to 2 (despite only one query being present, violating RFC 1035) evades all three injectors simultaneously with 100% success rate across 1,000 trials — but only Cloudflare (1.1.1.1) among eight tested open resolvers responds to such queries. DNS compression paired with an elevated qdcount also achieves 100% evasion of all three injectors but is supported only by Cloudflare and Google (8.8.8.8).

2022-harrity-get §6, Table 3 evaluation

China's GFW keyword-based and Host-header HTTP censorship can be simultaneously defeated by a 'sandwich' strategy: a header with a name ≥64 bytes must appear before the Host header, the Host header value must start ≥1,281 bytes from the start of the headers, and the final header must be ≥129 bytes total — and the Host header must not be first or last. A 64+ byte header name alone is sufficient to defeat Host-header censorship because it prevents the GFW from reading further headers.

2022-harrity-get §5.2 defense

A central finding of the paper is that RFC-compliance in the censor creates evasion opportunities: the more faithfully a censor parses HTTP/DNS per the RFC, the more RFC-permitted variants it will pass that servers also accept, yielding more viable evasion strategies. In contrast, India's Airtel censor was the most brittle (56/77 strategies bypassed it) precisely because it failed on many legitimate RFC variants; China's more sophisticated parser left fewer openings.

2022-harrity-get §5.1, §7 detection

DNS manipulation is widespread across China (305 domains via local resolvers, 300 via public resolvers) and Russia (251 local, 205 public), but simply switching to a public DNS resolver already evades local-resolver-only filtering for many domains, reducing apparent censorship at the public-resolver layer. On-path filtering systems that poison queries to public resolvers represent a harder threat class requiring encrypted DNS.

2022-hoang-measuring §4.1, Table 2 evaluation

Using DoH plus ESNI, DNEye successfully unblocked 130/230 (56%) of DNS-filtered domains in China and 53/56 (95%) in Russia, but 0/49 (0%) in Iran. The primary failure mode in China (84 domains) and Iran (47 domains) was SNI-based filtering at the TLS layer for domains that do not support ESNI, which remains visible in the ClientHello.

2022-hoang-measuring §4.3, Table 3 evaluation

DNEye detected DoTH (DoT and DoH) blocking across the largest number of ASes in China, with interference against Cloudflare, Quad9, AdGuard, and CleanBrowsing resolvers emerging in early March 2021. Blocking patterns varied per-AS rather than following a centralized GFW DNS-level policy, indicating individual ISP implementation. Saudi Arabia, by contrast, showed coordinated SNI-based blocking of the same DoH resolvers across different ASes, indicating centralized policy.

2022-hoang-measuring §4.2, Table 5 detection

Only 1.5–2.25% of domains from TLD zone files have a valid ESNI key, with 15.4K of the top 100K and 143.3K of the top 1M popular domains supporting ESNI. All ESNI-supported domains are hosted by Cloudflare, making ESNI-enabled connections trivially distinguishable from the vast majority of TLS traffic and a low-collateral-damage blocking target for censors.

2022-hoang-measuring §4.2 evaluation

China's GFW blocks all ESNI traffic via RST packet injection following a TLS ClientHello with an encrypted SNI field, confirmed since July 2020. Russia blocks ESNI in a decentralized, ISP-level fashion across at least three identified ASes (AS28890, AS52207, AS41754), each injecting RST packets independently.

2022-hoang-measuring §4.2 detection

Even with tls-auth/tls-crypt HMAC protection making OpenVPN servers nominally 'probe-resistant' (silent to unauthenticated clients), the framework fingerprints servers via TCP-level timing side channels: a complete 16-byte client-reset probe triggers an immediate connection drop (HMAC validation fails after full packet reassembly), while a 15-byte truncated probe causes the server to stall awaiting the final byte until a server-specific handshake timeout expires. Over 97% of non-OpenVPN endpoints have RST thresholds below 500 or above 4,000 bytes, versus OpenVPN's characteristic 1,550–1,660 bytes derived from default MTU configurations.

2022-xue-openvpn §6.3 detection

In AS45090 (China), the Cloudflare CDN IP 104.16.248.249 succeeds 100% of the time with SNI 'cloudflare-dns.com' but triggers TLS handshake resets 93% of the time with SNI 'mozilla.cloudflare-dns.com'. Follow-up measurements using those same SNIs against unrelated HTTPS servers (example.org, hbl.fi) reproduced the same resets, confirming that the GFW performs SNI-keyed TLS blocking independent of the destination IP.

2021-basso-measuring §V-E, Table VI detection

Dominant failure modes differ systematically by country: China (AS45090) shows connect timeouts in 75% of DoT failures (IP-level blocking); Kazakhstan (AS48716) shows post-TLS-handshake timeouts in 72% of DoT failures (likely ACK or segment discard after handshake); Iran (AS197207) shows TLS handshake timeouts in 80% of DoT failures. Packet capture analysis confirmed that timeouts during and after the TLS handshake correspond to unacknowledged TCP segments, not connection resets.

2021-basso-measuring §V-F, §V-G, Table VIII evaluation

In AS197207 (Iran, MCI), approximately 50% of DoT endpoints failed consistently — the only case across all tested ASN/protocol combinations where failure exceeded 20%. In Kazakhstan (AS48716) and China (AS45090), more than 80% of DoT and DoH endpoints were always reachable.

2021-basso-measuring §V-F, Table VII evaluation

Internet-wide IPv4 scanning found 386,187 IP addresses yielding amplification factors ≥ 100× via TCP middlebox reflection, with 82.9% of responses from the top 1 million IPs confirmed as originating from on-path middleboxes rather than endpoints. Nation-state censorship infrastructure dominates: China's GFW alone accounts for approximately 154 million responding IP addresses sharing a 3× RST+ACK (54 bytes each) fingerprint.

2021-bock-weaponizing §5.3, §5.5, Table 4 evaluation

Nation-state censors produce characteristic TCP response fingerprints: China's GFW sends 3× RST+ACK (54 bytes each) from ~170 million IPs; Iran's infrastructure sends 402–405-byte FIN+PSH+ACK plus 54-byte RST+PSH+ACK from 8.6 million IPs (75.7% of responsive Iranian addresses); Saudi Arabia sends a 97-byte PSH+ACK plus 2× 1,354-byte PSH+ACKs at 18.9× amplification from 400,000+ IPs. Most nation-state censors produce less than 4× amplification due to compact block pages.

2021-bock-weaponizing §5.5, Table 4 detection

Routing loops within censoring infrastructure create effectively infinite TCP amplification: 53,041 of the top 1 million responding IP addresses showed routing loop behavior spanning 2,763 /24 prefixes. Two Russian ISP censorship systems with infinite routing loops continuously sent amplified traffic for approximately 6 days after a single 2-packet trigger sequence, and 6 GFW IP addresses in China sent data indefinitely.

2021-bock-weaponizing §5.6, §6 evaluation

A low-bandwidth attacker can sustain indefinite availability attacks by periodically re-triggering residual censorship: China's 3-tuple HTTP system requires only 4 spoofed packets every 3 minutes. For 4-tuple systems requiring full source-port coverage (65,535 ports), Kazakhstan needs 1,093 packets/sec (~634 kbps HTTP) and Iran needs 729 packets/sec (~422 kbps HTTP)—achievable with commodity hardware. Iran achieved 100% attack success against all 17 geographically disparate victim vantage points tested.

2021-bock-your §V.B, §VI evaluation

Switching source IP via VPN, Tor, or HTTP proxy is the primary victim-side mitigation because residual censorship is tuple-keyed; however, if the proxy entry node's path also crosses the censor, the attacker can redirect the attack at the proxy itself. On the censor side, null-routing middleboxes could eliminate the vulnerability by validating TCP sequence/acknowledgment numbers before dropping traffic, or by replacing null routing with an explicit block-page response.

2021-bock-your §VII defense

Residual censorship—where a censor continues blocking all traffic on a 3- or 4-tuple after an initial censorship event—is active in China (HTTP: 90s 3-tuple RST injection; ESNI: 120–180s 3+4-tuple null routing), Iran (HTTP+SNI: 180s 4-tuple null routing, occasionally up to 5 minutes; protocol filter: 60s), and Kazakhstan (HTTP+SNI: 120s 4-tuple null routing). A December 2020 Quack scan found 3-tuple stateful disruption in 33 countries and null-routing censorship in 18, suggesting much broader applicability.

2021-bock-your §IV, Table I evaluation

All tested censors (China, Iran, Kazakhstan) can be triggered statelessly—without completing a TCP 3-way handshake—using a SYN with decremented sequence number followed by a PSH+ACK containing the forbidden payload. This stateless triggering enables fully off-path, source-spoofed attacks: an adversary with packet-spoofing capability can residually censor a victim pair they have no on-path access to.

2021-bock-your §IV, §V.A detection

Iran and Kazakhstan reset the residual censorship timer whenever the censor observes any matching packet from the victim, so TCP retransmissions from the victim's own stack inadvertently extend the blocking window far beyond the nominal 120–180s. China's HTTP residual censorship has only ~50% per-request reliability from some vantage points due to heterogeneous GFW middlebox load-balancing, but reliability plateaus near 100% after 7 repeated censorship triggers sent ahead of time.

2021-bock-your §IV (timer reset), §IV (reliability), Fig. 2 evaluation

In China (AS45090), HTTP/3 over QUIC has a lower overall failure rate (27.1%) than HTTPS over TCP (37.3%), but hosts that time out during the TCP handshake (TCP-hs-to, indicating IP blocking) always also fail over QUIC — while hosts blocked via TLS-hs-to or conn-reset (SNI-based methods) nearly always succeed over QUIC.

2021-elmenhorst-web §5.1, Table 1, Figure 3a evaluation

Only approximately 5% of domains from the combined Citizen Lab and Tranco Top-4000 test lists supported QUIC in early 2021, heavily skewing the measurable set toward large global .com domains (e.g., Google properties). This bias means the study predominantly captures censorship of internationally targeted sites rather than country-specific domains.

2021-elmenhorst-web §4.3 evaluation

Across all four studied countries (China, Iran, India, Kazakhstan), HTTP/3 over QUIC had consistently lower failure rates than HTTPS over TCP: 27.1% vs 37.3% in China, 16.2% vs 34.4% in Iran, and 12.0% vs 15.0% in India (AS55836). The only QUIC-specific interference method observed was black-holing during the QUIC handshake (QUIC-hs-to); no RST injection or SNI-based QUIC filtering was detected.

2021-elmenhorst-web §5, Table 1 evaluation

GFWatch tested 534M distinct domains over 9 months (averaging 411M/day) and detected 311K censored domains, the largest such measurement in the literature. Of 138.7K base domains, only 1.3% appear in the top 100K most popular domains, confirming the GFW targets large numbers of obscure and unpopular domains far beyond well-known sites like Facebook or Twitter.

2021-hoang-great §4, Figure 3 evaluation

A circumvention strategy of holding DNS responses and filtering those matching the known forged-IP pool achieves 99.8% accuracy, correctly classifying 1,005,444,476 of 1,007,002,451 poisoned resolutions. From inside China, 99% of forged responses arrive within 364ms before the legitimate response, establishing 364ms as the recommended hold-on duration; from outside China, 11% of forged responses arrive after the legitimate one, making the IP-blocklist check necessary to avoid misclassifying genuine responses as poisoned.

2021-hoang-great §7.1, §7.2, Figure 11 defense

The GFW's bidirectional DNS filtering — which poisons DNS queries regardless of whether they originate inside or outside China — has polluted the caches of major public DNS resolvers worldwide: Google (74,715 censored domains), Cloudflare (71,560), OpenNIC (65,567), and OpenDNS (63,295), with 77K censored domains found polluted in total. This is compounded by the fact that 38% of base censored domains (53K) have at least one authoritative name server inside China, ensuring systematic external pollution for those domains.

2021-hoang-great §6.1, §6.2, Table 2 evaluation

GFWatch discovered 1,781 unique forged IPv4 addresses used in GFW DNS poisoning, yet injection is non-random: only 600 (33.6%) account for 99% of all censored responses, with the remainder in a long tail responsible for just 1%. The forged IPv4 pool is dominated by addresses belonging to Facebook (783 IPs, 44%), WZ Communications (277, 15.6%), Twitter (200, 11.2%), and Dropbox (180, 10.1%); all forged IPv6 responses use the bogus Teredo prefix 2001::/32.

2021-hoang-great §5.1, §5.2, Figure 8 detection

The GFW uses substring-matching regular expressions rather than exact domain matching, causing 41K of 311K censored domains to be overblocked — unrelated domains that happen to contain a censored domain string. The three base domains causing the most overblocking (919.com, jetos.com, 33a.com) collectively caused 15K unrelated domains to be inadvertently censored.

2021-hoang-great §4.1 detection

Current randomized-payload circumvention tools (obfs4/ScrambleSuit, SkypeMorph, VoIP-tunneling) rely on censors 'defaulting open' — treating unidentified traffic as innocuous. If censors instead block all traffic not explicitly recognizable as meaningful plaintext, these tools fail entirely. The paper notes anecdotal evidence this is already occurring, including blocking of some TLS 1.3 connections.

2021-kaptchuk-meteor §1 Introduction detection

Meteor is proven secure against chosen-hiddentext attacks: any PPT adversary distinguishing Meteor output from honest model output can be reduced to breaking the underlying PRG. The scheme produces stegotext provably indistinguishable from the generative model's own output distribution, and requires only a shared public model — not a secret channel — making the model analogous to a common random string. On GPU the encoding overhead is ~1× model-load time; on CPU ~4.6×; on mobile ~49.5×.

2021-kaptchuk-meteor §5.2 / §6 / Table 2 defense

Only 8% of keywords censored by Chinese chat clients (WeChat, Sina Weibo — ~63,200 total terms) are also censored by GFW packet inspection, demonstrating independently maintained blocklists. The GFW's packet-inspection chat-derived blocklist contains up to 1,221 distinct censored keywords for outbound traffic; just 68 keyword components account for all censored terms from Beijing, with 「六四」(June Fourth) alone responsible for more than half.

2021-rambert-chinese §4.2, §4.2.2, §4.3 evaluation

The GFW only inspects two locations within an HTTP request for censored keywords: the path component of the request line and the Host header, in UTF-8 and GB 18030 encodings (with %-decoding applied). Cookie headers, custom headers (e.g., X-Tension), and POST body fields are not monitored. Even in monitored positions, only approximately 75% of requests containing censored keywords actually trigger a TCP RST disconnection.

2021-rambert-chinese §4.4 detection

After a censored connection, 50–75% of subsequent connections from the same client IP to the same server IP and port are blocked for 90 seconds even without censored keywords ("penalty box"). The penalty box is strictly scoped to the (client IP, server IP, server port) triple — other ports at the same server IP or other server IPs are unaffected. The GFW monitors HTTP keyword traffic on every TCP port, not just port 80.

2021-rambert-chinese §4.4, §4.5 detection

The GFW enforces SNI-based blocking on every TCP port (not just 443), triggering TCP RST injection and a penalty box for known-censored hostnames (e.g., facebook.com, zh.wikipedia.org) in the TLS ClientHello. The SNI blocklist is separate from the HTTP keyword blocklist — keyword-derived subdomains in the SNI did not trigger censorship. No evidence was found for indiscriminate HTTPS decryption or certificate substitution.

2021-rambert-chinese §4.6 detection

The GFW maintains two HTTP keyword sublists: 15 terms censored unconditionally, and approximately 60–63 additional terms censored only when the English word "search" also appears in the request URL. No other English word among the 10,000 most common, no Chinese search synonym (搜索, 查找, 关键词), and no common URL parameter abbreviation ("q", "kw", "s") replicates this expanded-censorship trigger.

2021-rambert-chinese §4.1, §4.2.1 detection

The GFW's passive classifier uses two features of the first data packet to flag probable Shadowsocks traffic: (1) high Shannon entropy (per-byte entropy > ~7 bits strongly correlates with replay probability, which is nearly 4x higher at entropy 7.2 than at 3.0) and (2) packet length in the range 160–700 bytes with specific remainders mod 16. A single data packet after the TCP handshake is sufficient to trigger the downstream active-probing pipeline.

2020-alice-shadowsocks-detection §4.2 detection

The GFW's active probers originate from thousands of distinct IP addresses, but a network-level side-channel (shared IP ID counter sequences) reveals they are controlled by a small number of centralized structures. Probe delay from legitimate connection to first active probe can be as short as 0.28 seconds, ruling out any reactive defense that relies on out-of-band blocking before probes arrive.

2020-alice-shadowsocks-detection §3.3, §3.5 detection

Once passive analysis flags a connection, the GFW sends seven distinct active probe types in staged sequence: five replay-based (R1–R5, where R1 is an identical replay and R2–R5 alter specific byte offsets to attack stream vs. AEAD cipher variants) and two non-replay random-length probes (NR1, NR2). The system operates in stages: R3/R4/R5 probes are withheld until the server responds to R1/R2, meaning a server with replay protection (like Shadowsocks-libev ≥ v3.3.1) never receives stage-2 probes, while one without (original OutlineVPN) escalates to full probing.

2020-alice-shadowsocks-detection §3.2, §4.2, §5.3 detection

The GFW's DNS injection infrastructure comprises three distinct packet injectors, fingerprinted by combinations of IP-DF bit, IP-TTL behavior, DNS-AA flag, and DNS-TTL: Injector 1 (IP DF=0, incrementing IP TTL, DNS AA=1, DNS TTL=60) filters 88 domains including most Google properties; Injector 2 (IP DF=1, randomized IP TTL, DNS AA=0) handles ~24,729 domains; Injector 3 (IP DF=0, IP ID=0, fixed IP TTL, DNS AA=0) covers ~22,948 domains as a subset of Injector 2's domains. Over a 9-month study (Sept 2019–May 2020) sending 2.8 billion queries, 119.6 million forged responses were observed.

2020-anonymous-triplet-censors §4.1, Table 3 detection

Injector 3 mirrors the probe packet's IP TTL in its injected reply rather than using a fixed TTL. This defeats TTL-limited localization probes: the injected reply only reaches the prober when the probe's initial TTL equals 2n−1 (where n is the hop distance to the injector); at lower TTLs the mirrored TTL is too small for the reply to return. All three injectors appear co-located (inter-probe delays within 0.2 ms of each other), confirmed from 7 vantage points across 5 continents, and the behavior is consistent across 62% of all 36K tested Chinese IP prefixes.

2020-anonymous-triplet-censors §4.3 detection

Protozoa's encoded media tunneling achieves an AUC of 0.59 against a state-of-the-art ML traffic classifier using packet-size and inter-arrival-time features—near the 0.5 random-guessing baseline—compared to >99% detection rates for prior tools such as Facet and DeltaShaper. To block 80% of Protozoa flows (TPR=0.8), a censor would erroneously flag approximately 60% of legitimate WebRTC flows (FPR=0.6). This resistance holds across trace durations from 10–60 seconds (AUC range 0.56–0.61) and across RTT, bandwidth, and packet-loss variations.

2020-barradas-poking §6.2, Table 1, Figure 8 evaluation

Protozoa successfully bypassed censorship in China, Russia, and India using whereby.com as a carrier. Despite several WebRTC services being blocked in China (appr.tc, discordapp.com, hangouts.google.com, messenger.com), at least seven alternatives remained reachable (aws.amazon.com/chime, coderpad.io, gotomeeting.com, slack.com, whereby.com, and others), ensuring carrier availability. Covert sessions over the alternative services coderpad.io and appr.tc achieved AUCs of 0.58 and 0.60, respectively, and average throughput of 1388–1420 Kbps.

2020-barradas-poking §7.2, Table 3 evaluation

Protozoa uses the economic and social indispensability of popular WebRTC conferencing services as a censorship deterrent: blocking all WebRTC traffic imposes prohibitive collateral damage on legitimate commerce and communication. This 'parasitism' strategy means the circumvention tool inherits the blocking immunity of the carrier without requiring any protocol mimicry at the network level. Protozoa requires only one reachable WebRTC service to function, and Table 3 confirms at least five services remained unblocked in China during testing.

2020-barradas-poking §3, §7.2 defense

When a censor controls the WebRTC signaling plane, it can mount MITM attacks against CRON's vanilla covert encoding because the encoding 'fully replaces the video payload with an apparently random covert data signal that results in a scrambled video image at the receiver's endpoint.' By replaying the captured video through a WebRTC gateway, the censor obtains direct visual evidence of payload manipulation.

2020-barradas-towards §4.2 detection

CRON's stego circuits defend against adversary-controlled WebRTC services by embedding covert data into encoded video frames at the compressed data domain using video steganography algorithms, maintaining the visual characteristics of the video feed rather than replacing it entirely. Endpoint authentication uses public-key encryption with keys exchanged out-of-band, preventing MITM key substitution through the censor-controlled signaling server.

2020-barradas-towards §4.2 defense

Even when individual WebRTC flows pass traffic analysis, a censor can identify CRON users via three long-term statistical attack types: S1 (simultaneous video calls, atypical for normal users), S2 (sudden connections to previously unknown parties), and S3 (calls at anomalous times, frequencies, or durations). Relay nodes in multi-hop circuits are particularly exposed via S1 because conducting multiple simultaneous video calls is highly atypical in normal user profiles.

2020-barradas-towards §4.1 detection

All 25 applicable client-side Geneva strategies failed when mechanically translated to server-side analogs against China's GFW, even when the only structural difference was which endpoint sent the insertion packet. Experiments with the server placed inside China and client outside also failed, indicating the GFW tracks connection initiator identity and processes client versus server packets asymmetrically—meaning server-side circumvention requires a completely independent discovery approach.

2020-bock-come §3 evaluation

China's GFW uses distinct, co-located censorship boxes—each with its own independent network stack implementation and bugs—for each application-layer protocol it censors. TCP-level strategies that exploit transport-layer bugs show dramatically different success rates per protocol: Strategy 1 (Simultaneous Open + Injected RST) achieves 89% for DNS but only 14% for HTTPS; Strategy 8 (TCP Window Reduction) achieves 100% for SMTP but only 2–3% for DNS, HTTP, and HTTPS. TTL-limited probes confirm all protocol boxes are co-located at the same network hop.

2020-bock-come §6, Table 2 detection

The paper identifies three distinct GFW resynchronization-state triggers with protocol-specific behavior: (1) a server payload on any non-SYN+ACK packet causes resync on the next SYN+ACK or client ACK-flagged packet for all protocols; (2) a server RST causes resync on the next client packet for all protocols except HTTPS; (3) a SYN+ACK with a corrupted acknowledgment number triggers resync only for FTP. Strategy 1's 50% per-attempt success rate for HTTP is confirmed to result from the 50% probability of the GFW entering the resynchronization state on an injected RST, consistent with Wang et al. [36].

2020-bock-come §5.1 detection

The paper presents 11 purely server-side censorship evasion strategies requiring zero client-side software, successfully bypassing censorship in China, India, Iran, and Kazakhstan across DNS-over-TCP, FTP, HTTP, HTTPS, and SMTP. All strategies manipulate only TCP handshake packets (primarily the SYN+ACK) and were verified against 17 versions of 6 client operating systems (Windows XP–Server 2018, MacOS, iOS, Android, Ubuntu, CentOS) with unmodified clients.

2020-bock-come §1, §5, Table 2 defense

TCP Window Reduction (Strategy 8)—reducing the SYN+ACK TCP window to 10 bytes and stripping wscale options, forcing the client to segment its request—achieves 100% evasion success against HTTP in India and Kazakhstan, 100% against HTTP and HTTPS in Iran, and 100% against SMTP in China, because none of these censors can reassemble TCP segments. The strategy is compatible with all 17 tested client OS versions when implemented without SYN+ACK payloads, making it the most broadly deployable server-side strategy found.

2020-bock-come §5.1, §5.2, §7, Table 2 defense

Manually-crafted decision trees combining probe non-response, FIN/RST close type, and connection timing achieved a false-positive rate below 0.001% for obfs4, Lampshade, Shadowsocks, and OSSH across 1.9 million endpoints; for OSSH specifically, 7 of 8 flagged Tap endpoints were confirmed genuine Psiphon proxies by developers. MTProto was the sole exception, producing 3,144 false positives (0.56% of Tap, 0.02% of ZMap) because its infinite-timeout behavior is shared by a non-negligible population of common hosts.

2020-frolov-detecting §V-A, Table IV evaluation

Across 433,286 endpoints from a 10 Gbps university ISP passive tap, 94% responded with data to at least one of 8 protocol probes (TLS, HTTP, STUN, S7, Modbus, DNS-AXFR, random bytes, empty); all five tested probe-resistant proxies (obfs4, Lampshade, Shadowsocks, MTProto, OSSH) never responded with data to any probe. This single filter reduces the suspect set from 433,286 to ~26,000 endpoints and rules out 94% of ISP-observed hosts as non-proxies with zero false negatives against the tested protocols.

2020-frolov-detecting §V, Table III detection

Each probe-resistant proxy exposes a unique TCP close-threshold fingerprint: obfs4 closes with FIN at 8,192–16,384 bytes and RST at the next multiple of 1,448 bytes beyond that; Lampshade at FIN 256 bytes / RST 257 bytes; Shadowsocks-python and -outline both at FIN 50 bytes (outline also RST at 51); OSSH at FIN 24 bytes / RST 25 bytes. A binary-search tool using random probes can discover these thresholds remotely without knowing any shared secret, providing a protocol-specific fingerprint independent of payload content.

2020-frolov-detecting §IV-C, Table II detection

The GFW was observed detecting Shadowsocks servers by sending follow-up active probes after an initial Shadowsocks-sized client message, including permuted replays of the client's message and random-data probes of various sizes up to and exceeding Shadowsocks' unique 50-byte data limit. This defeats shadowsocks-libev's replay cache because the GFW permutes the replayed bytes rather than resending them verbatim.

2020-frolov-httpt §2 Background detection

HTTPT achieves replay-attack immunity by tunneling over TLS, which incorporates bidirectional nonces (client and server randoms) into key agreement so each connection uses unique cryptographic keys. Censors that replay a legitimate client's observed initial bytes are therefore unable to trigger a proxy response, unlike approaches that rely only on application-layer replay caches.

2020-frolov-httpt §1.1, §3.3 defense

Frolov et al. (2020) found that over 94% of Internet servers respond with data to at least one popular protocol probe, making probe-resistant proxies that remain entirely silent statistically anomalous. Censors can further fingerprint silent proxies by their unique timeout or data-limit behaviors before connection close (e.g., Lampshade closes immediately after 256 bytes of unrecognized data, or waits exactly 90 seconds before timing out).

2020-frolov-httpt §2 Background detection

Splitting the TLS ClientHello so that the first TCP segment is ≤4 bytes (less than the 5-byte TLS record header) defeats the GFW's ESNI detection with near 100% reliability. Geneva expressed this as `[TCP:flags:PA]-fragment{tcp:4:True}-|` (client-side) or a server-side window-size reduction to 4 bytes that forces the client to segment. This suggests the GFW's ESNI classifier cannot reassemble TCP segments across all protocol contexts.

2020-gfw-esni-blocking Strategy 2: Four Byte Segmentation defense

Geneva discovered 6 client-side and 4 server-side TCP-layer evasion strategies against GFW ESNI blocking within 48 hours of training, all achieving near 100% reliability. Effective strategies include desynchronization attacks (triple SYN with corrupt sequence number, FIN+SYN flag confusion, TCB turnaround via pre-handshake SYN+ACK) and TCB teardown via corrupted-checksum RST injection. All strategies operate at the TCP layer and require no changes to the application sending ESNI.

2020-gfw-esni-blocking Evasion strategies / Summary on Circumvention Strategies defense

The GFW's ESNI detector is keyed specifically to extension value `0xffce` (ESNI draft-01). Replacing `0xffce` with ECH draft values `0xff02`, `0xff03`, or `0xff04` produced no blocking as of August 2020. This indicates the GFW deployed a detector matching on a specific extension ID rather than detecting encrypted SNI generically.

2020-gfw-esni-blocking The GFW censors ESNI, but not omit-SNI / New extension values are not blocked detection

The GFW blocks ESNI by dropping client-to-server packets whenever a TLS ClientHello containing the `0xffce` encrypted_server_name extension is sent over a completed TCP handshake. Unlike GFW censorship of SNI and HTTP (which uses RST injection to both endpoints), ESNI censorship uses unidirectional packet dropping with no injected packets. The blocking applies on all ports from 1 to 65535.

2020-gfw-esni-blocking Details About the Blocking detection

After a GFW ESNI block is triggered, residual censorship persists for 120–180 seconds (varying by vantage point), blocking all traffic on the same (srcIP, dstIP, dstPort) 3-tuple. Additional ESNI handshakes sent during the residual window do not reset the timer, and it takes at least 1 second for the GFW to enable blocking rules after the triggering packet.

2020-gfw-esni-blocking Residual Censorship detection

Survey data indicates 31% of Chinese Internet users use VPN services compared to Tor's approximately 2 million daily users globally, and centralized non-anonymous systems like Lantern and Psiphon dominate adoption over anonymity-focused tools. The paper argues this demonstrates that the majority of censored users prioritize blocking resistance over anonymity, supporting a separation-of-properties design principle.

2020-nasr-massbrowser §III-B policy

The majority of censored websites are blocked in only one or two countries, with political and news content showing the strongest geographic specificity. Figure 3 shows that of domains blocked in China, Iran, and Turkey, only 29 are blocked in both China and Turkey, while 27,852 are China-only and 1,564 are Iran-only, demonstrating that cross-region client-to-client proxying is broadly applicable.

2020-nasr-massbrowser §III-C, Figure 3 evaluation

Anonymization and circumvention tools (VPNs, Tor, etc.) are among the three most commonly blocked content categories across all commercial filters surveyed, alongside pornography and gambling. This holds across diverse products including Fortinet, Cisco, and government-deployed firewalls in Iran, Saudi Arabia, and Bahrain.

2020-raman-measuring §V-A-1, Fig. 7 evaluation

FilterMap identified 90 blockpage clusters from 90 vendors and actors across 103 countries using 374 million measurements from ~45,000 vantage points against 18,736 sensitive domains; 87 of these signatures were previously unknown. Commercial filters were detected in 36 out of 48 countries rated 'Not Free' or 'Partly Free' by Freedom House, with Fortinet alone present in at least 60 countries.

2020-raman-measuring §V deployment

The Great Firewall of China does not inject blockpages — it resets connections via TCP RST injection — making it invisible to blockpage-based detection systems. In contrast, the Iran firewall accounted for 97.1% of disruptions observed in Iranian vantage points, and the Bahrain and Saudi Arabia firewalls caused 71.2% and 80.2% of disruptions respectively, all using application-layer blockpage injection.

2020-raman-measuring §V-A-2 detection

Frolov et al. (2020) found that obfs4, Shadowsocks Outline, Psiphon's OSSH, and Lantern's Lampshade are all identifiable by TCP flag and timing patterns when servers close connections on error, because each tool's timeout value and FIN/ACK behavior are distinct. Their recommended mitigation—'forever read' on errors so the prober always closes first—forces the server to terminate with FIN/ACK consistently across all code paths.

2020-v2ray-weaknesses §Our comments defense

V2Ray clients emitted TLS ClientHello messages with a hardcoded, rarely-seen ciphersuite (fingerprint ID 8c48b95f67260663 on tlsfingerprint.io) that allowed a machine-learning classifier to identify V2Ray TLS traffic with 0.9999 accuracy; the same classifier could not accurately identify the traffic after the fingerprint was changed. The blocking rule based on the unique ciphersuite could be expressed in a single iptables line.

2020-v2ray-weaknesses §Unique TLS ClientHello Fingerprints detection

V2Ray's HTTP obfuscation mode prepends an HTTP header only to the first TCP payload per connection and uses a hardcoded HTTP 500 response for all failure cases, making the mimicry trivially detectable: legitimate HTTP servers send headers on every response, and do not return 500 for protocol errors a real HTTP server would never encounter.

2020-v2ray-weaknesses §Failed to Mimic the HTTP Server detection

VMess servers exhibit inconsistent TCP connection-draining behavior depending on error type: a first-seen (Encryption IV, Encryption Key) pair waits for more data before closing, while a replayed pair closes immediately. This timing asymmetry allows a prober to distinguish VMess servers from non-VMess servers with a three-connection probe sequence (M1, M2, M2 replay), as documented by @nametoolong in June 2020.

2020-v2ray-weaknesses §Replays that trigger inconsistent draining behaviors detection

VMess authentication uses a timestamp-based credential with a maximum 120-second (average ~60-second) expiration window, allowing an attacker to replay a captured legitimate request within that window. By making 16 connections with altered Encryption Key bytes that enumerate all 16 possible Margin P padding-length values, a prober can confirm a VMess server by observing a non-repeated set of connection-close byte counts spanning a delta of 15.

2020-v2ray-weaknesses §Replay Attacks against the VMess Protocol detection

The GFW's dominant exploitable discrepancy is accepting data packets whose TCP sequence number is ≤ the initial sequence number (ISN), while Linux rejects such packets as out-of-window. This single 'SEQ ≤ ISN' strategy accounts for the majority of the 3,152 successful evasion-packet cases against the GFW out of 4,587 total successful evasions.

2020-wang-symtcp §VIII.C detection

SymTCP uses selective symbolic execution over Linux's TCP implementation (S2E + KLEE) to enumerate all packet sequences reaching 47 binary-level accept or drop points from LISTEN to ESTABLISHED, then conducts differential testing against a blackbox DPI to confirm discrepancies; the open-sourced system requires no DPI source access and covers 37 of 47 drop points within the operationally relevant handshake window.

2020-wang-symtcp §IV, §VIII.A–B defense

SymTCP generated 56,787 candidate insertion/evasion packets in approximately one hour using concolic execution over Linux's TCP stack. Evaluating a sampled set of 10,000 test cases against real DPI systems yielded 6,082 evasions against Zeek, 652 against Snort, and 4,587 against the Great Firewall of China — discovering 14 novel evasion strategies beyond those found by prior manual approaches.

2020-wang-symtcp §VIII.C evaluation

Hop-by-hop bottleneck localization showed that in more than 71% of measured paths the first lossy hop is located deep inside China (beyond the border), with only 34.45% of bottleneck hops coinciding with the GFW hop as detected by RST injection probing — suggesting Chinese ISP infrastructure underprovisioning rather than GFW intervention as the primary cause.

2020-zhu-characterizing §5, Figure 13 evaluation

The bottleneck exhibits strong and consistent diurnal patterns: 80–95% of receiver–sender pairs show a standard deviation of less than 3 hours in daily slowdown duration, and the patterns persist unchanged across weekends and national holidays (May 1–2 and October 1 national day). Packet loss is strictly asymmetric — occurring only for traffic entering China (inbound data and outbound ACK packets), not for traffic leaving China.

2020-zhu-characterizing §4.2 Observation 2, Observation 3, Figure 10 evaluation

The Great Bottleneck of China affects 79% of measured receiver–sender pairs, with more than 70% of those pairs suffering throughput below 1 Mbps for more than 5 hours every day. M-Lab NDT data independently corroborates this: in 64% of 75,464 tests from China, download speed was below 500 kbps.

2020-zhu-characterizing §3, §4.2 Observation 1, Figure 5 evaluation

Hong Kong is the sole geographic exception: it experiences no measurable slowdowns when accessing the foreign Internet, and Chinese mainland receivers accessing Hong Kong as a sender averaged only ~3 hours of slowdown per day — compared to 5–17 hours for US, European, and most Asian senders — making it an effective high-performance relay between mainland China and the rest of the world.

2020-zhu-characterizing §3, §4.2 Observation 1, Figure 7 evaluation

A/B testing across HTTP, HTTPS, VPN, and Shadowsocks traffic found no measurable difference in packet loss rates, ruling out censorship-targeted protocol throttling as the cause. Even at probe rates as low as one packet per 10 seconds, loss rates were similar across all protocol variants, indicating no per-connection or per-protocol speed throttling by the GFW.

2020-zhu-characterizing §4.2 Observation 4, Experiment 3 detection

Frolov and Wustrow show that every major TLS-based circumvention tool (Tor Browser, Lantern, OpenVPN, Psiphon, etc.) produces a TLS ClientHello fingerprint that is statistically distinguishable from real Chrome or Firefox: differences include cipher-suite ordering, extension set, extension ordering, ALPN values, and curve preferences. A passive observer with a classifier over ClientHello fields can identify the tool with high precision without decrypting any traffic.

2015-frolov-the-use-of-tls §3–4 detection

Beyond the ClientHello, circumvention tools diverge from real browsers in TLS record-layer behavior: Go's crypto/tls splits the first application-data write differently than NSS or BoringSSL, and Go does not send a TLS ChangeCipherSpec in the same byte sequence as Chrome. These post-handshake divergences are detectable even when the ClientHello has been patched with uTLS, requiring record-layer mimicry in addition to hello-field mimicry for full fingerprint resistance.

2015-frolov-the-use-of-tls §4.3 detection

The paper introduces the uTLS library, which allows a Go TLS client to impersonate a specific browser's TLS fingerprint by replaying a recorded ClientHello template (including exact cipher suites, extensions, and GREASE bytes) rather than constructing one from Go's crypto/tls. Using a Chrome 70 uTLS template reduces fingerprint-distinctiveness to near zero against a passive classifier trained on real Chrome traffic.

2015-frolov-the-use-of-tls §5 defense

Evasion strategies are strongly censor-specific: TCB Teardown strategies that achieve 80–96% against the GFW fail completely (0%) against Kazakhstan's HTTPS MITM; India's Airtel is defeated uniquely by a 'Stutter Request' (duplicating the PSH/ACK and replacing IP length to 64) at 100% success, which scores only 3% against the GFW. Geneva converged on distinct species for each censor within 4–8 hours of live training.

2019-bock-geneva Table 1, §5.1–5.4 evaluation

Geneva, a genetic algorithm using four packet-manipulation primitives (drop, tamper, duplicate, fragment), independently re-derived 30 of 36 (83.3%) previously published evasion strategies in controlled lab experiments and discovered successful strategies in 23 of 27 live training sessions against China's GFW, yielding 4 unique species, 8 subspecies (5 novel), and 21 fundamentally different variants. Each training session ran for 4–8 hours against a real censor.

2019-bock-geneva §5, Abstract defense

Geneva experiments revealed that the GFW determines TCP three-way handshake completion using only the presence of the ACK flag — without validating sequence numbers. Upon receiving a RST or RST/ACK before the handshake completes, the GFW enters a resynchronization state approximately 50% of the time rather than tearing down its TCB; strategies that exploit this pre-handshake window achieve 92–95% success rates (Strategies 3 and 4).

2019-bock-geneva §5.2 Species 2: TCB Teardown detection

The GFW does not verify TCP checksums or validate RST flag combinations: Strategy 5 using the entirely invalid flag set FRAPUN with TTL 10 achieved 96% success. Separately, increasing the TCP data offset (dataofs) field to 10 in an insertion duplicate causes the GFW to reinterpret the beginning of the HTTP payload as TCP header bytes, preventing keyword detection and achieving 98% success (Strategy 2) — while the destination server discards the malformed packet.

2019-bock-geneva §5.2 Species 1 and Species 2 detection

Geneva's Segmentation species — fragmenting HTTP requests at the TCP layer without IP fragmentation, segment overlapping, or insertion packets — achieved 94–98% success against the GFW, 100% against India's Airtel ISP, and 100% against Kazakhstan's HTTPS MITM, making it the only strategy class effective across all three tested censors. These strategies require neither raw sockets nor root privilege.

2019-bock-geneva §5.2 Species 3: Segmentation defense

As of July 2019, approximately 10.93% of the Alexa top 1 million websites support ESNI (all via Cloudflare CDN, which enabled ESNI across all its platforms in September 2018), with 92.56% of Cloudflare-hosted sites using encrypted SNI over TLS 1.3. However, fewer than 0.01% of observed TLS ClientHello messages in the wild contained an ESNI extension, revealing a severe gap between server-side readiness and client-side adoption.

2019-chai-importance §4.2, §5.1 evaluation

The paper identifies 47 Cloudflare IP addresses that are already blocked by the GFW despite being shared by at least 85 websites, contradicting the prior assumption that censors avoid blocking shared CDN IPs due to collateral damage. This suggests censors will accept significant collateral damage to block CDN-hosted content when the set of co-hosted non-forbidden pages is deemed manageable.

2019-chai-importance §4.3 detection

Of the Alexa top 1 million websites censored in China, 84.5% are blocked by IP address, meaning that even if both DNS hijacking and SNI filtering are fully circumvented, the vast majority of blocked sites remain inaccessible. Only 66 currently censored sites can be unblocked by ESNI alone (combined with an encrypted DNS channel), while 101,049 ESNI-supported sites remain blocked by IP.

2019-chai-importance §4.1, §4.3 evaluation

Monitoring ESNI-related censorship across 14 geographic regions — including Mainland China, Iran, UAE, South Korea, and 10 others — found no blocking of ESNI traffic or interference with ESNIKey retrieval via DNS TXT records as of mid-2019, contradicting a widely circulated report claiming South Korea had already blocked ESNI. Additionally, the GFW's residual censorship window after a triggered RST was measured at 60 seconds (down from the previously reported 90 seconds).

2019-chai-importance §4.4, §6 evaluation

In China's Great Firewall, SNI filtering is almost never the sole blocking mechanism: only 70 of the 21,446 SNI-filtered sites are exclusively censored via SNI. The GFW uses SNI filtering as a 'third gatekeeper' — applied after DNS hijacking and IP blocking — and maintains separate blacklists for SNI filtering and DNS hijacking, evidenced by 2,764 sites under DNS injection but not SNI filtering.

2019-chai-importance §4.1 detection

The GFW's robustness depends principally on suppressed citizen demand for uncensored information, not solely on access barriers. Calibration shows censorship remains stable even if the unencouraged access rate were substantially expanded, because low demand and moderate social transmission prevent information from reaching population-wide tipping points. However, censorship is fragile to demand stimulation: scaling the encouragement intervention to all students would, per the model, inform the entire student population.

2019-chen-impact §V policy

When given a free 18-month subscription to a premium VPN (retail value US$25/month), only 55% of treated Chinese university students activated the tool, and less than 5% of active users regularly browsed blocked foreign news websites. By contrast, 86% activated a placebo free Youku (Netflix-equivalent) account within a week, isolating low demand—not friction—as the barrier.

2019-chen-impact §III.A, Table 2 evaluation

Acquisition of politically sensitive information produced broad, durable attitude change: access-plus-encouragement moved the median student from the 47th to the 56th percentile across all measured outcome dimensions. Students became more pessimistic about Chinese economic growth (elicited incentive-compatibly), more skeptical of government performance, more likely to plan exit via foreign graduate school, and more likely to report having withdrawn stock-market investments.

2019-chen-impact §IV, §III.C (Figure 1) evaluation

Peer-to-peer knowledge spillovers were statistically significant but small: a student who actively browsed foreign news and learned of a sensitive event made her dormitory roommate 12.7 percentage points more likely to answer a quiz on that event correctly. Model calibration showed this transmission rate is insufficient to propagate knowledge to the broader student population given the low share of initially informed students.

2019-chen-impact §IV.B evaluation

Modest financial incentives (US$2.50 per quiz requiring a visit to the NYT Chinese edition) produced a persistent increase in foreign-news browsing: after the 4-month encouragement ended, Group-AE students spent 3.4 min/week more on top foreign news sites than access-only peers (6.7 min/week among active users). By the experiment's end, 23% of newly exposed students paid US$4.50/month to continue uncensored access out of pocket.

2019-chen-impact §III.B–C, §II.B evaluation

For IPv4, Conjure derives both the phantom host IP and TCP port from the client's registration seed, making exhaustive scanning infeasible: a censor enumerating from a /10 of potential client source IPs (4 million addresses) against a /16 of phantom IPs (65K addresses) across all 65K ports would require approximately 50 years at 10 Gbps with ZMap. Phantom hosts are additionally firewalled to respond only to the registering client IP, defeating single-vantage-point ZMap scans.

2019-frolov-conjure §6.2.1 defense

Conjure phantom hosts resist active probing by requiring knowledge of a per-client registration seed secret before the station responds. A ZMap scan of over 1 billion random IP/port combinations found that 99.4% of responding servers returned no data after a random OSSH-style probe and 7.42% closed with TCP RST — behavior indistinguishable from Conjure's OSSH transport — meaning censors face steep false-positive rates when attempting to identify phantom proxies via active probing.

2019-frolov-conjure §7.1 defense

China's GFW poisons DNS responses from major open resolvers (Google 8.8.8.8/8.8.4.4, Cloudflare 1.1.1.1/1.0.0.1, OpenDNS 208.67.222.222/220) for I2P domains, returning public IPs belonging to Facebook, SoftLayer, and other non-Chinese organizations. Blocking is non-uniform: AS9808 (Guangdong Mobile) appended a loopback 127.0.0.1 record alongside falsified IPs—a pattern not seen at other ASes—while the I2P mirror site remained accessible from most Chinese locations despite the homepage being blocked.

2019-hoang-measuring §5.1 detection

DNS injection from China's GFW leaked into South Korean networks: queries sent from Korean ASes (AS38676, AS9848) to open resolvers returned the same falsified IP addresses observed inside China, because geographic proximity caused transit routing through Chinese infrastructure. This demonstrates that the GFW censors both egress and ingress traffic, producing cross-border poisoning as a side effect. Sporadic rather than consistent injection at these ASes confirmed the leakage hypothesis rather than intentional Korean blocking.

2019-hoang-measuring §5.1 detection

Over one month, 54K measurements from 1.7K ASes in 164 countries detected I2P blocking in exactly five countries: China (DNS poisoning of homepage and 3 of 10 reseed servers), Iran (TCP RST injection with HTTP 403 on mirror site), Oman and Qatar (SNI-based blocking of HTTPS homepage plus TCP injection with block-page redirect on HTTP mirror), and Kuwait (TCP injection on mirror site at AS47589 only). All other tested countries left I2P fully reachable.

2019-hoang-measuring §5, Table 2 evaluation

A measurement infrastructure built on VPN Gate's 192K volunteer-operated residential vantage points (3.5K ASes, 181 countries) detected I2P blocking events that were missed entirely by both OONI—which had no test data for four of the five affected countries—and ICLab—which had vantage points in only two of the five countries and obtained only intermittent connections there. Residential vantage points reveal filtering policies invisible from datacenter-hosted probes, with ISP-level granularity confirming partial national blocking (one of six Kuwaiti ASes, heterogeneous Chinese AS behavior) that aggregate measurements would miss.

2019-hoang-measuring §5.4, §7 evaluation

The Chinese GFW enumerated all Tor bridges within approximately one month by deploying censoring agents that impersonated regular users, demonstrating that CAPTCHA- and email-based proxy distribution mechanisms are ineffective against resourceful state-level censors who can create large numbers of accounts and use human-based CAPTCHA-solving platforms.

2019-nasr-enemy §I, §II-B detection

Omnipresent censors who distribute censoring agents across diverse geographic locations obtain significantly more proxies than circumscribed censors confined to a single subnet, because location diversity improves their utility scores in proximity-weighted proxy assignment systems.

2019-nasr-enemy §VII-B detection

The component-aware binary splitting algorithm (CompAwareBinSplit) requires on average 35.47 messages per article to isolate a sensitive keyword combination — 10.3% as many as the 342.72 required by the previously used algorithm — and is the only evaluated algorithm that correctly handles overlapping keyword components and multiple co-occurring combinations.

2019-xiong-efficient §5.4, §6, Table 1 evaluation

WeChat, Alibaba Wangwang, Zhihu, and Sina Weibo all implement keyword combination filtering — messages are blocked only when every component of a blacklisted combination appears simultaneously, regardless of order. This allows censors to target sensitive contexts (e.g., 习近平 + 三连任 [Xi Jinping + three consecutive terms]) without filtering neutral mentions of individual terms.

2019-xiong-efficient §3 detection

The previously used bisection algorithm required an average of 342.72 messages per news article to isolate a triggering keyword combination, and produced incorrect results in 44% of test cases — primarily because the Unilateral Elimination Flaw caused it to miss components that appeared multiple times in an article.

2019-xiong-efficient §4, §6 evaluation

Server-side keyword enumeration on Chinese platforms has become increasingly uneconomical: platforms now require non-virtual phone numbers for account registration, and test accounts are banned after sending a threshold volume of sensitive content. The paper's 5,521-article dataset and 1,956 confirmed keyword combinations were collected via sample testing between September 2017 and October 2018, with registration costs being the primary limiting factor for research scale.

2019-xiong-efficient §1, §7 deployment

WeChat censors messages even when keyword components overlap within the message text — e.g., the combination 帶來 + 調整 + 整體 + 領域 triggers filtering in the fused form 帶來abc調整體xyz領域 where 調整 and 整體 share a character. No previously published algorithm correctly identified overlapping components; only CompAwareBinSplit resolves this by advancing the search window from index i+1 rather than past the full matched span.

2019-xiong-efficient §4.2, §5.4 detection

For China (a highly connected, routing-capable adversary), the gossip protocol combined with any symmetric decoy routing design requires only 5 heavyweight downstream stations plus 880 lightweight upstream gossip stations — versus 880 heavyweight stations for purely symmetric designs. Five downstream stations alone impact 78% of routes from Chinese users, while a single downstream station already covers nearly 25% of traffic.

2018-bocovich-secure Table 2 / §3.2 evaluation

By 2018 the GFW shifted from blocking Tor bridges by (IP, port) tuples to blocking the entire IP address. A blocked bridge remains inaccessible for exactly 12 hours; the block renews to 12 hours if any additional Tor connection attempt is made during that window, after which the GFW re-scans and removes the IP from the blacklist if Tor is no longer running.

2018-dunna-analyzing §4.2 detection

The authors attracted 934 unique scanner IPs over 44 hours, all geolocated to China, with TTL values clustered at 48–50 and MSS of 1400 (with a secondary cluster at 1368 from IP 111.202.242.93). 908 IPs conducted exactly one scan and 26 conducted two; no IP scanned more than twice, indicating deliberate distribution to resist IP-based blacklisting of scanners.

2018-dunna-analyzing §4.3 detection

Meek over Azure CDN successfully established Tor circuits from China in all tests; meek over Amazon was inconsistent and often failed mid-circuit. Meek requires TLS on the bridge — without it the GFW blocks the bridge within minutes and purges it from the blacklist, suggesting a separate meek-specific detection and blocklist is maintained.

2018-dunna-analyzing §5.1 evaluation

obfs4 successfully established Tor circuits on the authors' own unpublished bridge relays but failed to connect to any public obfs4 bridge, consistent with the GFW having scraped and blacklisted public bridge addresses. This demonstrates that address confidentiality is a prerequisite for obfs4's effectiveness, independent of its obfuscation properties.

2018-dunna-analyzing §5.1 evaluation

Configuring iptables to drop incoming Tor packets whose TCP MSS equals 1400 (the value observed on GFW scanners) prevented bridge IPs from being added to the blocklist across the entire 44-hour experiment. This technique requires changes only on the relay, unlike pluggable transports that require both client and server upgrades.

2018-dunna-analyzing §5.2 defense

Of approximately 32K active I2P peers observed daily during a three-month measurement (February–April 2018), roughly 6,000 peers came from 30 countries with poor Press Freedom scores (index > 50); China led with more than 2,000 peers, followed by Singapore (~700) and Turkey (~600). This suggests I2P is being used as a Tor/VPN alternative in heavily censored regions, despite China configuring I2P peers to hidden mode by default.

2018-hoang-empirical §5.3.2 evaluation

New Twitter users who joined because of the Instagram block were initially apolitical (80% Chinese-language preference vs. 39% for existing Chinese Twitter users; ~80% of first follows were entertainment/sports accounts) but within two days their rate of political discussion about Hong Kong converged with that of established users. This confirms the gateway effect operates without pre-existing political motivation and without a Streisand-style backlash.

2018-hobbs-sudden 4. Politicization policy

Blocked Chinese-language Wikipedia pages received approximately 160,000 more views on September 29, 2014 (the day Instagram was blocked) than in the preceding week, covering politically sensitive topics — Tiananmen Square, mainland leaders, and the PRC blocked-sites list — that long-term VPN users would not be browsing for the first time. By November 1, Chinese-language Twitter accounts had accumulated 33,750 more followers than pre-block trend projections.

2018-hobbs-sudden 4. Politicization / Figure 4 / Figure 5 evaluation

When governments suddenly block previously uncensored, habitual-use platforms, affected users acquire VPN/proxy tools to restore access — and those tools then incidentally unlock all long-blocked content. The authors call this the 'gateway effect': sudden censorship backfires not through political backlash but through habit-driven evasion that permanently expands information access. The effect is strongest for indispensable, hard-to-substitute services.

2018-hobbs-sudden Theory: Gateway effects in information access policy

China's September 29, 2014 Instagram block caused VPN Express to jump from rank 1,229 to rank 6 among all iPhone app downloads in China in a single day, and four of the top ten free productivity apps that day were VPNs (VPN Express, GreenVPN, VPNArtifact, VPN in Touch). The prior day, no VPN appeared in the top 10.

2018-hobbs-sudden 2. Effects of the Instagram block on VPN acquisition evaluation

On the day Instagram was blocked, geo-located Twitter users from mainland China increased ~30% and new account creation jumped more than 600%. A full 53% of previously active Instagram users (estimated 8–16 million people) continued accessing Instagram via evasion tools after the block, compared with roughly 0.026% of all Chinese Internet users who used Twitter before the block — demonstrating the Firewall's baseline efficacy and the magnitude of the gateway-driven surge.

2018-hobbs-sudden 3. Expanded Access to Blocked Websites / 1. Direct effects of the Instagram block evaluation

China actively censors websites far outside the popular-traffic tier: many discovered censored domains appear in the tail of the Alexa Top 1,000,000, and some are absent from Alexa entirely. This demonstrates the GFW pursues content-classified hosts regardless of traffic rank, not only high-visibility platforms.

2018-hounsel-automatically §5.2, Figure 3 detection

The 1,125 newly discovered censored domains span a broad taxonomy: Chinese human rights organizations, Tibetan rights outlets, Falun Gong and religious freedom sites, minority news, privacy-enhancing technology providers, and sources covering Tiananmen and the 1989 democracy movement—none appearing on the Alexa Top 1,000 or FilteredWeb's blocklist. Privacy-enhancing technology providers appear explicitly as a censored category alongside political and religious content.

2018-hounsel-automatically §1, §5.1, §6 detection

Multi-word Chinese phrases as search seeds discover qualitatively different censored sites than individual English words: the phrase 'Chinese human rights violation' surfaces Chinese activist homepages and culture-specific outlets, while individual constituent words return only well-known Western media. TF-IDF scoring against a Chinese corpus ranks culturally rare phrases (e.g., '自由亚洲电台' / Radio Free Asia) as high-signal seeds and discards common filler phrases.

2018-hounsel-automatically §3.1–3.2 evaluation

Using NLP phrase extraction on Chinese-language censored pages, the system discovered 1,125 new censored domains not present on any publicly available blocklist, producing a list 12.5× larger than the standard Citizen Lab list (220 web pages, 85 domains). Across three evaluations (unigrams, bigrams, trigrams, each capped at 1,000,000 URLs), only 3 of the top 50 discovered domains overlapped with FilteredWeb's top 50.

2018-hounsel-automatically §5.1, Table 1 evaluation

Culturally specific Chinese phrases are strong predictors of censorship: unigrams for controversial figures—Wang Qishan (74%), Li Hongzhi (64%), Guo Boxiong (62%), Hu Jintao (56%)—returned the highest block rates. Trigrams such as 'Beidaihe meeting' (54%), 'CCP's religious policy' (42%), and 'Tiananmen Square demonstrations' (32%) showed similar patterns, confirming King et al.'s finding that references to collective political dissent are disproportionately targeted.

2018-hounsel-automatically §5.3, Tables 2–4 detection

WeChat's OCR filter performs blob merging to reconstruct characters from disconnected components. Filling character strokes with tiled letter patterns evaded OCR filtering in 100% of tests (vs. 92% for tiled square patterns), because tiled letters distract the blob-merging stage into finding the letter tiles rather than the composed characters.

2018-knockel-analysis §3.1.2 detection

WeChat's OCR-based image filter converts images to grayscale using the luminosity formula (0.299r + 0.587g + 0.114b) before text recognition. All 150 test images with colored text on a luminosity-matched gray background evaded OCR filtering, while average and lightness formulas failed to evade filtering for most colors.

2018-knockel-analysis §3.1.1 detection

WeChat normalizes uploaded images by their shortest dimension before blacklist comparison. Adding blank space equal to 50–200% of the longest dimension caused 4/5 wide images and 3/5 tall images to evade filtering; adding space along the shortest dimension never evaded filtering, consistent with a shortest-dimension resize hypothesis.

2018-knockel-analysis §3.2.4 detection

WeChat's visual-based image filter compares uploads against a specific blacklist using a perceptual similarity metric rather than ML classification. Semantic-preserving transformations — mirroring, cropping, adding whitespace — evaded all 15 tested blacklisted images, and images filtered visually were typically removed within 10 seconds, faster than OCR-filtered images (5–30 seconds).

2018-knockel-analysis §3.2.2 detection

WeChat's visual filter compares images as a whole rather than via a sliding window. Adding 3 or more duplicate copies of a blacklisted image to its canvas caused 8/10 images to evade filtering with no evasion attributable to compression artifacts (Figure A.13), whereas blank canvas extensions evaded mostly only through compression artifacts.

2018-knockel-analysis §3.2.5 detection

Information Gain feature selection from 408 candidates identified informal language markers (informal, nonflu, swear), Chinese modal and general particles signaling mood and relational framing, and physical-feeling words used metaphorically as the top predictors of censored Weibo content — all with statistically significant differences between censored and uncensored classes.

2018-ng-detecting §5, §6 detection

A Naive Bayes classifier built on 17 LIWC-derived and keyword features achieved 79.34% accuracy (10-fold cross-validation) predicting censorship of Sina Weibo posts, with precision 0.80 and recall 0.85 for the censored class — outperforming all single-domain feature sets including the full 408-feature combination (0.69 accuracy).

2018-ng-detecting §5, Table 1 detection

A 598-term sensitive-keyword blacklist (sourced from Wikipedia and China Digital Times) achieved only 53% classification accuracy on Weibo censorship — below the 66% achieved by punctuation features alone — and appeared in only 31 of 152 uncensored posts versus 60 of 192 censored posts, confirming keywords are not the primary driver of platform censorship decisions.

2018-ng-detecting §4.2, §6, Table 1 detection

Sentiment analysis features (Baidu and Boson tools) achieved only 57% accuracy individually; censored posts averaged 53.9% negative sentiment (General model) versus 49.3% for uncensored — a difference too small to be operationally useful — indicating that sentiment polarity does not reliably distinguish censorable content from permitted content on Weibo.

2018-ng-detecting §4.3–4.5, §6, Table 1 detection

Across all tested countries, circumvention and anonymization tools are the most consistently blocked category: www.hotspotshield.com is blocked in 5 of 13 detected censoring countries, and three Tor Project properties (bridges.torproject.org, www.torproject.org, ooni.torproject.org) each appear in the top-10 most broadly blocked domains. Collateral damage is also documented — Iran blocks psiphonhealthyliving.com as a substring match for the psiphon.ca circumvention domain.

2018-vandersloot-quack §6.2, Figure 12 evaluation

By comparing echo-server (bidirectional) versus discard-server (inbound-only) results across 11 censoring countries, Quack finds that only 4 countries (China, Egypt, Jordan, Turkey) also block inbound traffic; the remaining 7 apply DPI exclusively to outbound data. Direction-sensitive blocking is a confirmed capability of deployed middleboxes.

2018-vandersloot-quack §6.3 detection

Stateful DPI disruption in censoring countries disengages within approximately 100 seconds in 99.9% of observed cases, with roughly 50% of servers recovering within 60 seconds. A 2-minute empirically determined delay is sufficient to distinguish stateful per-connection blocking from persistent blocking when retrying with innocuous payloads against the same server.

2018-vandersloot-quack §6.1, Figure 3 detection

32 of 108 identified censoring ASes leak their censorship policies to other ASes, and 18 leak to other countries. Sweden's AS1299 leaked censorship to 9 countries including the United States, Ukraine, and Singapore; China's AS4812 leaked to 5 countries. Censorship leakage occurs when a transit AS implements filtering that affects traffic for users outside the censor's jurisdiction.

2017-cho-churn §3.3, §4, Table 3 evaluation

High-power seed domains including uyghuramerican.org, dw.com, hrw.org, and eastturkistaninfo.com each produced TF-IDF descriptive tags that led to discovery of more filtered URLs from other domains than the total number of URLs crawled from those seeds themselves. Content-category analysis of the 1,355 poisoned domains showed filtering-avoidance tools, news, educational content, and human-rights sites among the most heavily targeted categories.

2017-darer-filteredweb §V-B, §V-D, Fig. 2, Fig. 7 evaluation

Sending DNS queries to eight non-DNS IP addresses within the Chinese IP range reliably detects GFW DNS poisoning: any response indicates the censor intercepted and replied to the query, since a legitimate non-DNS server would not respond. This external vantage-point technique discovers poisoned domains without in-country volunteers or local infrastructure.

2017-darer-filteredweb §IV-C evaluation

Approximately 95% of the 115,337 filtered URLs discovered in China were concentrated in just 15 large domains; the overall hit rate across the full crawl was 4.11 poisoned domains per 1,000 domains crawled. This concentration means aggregate filtered-URL counts in existing lists are dominated by a few major platforms while the broader tail of blocked domains remains largely undiscovered.

2017-darer-filteredweb §V-A, §V-C, Fig. 4 evaluation

FilteredWeb discovered 1,355 DNS-poisoned domains and 115,337 filtered URLs in China through 54,000 web searches by February 2017 — 30 times more poisoned domains than the most widely-used published filter list (Citizen Lab, which identified 44 domains). Of the 1,355 domains, 759 fell outside the Alexa Top 1,000, demonstrating that automated search-based discovery surfaces obscure filtered content missed by manual and volunteer-driven lists.

2017-darer-filteredweb §V-A, Table I, Table II evaluation

The classifier uses a 3,000-dimension binary vector recording which upstream and downstream packet sizes appear across the full session, combined with aggregate biflow statistics (total packets, burst length, transmission time, incoming/outgoing fractions). This packet-size histogram is the highest-dimensionality feature in the set.

2017-deng-random §IV.B, Table 1 detection

The authors trained on 1 GB of captured Shadowsocks traffic and 1 GB of non-Shadowsocks traffic from a single host, then tested on over 1 GB of each from 26 randomly selected hosts. The cross-host generalization of the model is demonstrated but no explicit false-positive or false-negative rates are reported.

2017-deng-random §V.B–C evaluation

A Random Forest classifier with 100 CART trees and a sqrt(C) feature-selection strategy achieves over 85% accuracy detecting Shadowsocks traffic from biflow statistics. Accuracy increases monotonically with train-set and test-set size before plateauing.

2017-deng-random §V, Abstract detection

Shadowsocks traffic appears as ordinary TCP with no payload keywords or obvious protocol markers because the entire payload is encrypted; firewalls cannot distinguish it from generic TLS without behavioral flow analysis. This makes signature- and keyword-based detection ineffective against it.

2017-deng-random §III.A detection

The paper identifies that Shadowsocks can also serve as a transport layer for Tor and VPN connections, meaning a Shadowsocks flow detector functions as a first-stage classifier that unmasks compounded anonymity systems. The authors explicitly cite this as a motivation for detection.

2017-deng-random §II detection

The 30 key ASes computed from globally popular sites also intercept over 90% of paths to country-specific popular sites in nine censorious nations (China, Venezuela, Russia, Syria, Bahrain, Pakistan, Saudi Arabia, Egypt, Iran), covering 93.3% of paths to the top-50 country-specific sites. The same key AS set remained stable across repeated experiments conducted four months apart, suggesting durability over time.

2017-gosain-devil-s §6.1–6.2, Figure 8 evaluation

Only ~30 ASes intercept more than 90% of paths to popular websites globally, regardless of the target destination set (Alexa top-10 through top-200). The top 2 ASes alone (AS3356 Level-3 Communications and AS174 Cogent) intercept 45.1% of all 4,497,547 paths to Alexa top-100 sites; the full set of 30 intercepts 92.4%. This is approximately 30× fewer ASes than prior work required for a single adversary country (858 ASes for China alone).

2017-gosain-devil-s §5.1, Figure 3, Table 1 evaluation

If China attempts the Routing-Around-Decoys (RAD) attack by blackholing paths that transit the 30 key ASes, 92.25% of all paths transiting Chinese ASes (306,874 of 332,742) originate at ASes outside China, making such filtering self-defeating through severe collateral damage to foreign transit customers. The 30 key ASes cover 98.8% of paths from Chinese ASes to globally popular destinations and at least 80% for nearly all adversary countries studied.

2017-gosain-devil-s §6.2, Figure 7, Figure 9 defense

Router-level mapping of the 30 key ASes reveals that 11,709 individual routers must be replaced with Decoy Routers (non-censorious ASes only), at a hardware cost exceeding $10.3 billion USD. Individual large ASes require hundreds to over 1,600 router replacements (e.g., AS3356 needs 576, AS209 Quest Communications needs 1,662). Even targeting the weakest adversary studied, Syria (containable by 3 ASes at AS level), requires 1,117 DRs.

2017-gosain-devil-s §5.2, §6.4, Table 3–4 evaluation

Chinese mobile games widely implement keyword censorship client-side — blacklists were found embedded in plain text, XML, JSON, compiled Lua, compiled C++, and encrypted formats requiring reverse engineering to extract. The client-side implementation exposed 132 keyword lists from 113 different games in the first experiment alone. Games must submit their blocked keyword list to regulators (MOC/SAPPRFT) to obtain a publication license, making keyword filtering a regulatory compliance artifact rather than purely an operational choice.

2017-knockel-measuring §2, §3.1 detection

Analysis of over 183,111 unique keywords collected from 200+ Chinese mobile games found no central state or provincial authority controlling keyword list generation. The only consistently significant predictors of keyword list similarity were whether games shared the same developer (Mantel r=0.17, p<0.001) or publisher (r=0.15, p<0.001); city, province, and genre showed no significant correlation (p>0.58). This indicates Chinese companies have substantial flexibility in determining which content to block under the 'self-discipline' intermediary liability framework.

2017-knockel-measuring §4.1–4.2 policy

When controlling for shared-developer as a confound, shared-publisher correlation collapsed to r=0.047 (p=0.0015) in the first experiment and r=0.064 (p=0.015) in the second; when controlling for shared-publisher, shared-developer remained r=0.095 (p<0.001) and r=0.13 (p<0.001) respectively. This demonstrates that development teams — not publishing entities — are the primary locus of keyword list authorship in the Chinese mobile gaming ecosystem.

2017-knockel-measuring §4.1–4.2 evaluation

Forensic analysis of keyword list formatting artifacts — C-style escapes appearing in XML files, XML entities appearing in non-XML files, and double-backslash encoding traceable to a 2004 leaked QQ keyword list — provides evidence that developers copy and circulate keyword lists across companies through informal channels including old web applications and bulletin boards. This keyword propagation mechanism explains partial overlap between unrelated companies' lists without implying a central authority.

2017-knockel-measuring §5.1 detection

Content analysis of 7,000 randomly sampled keywords (±1.1% at 95% confidence) found Social content (gambling, illicit goods, competitor references) was the dominant theme at 51.16%, followed by Technology/URLs at 16.81%, Political content at 15.00%, People (officials, dissidents) at 6.57%, and Event-related keywords at only 4.89%. Gaming keyword lists lacked references to current events from 2016–2017 that were found actively censored on Chinese chat applications during the same period, suggesting games face lower scrutiny for real-time event censorship than communication platforms.

2017-knockel-measuring §5.2 evaluation

Never-once avoidance succeeds for 75% of source-destination pairs that do not already terminate in the US (a highly routing-central country) at δ=0.5, and for nearly all pairs avoiding less central countries. Russia is the hardest case at ~35% success (δ=0.5) due to proximity to the dense European node cluster. The median successful source-destination pair has over 1,000 valid DeTor circuits when avoiding the US and 500 when avoiding China.

2017-li-detor §6.2.1, §6.2.4 evaluation

Middlebox classification state is ephemeral: the testbed carrier-grade DPI device flushes results after 120 seconds (or 10 seconds after a TCP RST), and the GFC flushes state after 40–240 seconds depending on time of day. A strategically timed pause before the matching payload, or a TTL-limited RST packet, causes the classifier to re-evaluate the connection as unclassified traffic.

2017-li-lib-cdot-erate §4.3, §5.3 detection

TCP segment splitting and out-of-order delivery evades DPI classification in the testbed, T-Mobile, and Iran, but fails against the GFC—which performs extensive packet validation and correctly reassembles reordered streams—and AT&T, which uses a transparent HTTP proxy that normalizes all traffic before inspection. Payload splitting to one byte in the first packet is sufficient to defeat packet-count-limited classifiers.

2017-li-lib-cdot-erate §4.3, Table 3 evaluation

lib·erate's TTL-limited inert packet insertion—sending a decoy packet with TTL set to expire at the middlebox but carrying a misclassifying payload—successfully evades classification in a carrier-grade testbed DPI device, T-Mobile's Binge On, and the Great Firewall of China, but fails against Iran's censor and AT&T (Table 3). When bilateral server support is available, inserting a single dummy packet at flow start evades classification in all four deployments.

2017-li-lib-cdot-erate §4.3, Table 3 evaluation

None of the operational networks tested—T-Mobile, AT&T, the Great Firewall of China, and Iran—classify UDP traffic; the authors describe this as 'a surprisingly easy way to evade their policies.' Iran's censor inspects the entire TCP flow but leaves UDP flows untouched across all tested applications.

2017-li-lib-cdot-erate §1 (key findings), §6 detection

Measured packet loss rates under GFW censorship (Feb–Apr 2017, client at Tsinghua University/CERNET): Tor with meek obfuscation suffers 4.4% average PLR; Shadowsocks (AES-256-CFB) suffers 0.77% PLR; native VPN (PPTP/L2TP) and OpenVPN both achieve ~0.21% PLR. For comparison, the same tools accessed from a US vantage point show PLR below 0.1%, confirming the excess loss is GFW-induced. The GFW's DPI and active probing techniques specifically target Tor and Shadowsocks protocol signatures.

2017-lu-accessing §4.3 evaluation

China's Internet censorship ecosystem is bilateral: the GFW handles technical blocking while separate government agencies (MIIT, TCA, MPS, MSS) handle non-technical regulation, and 'these two components do not operate synchronously.' Google Scholar is considered a legal service by Chinese regulators but is incidentally blocked as collateral damage because it falls under the google.com domain, blocked since 2010.

2017-lu-accessing §2 policy

ScholarCloud's 'message blinding' — a non-public byte mapping (f: [0, 2^8) → [0, 2^8)) applied between domestic and remote proxy — successfully evades GFW deep packet inspection with 0.22% average packet loss rate, statistically indistinguishable from native VPN (0.21%). The paper reports that even this simple encoding suffices because the GFW cannot classify the traffic; confidentiality of the algorithm is the operative property, not cryptographic strength. Because the operator controls both proxy endpoints, the blinding scheme can be rotated at any time without requiring client-side updates.

2017-lu-accessing §3 defense

ScholarCloud was launched in January 2016 and by late 2017 served over 2,000 registered users with 700 daily active users. It operates on two commodity VM instances at a daily operational cost of 2.20 USD. Legal operation inside China was achieved by registering the service as an ICP with the TCA (China ICP Reg. #15063437) and restricting the proxy whitelist to verifiably legal but incidentally-blocked domains — a strategy that places the service outside the GFW's aggressive technical blocking while also satisfying regulatory scrutiny from MPS/MSS.

2017-lu-accessing §1, §3 deployment

Shadowsocks imposes an extra per-session TCP connection for user/password authentication plus a 10-second keep-alive timeout, causing an average page load time of 3.7 seconds and a sharp PLT inflection when concurrent clients exceed 60. In contrast, ScholarCloud (split-proxy, no per-session auth handshake) achieves 1.3 seconds average PLT with linear scalability up to 180 concurrent clients. Native VPN and OpenVPN also scale linearly; Shadowsocks is the only tested solution with a non-linear degradation point.

2017-lu-accessing §4.3 evaluation

77% of public bridges offer only vanilla Tor, which is trivially detectable via TLS certificate pattern matching. An additional 15% offer Pluggable Transports with conflicting security properties (e.g., obfs4 + obfs3 + obfs2 co-deployed on the same bridge), allowing a censor to confirm and block the bridge via the weakest PT and thereby disable all stronger PTs on the same IP — including active-probing-resistant transports like obfs4 and ScrambleSuit.

2017-matic-dissecting §V-C, Table I defense

Default bridges — whose IP addresses are hardcoded in the Tor Browser Bundle — carry 91.4% of all bridge clients globally in April 2016, and 86.1% in Iran and 69.2% in Syria. Because these addresses are trivially obtainable from the Tor Browser Bundle configuration files, a censor can block the vast majority of bridge users in a country at any time.

2017-matic-dissecting §V-E, Table II evaluation

Four OR ports (443, 8443, 444, 9001) account for 82% of all active public bridge fingerprints as of April 2016, down from 95% in March 2013 but still concentrated. Scanning just three of these ports (443, 8443, 9001) is sufficient to deanonymize 71% of all active public bridges. Additionally, CollecTor's published per-bridge usage statistics allow a censor to rank bridges by client count per country and identify the highest-impact OR ports to scan next.

2017-matic-dissecting §V-D, Figure 6, Table IV detection

Through Internet-scale BGP simulation against China, downstream-only decoy routing (Waterfall) with a single decoy AS provides equivalent resistance to routing attacks as a traditional upstream decoy system (e.g., Telex) with 53 decoy ASes. This efficiency gain arises because censoring ISPs can selectively re-route upstream traffic per destination but must re-route all or none of downstream traffic through each provider AS, making downstream-only routing far more expensive to evade.

2017-nasr-waterfall §4.1.1 defense

Table 2 shows that with 50 decoy ASes, the most powerful practical routing attack on downstream-only systems (rewiring-I) impacts 93% of China's routes (22.4% unreachable, 70% re-routed), compared to only 18.2% total impact from RAD on traditional upstream designs. Table 3 shows that even for Syria, the rewiring-II attack with just 1 downstream-only decoy AS already impacts 81% of routes versus 1.5% for RAD on upstream systems.

2017-nasr-waterfall §4.2.1, Table 2, Table 3 evaluation

BGP simulation shows that a censor's source-block attack against 100 downstream-only decoy ASes disconnects 23% of Chinese Internet destinations, versus only 8% when applying the standard RAD attack against 100 upstream decoy ASes — imposing nearly 3× more unreachability collateral damage on the censor for the same decoy count.

2017-nasr-waterfall §4.1.1, Figure 3 evaluation

Iris detected 41,778 manipulated DNS responses (0.31% of 13.5 million queries) across 58 countries and 1,408 domains in a two-day measurement window in January 2017. Iranian resolvers exhibited the highest median manipulation rate at 6.02% per resolver; China followed at 5.22%. Iran and China together accounted for roughly 55% of all manipulated responses despite contributing only approximately 6% of total query volume.

2017-pearce-global §5.2, Table 6 evaluation

Iranian DNS censorship returns special-purpose/private IPv4 addresses in 99.99% of manipulated responses (only 0.01% public), whereas Chinese manipulation returns public IPs 99.46% of the time—often addresses that host no services at all. The 10 most frequent Chinese censor-injected IPs constituted approximately 75% of all Chinese manipulated DNS responses.

2017-pearce-global §5.2, Table 8 detection

DNS manipulation is heterogeneous within countries, not uniform across ISPs. In Iran, one cluster of domains is manipulated by approximately 80% of in-country resolvers while a second group is manipulated by fewer than 10%, consistent with differential blackholing by separate DNS manipulation infrastructure tiers. China shows a similar bimodal split (~80% vs ~50%), while Greece and Kuwait exhibit more homogeneous cross-resolver manipulation.

2017-pearce-global §5.3, Figure 7 evaluation

Tested across 11 vantage points in 9 Chinese cities against 77 Alexa-ranked websites (50 trials each, April–May 2017), most prior TCB evasion strategies are largely broken: TCB creation with SYN achieves only 6.9% success (88.9% Failure 2), TCB teardown with FIN achieves only 11.1% success (87.9% Failure 2), while in-order data overlapping with TTL-based insertion still achieves 90.6% success and only 3.7% Failure 2. Without any evasion strategy the baseline success rate is 2.8%.

2017-wang-your §3, Table 1 evaluation

The GFW evolved to create a TCB not only on SYN packets but also on SYN/ACK packets, and enters a 're-synchronization state' upon seeing multiple SYN packets, multiple SYN/ACK packets, or a SYN/ACK with an incorrect acknowledgment number. Once in this state, it re-synchronizes its TCB using the next client-to-server data packet or server SYN/ACK, invalidating prior TCB-creation evasion strategies that assumed the GFW used only the first SYN sequence number.

2017-wang-your §4 detection

INTANG, a measurement-driven tool that caches the best-performing TCP evasion strategy per server IP, achieves an average success rate of 98.3% (range 93.7%–100%) from vantage points inside China. Four combined new strategies — Improved TCB Teardown, Improved In-order Data Overlapping, TCB Creation + Resync/Desync, and TCB Teardown + TCB Reversal — each independently achieve average success rates of 94.5%–96.2% inside China and 84.6%–92.7% outside China, with Failure 2 rates below 1.1%.

2017-wang-your §7, Table 4 defense

Packets carrying an unsolicited TCP MD5 option header (RFC 2385) are silently ignored by modern Linux servers (kernel ≥ 2.6) that have not negotiated MD5 authentication, yet are accepted and processed by the GFW as normal packets that update its TCB. Crucially, none of the observed middleboxes dropped packets with MD5 options, making the MD5 header the most universally applicable insertion packet type — usable with any TCP flag (SYN, RST, or data) and immune to middlebox filtering.

2017-wang-your §5.3, Table 3 defense

Client-side middleboxes at every tested vantage point interfere with IP-layer evasion tactics: Aliyun (6/11 nodes) discards all IP fragments, while the Tianjin China Unicom node drops packets with wrong TCP checksums or no TCP flag. IP-layer discrepancies that survive routers (e.g., IP total-length > actual length) are still dropped by some middleboxes, making IP-layer manipulations unreliable across Chinese ISPs. TCP-layer manipulations are significantly more consistent across paths.

2017-wang-your §3, Table 2 evaluation

China's Great Firewall adds sites to its blacklist within hours of their becoming newsworthy and drops them again just as quickly; conversely, Pakistan's pornography crackdown used a rarely-updated blocklist, causing 50% of consumption to shift to unlisted sites. An outdated probe list will therefore underestimate GFW effectiveness and overestimate effectiveness in countries with static lists.

2017-weinberg-topics §1 detection

A censor tracking which deleted posts are resurrected can apply Bayesian inference to identify content-preservation system users: for each resurrected post r observed by set O(r), each observer's suspicion score updates by factor (|O(r)|−1)/|O(r)|, while observers of non-resurrected deletions can be ruled out with certainty. The attack requires only that the censor join the preservation system with a few sock-puppet accounts spread across multiple followed-user lists.

2016-douglas-ghostpost §5 detection

A censor with platform-side control can definitively confirm a single suspected user by injecting a unique fake post visible only to that user, then querying the preservation system for resurrected posts attributed to that fabricated author. Presence of the fake post in the resurrection feed is binary confirmation of user membership. This targeted attack defeats automated post-alteration countermeasures when a human examines the result.

2016-douglas-ghostpost §5.1 detection

Simulation on a 1,000,000-user scale-free Weibo topology shows that at 1% GhostPost user adoption the system preserves over 70% of postviews against the daytime censor (2-hour median deletion) and nearly 90% against the nighttime censor (10-hour median deletion). Even a highly aggressive censor deleting posts within 30 minutes on average cannot prevent a 1.5% GhostPost deployment from resurrecting the majority of postviews. Steep coverage gains plateau around 0.5% adoption, after which marginal returns diminish.

2016-douglas-ghostpost §4.2, Figure 1 evaluation

GhostPost's client-server coordination channel transfers only metadata and small text payloads, making it neither bandwidth-intensive nor latency-sensitive. The paper explicitly concludes that 'practically any means of communication, including low-performance covert channels, are adequate' for the coordination channel, enabling operation over DNS tunnels, steganographic channels, or other constrained transports when the central server's HTTPS endpoint is blocked.

2016-douglas-ghostpost §2.1 defense

Sina Weibo's deletion workforce exhibits strong diurnal variation: posts published 3–9 AM have median lifetimes of 8–9 hours, while posts from 10 AM–midnight have median lifetimes around 2 hours. Over 90% of eventually-deleted posts are removed within 24 hours, but the nighttime slowdown creates a predictable window where post survival is 4–5× longer than daytime.

2016-douglas-ghostpost §4.2 evaluation

Salmon simulations show that a censor with agents comprising 1% of 10,000 users can block at most 4A servers (one block per agent per full group) against a system with 1,000–2,000 servers; server groups with a hard cap of M=10 users that fill entirely with legitimate users before any agent joins become permanently invincible to server discovery. The censor's optimal strategy is to ensure each agent is always alone in its group at the time of joining, which requires knowing the user arrival rate — information Salmon withholds by not publishing user statistics.

2016-douglas-salmon §5.1 / §5 evaluation

Without recommendation-tree grouping logic, a censor starting agents at trust level 6 who each recommend 1–2 additional agents (requiring 4–5 months of waiting) can cut off over 95% of users even at agent percentages in the 15–30% range, as shown in Figure 6. With recommendation-tree grouping enforced, the same attack at equivalent agent fractions produces dramatically lower service disruption because agents cluster among themselves rather than spreading across innocent user groups.

2016-douglas-salmon §5.3 / Figure 6 detection

Salmon's trust-level mechanism (7 discrete levels; promotion from level n to n+1 requires 2^(n+1) days; banning triggered when suspicion exceeds T=1/3) reduces the fraction of users cut off by an attacking censor by more than 3× relative to rBridge under the same agent-percentage conditions. Simulations with 10,000 users (1–10% censor agents) and 1,000–2,000 servers show that trust levels keep high-seniority innocent users isolated from newer users where agents concentrate.

2016-douglas-salmon §5.2 / §3.6 defense

A single harvesting script running for 9 days on one free Amazon EC2 instance verified 3,101 working VPN Gate servers by testing 44,039 IP addresses, demonstrating that VPN Gate's collective defense mechanism — which relies on detecting automated scanning patterns — can be fully bypassed by routing successive queries through previously verified VPN servers. This result implies that a censor could, with no collateral damage, essentially completely shut down VPN Gate by blocking all verified servers.

2016-douglas-salmon §4.1 evaluation

Salmon's defense against the active zig-zag attack — where a censor blocks a known server to force users onto new ones and watches for correlated reassignments — requires both per-user authentication (unique login credentials per server so unauthorized probes receive a plausible HTTPS page) and traffic camouflage. Without authentication, the server must respond as a functioning proxy to any connection, fully exposing itself to the censor; without camouflage, even a rejected connection may reveal the server's nature.

2016-douglas-salmon §3.10 defense

All bridges in a given Tor Browser release batch were blocked simultaneously within a 20-minute window, and every blocking event occurred during China Standard Time business hours (between 10:40 and 17:00 CST). The combination of unpredictable multi-day delay followed by abrupt simultaneous batch blocking suggests a semi-manual process: human analysts discover bridges after an irregular delay, then an automated system applies blocks.

2016-fifield-censors §4 Results, Table 3 evaluation

China's firewall never blocked a bridge before its public Tor Browser release, despite bridges being discoverable earlier via bug-tracker tickets and source code commits. The four bridges distributed only in Orbot (not Tor Browser) remained unblocked throughout the experiment, indicating the GFW monitors end-user software releases rather than upstream repositories or alternative distribution channels.

2016-fifield-censors §4 Results detection

The Great Firewall of China blocked newly published obfs4 Tor Browser default bridges after delays of 7, 2, 18, 11, and 36 days following the first public software release, and up to 57 days after bridges were first discoverable via bug-tracker ticket filing. Iran showed no blocking of the same default bridges across the entire five-month measurement period.

2016-fifield-censors §4 Results, Table 2 evaluation

Some obfs4 bridges exhibited a roughly 24-hour periodic semi-blocking pattern from China, where bridges cycled between reachable and blocked states with a ~24-hour period. This diurnal pattern differed between the two China probe sites and between bridges, and one blocking failure coincided with a documented nationwide GFW outage that also briefly restored access to Google services.

2016-fifield-censors §4 Results, Figure 3 evaluation

GFW blocking was keyed on both IP address and port number, not IP address alone. Bridges with port 22 (SSH) open had that port remain reachable even as other ports on the same IP were blocked, confirming per-(IP, port) tuple granularity in the GFW blocklist.

2016-fifield-censors §4 Results detection

The Great Firewall detects Tor bridges through a two-stage active-probing pipeline: GFW DPI first flags a flow as a potential Tor connection, then random Chinese IP addresses initiate Tor handshakes to the suspected bridge; if the handshake succeeds, the bridge IP:port combination is blocked.

2016-khattak-sok §2.4.1 detection

The paper's threat model explicitly assumes censors can enforce client-side VoIP software (e.g., TOM-Skype in China) giving the adversary access to the pre-encoding audio signal at both endpoints. Despite this, SkypeLine forces the censor into an all-or-nothing position: intercepting hidden data requires blocking the entire VoIP service, since no network-layer observable (packet headers, timing, encrypted payload) distinguishes steganographic from legitimate calls.

2016-kohls-skypeline §3.1, §6.1 detection

Internet connectivity is the primary determinant of RAD attack strength across nation-state censors: China (573 ASes, 858 ring ASes) achieves a censorship metric of 0.277 under profile T1, while Syria (4 ASes, 5 ring ASes) achieves only 0.101 with the same decoy budget. Venezuela, despite fewer total ASes than Saudi Arabia (44 vs. 107), achieves a higher censorship metric (0.210 vs. 0.197) owing to its disproportionately large ring AS count (835 vs. 176), confirming that ring AS count predicts RAD capability better than raw AS count.

2016-nasr-game §6.4 / Table 6 evaluation

Optimal RAD by a QoS-cautious wealthy Chinese censor (profile T1, F/ρ₀ = 5×10^6) forces 10.8% of routes onto non-valley-free (NVF) paths and 1.2% onto less-preferred routes, while still leaving 16.3% of routes traversing decoy ASes—zero routes become unreachable at this budget. The NVF and less-preferred-route fractions rise and then fall as decoy budget increases, as further RAD routing gains diminish past a crossover point.

2016-nasr-game §6.4 / Figure 1 detection

The game-theoretic optimal decoy placement (ε-Nash equilibrium via best-response dynamics against an optimal RAD adversary) achieves a censorship metric of 0.2 at budget ratio F/ρ₀ = 10^8, versus 0.42 for the best prior heuristic ('sorted' placement from Houmansadr et al. [14]) under the same budget—a 2× improvement in censorship resistance per dollar. Prior comparisons used ad hoc RAD deployments rather than the optimal adversary, understating the benefit of principled placement.

2016-nasr-game §6.4 / Figure 3 evaluation

Game-theoretic simulation shows that a QoS-cautious, wealthy Chinese censor (profile T1/T4) cannot reduce decoy-accessible routes below ~27% (censorship metric ≈ 0.277) via the RAD attack regardless of budget. An irrational censor can achieve a censorship metric of 1.000 but only by making 70.3% of all Internet routes unreachable to Chinese users—a collateral-damage threshold that constrains rational nation-state censors in practice.

2016-nasr-game §6.4 / Table 5 defense

In the autonomous (non-centrally-funded) deployment model, the decoy service fee γ (ratio of decoy revenue to transit revenue per MB) is the primary lever for censorship resistance: for China with profile T1, γ = 5 leaves 9.6% of routes usable for circumvention after optimal RAD, compared to 16.3% under the centrally-funded model at budget ratio F/ρ₀ = 5×10^6. Higher fees compensate ASes for RAD-induced transit revenue loss and sustain participation, but the autonomous model delivers roughly half the censorship resistance of a centrally-funded deployment at comparable incentive levels.

2016-nasr-game §6.5 / Figure 5 defense

Naive interference measurement systematically misclassifies CDN geographic routing as blocking (and vice versa): when China or Russia resolves twitter.com to a non-US IP, a naive detector must decide whether that is a CDN point of presence or interference. Joint iterative analysis of DomainSimilarity and IPTrust scores is required to separate authentic CDN footprints from block-page redirections.

2016-scott-satellite §1, §2.4, §2.4.1 detection

Censors can evade external DNS measurement systems like Satellite by injecting spoofed DNS responses only for resolvers located within the censored country, returning correct answers to external probes. This targeted injection would be 'much less visible to Satellite' while remaining fully effective against in-country users; the paper flags this as a fundamental limitation of single-vantage external measurement.

2016-scott-satellite §4.3 detection

Camouflage bypassed GFW censorship in China across one month of daily testing with no plugin blocked. The GFW's primary mechanism was identified as keyword filtering on web content rather than DNS hijacking (avoided due to risk of collateral international impact). Dropbox was inaccessible inside China during testing, demonstrating that plugin substitutability is operationally necessary: at least one alternative protocol must remain reachable in any given censored environment.

2016-zarras-leveraging §5.3 evaluation

A survey of the top 10,000 Alexa websites found that only 6% (Class 1) are fully hosted on shared CDNs with HTTPS deployments that allow removal of destination leakage — the only class browsable with plausible unobservability against a competent DPI-equipped censor — while 64% are partial-CDN sites (Class 4) whose CDN-hosted content (images, videos) can still be reached via content wrappers or dynamic mirrors at negligible operational overhead.

2016-zolfaghari-practical §5.1 evaluation

A domain-based website fingerprinting attack against CDNBrowsing traffic — using the per-domain packet volume exchanged during a browsing session as a decision-tree feature vector — achieves 0.991 ± 0.002 accuracy against CacheBrowser on 100 China/Iran-blocked HTTPS pages, modestly outperforming the state-of-the-art k-NN classifier of Wang et al. (0.94 ± 0.002) while being two orders of magnitude faster: 0.60 CPU-seconds training and 10 µs classification versus 90 CPU-seconds and 0.05 CPU-seconds on an Intel Xeon 3.5 GHz processor.

2016-zolfaghari-practical §3.2 detection

Real-world CDN HTTPS deployments leak the identity of visited websites through three distinct channels — TLS certificate contents (A2, B1, B2 deployments), the plaintext SNI field (B1), and dedicated IP address mappings (B2) — enabling censors to block CDNBrowsing connections via standard DPI or IP filtering without collateral damage to non-forbidden CDN content. Each leakage channel requires inspecting only a single packet from an HTTPS connection, making the attack low-cost and deployable on off-the-shelf censorship boxes.

2016-zolfaghari-practical §3.1 detection

Winter and Lindskog [157] (2012) documented that the GFW used TLS SNI inspection in combination with IP/port filtering and TCP disruption to block Tor, as recorded in the survey's Table 1. This is one of the earliest published accounts of the GFW applying SNI-based blocking specifically to a circumvention protocol, demonstrating that the GFW correlated multiple detection signals rather than relying on any single technique.

2015-aceto-internet Table 1 detection

Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.

2015-aceto-internet Table 1 detection

Applying a regional binomial hypothesis test (p=0.7, significance 0.05) to Encore measurements independently confirmed censorship of youtube.com in Pakistan, Iran, and China, and of twitter.com and facebook.com in China and Iran, validating passive cross-origin measurement against prior independent reports of filtering.

2015-burnett-encore §7.2 evaluation

Encore collected 141,626 measurements from 88,260 distinct IPs in 170 countries over seven months (May 2014–January 2015) using as few as 17 volunteer webmaster deployments, demonstrating that passive cross-origin measurement can achieve broader geographic vantage-point coverage than custom-software deployments without recruiting individual end-users.

2015-burnett-encore §7 evaluation

GFW probes originate from a dedicated /16 subnet of Chinese IP addresses distinct from ordinary client traffic, and a single suspicious connection can trigger dozens of independent probe connections from different source IPs within the same subnet. Blocking this probe-source range does not prevent blocking — the GFW blocks at a separate decision point — but it does make probe traffic distinguishable from legitimate users.

2015-ensafi-active-probing §4.2 detection

The GFW's active-probing system launches probes at suspected circumvention servers within seconds (typically under 3 minutes) of observing a suspicious connection, making reactive defenses (e.g., delaying or rate-limiting probe responses) insufficient on their own to avoid detection and blocking.

2015-ensafi-active-probing §4 detection

The GFW sends protocol-specific probe payloads tailored to each circumvention tool: Tor bridges receive a TLS ClientHello mimicking Tor's own; obfs2/obfs3 servers receive random-looking payloads; Shadowsocks servers receive random bytes. A server that responds differently to these crafted probes versus innocent traffic (e.g., by sending a valid protocol handshake in response to a probe) reveals itself and is subsequently blocked.

2015-ensafi-active-probing §5 detection

The GFW blocks Tor primarily by dropping SYN/ACK segments entering China from blacklisted IP/port pairs, not by dropping SYN segments leaving China. Of 142,802 CN→Tor-Relay measurements, 81.52% were Server-to-client-dropped versus only 0.55% Client-to-server-dropped. Blocking Tor directory authorities also showed substantial Client-to-server drops (19.61%), suggesting authorities may be treated differently.

2015-ensafi-analyzing §4.1, Table 1 detection

GFW filtering failures — cases where blocked Tor traffic passed through — showed no conspicuous geographic patterns across China. The maximum observed Pearson correlation coefficient between neighboring clients' failure counts was 0.26 (near-zero), and failure cases were geographically distributed in proportion to Internet penetration, not clustered by province or ISP region.

2015-ensafi-analyzing §4.2, Figure 6, Figure 8 evaluation

GFW failures are both persistent and intermittent: four client/server pairs showed all 22 hourly measurements over a full day returning No-packets-dropped (entirely unblocked), while many others showed only sporadic failures. Temporal analysis showed failures cluster in bursts of hours, with probability of a second failure decaying sharply beyond ~5 hours after the first.

2015-ensafi-analyzing §4.1, §4.2, Figure 7 evaluation

Routing is the dominant structural factor in GFW failures. CERNET (the Chinese Educational and Research Network) accounted for 503 of 135 destination IPs' failures — by far the most of any network — and packets transiting CERNET→CERNET links reached Tor destinations at an r=0.9896 ratio, near 1.0. Within CHINANET and CNC Group backbones, the Tor-to-non-Tor traversal ratio dropped to 0.403 and 0.272 respectively (Table 4), indicating heavy intra-ISP filtering.

2015-ensafi-analyzing §5.2, §5.3, Table 3, Table 4 evaluation

The hybrid idle scan technique converts approximately 1% of the total IPv4 address space into passive measurement vantage points without requiring control of either the censored client or the destination server, enabling full bipartite connectivity measurements across 161 geographically stratified Chinese clients and 176 servers over 27 days. After data pruning for quality, 36% of raw measurements were usable; ARMA modeling was sufficient (over Hidden Markov Models) because only level-shift detection was needed.

2015-ensafi-analyzing §2.3, §3.2.1, §4 evaluation

Domain fronting exploits the fact that major CDN providers (Google, Amazon CloudFront, Akamai, Microsoft Azure) terminate TLS at the edge before inspecting the Host header, so the SNI visible to a censor names a permitted CDN domain (e.g., www.google.com) while the inner HTTP Host header routes the request to a blocked destination. Blocking the fronted service requires blocking the entire CDN, creating collateral damage that most censors are unwilling to accept for major providers.

2015-fifield-blocking-resistant §2 defense

The meek pluggable transport, implementing domain fronting over HTTPS, achieved median download throughput of roughly 1–2 Mbps in controlled tests from censored regions (China, Iran), confirming that CDN-fronted tunnels are viable for real users at consumer broadband speeds. Latency overhead compared to direct connections was measurable (tens of milliseconds per round-trip through the CDN edge) but acceptable for browsing workloads.

2015-fifield-blocking-resistant §5 evaluation

The paper formally characterizes the censor's visibility gap: the SNI field in the TLS ClientHello and the HTTP Host header inside the tunnel are the two places that reveal destination, and CDNs that terminate TLS before forwarding HTTP requests prevent censors from correlating them. Any censor capable of correlating SNI to inner-Host (e.g., through CDN cooperation or plaintext HTTP/2 framing) can defeat domain fronting without CDN blocking.

2015-fifield-blocking-resistant §3 detection

Locally curated URL lists elicit 3–5× higher blocking rates than global lists in high-censorship countries. In China and Yemen, local content was blocked three to five times more than globally sensitive content, attributed to language filtering and active censorship of local political discourse; China's 99% block rate on 'falun' in HTTP path vs. 81% for 'falun' in domain name further illustrates trigger sensitivity.

2015-gill-characterizing §5.4, §4.9, Fig. 13 evaluation

Across MENA countries (UAE, Tunisia, Oman, Iran, Qatar, Yemen, Saudi Arabia, Burma), over 80% of blockpage-delivering tests delivered the blockpage without DNS redirection, indicating transparent web proxies performing deep HTTP inspection rather than the cheaper DNS-intercept approach dominant in China. McAfee SmartFilter was identified in Qatar, Saudi Arabia, and UAE; Netsweepr in Qatar, UAE, and Yemen.

2015-gill-characterizing §5.1, Table VI evaluation

Blocking all homophones of 422 censored keywords would generate approximately 47,000 false-positive weibos per day per keyword, totaling roughly 20 million false positives daily — approximately 20% of Sina Weibo's daily message volume — making blanket homophone blocklisting operationally infeasible without massive collateral censorship of innocent traffic.

2015-hiruncharoenvate-algorithmically Analysis: Cost to adversaries (RQ3) evaluation

Homophone-transformed weibos lasted on Sina Weibo an average of 3.94 hours (σ=5.51) before removal, versus 1.3 hours (σ=1.25) for unaltered originally-censored posts — a threefold difference (W=1830, p<0.01) — while ultimate censorship rates were not significantly different between conditions.

2015-hiruncharoenvate-algorithmically Experiment 1 / Results evaluation

Falling back to human review to defeat the homophone technique would cost the Sina Weibo censorship apparatus more than 15 additional human-hours per day per censored keyword — derived from an efficient censorship worker reading approximately 50 weibos per minute (Zhu et al. 2013) applied to ~47,000 daily false-positive matches per keyword — a burden that scales with the number of simultaneously banned keywords, which may number in the thousands.

2015-hiruncharoenvate-algorithmically Analysis: Cost to adversaries (RQ3) evaluation

Replacing censored keywords with algorithmically-generated homophones increased the initial publication rate on Sina Weibo from 90.79% for unaltered posts to 94.74% for transformed posts (χ²=6.219, p=0.01), demonstrating that the technique successfully bypasses automatic keyword matching at the publication gate even when posts are ultimately censored at similar rates.

2015-hiruncharoenvate-algorithmically Experiment 1 / Results — Table 1 evaluation

Native Chinese-speaking Amazon Mechanical Turk workers understood the content of 605 out of 608 homophone-transformed posts (99.51%), with only 2.85% of all impressions (52/1,824) reporting difficulty; workers unable to identify transformed keywords were significantly more likely to report confusion (p<0.001 for original keywords, p=0.03 for transformed keywords).

2015-hiruncharoenvate-algorithmically Experiment 2 / Results — Table 2 evaluation

Of GFW-blocked websites in the Alexa top 1000, 82% are already hosted on CDN infrastructure; for news websites specifically, the figure rises to 85%. This was measured by scraping GreatFire.org blocked-site data and verifying CDN hosting for each domain.

2015-holowczak-cachebrowser §5.2 evaluation

Akamai's China-based edge servers self-censor, returning HTTP 403 for GFW-forbidden content, while Akamai's mapping system (located outside China) returns valid edge server IPs to Chinese users even for forbidden domains, and non-Chinese Akamai edge servers serve all content freely. This partial self-censorship structure is driven by the requirement to operate CDN infrastructure inside China.

2015-holowczak-cachebrowser §3.2.1 detection

CacheBrowser bypasses GFW DNS poisoning by directly fetching CDN content from known edge server IPs, using a low-bandwidth out-of-band bootstrapper to seed its edge-server database. The SWEET email-based bootstrapper achieves median 5.4-second resolution latency with 95% of queries answered within 10 seconds across 100 runs—acceptable because CDN provider migrations occur only every few months.

2015-holowczak-cachebrowser §4, §5.4 defense

CacheBrowser achieves significantly lower download latency than Tor when fetching CDN-hosted content from China, because content is retrieved directly from CDN edge servers without traversing third-party proxies. Fetching from non-default alternative CDN edge servers increases latency relative to the CDN-mapped optimum, but the overhead is not prohibitive for real-world browsing; geographically proximate alternative servers minimize the penalty.

2015-holowczak-cachebrowser §5.3 evaluation

The GFW universally uses DNS poisoning rather than IP blocking to censor CDN-hosted content. Across all tested CDN providers (Akamai, CloudFlare, CloudFront, EdgeCast, Fastly, SoftLayer), no CDN edge server IPs were IP-filtered, because a single provider like Akamai hosts content on 170,000 shared edge servers—blocking any IP would collaterally block hundreds of thousands of unrelated publishers.

2015-holowczak-cachebrowser §3.2, §3.3 detection

Spam-cloaked censorship measurements were correctly classified as spam by Proofpoint (the authors' university spam filter), validating surveillance evasion; separately, MX queries sent from a PlanetLab node in China confirmed that the GFW injected bad A DNS responses for both A-record and MX-record lookups for twitter.com and youtube.com, validating measurement accuracy.

2015-jones-can §3.2.3 evaluation

9158 version 6.9, in addition to its explicit keyword filter, asterisks out all English alphabet letters in any chat message containing six or more consecutive English letters. Combined with explicit keywords for 'http', 'www', and 'com' on its filter list, this constitutes a blanket URL-suppression mechanism that also incidentally blocks arbitrary English-language communication.

2015-knockel-every §4.3 detection

Reverse engineering of four Chinese social video platforms (YY, 9158, Sina Show, GuaGua) yielded 42 keyword lists totaling 17,547 unique keywords. Jaccard similarity clustering shows very little overlap between lists from different companies, consistent with prior work that found only 3% overlap in unique keywords across TOM-Skype and Sina UC (4,256-keyword dataset). This provides the largest unbiased cross-platform evidence that Chinese platform censorship is decentralized rather than governed by a monolithic ruleset.

2015-knockel-every §5.1 evaluation

Between February and May 2015, YY High received 21 updates and 9158 Chat received 8 updates. Updates correlated directly with current events within days: Zhou Yongkang's name was added to 9158 Chat on May 6, days after his April 3 corruption indictment; YY Normal added and then removed Chinese Christian song titles between April 23 and April 30 during a church demolition controversy. GuaGua does not download keyword updates at all.

2015-knockel-every §5.3 detection

SVP keyword lists from all four platforms explicitly target both government criticism and collective action, contradicting King et al.'s claim that criticism is tolerated while collective action is suppressed. All four platforms censor Falun Gong and current CPC leaders (including phonetic homonyms like '习尽平'); over 90% of YY's event-related keywords (2,535 total) reference the June 4 1989 Tiananmen Square Massacre, and derogatory phrases such as '共匪' (Communist gangsters) appear alongside collective action event keywords.

2015-knockel-every §5.2 evaluation

YY version 7.1 silently exfiltrates the full text of any triggering message via HTTP GET to sere.hiido.com, including sending user ID, receiving user ID, and the triggering keyword. The surveillance endpoint authenticates using md5(⌊unix_epoch/1000⌋ + ";username=report;password=pswd@1234") with hardcoded credentials, making the surveillance traffic structurally distinguishable from normal YY traffic.

2015-knockel-every §4.1.1 detection

On a 370-node PlanetLab deployment, Alibi Routing achieved near 100% success avoiding both the USA and China (Tables 1–2) with an average search cost of 1.0–1.66 nodes contacted (Table 4). In simulation over 20,000 globally distributed nodes, success rates were 93–100% at δ=0.5–1.0 with average search cost under 40 nodes (Table 3), capping TTL at 7.

2015-levin-alibi §6.3, Tables 1–4 evaluation

For the vast majority of source-destination pairs avoiding the USA or China on PlanetLab, Alibi Routing introduces less than 50% latency inflation; some pairs even see latency improvement due to overlay shortcutting (Figure 9). Latency inflation is relatively insensitive to the inequality factor δ when relays are successfully found.

2015-levin-alibi §6.3, Figure 9 evaluation

Alibi Routing fails for source-destination pairs close to or inside the forbidden region: approximately 10% of pairs cannot provably avoid China and 22% cannot avoid the USA at δ=1.0 (Figure 5), with a strong monotonic correlation between proximity to the forbidden region and the number of available relays (Figure 6). Additionally, about 50% of nodes in target regions fail the alibi condition when avoiding the USA due to its BGP routing centrality causing actual paths to transit it despite geographic distance (Figure 7a).

2015-levin-alibi §6.1–6.2, Figures 4–7 evaluation

Analysis of GreatFire.org's server logs (16.6M requests, 13K unique source IPs, March 18–19 2015) showed 67% of DDoS attack traffic originated from Taiwan and Hong Kong, while mainland China accounted for only 18 requests — confirming the GC weaponizes foreign browsers by intercepting traffic at China's network border, not domestic ones. The dominant attack vector (38% of requests) was pos.baidu.com (Baidu's ad network), meaning any user globally visiting a non-Baidu site that loads Baidu ad scripts became an unwitting DDoS participant without visiting any Chinese site directly.

2015-marczak-analysis §5, §7.1 policy

The Great Cannon (GC) operates as a distinct in-path system — not an extension of the GFW — capable of both injecting and suppressing traffic, enabling full man-in-the-middle capability against targeted IP addresses. Unlike the on-path GFW, the GC only examines the first data packet of each connection (avoiding TCP bytestream reassembly), targets specific destination IP addresses rather than all border traffic, and maintains a per-source-IP flow cache of approximately 16,000 entries to ignore already-processed connections.

2015-marczak-analysis §3, §3.1 detection

The GC acted probabilistically, responding to only approximately 1.75% of eligible requests (526 out of 30,000 from three measurement IP addresses) and completely ignoring one of four measurement source IPs. Flow-cache exhaustion tests confirmed the probabilistic decision is made per-flow at cache insertion time: once the ~16,000-entry cache was filled, injections resumed on previously-ignored source ports, ruling out connection-tuple hashing as the selection mechanism.

2015-marczak-analysis §3.1 evaluation

TLS/HTTPS provides complete protection against GC-style content injection: the GC can only replace unencrypted HTTP responses and cannot inject into TLS-encrypted streams. GitHub's universal TLS enforcement prevented the GC from selectively targeting GreatFire.org's repositories despite sustained attack — China had previously attempted to block GitHub entirely but reversed the block within two days due to domestic programmer backlash, leaving TLS as the effective barrier.

2015-marczak-analysis §6, §8, §9 defense

Both GFW and GC injected packets share a distinctive implementation side-channel: the IP TTL field progressively increments on successive packets injected into the same connection, paired with an incrementing TCP window size. Using this compound fingerprint, the authors identified GC activity in 8 months of Lawrence Berkeley National Laboratory enterprise border traces with only a single false-positive source IP, and used per-hop TTL probing to localize both the GFW and GC to the same network link on China Telecom (hop 12–13, 144.232.12.211→202.97.33.37) and China Unicom (hop 17–18, 219.158.101.61→219.158.101.49).

2015-marczak-analysis §3.1, §4, §6 detection

The Encore system collected censorship measurements from 88,260 distinct IP addresses across 170 countries over seven months via installations by at least 17 volunteer website operators. China, India, the United Kingdom, and Brazil each contributed at least 1,000 measurements; Egypt, South Korea, Iran, Pakistan, Turkey, and Saudi Arabia each contributed more than 100.

2015-narayanan-no Introduction evaluation

ACM SIGCOMM 2015's program committee accepted the Encore paper with an unprecedented 'signing statement' after heated ethical debate. The committee's core objections were: (1) users accessing censored URLs might face repercussions in regimes without due process; (2) most users under censorship would be unlikely to consent to the measurements; and (3) unlike ad-tracker third-party requests, Encore requests do not reflect any user intent.

2015-narayanan-no Ethical Oversight by Program Committees policy

Encore's architecture turns ordinary web visitors into measurement vantage points, which the researchers argue prevents censors from detecting and disabling dedicated measurement probes. However, this benefit comes with the trade-off that the individuals whose browsers are co-opted face potential legal or physical risk that differs by country and by the specific censored content accessed.

2015-narayanan-no Background / Analysis policy

The GFW does not distinguish DNS query traffic directionality, injecting forged replies for both inbound and outbound queries on monitored links. This causes collateral censorship of DNS resolvers outside China when they contact authoritative nameservers located in or whose paths transit China, even for non-Chinese clients.

2014-anonymous-towards §2 detection

Testing approximately 130 million domain names uncovered 35,332 censored domains from which 14,495 keywords were extracted across 7 distinct matching patterns. The blocklist grew by approximately 10% over eight months (August 2013–April 2014), and more than two-thirds of censored domains had expired registrations, suggesting the GFW rarely removes entries.

2014-anonymous-towards §6 detection

The GFW deploys DNS injection nodes only at China's border, within 2–3 hops of international transit points, across 16 border ASes. Internal probing found only 0.04% of 42,849 domestic routing paths exhibited DNS pollution, versus ~80% of externally-facing /24 subnets.

2014-anonymous-towards §5 detection

Probing ~150,000 open DNS resolvers inside China over two weeks found that more than 99.85% provided polluted answers for blocked domains. The small fraction of clean resolvers achieved this by forwarding queries to Google Public DNS or OpenDNS via uncensored tunnels, or by locally dropping responses containing known GFW 'Bad IP' addresses (174 identified IPs).

2014-anonymous-towards §4 evaluation

A single GFW node employs approximately 360 distinct processes, load-balanced by source and destination IP address, which collectively inject censored DNS responses at an average rate of ~2,800 packets per second, ranging from 1,100 to 4,000 pps over a day.

2014-anonymous-towards §7 detection

Because CloudTransport uses the same network servers as legitimate cloud services, blocking it requires statistical classification of every cloud connection; false positives will disrupt popular and business-critical cloud applications (enterprise software, games, file backups), raising the economic and social costs of censorship. Empirical evidence shows that Chinese censors declined to block Amazon S3 even after it was used to mirror censored websites because doing so would disrupt 'thousands of services in China' with significant economic consequences. Due to the base-rate fallacy, even an accurate classifier will either miss many CloudTransport connections or cause collateral damage to non-circumventing cloud users.

2014-brubaker-cloudtransport §4.1, §7 defense

Approximately 10% of China's IP addresses respond to IPID probes, and 13% of those exhibit globally incrementing IPIDs, meaning roughly 1% of China's total IP address space can serve as passive measurement vantage points with no cooperation from host owners. In contrast, Tor bridge blocking from Chinese clients was observed in 58.91% of server-to-client cases versus 0% for non-China Asia-Pacific clients.

2014-ensafi-detecting §5, Table 1 evaluation

The GFW blocks Tor primarily via stateless SYN/ACK dropping based on the server's source IP address and port (server-to-client direction, 73.04% of CN,Tor-dir cases). Two specific Tor directory authorities account for 98.8% of client-to-server (null-routed) blocks and 72.7% of error cases, indicating selective deeper blocking of specific IP addresses beyond the common return-path filter.

2014-ensafi-detecting §5 detection

Over 5 days of measurement, 73.04% of connections from Chinese clients to Tor directory servers were blocked server-to-client (stateless SYN/ACK dropping), 16.73% were blocked client-to-server (null routing), and only 0.63% were unblocked. Of all censored Tor directory server connections measured across all regions, 98% originated from Chinese clients.

2014-ensafi-detecting §5, Table 1 evaluation

Under the RAD attack a large fraction of China's routes to Internet destinations shift to non-valley-free (NVF) paths, which impose direct monetary costs because ASes must pay for traffic they would normally earn revenue transiting. Among valley-free paths that survive, 6%–21% switch to less-preferred (more expensive) routes, 20%–43% become longer, and average path length increases by 1.12×–1.40× depending on placement strategy.

2014-houmansadr-no §VII-B, §VII-C evaluation

Even under the most censor-favorable (random-no-ring-1) decoy placement, launching the RAD attack increases average Internet route latency from China by over 4×; under strategic placements the average latency increase factor reaches 8×. These increases arise because RBGP is forced onto lower-capacity, less-popular transit ASes even when path hop-count is unchanged.

2014-houmansadr-no §VII-C, §I evaluation

The feasibility of the RAD attack scales sharply with the censor's network connectivity. Strategic placement of decoys in just 1% of ASes disconnects China from 18% of Internet destinations, Venezuela from 54%, and Syria from 87%. Countries with fewer controlled ASes and ring ASes have dramatically less routing flexibility and are far more vulnerable to even small decoy deployments.

2014-houmansadr-no §I, §VII evaluation

The RAD attack requires converting a large number of Chinese edge ASes into transit ASes: placing decoys in 2% of global ASes (random-no-ring-1, China-World scenario) forces 59 edge ASes to become transit ASes, nearly doubling China's 30 existing transit ASes. One Chinese transit AS must carry approximately 122× its normal load; the abstract reports a peak of 2,800× in a more aggressive scenario, a threshold the paper considers operationally infeasible.

2014-houmansadr-no §VII-D evaluation

The RAD paper's random decoy placement is heavily biased in favor of the censor: 86.2% of all Internet ASes are edge ASes with customer cone size 1, so random selection rarely hits transit ASes. Replacing random with sorted-no-ring placement (decoys chosen from ASes that appear most on adversary BGP routes) disconnects China from 30% of Internet destinations using only 2% decoy coverage, versus the 4% disconnection reported in the original RAD paper.

2014-houmansadr-no §V, §VII-A defense

By deploying covert channels inside legitimate high-traffic web services (e.g., OpenSearch sites), Facade raises the censor's cost of blocking to unacceptable collateral damage: blocking Facade requires blocking the legitimate web service, which harms local businesses and normal users. Facade explicitly assumes censors are unwilling to block major platforms such as AWS or popular search services.

2014-jones-facade §3.2, §5.1 defense

Facade routes all encoded HTTP requests through a Selenium-controlled Chrome browser instance, so every message the censor observes is generated by a real browser implementation. This defeats 'parrot attack' fingerprinting, which exploits discrepancies between a protocol emulator's responses to error conditions and those of the genuine client or server.

2014-jones-facade §4, §5.1 defense

Chinese censorship does not primarily target criticism of the state or its leaders — vitriol against top officials is routinely published. The decisive variable is collective action potential: posts that organize, incite, or reference crowd formation outside the Internet are censored regardless of whether they are pro- or anti-government, a distinction the authors formally establish and experimentally test for the first time.

2014-king-reverse-engineering Results detection

The automated keyword-filtering tier is acknowledged to be largely ineffective at text classification due to well-known poor performance of keyword-matching approaches; the government compensates by deploying tens of thousands of human censors who manually review posts held by automated filters. The automated system affects large numbers of posts on fully two-thirds of Chinese social media sites surveyed.

2014-king-reverse-engineering Participant Observation / Research Design detection

By operating their own Chinese social media site using commercially available software, documentation, and vendor support, the authors confirmed that censorship enforcement is delegated to platform operators via configurable off-the-shelf software. By default the software shipped with no automated review or blocking; webmasters activate keyword lists and gain controls for bulk deletion, IP blocking, user banning, and per-post-type restrictions.

2014-king-reverse-engineering Participant Observation deployment

Chinese social media censorship operates at two sequential stages: an instantaneous automated review that holds flagged posts before they receive a public URL, followed by human censors who read each held post and decide within roughly 24 hours whether to publish or delete it. The ex ante automated stage is invisible to observational methods that only monitor published content, creating a systematic blind spot in prior censorship measurement research.

2014-king-reverse-engineering Participant Observation / Fig. 2 detection

The Chinese censorship apparatus detects collective action potential through volume-burst monitoring: it identifies a spike in social media posts about a topic area, traces the spike to a real-world event, classifies the event as having collective action potential, and then censors all posts in that burst — regardless of individual post stance or content.

2014-king-reverse-engineering Theory / Collective Action Potential Hypothesis detection

Cascade-based censorship (ICM model) and uniform random deletion produce measurably different topological signatures: cascade removal causes greater increases in network diameter and radius as the censorship fraction γ increases and a substantial increase in assortativity at mid-removal levels (γ=0.2–0.5), whereas uniform deletion shows slower, more gradual changes across these same metrics.

2014-morrison-toward §4.1 evaluation

An SVM classifier using a 60-dimensional feature vector — 10 topological network metrics (assortativity, clustering coefficient, diameter, radius, betweenness centrality, degree distribution exponents) plus 50 Laplacian eigenvalues — can detect network-level censorship without any content analysis. The classifier successfully distinguishes censored from uncensored reply-graphs even at the lowest tested censorship level of γ=0.1 (10% edge removal), using 10-fold cross-validation repeated 10 times.

2014-morrison-toward §3–4 detection

Censors on Sina Weibo were documented retroactively removing entire repost cascades started from a single sensitive post. Extrapolating from sampled data, prior work estimated that up to 4,200 workers working eight-hour shifts would be required to match the censorship demand on Sina Weibo alone, with documented peak hours for deletion activity.

2014-morrison-toward §2 Related work evaluation

A random sample of Sina Weibo messages found that 16.25% were deleted overall, with geographic distribution having a strong impact: up to 53% of messages from some Chinese provinces were deleted. Nearly 30% of all deletions occurred within the first 5–30 minutes of posting, and up to 90% within 24 hours of the posting.

2014-morrison-toward §2 Related work evaluation

Collaborative spy detection aggregates VPN connection logs (complete, incomplete, and tiny calls) across all volunteer nodes to a central log analyzer, which identifies censor probe IPs by looking for clusters of incomplete or tiny calls from the same /24 block, then distributes a Spy List back to every server so probing packets are silently dropped before the handshake completes. A single server cannot distinguish a spy from a regular client in time; the cross-server aggregate makes pre-response spy identification feasible.

2014-nobori-vpn §4.3 defense

After VPN Gate blocked the GFW's original probe IP (210.72.128.200, operated by China Science and Technology Network / CSTNET), the GFW authority immediately pivoted to Amazon EC2 and commercial hosting (Gorilla Servers) to enumerate relay lists, using a Python-urllib user agent at fixed polling intervals. Following this adaptation, approximately 80% of all VPN Gate servers became unreachable from China.

2014-nobori-vpn §6.3, Figure 13 detection

The GFW authority discovered VPN Gate and deployed an automated IP-blocking tool within four days of launch: the List Server was blocked on March 11, 2013 (day 3), and automated scanning of the full server list began by March 12 (day 4). This automated tool polled and blocked all listed IP addresses several times per day.

2014-nobori-vpn §6.3 detection

Innocent IP mixing — inserting IP addresses of critical Internet infrastructure (DNS roots, Windows Update servers, popular mail servers) into the relay list distributed to users — forces the censor to manually verify each address before blocking. In March 2013, the GFW blocked every IP VPN Gate mixed in within 30 minutes, demonstrating it was trusting the list without verification; after the technique was noticed (March 20), the GFW switched to verifying IPs first, substantially slowing its blocking cadence.

2014-nobori-vpn §4.2, §6.3 defense

After deploying innocent IP mixing and collaborative spy detection, VPN Gate raised server reachability from China from a low of ~30% to 78.5% by June 19, 2013, sustaining 60–70% reachability through end of August. On August 29, 2013, VPN Gate served 9,000 daily unique IP addresses from China versus Tor's estimated 3,000.

2014-nobori-vpn §6.2, Figure 12 evaluation

DNSSEC fails to withstand legal attacks because governments can legally compel DNS authority operators to manipulate entries and certify the changes; the trust chains DNSSEC establishes mirror DNS zone delegations and therefore inherit the same jurisdictional vulnerabilities. A Danish police incident demonstrated the collateral damage: 8,000 legitimate domains were accidentally removed when censorship procedures were executed against a single target. Chinese DNS injection has been shown to have worldwide effects on name resolution through out-of-bailiwick NS record chains.

2014-wachs-censorship-resistant §1, §2.2 policy

GNS bounds the trusted computing base (TCB) for any individual name resolution to fewer than approximately 125 entities (constrained by name label length) and makes the full trust chain transparent to the user. By contrast, even simple DNS lookups can silently depend on correct answers from over 100 DNS zones; China's DNS injection caused global collateral damage precisely because out-of-bailiwick NS record chains made the full trust graph invisible to resolvers and users alike.

2014-wachs-censorship-resistant §5 evaluation

GoHop without traffic shaping achieved 76.8–78.5 Mbps (virtual NIC) on a 1 Gbps LAN; traffic shaping reduced this to 58.1 Mbps (~26% overhead from fragmentation). In a Beijing-to-Seattle real-world download test, GoHop delivered 960–999 KB/s against a 1,544 KB/s direct baseline, with the 96.7 Mbps WAN link—not GoHop—as the bottleneck. This compares to Tor's 40–300 KB/s (30–80 KB/s with obfuscation plugins such as SkypeMorph).

2014-wang-gohop §V.B, Table II, Table III evaluation

A pre-shared key enables encrypting the entire GoHop packet—header, payload, and padding bytes—achieving true randomness in the full byte stream. Standard VPN protocols such as OpenVPN encrypt only the payload while leaving headers in plaintext, exposing protocol-identifying fields to DPI without payload inspection. This design choice is a prerequisite for defeating header-based fingerprinting.

2014-wang-gohop §III.A defense

Spreading UDP datagrams across a randomized port range breaks traditional 5-tuple-based session tracking, randomizes per-port inter-arrival times, and reduces per-port throughput to a small fraction of the aggregate—making per-flow statistical analysis significantly harder. Critically, the number of random ports does not reduce aggregate throughput: GoHop measured 76.8 Mbps (1 port) versus 78.5 Mbps (100 ports) at the virtual NIC.

2014-wang-gohop §III.C, §V.A, Table II defense

GoHop's naïve traffic shaping targeting a uniform packet-size distribution (0–MTU) successfully morphed both HTTP and SSH flows: K-S test D values were 0.019 (HTTP) and 0.022 (SSH), both below the 0.025 rejection threshold, with p-values of 0.20 and 0.11 respectively. After shaping, packet-size CDFs and statistical metrics (mean ~782–783 bytes, variance ~163,600) for both protocols became nearly identical, eliminating the size signals that distinguish them.

2014-wang-gohop §V.A, Table I evaluation

Censorship on Weibo does not produce a measurable chilling effect on discussion: Spearman's ρ = 0.198 (p = 0.011) between the percentage of censored tweets and unique tweeters per topic, indicating that censored topics attract more unique participants. No significant negative correlation was found for any of five engagement variables (comments per tweet, comments per user, total comments, unique commentors, unique tweeters).

2013-chen-tweeting §5.2, Table 3 evaluation

Comments on Weibo (~18M per day) are not independently censored: when a tweet is deleted, its comments are deleted as a cascade, but no instances of standalone comment censorship were observed in 36.5M tweets and associated comments. This creates a structural asymmetry — there are an order of magnitude more comments than tweets, yet comments persist unless their parent tweet is removed.

2013-chen-tweeting §2.3, §4.2 detection

Weibo users circumvent keyword-based censorship by substituting censored terms with morphs — abbreviations, anglicizations, homophones, homographs, and neologisms. 11 of 37 trending topics in a 44-day crawl of 280K users contained morphs, and morph usage was concentrated in heavily censored topics, with up to 5 morphs per topic observed.

2013-chen-tweeting §2.3, §6.1 defense

Morph adoption in censored topics begins within hours of censorship being imposed, and in some topics users adopt morphs preemptively before censorship is applied, demonstrating rapid community-level awareness of keyword filtering. Temporal analysis of the Lushan and Taxi topics (Figures 19–20) shows morph usage rising sharply in parallel with or ahead of censor action.

2013-chen-tweeting §6, Figures 19–20 evaluation

Weibo employs keyword-based censorship with highly uneven application across topics: 82% of tweets in the Lushan topic (criticism of a local official) were censored, while 27 of 37 trending topics exhibited <2% censorship; overall ~1% of the 36.5M crawled tweets were censored. The Chinese government prioritizes censoring content that could incite public protest over content that is merely critical.

2013-chen-tweeting §5.2, Table 1 detection

An FTE-tunneled Tor circuit using intersection, manual, and auto HTTP formats successfully traversed the Great Firewall of China from a VPS inside China to a server in the United States on port 80. A persistent tunnel polling a censored URL every five minutes remained active for one month until VPS account termination, with no blocking observed.

2013-dyer-protocol §6 deployment

Default Tor connections to a private bridge inside China were detected by the Great Firewall via active probing: an initial connection succeeded, followed by a probe from a Chinese IP address approximately 15 minutes later that performed a TLS handshake and then blacklisted the (IP, port) combination. Subsequent connection attempts resulted in a successful SYN followed by spoofed TCP RSTs terminating both the client and bridge connections.

2013-dyer-protocol §6 detection

SkypeMorph and FreeWave both overlay a client-proxy communication model onto a peer-to-peer VoIP network; because Skype clients attempt direct peer contact before falling back to supernodes, initiating a call to a FreeWave proxy reveals its IP address directly to the caller, and proxy nodes accumulate user-to-bridge ratios that reached 8–12× in Syria/Iran and up to 120:1 in China (Figure 8), producing concentration signatures uncharacteristic of normal P2P call distributions. These architectural mismatches allow enumeration and fingerprinting attacks independent of traffic-content analysis.

2013-geddes-cover §5, Figure 8 detection

FreeWave routes client VoIP connections through oblivious intermediary nodes (e.g., Skype supernodes) rather than directly to the FreeWave server, so even if a censor discovers the server's VoIP ID or IP address it cannot block clients via IP filtering. This 'server obfuscation' is absent from SkypeMorph and StegoTorus; the authors note that Chinese censors enumerated all Tor bridges—on which SkypeMorph depends—in under a month, rendering those transports instantly blockable.

2013-houmansadr-i §IX-A defense

Hypothetical fixed parrot systems (SkypeMorph+ and StegoTorus+) that correct all passive detection failures remain unambiguously detectable via active and proactive attacks (Table II). Supernode cache flushing and TCP control channel manipulation — e.g., sending RST causes genuine Skype to drop the call immediately while parrots produce no reaction — distinguish them from genuine Skype because the parrot cannot actually execute Skype protocol logic.

2013-houmansadr-parrot §VII-B, §VII-C, Table II detection

Existing censorship-resistant systems share a fundamental vulnerability: they require the user to know a finite set of entry points (bridge addresses, rendezvous points, or ISP-level collaborators) that a censor can enumerate by impersonating a legitimate user. China has blocked the majority of Tor bridges since 2010 and Iran blocked all encrypted traffic in 2012, demonstrating this attack is operationally deployed at scale.

2013-invernizzi-message §1 detection

GFW reassembles both IP fragments and TCP segments for HTTP connections, but its overlap-resolution policy diverges from receiver behavior in documented cases: it prefers the original IP fragment in all overlap configurations except when the challenger is simultaneously left-long and right-long (IP2), and prefers a later left-equal TCP segment over the original (TCP5). The paper tests all 18 possible fragment overlap cases and confirms that placing a banned keyword only in the fragment version GFW discards achieves evasion.

2013-khattak-towards §5, Table 1 (IP2, TCP5) detection

GFW exhibits three confirmed HTTP analysis gaps: it inspects only the first Request-URI and Host header in HTTP-pipelined requests (HTTP3), will not scan beyond 2,048 bytes into a Request-URI (HTTP2), and recognizes only standard percent-encoding while ignoring alternative URI encodings such as overlong UTF-8 (HTTP4). The authors classify all three as low-difficulty fixes for the censor, meaning they may be patched quickly once disclosed.

2013-khattak-towards §5, Table 1 (HTTP2, HTTP3, HTTP4) detection

GFW maintains TCP connection state for up to ≈10 hours and tolerates up to ≈1 GB of client-to-server data, but drastically reduces these limits when a sequence hole exists: it abandons state after buffering only 1 KB above the hole (TCP9) and times out holed connections in 60–90 minutes rather than ≈10 hours (TCP10). These thresholds were confirmed over repeated measurements and represent the maxima tested, not precise censor-configured limits.

2013-khattak-towards §5, Table 1 (TCP9, TCP10) detection

GFW instantiates a TCB upon observing a bare SYN before any SYN-ACK (TCP1), enabling a split-connection evasion: a client sends a low-TTL SYN visible to GFW but not the server, then opens the real connection on the same 5-tuple with a different initial sequence number. GFW tracks the phantom TCB and fails to detect banned keywords on the real, desynchronized connection. This same behavior also renders GFW vulnerable to SYN-flooding-style memory exhaustion.

2013-khattak-towards §5, Table 1 (TCP1) detection

A TTL-limited bare FIN packet (without ACK) is sufficient to induce GFW to tear down its connection state for a live TCP session (TCP6b), because GFW accepts FIN packets that violate RFC 793's requirement for the ACK flag. After induced state teardown, subsequent packets carrying banned keywords on the same connection produce no RST, confirming the monitor has lost track of the flow.

2013-khattak-towards §5, Table 1 (TCP6b) detection

GoAgent, the most widely used circumvention tool among the 1,175 surveyed users, routes traffic through Google App Engine IP addresses also used by Gmail and Google Apps for Businesses. The GFW resorts to DNS poisoning of appspot.com domains rather than IP-blocking these shared addresses because a blanket IP block would disrupt commercially critical Google services — and GoAgent bypasses the poisoned DNS by connecting directly to the unblocked IPs, making surgical separation of circumvention traffic from business traffic infeasible.

2013-robinson-collateral §2 Tool Usage, §3 Collateral Freedom Matters defense

Among 1,175 Chinese circumvention users surveyed in late 2012, purpose-built anti-censorship platforms showed severe attrition: Freegate had 44.3% former users but only 15.3% current users, while GoAgent and paid VPNs (piggybacking on commercially indispensable infrastructure) were the top two most-used tools in the past month. The median respondent had used four different types of circumvention tools, indicating frequent switching driven by blocking events.

2013-robinson-collateral §2 Tool Usage, Figure 2.1 evaluation

China's 2012 real-name registration law for consumer-facing online services (including VPNs) is designed to enable censors to segment circumvention-related consumer VPN traffic from business VPN traffic — permitting selective blocking of consumer VPNs while leaving corporate VPNs operational. The GFW had already demonstrated protocol-level VPN blocking capability; registration provides the identifying information needed to apply that capability selectively rather than as a blunt instrument.

2013-robinson-collateral §1 Introduction, §3 Collateral Freedom Matters policy

Tor, which has minimal commercial footprint and a distinctive network signature, was blocked throughout China using tailor-made GFW countermeasures and lost approximately 85% of its Chinese users as a result. In contrast to GoAgent and VPNs, China's censors can block Tor without significant economic collateral damage, making it uniquely vulnerable despite its strong privacy properties.

2013-robinson-collateral §2 Tool Usage, §3 Collateral Freedom Matters evaluation

In a survey of 1,175 Chinese circumvention users, reliability ranked as the top factor in tool selection (cited more often than speed), while privacy and trust in the developer ranked last. The overwhelming majority are versatility-first users seeking fast, reliable access to social media and search engines and are largely unconcerned about surveillance; only a small minority of journalists, dissidents, and activists are privacy-first users.

2013-robinson-collateral §2 Common Problems, Figures 2.3–2.4 evaluation

In four of five incidents (all except Syria), spam accounts were registered in temporally clustered blocks while legitimate accounts were not; in Russia and Mexico, multiple distinct registration bursts were observed. Across all five incidents, spam account usernames were automatically generated, with China'12 and Mexico accounts following a {name}{name}{number} pattern padded to exactly 15 characters (Twitter's maximum), making algorithmic reverse-engineering feasible.

2013-verkamp-five §4.1, Table 6, Figure 4 detection

Default-profile usage was significantly elevated among spam accounts in China'11 (89.4% spam vs 51.2% non-spam), Russia (57.8% vs 34.7%), and China'12 (95.1% vs 47.8%); however, Mexico inverted this trend with only 1.7% of spam accounts using default profiles vs 27.0% of non-spam accounts, indicating that newer campaigns actively customize profiles to evade appearance-based detection.

2013-verkamp-five §4.2, Table 7 detection

Across five political spam incidents, spam constituted 62–73% of all tweets in the Russia, China'12, and Mexico incidents, while Syria had only 6% spam. In the China'12 incident, 1,700 spam accounts (14% of all accounts) generated 600,000 spam tweets (73% of total), with 10 individual accounts each producing over 5,000 tweets before shutdown; in Mexico, 50 accounts sustained 1,000 spam tweets per day throughout the incident.

2013-verkamp-five §2, Table 2 evaluation

Twitter's existing automated spam-filtering mechanisms caught only approximately 50% of politically motivated spam in the Russian parliamentary election incident, as reported by Thomas et al. (2012) and noted as the baseline for this study. Spammer behavior varied sufficiently across incidents (targeting strategy, URL usage, mention patterns, default-profile adoption) that supervised machine-learning classifiers trained on one incident are unlikely to generalize to others.

2013-verkamp-five §1, §5 evaluation

China's GFW was able to enumerate all Tor bridges distributed via IP address or Gmail account in under a month, demonstrating that standard small-subset distribution strategies are insufficient against a state-level adversary controlling large numbers of accounts and Sybils.

2013-wang-rbridge §2.1 detection

Client proof-of-work puzzles are ineffective as an active-probing defense because a state-level censor with parallel hardware can solve multiple puzzles simultaneously, one per CPU core. The authors estimate that the Tor bridge churn rate (rate of new bridge IP addresses) is too low to raise a well-equipped censor's workload beyond practical limits without simultaneously making the scheme impractical for legitimate clients — the same balancing problem as PoW for spam.

2013-winter-scramblesuit §4.1.1 evaluation

ScrambleSuit defeats active probing by requiring clients to prove knowledge of an out-of-band shared secret before the server responds; a probing censor receives only silence. Two mechanisms are provided: session tickets (preferred for non-Tor applications) and an authenticated UniformDH handshake (optimized for Tor's shared-secret bridge distribution model), with both producing payloads computationally indistinguishable from random.

2013-winter-scramblesuit §4.1 defense

Tor's traffic contains a characteristic prevalence of 586-byte packets (Tor's 512-byte cells plus TLS header overhead) that form a strong flow-level fingerprint detectable from a few dozen captured packets. ScrambleSuit's packet length morphing eliminates this signature and shifts the distribution toward MTU-sized packets, but the authors note that a censor using the VNG++ classifier — which relies on coarse features like connection duration, total bytes, and burstiness — would still require only a marginal increase in ScrambleSuit's overhead to defeat.

2013-winter-scramblesuit §4.3.1, §5.1, Figure 10 detection

The censorship arms race is highly asymmetric: circumvention tool developers such as Tor operate entirely in public (code, designs, and data), while censorship systems like the GFW are black boxes. This structural imbalance means censors systematically learn more from defenders than vice versa, motivating volunteer-based in-country measurement to reduce the defender's information deficit.

2013-winter-towards §1, §3 evaluation

As of March 2013, Tor is documented as blocked in China, Iran, Syria, Ethiopia, the UAE, and Kazakhstan. Blocking techniques range from simple IP address blacklisting to a sophisticated hybrid consisting of deep packet inspection (DPI) and active probing.

2013-winter-towards §1 detection

Tor's TLS handshake exhibited multiple distinguishing fingerprints — including the client cipher list, server certificates, and randomly generated SNIs — that were used for TLS-based filtering in Ethiopia, China, and Iran. Inferring the exact byte-level pattern matched by DPI boxes required manual analysis and remains a difficult open problem as of 2013.

2013-winter-towards §3.1.5, §5 detection

A snapshot from 6 April 2012 shows TOM-Skype had 1,130 censorship keywords and SinaUC had 1,490, with only 21 words in common — all high-frequency stock keywords (e.g., 'falun', 'Epoch Times'). This near-total divergence indicates each company independently compiled its own blacklist rather than distributing from a centralized government source.

2012-aase-whiskey §4 evaluation

TOM-Skype's client-downloaded keyword blacklist was updated with current-event-specific terms (protest locations, individual names like Bo Xilai) while SinaUC's lists were not updated with current events and appeared more targeted at spam removal. This correlation between surveillance capability and more timely, politically specific keyword updates suggests censors prioritize maintaining current blacklists on clients that also perform message surveillance.

2012-aase-whiskey §4, §5 evaluation

Weibo's post-censorship system initially checks only for literal keyword strings, but after a user posts a literal blacklisted keyword the server switches to regex/wildcard matching for that user's subsequent posts — catching obfuscations like 'Fa-ccc-lun' that were not blocked before the trigger event. This per-user escalation of pattern matching means keyword obfuscation provides only one-shot protection.

2012-aase-whiskey §3 detection

Weibo's search censorship is more aggressive than its post censorship: searching for a keyword returned no results in cases where posting the same keyword was not blocked. The authors hypothesize this asymmetry reflects resource constraints — post censorship requires processing longer, more varied content at high volume, while search censorship is cheaper to apply broadly.

2012-aase-whiskey §3, §5 detection

Bigram frequency analysis of Weibo around the December 2011 Wukan village protests (Figure 1) shows censorship of the keyword 'Wukan' was applied proactively before mainstream media coverage and lifted after the government announced a peaceful resolution on 21 December 2011 — demonstrating that censors operate on a news-cycle timescale and use temporary suppression to manage narrative rather than indefinitely blocking topics.

2012-aase-whiskey §3, Figure 1, §5 evaluation

An attacker with DNS spoofing capability — the paper cites the GFW explicitly — can respond to Ultrasurf DNS discovery queries before legitimate resolvers and inject crafted CNAME records that fully control the client's single-hop path selection. In code paths where peer verification is skipped ('SkipverifyQ0' log entries), this enables complete traffic interception without any cryptographic break.

2012-appelbaum-technical §6.4, §5.6 detection

Ultrasurf's DNS bootstrapping phase uses subdomain names that are always exactly 16 characters between delimiters and exclusively target .info TLDs, producing a constant byte-width network signature. The paper concludes that filtering this bootstrapping traffic is straightforward even without reverse engineering the client binary, as the client itself acts as a network discovery oracle for censors observing its connections.

2012-appelbaum-technical §5.6, §6.8 detection

On-path censors commonly operate on traffic mirrors rather than inline (in-path), making their systems failure-tolerant and easier to deploy. This architectural choice means on-path injectors cannot suppress the legitimate DNS reply—both the forged and authentic replies reach the resolver—creating a detectable anomaly. The same structural weakness applies to TCP RST injection and other on-path packet injection attacks.

2012-duan-hold-on §I, §II.A detection

In approximately 100,000 DNS queries over 9 days from within a censored network, injected packets were reliably distinguishable: legitimate IP TTLs were stable at either 44 or 42, while injected TTL values ranged across [0–255], and injected packets arrived well before legitimate replies because the injector co-resided within the same ISP while the recursive resolver was in another country. With a TTL threshold of ±1 and an RTT threshold of 0.5× expected RTT, the Hold-On prototype achieved 0% false positive rate and 0% false negative rate.

2012-duan-hold-on §IV.B, Table I evaluation

Flash proxies successfully relayed Tor traffic from within China in December 2011, but the test relied on a simple HTTP-based rendezvous blockable by IP address; the authors identify rendezvous — getting just a few bytes (the client's IP address) out of the censored region — as the bottleneck that determines whether the entire proxy system remains operational.

2012-fifield-evading §4.4, §6 deployment

Flash proxies provide mean throughput of 79.7 KB/s when uninterrupted — comparable to direct Tor (69.5 KB/s) — but throughput drops to 56.6 KB/s (20–40% lower) when proxies alternate on 8-second duty cycles, with most variance attributable to Tor circuit reconstruction overhead rather than transport switching.

2012-fifield-evading §4.2 evaluation

The vast majority of censorship activity occurs within 24 hours of original posting, with some deletions occurring more than 5 days later. Across 11,382,221 posts from 1,382 Chinese social media sites collected in 2011, the average censorship rate is 13%, with rates of 16%, 17%, and 24% in low, medium, and high ex ante political sensitivity topic categories respectively.

2012-king-censorship Data / Collection; Figure 2 evaluation

Chinese government censorship is aimed at suppressing collective action potential, not state criticism. Average censorship magnitude is 27% for collective action events but −1% for policy and −4% for news events. Posts criticizing and supporting the state are both censored at ~80% during collective action events, compared to ~10% for non-collective-action topics.

2012-king-censorship Results / Figure 3 policy

Censors apply categorical event-level judgment — whether a post is associated with a collective action topic — rather than per-post sentiment classification. The paper explicitly states that no known statistical or machine-learning technology can achieve the accuracy required for this task, and the authors obtained 98.9% intercoder agreement (86/87 events) using human coders applying the same five-category scheme.

2012-king-censorship Analysis Strategy / Central Hypothesis; Coding Rules detection

Keyword blocking has limited effect because users evade it through homophones (e.g., 'river crab' substituting for 'harmonious society'), homographs, analogies, metaphors, and satire; the Chinese character-based writing system provides particular affordances for this evasion. Chinese social media is distributed across approximately 1,382 sites following a power-law distribution, with blog.sina alone accounting for 59% of posts, creating highly variable enforcement across the long tail of local sites.

2012-king-censorship Data / Types of Censorship policy

Chinese censors operate primarily through manual human review, not automated classification. Hand-censorship is identified as the last and most extensive form of content filtering and cannot be evaded by clever phrasing, unlike automated keyword blocking. Individual content providers each employ up to 1,000 censors, supplemented by 20,000–50,000 Internet police and an estimated 250,000–300,000 'fifty-cent party' members at all levels of government.

2012-king-censorship Data / Types of Censorship detection

A balls-and-bins analysis shows that an adversary conducting N full rounds of a rate-limited rendezvous protocol discovers only 63% of a pool of N entry points; full coverage requires N ln N rounds (the coupon collector's bound). Concretely, with three 8-hour shifts of 100 humans performing 60-minute CAPTCHA+proof-of-work challenges, an adversary discovers ~2,400 entry points per day, exhausting a static pool of 10,000 addresses in roughly 19 days.

2012-lincoln-bootstrapping §3 evaluation

The Chinese Great Firewall was observed conducting two follow-up probes for each outbound TCP/443 connection: the first with garbage binary data (target unknown) and the second specifically performing an SSL negotiation, an SSL renegotiation, and successfully building a one-hop Tor circuit to confirm the bridge. This reactive probing renders unpublished Tor entry points discoverable even when not listed in any directory.

2012-lincoln-bootstrapping §1 detection

A single malicious Tor middle router advertising 10 MB/s bandwidth discovered 2,369 distinct bridges in 14 days. The catch probability is determined solely by the aggregated bandwidth M = k·b of malicious middle routers regardless of how that bandwidth is distributed across nodes: three routers at 10 MB/s each achieve strictly greater catch probability than 512 nodes at 50 KB/s each. This means a well-resourced single node is equivalent to or surpasses hundreds of low-bandwidth Sybil nodes.

2012-ling-extensive §IV-B, §V-B, Theorem 3 detection

After a Tor client inside China connected to a US-based bridge, that bridge subsequently received a series of Tor connection-initiation messages from different Chinese hosts — consistent with GFW active probing triggered by the initial client connection. The probe burst was followed by loss of the original client connection, demonstrating a two-phase detect-then-block pattern: passive identification of suspicious traffic triggers active re-probing to confirm the protocol before blocking.

2012-moghaddam-skypemorph §1 detection

A warden can fingerprint the specific covert destination a Telex user is visiting by comparing observed latency distributions against a pre-built database of covert-destination latencies. With an intelligently filtered database of only 10 distributions (K-S inter-entry threshold 0.8), the AUC is 0.868, and with approximately 12 collected samples the false positive rate drops below 10%. Larger databases (size 50) degrade to AUC 0.537 due to distribution similarity, but threshold-based filtering restores substantial discriminative power.

2012-schuchard-routing §5.3, Figures 7, 9 detection

A routing-capable warden can enumerate over 90% of decoy-router-deploying ASes for deployments as large as 4,000 ASes using an intersection-based discovery attack: the warden probes many paths, accumulates a set of 'clean' ASes, and prunes candidate paths until a single 'tainted' AS remains. All evaluated wardens (China, Syria, Iran, Australia, France, Venezuela) achieved roughly equal detection success across all deployment sizes.

2012-schuchard-routing §4.1 detection

Containment analysis shows that surrounding China with a 'ring' of decoy routers at AS-hop depth 1 requires covering 161 ASes; depth-2 expands by a factor of more than 23, becoming untenable, while depth-3 is slightly smaller but leaves the majority of the Internet reachable via clean paths. Cutting China off from at least half the Internet would require all 96 of the world's largest ISPs to deploy decoy routers at all exit points simultaneously.

2012-schuchard-routing §6, Table 2 evaluation

Under the Cirripede 'random ASes' deployment scenario — where 0.4%–1.0% of ASes deploy decoy routers — routing-capable wardens need only disconnect themselves from 0.85%–3.04% of the Internet to obtain clean (decoy-free) paths to all remaining destinations. Even at 10% Internet-wide deployment, wardens are cut off from only 7%–9% of non-participating ASes on average.

2012-schuchard-routing §4.2, Figure 2 detection

A passive timing attack using the Kolmogorov-Smirnov test on connection latency distributions reliably distinguishes Telex users from honest hosts: K-S scores against the overt destination max out at 0.26, while scores against covert destinations (even those within 10 ms of the Telex station) range from 0.3–1.0 with a median of 0.7 for nearby servers and 1.0 for Alexa top-100 sites. The attack is effective even for clients 50–250 ms from the Telex station, with no K-S score below 0.26 observed across 40 PlanetLab hosts.

2012-schuchard-routing §5.1–5.2, Figures 5–8 detection

DNSSEC validation naturally prevents DNS injection collateral damage: both .de and .kr sign their results, allowing a validating resolver to reject the unsigned injected reply while awaiting the legitimate signed response. The paper identifies DNSSEC deployment at the TLD level as the most robust structural defense against injection-based collateral damage.

2012-sparks-collateral §5 defense

Probing 43,842 open recursive resolvers across 173 countries found 26.41% (11,579) suffer some collateral damage from Chinese DNS injection, distributed across 109 countries. The top-affected regions are Iran (88.20%), Malaysia (85.34%), South Korea (79.20%), Hong Kong (74.63%), and Taiwan (66.13%).

2012-sparks-collateral §4.3, Table 5 evaluation

DNS injection collateral damage arises from three structural properties of DNS: iterative resolution (full queries sent to root and TLD authorities), anycast routing (two resolvers may reach different physical servers via different paths), and dynamic routing through censored transit ASes. A single domain lookup may generate many queries at multiple levels, any of which can be intercepted by a censored transit AS even when both the originating resolver and the authoritative server are outside the censored network.

2012-sparks-collateral §3 detection

TraceQuery probing identified 3,120 router IPs performing DNS injection belonging to exactly 39 Chinese ASes. AS4134 (Chinanet) alone accounts for 1,952 router IPs (62.6% of injecting routers); the top 5 ASes account for over 77% of all identified injecting routers.

2012-sparks-collateral §4.2, Table 3 evaluation

TLD-level paths are the primary collateral-damage vector: 11,573 resolvers (26.40%) suffered collateral damage via censored transit to TLD authorities, while only 1 resolver (0.002%) was affected via paths to root servers. The .de ccTLD was most affected because a large fraction of US-to-Germany transit traverses Chinese networks.

2012-sparks-collateral §4.3, §4.4, Table 6 evaluation

China's censoring devices send four spoofed RST packets per filtered connection with varying sequence and ACK numbers and TTL values corresponding to roughly the hop count to the Chinese border; the IP ID field increments sequentially per TTL group, strongly implying a small cluster of out-of-band machines co-located at each border router. Because the device is out-of-band, the actual server response still arrives at the client but is preempted by the injected RSTs.

2012-verkamp-inferring §4.2 detection

China's censoring device is stateful: it inspects only the first HTTP GET request after a TCP handshake and ignores subsequent requests or those without a preceding handshake. After blocking a request, it records the (src IP, dst IP, port, protocol) tuple and denies all further communication between that machine pair for approximately 12 hours, even for traffic that would not independently trigger censorship.

2012-verkamp-inferring §4.3 detection

Across 11 countries, censorship execution falls into at least six distinct categories: DNS redirect to localhost (Malaysia, Russia, Turkey), DNS redirect with warning page (South Korea), connection timeout with no notification (Bangladesh, India), spoofed TCP RST injection (China), spoofed HTTP 403 with warning page (Bahrain, Iran), HTTP 302 redirect (South Korea, Thailand), and spoofed HTTP 200 iframe response (Saudi Arabia). Four countries censor at DNS and eight at routers, with South Korea employing both layers simultaneously.

2012-verkamp-inferring Table 3 evaluation

A censor can compare the predicted AS path from the claimed dummy host to the client against the actual observed ingress entry point of the spoofed downstream traffic; inconsistency reveals the dummy host as a cover. For clients in China Telecom (ASN 4134) and China Unicom (ASN 4837), 100% of 225 candidate dummy hosts passed AS-path consistency filtering; for clients in ASN 4538 only 18.2% (41/225) passed, sharply narrowing the usable pool for smaller ASes.

2012-wang-censorspoofer §5.2.3, Table 2 detection

CensorSpoofer decouples the upstream channel (URLs hidden via steganography in IM/Email) from the downstream channel (web content injected into spoofed UDP/VoIP flows), so the proxy's real IP is never revealed to any user. This asymmetric architecture provides perfect insider-attack resistance: even if all users are compromised, they can only learn cover dummy-host IPs, not the spoofer's address.

2012-wang-censorspoofer §4 defense

Port-scanning 10,000 randomly selected non-China IPs found 1,213 (12.1%) acceptable as VoIP dummy hosts (SIP, RTP, RTCP ports not in 'closed' or 'host seems down' states). Of 100 sampled dummy hosts tracked over time, over 90% remained usable for more than 2 hours and over 80% for more than 6 hours; the total usable pool was stable across a 7-day measurement window (Feb. 9–16, 2012).

2012-wang-censorspoofer §7.2.2 evaluation

Using G.711 or G.722-64 codecs (64 Kbps downstream), CensorSpoofer clients in China downloaded Wikipedia's HTML file in approximately 6 seconds and the full 160 KB page in approximately 27 seconds; Tor and a proxy-based system (NetShade) were measurably faster. The iLBC codec limits downstream throughput to 15.6 Kbps, and all codecs impose equivalent dummy-traffic cost on the dummy host (G.711 consumes 87.2 Kbps at the dummy host).

2012-wang-censorspoofer §7.2.1, Table 1 evaluation

Tor's fixed 512-byte cells packed into TLS 1.0 records produce a characteristic TCP payload of 586 bytes (512 + 74 bytes of TLS overhead). A perimeter filter running a simple exponential moving average (τ ← ατ + (1−α)1ₗ₌₅₈₆, α=0.1, T=0.4) identifies Tor flows within a few dozen packets; this attack succeeds at backbone rates of ~540,000 packets/second on commodity hardware. Obfsproxy does not alter packet sizes or timings and therefore does not defeat this classifier.

2012-weinberg-stegotorus §5.1, Figure 3 detection

A blocked Tor bridge becomes reachable again after approximately 12 hours if Chinese scanners are unable to reach it continuously. In the authors' experiment, one bridge (port 23941) whitelisted to their Chinese VPS via iptables was unblocked within 12 hours despite remaining actively used, while an unrestricted bridge (port 27418) stayed blocked indefinitely.

2012-winter-great §4.2 detection

Of 2819 public Tor relays in the February 2012 consensus, only 47 (1.6%) were reachable via TCP from within China. After three days, only 1 of those 47 remained reachable. The GFC blocks relays by IP:port tuple rather than by IP to minimize collateral damage to co-hosted services.

2012-winter-great §4.1, §4.3 detection

Over 3295 active-probing scans observed across 17 days, 51% (1680) originated from a single IP address (202.108.181.70), while 98% of the remaining 1615 addresses were unique. All scanner IPs belong to three Chinese ASes: AS4837 (65.7%), AS4134 (30.5%), and AS17622 (3.8%). TTL analysis of 85 connections shows the scanner IPs are likely spoofed by the GFC—post-scan ping TTLs differed by +1 from during-scan TTLs.

2012-winter-great §4.5 detection

The GFC identifies Tor connections via a unique TLS ClientHello cipher list sent by the Tor client. Once DPI boxes detect this fingerprint on outbound traffic, active scanning is initiated within minutes: scanners connect to the suspected bridge, attempt to build a Tor circuit, and if successful the IP:port tuple is blocked. This two-stage pipeline (fingerprint → confirm → block) allows dynamic bridge blocking without pre-enumeration.

2012-winter-great §2, §4.1 detection

Tor DPI fingerprinting by the GFC is applied exclusively to egress traffic (from inside China to the outside world). Simulated Tor connections between domestic Chinese nodes and between external nodes connecting inward to a Chinese VPS attracted zero active scans across multiple experimental runs, indicating the detection infrastructure is positioned on the border for outbound flows only.

2012-winter-great §4.4 detection

During a two-month run in 2011 that coincided with the Jasmine Revolution protests, China's HTTP GET request backbone blacklist showed no additions or removals of keywords on a daily, weekly, or even monthly basis. Numerous current-event terms that triggered search engine censorship produced zero GET request RST responses, indicating the two censorship mechanisms operate on entirely different update timescales.

2011-espinoza-automated §4.2 evaluation

A maximum entropy named entity extraction (NEE) model trained on Chinese-language Wikipedia achieved 89.63% recall and 83.44% specificity for person names, 96.3% recall and 69.80% specificity for place names, and 87.56% recall and 88.40% specificity for organization names. Despite 0.42% precision for person names, the system reduces the number of words requiring censorship probes by nearly an order of magnitude while retaining nearly 90% of actual named entities.

2011-espinoza-automated §4.1 evaluation

To measure Chinese search engine censorship independently of backbone GET request filtering, the authors split each search engine HTTP GET request across multiple TCP packets so the server would reassemble the full query but routers performing single-packet keyword inspection would not see a complete match. This technique allowed ground-truth measurement of search engine responses free of backbone RST injection interference.

2011-espinoza-automated §3 defense

A controlled probe of two Chinese search engines found that the query 'fuck' triggered a legal notice that results had been removed, while 'fuck you' did not, suggesting that search engine censorship suppresses websites where a sensitive term appears prominently rather than matching exact byte strings in the query itself. The paper concludes this mechanism is topical and website-removal-based, not a static keyword blacklist.

2011-espinoza-automated §4.2 detection

During the 2011 Jasmine Revolution, words such as 'Jasmine Flower,' terms linked to Liu Xiaobo's Nobel Prize, and numeric references to presidential rent criticism triggered Chinese search engine censorship (results-removed warnings) but produced no HTTP GET request RST injections. This demonstrates that search engine filtering and backbone keyword filtering are independently operated layers that diverge sharply for rapidly evolving current-event content.

2011-espinoza-automated §4.2 detection

The BBC's Geostats prototype (2010) detects censorship events by normalizing hourly traffic from two sources — a web-bug-based Livestats API and approximately 30GB/day of uncompressed Akamai streaming logs — alerting when traffic deviates ±60% from a rolling historical average keyed to hour-of-day and day-of-week. A key limitation identified is that CDN log files arrive up to 24 hours behind real-time, preventing timely detection of live blocking events.

2011-kathuria-bypassing §2.2–§2.3 evaluation

The BBC has distributed international audio and video through Akamai CDN since 2003 using URLs that do not include bbc.co.uk, making URL and IP-based blocking harder than targeting *.bbc.co.uk directly. However, individual Akamai edge machines have been blocked in China, causing thousands of co-hosted websites to become collaterally unavailable, illustrating the concentration risk when many services share CDN IP space.

2011-kathuria-bypassing §4.2 defense

During the December 2010 Nobel Peace Prize ceremony blocking in China, of two Psiphon nodes brought online for the BBC English News site, one was blocked almost immediately while the other remained available throughout the weekend, serving 387 logins on the ceremony day with no direct promotional channel available. A non-BBC-branded live-stream page promoted via a bit.ly URL released one hour before the ceremony received 4,236 clicks, with approximately 50% from China, accounting for about one-third of total stream viewers.

2011-kathuria-bypassing §3.3 deployment

BBC Chinese's multi-channel Psiphon promotion — radio broadcasts three times daily with additional trails, daily email newsletters, and ad hoc tweets — allowed its service to reach page-view parity with BBC Persian's established Psiphon deployment within eight weeks of launch in September 2010. Separately, a third-party BBC Persian iPhone app using full-text RSS feeds received over 50% of its downloads from inside China, demonstrating that syndicated full-text content distributed across multiple third-party sites and apps is difficult for censors to enumerate and block.

2011-kathuria-bypassing §3.2, §4.3 deployment

TOM-Skype maintains two separate encrypted keyword lists: one triggering both message suppression and silent upload to a Chinese server, and a second triggering surveillance only. Version 5.1.4.10 introduced a distinct surveillance-only keyfile downloaded from a separate URL (skypetools.tom.com/agent/keyfile_u), allowing the censor to monitor users without alerting them via censorship.

2011-knockel-three §2.1–§2.2 detection

TOM-Skype keyword list encryption evolved from a simple XOR cipher in versions 3.6/3.8 to 256-bit AES-ECB in versions 5.0/5.1. Surveillance traffic was encrypted with DES-ECB using hardcoded ASCII keys embedded in the binary (SURVEIL_KEY4.0 = 'X7sRUjL\0'; SURVEIL_KEY3.6 = '32bnx23l'), both recovered via known-plaintext attack and DLL injection respectively.

2011-knockel-three §2.1.1–§2.1.3 detection

The TOM-Skype keyword blacklist contained numerous user-coined neologisms added after the originals were censored—e.g., 'Lu Si' (a homophone for the Tiananmen date '64') and 'Oscar best actor winner' (a euphemism for Wen Jiabao)—demonstrating an adversarial arms race in which evasion vocabulary spreads freely until censors detect and blacklist the neologisms. The authors observed that some sensitive concepts (e.g., '64' rendered as '32+32' or '8 squared') spawn so many variants that the neologism strategy may not scale for the censor.

2011-knockel-three §4 (Conjecture 5) detection

The TOM-Skype censorship keyfile was substantially updated on 4/22/2011—possibly correlated with US-China human rights talks on 4/27–4/28/2011—and contained exact phrases lifted verbatim from 2011 Jasmine Revolution protest coordination documents, including specific intersection meeting points such as 'McDonald's in front of Chunxi Road in Chengdu'. This demonstrates real-time, operationally targeted keyword blacklisting within days of new coordination material appearing.

2011-knockel-three §3 detection

The 158-word surveillance-only keyword list in TOM-Skype 5.1.4.10 focused predominantly on specific Beijing demolition sites and addresses (e.g., 'Ling Jing Alley demolition'), plus five Shouwang church keywords—none of which triggered message suppression. Messages matching these keywords were silently uploaded to a server, demonstrating that the censor operates event-specific surveillance lists targeting localized grievance communities independent of its censorship blacklist.

2011-knockel-three §3 detection

Tor-like anonymizing overlays are easily censored because they rely on centralized, publicly visible relay lists; governments can blacklist Tor nodes or monitor all Tor exit traffic so that traffic analysis can reveal the source. Traffic to or from Tor 'essentially advertises itself as probably worth tracking.'

2011-liu-tor §1–§2 detection

The design guarantees that as long as an end host can reach any non-censoring ISP, it can trampoline to any service; the anonymity properties make it difficult for ISPs to selectively block flows without cutting off the end host from the outside world entirely. Wikileaks-like services require only one willing authority for name resolution, not universal cooperation.

2011-liu-tor §7.1 defense

China has only 3 points of control covering approximately 240 million IP addresses (roughly 80 million IPs per point of control), the lowest ratio among large-population countries. This enabled China to cut off nearly all Internet access for the Xinjiang region for ten months beginning July 2009.

2011-roberts-mapping §II, §VI deployment

Eastern Asia averages 4.80 points of control and a complexity score of 1.54 across 510 million IP addresses, while Eastern Europe averages 19.10 PoC and a complexity score of 11.35 across 74 million IPs — nearly twice the complexity of any other region. Russia specifically has 2,346 autonomous systems and a complexity score of 19.39, versus China's 177 ASes and score of 0.11.

2011-roberts-mapping §II, Table II, Table III evaluation

Over a 14-day evaluation in April 2011, CensMon tested 4,950 unique URLs from 2,500 domains across 174 agents in 33 countries, detecting 951 unique URLs from 193 domains as filtered. Manual verification of all 193 flagged domains found only 3 false positives, demonstrating high precision for an automated distributed monitor.

2011-sfakianakis-censmon §4.2 evaluation

The single Chinese PlanetLab node reported 176 censored domains — more than all other 173 agents combined. Turkey (6 domains), Jordan (5), and Hungary (1) were the only other countries with any detected filtering. 86% of agent nodes across 33 countries reported zero filtering events.

2011-sfakianakis-censmon §4.2, Table 2 evaluation

Among all filtered URLs detected, HTTP filtering accounted for 48.5%, IP address blocking for 33.3%, and DNS manipulation for 18.2%. Of the domains blocked at the HTTP layer in China, 71% were blocked due to URL keyword filtering rather than HTML response content filtering.

2011-sfakianakis-censmon §4.2, Figure 2 evaluation

CensMon detected zero instances of partial web-page content filtering across 4,950 tested URLs during April 2011, indicating that censors at that time uniformly applied coarse-grained techniques — full URL block, IP blacklist, or DNS hijack — rather than inline content modification at the sub-page level.

2011-sfakianakis-censmon §4.2 evaluation

Tor bridges that always accept incoming connections enable a three-phase 'bridge aliveness attack': an adversary collects bridge descriptors at scale, correlates bridge uptime timestamps with pseudonymous post timestamps to narrow the candidate set (winnowing), then confirms identity via circuit-clogging and timing attacks. Because bridge descriptors remain valid indefinitely and the BridgeDB rate-limits only to one descriptor set per /24 prefix per week, an adversary with botnet or open-proxy access can hoard enough bridges for the winnowing phase to succeed.

2011-smits-bridgespa §1, §1.1 detection

Censors responding to encryption-based circumvention have two escalation options: block all encrypted connections outright, or identify the underlying protocol via traffic signatures that persist even inside encrypted tunnels. The paper frames these as the two dominant censor responses to DPI being defeated by encryption.

2011-wright-fine-grained §3 detection

Open DNS resolvers, widely available across the internet as public services, make DNS poisoning trivially detectable globally: a researcher can connect to a resolver in a target country and compare responses against a trusted reference resolver, without requiring volunteer proxies or in-country infrastructure.

2011-wright-fine-grained §4.2 evaluation

National-level filtering is not homogeneous: the administrative burden of maintaining up-to-date filtering rules at national scale leads states to delegate implementation to regional authorities or individual ISPs, producing measurable filtering differences between geographic regions and providers within the same country.

2011-wright-fine-grained §2, §6 policy

At the time of writing, the Tor network had no publicly announced exit nodes located on the Chinese mainland, making direct Tor-based measurement of GFW filtering unavailable. The paper generalizes this: heavily filtered countries show systematically low availability of relay services, precisely where measurement need is highest.

2011-wright-fine-grained §4.2 evaluation

A PlanetLab node in Beijing successfully loaded all 100 Alexa top-100 websites through a prototype Telex station at the University of Michigan; without Telex, 17 of the 100 sites were blocked (including facebook.com, youtube.com, blogspot.com, and twitter.com from the top 10), using forged RST packets, false DNS results, and destination IP blackholes. The median latency overhead for routing through Telex was approximately 60% for the 83 unblocked sites.

2011-wustrow-telex §8.4 evaluation

The study located 495 router interfaces with attached IDS filtering devices across China, with CHINANET holding 79.4% and CNCGROUP 17.4%. The two ISPs use fundamentally different placement strategies: CHINANET distributes filtering across provincial networks (80% of its 21 served provinces operate their own filtering devices, Guangdong alone hosting 84 of 374 CHINANET interfaces), while 90% of CNCGROUP's 82 filtering interfaces concentrate in its backbone.

2011-xu-internet §4.4, Table 2, Table 3 evaluation

CNCGROUP's filtering interface count has grown to three times its 2007 level, now accounting for 17.4% of all 495 filtering interfaces found, while CHINANET's count has remained stable since 2007. This divergence indicates CNCGROUP is actively expanding its censorship infrastructure while CHINANET's filtering capacity has matured.

2011-xu-internet §4.4 evaluation

China's AS-level topology is shallow and concentrated: CHINANET and CNCGROUP together account for 63.9% of 133 unique foreign peerings, 87% of internal ASes are within one hop of a border AS, and just 24 border/backbone ASes serve as effective choke points for all international traffic. The TTL of GFW RST packets is now crafted to prevent IDS localization by TTL inspection, requiring TTL-incrementing probe packets to identify filtering device positions.

2011-xu-internet §3.2, §3.3, §2 evaluation

The GFW is fully stateful as of 2010: probing all 11,824 Chinese IP prefixes with single TCP packets containing the keyword 'falun' produced no RST responses, confirming that a complete TCP handshake must precede any filtering trigger. Earlier measurements (2006, 2007) reported contradictory results; this study finds statefulness is now universal across all probed prefixes.

2011-xu-internet §4.1 detection

14 of 495 filtering interfaces (2.9%) are located in non-border internal ASes, all but two belonging to CHINANET provincial subsidiaries. The paper notes that CHINANET's provincial filtering architecture creates infrastructure capable of inspecting inter-provincial domestic traffic, even though there is no current evidence it is being used for that purpose.

2011-xu-internet §4.4, Table 2 detection

Collage's threat model identifies the censor's two most dangerous capabilities as: (1) aggregate traffic-flow analysis (e.g., NetFlow statistics) to detect anomalous access patterns to specific content hosts, and (2) joining the system as a sender or receiver to discover content locations and mount denial-of-service or deniability attacks. The censor is assumed to monitor all egress traffic but is modeled as computationally limited against joint statistical distributions across arbitrary user pairs.

2010-burnett-chipping §3.1 detection

Collage leverages platform-scale user-generated content—Flickr's 3.6 billion images with 6 million new per day and Twitter's ~500K tweets/day as of 2009—as a covert channel substrate. Because the censor cannot block all UGC platforms simultaneously without removing massive amounts of legitimate content, the system achieves availability and user deniability that fixed-infrastructure proxies (e.g., Tor relays) cannot: accessing Flickr or Twitter does not implicate the user as a circumvention tool operator.

2010-burnett-chipping §1, §4.1 defense

A dynamic binary-tree partitioning algorithm solves the proxy distribution problem with at most k(1 + ⌈log₂(n/k)⌉) total proxy keys: partition n users into k groups in round 1, then halve each compromised group on each compromise event. Each of k adversaries can trigger at most ⌈log₂(n/k)⌉ compromises, bounding total proxy expenditure tightly.

2010-mahdian-fighting §4 Theorem 3 defense

The static proxy distribution problem — giving k²-adversarial users keys from m proxies so that all n−k legitimate users retain at least one uncompromised proxy — requires at most O(k² log n) keys and cannot be solved with fewer than Ω(k log(n/k)) keys. This establishes the information-theoretic cost of one-shot proxy distribution against k colluding informants among n users.

2010-mahdian-fighting §3 Theorem 2 defense

In invitation-based proxy networks (modeled on Psiphon's trust-tree), a single adversary can invite fake accounts as children in the trust tree, multiplying the effective adversary count k and invalidating sublogarithmic key budgets. For k=1 adversary on a trust tree of depth O(log n), an O(log n)-key algorithm exists by keeping the 'suspicious group' always rooted at a subtree boundary; for k>1 this remains an open problem.

2010-mahdian-fighting §5 Theorem 7 defense

The Great Firewall of China deploys at least four distinct, simultaneously-operating RST injectors with separate fingerprints (IPID 64, IPID -26, SEQ 1460, RAE). The RAE injector—which sets RST+ACK+ECN-nonce-sum flags—is the most common, with 4,162 distinct source IPs observed at UCB alone. Of 298 ICSI hosts disrupted by Chinese injectors, 102 showed fingerprints of two or more injectors acting independently on the same connection.

2009-weaver-detecting §7.1.6 detection

Injectors sending multiple RSTs with increasing sequence numbers to overcome the RST_SEQ_DATA race condition produce a detection signature (RST_SEQ_CHANGE) that cannot arise from a standards-compliant TCP endpoint: the second RST must have a sequence number exceeding both the preceding RST and any ACK yet observed from the receiver. This creates an inherent design tension — a robust injector that uses sequence-incremented multi-packet RSTs to ensure delivery is precisely the kind most detectable by passive monitoring.

2009-weaver-detecting §5 detection

Out-of-band RST injectors fundamentally face race conditions because they cannot modify in-flight packets: a data packet may pass the injector's observation point before the forged RST is generated, producing detectable out-of-sequence RSTs (RST_SEQ_DATA) or post-RST data packets (DATA_SEQ_RST). A passive detector exploiting these two race conditions, plus a third signature (RST_SEQ_CHANGE) from multi-packet injectors, reliably identifies injected RSTs across four network datasets totaling 30.2M TCP flows.

2009-weaver-detecting §5 detection

Individual RST injectors exhibit stable, idiosyncratic header-field fingerprints enabling device-level identification across geographically separated sites. Sandvine devices produce back-to-back RST pairs where the second packet's sequence number is exactly 12,503 higher than the first (a known implementation bug confirmed by Sandvine's CTO) with IPID increments of 4 then 1; 90% of 193 alerting Comcast IP addresses across all four datasets matched this fingerprint. The GFW SEQ 1460 injector always increments sequence numbers by 1,460 regardless of actual MTU or window size.

2009-weaver-detecting §7.1, Table 1 detection

The proposed countermeasure of ignoring RST packets with anomalous TTLs (to defeat GFW injection, per Clayton et al. 2006) is impractical: 28% of normal responder-terminated TCP flows have RST TTLs differing from prior data packets, with changes clustering around 64, 96, 128, and 192. Of 200 randomly sampled flows with differing TTLs, only 2 triggered the injection detector, confirming the high false-positive rate of single-field TTL heuristics.

2009-weaver-detecting Appendix C defense

Centralized proxy-discovery services are reliably disabled by censors: both Anonymizer and SafeWeb were blocked in China by targeting their central discovery sites, and Wikipedia identified and blocked all 700+ Tor anonymizing relay servers to prevent anonymous edits. Any single publicly-known host that handles proxy distribution becomes the censor's primary and sufficient target.

2008-sovran-pass §2 detection

ChinaNET (CHINANET-*) performed 324/389 = 83.3% of all filtering observed across 296 probed hosts over a two-week period, and 99.1% of all filtering that occurred at the first hop past the Chinese border, despite constituting only 77% of first-hop routers encountered.

2007-crandall-conceptdoppler §3.3.1 evaluation

GFC keyword filtering exhibits strong diurnal patterns in which filtering effectiveness drops markedly during busy network periods, sometimes letting more than one fourth of packets containing known filtered keywords pass through unimpeded; the blocking timeout after a keyword RST was measured at 90 seconds for the tested route.

2007-crandall-conceptdoppler §3.2 detection

GFC keyword filtering is distributed across the backbone, not confined to border routers: only 29.6% of filtering occurred at the first hop into China's address space, 11.8% occurred beyond the third hop (with as many as 13 hops past the border in one case), and 28.3% of the 296 probed Chinese hosts were reachable via paths with no filtering at all.

2007-crandall-conceptdoppler §3.3 detection

Latent semantic analysis applied to the Chinese-language Wikipedia (942,033 terms across 94,863 documents, k=600 rank reduction) discovered 122 previously unknown GFC-filtered keywords starting from only 12 seed concepts; each list of 2,500 candidate terms required 1.2–6.7 hours to probe, with an average of 3.5 hours.

2007-crandall-conceptdoppler §4.3 evaluation

When the GFC keyword blacklist is known, multiple server-side-only evasion techniques become viable requiring no client modification: IP packet fragmentation to split keywords across MTU boundaries, HTML comment injection mid-keyword (e.g., 'Fa<!- Comment ->lun Gong'), alternative URL percent-encodings (e.g., 'F%61lun Gong'), and spam-style character substitution ('F@1un G0-ng'); the GFC implementation was observed not to check control characters in URL requests.

2007-crandall-conceptdoppler §5 defense

A single bad Chinese DNS server queried 600 times about the same censored domain consistently returned a random address from the same pool of 8 IPs across all responses, confirming that the tampered behavior is deterministic and centrally coordinated rather than ISP-specific or probabilistic. The same 8-IP pool appeared uniformly across servers from China Telecom, China Unicom, and other carriers.

2007-lowe-great §6.1, §6.3, Table 1, Table 2 evaluation

99.88% of 1,607 tested Chinese recursive DNS servers returned tampered responses for censored domains. Tampered responses drew from a pool of only 8 IP addresses, compared to 441–454 distinct IPs returned by U.S. control servers for the same query set — with 366 censored domains sharing exactly those 8 IPs.

2007-lowe-great §6.1, Table 1 detection

Because the GFW injects forged DNS responses rather than dropping the original query packet, the legitimate response from the upstream DNS server may still arrive after the injected forgery. The authors propose two circumvention strategies: querying on a non-standard port to bypass the port-53-only injection filter, or issuing standard-port queries and selectively discarding responses matching the known bad-IP pool to recover the authentic answer.

2007-lowe-great §6.4, §8 defense

TTL manipulation experiments demonstrated that the GFW injects forged DNS responses at the router level, not at the DNS server: responses to censored domain queries exhibited inconsistent IP ident fields and wildly varying TTL values — consistent with a stateless in-path router — while control (non-censored) responses to the same server showed monotonically increasing ident and stable TTL. The injection was observed exclusively on port 53; identical queries sent to port 80 received no injected responses.

2007-lowe-great §6.4, Table 3 detection

Nonsense domains with known-censored hostnames embedded as subdomains (e.g., www.epochtimes.com.pSyfA6srAZ0qCxU63.com) triggered the same tampered responses — returning the pool of 8 bad IPs — as direct queries for the censored domain. Control-subdomain nonsense domains (e.g., www.pSyfA6srAZ0qCxU63.com) did not trigger tampering, indicating the GFW performs substring keyword matching across the full DNS query label string.

2007-lowe-great §6.2 detection

Post-trigger blocking persisted for an average of ~20 minutes (observed range: a few minutes to nearly an hour) per source-IP/destination-IP pair, but was scoped to the 128 TCP port numbers sharing the same 7 most-significant bits as the triggering connection's ephemeral port. On pseudo-random ephemeral-port systems such as OpenBSD, the probability of a subsequent connection falling in the blocked port range is only ~1 in 500; on sequential-port systems such as Windows, an average of 64 further connections are blocked.

2006-clayton-ignoring §6.1 evaluation

In measurements conducted over 10 days in early February 2006, the GFW scanned approximately two-thirds of packets from a 256-address block per hourly probe, with address selection following a structured (non-random) pattern consistent with simple modular assignment to a limited pool of IDS devices. After several days, the inspected fraction rose to nearly all addresses, suggesting a configuration change to expand capacity.

2006-clayton-ignoring §6.1 evaluation

The GFW's keyword-blocking mechanism relies entirely on endpoints honoring injected TCP RST packets; because the IDS operates out-of-band and cannot remove packets already queued in the router's transmission path, configuring both endpoints to silently discard incoming RSTs (e.g., via `iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP`) allows blocked content to transfer unimpeded. In a controlled experiment, 28 injected RSTs were ignored and the complete blocked web page was successfully retrieved.

2006-clayton-ignoring §5 defense

The GFW performs no stateful TCP stream reassembly, inspecting one packet at a time: splitting the blocked keyword '?falun' across two TCP segments is sufficient to evade detection entirely. Cross-device state is also absent — triggering a block on one border AS (e.g., AS9929) had no effect on traffic transiting a different Chinese border AS.

2006-clayton-ignoring §4.1 detection

GFW-injected RST packets are distinguishable from legitimate endpoint RSTs by TTL: in the authors' 2006 experiments forged resets carried TTL=47 while genuine server packets carried TTL=39, consistent with the IDS sitting 8 hops closer to the client than the destination server. A 20-line FreeBSD kernel patch implementing TTL-divergence filtering was developed and demonstrated positive results in practice.

2006-clayton-ignoring §7 defense

Tor's public relay list (a few thousand IP addresses as of 2006) can be trivially enumerated and blocked by a censor. The paper proposes 'bridge relays' drawn from Tor's existing user base of hundreds of thousands of people, creating a pool of frequently-changing IP addresses that is too large and dynamic for a censor to enumerate completely. Bridge relays rate-limit relayed connections to ~10 KB/s and publish descriptors only to a private bridge directory authority rather than the public consensus.

2006-dingledine-design §5.1 defense

If bridges run on predictable ports and any TCP connection to a bridge port reveals it as a Tor bridge, a censor can scan the entire address space of residential ISP ranges to enumerate and block all bridges. The paper proposes 'scanning resistance': bridges require a nonced hash of a pre-shared password before revealing Tor behavior, and respond to unauthenticated connections by impersonating an ordinary HTTPS server (e.g., default Apache page or a random legitimate website).

2006-dingledine-design §9.3 defense

Tor's 2006 TLS handshake contained multiple identifying fingerprints exploitable by censors: the X.509 organizationName field was set to 'Tor', the relay nickname appeared in the commonName field, clients always presented certificates (unlike browsers), and Tor used two-certificate chains (identity cert + per-session TLS cert) while most consumer HTTPS services use a single certificate. The paper flags these as sufficient for a censor to identify Tor traffic without deep payload inspection.

2006-dingledine-design §6 detection

The paper proposes using CAPTCHAs (hard AI problems) to gate forwarder-list access, forcing the blocker to expend human resources solving every puzzle while each blockee solves only one. However, a 'stealing cycles from humans' attack allows a censor to relay CAPTCHAs to unwitting third parties (e.g., visitors to an attacker-operated website) who solve them on the censor's behalf.

2004-k-psell-achieve §5.3 defense