mimicry   Protocol mimicry

AnyTLS is a TLS-based proxy protocol maintained by the sing-box team, designed in 2024 and first released in the sing-box dev-next branch. Its core mechanism wraps arbitrary proxy traffic in standard TLS and applies a configurable padding scheme (Padding Scheme) to enhance traffic concealment while maintaining compatibility with standard TLS infrastructure.

2026-anon-anytls-anytls-sing-box-2026 §1.1–1.3 defense

Operators facing the April 2026 enforcement wave described three survival paths: (1) price increases to pass on resource costs, (2) switching entirely to direct-connect, or (3) deploying proprietary protocols with dedicated clients — making standard Clash/Shadowrocket clients non-functional for those providers. The commercial forecast is for low-price high-quality plans to disappear and for month-by-month billing to become the default as users hedge against provider collapse.

2026-ermao-april-airport-outage §5月以后机场可能怎么活下去 deployment

Routing-guided conditional aggregation (CA) that dynamically weights header versus payload contributions using per-sample MoE routing probabilities outperforms static fusion on all six datasets, demonstrating that the relative discriminative utility of headers versus payloads varies by application type — and that classifiers can adaptively shift reliance to whichever modality is less obfuscated.

2026-he-trafficmoe-heterogeneity-aware-mixture §III-E, §IV-B detection

QUICstep successfully circumvents the GFW's QUIC SNI censorship (active since April 2024) in live testing. Using an Alibaba VM in mainland China as client and an AWS instance in North Virginia as server, a native QUIC client was blocked after several fetches of youtube.com SNI, while QUICstep consistently succeeded across 50 consecutive fetches. 7 tiktokcdn.com subdomains that were QUIC-SNI blocked were also reliably accessible via QUICstep. The approach routes only QUIC long-header (handshake) packets through a WireGuard tunnel; all subsequent short-header (data) packets travel the native path.

2026-lee-quicstep §4.3.2, §3.2.3 evaluation

A censor attempting to block QUICstep by dropping all QUIC connections that arrive without a preceding Initial/Handshake packet would cause significant collateral damage. Analysis of 24-hour campus traces (3,786,050 unique QUIC connections) found 29.1% (1,100,439 connections) lacked QUIC Initial or Handshake packets—representing legitimate connection migration from mobile handoffs and similar events. This high baseline rate means blanket "no handshake" blocking would disrupt roughly 1-in-3 QUIC connections unrelated to circumvention.

2026-lee-quicstep §5 (Blocking all QUIC connection migrated traffic) detection

MITM-DomainFronting achieves fully client-side domain fronting without any server-side infrastructure by intercepting browser TLS via a user-generated personal CA, reading the plaintext HTTP Host header, then re-encrypting outbound connections to the CDN edge with a mismatched SNI. The private CA key never leaves the device, eliminating the traditional requirement for a proxy co-located inside a CDN's network and reducing operational cost to zero.

2026-patterniha-mitm-domainfronting README / Mechanism description defense

Obscura's browser-to-browser (B-B) WebRTC connections produce DTLS ClientHello and ServerHello messages indistinguishable from genuine browser traffic: across 100 captured handshakes compared against Facebook Messenger, Google Meet, Discord, and a reference WebRTC app using the dfind tool, no unique identifiers were found in C-C connections, and the sole Firefox-specific fingerprint (ServerHello length 86 bytes, cipher TLS_AES_128_GCM_SHA256, extension field length 46 bytes) matches the default Firefox WebRTC profile — meaning blocking it would also block all legitimate Firefox WebRTC users.

2026-vilalonga-obscura-enabling-ephemeral §5.2 defense

Two Iranian ASes apply a protocol allowlist that drops traffic not matching known application-layer protocol patterns (after ~6 packets), independently of the destination IP. Experiments with fresh /26 phantom subnets showed that prefixing Conjure connections with a plain HTTP GET payload evaded this blocking for four weeks, while TLS Client Hello-prefixed and SSH-prefixed connections were blocked within 72 hours (TLS) or 72 hours after port rotation (SSH). HTTP GET on port 80 was the only tested prefix that survived the full experiment window.

2025-alaraj-iran-refraction §4.4, §5 detection

In 24-hour live proxy deployments, covertDTLS mimicry had a 18.2% DTLS handshake failure rate (vs 12.5% baseline, 27.0% randomization, 25.8% Chrome webextension). Randomization generates ≈994 billion unique fingerprint permutations (cipher shuffling: 109,600; extension shuffling: 994,218,624,000), making blocklist-based fingerprinting infeasible, but at the cost of higher connection failures due to cipher mismatches. Mimicry of DTLS 1.2 was stable and effective; DTLS 1.3 mimicry is not yet achievable with the current Pion library.

2025-midtlien-fingerprint-resistant §4.2, Table 1, §5 evaluation

The framework's GAN-based schedule generator trains on short session windows (e.g., the first 10 seconds) of real browsing traffic from the Tranco Top 1000 sites, learning joint distributions of packet sizes, inter-arrival times, and burst patterns to produce realistic synthetic schedules. This repurposes GAN architectures previously used for traffic analysis (e.g., GANDaLF) as a defense-side cover-traffic generator.

2025-pereira-extended §2.2 defense

Security arguments for existing circumvention systems are based on ad-hoc adversary models that are often incomplete or unrepresentative of real-world adversaries, leading to allegedly secure designs that fail against relatively straightforward attacks. Protocols that substitute or parasitize a cover application's encrypted traffic channel fail against application-aware adversaries who observe or induce violations of application-specific behavioral invariants — a weakness that pre-trained classifiers on custom traces fail to surface.

2025-pereira-position §1, §2 defense

MinecruftPT encodes circumvention traffic steganographically inside the Minecraft Java Edition network protocol, making a censored connection appear to a network observer as an ordinary online Minecraft game session. The cover channel is a high-volume, varied-packet-size TCP protocol with a large and active user population, making statistical fingerprinting harder than for lower-volume cover protocols.

2025-tusing-minecraft-tunnels §1, §3 defense

MinecruftPT achieves mimicry by implementing enough of the Minecraft protocol to pass as a real client-server game session, not just in header structure but in behavioral sequence. The paper evaluates it under DPI and traffic-shape analysis, finding that faithful protocol mimicry at the behavioral level (packet sequence, message types, timing) is necessary to defeat classifiers that go beyond simple byte-pattern matching.

2025-tusing-minecraft-tunnels §3, §4 defense

MinecruftPT uses the TCP-based Minecraft protocol rather than a WebRTC/UDP approach. The paper notes this gives it an availability advantage in environments where WebRTC is filtered or where UDP is blocked — a common configuration in corporate or institutional networks and some national censorship regimes. This positions it as complementary to Snowflake in the circumvention transport portfolio.

2025-tusing-minecraft-tunnels §4, §5 defense

The proposed system adopts the turbo tunnel architecture to provide a reliability layer over lossy TURN relay paths and to allow traffic reassembly at a single bridge across multiple TURN proxies. Three encapsulation modes are specified: direct application data inside TURN messages, DTLS datagrams via WebRTC data channels, and video frames inside WebRTC media streams — the latter two mimicking the encapsulation strategies of existing WebRTC circumvention systems such as Snowflake and TorKameleon.

2025-vilalonga-extended §2 System Design defense

The system targets a threat model where the censor performs passive DPI to fingerprint and block the client-to-TURN-proxy channel, and also conducts active enumeration attacks to discover and block proxy endpoints. The paper explicitly notes that traffic splitting may introduce distinct fingerprints of its own that require empirical evaluation — acknowledging that multi-path approaches are not fingerprint-free.

2025-vilalonga-extended §3.1 Threat Model defense

BBR, a rate-based CCA already available in the Linux kernel, comes close to Hysteria's throughput performance when packet loss is below 20% — the typical range for cross-border Chinese links (5–15%, peak up to 50% per prior studies). Above 20% loss, Hysteria and Brutal maintain a significant throughput advantage over BBR, but the paper finds no compelling justification for custom CCAs given the marginal gains in that regime versus the fingerprinting cost.

2025-wang-custom §4.2, §6 defense

Custom CCAs that deviate from standard TCP/QUIC congestion response fundamentally contradict the core circumvention principle of traffic indistinguishability: by failing to back off under congestion signals, they produce traffic patterns that diverge from the vast majority of Internet flows that censors value, eliminating the collateral-damage protection that makes circumvention tools hard to block wholesale.

2025-wang-custom §1, §6 detection

The threat model requires no DPI and was fully implemented as a Linux kernel module on a NETGEAR R6120 with only a 580 MHz processor, 16 MB ROM, and 64 MB RAM, adding negligible overhead. Unlike ML-based or DPI-based VPN classifiers, the statistical model operates pre-NAT on per-device private IP flows, making it immune to obfuscation techniques that alter packet payloads or disguise protocol handshakes.

2024-almutairi-fingerprinting §I, §IV detection

Prior circumvention transports that tunneled over VoIP or voice-conferencing software were identifiable to censors by their TCP retransmission fingerprint: real VoIP applications do not retransmit dropped packets in the same way, making the covert channel's reliability mechanisms a distinguishing artifact. DTLS and QUIC avoid this because they natively support both fault-tolerant and sequential delivery modes without external indicators of which mode is active.

2024-chen-extended §2 The Case for UDP detection

LZR, built on top of ZMap, can identify 99% of unexpected Internet services in five handshakes by acting as a shim between ZMap and ZGrab. This gives censors and researchers alike an efficient active-probing primitive to fingerprint proxy protocols at scale.

2024-durumeric-ten-years-zmap LZR tool description detection

TLS-Attacker's Workflow Traces and Modifiable Variables mechanisms allow testers to specify arbitrary protocol flows and apply field-level modifications — including adding, removing, or overwriting individual TLS message fields — without breaking the internal TLS state machine. This makes it the standard instrument for probing how DPI systems and active-probing detectors respond to non-standard or mutated TLS handshakes.

2024-niere-tls-attacker §1 Introduction evaluation

Discop's core algorithm is modality-agnostic and deploys unchanged across text generation (GPT-2, DistilGPT-2, Transformer-XL), image completion (Image GPT), and text-to-speech (Tacotron + WaveRNN), requiring only that both parties share the generative model, PRNG, and seed. The same zero-KLD security proof applies across all modalities.

2023-ding-discop §IV defense

17 of 35 interview participants used game accelerators or GFW ladders interchangeably to connect to international gaming platforms; several popular VPNs bundle game acceleration, and open-source accelerators (e.g., Steam++, rebranded as Watt Toolkit) provide partial GFW-evasion covering GitHub, Google Authenticator, Pixiv, Discord, and Twitch. The paper recommends CRSes market as gaming accelerators to provide plausible deniability, while capping active accounts or rebranding periodically to avoid attracting censor attention as popularity grows.

2023-feng-study §9.2, §9.3 defense

Variable bitrate encoding (e.g., the OPUS codec's 6–510 kbps range) in VoIP protocols leaks content properties through packet timing, enabling ML classifiers to distinguish protocol tunnels from real conversations. An audio tunnel without timing shaping was identifiable with auROC 0.981 and aucPR 0.959 by an AutoGluon-Tabular classifier examining 1000-packet flow windows.

2023-jia-voiceover §2, §4.2 detection

Voiceover's DCGAN, trained on ~400 hours of two-person telephone conversations, generates conversation timing templates that constrain when the tunnel transmits audio. This reduces ML classifier performance from auROC 0.981/aucPR 0.959 (unshaped baseline) to auROC 0.682/aucPR 0.482, and the improvement holds at 500-packet windows (auROC 0.68/aucPR 0.50), suggesting robustness to memory-limited adversaries.

2023-jia-voiceover §3, §4.2, Table 2 defense

Protocol mimicry that replicates only statistical or syntactic traffic properties is insufficient for unobservability: Houmansadr et al. (2013) showed SkypeMorph was trivially detectable by the absence of Skype control channels, missing login-server communication, and failure to replicate implementation-specific bugs present in real Skype—demonstrating that full behavioral replication, not just traffic shaping, is required to withstand scrutiny.

2023-jia-voiceover §2 detection

Skype for Web normalizes packet sizes such that Voiceover transmissions and genuine audio conversations produce nearly identical packet size CDFs across Ubuntu 18.04 and Windows 10, across all tested modulation parameters (carrier frequency, sampling frequency, baud rate, frame length). This makes the Skype-based tunnel inherently immune to packet-size fingerprinting without requiring explicit size shaping.

2023-jia-voiceover §4.4 evaluation

HTTP/URL/keyword filtering was the most prevalent censorship method both during the measurement period (49% of countries) and historically (69%), despite 82% global HTTPS adoption. The authors attribute this persistence to censors lacking technical sophistication to upgrade, and to uneven HTTPS adoption leaving older methods effective in underserved regions.

2023-master-worldwide §4.2, Table 2 evaluation

Protocol fingerprinting — including DPI-based identification of VPNs, circumvention tools, and E2EE messengers — was active in only 6% of countries during the measurement period (13% all-time), but all confirmed instances came from focused individual studies, not from mass measurement platforms like OONI or Censored Planet. The authors flag encrypted traffic analysis (ETA) tools and next-generation firewalls (NGFWs) capable of blocking Signal or Tor Browser as an emerging threat to freedom of expression.

2023-master-worldwide §4.3 detection

Combining all three active probing attacks in an Internet-wide scan of 30 million HTTPS servers identified approximately 15,000 hosts (0.05%) behaving like ShadowTLS relays; of these only 6,000 presented TLS certificates for Alexa Top 1000 domains. The scan successfully discovered all four researcher-operated ShadowTLS relays planted as ground truth.

2023-wang-chasing §3.2, Table 2 evaluation

The root vulnerability in ShadowTLS is that the relay cannot authenticate post-handshake data from the real mask site, causing it to silently absorb censor probes. The fix — deployed in ShadowTLS v0.2.3 — has the client re-derive the Application Data encryption key from the server random and the client-relay shared secret; unrecognized records (lacking the shared secret) are transparently forwarded to the mask site, so all censor-visible responses come from the real mask server.

2023-wang-chasing §4 defense

ShadowTLS relays are detectable via three active probing techniques exploiting behavioral discrepancies from the mask sites they mimic: (1) responding to plaintext HTTP on port 443 with FIN-ACK rather than an error (only 17% of TLS servers share this behavior), (2) silently ignoring non-TLS record data post-handshake rather than sending a fatal alert (only 0.14% of 30M hosts behaved this way), and (3) silently ignoring corrupted TLS Application Data records rather than sending a bad_record_mac alert (only 0.12% of hosts silent).

2023-wang-chasing §3.2 detection

ShadowTLS is structurally limited to TLS 1.2 because in TLS 1.3 the Finished message is sent as encrypted Application Data (record type 0x17), preventing the relay from detecting handshake completion without decrypting the session. This forces ShadowTLS to advertise TLS 1.2, which is an increasingly anomalous fingerprint as TLS 1.3 adoption grows.

2023-wang-chasing §2.2 detection

ShadowTLS's TLS ClientHello fingerprint (JA3 hash ebaa863800590426) was not observed in the TLSFingerprint.io dataset collected from a university network tap, making the client fingerprint unique to the tool and trivially blockable by censors maintaining a TLS fingerprint blocklist.

2023-wang-chasing §3.2 detection

OUStralopithecus (OUStral), a Selenium-based OUS implementing empirically-derived human browsing distributions — Weibull dwell times (λ=30s, k=0.75), Von der Weth action probabilities (45.1% internal-link clicks, 33% new-URL navigations), and Dubroy tab-switching rates — generated 471 requests with all Cloudflare Bot Management scores above the recommended blocking threshold of 30, while Slitheen and Waterfall consistently scored 1. Because Cloudflare has full HTTP-layer visibility (unavailable to a passive network censor), the paper argues a censor observing only encrypted traffic would be even less able to flag OUStral.

2021-lorimer-oustralopithecus §3.1, §5.2.1, Figure 6 defense

Traffic replacement systems that only shape individual HTTPS flows remain vulnerable to censors monitoring inter-connection patterns over time. Waterfall's OUS (reloading the same page every second), Slitheen's OUS (naïve PhantomJS with no crawling), and Slitheen++'s OUS all produced non-human connection patterns detectable at the session level even when per-flow content is well-concealed. OUStral addresses this by shaping the distribution and sequencing of connections across an entire browsing session.

2021-lorimer-oustralopithecus §1, §2.2, §3, §6 defense

Prior overt user simulators (OUS) using PhantomJS — including Slitheen, Waterfall, and Slitheen++ — received Cloudflare Bot Management scores of 1 (certainly bot-generated) and would be blocked by any operator following Cloudflare's recommended cut-off of 30. Slitheen++ improved marginally by adding user-agent randomization and brief inter-request pauses, but all PhantomJS-based OUS implementations were trivially detectable as bots.

2021-lorimer-oustralopithecus §5.2.1, Figure 6 detection

Protozoa uses the economic and social indispensability of popular WebRTC conferencing services as a censorship deterrent: blocking all WebRTC traffic imposes prohibitive collateral damage on legitimate commerce and communication. This 'parasitism' strategy means the circumvention tool inherits the blocking immunity of the carrier without requiring any protocol mimicry at the network level. Protozoa requires only one reachable WebRTC service to function, and Table 3 confirms at least five services remained unblocked in China during testing.

2020-barradas-poking §3, §7.2 defense

Slitheen++ embeds covert upstream data by applying HTTP/2-like header field compression to overt HTTP requests, using the recovered space for covert data placement. This ensures that neither timing information nor observable changes to packet sizes or delays can reveal decoy routing use to an omni-scientist passive censor. GZIP compression was explicitly avoided to prevent the CRIME side-channel attack.

2020-birtel-slitheen §4 defense

The protocol filter's HTTPS fingerprint requires only that the first 5 bytes match a TLS header (type 0x16, version 0x03 0x01–0x03, correct length field); all subsequent bytes of the Client Hello are unchecked. Any TLS-based circumvention tool naturally satisfies this fingerprint and will bypass the filter by default. Furthermore, any one of the three permitted fingerprints (DNS, HTTP, HTTPS) can be used on any of the three monitored ports to whitelist an entire flow.

2020-bock-detecting §4.3 defense

Censys scans of IPv4 HTTPS servers in June 2020 found that over 21% responded to a GET / with 400 Bad Request, 11.19% with 403 Forbidden, 8.62% with 404 Not Found, and 2.91% with 401 Unauthorized. These common error-response distributions provide a statistical baseline that HTTPT servers can match to avoid standing out to active probers.

2020-frolov-httpt §3.2.3 evaluation

HTTPT prototype performance is comparable to Shadowsocks: median Time-to-First-Byte was 612 ms for Shadowsocks, 844 ms for HTTPT (TLS 1.3, +1 RTT), and 1085 ms for HTTPT (TLS 1.2, +2 RTTs). Bandwidth overhead was approximately 2%: median time to fetch a 100 MB file was 24.65 s for Shadowsocks vs. 25.15 s for HTTPT.

2020-frolov-httpt §4.2 evaluation

HTTPT achieves replay-attack immunity by tunneling over TLS, which incorporates bidirectional nonces (client and server randoms) into key agreement so each connection uses unique cryptographic keys. Censors that replay a legitimate client's observed initial bytes are therefore unable to trigger a proxy response, unlike approaches that rely only on application-layer replay caches.

2020-frolov-httpt §1.1, §3.3 defense

Protocol Proxy uses 'protected static protocols' — UDP-based protocols whose blocking causes severe collateral damage (e.g., Synchrophasor power-grid traffic, NTP) — as cover channels. Because any detection rule that fires on Protocol Proxy traffic also fires on legitimate PMU traffic, censors face a forced trade-off between blocking circumvention and disrupting critical infrastructure.

2020-oakley-protocol §3, §5 defense

A deterministic Hidden Markov Model trained on 770,000+ real Synchrophasor samples produces interpacket timing that is statistically indistinguishable from the host protocol: the two-sample Kolmogorov–Smirnov test yields p = 0.21 (threshold 0.05, fail to reject null), and χ² homogeneity p-values for all three timing states are 0.82, 0.37, and 0.15 respectively.

2020-oakley-protocol §4, §7 evaluation

Observation-based FTE constructs each packet field exclusively from values previously observed in real host-protocol traffic, guaranteeing syntactic equivalence. Wireshark correctly decodes Protocol Proxy-generated packets as valid Synchrophasor frames with correct checksums, and the Phasor Data Concentrator hardware accepts them; any rule blocking Protocol Proxy traffic must therefore also block legitimate PMU packets.

2020-oakley-protocol §5.1, §7 defense

The Protocol Proxy achieves an observed goodput of only 182 bps against a 54 Mbps baseline link (>99.99% reduction), well below the theoretical ceiling of 15,477 bps; the gap is attributed to TCP retransmission overhead and the TCP header transiting the proxy. Tor baseline goodput measured at 7.31 Mbps by comparison.

2020-oakley-protocol §7, Table 2 evaluation

Static protocols — UDP-based with no application-layer handshake — are immune to stateful protocol analysis that defeated SkypeMorph: without a handshake state machine, a censor cannot flag discrepancies between observed and expected protocol states. This eliminates the detection vector that Houmansadr et al. (2013) exploited to identify SkypeMorph via handshake mismatch.

2020-oakley-protocol §3 defense

V2Ray's HTTP obfuscation mode prepends an HTTP header only to the first TCP payload per connection and uses a hardcoded HTTP 500 response for all failure cases, making the mimicry trivially detectable: legitimate HTTP servers send headers on every response, and do not return 500 for protocol errors a real HTTP server would never encounter.

2020-v2ray-weaknesses §Failed to Mimic the HTTP Server detection

Frolov and Wustrow show that every major TLS-based circumvention tool (Tor Browser, Lantern, OpenVPN, Psiphon, etc.) produces a TLS ClientHello fingerprint that is statistically distinguishable from real Chrome or Firefox: differences include cipher-suite ordering, extension set, extension ordering, ALPN values, and curve preferences. A passive observer with a classifier over ClientHello fields can identify the tool with high precision without decrypting any traffic.

2015-frolov-the-use-of-tls §3–4 detection

Beyond the ClientHello, circumvention tools diverge from real browsers in TLS record-layer behavior: Go's crypto/tls splits the first application-data write differently than NSS or BoringSSL, and Go does not send a TLS ChangeCipherSpec in the same byte sequence as Chrome. These post-handshake divergences are detectable even when the ClientHello has been patched with uTLS, requiring record-layer mimicry in addition to hello-field mimicry for full fingerprint resistance.

2015-frolov-the-use-of-tls §4.3 detection

The paper introduces the uTLS library, which allows a Go TLS client to impersonate a specific browser's TLS fingerprint by replaying a recorded ClientHello template (including exact cipher suites, extensions, and GREASE bytes) rather than constructing one from Go's crypto/tls. Using a Chrome 70 uTLS template reduces fingerprint-distinctiveness to near zero against a passive classifier trained on real Chrome traffic.

2015-frolov-the-use-of-tls §5 defense

Unsupervised and semi-supervised anomaly detection methods (OCSVM, Isolation Forest, shallow autoencoders) perform near-random when attempting to detect multimedia protocol tunneling: OCSVM achieves average AUC between 0.518–0.584 across all tested configurations, Isolation Forest between 0.519–0.557, and autoencoders reach a maximum AUC of 0.702 only under optimal hyperparameter search. The paper concludes that labeled training data is a hard requirement for effective covert-channel detection.

2018-barradas-effective §5, Table 5 detection

Decision tree classifiers (XGBoost) can flag 90% of Facet multimedia-tunneling traffic while erroneously flagging only 2% of legitimate Skype connections (FPR=2%). Against DeltaShaper at its most conservative configuration (h160×120, 4×4, 6, 1i), XGBoost achieves AUC=0.85, demonstrating that existing unobservability claims for all three systems (Facet, CovertCast, DeltaShaper) were flawed.

2018-barradas-effective §4, Table 3 detection

DeltaShaper embeds covert TCP/IP data into Skype's encrypted video stream using a virtual camera interface, treating Skype as a black box rather than mimicking its protocol. This approach provides active-attack resistance by design: any in-path perturbation affects covert and legitimate streams identically, because real Skype software processes both. The system achieves a goodput of 2.56 Kbps (with Reed-Solomon ECC) or 3.12 Kbps (without ECC) at optimal encoding parameters (320x240 area, 8x8 cell size, 6 bits/cell, 1 fps), with RTT of approximately 3 seconds.

2017-barradas-deltashaper §4, §5, Table 2 defense

FreeWave, the VoIP-based predecessor, was vulnerable to passive traffic analysis because its covert Skype streams exhibited packet-size distributions different from legitimate calls, enabling detection with high probability. DeltaShaper's video-based approach with EMD-constrained encoding addresses this specific failure mode, but at a severe throughput cost: FreeWave achieves 18.75 Kbps vs DeltaShaper's 2.56–3.12 Kbps goodput. Competing systems benchmark: CovertCast ~168 Kbps (no unobservability constraints), Castle 3.48 Kbps, SkypeLine 0.064 Kbps, Rook 0.024–0.04 Kbps.

2017-barradas-deltashaper §6.3, §2 evaluation

Of the 55 filters that inspected the HTTP Host header, 26 keyed only on the first Host header in a multi-Host request, 27 keyed only on the last, and only 2 examined both. Placing a benign Host header in the position the filter reads and the blocked URL in the other position bypassed the filter, and this divergence in behavior tracks RFC 7230's requirement to reject multi-Host requests with a 400 error — which none of the tested filters implemented.

2017-jermyn-autosonda §4.1 Mechanism detection

HTTP GET fuzzing via subtle token modifications bypassed large fractions of filters: removing the `\r\n` before the Host header bypassed 36–38 of 44 Host-header filters; embedding the censored URL in the middle of a long hostname string bypassed 33–35 filters; placing the URL in an after-Host field with a non-empty Host bypassed 29–36 filters. Blacklist coverage was also weak: no filter blocked all 100 of the Alexa top adult sites, and some blocked as few as 31.

2017-jermyn-autosonda §4.1 / Appendix A evaluation

Among the 44 non-DNS filters, 11 did not reassemble TCP segments and 7 did not reassemble IP fragments before inspection, meaning a censored URL split across segment or fragment boundaries evaded detection. Five filters applied fragment/segment reassembly timeouts of under 2 seconds despite maintaining HTTP request state for more than 8.5 seconds, creating a window where a deliberately fragmented flow with artificial delay avoids inspection entirely.

2017-jermyn-autosonda §4.1 Mechanism detection

Autosonda classified 76 commercial web filters in the NYC metropolitan area into three categories: 21 (27.63%) performed DNS blacklist filtering, 44 (57.89%) matched on the HTTP Host header of GET requests, and 11 (14.47%) performed a DNS lookup of the Host header value and blocked based on the resulting IP. Autosonda found circumvention paths for 100% of filters tested.

2017-jermyn-autosonda §4.1 Results evaluation

All 76 filters inspected only TCP traffic: sending the identical HTTP request over UDP bypassed censorship 100% of the time. Additionally, 17 of the 49 filters that censored requests to EC2 servers only inspected traffic on port 80 and passed through the same requests sent to port 9900 without modification. No filter triggered on URI query strings, so appending query parameters to any censored URL bypassed every tested filter.

2017-jermyn-autosonda §4.1 Mechanism detection

ScholarCloud's 'message blinding' — a non-public byte mapping (f: [0, 2^8) → [0, 2^8)) applied between domestic and remote proxy — successfully evades GFW deep packet inspection with 0.22% average packet loss rate, statistically indistinguishable from native VPN (0.21%). The paper reports that even this simple encoding suffices because the GFW cannot classify the traffic; confidentiality of the algorithm is the operative property, not cryptographic strength. Because the operator controls both proxy endpoints, the blinding scheme can be rotated at any time without requiring client-side updates.

2017-lu-accessing §3 defense

ScholarCloud was launched in January 2016 and by late 2017 served over 2,000 registered users with 700 daily active users. It operates on two commodity VM instances at a daily operational cost of 2.20 USD. Legal operation inside China was achieved by registering the service as an ICP with the TCA (China ICP Reg. #15063437) and restricting the proxy whitelist to verifiably legal but incidentally-blocked domains — a strategy that places the service outside the GFW's aggressive technical blocking while also satisfying regulatory scrutiny from MPS/MSS.

2017-lu-accessing §1, §3 deployment

Because Bangladesh's ban targeted specific named applications rather than underlying protocols, users successfully substituted functionally equivalent but unlisted apps: 'Banning Facebook, Viber, and Whatsapp for security purposes was not sufficient. For example, I used IMO to operate those apps. So, ultimately, nothing happened.' Authorities responded by expanding the blocklist to cover substitute apps, producing a reactive cat-and-mouse dynamic over the 26-day ban.

2017-morshed-when Findings – Response to the Ban detection

Waterfall's Overt User Simulator caches previously loaded overt-website responses and replays them to generate cover traffic, overcoming Slitheen's 40% downstream throughput ceiling (caused by restricting covert replacement to leaf HTTP objects only). Because downstream-only decoy routers intercept all downstream TLS records — not just leaf content — Waterfall achieves higher covert capacity while perfectly mimicking overt browsing patterns against traffic analysis.

2017-nasr-waterfall §9 defense

Slitheen replaces only 'leaf' HTTP resources (images, video) in overt-site responses with covert content, reusing all TCP/IP headers verbatim and forwarding packets immediately on arrival. This forces every observable feature—packet size, direction, inter-arrival timing—to be identical to a genuine access of the overt page, eliminating the censor's ability to apply latency analysis, website fingerprinting, or protocol fingerprinting to distinguish decoy sessions from normal traffic.

2016-bocovich-slitheen §3.1, §4.1 defense

Salmon's defense against the active zig-zag attack — where a censor blocks a known server to force users onto new ones and watches for correlated reassignments — requires both per-user authentication (unique login credentials per server so unauthorized probes receive a plausible HTTPS page) and traffic camouflage. Without authentication, the server must respond as a functioning proxy to any connection, fully exposing itself to the censor; without camouflage, even a rejected connection may reveal the server's nature.

2016-douglas-salmon §3.10 defense

In a single-round censorship game the only Nash equilibrium that keeps the channel open requires the circumvention traffic proportion (CTP) satisfy CTP ≤ F, where F = (βant+βbnt)/(αact+αbct+βant+βbnt). In repeated indefinite games a stable equilibrium exists at CTP = Z = (1−p)·CTPmax, where p is the per-round continuation probability, allowing a non-zero proportion of circumvention traffic to flow indefinitely without triggering shutdown.

2016-elahi-framework §4.1–4.2 defense

The optimal multi-protocol CRS traffic allocation distributes circumvention traffic across n cover protocols proportionally to each protocol's non-circumvention traffic volume (CTPi = Li · CTP/(1−CTP)), keeping every individual protocol below the blocking threshold. This makes individual protocol channels independently optimizable, with the sole selection criterion being maximizing cover traffic volume L rather than any other protocol property.

2016-elahi-framework §5.1 defense

The authors extend Houmansadr et al.'s 'parrot is dead' argument to WebRTC: because WebRTC is a large multi-protocol framework, superficial mimicry that fails to replicate exact DTLS version, cipher suite ordering, certificate common name ('WebRTC'), 30-day validity period, STUN server selection, and ICE packet sequence leaves detectable residual distinguishers, making deep fingerprint conformance especially hard for standalone non-browser implementations such as Snowflake's client.

2016-fifield-fingerprintability §3, §4.6 defense

Castle structurally avoids all three covert-channel pitfalls identified by Geddes et al.: architecture mismatch is avoided by supporting both client-server and P2P modes; channel mismatch is avoided because RTS games implement application-layer reliability over UDP (matching proxied TCP requirements, unlike VoIP), blocking selective-drop denial-of-service attacks; content mismatch is avoided because legitimate RTS traffic has high natural variance driven by map, strategy, and player count.

2016-hahn-games §6.3 defense

A single undergraduate ported Castle to two closed-source commercial RTS games (each with >8.5 million copies sold, from different studios) in under 6 hours per game using a ~500-LOC Python/AutoHotkey codebase; 17 of the Top 20 best-selling RTS games share the unit-command structure Castle requires, and 11 have community-decoded replay formats, enabling rapid adaptation to new titles.

2016-hahn-games §7, Table 1 defense

Castle's packet-size and inter-packet-time distributions (measured via Kolmogorov-Smirnov statistic) fall within the variance observed between legitimate human-game sessions when using ≤50 units/command at ~1 command/second; the best-performing classifier (Herrmann) achieved only ~60% accuracy—roughly 10% above random guessing—against multiple Castle configurations, while two other classifiers (Liberatore, Shmatikov timing) performed near chance.

2016-hahn-games §6.1, Figures 3–5 defense

CovertCast uses the identical video codecs, streaming protocols (RTMP/HTTPS), and server endpoints as any other YouTube live stream, making it indistinguishable from regular streaming traffic to both passive protocol-analysis and active traffic-manipulation attacks. Any active attack that disrupts CovertCast connections — such as selective packet dropping — would equally disrupt all non-circumvention viewers of the same streaming service, imposing prohibitive collateral damage.

2016-mcpherson-covertcast §7.4, §7.5, §7.6 defense

Protocol imitation systems (SkypeMorph, CensorSpoofer, StegoTorus) fail to achieve unobservability because they implement the target protocol only partially, creating statistical discrepancies that censors can detect. Houmansadr et al. (2013) demonstrated this as a fundamental flaw: unobservability by imitation is categorically insufficient as a circumvention design principle.

2016-zarras-leveraging §1, §6 detection

The paper formally defines circumvention as either preventing the trigger from being seen by the surveillance device, or countering the effects of the censoring action. This two-path decomposition — hide the trigger vs. nullify the enforcement — provides a clean design framework: a circumvention tool can succeed by making traffic unrecognizable (no trigger fires) or by routing around the blocking device (action nullified).

2015-aceto-internet §2.1 defense

Beverly et al. found that 77% of Internet clients can spoof source addresses within their own /24 and 11% can spoof within their own /16, with these characteristics holding across a wide range of countries and regions. The authors use this result to argue that IP-spoofed cover traffic — where measurement probes appear to originate from many hosts in the same AS — is broadly feasible in practice.

2015-jones-can §4.2 defense

Spam-cloaked censorship measurements were correctly classified as spam by Proofpoint (the authors' university spam filter), validating surveillance evasion; separately, MX queries sent from a PlanetLab node in China confirmed that the GFW injected bad A DNS responses for both A-record and MX-record lookups for twitter.com and youtube.com, validating measurement accuracy.

2015-jones-can §3.2.3 evaluation

Surveillance systems are fundamentally more selective than censorship systems due to storage constraints: as of 2009 the NSA could store only 7.5% of received traffic across 592 tapped 10 Gbps links with only 69 10 Gbps backhaul links, and the authors' campus network retains non-alert metadata for ~36 hours and IDS alerts for ~1 year. Censorship systems by contrast are transaction-focused and retain only enough data to process real-time requests. This asymmetry creates an exploitable gap: traffic that does not stand out from the population is discarded before reaching human analysts.

2015-jones-can §2.1–§2.2 evaluation

To mitigate harm, Encore restricted its URL list to Twitter, Facebook, and YouTube on the grounds that widgets from these domains appear in ordinary web browsing, making Encore-induced cross-origin requests statistically indistinguishable from normal traffic. The authors argued that this renders the risk comparable to baseline browsing, though the SIGCOMM committee disputed whether contextual equivalence with ad-tracking constitutes adequate ethical justification.

2015-narayanan-no Mitigating Harm policy

Because Rook runs the actual game client and server rather than mimicking them, active anti-mimicry probes receive identical responses to a normal game instance. Systems based on protocol mimicry are vulnerable to probes that expose non-conforming behavior, but Rook eliminates this attack surface entirely.

2015-vines-rook §4.2 Anti-Mimicry defense

A semantics-based attack that flags HTTP flows carrying structurally invalid PDF documents as Stegotorus produces false-positive rates as high as 43% across three campus datasets (10,847 PDF flows examined), because malformed, partial, and non-standard PDFs are common in real network traffic. By contrast, active HTTP-response fingerprinting of a suspected Stegotorus server yields only 0.03% false positives (3 matching servers out of 9,320 Alexa-top-10K servers), but requires active probing and is detectable by the proxy operator.

2015-wang-seeing §4.1–§4.2, Tables 3–4 detection

By deploying covert channels inside legitimate high-traffic web services (e.g., OpenSearch sites), Facade raises the censor's cost of blocking to unacceptable collateral damage: blocking Facade requires blocking the legitimate web service, which harms local businesses and normal users. Facade explicitly assumes censors are unwilling to block major platforms such as AWS or popular search services.

2014-jones-facade §3.2, §5.1 defense

Facade encodes 78.04 bits per HTTP GET request using search-query terms, compared to Infranet's 3 bits per URL — a ~26× improvement — while maintaining comparable statistical deniability. StegoTorus encodes 12,000 bits per URL but offers no statistical deniability against traffic-pattern analysis.

2014-jones-facade §5.2, Table 1 evaluation

Facade routes all encoded HTTP requests through a Selenium-controlled Chrome browser instance, so every message the censor observes is generated by a real browser implementation. This defeats 'parrot attack' fingerprinting, which exploits discrepancies between a protocol emulator's responses to error conditions and those of the genuine client or server.

2014-jones-facade §4, §5.1 defense

Facade faces an inverse tradeoff between upstream throughput and deniability: pure search encoding maximizes bits per request (78.04 bits) but does not reflect real user click behavior, while mixing in click-range mapping (lg(k) bits per URL, k=8 → 3 bits) reduces throughput but better models normal browsing. Neither pure strategy is optimal; the design requires tuning the search-to-click ratio.

2014-jones-facade §5.2 evaluation

Analysis of the AOL search corpus shows an average search query length of 17.42 bytes with an entropy of 4.48 bits/byte, yielding 78.04 bits of deniable information per HTTP GET request. This entropy matches real user search behavior, making entropy-based traffic analysis unable to distinguish Facade traffic from genuine search sessions.

2014-jones-facade §5.2 defense

Content inconsistency — transmitting non-native payloads (e.g., modem signals or general web traffic) over VBR-encoded VoIP/video channels — is sufficient for censors to detect camouflage systems via packet-length traffic analysis. Channel inconsistency — requiring reliable transport over a loss-tolerant UDP channel — allows selective disruption: dropping 5% of packets stalls SkypeMorph indefinitely, and dropping 90% for under one second desynchronizes the FreeWave modem.

2014-li-facet §3.3 detection

A single Facet server with 15 Mbit/s bandwidth and 4 virtual CPU cores supports up to 20 simultaneous video-streaming sessions. Server-side downstream bandwidth consumption is approximately 150 kbit/s lower than a Squid HTTP proxy for equivalent video quality (240p), because Facet fetches only the video stream without page overhead such as advertisements and images.

2014-li-facet §9.5, Table 3, Table 4 evaluation

For decentralized videoconferencing systems (e.g., Skype) where peers communicate directly, publicly distributing the Facet server's conferencing ID allows a censor to pinpoint the server's IP address via active probing. Centralized systems (e.g., Google Hangout, FaceTime) hide the proxy IP behind the provider's relay server, making active probing unable to identify the Facet server.

2014-li-facet §5 (Service Discovery), §8 detection

Without traffic morphing, a χ² packet-length classifier can identify 90% of Facet (video-over-Skype) sessions with only a 10% false positive rate on genuine videoconferencing. To block 80% of Facet connections, the censor need only disrupt 4% of genuine Skype calls; blocking 70% requires disrupting only 2%.

2014-li-facet §6, Figure 4 detection

Facet's video morphing — embedding the requested video in a fraction s of H.264 macroblocks within a randomly chosen chat video — raises the censor's required false positive rate dramatically. At steganography level s=0.125, blocking 90% of Facet connections requires disrupting over 40% of genuine videoconferencing traffic; blocking 80% requires disrupting at least 20% of legitimate calls.

2014-li-facet §7.2, §9.3–9.4, Figure 9 defense

LibFTE exposes a regex-based API (Python, C++, JavaScript) that instantiates DPI-defeating FTE schemes from a regular-expression format specification alone, without expert cryptographic knowledge. The DCRS FTE scheme implemented in the library makes ciphertexts indistinguishable from real HTTP, SMTP, SMB, or other network-protocol messages under state-of-the-art DPI, and was already integrated into the Tor Browser Bundle at time of publication.

2014-luchaup-libfte §1, §7 defense

Known attacks on existing circumvention tools include steganographic detection, enumeration of decoy-router locations, and machine-learning traffic classifiers. The paper acknowledges these defeat current approaches (Infranet, Collage, Telex, SkypeMorph, Freewave) and argues that no iterative patch can neutralize the censor's long-term structural advantage.

2014-tan-censorship §1 defense

TapDance introduces chosen-ciphertext steganography, which allows the client to embed an arbitrary-length hidden message inside a valid TLS ciphertext without invalidating the TLS MAC or session. By exploiting ciphertext malleability in both stream-cipher (counter) mode and CBC mode, the client can choose specific byte values to appear in the ciphertext while constraining plaintext to a safe ASCII range (0x40–0x7F), encoding 6 bits of tag data per ciphertext byte. This provides unbounded covert-channel bandwidth, compared to the fixed 224-bit TLS nonce used by Telex and Decoy Routing or the 24-bit TCP ISN used by Cirripede.

2014-wustrow-tapdance §3, §6 defense

Injecting a single replayed ACK packet every 100 ms into a SkypeMorph session is sufficient to permanently stall data transfer: the server continuously resets its sequence counter back to the replayed position and never advances, while legitimate VoIP call traffic is completely unaffected. The attack requires the censor to induce only a small amount of server-to-client packet loss to prevent the legitimate ACK counter from overtaking the injected value, as shown in Figure 5b.

2013-geddes-cover §4.3.3, Figure 5 detection

FreeWave's modem synchronization depends on a preamble transmitted only at connection start (approximately 0.25 seconds for a 2048-symbol preamble); a censor applying 95% packet loss for under one second at the beginning of the session reliably prevents synchronization and breaks the connection, while reducing VoIP MOS only briefly and leaving the remainder of the session intact (Figure 2). With fixed data-frame designs, the censor can repeat preamble-targeted drops on every frame, achieving complete desynchronization at low average packet loss rates tolerable to legitimate VoIP.

2013-geddes-cover §4.2, Figure 2 detection

SkypeMorph and FreeWave both overlay a client-proxy communication model onto a peer-to-peer VoIP network; because Skype clients attempt direct peer contact before falling back to supernodes, initiating a call to a FreeWave proxy reveals its IP address directly to the caller, and proxy nodes accumulate user-to-bridge ratios that reached 8–12× in Syria/Iran and up to 120:1 in China (Figure 8), producing concentration signatures uncharacteristic of normal P2P call distributions. These architectural mismatches allow enumeration and fingerprinting attacks independent of traffic-content analysis.

2013-geddes-cover §5, Figure 8 detection

By targeting SkypeMorph's deterministic ACK-flagging schedule (one ACK every ~100 ms) and capping overall packet loss at 5–20%, a censor can drop up to 47% of ACK packets, reducing SkypeMorph throughput from its normal ~200 KB/s to 5–10 KB/s (a 90–95% reduction) while VoIP call quality remains within acceptable MOS thresholds. The attack exploits the reliability mismatch between the loss-tolerant UDP cover channel and the TCP-like retransmission layer SkypeMorph builds over it.

2013-geddes-cover §4.3.2, Figure 4 detection

FreeWave's modem generates audio whose packet-length distribution has dramatically lower variance than human speech, even when transmitted through Skype's variable-bit-rate encoder; Figure 9 shows that English and Portuguese speech samples produce high-variance packet-length sequences while modem audio produces a narrow, nearly constant distribution, providing a reliable passive classifier for modem-over-VoIP traffic. This content mismatch persists even with perfect emulation of the VoIP protocol framing.

2013-geddes-cover §6, Figure 9 detection

Protocol mimicry approaches (SkypeMorph, StegoTorus, CensorSpoofer) do not execute the target protocol in full and leave detectable discrepancies: SkypeMorph fails to replicate Skype's TCP handshake, and CensorSpoofer's IP-spoofing downstream channel enables active traffic analysis by censors who can inject manipulated packets and observe whether the purported VoIP endpoint reacts. The authors state that morphing approaches provide no provable indistinguishability, and protocol evolution further invalidates mimicry over time.

2013-houmansadr-i §IX / §X detection

FreeWave-over-Skype produces traffic statistically indistinguishable from genuine Skype-Speak state: average packet rate 49.91 pps vs. 50.31 pps for Skype-Speak, and average packet size 148.64 bytes vs. 146.50 bytes. However, the Skype-Silent state generates distinctly lower rates (49.57 pps, 103.97 bytes avg), creating a detectable anomaly when both FreeWave endpoints appear to be 'speaking' simultaneously rather than alternating.

2013-houmansadr-i §VIII-C / Table II evaluation

FreeWave routes client VoIP connections through oblivious intermediary nodes (e.g., Skype supernodes) rather than directly to the FreeWave server, so even if a censor discovers the server's VoIP ID or IP address it cannot block clients via IP filtering. This 'server obfuscation' is absent from SkypeMorph and StegoTorus; the authors note that Chinese censors enumerated all Tor bridges—on which SkypeMorph depends—in under a month, rendering those transports instantly blockable.

2013-houmansadr-i §IX-A defense

Hypothetical fixed parrot systems (SkypeMorph+ and StegoTorus+) that correct all passive detection failures remain unambiguously detectable via active and proactive attacks (Table II). Supernode cache flushing and TCP control channel manipulation — e.g., sending RST causes genuine Skype to drop the call immediately while parrots produce no reaction — distinguish them from genuine Skype because the parrot cannot actually execute Skype protocol logic.

2013-houmansadr-parrot §VII-B, §VII-C, Table II detection

CensorSpoofer's IP-spoofing architecture has an unfixable detection flaw: the spoofer cannot receive or respond to SIP probe messages (INVITE, invalid SIP, BYE for random call IDs) directed at the spoofed dummy host, making four SIP probing tests (Table IV) reliably distinguish CensorSpoofer from genuine Ekiga at local-censor cost. The nmap-based dummy-host selection algorithm identifies only 12.1% of 10,000 random IPs as candidate hosts; SIP probing of 10,000 random addresses found zero IETF-based VoIP clients.

2013-houmansadr-parrot §IX, Table IV detection

The authors enumerate 12 requirements a parrot system must satisfy simultaneously (Correct, SideProtocols, IntraDepend, InterDepend, Err, Network, Content, Patterns, Users, Geo, Soft, OS) while a censor need detect only one failure. They conclude 'unobservability by imitation is a fundamentally flawed approach' and recommend embedding covert traffic in genuine encrypted payloads of a real running protocol (e.g., FreeWave in Skype voice, SWEET in email), which constrains detection to OM adversaries performing large-scale multi-flow analysis.

2013-houmansadr-parrot §XI defense

SkypeMorph and StegoTorus-Embed fail 5 of 9 standard Skype identification tests (Table I), including the TCP control channel (T9), SoM packet headers (T3), and periodic message exchanges (T6/T7). All failures are detectable by a local (LO) passive censor at line speed without requiring ISP-scale statistical analysis.

2013-houmansadr-parrot §VII-A, Table I detection

The StegoTorus-HTTP module returns '200 OK' for non-existent URIs, produces no response to HEAD, OPTIONS, DELETE, and TEST method requests, and omits xref tables from generated PDF files. Using httprecon with 9 request types, the StegoTorus server is distinguishable from any real HTTP server by an OB (resource-limited) censor that records port-80 destination IPs at line speed and fingerprints them offline.

2013-houmansadr-parrot §VIII-B, §VIII-C, Table III detection

GFW exhibits three confirmed HTTP analysis gaps: it inspects only the first Request-URI and Host header in HTTP-pipelined requests (HTTP3), will not scan beyond 2,048 bytes into a Request-URI (HTTP2), and recognizes only standard percent-encoding while ignoring alternative URI encodings such as overlong UTF-8 (HTTP4). The authors classify all three as low-difficulty fixes for the censor, meaning they may be patched quickly once disclosed.

2013-khattak-towards §5, Table 1 (HTTP2, HTTP3, HTTP4) detection

A controlled survey of 67 technically literate users in Pakistan found that ~45% primarily use public VPN services (Hotspot Shield, Spotflux), 24% use web proxies, and 11% use HTTP proxies such as Ultrasurf to bypass censorship. The survey population skews technical, so real-world adoption of low-friction tools among average users is likely higher.

2013-nabi-anatomy §4.3 evaluation

SWEET argues that mimicking complex protocols (SkypeMorph, CensorSpoofer, StegoTorus) is fundamentally breakable because comprehensive imitation of today's protocols is infeasible. The paper instead advocates tunneling inside genuine traffic from actual, widely-used protocol providers — in this case real email services — so the censor observes authentic protocol behavior rather than a simulation.

2013-zhou-sweet §1 defense

Flash proxy tunnels carry inherent network-level fingerprints that survive application-layer obfuscation: WebSocket connections begin with a plaintext HTTP upgrade handshake followed by structured binary framing, and Flash socket connections open with a crossdomain XML policy request — both are distinguishable from ordinary TCP by a DPI middlebox.

2012-fifield-evading §5.1 detection

SkypeMorph's packet size and inter-packet delay distributions are statistically indistinguishable from real Skype video calls: Kolmogorov-Smirnov tests on both the naïve traffic-shaping and enhanced Traffic Morphing outputs report p > 0.5, indicating no significant difference from the Skype target distribution. The original Tor traffic distribution, by contrast, is considerably different from Skype, validating the need for the morphing layer.

2012-moghaddam-skypemorph §7, Figure 6 evaluation

SkypeMorph achieves a goodput of 33.9 ± 0.8 KB/s (naïve shaping) and 34 ± 1 KB/s (enhanced Traffic Morphing) versus 200 ± 100 KB/s for a normal Tor bridge, with overhead of ~28% compared to 12% for normal Tor. The two traffic-shaping methods perform statistically identically (KS p > 0.5), but the overhead grows during silent periods because the transport must transmit padding to maintain Skype's constant bitrate even when the Tor buffer is empty.

2012-moghaddam-skypemorph Table 1, §8 evaluation

Encrypted channels expose only two statistical features to an external observer: packet sizes and inter-packet arrival times. Original Traffic Morphing (Wright et al. 2009) shaped only packet-size distributions, leaving inter-packet timing as an unobfuscated fingerprint identical to the source (Tor) distribution. SkypeMorph extends Traffic Morphing to jointly sample from nth-order conditional distributions of both packet sizes and inter-packet delays (tested up to n = 3), closing the timing gap.

2012-moghaddam-skypemorph §4.3, §4.4 defense

A censor can compare the predicted AS path from the claimed dummy host to the client against the actual observed ingress entry point of the spoofed downstream traffic; inconsistency reveals the dummy host as a cover. For clients in China Telecom (ASN 4134) and China Unicom (ASN 4837), 100% of 225 candidate dummy hosts passed AS-path consistency filtering; for clients in ASN 4538 only 18.2% (41/225) passed, sharply narrowing the usable pool for smaller ASes.

2012-wang-censorspoofer §5.2.3, Table 2 detection

CensorSpoofer decouples the upstream channel (URLs hidden via steganography in IM/Email) from the downstream channel (web content injected into spoofed UDP/VoIP flows), so the proxy's real IP is never revealed to any user. This asymmetric architecture provides perfect insider-attack resistance: even if all users are compromised, they can only learn cover dummy-host IPs, not the spoofer's address.

2012-wang-censorspoofer §4 defense

Port-scanning 10,000 randomly selected non-China IPs found 1,213 (12.1%) acceptable as VoIP dummy hosts (SIP, RTP, RTCP ports not in 'closed' or 'host seems down' states). Of 100 sampled dummy hosts tracked over time, over 90% remained usable for more than 2 hours and over 80% for more than 6 hours; the total usable pool was stable across a 7-day measurement window (Feb. 9–16, 2012).

2012-wang-censorspoofer §7.2.2 evaluation

The MIT ANA Spoofer project shows that over 400 ASes (22%) and 88.7 million IP addresses (15.7%) permit outbound IP address spoofing, constraining where CensorSpoofer proxy nodes can be deployed. ASes applying ingress/egress filtering make IP-spoofing-based downstream channels infeasible from those locations.

2012-wang-censorspoofer §4.2 deployment

Using G.711 or G.722-64 codecs (64 Kbps downstream), CensorSpoofer clients in China downloaded Wikipedia's HTML file in approximately 6 seconds and the full 160 KB page in approximately 27 seconds; Tor and a proxy-based system (NetShade) were measurably faster. The iLBC codec limits downstream throughput to 15.6 Kbps, and all codecs impose equivalent dummy-traffic cost on the dummy host (G.711 consumes 87.2 Kbps at the dummy host).

2012-wang-censorspoofer §7.2.1, Table 1 evaluation

The StegoTorus HTTP module degrades severely with network latency: it can sustain only a 50 kB/s stream at latencies below 200 ms and fails entirely at higher rates or latencies, because the HTTP request-response pattern transfers only one or two 512-byte Tor cells per round-trip. Plain Tor and chopper-only StegoTorus show no measurable throughput degradation at latencies up to 450 ms. Increasing parallel HTTP connections improves low-latency throughput but does not recover high-latency performance.

2012-weinberg-stegotorus §6, Figure 6 evaluation

HTTP steganography in StegoTorus expands upstream traffic by a factor of 41× and downstream by 12× compared to a direct connection (uploading 966,964 bytes vs. 23,643 bytes to transfer a 1 MB file). Chopper-only operation adds only ~2.7× upstream overhead, comparable to plain Tor. Maximum achievable goodput with the HTTP module is ~27 kB/s (~4× a 56 kbps modem), which the authors attribute to a minimum expansion factor of 8× inherent in contemporary steganographic schemes.

2012-weinberg-stegotorus §6, Table 3, Figure 7 evaluation

A naive-Bayes website-fingerprinting classifier achieves AUC > 0.94 against vanilla Tor for 8 of 9 Alexa top-ten sites (e.g., Wikipedia 0.9991, YouTube 0.9947). Against StegoTorus-HTTP, AUC drops to ≤ 0.75 for 7 of 9 sites (YouTube 0.4125, Facebook 0.5413, Google 0.6928), which the authors argue is too low for practical perimeter-scale deployment where near-perfect precision is required to avoid error floods.

2012-weinberg-stegotorus §5.2, Table 2 evaluation

TCP flow hijacking by the decoy proxy is practical under an asymmetric routing assumption: expected sequence numbers are recoverable from ACK values in client-originated packets alone, so the decoy router need not observe return traffic. The proxy forges a TCP RST to the decoy destination and mimics its TCP options (timestamp, window scale, SACK) to reduce detectability; these options are conveyed encrypted inside the sentinel's 28-byte TLS random field.

2011-karlin-decoy §3.3 defense

Clients embed HMAC-derived, time-varying sentinels into the 28-byte random field of the TLS ClientHello message, which decoy routers can scan at line rate. Sentinels are keyed to the current hour and a per-hour sequence number, providing freshness. This covert channel requires no out-of-band signaling and is invisible to passive observers who see only a normal TLS handshake toward the decoy destination.

2011-karlin-decoy §3.2 defense

Censorship operating at the infrastructure layer (hosting, DNS, ISPs) rather than the content layer produces opacity: blocklists must be kept secret lest they become menus of blocked content, accuracy cannot be examined, and harms are divided from those with incentive or expertise to oppose them. The consistent pattern in anti-censorship responses is to distribute, decentralize, encrypt, and obfuscate — making circumvention traffic indistinguishable from permitted use.

2011-seltzer-infrastructures §2.1 policy

An active man-in-the-middle adversary can hijack a live BridgeSPA TCP SYN by intercepting the ConnectionTag-bearing packet and racing to complete the bridge connection before the client's timestamp rounds to a new minute. Mitigating this requires the client to re-send the full (non-truncated) ConnectionTag after TLS is established, causing the bridge to act as a cover service (e.g., IMAP over TLS) until validated—but this mitigation is undermined by the fact that Tor bridge TLS certificates are currently distinguishable from other service certificates.

2011-smits-bridgespa §6.2.2, §7.5 detection

Censors responding to encryption-based circumvention have two escalation options: block all encrypted connections outright, or identify the underlying protocol via traffic signatures that persist even inside encrypted tunnels. The paper frames these as the two dominant censor responses to DPI being defeated by encryption.

2011-wright-fine-grained §3 detection

Telex embeds steganographic tags in TLS ClientHello nonces using elliptic-curve Diffie-Hellman, placing proxy stations at ISP level on paths between the censor's network and popular uncensored destinations. Because the cover destinations are ordinary popular HTTPS websites, the censor cannot block Telex without simultaneously blocking a large class of legitimate TLS traffic — converting the censor's own reluctance to over-block into an unblockability guarantee.

2011-wustrow-telex §2, §4 defense

The paper identifies two unresolved fingerprinting surfaces: (1) traffic-shape analysis of packet sizes and inter-arrival times could distinguish Telex flows from normal TLS, and (2) the prototype exhibits detectable deviations from real servers at the IP layer (stale IP ID fields), TCP layer (incorrect congestion windows detectable by early acknowledgements), and TLS layer (different compression methods and cipher-suite extensions). Convincingly mimicking a diverse population of TCP/TLS server implementations is flagged as requiring substantial engineering effort.

2011-wustrow-telex §9 detection

Collage's threat model identifies the censor's two most dangerous capabilities as: (1) aggregate traffic-flow analysis (e.g., NetFlow statistics) to detect anomalous access patterns to specific content hosts, and (2) joining the system as a sender or receiver to discover content locations and mount denial-of-service or deniability attacks. The censor is assumed to monitor all egress traffic but is modeled as computationally limited against joint statistical distributions across arbitrary user pairs.

2010-burnett-chipping §3.1 detection

Collage leverages platform-scale user-generated content—Flickr's 3.6 billion images with 6 million new per day and Twitter's ~500K tweets/day as of 2009—as a covert channel substrate. Because the censor cannot block all UGC platforms simultaneously without removing massive amounts of legitimate content, the system achieves availability and user deniability that fixed-infrastructure proxies (e.g., Tor relays) cannot: accessing Flickr or Twitter does not implicate the user as a circumvention tool operator.

2010-burnett-chipping §1, §4.1 defense

Because Skype relies on a central login server, it is technically possible for a censor to block Skype, but the paper observes that blocking widely-deployed services like Skype or Google inflicts real economic harm, making it a credible deterrent. Additionally, Skype's proprietary, closed-source protocol and P2P architecture make it harder to characterize and selectively filter than open protocols.

2009-cao-skyf2f §V.C defense

If bridges run on predictable ports and any TCP connection to a bridge port reveals it as a Tor bridge, a censor can scan the entire address space of residential ISP ranges to enumerate and block all bridges. The paper proposes 'scanning resistance': bridges require a nonced hash of a pre-shared password before revealing Tor behavior, and respond to unauthenticated connections by impersonating an ordinary HTTPS server (e.g., default Apache page or a random legitimate website).

2006-dingledine-design §9.3 defense

Tor's 2006 TLS handshake contained multiple identifying fingerprints exploitable by censors: the X.509 organizationName field was set to 'Tor', the relay nickname appeared in the commonName field, clients always presented certificates (unlike browsers), and Tor used two-certificate chains (identity cert + per-session TLS cert) while most consumer HTTPS services use a single certificate. The paper flags these as sufficient for a censor to identify Tor traffic without deep payload inspection.

2006-dingledine-design §6 detection