FINDINGS
1857 extracted findings
One- to three-sentence claims pulled from the full text of each paper, tagged against the same taxonomy as the papers themselves. Listed newest first.
-
During the June 2025 Iran shutdown, circumvention tool performance diverged sharply by transport design. Psiphon's multi-protocol architecture sustained 1.5 million concurrent users—roughly one-third of its normal Iranian base. Lantern's "proxyless" protocol (domain-fronting via CDN, ~40% of Lantern's Iranian traffic) showed moderate success. Tor usage collapsed during the blackout, but bridge connections surged and rebounded quickly once the shutdown was lifted. BeePass (serving 500k+ daily users at shutdown onset) used live A/B testing of port/obfuscation-prefix combinations to probe the censors' blocking parameters in real time. The Ceno Browser's P2P network grew from 600 active peers on June 13 to ~8,000 by July 11, indicating that decentralized fallback paths stayed up even during peak blocking.
-
The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.
-
During the June 2025 shutdown, Iranian authorities blocked international One-Time Password (OTP) SMS delivery, preventing new sign-ins to foreign secure-messaging platforms and VPN services. This forced users toward government-approved domestic platforms that lack security and privacy protections. The blockade of OTPs effectively weaponized account-recovery flows as a secondary shutdown layer, disproportionately affecting users who needed to activate new circumvention tools during the crisis.
-
Simple character-level perturbations (English) and homophone substitutions (Chinese), combined with LLM instruction-following prompts directing the model to use word substitutions in its output, successfully bypassed all input and output filters for all 41 input-blocked and 197 output-blocked queries across five major Chinese LLM services (Baidu-Chat, DeepSeek, Doubao, Kimi, Qwen). Every input-blocked query contained at least one keyword combination that alone triggered the filter, confirming keyword-matching rather than semantic classification.
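A minimal sketch of why keyword-matching filters fall to character-level perturbation. The toy filter, blocklist, and perturbation below are illustrative assumptions, not the paper's actual probes:

```python
def perturb(text: str) -> str:
    """Insert a zero-width space between every character: visually
    identical for a human reader (and still parseable by an LLM),
    but no longer a verbatim keyword match."""
    return "\u200b".join(text)

def keyword_filter(text: str, blocklist) -> bool:
    """Toy input filter: block iff any listed keyword appears verbatim."""
    return any(kw in text for kw in blocklist)

blocklist = ["forbidden topic"]            # hypothetical keyword combination
query = "tell me about the forbidden topic"
assert keyword_filter(query, blocklist)               # original: blocked
assert not keyword_filter(perturb(query), blocklist)  # perturbed: passes
```

A semantic classifier would treat both strings identically; only exact substring matching is defeated this easily, which is what the all-queries bypass result confirms.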
-
Cross-national experiments conducted from Singapore, South Korea, and Taiwan during February 19–24, 2025 found no variance in blocking implementations, event syntax, or server infrastructure across all five Chinese LLM services. Input blocking was enacted identically in all three international locations, and services connected to the exact same server IP addresses globally — Kimi and Baidu-Chat connected to identical IPs and DeepSeek to the same two addresses across all tested locations.
-
Input blocking in Chinese LLM services (DeepSeek, Qwen, Kimi, Doubao) is overwhelmingly consistent: all four services persistently block the exact same queries across all 5 measurement samples in both Simplified and Traditional Chinese. Output blocking is far less consistent, with only 29 out of 349 output-blocked queries blocked across all 5 samples. Baidu-Chat is exceptional: it performs almost no input blocking but instead relies heavily on post-search and output blocking (78.6% of blocks are output-phase).
-
DeepSeek, Kimi, and Doubao all transmit analytics logs to the same Autonomous System (AS24429, Zhejiang Taobao Network Co., Ltd., a ByteDance/Volcengine subsidiary), with one monitoring endpoint IP directly overlapping between DeepSeek and Doubao. Additionally, all four non-Qwen services maintain connections with servers physically located in China throughout the chat session, transmitting user IDs, session IDs, viewport data, language preferences, and in Baidu-Chat's case, the full query text via URL-encoded CAPTCHA requests.
-
All five Chinese LLM services transmit partial or complete responses to the client machine even when output blocking is triggered, representing a major information leak. For DeepSeek and Qwen, truncated blocked responses are on average close in token length to full successful responses. For Baidu-Chat, the complete response is transmitted to the client but only partially rendered in the browser UI, with only a word or two visible on screen.
-
A three-stage detection pipeline exploiting the "dual-role" behavioral fingerprint of single-IP circumvention relays achieved 23.2% recall (96/414 ground-truth relays) with a 0.18% false-positive rate against 97,651 benign TLS servers, for an overall accuracy of 99.5%. The ground-truth set covered OpenVPN, WireGuard, and SOCKS relays identified in a 17 TB single-day backbone trace (WIDE Project, April 9, 2025).
-
The paper identifies a fundamental architectural vulnerability in single-IP circumvention designs: a relay must generate new observable flows (via DNS or TLS SNI) to reach end services after receiving client connections, creating a detectable server-and-client behavioral contrast. A relay accessing user-facing domains (news, social media) scores high on a Relay Suspicion Score (w=0.9) versus infrastructure domains (w=0.1). The paper argues this host-level signal is censorship-invariant and cannot be concealed by link obfuscation.
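The scoring idea can be sketched as a weighted average over a relay's observed outbound destinations. The 0.9/0.1 weights come from the paper; the function shape and domain names are illustrative assumptions:

```python
def relay_suspicion_score(outbound_domains, user_facing,
                          w_user=0.9, w_infra=0.1):
    """Weight each outbound lookup by destination class: user-facing
    domains (news, social media) score 0.9, infrastructure domains 0.1.
    A server that also behaves like a client of user destinations
    exhibits the dual-role fingerprint."""
    if not outbound_domains:
        return 0.0
    weights = [w_user if d in user_facing else w_infra
               for d in outbound_domains]
    return sum(weights) / len(weights)

user_facing = {"news.example.com", "social.example.net"}  # hypothetical
hi_score = relay_suspicion_score(
    ["news.example.com", "social.example.net"], user_facing)
lo_score = relay_suspicion_score(
    ["mirror.example.org", "ntp.example.org"], user_facing)
```

A plain web server initiates few or no such outbound flows at all, which is why the contrast is framed as censorship-invariant.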
-
Stage 1 of the detection pipeline uses a lightweight heuristic: restrict analysis to IP addresses in "VPS-dense ASNs," which censors already target for resource-intensive inspection of fully-encrypted traffic. This pre-filter dramatically reduces the search space before applying the more expensive dual-role behavioral analysis. The evaluation was conducted without Stages 1 and 3 due to dataset limitations, meaning the reported 23% recall and 0.18% FPR are conservative lower bounds on the full pipeline's performance.
-
Encrypted DNS protocols (DNS-over-HTTPS and DNS-over-TLS via Cloudflare 1.1.1.1, Google 8.8.8.8, AdGuard, or NextDNS) prevent DNS injection by encrypting the resolver query, making it opaque to in-path GFW middleboxes. The blog recommends these as a lightweight defense that avoids the maintenance overhead of static hosts entries.
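As a quick check, Cloudflare's resolver also exposes a DoH JSON API that can be queried directly from the command line (requires network access; the endpoint and `application/dns-json` content type are Cloudflare's documented interface):

```shell
# Ask 1.1.1.1 over HTTPS for github.com's A records; the query never
# touches the local (potentially injected) UDP resolver path.
curl -s -H 'accept: application/dns-json' \
  'https://cloudflare-dns.com/dns-query?name=github.com&type=A'
```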
-
The GFW blocks GitHub by hijacking DNS resolution to incorrect IP addresses, causing browser timeouts ('github.com 响应时间太长', i.e. 'github.com took too long to respond'). The poisoning can be confirmed by comparing nslookup results against a clean resolver (8.8.8.8) versus the local ISP resolver — divergent results confirm injection.
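The comparison the blog describes takes two commands (requires network access; `dig` is shown instead of `nslookup` for terser output):

```shell
dig +short github.com @8.8.8.8   # clean public resolver
dig +short github.com            # local/ISP resolver path
# Divergent answer sets between the two runs indicate injected responses.
```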
-
Static /etc/hosts bindings that hardcode correct IPs (e.g. 140.82.113.3 for github.com, 185.199.108.153 for assets-cdn.github.com) bypass DNS-injection blocking entirely, but the blog warns that GitHub IP addresses change and the file must be updated periodically to remain effective.
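The bindings go into the hosts file verbatim, one IP-to-name mapping per line (IPs as given in the blog; they go stale when GitHub rotates addresses):

```
# /etc/hosts (C:\Windows\System32\drivers\etc\hosts on Windows)
140.82.113.3     github.com
185.199.108.153  assets-cdn.github.com
```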
-
Chinese users treat full proxy/VPN (Shadowsocks, V2Ray/Clash, commercial VPNs) as the '终极大杀器' (ultimate solution) for bypassing GitHub DNS poisoning, implying that lighter-weight DNS-only fixes fail in some network environments where the censor adds firewall-layer blocking beyond DNS.
-
AnyTLS's default padding scheme operates across 8 levels (stop=8), with initial padding fixed at 30 bytes, small-data padding 100–400 bytes, and medium-to-large data padding chains of 400–500 bytes continuing through multiple 500–1000 byte segments. The 'c' (continue) marker allows multi-stage padding sequences within a single connection burst.
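A toy model of the level structure described above. The real scheme is a compact string parsed by the client; the dict encoding, function, and RNG use here are illustrative, and levels not listed are modeled as padding-free:

```python
import random

SCHEME = {
    0: [(30, 30)],                      # first packet: fixed 30-byte pad
    1: [(100, 400)],                    # small data: one 100-400 byte pad
    2: [(400, 500), "c", (500, 1000)],  # chain: pad, 'c' continues the burst
}
STOP = 8  # padding applies only to the first 8 packets of a connection

def padding_for(packet_index: int, rng: random.Random):
    """Return the list of pad sizes for the n-th packet, or [] past stop."""
    if packet_index >= STOP:
        return []
    sizes = []
    for step in SCHEME.get(packet_index, [(0, 0)]):
        if step == "c":   # continue marker: more padding in the same burst
            continue
        low, high = step
        sizes.append(rng.randint(low, high))
    return sizes
```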
-
As of 2026, AnyTLS lacks a standardized subscription link format (unlike VLESS/Trojan/Hysteria2), requires manual JSON configuration distribution, and is supported primarily by sing-box with limited support in v2rayNG and Shadowrocket. The guide explicitly warns that it is unsuitable for production environments, recommending VLESS or Hysteria2 for production deployments and Hysteria2 specifically where high performance is needed.
-
AnyTLS implements a persistent idle-session pool with configurable parameters: idle_session_check_interval (default 30s), idle_session_timeout (default 30s), and min_idle_session (default 5). The client maintains at least 5 pre-established TLS sessions at all times to enable fast connection reuse without a new TLS handshake per request.
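As a sketch, the three pool parameters would sit in an AnyTLS outbound entry roughly like this (sing-box-style JSON; the server, password, and tls fields are placeholder assumptions):

```json
{
  "outbounds": [
    {
      "type": "anytls",
      "tag": "anytls-out",
      "server": "example.com",
      "server_port": 443,
      "password": "<your-password>",
      "idle_session_check_interval": "30s",
      "idle_session_timeout": "30s",
      "min_idle_session": 5,
      "tls": { "enabled": true, "server_name": "example.com" }
    }
  ]
}
```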
-
Compared to peer protocols, AnyTLS rates 'medium' performance (vs. VLESS 'high', Hysteria2 'very high', TUIC 'high'), uses TCP/TLS transport (vs. UDP/QUIC for Hysteria2 and TUIC), and relies on padding-based obfuscation vs. REALITY/WebSocket (VLESS) or HTTP/3 framing (Hysteria2). Client ecosystem support is currently limited primarily to sing-box, vs. broad cross-client support for VLESS, Trojan, and Hysteria2.
-
AnyTLS is a TLS-based proxy protocol maintained by the sing-box team, designed in 2024 and first released in the sing-box dev-next branch. Its core mechanism wraps arbitrary proxy traffic in standard TLS and applies a configurable padding scheme to enhance traffic concealment while maintaining compatibility with standard TLS infrastructure.
-
Rule-based proxy tools (Clash, Shadowsocks, V2Ray) are documented as the most reliable solution for accessing GitHub from China, with split-tunneling rules routing only GitHub traffic through the proxy while keeping domestic traffic on the direct path. Git command-line tools require explicit proxy configuration (git config --global http.proxy http://127.0.0.1:7890) to route clone/push operations, as they do not inherit system proxy settings automatically.
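The Git side of the setup is two config lines (7890 is the common Clash local port; adjust to your proxy):

```shell
# Route git's HTTP(S) operations through the local proxy; git does not
# inherit system proxy settings, so this must be set explicitly.
git config --global http.proxy  http://127.0.0.1:7890
git config --global https.proxy http://127.0.0.1:7890

# Undo when the proxy is not running:
git config --global --unset http.proxy
git config --global --unset https.proxy
```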
-
Configuring encrypted DNS (DoH/DoT) via Cloudflare (1.1.1.1 / https://cloudflare-dns.com/dns-query), Google (8.8.8.8), or Alibaba Cloud (223.5.5.5) is documented as a practical countermeasure to ISP-level DNS hijacking of GitHub in China. Browser-level DoH (Chrome/Edge settings) is highlighted as accessible to non-technical users without installing additional software.
-
The GFW blocks GitHub via DNS poisoning across at least four domains — github.com, assets-cdn.github.com, github.global.ssl.fastly.net, and raw.githubusercontent.com — causing connection timeouts and page-load failures for mainland China users. The block is persistent as of February 2026, affecting both browser access and command-line git operations.
-
As of early 2026, GitHub mirror sites (FastGit at hub.fastgit.xyz, CNPMJS at github.com.cnpmjs.org, GitClone at gitclone.com) remain operationally accessible as reverse-proxy workarounds for read-only access and git clone acceleration from mainland China. The blog explicitly warns users against authenticating to GitHub accounts via these mirrors due to credential-theft risk, indicating that mirror operators are not fully trusted by the end-user community.
-
Bypassing system DNS via local hosts-file entries (e.g., mapping github.com → 140.82.113.4) is documented as the most widely used free workaround for GFW DNS poisoning of GitHub as of 2026. The technique is fragile: GitHub IP addresses change, requiring users to re-query and update entries manually, making it unsuitable as a reliable long-term defense.
-
Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.
-
Article 19 documents that Iran combines technical filtering with formal coercion of major foreign platforms (including Telegram, Instagram, and WhatsApp) to comply with content removal orders under threat of full blocking. The report notes that Iran's 2022 Women Life Freedom protests accelerated platform blocking when foreign operators refused compliance, demonstrating that the censorship system operates in two modes: coerce-and-allow for compliant platforms, block for non-compliant ones. Domain fronting via these platforms is therefore subject to sudden revocation if political conditions change.
-
The report maps specific Belt and Road Initiative Digital Silk Road projects through which Chinese technology vendors have transferred censorship and surveillance infrastructure to Iran, including fiber backbone investments, data-center co-location agreements, and equipment supply chains. Specific vendors named include Huawei and ZTE as network infrastructure providers, with the report noting that equipment exports include filtering-capable hardware that Iran's ISPs have deployed at network choke points.
-
Brussee measures a systematic pattern of Chinese government websites actively blocking access from outside China (the "reverse Great Firewall"), publishing a CSV dataset of affected domains (available at zenodo.org/records/18172145). The paper frames this outbound geo-blocking as a cybersecurity-motivated practice — Chinese authorities classify foreign access to domestic government infrastructure as an attack surface — distinct from the inbound information control goal of the GFW.
-
Brussee develops a conceptual framework distinguishing two logics of government geo-blocking: (1) information control (blocking inbound foreign content from domestic users) and (2) data sovereignty / attack-surface reduction (blocking outbound access by foreign actors to domestic systems). Chinese government site blocking of external IPs is motivated primarily by the second logic, creating an asymmetric internet topology where CN citizens cannot reach the outside world, and outside actors cannot probe CN government infrastructure.
-
ShieldShare demonstrates that an Android application can route all hotspot-client traffic through a VPN tunnel without root access by using a SOCKS5/HTTP/HTTPS proxy layer between the hotspot and the VPN, with per-client traffic accounting and quota management. The system works because Android's native hotspot does not forward VPN routing tables to connected clients; ShieldShare interposes a proxy that handles this. Released as open-source.
-
ShieldShare's modular architecture (VPN detection, hotspot management, HTTP/HTTPS/SOCKS5 proxy forwarding, traffic metering) shows that community-proxy deployment on commodity Android hardware is technically feasible without root, and that accurate per-client bandwidth allocation and accounting can be maintained under the no-root constraint. The evaluation confirms reliable routing of client traffic through VPN tunnels.
-
The April 2026 enforcement wave against Chinese VPN resellers operates primarily through administrative "reporting + line-cutting" (通报+拔线) mechanisms enforced via Ministry of Industry and Information Technology bulletins, not packet-level DPI changes. Operators report that newly acquired upstream resources are reported and cut with recovery periods described as "uncontrollable," and that upstream providers typically do not refund resellers after enforcement actions.
-
China Telecom Group issued directives to Guangdong Telecom requiring comprehensive rectification of cross-border dedicated-line (IEPL/跨境专线) services used for circumvention. Guangzhou launched enforcement first; other Guangdong cities were expected to follow, threatening widespread IEPL line interruptions for providers using Guangdong Telecom as their domestic ingress.
-
China Telecom Group reportedly issued directives to Guangdong Telecom in April 2026 requiring comprehensive rectification of cross-border leased-line (IEPL/专线) businesses used for circumvention, with Guangzhou leading enforcement and other Guangdong cities expected to follow sequentially. The targeting is infrastructure-class-specific (IEPL lines as a category) rather than generalized protocol blocking.
-
The dominant enforcement mechanism in April 2026 was administrative 'reporting + line-cutting' (通报 + 拔线) backed by MIIT bulletins, not protocol-level DPI changes. Operators reported that newly acquired upstream resources were reported to authorities quickly after acquisition, recovery timelines were uncontrollable, and some upstream providers refused refunds after enforcement actions, producing sustained capacity contraction across the shared VPN-reseller ecosystem.
-
Under April 2026 enforcement pressure, surviving VPN resellers converged on three strategies: raising prices to cover higher infrastructure costs, switching from transit to direct-connect (higher latency, worse peak-hour performance), or deploying proprietary protocols with dedicated clients — the last option breaking compatibility with standard Clash and Shadowrocket clients and fragmenting the interoperable ecosystem.
-
Operators facing the April 2026 enforcement wave described three survival paths: (1) price increases to pass on resource costs, (2) switching entirely to direct-connect, or (3) deploying proprietary protocols with dedicated clients — making standard Clash/Shadowrocket clients non-functional for those providers. The commercial forecast is for low-price high-quality plans to disappear and for month-by-month billing to become the default as users hedge against provider collapse.
-
The April 2026 enforcement cycle created a resource-scarcity feedback loop: upstream providers cut lines with no obligation to refund resellers, newly acquired replacement resources can themselves be reported and cut within days, and stable-resource availability windows are described as "越来越短" (increasingly short) while costs rise concurrently. The overall effect is systemic capacity contraction forecast to continue through at least May 2026.
-
Shared domestic-entry transit architectures (国内入口 + 海外转发) suffered disproportionate impact because all nodes sharing a single domestic entry point went down simultaneously when that entry was reported and cut. Operators described configurations degrading from 'three-line redundancy to single entry,' eliminating failover capacity under enforcement pressure.
-
Transit/relay architectures (国内入口 + 海外转发) suffered disproportionate impact because multiple nodes share a single domestic entry point: when that entry is reported or cut, the entire batch of nodes fails simultaneously. Operators described this as "三线变单线" (three-line to single-line collapse), with only direct-connect fallback remaining — at higher latency and with worse peak-hour performance.
-
NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.
-
BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.
-
BM-Net achieves a 99.65% binary detection F1 score distinguishing watermarked from natural Tor flows, and a 97.5% macro-F1 score for fine-grained modulation classification across sinusoidal, square-wave, and triangular patterns. The fine-grained test set contains 201 held-out samples collected from ten clients across five geographic regions (Europe, North America, Australia, Southeast Asia, East Asia), with training traces including traffic collected under WTF-PAD and Walkie-Talkie defenses.
-
Active bandwidth perturbation has an inherent detectability–stability trade-off: overly aggressive low-rate phases cause Tor SENDME-based flow control stalls, retransmissions, timeouts, or circuit replacement before sufficient correlation evidence is collected. The paper selects a 30-second modulation period and an empirically determined minimum shaping rate; the usable shaping range varies with relay load, path length, TCP congestion control behavior, and Tor multiplexing.
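The sinusoidal variant with the paper's 30-second period can be sketched as a rate schedule floored at a minimum shaping rate (the r_min/r_max values below are illustrative, not the paper's empirically determined ones):

```python
import math

def shaping_rate(t: float, r_min: float = 2.0, r_max: float = 10.0,
                 period: float = 30.0) -> float:
    """Sinusoidal bandwidth waveform (Mbps) with a 30 s period, floored
    at r_min so low-rate phases do not trigger SENDME stalls, timeouts,
    or circuit replacement before evidence accumulates."""
    mid = (r_max + r_min) / 2
    amp = (r_max - r_min) / 2
    return max(r_min, mid + amp * math.sin(2 * math.pi * t / period))

# One sample per second over a full period: the imposed throughput
# envelope is what the exit-side sniffer later tries to recover.
schedule = [shaping_rate(t) for t in range(30)]
```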
-
Tornettools-based simulations with a 1%-scaled Tor network show that with 1 adversary-controlled exit relay (148 Mbps), the exit-observation probability pexit ≈ 2.13%; with 5 adversary-controlled relays, pexit exceeds 10%. Tor's bandwidth-weighted path selection means high-bandwidth malicious exits attract a disproportionate share of circuits, and repeated observations over multiple circuits compound correlation risk multiplicatively even at modest relay counts.
-
Using a 1%-scaled tornettools simulation with historical Tor consensus data, a single adversary-controlled exit relay at 148 Mbps yields an exit-observation probability of approximately 2.13%; deploying 5 adversary-controlled exit relays pushes observation probability above 10%. The aggregation effect is concave — repeated observations across T independent windows compound via 1 − (1 − Pcorr)^T.
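The compounding expression is direct to evaluate; the per-window probability below reuses the simulated single-relay observation rate purely for illustration:

```python
def compounded_correlation(p_corr: float, windows: int) -> float:
    """Probability of at least one successful correlation across
    `windows` independent observation windows: 1 - (1 - p)^T."""
    return 1 - (1 - p_corr) ** windows

# With ~2.13% per window, five independent windows already exceed 10%.
p5 = compounded_correlation(0.0213, 5)
```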
-
BM-Net achieves a 97.5% macro-F1 score for fine-grained classification of three modulation geometries (sinusoidal, square-wave, triangular) from noisy exit-side Tor observations using only 201 labeled test samples collected across cross-continental Tor paths. Residual errors concentrate between natural traffic and square-wave modulation, as abrupt low-rate transitions are partially smoothed by Tor multiplexing and network jitter.
-
Fine-grained modulation classification (natural vs. sinusoidal vs. square-wave vs. triangular) achieves 97.5% macro-F1 on a 201-sample held-out test set. Square-wave waveforms are the hardest class (F1 = 95.7%), while sinusoidal and triangular each reach 99.0% F1, because abrupt square-wave transitions are partially smoothed by Tor multiplexing and network dynamics.
-
NATA requires no endpoint compromise, no Tor-browser modification, and no payload decryption; it operates solely from (1) an upstream gateway controlling Tor TCP connections via standard Linux tc/wondershaper rate-limiting and (2) one or more adversary-controlled exit relays passively recording packet traces. The shaper identifies Tor connections using flow-level metadata (client IP, relay IP, port, transport protocol), meaning the adversary needs only ISP or AS-level vantage, not host-level access.
-
NATA (Non-invasive Active Traffic-correlation Analysis) requires no endpoint compromise, no Tor-browser modification, and no payload decryption. The adversary controls only an upstream network gateway (ISP/AS level) to impose bandwidth modulation on Tor TCP connections, and observes traffic at adversary-controlled exit relays — a Shaper–Sniffer architecture that operates purely at the network-infrastructure layer.
-
Padding-based client-side defenses including WTF-PAD and Walkie-Talkie are insufficient against active bandwidth perturbation: they reshape packet timing and burst structure but cannot remove the upstream rate limit imposed by the gateway shaper. BM-Net trained on a defense-aware dataset containing both undefended and WTF-PAD/Walkie-Talkie traces still achieves 99.65% F1, and the paper explicitly notes that 'client-side padding and burst reshaping may alter the logical traffic pattern, but they do not directly remove the rate limit imposed by the upstream bottleneck.'
-
Client-side padding defenses (WTF-PAD and Walkie-Talkie) do not remove active bandwidth watermarks because they operate on packet timing and burst-level structure, not on the upstream rate limit; BM-Net still achieves 99.65% binary detection F1 on a mixed dataset containing both defended and undefended traces. The upstream shaper's rate constraint causes delayed, queued, or dropped packets whose throughput envelope persists at the exit relay regardless of application-layer obfuscation.
-
Using tornettools-based simulations with historical Tor consensus data scaled to 1% of the real network (80 relays), the adversary's exit-observation probability p̂exit grows monotonically with adversary-controlled bandwidth: a single exit relay at 148 Mbps yields p̂exit ≈ 2.13%, and 5 adversary-controlled exit relays push p̂exit above 10%.
-
An infrastructure-level adversary must balance watermark detectability against connection stability: the paper's threat model requires a minimum shaping rate rmin to prevent Tor circuit stalls, timeouts, or circuit replacement, and notes that repeated poor-throughput events can cause the circuit to be abandoned before sufficient watermark evidence is accumulated. This detectability–stability trade-off constrains the practical attack to macroscopic (30-second) modulation periods rather than fine-grained packet-level timing manipulation.
-
WTF-PAD and Walkie-Talkie client-side defenses — which operate on packet timing, padding, and burst-level structure — do not remove the throughput constraint imposed by an upstream rate limiter. When the shaping rate decreases, excess traffic is delayed, queued, or dropped; exit-side throughput retains the imposed modulation waveform. BM-Net was trained and evaluated on a dataset that includes both undefended and WTF-PAD/Walkie-Talkie-defended traces, confirming detection persists under this mixed condition.
-
Simulations extending the ENEM19 game-theory framework show that ephemeral proxy schemes (modeled on Snowflake/Lantern) effectively neutralize both the "optimal" and "aggressive" censors from the original framework. In overprovisioned settings (proxies arriving at 250/step vs. 200 clients/step), even the null censor scenario outperforms either censor in equal-arrival settings. Over 90% of waiting users receive a proxy within 1 time step. The critical variable is not censor sophistication but proxy arrival rate relative to client demand—high proxy churn combined with high arrival rate defeats both enumeration strategies tested.
-
The host-profiling censor (passive traffic analysis: count connections per server, block those exceeding a threshold τ within a window w) blocks essentially all circumvention user traffic within 30 time steps for all classifier qualities tested (ρ_TP ∈ {0.9, 0.95, 0.99}), while causing far less collateral damage than zig-zag (never exceeding ~30% innocent server blocking). Snowflake resists this attack well: with w=3, τ=3, over 94.48% of users receive a proxy within 2 steps even with worst-classifier rules, and final unblocked server rates are 91.24–99.04%. The host profiling approach is feasible for passive censors who cannot enumerate the distribution channel.
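A minimal sketch of the host-profiling rule; τ and w follow the text, while the data layout and the toy trace are illustrative assumptions:

```python
from collections import defaultdict

def host_profile_block(connections, tau=3, window=3):
    """Passive host-profiling censor: slide a `window`-step window over
    per-step connection logs and block any server whose connection count
    within the window exceeds threshold `tau`.
    `connections` maps step -> list of server IDs contacted that step."""
    blocked = set()
    steps = sorted(connections)
    for i in range(len(steps)):
        counts = defaultdict(int)
        for s in steps[max(0, i - window + 1): i + 1]:
            for server in connections[s]:
                counts[server] += 1
        blocked |= {srv for srv, c in counts.items() if c > tau}
    return blocked

conns = {
    0: ["proxy-A", "cdn"],
    1: ["proxy-A", "proxy-A"],
    2: ["proxy-A", "proxy-A", "cdn"],
}
```

Against ephemeral proxies this rule loses power because no single server address accumulates enough connections within the window before churning away.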
-
Multi-censor simulations show that single-censor-optimized distribution strategies perform suboptimally in realistic multi-region deployments. When two networks have different censor strategies (e.g., one optimal, one zig-zag), the distributor cannot detect that a proxy is blocked until all censors have blocked it; this leaves clients without reachable proxies despite the proxy appearing "available" from the distributor's view. The authors conclude that "single-censor evaluation does not accurately predict more realistic deployment performance." A zig-zag censor in one region with 0.25 weight caused 44.4% collateral damage while reducing proxy lifetime to a median of 4 steps.
-
The zig-zag traffic analysis attack (confirmed supported in Geedge TSG leak) rapidly enumerates all static proxy pools. With ζ_watch ∈ {4, 6} steps and a best-quality classifier (ρ_TP=0.99, ρ_FP=0.001), almost total proxy enumeration and user blockage occurs well before step 300. Even ζ_watch=2 leaves ~50% of users blocked. Collateral damage is high across all settings when ζ_watch ≥ 4: eventually ~50% of innocent servers are also blocked. However, Snowflake-style ephemeral proxies resist zig-zag effectively: reachability remains above 95% after 360 steps because churn prevents the censor from expanding its known proxy set beyond agents' direct assignments.
-
Adversarial pre-padding — prepending stochastic byte noise to packets — degrades ET-BERT encrypted traffic classification accuracy from >99% to 25.68%, exposing a structural vulnerability in all payload-byte-dependent detection systems. White-box adversarial attacks (Ayaka AH-MSI) additionally achieve evasion rates exceeding 99.5% against standard continuous-time sequence models via Manifold Shattering, where adversaries align malicious temporal distributions with benign baselines.
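The perturbation itself is trivial to implement, which is part of the point: a few random bytes ahead of the payload misalign every byte-offset feature a payload-dependent model learned (toy sketch, not the paper's exact generator):

```python
import os

def prepad(packet: bytes, max_pad: int = 64) -> bytes:
    """Adversarial pre-padding: prepend a random-length run of random
    bytes so byte-position features in the payload prefix no longer
    line up with what the classifier saw in training."""
    pad_len = 1 + os.urandom(1)[0] % max_pad
    return os.urandom(pad_len) + packet

pkt = b"\x16\x03\x01"  # e.g. a TLS record prefix a model might key on
obfuscated = prepad(pkt)
```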
-
AEGIS, a flow-physics-only ML classifier using a Hyperbolic Liquid State Space Model evaluated on a 400GB adversarial corpus including VLESS Reality, GhostBear, and AMOI-morphed traffic, achieves F1-score 0.9952, 99.50% TPR, and 0.2141% FPR at 262.27 µs inference latency on an RTX 4090. The system discards all payload bytes and classifies traffic exclusively on 6-dimensional flow physics: packet size, inter-arrival time, directionality, TCP window size, TCP flags, and payload ratio.
-
Automated proxy engines (e.g., Xray-core running VLESS Reality in automated mode) generate deterministically rigid inter-arrival time distributions because they cannot synthesize the stochastic variance of human-driven IAT, even when volumetrically anchored to benign distributions ('Fat Middle' anchoring via AMOI). The AEGIS Thermodynamic Variance Detector identifies this rigidity via Shannon Entropy of hidden states across 1,000-packet causal windows, rendering volumetric anchoring mathematically distinguishable from genuine human traffic.
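The rigidity test can be sketched as Shannon entropy over a binned inter-arrival-time histogram. The binning and the two sample sequences below are illustrative; AEGIS itself computes entropy over model hidden states rather than raw IATs:

```python
import math
from collections import Counter

def iat_entropy(iats_ms, bin_ms=10):
    """Shannon entropy (bits) of a binned IAT histogram; near-zero
    entropy flags the deterministic rigidity of automated engines,
    versus the spread of human-driven interaction."""
    bins = Counter(int(t // bin_ms) for t in iats_ms)
    n = len(iats_ms)
    return -sum(c / n * math.log2(c / n) for c in bins.values())

machine = [50, 50, 50, 50, 50, 50, 50, 50]         # metronome-like engine
human   = [12, 340, 95, 2050, 33, 610, 180, 4700]  # bursty human browsing
```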
-
Gaussian noise injection stress testing shows AEGIS maintains F1-scores of 0.9913 at 5% IAT noise and 0.9753 at 10% IAT noise, but degrades to 0.5939 at 15% Gaussian noise — establishing the 'Manifold Shattering Threshold.' The paper asserts that sustaining 15% IAT noise in practice corrupts the adversary's own C2 channel integrity, making this threshold operationally unachievable for high-throughput tunnels.
-
Flow-physics classifiers face a fundamental 'Human Entropy Horizon': when VLESS Reality multiplexes true human entropy (a human actively browsing web applications), AEGIS achieves a detection rate of only 1.17%, because XTLS wrappers impart near-zero mechanical overhead and the temporal physics remain entirely stochastic. This implies adversaries operating at human interaction speeds can evade flow-based detection, but must abandon automated high-throughput C2 scripts.
-
Routing-guided conditional aggregation (CA) that dynamically weights header versus payload contributions using per-sample MoE routing probabilities outperforms static fusion on all six datasets, demonstrating that the relative discriminative utility of headers versus payloads varies by application type — and that classifiers can adaptively shift reliance to whichever modality is less obfuscated.
-
Explicitly disentangling packet headers (structured, low-entropy) from encrypted payloads (high-entropy, stochastic) into separate MoE branches yields consistent gains across six datasets: 86.85% F1 on 120-class TLS 1.3 traffic (CSTNET-TLS), 97.88% F1 on USTC-TFC2016 malware/benign flows, and 92.65% F1 on imbalanced IoT traffic (CIC-IoT2022), demonstrating that headers and payloads carry fundamentally different and independently exploitable discriminative signals.
-
Pretraining on 30 GB of unlabeled mixed traffic via masked language modeling (ISCX-VPN2016 NonVPN, CICIDS2017, WIDE backbone), then fine-tuning, enables TrafficMoE to classify VPN application traffic at 88.72% F1 and VPN service traffic at 92.61% F1, exceeding all fully supervised and prior pretraining baselines without requiring labeled training data for those domains.
-
TrafficMoE achieves 97.65% accuracy and F1-score on the ISCX-Tor2016 dataset, substantially outperforming all baselines including the best pretraining-based competitor FlowletFormer (91.16% F1), by separately modeling protocol headers and encrypted payloads via dual-branch sparse Mixture-of-Experts rather than treating them as a unified byte stream.
-
An uncertainty-aware filtering (UF) mechanism quantifies per-token reliability via Shannon entropy of the cross-modal header–payload attention matrix, finding that encrypted payloads still contain low-entropy tokens with stable cross-modal alignment that serve as reliable classification anchors — demonstrating that nominally randomized byte streams retain exploitable low-entropy structure.
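The entropy computation behind this kind of filtering can be sketched in a few lines; this is an illustrative reconstruction, not the paper's UF implementation, and assumes each attention row is already normalized to a probability distribution (the threshold value is arbitrary):

```python
import math

def token_entropies(attn_rows):
    """Shannon entropy of each token's cross-modal attention distribution."""
    return [-sum(p * math.log(p) for p in row if p > 0) for row in attn_rows]

def reliable_tokens(attn_rows, threshold):
    """Indices of low-entropy tokens usable as classification anchors."""
    return [i for i, h in enumerate(token_entropies(attn_rows)) if h < threshold]

attn = [
    [0.97, 0.01, 0.01, 0.01],  # peaked: stable header-payload alignment
    [0.25, 0.25, 0.25, 0.25],  # uniform: maximally uncertain token
]
print(reliable_tokens(attn, threshold=1.0))  # -> [0]
```

A peaked attention row has entropy near 0 and survives the filter; a near-uniform row approaches ln(n) and is discarded as unreliable.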
-
Assemblage's anti-censorship collateral damage argument rests on the economic and social value of AI-generated image communities. Blocking DeviantArt (65M MAU), Reddit (1.21B MAU), X/Twitter (611M MAU), or Telegram (1B MAU) to suppress steganographic circumvention would cause massive collateral damage to legitimate users—and to Chinese companies' revenue in the case of platforms popular in China. The paper observes that even in authoritarian regimes, everyday users actively post AI-generated content, making blanket platform blocking politically and economically costly.
-
Lossy image compression is the primary practical barrier to deploying Assemblage on major platforms. Of 8 tested platforms, WeChat and Rednote (combined 2.6 billion MAU) failed because they serve only lossy-compressed downloads, destroying embedded steganographic content. Platforms that preserve lossless originals (Reddit, X/Twitter, DeviantArt, Discord, Imgur, Telegram) succeeded end-to-end. Discord serves ~30 KB compressed thumbnails by default but provides lossless originals via its native "Download" option.
-
Assemblage's diffusion-model steganography (Pulsar) encodes 300–618 bytes per image vector (mean ± SD by model). Generating one local state takes ~9.5 sec on an Apple M4 Pro; encoding takes ~4.4 sec; decoding takes ~4.2 sec. Sending a compressed 300-word message requires only K+h = 4+2 images using the church-256 model, with total send time ~90 sec and receive time ~30 sec. Perceptual-hash candidate detection runs in ~0.33 ms per image, making scanning all ~150 daily posts on /r/AIArt take under 1 second.
-
Assemblage inherits the bootstrapping limitation of all generative steganographic schemes: sender and receiver must share a symmetric key before communication begins. Public-key steganography exists in theory but does not currently support common image/text channels efficiently. The paper identifies three viable deployment scenarios: (1) travelers who carry a pre-shared secret before entering a censored region; (2) users in countries with episodic censorship who establish the key during uncensored periods; (3) a hybrid where a one-time signaling channel establishes the secret, after which Assemblage carries subsequent traffic.
-
Balboa's synchronous leaf-content replacement adds non-negligible timing differences that allow censors to identify its activity with up to ~90% accuracy over different network conditions. The timing anomaly arises because Balboa performs data substitution directly at each data exchange, delaying the server's response while covert data is prepared.
-
Without chunk-based padding, an XGBoost classifier identifies the target website from covert data-chunk sizes with 91% accuracy (Tranco top-100). Chunking at 2 MB reduces accuracy to 12% at a 21.3% bandwidth overhead, while 16 MB chunks reduce accuracy to near random guessing at a 480.3% overhead. Chunks as small as 64 KB already reduce accuracy to 64%, demonstrating a monotonic fingerprinting–overhead tradeoff.
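The padding mechanism that produces this tradeoff can be sketched as follows; a minimal illustration (not the paper's code), assuming each covert transfer is padded up to a whole number of fixed-size chunks so the censor observes only the chunk count:

```python
import math

def padded_size(n_bytes, chunk_bytes):
    """Pad a covert transfer to a multiple of the chunk size, so the
    observable size reveals only ceil(n / chunk), not the exact payload."""
    return math.ceil(n_bytes / chunk_bytes) * chunk_bytes

def overhead(n_bytes, chunk_bytes):
    return padded_size(n_bytes, chunk_bytes) / n_bytes - 1.0

# Coarser chunks leak less size information but waste more bandwidth:
for chunk_kib in (64, 2048, 16384):
    c = chunk_kib * 1024
    print(chunk_kib, padded_size(1_300_000, c), f"{overhead(1_300_000, c):.1%}")
```

Larger chunks collapse more distinct website sizes onto the same observable value, which is why accuracy falls monotonically as overhead rises.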
-
Huma separates proxy duties between untrusted Decoy Websites (DWs), which relay encrypted messages and serve content, and trusted Shade Proxies (SPs) outside the censored region, which decrypt requests and contact covert destinations. Even if a DW is compromised, the censor learns only whether a specific UID can access the system — no destination, no content, and no client network-layer information. SP assignment is centrally managed by the Huma Authority, preventing DW-SP collusion.
-
Huma's deferred-reply / double-request receive (DRR) protocol reduces a traffic-fingerprinting XGBoost classifier's accuracy to at most 54% (near random guessing) across geographically distributed clients (San Francisco, Frankfurt, Bangalore). A Kolmogorov-Smirnov test on absolute page-load timing distributions yields D=0.03, p=0.98 for U.S. clients — substantially tighter than Waterfall of Liberty's D=0.11 at p=0.5 — confirming that Huma flows are statistically indistinguishable from benign HTTPS fetches.
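The two-sample Kolmogorov-Smirnov statistic used for this comparison is simple to state; a self-contained sketch (illustrative data, not the paper's timing traces):

```python
import bisect

def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov D: the largest gap between the two
    empirical CDFs, as used to compare page-load timing distributions."""
    a, b = sorted(a), sorted(b)
    def ecdf(s, x):
        return bisect.bisect_right(s, x) / len(s)
    return max(abs(ecdf(a, x) - ecdf(b, x)) for x in a + b)

print(ks_statistic([1.0, 2.0, 3.0], [1.0, 2.0, 3.0]))   # identical -> 0.0
print(ks_statistic([1.0, 2.0, 3.0], [9.0, 9.5, 9.9]))   # disjoint  -> 1.0
```

A D near 0 with high p (as in Huma's D=0.03, p=0.98) means the covert and benign timing CDFs are nearly superimposed.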
-
WebSocket, required by HTTPT and WebTunnel to establish covert channels inside TLS connections, had an adoption rate as low as 6.3% of websites in 2021, sharply limiting the pool of volunteer websites that can act as proxies for these tools. By contrast, Huma's traffic replacement scheme embeds covert data in standard HTTP leaf objects (images, scripts, CSS), requiring only that the DW serve HTTP content — a near-universal property.
-
Despite AWS, Google, and Microsoft having publicly withdrawn CDN-level domain-fronting support to preserve commercial relationships with censoring states, domain fronting remains functional on AWS Lambda as of early 2026. Microsoft Azure Functions explicitly rejects mismatched SNI/Host headers, whereas AWS Lambda permits a client to present a legitimate *.lambda-url.*.on.aws SNI while routing internally to a different serverless function via the HTTP Host header.
-
CensorLess's function refresher automatically retires serverless bridges and deploys fresh ones in batches across diverse regions; the expected time until a bridge is identified and blocked in practice is 2 days (per Fifield et al.), while Tor bridges in China are discovered within 2–36 days. The old bridge is only removed after all clients have completed live migration to a new URL, maintaining uninterrupted connectivity.
-
During the cold-start phase on a newly migrated serverless bridge (approximately the first 0–50 invocations), average function duration spikes to over 6,000 ms and success rate occasionally drops below 90%. The system stabilizes between invocations 100–200, with average durations consistently below 1,000 ms and success rates above 95%; AWS Lambda by default supports up to 1,000 concurrent invocations without throttling.
-
CensorLess's threat model explicitly relies on a rational-censor assumption: the censor will not block entire cloud-provider IP ranges or domain namespaces because the collateral damage to legitimate business services would be politically and economically unacceptable. AWS Lambda's inherent IP-address ephemerality (new IPs on each invocation, function lifetime up to 15 minutes) means even censors willing to attempt enumeration face a continuously shifting target distributed across the cloud provider's global address space.
-
CensorLess vanilla mode costs $0.27/month for a single proxy processing 6.76 GB of traffic monthly, a 97.1% reduction (34.4×) over SpotProxy's optimal single-NIC configuration ($9.28/month). The private mode, which adds a t4g.micro EC2 VPS for end-to-end encryption via SOCKS, costs $3.41/month — still 63.3% cheaper than SpotProxy's cheapest option. Costs remain below $3.50/day even when scaling to 300 proxies.
-
The paper documents the compounding effect of U.S. sanctions and Iranian state censorship on app distribution: sanctions block Iranian users from Apple's App Store via IP/payment geolocation, while Iranian censorship simultaneously blocks Apple's CDN endpoints for app downloads. The combined effect forces 100% of iOS app distribution in Iran through unofficial channels, making the sanctions-censorship interaction a structural condition rather than an edge case.
-
The study finds that apps distributed via Iranian third-party iOS stores frequently contain embedded third-party tracking SDKs and piracy libraries inserted during repackaging, and that cracked/modified binaries have stripped or replaced code-signing certificates with enterprise distribution certificates. The paper quantifies developer revenue loss from piracy and documents that the repackaging process introduces both surveillance and integrity risks that users are generally unaware of.
-
Khanlari and Rahmati conduct the first comprehensive empirical study of Iranian third-party iOS app stores, collecting over 1,700 iOS app packages from three major stores. The ecosystem emerged because U.S. sanctions barred Iranian users and developers from accessing Apple's App Store and developer services, while Iranian censorship simultaneously blocked official app download infrastructure. The stores distribute both Iranian-exclusive apps (unavailable on the App Store) and cracked/modified versions of paid international apps.
-
Striding with factor 4 (early downsampling) produces the largest single-factor degradation in the ablation study: average macro-F1 drops from 0.9909 to 0.9772 and cross-dataset variance increases from 4.77×10⁻⁵ to 4.51×10⁻⁴, with worst-case dataset performance falling to a minimum macro-F1 of 0.9524. Fine-grained byte order and short-range structure — protocol headers, payload signatures, repeated byte motifs — carry essential discriminative signal that stride-based aggregation destroys.
-
Early downsampling via striding (stride=4) is the single most damaging ablation, reducing average macro-F1 from 0.9909 to 0.9772 and increasing cross-dataset variance from 4.77×10⁻⁵ to 4.51×10⁻⁴, while the worst-case dataset drops to F1=0.9524 — far larger degradation than any other design choice including Mamba-1 vs Mamba-2.
-
A burst of just 5 packets truncated to 320 bytes each (1600 bytes total) suffices for macro-F1 ≥0.9824 across all six benchmarks; the classification token reads from the final recurrent state after a 4-layer Mamba-2 stack processing this fixed-length prefix, with no additional flow-level or session-level context required.
-
Classification from the first 5 packets × 320 bytes (1600-byte burst) achieves near-perfect accuracy across Tor (F1=0.9990), VPN (F1=0.9871), malware (F1=0.9954), and IoT attack traffic (F1=0.9966), with IP addresses masked and only header and initial payload retained. The earliest portion of each packet provides sufficient discriminative information for a classification decision made within the first kilobyte of a flow.
-
MambaNetBurst classifies Tor traffic (ISCXTor2016) at F1=0.9990 and VPN traffic (ISCXVPN2016) at F1=0.9871 using only the first 5 packets (1600 bytes total) with no pre-training, matching or exceeding pre-trained baselines like ET-BERT (ISCXTor F1=0.9967, ISCXVPN F1=0.9565) and NetMamba (ISCXTor F1=0.9986, ISCXVPN F1=0.9806) at 2.5–2.7M parameters.
-
Mamba-2's constrained scalar-times-identity A-matrix acts as an implicit regularizer for packet-byte sequences: under matched settings it yields higher mean F1 (0.9909 vs 0.9874), better worst-case F1 (0.9824 vs 0.9769), and 48% lower cross-dataset variance (4.77×10⁻⁵ vs 9.21×10⁻⁵) relative to Mamba-1, while delivering 30–60% faster backward passes and 2–4× lower GPU memory usage.
-
Mamba-2 (2.5M parameters) is Pareto-optimal on the accuracy-vs-inference-time frontier: it achieves average macro-F1 of 0.9909 with 30–60% faster backward passes than Mamba-1 and 2–3× faster inference than linear Transformers with FlashAttention-2 at medium-to-large batch sizes on a single RTX 3090. Memory usage is 2–4× lower than Transformer-based counterparts, enabling single-GPU operation at sequence length 1600.
-
Supervised byte-level training without pre-training reduces total compute by an estimated 3–15× in wall-clock training time and 2–4× in training memory footprint compared to pre-trained Transformer baselines (ET-BERT, YaTC, NetMamba), while achieving equivalent or superior classification F1 across six benchmarks spanning encrypted app identification, VPN/Tor, malware, and IoT attack traffic.
-
Eliminating self-supervised pretraining reduces total wall-clock training time by an estimated 3–15× relative to ET-BERT, YaTC, and NetMamba, while achieving comparable or superior accuracy. Pretraining in representative baselines typically consumes 10–100× more compute than downstream fine-tuning; removing it also eliminates the risk of negative transfer from mismatched pretraining corpora under concept drift.
-
MambaNetBurst achieves macro-F1 of 0.9990 on ISCXTor2016 and 0.9871 on ISCXVPN2016 without any pretraining, matching or exceeding heavily pretrained baselines such as ET-BERT (F1=0.9967/0.9565) and YaTC (F1=0.9986/0.9806). High-accuracy Tor and VPN traffic classification is achievable with a compact 2.5M-parameter supervised model requiring no labeled pretraining corpus.
-
Both Firefox and Chromium leak cleartext DNS before establishing encrypted DNS connections: they first send an unencrypted UDP DNS query to resolve the DoH server's domain (e.g., doh.opendns.com). An in-path censor can intercept and poison this initial query, making encrypted DNS in browsers completely ineffective without additional circumvention of the resolver-lookup step. Additionally, Chromium always includes the SNI extension in the encrypted DNS TLS handshake (e.g., "doh.opendns.com"), leaking the resolver identity even after the initial lookup. No resolver requires SNI to be present for certificate validation when the resolver's IP certificate is configured.
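The bootstrap leak is easy to see at the packet level; a minimal RFC 1035 query builder (an illustration of what the browser emits, not browser code) shows that the resolver hostname travels in cleartext:

```python
import struct

def dns_query(name, txid=0x1234):
    """Minimal cleartext DNS A query (RFC 1035) -- the kind of packet a
    browser sends over UDP/53 to resolve its DoH resolver's hostname
    before any encrypted session exists."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

pkt = dns_query("doh.opendns.com")
assert b"opendns" in pkt   # the DoH endpoint is visible to any on-path censor
print(len(pkt))            # -> 33 bytes
```

Any censor that poisons this single 33-byte query defeats the encrypted-DNS setup that was supposed to follow it.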
-
DNS censorship of encrypted protocols is inconsistent in both China and Iran. In China, Yandex resolvers are censored only when the SNI extension is present; omitting SNI bypasses censorship for these resolvers. In Iran, DoH requires SNI omission for Quad9, Google, Adguard, CleanBrowsing, and NextDNS resolvers, but works with SNI for Yandex and Cisco resolvers. These inconsistencies suggest resolvers have been accidentally missed by censors, highlighting the value of automated tools that trial all resolver-mode combinations rather than hard-coding a single strategy. The support evaluation found 47 resolvers supporting DoH, 16 supporting DoH3, and only 8 supporting DoQ out of ~65 tested.
-
DPYProxy-DNS tested 8 circumvention modes against DNS censorship from vantage points in Iran (AS201295, Mashhad) and China (AS4837, China Unicom). In Iran, DoQ was entirely uncensored even with the SNI extension present; DoH3 worked for all Cloudflare and NextDNS resolvers. Iran's censor operates in-path (not on-path like the GFW), making the "Last Response" mode (wait 3s for the last UDP reply) ineffective in Iran but highly effective in China. Auto-mode averaged 12.32s (median 8.28s) in Iran and 13.78s (median 12.90s) in China to discover a working combination.
-
TCP segmentation (splitting a DNS message into 20-byte TCP fragments) successfully circumvented DNS censorship in China for nearly all resolvers that support TCP. In Iran, TCP segmentation was only partially effective due to the censor's ability to reassemble TCP fragments when system load permits—some runs succeeded completely, others failed entirely across all resolvers. The "Last Response" mode (wait 3 seconds for the final UDP reply) was highly effective against China's on-path GFW injector for all resolvers except the fully IP-blocked Cloudflare 1.1.1.1 resolver.
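The segmentation step itself is trivial; a minimal sketch (illustrative, not DPYProxy-DNS's code) of splitting a DNS-over-TCP message into 20-byte pieces:

```python
def segment(msg: bytes, frag: int = 20):
    """Split a DNS-over-TCP message into frag-byte pieces; each is written
    with its own send() so a per-packet inspector never sees the whole query."""
    return [msg[i:i + frag] for i in range(0, len(msg), frag)]

query = b"\x00\x23" + b"q" * 0x23   # 2-byte length prefix + 35-byte DNS message
frags = segment(query)
print([len(f) for f in frags])      # -> [20, 17]
assert b"".join(frags) == query     # the resolver's TCP stack reassembles
```

In practice each fragment must land in its own TCP segment (e.g. by disabling Nagle via TCP_NODELAY and pacing the writes); a censor that reassembles the stream, as Iran's can when load permits, defeats the technique.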
-
As of October 2024, 22% (~220K) of Tranco top-1M domains support QUIC; of those, only 12.8% (~28K) are fully QUICstep-compatible (support IP-address migration). However, port-migration support grew 20% in 3 months (26,234 → 31,262 domains from August to late September 2024). Cloudflare hosts 74.6% of QUIC-supporting domains but only 0.2% support connection migration; if Cloudflare enabled it, 87.2% of QUIC-supporting domains would become compatible. Among QUIC-SNI-blocked domains in China (28,458 total), 2,404 (8.45%) support QUIC and 828 (34.4%) of those are QUICstep-compatible today.
-
QUICstep successfully circumvents the GFW's QUIC SNI censorship (active since April 2024) in live testing. Using an Alibaba VM in mainland China as client and an AWS instance in North Virginia as server, a native QUIC client was blocked after several fetches of youtube.com SNI, while QUICstep consistently succeeded across 50 consecutive fetches. 7 tiktokcdn.com subdomains that were QUIC-SNI blocked were also reliably accessible via QUICstep. The approach routes only QUIC long-header (handshake) packets through a WireGuard tunnel; all subsequent short-header (data) packets travel the native path.
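The routing split hinges on a single bit: RFC 9000's Header Form bit distinguishes long-header packets (which carry the SNI-bearing Initial) from short-header data packets. A minimal sketch of the dispatch decision (illustrative names, not QUICstep's implementation):

```python
def is_long_header(first_byte: int) -> bool:
    """RFC 9000 Header Form bit: the top bit of a QUIC packet's first byte
    is 1 for long-header (Initial/Handshake) packets, 0 for short-header
    (1-RTT data) packets."""
    return bool(first_byte & 0x80)

def route(first_byte: int) -> str:
    """Only handshake packets -- the ones exposing the SNI -- go through
    the tunnel; everything else takes the native path."""
    return "wireguard_tunnel" if is_long_header(first_byte) else "native_path"

print(route(0xC3))  # Initial packet       -> wireguard_tunnel
print(route(0x43))  # short-header packet  -> native_path
```

Because the censor never sees the long-header packets, it never sees the SNI, while the bulk of the traffic avoids the tunnel's bandwidth cost.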
-
A censor attempting to block QUICstep by dropping all QUIC connections that arrive without a preceding Initial/Handshake packet would cause significant collateral damage. Analysis of 24-hour campus traces (3,786,050 unique QUIC connections) found 29.1% (1,100,439 connections) lacked QUIC Initial or Handshake packets—representing legitimate connection migration from mobile handoffs and similar events. This high baseline rate means blanket "no handshake" blocking would disrupt roughly 1-in-3 QUIC connections unrelated to circumvention.
-
QUICstep reduces proxy (handshake channel) traffic by a median of 93% across 100 tested domains compared to full VPN tunneling. For www.youtube.com specifically, proxy traffic dropped from 3.634 MB (full VPN) to 96 KB (QUICstep), a 97.4% reduction. Page load time improved by up to 84% versus full VPN. Performance gain is greatest when the handshake channel is bandwidth-limited (1–5 Mbps): QUICstep/VPN ratios of 0.07–0.09 at 1 Mbps, 0.34–0.46 at 5 Mbps from London to nearby proxies. Psiphon's free tier (2 Mbps) and Tor (~10 Mbps median) are both well within the bandwidth regime where QUICstep provides substantial gains.
-
FreeUp achieves 86.68% AUC on CIC-IoT2023, 85.44% AUC on DoHBrw2020 (malicious DNS-over-HTTPS tunneling), and 95.53% AUC / 93.22% F1 on ISCX-Tor2016 (Tor anonymous traffic), outperforming all nine baselines by more than 3% AUC on the first two datasets. The ISCX-Tor2016 result demonstrates that frequency-decoupled ML classifiers can detect Tor-like anonymous traffic with high confidence under zero-positive (unsupervised) training.
-
FreeUp's dual-branch architecture requires only 0.73G MACs and 6.46M parameters at inference — comparable to or lower than simpler baselines (MFR: 1.01G MACs / 11.18M params; ARCADE: 0.82G MACs / 6.70M params) — while achieving substantially higher detection accuracy. The two branches can be deployed in parallel with minimal memory usage, making frequency-decoupled ML detection computationally practical for real-time network monitoring at scale.
-
Encrypted traffic exhibits a 'full-frequency' spectral property where both low- and high-frequency components are highly active with comparable intensity, unlike natural images which are dominated by low-frequency components. Fourier Transform analysis across CIC-IoT2023, DoHBrw2020, and ISCX-Tor2016 confirms this distinction is pervasive. This signature is an inherent consequence of encryption disrupting byte-level semantics into a visually disordered, noise-like spatial pattern.
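The full-frequency property can be demonstrated with a naive DFT over short byte windows; a toy illustration (synthetic data, not the paper's analysis) comparing encryption-like noise against low-frequency structured bytes:

```python
import cmath, random

def high_freq_fraction(xs):
    """Fraction of spectral energy in the upper half of the usable band
    (k in (n/4, n/2]) for a real-valued byte sequence, via a naive DFT."""
    n = len(xs)
    mags = [abs(sum(x * cmath.exp(-2j * cmath.pi * k * i / n)
                    for i, x in enumerate(xs))) for k in range(1, n // 2 + 1)]
    total = sum(m * m for m in mags)
    return sum(m * m for m in mags[len(mags) // 2:]) / total

random.seed(0)
noisy = [random.randrange(256) for _ in range(64)]   # encryption-like bytes
smooth = [4 * i for i in range(64)]                  # low-frequency ramp
print(round(high_freq_fraction(noisy), 2), round(high_freq_fraction(smooth), 4))
```

Noise-like (encrypted) bytes spread energy across the whole band, while structured data concentrates it at low frequencies, which is the gap FreeUp's high-frequency branch exploits.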
-
Ablation experiments show that removing the high-frequency branch from FreeUp degrades AUC from 86.68% to 77.09% on CIC-IoT2023 (−9.6 pp) and from 95.53% to 95.10% on ISCX-Tor2016. Removing the entire frequency-decoupled framework causes the largest degradation, dropping to 82.10% AUC on CIC-IoT2023 and 81.26% on DoHBrw2020, confirming that high-frequency components are the primary discriminative signal in encrypted traffic anomaly detection.
-
FreeUp operates under a zero-positive (unsupervised) learning paradigm — trained exclusively on normal traffic with no labeled anomaly examples — yet achieves 95.53% AUC on Tor traffic and 85.44% AUC on DNS-over-HTTPS tunneling detection. This demonstrates that frequency-aware anomaly detectors generalize to novel circumvention protocols without requiring any labeled attack data, eliminating the labeling bottleneck that previously limited ML-based censorship detection.
-
When the researchers attempted to use Gemini 2.5 Flash as a third independent LLM judge via its API for evaluating moderation decisions, Gemini automatically blocked all judging attempts citing safety reasons. This occurred even though the research task (judging whether a response is more or less moderated) does not itself produce harmful content. The incident illustrates that LLM safety systems can over-block legitimate research use cases, and that different LLM providers have different thresholds: Claude Haiku 4.5 and GPT-4o completed all judging tasks without safety refusals.
-
Category-level analysis of 100 statements across 5 sensitive content categories found that interface-based moderation gaps vary significantly by topic. Sexuality showed the strongest WebUI/API gap (WebUI 7.0× more likely to be moderated than API per GPT-4o judge for Gemini). Political ideology followed at 2.0×, then hate speech at 1.0×. Miscellaneous offensive topics showed the inverse pattern (API more moderated at 0.3×). Religious content showed WebUI moderation with no API moderation. The pattern suggests public-facing WebUI interfaces prioritize reputational risk management for high-scrutiny categories.
-
API and WebUI interfaces show statistically significant response length differences in opposite directions across models. Gemini API responses averaged 2,333 characters vs. 1,746 for WebUI (34% longer API; t=5.028, p<0.0001, Cohen's d=0.50). ChatGPT WebUI responses averaged 2,752 characters vs. 1,389 for API (98% longer WebUI; t=-9.800, p<0.0001, d=-0.98). The divergent direction across models suggests fundamentally different generation parameters rather than simple post-hoc filtering, indicating architectural or policy-level differences at the provider level.
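The pooled-SD effect size reported here (Cohen's d) can be computed from raw length samples; a self-contained sketch with synthetic character counts (not the study's data):

```python
import math

def cohens_d(a, b):
    """Pooled-SD effect size for a difference in mean response lengths;
    positive means the first group's responses are longer."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    va = sum((x - ma) ** 2 for x in a) / (len(a) - 1)
    vb = sum((x - mb) ** 2 for x in b) / (len(b) - 1)
    sp = math.sqrt(((len(a) - 1) * va + (len(b) - 1) * vb)
                   / (len(a) + len(b) - 2))
    return (ma - mb) / sp

api_lengths = [2300, 2400, 2350, 2250]    # synthetic Gemini-API-style counts
webui_lengths = [1700, 1800, 1750, 1650]  # synthetic Gemini-WebUI-style counts
print(round(cohens_d(api_lengths, webui_lengths), 2))
```

Opposite signs of d for Gemini (API longer) and ChatGPT (WebUI longer) are what make a single post-hoc filter an unlikely explanation.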
-
An empirical study of 100 sensitive statements tested on Gemini (2.5 Flash) and ChatGPT (GPT-5) found that WebUI interfaces are systematically more restrictive than their API counterparts. According to GPT-4o judge: WebUI was moderated 18% of the time vs. 9% (Gemini API) and 13% (ChatGPT API). DeBERTa classifier found 82% of WebUI responses moderated vs. 58% of API responses. The Gemini WebUI:API ratio ranged from 2.0:1 (GPT-4o) to 7.0:1 (Claude), and ChatGPT from 1.4:1 (GPT-4o) to 15.6:1 (Claude). Neither Google nor OpenAI discloses these interface-specific policies.
-
Strong classifiers can be trained from fewer than one third of available traces with gains diminishing rapidly beyond that threshold. At inference time, macro F1 rises sharply within the first 40% of observed actions across all four datasets, meaning model identity can be inferred while the agent is still actively navigating the page.
-
Passive JavaScript UI traces are sufficient to fingerprint the underlying LLM of a browser agent with up to 96% macro F1 across 14 frontier models, achieving roughly 10× random-chance accuracy. Even the weakest model pair (Qwen3.5-9B on 2WikiMultiHopQA) reaches 63.7% F1 against a ~7% random baseline for 14 classes.
-
In open-set fingerprinting (leave-one-agent-out protocol), the majority of models exceed AUROC 0.60 for unknown-agent detection, but closed-set and open-set performance are dissociated: Seed-2-lite achieves 96.1% closed-set F1 yet scores below-chance open-set AUROC (0.38–0.47 on three of four datasets), while GPT-5.4 achieves AUROC 0.84 open-set despite ranking third in closed-set F1.
-
SHAP analysis shows timing-based features — IEI standard deviation, mean click IEI, and time to first action — dominate agent identity classification under normal conditions, receiving substantially larger attributions than structural or action-type features. Agents are distinguishable primarily by their tempo: how long they pause before acting and how variable that pause is.
-
Injecting uniformly sampled random delays between agent actions substantially degrades an unadapted XGBoost classifier, but a classifier retrained on delayed traces largely recovers performance across all four datasets. Under 5-second delay injection, the classifier shifts weight onto structural features (click-coordinate dispersion, structural key ratio, link-click ratio) that survive timing perturbation.
-
At operationally realistic base rates—1 million connection pairs per hour with only 10 true stepping-stone chains—a detector with a 1% FPR generates approximately 10,000 false alarms per hour while correctly flagging all 10 intrusions, making classical statistical methods (which cannot reach FPR ≪ 10⁻²) operationally unusable; deep learning methods must target FPR ≤ 10⁻³ to be viable.
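The base-rate arithmetic behind this claim is worth making explicit; a minimal sketch using the finding's own numbers:

```python
def alarm_load(n_pairs, n_true, fpr, tpr=1.0):
    """Expected hourly false alarms and alarm precision at a given FPR,
    assuming the detector catches every true chain (tpr=1.0)."""
    false_alarms = fpr * (n_pairs - n_true)
    true_hits = tpr * n_true
    precision = true_hits / (true_hits + false_alarms)
    return false_alarms, precision

for fpr in (1e-2, 1e-3, 1e-4):
    fa, prec = alarm_load(1_000_000, 10, fpr)
    print(f"FPR={fpr:g}: ~{fa:,.0f} false alarms/hour, precision {prec:.1%}")
```

At FPR 10⁻² only about 1 in 1,000 alarms is real; even at 10⁻³ analysts must triage ~1,000 false alarms per hour, which is why the paper sets FPR ≤ 10⁻³ as the viability threshold.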
-
ESPRESSO achieves only TPR 0.132 at FPR ≤ 10⁻³ in network-mode for DNS-tunneled traffic—near chance—compared to TPR 0.992 for SSH traffic at the same threshold. The paper attributes this to the polling-based communication mechanism of dnscat2, which disrupts the timing patterns that interval-based flow correlation relies on.
-
ESPRESSO, a deep learning flow correlator combining a transformer backbone with time-aligned interval features and online triplet mining, achieves TPR >0.99 at FPR ≤ 10⁻³ for SSH, SOCAT, and ICMP stepping-stone traffic in network-mode detection, versus DCF's TPR of 0.320–0.956 across those same protocols at the same threshold. On the harder mixed-protocol dataset in network-mode, ESPRESSO achieves TPR 0.748 at FPR ≤ 10⁻³, more than double DCF's 0.334.
-
Ablation experiments show that replacing ESPRESSO's transformer backbone with a CNN ('Modified DCF') while retaining time-aligned interval features achieves performance competitive with the full ESPRESSO model across most protocols (e.g., SOCAT network-mode pAUC 0.997 vs. 0.989 at FPR ≤ 10⁻³), demonstrating that the time-interval feature representation—not the transformer architecture—is the primary driver of correlation accuracy.
-
A systematic robustness evaluation found that ESPRESSO is highly robust to packet padding alone but that even modest artificial timing jitter causes significant performance degradation, identifying timing-based perturbations as the primary vulnerability of correlation-based stepping-stone (and by extension, anonymity-network) detectors.
-
CAPTCHAs co-occurred with 'Resource Inaccessible' in 70% of CAPTCHA reports and appeared in 23% of all 'Resource Inaccessible' reports; overall 14% of the 119 reports involved one or both problems. Two CAPTCHA failure modes were identified: excessive repetitive CAPTCHAs and broken CAPTCHA servers that made the underlying website permanently inaccessible. The 'Unusual traffic detected from your computer' Google error appeared in 5% of all reports.
-
17% of ReporTor reports cited broken content; investigation found that several websites returned HTTP 403 errors through Tor Browser but loaded normally in Firefox, revealing deliberate differential treatment of Tor traffic masquerading as technical failure. Blocked resources included advertising platforms (e.g., t.co) and JavaScript files handling cookie-consent dialogs, and 8% of reports involved authentication failures where initial page load succeeded but subsequent auth steps were silently refused.
-
Two mechanistically distinct blocking categories account for Tor exit-node inaccessibility: explicit blocks (deliberate CDN/WAF configuration, e.g., Akamai Bot Manager renders AirBnB inaccessible over Tor) and dynamic blocks (abuse-detection systems that flag Tor exit-node IPs because pooled traffic from diverse users raises apparent abuse scores, triggering rate-limiting or blocking despite no explicit Tor policy). Cloudflare does not block Tor by default, but its aggressive IP scoring results in disproportionate blocking in practice.
-
'Resource Inaccessible' was the most frequently reported issue (61% of 119 submitted reports) during a month of naturalistic Tor Browser browsing, followed by CAPTCHAs (18%), Broken Content (17%), Other Issues (13%), and Timeouts (5%). These categories document the operational failure modes that degrade everyday Tor Browser usability beyond protocol-level censorship.
-
The privacy properties of Tor Browser structurally preclude automated telemetry collection, creating a persistent blind spot for diagnosing user experience failures at scale. ReporTor demonstrates that anonymous voluntary in-situ reporting — transmitted over the Tor network and stored in a password-protected onion-service database — can substitute for telemetry: 119 reports over one month from five expert users sufficed to reproduce approximately half of reported issues exactly and identify root causes for most of the remainder.
-
All major browsers (Firefox, Chromium) issue an unencrypted DNS-over-UDP query to resolve their configured DoH resolver's domain before initiating any encrypted DNS session. In Iran, nearly all tested DoH resolver domains are directly censored at the DNS layer (returning block-page IPs), which renders browser-native encrypted DNS ineffective regardless of whether the underlying encrypted protocol would otherwise succeed. Additionally, browsers always include the SNI extension in TLS handshakes with DNS resolvers even though no tested resolver requires it.
-
DPYProxy-DNS's automated probe-and-select mode identified a working DNS circumvention in an average of 13.78 seconds (median 12.90s) in China and 12.32 seconds (median 8.28s) in Iran across 100 runs each; best-case startup was 0.32s (China) and 0.47s (Iran) when the first-tried combination succeeded, while worst-case runs reached 30.72s in China and 58.16s in Iran due to the slow Last Response mode (3s fixed wait per attempt) being selected early in the randomized probe order.
-
The GFW operates as an on-path censor that injects forged DNS responses faster than the real resolver but cannot suppress the legitimate response from also arriving. Waiting approximately 3 seconds and accepting the last-received UDP response circumvented GFW DNS injection for 40 of 41 tested public resolvers in China; the single exception (Cloudflare 1.1.1.1) was IP-blocked via packet dropping rather than injection racing.
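The last-response technique reduces to draining the socket for a fixed window and keeping the final datagram; a simplified sketch (illustrative, not DPYProxy-DNS's code, and without DNS parsing or validation):

```python
import socket, time

def last_udp_response(sock, wait_s=3.0, bufsize=4096):
    """Drain UDP replies for wait_s seconds and keep only the last one.
    An on-path injector wins the race but cannot suppress the genuine
    resolver reply, which arrives later and overwrites the forgery."""
    sock.settimeout(0.2)
    deadline = time.monotonic() + wait_s
    last = None
    while time.monotonic() < deadline:
        try:
            last, _ = sock.recvfrom(bufsize)
        except socket.timeout:
            continue
    return last
```

This only works against on-path injectors; an in-path censor like Iran's drops the query before the real resolver ever sees it, so no genuine reply arrives to overwrite the forgery.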
-
Iran's DNS censorship is largely ineffective against encrypted DNS: DoQ is not censored at all (with or without SNI present), DoH3 works for all tested Cloudflare and NextDNS resolvers, and most DoT/DoH resolvers work when the SNI extension is omitted. Iran's censorship of unencrypted DNS is in-path (queries never reach the real resolver), which means the GFW-style 'last response' technique fails entirely in Iran because the client's original query is dropped before reaching its destination.
-
TCP segmentation — splitting DNS-over-TCP messages into 20-byte fragments — successfully circumvented DNS censorship for 40 of 41 tested resolvers in China. In Iran, TCP segmentation is inconsistently effective: it succeeds in some scan runs and fails entirely in others, suggesting the Iranian censor can reassemble TCP fragments when processing capacity permits.
-
Ephemeral defenses were integrated with a WireGuard fork and deployed as Mullvad VPN's 'DAITA' (Defense Against AI-guided Traffic Analysis) opt-in feature across Android, iOS, macOS, Linux, and Windows for over one year, serving thousands of daily users with usage still growing. Individual defenses are derived deterministically from seeds in 43.6 ± 4.7 ms on a commodity laptop, making per-connection unique defenses practical at VPN scale.
-
Ephemeral blocking defenses reduce DF accuracy from 89.0% (undefended) to 10.2% and RF from 90.1% to 14.7% with standard 30-epoch training, at 97.5% bandwidth and 68.4% delay overhead; under infinite training, DF rises to only 29.2% and RF to 24.3%, still far below undefended baselines of 92.7% and 94.7%. Defenses are tunable at deployment time by adjusting Maybenot framework-wide limits, enabling overhead-vs-protection trade-offs without redeployment.
-
The ephemeral property — using a unique seed-derived defense per connection — prevents attackers from training classifiers on the exact deployed defense variant. Stacked combinations with height H=5 from N=1,000 base defenses yield 6.88×10^25 unique defenses (polynomial growth O(N^{2H})). Attacks trained on ephemeral defenses also generalize significantly better across other randomized defense families than attacks trained on static defenses.
-
Padding-only defenses that inject bursty traffic cause severe additional delay under realistic network bottlenecks: Break-Pad's delay overhead increases from 0% to 332.6% and FRONT's from 0% to 111.2% under a per-trace simulated PPS bottleneck. Even ephemeral padding defenses induce 43.9% delay overhead under bottleneck conditions, compared to 0% without a bottleneck, due to congestion from dummy packets.
-
With infinite training time, Laserbeak achieves 93.5%, 95.9%, and 95.9% accuracy against ephemeral padding, FRONT, and Interspace respectively, compared to 96.5% undefended — confirming that padding-only defenses provide no meaningful protection against a sufficiently trained deep-learning WF adversary. Only ephemeral blocking defenses retain measurable protection, reducing Laserbeak to 71.8% accuracy under infinite training versus 96.5% undefended.
-
MIRAGE's differentially private routing function provably bounds adversary inference: for a routing protocol satisfying ε-DP with ε = ln(4), any hypothesis test achieving a true positive rate of 80% necessarily incurs a false positive rate of at least 20%. The TPR-to-FPR ratio is bounded by e^ε for any ε-DP routing function, providing a formal privacy guarantee against routing-level statistical disclosure attacks.
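The quoted bound can be checked numerically. This is a minimal sketch of the arithmetic, assuming the standard differential-privacy hypothesis-testing form TPR ≤ e^ε · FPR, which rearranges to FPR ≥ TPR / e^ε:

```python
import math

def min_fpr(tpr: float, epsilon: float) -> float:
    # For any hypothesis test against an eps-DP mechanism,
    # TPR <= e^eps * FPR, so the achievable FPR is bounded below.
    return tpr / math.exp(epsilon)

# MIRAGE's example: eps = ln(4), TPR = 80% forces FPR >= 20%.
print(min_fpr(0.8, math.log(4)))  # ~0.2
```

With ε = ln(4), e^ε = 4, reproducing the paper's 80%/20% trade-off exactly.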
-
Embedding explicit TTL values in mesh-routed messages leaks proximity information — a recipient can infer that a high-TTL message originator was recently nearby. MIRAGE mitigates this with memoryless TTLs: carriers independently discard messages with probability q per epoch, implementing a branching process with replication factor R ≤ nmax·(1−q). Setting q > 1 − 1/nmax ensures sub-critical message extinction with expected lifetime ≈ −ln(nmax)/ln(R) epochs.
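A minimal sketch of the lifetime arithmetic, using illustrative parameter values (nmax = 5 copies, q = 0.85 drop probability) that are not from the paper:

```python
import math

def expected_lifetime(nmax: int, q: float) -> float:
    # Replication factor of the branching process: at most nmax copies
    # per epoch, each surviving independently with probability 1 - q.
    r = nmax * (1 - q)
    # q > 1 - 1/nmax guarantees r < 1, i.e. sub-critical extinction.
    assert r < 1, "q must exceed 1 - 1/nmax for sub-critical extinction"
    # Expected lifetime ~ -ln(nmax) / ln(R) epochs, per the finding above.
    return -math.log(nmax) / math.log(r)

# nmax=5 requires q > 0.8; q=0.85 gives R=0.75 and ~5.6 epochs.
print(round(expected_lifetime(5, 0.85), 2))
```

Because carriers discard memorylessly with the same per-epoch probability, an observer cannot infer from a message's continued presence how long ago it originated, which is the proximity leak the explicit-TTL design suffers from.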
-
MIRAGE delivers 15× more messages than random-walk protocols and significantly outperforms probabilistic flooding in delivery rate. On the pedestrian YJMob100K dataset at p=0.6, MIRAGE achieved a delivery rate of 36.9%, compared to 9.1% for probabilistic flooding (4.1×) and 3.2% for handoff (11.5×). MIRAGE incurs substantially lower network load than maximal flooding (86.9% delivery) while maintaining better delivery rates than all non-flooding baselines.
-
The PPBR (probabilistic profile-based routing) protocol leaks user community membership through observable routing decisions: in a controlled experiment with 800 majority and 200 minority users, a statistical disclosure attack achieved a true positive rate of 100% and false positive rate of 0% when identifying minority users. Even under a conservative PPBR configuration (top 1/3 fraction acceptance), the attack achieved 100% TPR and only 0.4% FPR.
-
MIRAGE constructs a global mobility graph using locally differentially private per-user submissions, requiring only O(ln(|M|/β) / (α²ε²)) users to achieve per-edge accuracy α with probability 1−β. For a 100-district map with ε=0.05 and α=0.5, fewer than 1 million users suffice for top-2 district reporting; for top-3 districts the requirement drops to under 200K users.
-
Russia's Ministry of Digital Development issued guidelines effective April 15, 2026 requiring popular apps to detect and restrict access from VPN-using devices. RKS Global's analysis of 30 popular Russian Android apps found that 22 of 30 implement VPN detection, and 19 of those transmit the detected VPN status to their servers. This represents a shift from network-layer blocking (TSPU) to app-layer enforcement as an additional censorship vector.
-
Banking apps from major Russian institutions (Sber, T-Bank, VTB, Alfa-Bank) combine VPN detection with behavioral biometrics — screen pressure, touch coordinates, and gesture timing — enabling cross-account re-identification of users behind proxies. 11 apps received a "RED" (maximum surveillance) rating. T-Bank, Yandex services, and MAX additionally deploy active anti-analysis features that detect research tooling on the device (rooted devices, emulators, Frida, etc.).
-
The RKS Global report documents a two-tier Russian censorship architecture: TSPU network-layer blocking (documented by Xue et al. 2024) at the ISP level, now supplemented by mandated app-layer VPN detection in the 30 most popular Russian Android apps. This layered approach means a circumvention tool that successfully bypasses TSPU at the network layer can still be detected and reported by the app layer, closing the gap that network-only circumvention leaves open.
-
CNN-based passive traffic analysis failed to deanonymize I2P services when transferred from a controlled lab to the public I2P network. Lab-trained models produced mostly unusable results: the 'Without port' variant misclassified Class 2 packets at 71.6–88.4× the true count, and the 'Without payload' variant was only marginally better (12.8–13.2× false positives), demonstrating that lab-learned patterns do not generalize to real-world I2P traffic.
-
Fano's inequality establishes a theoretical lower bound on deanonymization error probability as a function of anonymity set size |Θ|, prior uncertainty H(X), and mutual information leakage I(X;Y). For a network of N sufficiently large nodes with uniform routing, Pe ≥ (log N − 1) / log(N−1), approaching 1 (perfect anonymity). The authors found that closed-form estimation of I(X;Y) from I2P traffic features was analytically intractable, requiring ML approximation — and that ML also failed in practice.
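The uniform-routing bound can be evaluated numerically. This sketch assumes base-2 logarithms, which makes the subtracted 1 the one-bit ceiling on the binary entropy term in Fano's inequality:

```python
import math

def fano_lower_bound(n: int) -> float:
    # Uniform prior over n nodes with negligible leakage:
    # Pe >= (log2(n) - 1) / log2(n - 1), per the finding above.
    return (math.log2(n) - 1) / math.log2(n - 1)

for n in (16, 1024, 2**20):
    print(n, round(fano_lower_bound(n), 3))
```

The bound rises from roughly 0.77 at n=16 toward 0.95 at n=2^20, illustrating the claim that the error probability approaches 1 (perfect anonymity) as the anonymity set grows.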
-
Applying Fano's inequality, the paper proves Pe ≥ (H(X)−1)/log|Θ|, showing that deanonymization error rate approaches 1 (perfect anonymity) when the anonymity set |Θ| is large and mutual information leakage I(X;Y) between observed traffic Y and target identity X is minimized. A uniform default tunnel length of 3 hops across all nodes, for example, contributes no differential leakage because p(y=3)=1, illustrating that standardized network parameters reduce identifiability.
-
Lab-trained CNN models completely failed to generalize to real public I2P network traffic: the 'without payload' variant produced 12.8–13.2× more false positives for the target service class than ground-truth packets actually existed (Table VIII), rendering all models forensically unusable. The authors conclude that heterogeneity and dynamism of real-world I2P traffic prevents lab-derived classifiers from achieving practical deanonymization.
-
I2P payload entropy is close to 8 bits per byte (Figure 9), confirming strong encryption that renders payload content analytically unusable. Across all CNN experiments, models trained on payload data alone achieved 72.5–76.5% accuracy versus 95.17–99.5% for metadata-only variants; encrypted payload acted as 'noise that confused the model' rather than as a signal.
-
I2P payload entropy was measured at close to 8 bits per byte across sampled packets (Figure 9), confirming that payload content is cryptographically indistinguishable from random noise and provides no usable signal for classification. All experimental variants using raw payload alone achieved poor and high-variance accuracy (72.5–76.5%), while excluding payload improved accuracy to 99.5% in lab conditions.
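The measurement behind the ~8 bits/byte figure can be sketched as Shannon entropy over a payload's byte-value histogram; `byte_entropy` is an illustrative helper, not the paper's code:

```python
import math
import os
from collections import Counter

def byte_entropy(payload: bytes) -> float:
    # Shannon entropy of the byte-value distribution, in bits per byte.
    # Well-encrypted data approaches the 8-bit maximum; structured
    # plaintext sits far below it.
    counts = Counter(payload)
    total = len(payload)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

print(round(byte_entropy(os.urandom(1 << 16)), 2))           # close to 8.0
print(round(byte_entropy(b"GET / HTTP/1.1\r\n" * 4096), 2))  # far below 8.0
```

The gap between the two prints is why excluding payload helped the CNNs: a near-maximal-entropy input carries essentially no learnable per-class signal.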
-
Unsupervised k-Means clustering over I2P flow features (port, payload length, protocol) found no natural cluster structure: distortion decreased nearly linearly with k up to k=20 with no elbow, indicating I2P traffic lacks the simple separable patterns that enable clustering-based traffic classification. The 435-packet dataset yielded one cluster of 75 and clusters as small as 3, with no forensically useful groupings.
-
Unsupervised k-Means clustering on I2P traffic features (port, payload length, protocol type) produced no natural cluster structure — distortion decreased almost linearly with k showing no elbow point — confirming that I2P's obfuscation successfully destroys simple separable patterns that shallow classifiers rely on. CNNs were required to detect any signal at all.
-
Under controlled lab conditions, a CNN trained on packet metadata (ports, sizes, TCP sequence numbers) achieved 99.5% accuracy classifying I2P packets with the 'Without payload' variant, versus only 72.5–76.5% using encrypted payload alone. However, when applied to the full recorded dataset, the 'Without payload' model's accuracy for the dominant irrelevant-traffic class dropped to 95.17% while maintaining 100% on target-class packets — but with a high false-positive rate making it forensically unreliable.
-
CNN models trained on I2P lab traffic achieved 99.5% validation accuracy using metadata alone (packet sizes, ports, TCP sequence numbers) versus only 72.5–76.5% accuracy when using encrypted payload only. This demonstrates that packet metadata is far more discriminating than payload content for traffic classification in encrypted anonymity networks.
-
The largest single source of censored domains in the GNL is MESA lab's SNI monitoring dataset (E21-SNI-Top200w.txt) containing 57,362 censored domains, and E21-SNI-Top120W-20221020.txt with 36,467 domains—totaling over 93K domains from network tap data alone for a single country (E21 = Ethiopia per InterSecLab attribution). A separate Xinjiang dataset (XJ-CUCC-SNI-Top200w.txt) contains 13,604 domains. These datasets "do not seem to come from popular domain lists, and instead appear to be gathered from network taps," confirming that Geedge builds censorship target lists directly from passive traffic observation.
-
Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.
-
The GNL reveals that Geedge actively maintains dedicated VPN-infrastructure tracking datasets. The China-specific component includes 7,016 domains in a "vpn-finder-plugins" repository (mesalab_git/intelligence-learning-engine), 4,810 NordVPN server domains, and a Pakistan-specific file listing 68 Psiphon CDN domains (geedge_docs/TSGEN/.../Psiphon-CDN_20240430.json) dated April 2024. A Myanmar deployment file (M22-VPN List.html, 27 domains) further confirms country-specific VPN blocklists are operationally maintained. The "Appsketch" program reverse-engineers VPN apps to extract domains and IP addresses for blocking.
-
Re-testing in 2025 on a Pixel 10 Pro XL running Android 16 with October 2025 security updates confirmed that blind in/on-path VPN inference attacks remain fully viable despite CVE-2019-9461, CVE-2019-14899, and CVE-2024-49734 having been formally closed. All three core attack primitives—VPN-assigned internal IP discovery, active connection inference, and TCP reset injection via sequence/acknowledgment window scanning—succeeded across OpenVPN, WireGuard, and NordLynx.
-
Six widely deployed VPN and circumvention tools—OpenVPN, WireGuard/NordLynx, NordWhisper, Orbot (Tor on Android), Lantern, and Psiphon—all failed to block internal IP inference, connection-state detection, and TCP reset injection under identical adversarial conditions on fully patched Android 16. Application-layer obfuscation in Lantern and Psiphon did not prevent TCP-layer disruption; Orbot's VPN-style encapsulation of Tor traffic was bypassed via the same tunnel-level side channels.
-
The CVE system is structurally incapable of tracking cross-vendor architectural vulnerabilities: in 2019 MITRE correspondence the authors were told CVE identifiers apply only to specific software implementation mistakes and that CVE-2019-14899 'should not have been assigned,' leaving the architectural VPN inference attack surface permanently untracked. Between CVE-2019-14899 (2019) and CVE-2024-49734 (2024), no new CVE was assigned despite continued reporting and confirmed exploitability, creating a five-year gap in the public record during which vendor patch claims went unchallenged.
-
The paper proposes an Internet Freedom vulnerability registry with five design principles: persistent cross-vendor tracking under shared identifiers (e.g., IF-ARCH-2025-001) as long as a risk remains reproducible; human-centered impact ratings anchored to harm potential for journalists and dissidents rather than CVSS-style exploitability scores; timestamped re-verification hooks with linked PCAPs and minimal reproduction scripts; a structured media interface to counter vendor narrative capture; and open public APIs for integration into risk dashboards so that users of tools like Orbot or Lantern can directly query their configuration's exposure to known metadata-based attacks.
-
The server-side variant of the blind VPN inference attack—where an in/on-path adversary exploits predictable NAT assignment and tunnel routing semantics to inject spoofed packets indistinguishable from legitimate encrypted traffic—has remained unacknowledged and unmitigated across all tested platforms since its concurrent disclosure in 2019. Unlike the client-side variant, which received partial fixes from Google (CVE-2019-9461, CVE-2024-49734) and Apple (iOS 17.2.1), no vendor has proposed a viable remediation or claimed ownership of the server-side attack surface.
-
Obscura's browser-to-browser (B-B) WebRTC connections produce DTLS ClientHello and ServerHello messages indistinguishable from genuine browser traffic: across 100 captured handshakes compared against Facebook Messenger, Google Meet, Discord, and a reference WebRTC app using the dfind tool, no unique identifiers were found in Chrome-to-Chrome (C-C) connections, and the sole Firefox-specific fingerprint (ServerHello length 86 bytes, cipher TLS_AES_128_GCM_SHA256, extension field length 46 bytes) matches the default Firefox WebRTC profile — meaning blocking it would also block all legitimate Firefox WebRTC users.
-
A differential degradation attack (DDA) that selectively drops RTP packets carrying the last packet of a video frame — exploiting the fact that a single lost packet causes the entire encoded frame to be discarded — reduces Protozoa's covert throughput to single-digit KBps at 1920×1080 with 15% frame loss and at 426×240 with 50% frame loss, while maintaining acceptable video quality for legitimate WebRTC traffic.
-
Obscura proxies resist active probing by never exposing open ports or accepting incoming connections; combined with a large ephemeral volunteer pool (analogous to Snowflake's scale), the vast IP address space and rapid proxy rotation make exhaustive enumeration infeasible without causing sufficient collateral damage to deter the censor — consistent with the absence of observed blind-blocking campaigns against Snowflake.
-
Under baseline conditions (0% packet loss, no bandwidth constraint, 115 ms RTT), Obscura achieves average throughputs of 1.79 Mbps for Firefox-to-Firefox, 1.49 Mbps for Chrome-to-Chrome, and 1.32 Mbps for Pion-to-Pion connections; P-P connections collapse when the 2 Mbps target video bitrate exceeds the 1500 Kbps bandwidth constraint, while C-C connections remain usable at 10% packet loss with an average of 460 Kbps.
-
Authoritarian regimes blocked Snowflake primarily through DPI targeting fingerprints in Pion's DTLS handshake and TLS fingerprints in complementary WebRTC protocols, not through ML-based traffic analysis — confirming that cost-effective censors consistently favor simple, deterministic methods over computationally expensive classifiers.
-
The vanilla range-coding baseline suffers from two provable security failures that RRC corrects: (1) distortion of the token probability distribution because interval boundaries do not align with token probabilities, and (2) randomness reuse across sampling steps, which exposes detectable statistical bias. The rotation mechanism specifically addresses both by introducing fresh PRNG-seeded randomness o~U(0,1) at each step and applying a modulo rotation to the decimal state.
-
Rotation Range-Coding (RRC) steganography achieves approximately 100% entropy utilization (99.98% on GPT-2) while maintaining zero KL divergence at every generative step, outperforming all prior provably-secure baselines: SparSamp at 96.76%, Discop w/ sort at 95.17%, iMEC at 71.44%. The rotation mechanism transforms the discrete uniform random variable into a continuous uniform at each step, preserving the original LM probability distribution exactly.
-
RRC steganography achieves an embedding speed of up to 1554.66 bits/s on GPT-2 — the fastest among all provably-secure methods tested — and sustains approximately 1500 bits/s across message lengths from 64 to 1024 bits. Embedding a 128-bit secret message takes 0.082 seconds, and the method scales to at least 8192-bit messages (13.5 seconds, 99.99% entropy utilization) without an upper bound on message length.
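A quick consistency check of the throughput figures quoted above (the sustained rate drops for very long messages, which is why 8192 bits takes 13.5 s rather than a naive extrapolation):

```python
# Embedding-time arithmetic at the reported peak rate of ~1554.66 bits/s.
RATE_BPS = 1554.66

# A 128-bit secret message at the peak rate matches the reported 0.082 s.
print(round(128 / RATE_BPS, 3))
```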
-
Fine-tuned BERT and RoBERTa steganalysis discriminators achieve only 47.8–50.6% detection accuracy across GPT-2, OPT-1.3B, and Llama-2-7B stegotext — indistinguishable from random guessing. Human evaluators perform similarly poorly (46.6–50.6% accuracy, F1 ≤ 51.5%), while the paper notes statistical classifiers already outperform humans on this discrimination task.
-
RRC steganography is training-free, model-agnostic, and plug-and-play: it requires no modification to the underlying language model and was validated on GPT-2, OPT-1.3B, and Llama-2-7B. The symmetric-key design requires only that sender and receiver agree on a shared PRNG seed and the secret message length l before communication.
-
Empirical evaluation against nine major commercial VPN providers found all five tested connection tracking frameworks (Linux Netfilter, FreeBSD PF, IPFW, IPFilter, natd) and eight of nine providers vulnerable to at least one session manipulation attack, resulting in 19 assigned CVEs/CNVDs.
-
DNS hijacking via shared VPN NAT is feasible because the full 16-bit TxID space (up to 65,536 values) can be brute-forced in an average of 4.27 seconds, well within a typical 10-second DNS request timeout; browser DNS cache windows range from 60 seconds (Chrome/Edge) to 660 seconds or more (Firefox), with longer windows enlarging the injection race window.
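A back-of-the-envelope check of the brute-force numbers quoted above:

```python
# Covering the full 16-bit DNS transaction-ID space in the reported
# 4.27 s implies roughly 15.3k spoofed responses per second, and the
# whole sweep completes well inside a typical 10 s DNS request timeout.
TXID_SPACE = 1 << 16           # 65,536 possible transaction IDs
BRUTE_FORCE_SECONDS = 4.27     # average sweep time reported in the paper

rate = TXID_SPACE / BRUTE_FORCE_SECONDS
print(round(rate))                    # spoofed responses per second
print(BRUTE_FORCE_SECONDS < 10)       # fits in the timeout window
```

The browser-cache figures compound this: a 60–660 s cache window means a single successful injection persists far longer than the seconds needed to win the race.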
-
A co-tenant attacker sharing the same VPN server can launch a port-exhaustion DoS in an average of 4 seconds with over 90% success rate, inject forged HTTP responses in 64.11 seconds at a 66.7% success rate, and hijack DNS responses at success rates of 20% to 70%.
-
When a VPN server uses Port Preservation for NAT, a co-tenant off-path attacker can infer another user's externally mapped source port by sending probe SYN packets with guessed ports through the tunnel and spoofed SYN/ACK verification packets outside the tunnel; confirmation comes from observing which port the VPN server forwards the response to, enabling targeted TCP session hijacking.
-
Spoofed TCP RST packets with sequence numbers stepped at 60,000-unit intervals sent outside the VPN tunnel can evict a victim's ESTABLISHED session entry (timeout drops from 432,000 s to 10 s in Netfilter pre-patch); approximately 71,000 RST packets suffice and can be sent in seconds on modern hardware. Controlling RST TTL to equal the hop count to the VPN server bypasses the RFC 5961 challenge-ACK countermeasure.
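The "~71,000 packets" figure follows from simple arithmetic over the 32-bit sequence space:

```python
import math

# Stepping the RST sequence number in 60,000-unit increments covers the
# full 2^32 sequence space; as long as the receive window is at least
# 60,000 bytes wide, one of the steps lands in-window.
SEQ_SPACE = 1 << 32
STEP = 60_000

packets_needed = math.ceil(SEQ_SPACE / STEP)
print(packets_needed)  # 71583
```

At modern packet rates (millions of small packets per second), 71,583 RSTs take well under a second to emit, consistent with the paper's "seconds on modern hardware" claim.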
-
A plug-and-play Boundary Preserving Aggregation Module (overlapping window partitioning with joint packet- and burst-level features, W=20ms, stride=10ms) consistently improves existing WF baselines without architectural modification: applied to DF, AUC rises from 0.780 to 0.901 and P@5 from 0.315 to 0.545; applied to ARES'25, P@5 rises from 0.869 to 0.900 in the open-world 5-tab setting. The module's consistent gains across all three tested baselines confirm that fixed non-overlapping window segmentation is a structural vulnerability in prior WF pipelines.
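An illustrative sketch of the overlapping window partitioning (W = 20 ms windows, 10 ms stride); the feature extraction itself is omitted, and `overlapping_windows` is a hypothetical helper, not the paper's module:

```python
def overlapping_windows(events, window_ms=20.0, stride_ms=10.0):
    # events: list of (timestamp_ms, direction) packet records.
    # With stride < window, each packet falls into overlapping windows,
    # so packets at page boundaries contribute to adjacent windows
    # instead of being cut by a fixed non-overlapping segmentation.
    if not events:
        return []
    end = max(t for t, _ in events)
    windows, start = [], 0.0
    while start <= end:
        windows.append([(t, d) for t, d in events if start <= t < start + window_ms])
        start += stride_ms
    return windows

# Toy trace: (timestamp in ms, direction +1 outgoing / -1 incoming).
trace = [(1.0, 1), (9.0, -1), (15.0, 1), (28.0, -1)]
print([len(w) for w in overlapping_windows(trace)])  # [3, 2, 1]
```

Note that the packet at t = 15 ms appears in both the [0, 20) and [10, 30) windows; that double coverage is the "boundary preserving" property the module exploits.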
-
DEMUX achieves a P@5 of 0.943 and MAP@5 of 0.961 in the closed-world 5-tab multi-tab website fingerprinting setting, outperforming the strongest prior baseline (ARES'25) by 9.2 and 6.2 percentage points respectively. ARES'25's P@K degrades from 0.900 at 2-tab to 0.851 at 5-tab (a drop of 4.9 pp), while DEMUX improves from 0.926 to 0.943 over the same range, expanding the absolute margin from 2.6 to over 9 points.
-
In the open-world 5-tab setting — where each trace contains one unmonitored site, substantially increasing noise and class imbalance — DEMUX achieves AUC of 0.998, P@5 of 0.951, and MAP@5 of 0.966, while ARES'25 achieves 0.988/0.869/0.911. DEMUX's advantage widens in the open-world setting (the P@5 gap grows from 2.6 pp to 8.2 pp versus closed-world), confirming that state-of-the-art WF attacks are not defeated by open-world conditions or unmonitored co-browsing traffic.
-
The Traffic Aggregation Matrix (TAM) representation used by the RF baseline — which counts directional packet counts over fixed time slots rather than tracking per-packet sequences — shows unexpectedly strong robustness under TrafficSliver, achieving P@2 of 0.702, substantially exceeding all other CNN-based methods under that defense. Var-CNN similarly achieves P@2 of 0.826 under TrafficSliver despite mediocre no-defense performance, suggesting that tolerance to partial packet loss is architecturally separable from peak single-observer accuracy.
-
Under the TrafficSliver defense — which splits traffic across multiple Tor entry nodes so no single observer sees more than a partial fraction of packets — TMWF collapses to a P@2 of 0.399 and ARES'23 to 0.429, while DEMUX retains a P@2 of 0.940, exceeding the next-best competitor by 2.5 points. WTF-PAD and FRONT are substantially weaker defenses, with most methods maintaining near-baseline performance under WTF-PAD.
-
CensorAlert aggregates censorship signals from heterogeneous open sources — including OONI, Cloudflare Radar, NetBlocks, GitHub Issues of circumvention tools (Hysteria, Xray), Net4People BBS, NTC Party forum, Mastodon, X, Telegram channels, and arXiv — normalizing each item into a common schema preserving timestamp, source, raw data, and provenance with a link to the original content.
-
Systematic measurement platforms (OONI, Censored Planet, Cloudflare Radar, NetBlocks) have inherent blind spots due to geographic coverage and protocol-specific test constraints; critical censorship discoveries — including GFW fully-encrypted protocol blocking and regional Chinese censorship — were first surfaced by user reports on forums and GitHub issue pages of circumvention tools, not by automated measurement infrastructure.
-
CensorAlert generates text embeddings (OpenAI text-embedding-3-small) from each item's summary, title, and tags to cluster semantically similar reports within configurable time windows; near-duplicates such as reposts, copied headlines, and translations are collapsed into a single canonical post that preserves all original source URLs and metadata.
-
CensorAlert's LLM agent scores each ingested item 0–5 on five independent dimensions — credibility, novelty, impact, timeliness, and verifiability — then computes a normalized significance score (0–10) from these components; items are processed every two hours using OpenAI GPT-5 Thinking (hosted on Azure) constrained to return structured JSON output.
-
Across all 7 LLMs tested (GPT 4o, GPT 4o Mini, Gemini 1.5 Flash, Gemini 1.5 Pro, Llama 3.2, Claude 3.5 Haiku, Claude 3.5 Sonnet), statistically significant evidence of censorship bias was found in at least one evaluation metric per model: responses to Simplified Chinese prompts were more neutral, more similar to sanitized text, and less opinionated than semantically identical Traditional Chinese prompts (p < 0.05 across refusal-rate, sentiment, CensorshipDetector classification, and word-embedding analyses).
-
CensorshipDetector, an XLM-RoBERTa model fine-tuned on 587,819 Baidu Baike articles (censored) and Chinese Wikipedia (uncensored), achieved 91% accuracy on a held-out validation set of Chinese news articles, correctly classifying 93% of Chinese state media articles as censored and 87% of New York Times Chinese articles as uncensored, with average censorship scores of 0.93 and 0.13 respectively.
-
A systematic search of the Common Crawl dataset — the training corpus attributed to most major LLMs including Llama, GPT, and Gemini — found content from 325 of 326 Chinese government and state media domains searched, confirming that sanitized content is pervasive in LLM pretraining data and providing a concrete mechanism for how Chinese information controls propagate into Western-built models.
-
Using English as a pivot language (prompting the model in English while requesting Chinese-language responses) reduced but did not eliminate censorship bias: CensorshipDetector scores showed less bias in English-pivoted responses than in direct Simplified Chinese prompts, but sentiment analysis and word-embedding analyses still found statistically significant bias in most models, indicating censorship bias is a function of both prompt language and response language.
-
The study finds that LLM censorship bias affects Chinese-speaking diaspora populations who reside outside mainland China: because user language — not user location — determines exposure to sanitized outputs, Chinese speakers globally receive information shaped by CCP information controls when using popular AI chatbots in Simplified Chinese, constituting an extraterritorial export of domestic censorship infrastructure.
-
An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.
-
Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.
-
Two Iranian ASes apply a protocol allowlist that drops traffic not matching known application-layer protocol patterns (after ~6 packets), independently of the destination IP. Experiments with fresh /26 phantom subnets showed that prefixing Conjure connections with a plain HTTP GET payload evaded this blocking for four weeks, while TLS Client Hello-prefixed and SSH-prefixed connections were blocked within 72 hours (TLS) or 72 hours after port rotation (SSH). HTTP GET on port 80 was the only tested prefix that survived the full experiment window.
-
MCCI (AS197207) blocks proxy IPs proportionally to observed connection volume: the more connections a phantom IP receives, the faster it gets blocked. A controlled experiment with a fresh /27 IPv4 subnet divided into 7 /30 sub-ranges with increasing weights confirmed that higher-weighted subnets were blocked first, demonstrating that the censor infers proxy IP reputation from traffic rate rather than from a static blocklist.
-
The report documents IMSI-catcher and mobile-network interception deployments in Pakistan that complement fixed-line DPI infrastructure. Mobile broadband users (dominant internet access mode in Pakistan) face surveillance at both the carrier level and via OTT platform coercion, with major platforms (YouTube, Twitter/X, TikTok) receiving and complying with blocking and content takedown orders from PTA, reducing the scope of accessible content even for users not running circumvention tools.
-
Pakistan's PECA (Prevention of Electronic Crimes Act) and PTA (Pakistan Telecommunication Authority) regulations grant authority to block content without court orders, enabling the deployment of a persistent national filtering infrastructure. The report documents 11,000+ URLs blocked by PTA and confirms that VPN use and circumvention tools are among the targeted categories, with blocking orders issued under national security grounds.
-
Amnesty International's 102-page investigation identifies a multi-vendor surveillance stack deployed in Pakistan: Chinese DPI (Geedge/MESA-derived), Canadian social-media monitoring (Netsweeper), and Emirati commercial spyware (Pegasus and FinFisher). The system enables deep packet inspection, SNI-based filtering, and traffic-shape classification at national scale, including targeted interception of encrypted messaging apps and VPN traffic.
-
A Tor relay serving as a Bento server and hosting a CenTor instance for 10,000 simultaneous clients experienced only approximately 0.4% performance degradation compared to a vanilla relay; running 20 concurrent CenTor instances on a single relay caused roughly 1% degradation. Shadow-aware routing in a low-relay-density region (US, 933 of 6,666 relays in shadow) produced 0.7% relay degradation while delivering 3.6% client performance improvement.
-
CenTor, a CDN for Tor onion services deployed as a Bento network function, achieved approximately 56.4% reduction in download time compared to standard Tor under a geographically-aware shadow configuration, while location-unaware CenTor (reducing hops without shadow restriction) achieved a 34.5% reduction. The key mechanism is eliminating the server-side 3-hop circuit by deploying replicas in non-anonymous mode, cutting the default 6-hop onion service path to 3 hops.
-
CenTor protects origin onion service operators from DoS and deanonymization by routing all client traffic through geographically distributed Bento replicas running inside SGX-based Trusted Execution Environments (TEEs). The original operator can go fully offline after deploying static content; replicas enforce confidentiality and integrity of hosted content with ephemeral per-enclave encryption keys, preventing malicious Bento node operators from inspecting or modifying content even if they control the underlying hardware.
-
CenTor's anonymity scoring function quantifies the privacy cost of geographic shadow selection using six parameters (client density, AS-level and country-level entropy, relay density, exit density, guard density). Prior work establishes that reducing the client anonymity set by 20x—retaining at least 5% of total Tor users—still provides strong anonymity; accordingly, CenTor recommends minimum thresholds of CD, EL, EC ≥ 0.05 and RD, ED ≥ 0.2 for safe shadow operation.
-
Interactive communication on Tor incurs latencies more than 5x greater than direct Internet paths; onion services compound this by creating a 6-hop circuit (3 client-side plus 3 server-side). Shadow simulations at 100% Tor network scale (752,338 active clients, 6,666 nodes) showed that deploying 3,500 and 6,000 Bento servers caused only 4.4% and 9.6% client-side performance degradation respectively, demonstrating that programmable middlebox overlays are feasible at Tor scale.
-
VPN search demand in Iran spiked approximately 707% during the June 2025 stealth blackout, as measured by Top10VPN analytics, making it one of the highest-documented circumvention-demand spikes associated with a single shutdown event. Despite this demand, many VPN connections failed because the protocol whitelist eliminated non-HTTPS tunneling methods and HTTP-level filters could detect known VPN signatures on port 443.
-
TTL-based path analysis showed that all censorship actions (DNS poisoning, HTTP injection, TLS resets) in the June 2025 shutdown occurred at the same network hop across all tested ISPs, indicating a single centralized national border gateway—likely TCI AS gateways—rather than per-ISP enforcement. Global BGP announcements were kept intact throughout, making the shutdown invisible to routing monitors while domestic connectivity collapsed.
-
Over 90% of tested censored domains returned private IP addresses in the 10.10.34.0/24 range (chiefly 10.10.34.34) via injected DNS replies during the June 2025 shutdown, with poisoned response TTLs often very low—consistent with inline DPI injection rather than a recursive DNS lookup. A small set of domains including Google and state-approved services were whitelisted and resolved correctly.
-
Iran's June 2025 shutdown enforced a strict national protocol whitelist: only DNS (UDP/53), HTTP (port 80), and HTTPS (port 443) traffic from Iranian networks to external servers was forwarded; all other protocols—including OpenVPN (UDP/1194), SSH (port 22), and arbitrary TCP/UDP ports—were silently dropped without response by DPI at the border.
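The whitelist described here reduces to a three-entry lookup on (protocol, port); the sketch below models the observed forwarding decision, with silent drops for everything else.

```python
def border_forwards(proto, port):
    """Sketch of the observed whitelist: only DNS (UDP/53), HTTP
    (TCP/80), and HTTPS (TCP/443) flows to external servers were
    forwarded; all other traffic was silently dropped (no RST,
    no ICMP error)."""
    whitelist = {("udp", 53), ("tcp", 80), ("tcp", 443)}
    return (proto, port) in whitelist

assert border_forwards("tcp", 443)
assert not border_forwards("udp", 1194)  # OpenVPN: silently dropped
assert not border_forwards("tcp", 22)    # SSH: silently dropped
```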
-
TLS connections to blocked services (instagram.com, telegram.org) were terminated by TCP RST immediately after the client's ClientHello, before any certificate exchange, confirming SNI-based DPI that reads the plaintext SNI extension and aborts the handshake. HTTP filtering additionally matched Host headers and URL keywords case-sensitively, with injected HTTP 403 pages or TCP RST responses, and case-change evasions were sometimes effective.
-
Simulating a shift in dataset composition from 0% to 100% male changes Shannon entropy estimates by more than 10% for User-Agent (downward) and more than 68% for WebGL Renderer (upward), revealing that prior large fingerprinting studies — Panopticlick (83.6–94.2% unique, predominantly reached via tech-oriented channels) and AmIUnique (90% desktop unique) — likely misrepresent real-world risk due to uncontrolled male bias, as confirmed by a directly comparable study showing 76.5% male participants.
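The mechanism can be reproduced with synthetic data: when an attribute's value distribution differs by gender, the entropy estimated from a skewed sample diverges from the balanced-population value. The per-gender distributions below are invented for illustration only.

```python
import math

def entropy(dist):
    """Shannon entropy in bits of a {value: probability} distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def mix(male_dist, female_dist, male_frac):
    """Population distribution implied by a given sample composition."""
    keys = set(male_dist) | set(female_dist)
    return {k: male_frac * male_dist.get(k, 0)
               + (1 - male_frac) * female_dist.get(k, 0) for k in keys}

# Invented per-gender value distributions for one fingerprinting attribute:
male   = {"renderer_a": 0.7, "renderer_b": 0.2, "renderer_c": 0.1}
female = {"renderer_a": 0.3, "renderer_b": 0.3, "renderer_c": 0.4}

h_balanced = entropy(mix(male, female, 0.5))
h_skewed   = entropy(mix(male, female, 0.765))  # 76.5% male, as in the comparable study
assert h_balanced != h_skewed  # sample composition shifts the entropy estimate
```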
-
Approximately 60% of users in the 8,400-participant US dataset had a unique overall browser fingerprint when combining 13 standard attributes, matching FingerprintJS's advertised 60% accuracy. Fingerprinting risk followed strict monotonic trends: uniqueness increased with age (65+ group most at risk) and decreased with income (household income under $25,000 group at greatest risk), while males showed more unique overall fingerprints but females showed higher uniqueness on passive-fingerprintable attributes (User-Agent, Languages).
-
A simple three-hidden-layer MLP trained on only 13 standard browser attributes achieves AUROC above 0.5 for every tested demographic group: gender 0.663–0.679, age 55+ 0.644, Hispanic ethnicity 0.60, Asian race 0.698, Black race 0.677, and high-income bracket 0.617. Because the model used only attributes already collected by mainstream fingerprinting scripts (e.g., FingerprintJS), richer real-world attribute sets would yield substantially higher demographic inference accuracy.
-
User-Agent and Accept-Language browser attributes are transmitted in HTTP request headers, enabling passive server-side fingerprinting without JavaScript execution or any browser-detectable signal. In the 8,400-user dataset, Hispanic users (only 11% of the sample) made up more than 45% of the users reporting 'es-US' as their Languages value, substantially reducing their anonymity-set size versus the general population.
-
Screen resolution (572 distinct values, 4.5% unique, entropy 5.51), WebGL Unmasked Renderer (654 distinct values, 3.2% unique, entropy 6.833), and User-Agent (434 distinct values, 2.8% unique, entropy 4.613) are simultaneously the most uniquely identifying individual attributes and the strongest demographic predictors by normalized mutual information across all five demographic categories tested (gender, age, income, Hispanic ethnicity, race).
-
Analysis of 5.1 billion Wallbleed responses revealed that the leaked memory contains fragments of live network traffic processed by the injection device: IP/TCP/UDP/HTTP headers and payloads (including plaintext traffic not related to DNS), x86_64 Linux stack frames with ASLR-consistent pointer patterns, and what appear to be glibc stack canaries. The 166 million UPnP/SSDP snippets in leaked memory suggest the GFW device shares a memory pool with traffic from private RFC 1918 addresses, hinting at internal management-plane traffic co-located with the censorship infrastructure. A side channel — the fixed cyclic ordering of false IP addresses across injection processes — distinguishes individual GFW injector processes from each other.
-
Wallbleed was a buffer over-read in the GFW's DNS injection subsystem that caused middleboxes to append up to 125 bytes of their own process memory to forged DNS responses. The bug persisted for at least two years (confirmed from October 2021); the GFW issued an incorrect partial patch in November 2023 (Wallbleed v2 remained exploitable) and fully patched it in March 2024. Over 5.1 billion Wallbleed responses were collected during continuous measurement, and an IPv4-wide scan found 242 million IP addresses across 381 autonomous systems receiving Wallbleed-injected responses — including some traffic whose source and destination were both outside China, due to routing through China's network border.
-
The September 2025 leak of ~600 GB from Geedge Networks and the MESA Lab (Institute of Information Engineering, Chinese Academy of Sciences) is the largest known document disclosure from the GFW vendor ecosystem. It establishes a direct lineage: MESA Lab (founded 2012 by Fang Binxing's team, annual contracted revenue >35M RMB by 2016) spun out Geedge Networks in 2018, with MESA alumni filling key engineering roles (e.g. Zheng Chao as CTO). The leak includes ~64 GB of MESA git repositories, ~35 GB of MESA internal documents, ~15 GB of Geedge internal documents, and a ~3 GB Jira export — providing direct access to source code, work logs, and internal communications behind GFW R&D.
-
Internal Geedge documents confirm active contracts to deploy GFW-derived censorship and surveillance infrastructure in Myanmar, Pakistan, Ethiopia, Kazakhstan, and at least one additional unidentified country under the Belt and Road framework, in addition to domestic deployments in Xinjiang, Jiangsu, and Fujian. The exported product (the Tiangou Secure Gateway / TSG line) is not a stripped-down export variant — leaked TSG documentation shows DPI, active-probing, ML classifiers, and granular per-region traffic control rules that mirror the domestic GFW capability set.
-
The August 20, 2025 unconditional RST event revealed an asymmetry in the GFW's triggering mechanism: for traffic originating inside China, both the client SYN and the server SYN+ACK each independently triggered three injected RST+ACK packets (six total per connection). For traffic to China from outside, only the Chinese server's SYN+ACK triggered RSTs — the foreign client's SYN alone was insufficient. This asymmetry implies the responsible device observed the SYN+ACK from the Chinese server as the trigger condition, not a port-match rule on the SYN.
-
On August 20, 2025 from approximately 00:34 to 01:48 Beijing Time (74 minutes), the GFW unconditionally injected TCP RST+ACK packets on all port 443 traffic, regardless of payload content, disrupting all TCP/443 connections between China and the rest of the world. The injected packets came in triples with incrementally increasing TTL and window size fields — a fingerprint that does not match any previously catalogued GFW device — indicating either a new device or a known device in a novel or misconfigured state. The blocking was port-443-specific: ports 22, 80, 8443, and others were unaffected during the same window.
-
The Ahmia search engine provided the most onion addresses (18,069 in a single day, ranging 18,000–22,000 week-to-week), outperforming five other sources combined (36,028 total across six engines). However, Ahmia's intentional exclusion blacklist contains 46,000+ hashed addresses, and crawling onion services for 20 days yielded 48,745 unique v3 addresses, 11,809 of which were on Ahmia's blacklist — meaning any index-based collection systematically misses a significant share of the onion ecosystem by design.
-
Combining six onion search engines/repositories plus clearnet search engines, Tor2web-style DNS leakage, and 20 days of self-run crawling (2.9 million pages), the authors assembled 482,614 unique v3 onion addresses — the largest known collection. Verifying against HSDir blinded public keys showed the collected addresses accounted for 25% of observed blinded keys but were responsible for 66% of all successful service descriptor downloads, confirming a heavy-tailed usage distribution.
-
Drivel evaluates its design against the GFW's fully-encrypted-traffic detector (documented in Wu et al. 2023). The thesis demonstrates that switching to post-quantum primitives does not by itself change the traffic's appearance to a statistical censor classifier — the fully-encrypted detection problem is independent of the underlying cryptographic algorithm and must be addressed at the traffic-shaping layer regardless of key-exchange choice.
-
Drivel is an obfs4-style fully-encrypted proxy protocol that replaces obfs4's pre-quantum cryptographic primitives with post-quantum alternatives. It is one of the first circumvention protocols explicitly designed to remain secure under a quantum adversary, addressing the forward-secrecy threat to deployed circumvention traffic recorded today for future decryption.
-
Most deployed circumvention protocols (obfs4, Shadowsocks, Trojan, VMess, etc.) still rely on pre-quantum primitives (X25519, AES-GCM, ChaCha20). Drivel is the first published treatment of how to perform this migration in the specific context of a fully-encrypted pluggable transport, providing a design template and security analysis that does not exist elsewhere in the circumvention literature.
-
InterSecLab frames the Geedge/TSG export program as the commoditization of national firewall capability: rather than each censor state independently developing detection infrastructure, they contract Geedge for a turnkey system incorporating the cumulative R&D of MESA Lab (>10 years, National Science and Technology Progress Award winners). This structural shift means the marginal cost for an autocratic government to acquire GFW-grade censorship is now a procurement decision, not a multi-year engineering program. The report identifies that Geedge's relationship with the MESA Lab gives customer states indirect access to ongoing academic R&D improvements, not just a static product.
-
InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.
-
Amigo introduces a decentralized continuous key agreement protocol and novel routing scheme for secure group mesh messaging over short-range radio (Bluetooth/Wi-Fi Direct) when governments disable the Internet during protests. Extensive simulations demonstrate that prior approaches fail to scale to realistic protest environments that have high link churn, physical spectrum contention, and dense mobility — Amigo's protest-specific optimizations address these but also reveal that scaling to protests with thousands of participants remains an open challenge.
-
Simulations show that previous secure mesh messaging systems fail to provide efficient private group communication under realistic protest conditions — specifically high node mobility, link churn, and RF spectrum contention — conditions that prior work did not evaluate. Bridgefy, the most widely deployed protest mesh app, was broken cryptographically in 2021 and 2022, and even its successor designs lack the scalability needed for protests with thousands of participants.
-
The report traces the specific corporate pathway through which Geedge Networks exported GFW-derived technology to Myanmar: via front companies, shell entities, and Belt and Road Initiative contract frameworks that obscure the Chinese state's direct involvement. The report names at least three intermediary entities used to transfer equipment and technical personnel to the Myanmar military, and documents that the same export channel was used for ongoing product updates post-deployment.
-
Justice for Myanmar documents that Geedge Networks supplied Myanmar's military junta with GFW-derived surveillance and censorship infrastructure under Belt and Road frameworks following the February 2021 coup. The deployed system (Tiangou Secure Gateway / TSG) incorporates the same DPI, active-probing, and ML-classifier capabilities as the domestic Chinese GFW, giving Myanmar one of the most technically capable censorship systems in Southeast Asia.
-
The report documents that Myanmar's military has used its TSG-based infrastructure to execute targeted throttling and selective shutdowns of specific services and platforms, not only blanket internet shutdowns. This includes selective disruption of VPNs and circumvention tools during periods of civil unrest, demonstrating that Myanmar's censors have operationalized the granular per-service traffic control capabilities documented in the Geedge/MESA leak.
-
In a 600-node simulation on a 25×25 grid representing a city-wide blackout environment, Anix messages reached over 90% of users within 23 simulation steps (~23 hours) even when adversarial Sybil nodes comprising 2% of the network refused to forward messages authored by legitimate users. The simulation modeled a 5-day blackout with 120 one-hour steps.
-
Anix provides two cryptographically distinct identity revocation primitives: soft revocation rotates a user's identity key pair and re-notifies only the retained subset of trusted contacts via encrypted unicast, silently excluding the revoked party; hard revocation broadcasts a signed certificate containing the compromised public key components, instructing all contacts to reject both the revoked identity and any downstream identities produced through subsequent soft revocations.
-
Bridgefy included both sender and receiver long-term identifiers on every message; Albrecht et al. found this unsafe and the deployed security upgrades proved insufficient, leaving Bridgefy unable to provide anonymity. Firechat similarly transmits long-term public user IDs with every message, uniquely identifying accounts to every recipient in the mesh.
-
Standard ECDSA signature schemes are vulnerable to public key recovery attacks that allow an adversary to recover the signer's public verification key from any signature, linking all pseudonymous messages authored under different one-time pseudonyms back to a single user identity. This attack succeeds without any side-channel — it operates solely on the message and its ECDSA signature.
-
Rangzen's transitive trust scheme suffers from two structural defects: diminishing trust (each relay hop multiplicatively reduces a message's trust score, degrading trustworthy messages from distant authors) and path dependency (the same message accrues different trust scores depending on which route it traveled, making scores incomparable across recipients). These defects prevent any user from gauging network-wide endorsement of a message.
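Both defects are visible in a two-line model of multiplicative transitive trust; the per-hop factors below are invented, the structural point is not.

```python
def relay_trust(initial_trust, hop_factors):
    """Each relay hop multiplies the score by its trust factor (< 1),
    so scores decay with path length and depend on the route taken."""
    t = initial_trust
    for f in hop_factors:
        t *= f
    return t

msg = 1.0  # fully trusted at the author
# Same message, two different routes to the same recipient:
via_route_a = relay_trust(msg, [0.9, 0.9, 0.9])  # 3 moderately trusted hops
via_route_b = relay_trust(msg, [0.6, 0.95])      # 2 hops, one weak link
assert via_route_a != via_route_b  # path dependency: scores are incomparable
# Diminishing trust: distant authors are penalized regardless of content:
assert relay_trust(msg, [0.9] * 6) < relay_trust(msg, [0.9] * 3)
```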
-
Iran's DNS censor injects a correct, static IP address for 385 domains across 10 groups — including 372 Google-related domains (resolving to 216.239.38.120), 2 Bing domains, 2 DuckDuckGo domains, Yandex, CIA, MI5, and Mossad. This previously unreported behavior likely enables surveillance (routing traffic to a controlled IP) or rapid follow-on blocking (nullrouting the injected static IP is cheaper than maintaining DPI rules per domain).
-
Iran's DNS censor now injects two distinct block-page IPs: 10.10.34.36 (≈87% of 47,633 censored domains) and 10.10.34.34 (≈13%). Both originate from the same network node at Iran's border. Prior research (Aryan et al. 2013) described only 10.10.34.34. The IP injected correlates strongly with the HTTP censorship method applied: domains with 10.10.34.34 in DNS receive TCP RST via HTTP (86.8% of RST cases), while domains with 10.10.34.36 in DNS receive HTTP block pages (84.6% of block-page cases).
-
Iran's HTTP censor exhibits several parsing inconsistencies exploitable for evasion: (1) it matches HTTP methods case-sensitively, ignoring the lowercase-variant method "gET"; (2) it does not censor the Host header for HTTP version strings "HTTP", "1.1", and "example" (suggesting a version regex of HTTP/.*); (3) when the Host header is absent, the path is not censored for versions "HTTP" and "HTTP/1"; (4) the body is never analyzed regardless of version. All HTTP and DNS censorship occurs at the same last-hop border node, suggesting a centralized architecture.
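Quirks (1), (2), and (4) can be captured in a toy model of the inferred matching logic; the real censor's implementation is unknown, and the blocked hostname below is a placeholder.

```python
import re

BLOCKED_HOST = b"example-blocked.com"  # placeholder, not a real blocklist entry

def toy_censor(request):
    """Acts only when all inferred conditions line up."""
    m = re.match(rb"(\S+) (\S+) (\S+)\r\n", request)
    if not m:
        return False
    method, path, version = m.groups()
    if method != b"GET":                        # (1) case-sensitive: "gET" slips through
        return False
    if not re.fullmatch(rb"HTTP/.*", version):  # (2) version regex: "1.1" alone slips through
        return False
    host = re.search(rb"Host: (\S+)\r\n", request)
    return bool(host and BLOCKED_HOST in host.group(1))
    # (4) the body is never inspected

assert toy_censor(b"GET / HTTP/1.1\r\nHost: example-blocked.com\r\n\r\n")
assert not toy_censor(b"gET / HTTP/1.1\r\nHost: example-blocked.com\r\n\r\n")
assert not toy_censor(b"GET / 1.1\r\nHost: example-blocked.com\r\n\r\n")
```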
-
Iran's DNS censor temporarily null-routed all DNS requests containing the string "wpad" at any position, including benign domains like wpad.net, showpad.com, and meowpad.me. The overblocking was no longer reproducible at the time of publication, suggesting a censor configuration error later corrected. The affected domains are unrelated to proxy auto-discovery in most cases, indicating a substring-match rule without context.
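A context-free substring rule, which the overblocking implies, is a one-line predicate; the sweep of unrelated domains falls out immediately.

```python
def wpad_rule(domain):
    """Context-free substring match, as the observed overblocking implies:
    'wpad' at any position triggers the rule."""
    return "wpad" in domain

# Benign domains swept up by the rule:
for d in ("wpad.net", "showpad.com", "meowpad.me"):
    assert wpad_rule(d)
assert not wpad_rule("example.com")
```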
-
Strict anonymity requirements in Tor onion services render conventional DoS mitigation strategies inapplicable, forcing the Tor community to revive the client-puzzle approach as the only feasible admission-control mechanism compatible with unlinkability guarantees.
-
OnionFlation attacks succeed by inflating puzzle difficulty without causing detectable congestion at the targeted service, meaning the attack leaves no noticeable traffic-volume signature at the victim — standard congestion-based anomaly detection cannot identify the attack in progress.
-
The Tor client-puzzle mechanism has an inherent design trade-off: the system is forced to choose between inflation resistance (preventing adversarial difficulty inflation) and congestion resistance (absorbing legitimate traffic surges), but cannot achieve both simultaneously. This trade-off is identified as the root cause of OnionFlation.
-
The OnionFlation attack family artificially inflates the required client-puzzle difficulty for all connecting clients without causing noticeable congestion at the targeted onion service, rendering any existing onion service largely unusable at an attack cost of a couple of dollars per hour.
-
OnionFlation attacks can render any existing Tor onion service largely unusable at an attack cost of approximately a couple of dollars per hour, by artificially inflating the required client puzzle difficulty for all connecting clients without causing noticeable congestion at the targeted service.
-
The paper offers practical guidance for Tor onion service operators aimed at balancing mitigation of OnionFlation attacks against maintaining service availability for legitimate clients, recognizing that no complete solution exists within the current puzzle architecture.
-
The Tor client puzzle mechanism contains a fundamental architectural trade-off: the system is forced to choose between inflation resistance (preventing attackers from artificially raising puzzle difficulty) and congestion resistance (preventing the service from being overwhelmed), but cannot achieve both simultaneously — a root-cause vulnerability acknowledged by the Tor Project.
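Tor's deployed mechanism uses the EquiX proof-of-work; a hashcash-style stand-in (an assumption for illustration, not Tor's scheme) shows the structure the trade-off lives in: the service advertises an effort level, clients grind until a hash meets it, and anything that inflates the advertised effort taxes every legitimate client.

```python
import hashlib
import itertools

def solve(challenge: bytes, difficulty_bits: int) -> int:
    """Find a nonce whose SHA-256 output has `difficulty_bits` leading
    zero bits. Expected work doubles with each added bit."""
    target = 1 << (256 - difficulty_bits)
    for nonce in itertools.count():
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if int.from_bytes(digest, "big") < target:
            return nonce

def verify(challenge: bytes, nonce: int, difficulty_bits: int) -> bool:
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))

chal = b"rendezvous-cookie"
nonce = solve(chal, 12)       # cheap at low difficulty
assert verify(chal, nonce, 12)
# An attacker who drives the advertised difficulty up multiplies every
# honest client's expected work by 2 per added bit, with no congestion
# signature at the service itself.
```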
-
Following real-world DoS attacks against onion services, the Tor community revived and shipped an official client puzzle mechanism, which has since been adopted by several major onion services as their primary DoS mitigation strategy.
-
Client-puzzle DoS mitigation has been adopted in an official Tor protocol update and is in active use by several major onion services. An ethical live-network evaluation of OnionFlation attacks confirmed the vulnerability on the production Tor network, and the Tor Project has acknowledged the findings.
-
In China, multiple URLs show 100% failure rates across 3–7 ASNs with near-zero confirmed blockpage rates (e.g., hkleaks.ru, blockdx.co, libgen.space each at 100% failure, avg_confirmed ≈ 0), indicating that China increasingly uses non-blockpage mechanisms — connection drops, TCP anomalies — that evade blockpage-based detection while achieving complete access denial.
-
DNS censorship leaks geographically: Russia's neighbors show materially elevated censorship rates despite low independent censorship of their own — Lithuania 21.73%, Norway 12.04%, Finland 12.03% — compared to Russia itself at 43.59%, consistent with DNS queries from those countries transiting Russian infrastructure and being hit by Russian DNS injection.
-
Russian transit censorship propagates to ASNs outside Russia: ASN 216071 (Netherlands) shows 38 top-10k URLs with 59% confirmed blockpage rate, ASN 6939 (Sweden) shows 4 URLs at 75%, and ASN 3214 (Germany) shows 4 URLs at 75%, all attributable to peering with Russian ASNs known to employ transit censorship.
-
Venezuela and Cuba exhibit average unblocked rates of 68.83% and 69.70% respectively across 461,114 and 5,501 OONI tests, placing roughly 31% and 30% of probes as blocked — censorship rates comparable to documented heavy-censor states — despite being routinely excluded from standard censoring-country lists.
-
Among the most commonly transit-censored popular URLs (top-10k rank, ≥90% confirmed blockpage rate from Russian transit ASNs, not blocked elsewhere in those countries), turbovpn.com appears alongside Russian opposition news and social-media pages, demonstrating that Russia's VPN-blocking lists propagate into foreign transit ASNs.
-
Ceno Browser's decentralized peer-to-peer network grew from approximately 600 active peers on June 13 to nearly 8,000 by July 11, 2025 — a 13× increase in under 30 days — with some Ceno connections remaining online throughout the full blackout, indicating that P2P architectures without fixed enumerable infrastructure can survive centralized application-layer shutdowns.
-
The June 2025 Iran shutdown achieved approximately 90% reduction in international traffic without BGP withdrawal by combining DNS poisoning, protocol whitelisting, and DPI at the national border — maintaining an outward appearance of normal connectivity for traditional monitoring tools while severing the population's access to the global Internet. Unlike the 2019 shutdown, which was implemented per-provider over 24+ hours, the 2025 operation was centralized and covert.
-
The Iranian government blocked international One-Time Passwords (OTPs) during the June 2025 shutdown, forcing citizens to abandon secure international platforms and migrate to government-approved domestic services with known security and privacy vulnerabilities — using authentication infrastructure as a deliberate chokepoint to coerce adoption of surveilled platforms at scale.
-
Lantern's proxyless protocol accounted for approximately 40% of its traffic during the June 2025 Iran shutdown, demonstrating that a direct-server / proxyless transport mode provided a significant load-bearing fallback when conventional proxy infrastructure was blocked by centralized DPI enforcement.
-
Psiphon's multi-protocol design maintained access for approximately 1.5 million users during the June 2025 Iran shutdown — roughly one-third of its normal user base — while traffic throttling rendered many single-protocol circumvention tools functionally useless for anything beyond basic text communication.
-
In 24-hour live proxy deployments, covertDTLS mimicry had an 18.2% DTLS handshake failure rate (vs 12.5% baseline, 27.0% randomization, 25.8% Chrome webextension). Randomization generates ≈994 billion unique fingerprint permutations (cipher shuffling: 109,600; extension shuffling: 994,218,624,000), making blocklist-based fingerprinting infeasible, but at the cost of higher connection failures due to cipher mismatches. Mimicry of DTLS 1.2 was stable and effective; DTLS 1.3 mimicry is not yet achievable with the current Pion library.
-
The DTLS ClientHello extensions field is the most prominent feature for fingerprinting Snowflake's Pion WebRTC stack. A passive DPI tool (dfind) validated against the MacMillan et al. dataset of 6,500 DTLS handshakes reliably identifies Pion-based implementations via unique extension byte patterns. Chrome randomized its extension list order starting with version 129.0.6668.58 (September 2024), yielding 6! = 720 unique permutations and hardening it against deterministic matching. Firefox adopted DTLS 1.3 by default from version 127 (May 2024), which changes the extension structure entirely and renders DTLS 1.2 mimicry obsolete for Firefox traffic.
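The permutation arithmetic in these randomization findings is plain factorial counting: Chrome's six randomized extensions give 6! orderings, and larger shuffled lists grow super-exponentially.

```python
from math import factorial

def orderings(n_items):
    """Distinct fingerprints obtainable by shuffling n list entries
    (assuming all entries are distinct and order is the only signal)."""
    return factorial(n_items)

assert orderings(6) == 720  # Chrome's randomized extension-list orderings
# Larger shuffled lists quickly make blocklist-style matching infeasible:
assert orderings(15) > 1_000_000_000_000
```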
-
Firefox adopted DTLS 1.3 by default for WebRTC in May 2024 (version 127); Chrome has implemented DTLS 1.3 in BoringSSL but not yet enabled it by default. DTLS 1.3's Encrypted Client Hello (ECH) extension would encrypt extension lists and make passive field-based fingerprinting of those extensions obsolete — but censors may choose to block DTLS 1.3 ECH unless browsers adopt it widely enough that blocking causes unacceptable collateral damage. The Pion library (used by Snowflake standalone proxies) has no concrete roadmap for DTLS 1.3 support, creating a growing gap.
-
Beyond business-filing cross-references, the paper introduces a method of linking VPN provider families by showing they share VPN server cryptographic credentials (Shadowsocks passwords, server TLS fingerprints) across distinct app identities. This extends prior ownership-attribution methods that relied solely on corporate registry data and code similarity, adding shared live infrastructure as a linkage signal that is harder for operators to obscure.
-
Three families of VPN apps with combined Google Play download counts exceeding 700 million share not only common ownership but hardcoded cryptographic credentials, including Shadowsocks passwords embedded in their APKs. An attacker who extracts these hardcoded passwords can passively decrypt all traffic of users of these apps. Business filing and APK analysis linked the families to the same operators; one previously-identified family (Innovative Connecting / Autumn Breeze / Lemon Clove) had already been linked to the People's Liberation Army.
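Why a hardcoded password is fatal: classic Shadowsocks derives its master key from the password alone via OpenSSL's MD5-chained EVP_BytesToKey construction, so anyone holding the extracted password derives the identical key. A minimal sketch of that derivation (AES-256 key length assumed; AEAD variants additionally derive per-session subkeys, but from salts sent in cleartext):

```python
import hashlib

def evp_bytes_to_key(password: bytes, key_len: int = 32) -> bytes:
    """MD5-chained derivation used by classic Shadowsocks:
    key = MD5(pw) || MD5(MD5(pw) || pw) || ... truncated to key_len."""
    key, prev = b"", b""
    while len(key) < key_len:
        prev = hashlib.md5(prev + password).digest()
        key += prev
    return key[:key_len]

# Anyone with the hardcoded password derives the identical master key,
# enabling passive decryption of recorded traffic:
k1 = evp_bytes_to_key(b"hardcoded-apk-password")  # illustrative password
k2 = evp_bytes_to_key(b"hardcoded-apk-password")
assert k1 == k2 and len(k1) == 32
```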
-
Neither China nor Iran directly block ECH ClientHello messages; instead both effectively prevent ECH by censoring encrypted DNS resolvers. China blocks Cloudflare's DoH/DoT resolver (mozilla.cloudflare-dns.com) via SNI-based blocking in TLS and QUIC, causing residual censorship of up to 360 and 180 seconds respectively. Iran blocks both Cloudflare and NextDNS DoH hostnames via DNS block-page injection, TLS TCP RST, and HTTP block pages. Iran cannot analyze QUIC, so DoQ is uncensored and enables ECH in Iran. China's NextDNS IP blackholing affected only one of two resolved IPs, leaving an uncensored path.
-
Of 640,694 TLS 1.3 servers in the Tranco Top 1M (Feb 2025), 51.28% parse ECH extensions but only 43% actually handshake ECH — and virtually all of those are Cloudflare servers (278,040). Only 6 non-Cloudflare servers successfully handshaked ECH. Cloudflare's own servers have a 44% non-advertisement rate: servers that can handshake ECH but do not publish their ECH configuration in DNS, typically because the operator manages their own DNS outside Cloudflare. The total number of advertised ECH configurations dropped from ~180,000 in November 2024 to ~150,000 by April 2025.
-
Chrome and Firefox send GREASE ECH extensions in every ClientHello message, meaning a censor that blocks all ECH-containing ClientHellos would block all Chrome and Firefox TLS traffic. Cloudflare's static outer SNI "cloudflare-ech.com" in all its ECH configurations makes real ECH connections trivially distinguishable from GREASE ECH — censors can block real ECH connections to Cloudflare without triggering GREASE collateral damage. Cloudflare rejects ECH handshakes with omitted or invalidated outer SNI values; non-Cloudflare ECH deployments accept missing and invalid outer SNIs.
-
Russian TSPU devices directly block ECH by dropping ClientHello messages that contain both an ECH extension and the outer SNI hostname "cloudflare-ech.com" — the static outer SNI Cloudflare advertises in all its ECH configurations. Blocking affects both TLS and QUIC. ECH connections to servers with Cloudflare ECH support but outside Cloudflare's official IP ranges are NOT blocked. TCP segmentation alone or TLS record fragmentation alone did NOT bypass TSPU ECH blocking, but combining both techniques did circumvent it. TSPU has also added TCP reassembly capabilities that defeat previously effective fragmentation-only bypasses.
-
Censorship classifiers and traffic analysis attacks consistently exploit the initial seconds of a proxy connection, where packet-size, inter-arrival-time, and burst features are maximally discriminative. Cited work demonstrates that website fingerprinting classifiers trained solely on the first few seconds of Tor traffic achieve high accuracy, and real-world GFW detection of fully-encrypted protocols also targets early-connection bytes.
-
The framework confines active traffic shaping to the first N seconds of a connection (N is a user-defined parameter, e.g., N=10), after which normal unmodified traffic resumes. The authors hypothesize that this design keeps per-session throughput and latency overhead negligible, since the shaping window is a small fraction of total connection time; N can be extended to the full session if the censor is believed capable of classifying beyond early traffic.
-
The framework's GAN-based schedule generator trains on short session windows (e.g., the first 10 seconds) of real browsing traffic from the Tranco Top 1000 sites, learning joint distributions of packet sizes, inter-arrival times, and burst patterns to produce realistic synthetic schedules. This repurposes GAN architectures previously used for traffic analysis (e.g., GANDaLF) as a defense-side cover-traffic generator.
-
The proposed framework operates as a transparent shim between application and network layers, enforcing a configurable schedule over packet size, timing, and burst patterns. The shaping logic is transport-agnostic — applicable across TCP, UDP, QUIC, and TLS — and activates only after the underlying protocol handshake completes, making it reusable across heterogeneous circumvention stacks.
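The shim's core loop can be sketched as a schedule enforcer: during the first N seconds it emits fixed-size cells at scheduled times, padding whatever the application has queued; afterwards it passes traffic through untouched. Class name, schedule format, and parameters below are illustrative assumptions, not the framework's API.

```python
import time
from collections import deque

class ShapingShim:
    """Enforce a (delay_s, cell_size) schedule for the first N seconds
    of a connection, then pass traffic through unmodified."""
    def __init__(self, schedule, window_s=10.0, send=lambda b: None):
        self.schedule = deque(schedule)  # e.g. [(0.02, 512), (0.05, 1400)]
        self.window_s = window_s
        self.send = send
        self.start = time.monotonic()
        self.buf = bytearray()

    def write(self, data: bytes):
        if time.monotonic() - self.start >= self.window_s or not self.schedule:
            self.send(bytes(data))       # shaping window over: passthrough
            return
        self.buf += data
        delay, size = self.schedule.popleft()
        time.sleep(delay)                # enforce scheduled inter-arrival gap
        cell = bytes(self.buf[:size])
        del self.buf[:size]
        cell += b"\x00" * (size - len(cell))  # pad short cells to schedule size
        self.send(cell)

sent = []
shim = ShapingShim([(0.0, 64), (0.0, 64)], window_s=10.0, send=sent.append)
shim.write(b"hello")  # emitted as one 64-byte padded cell
shim.write(b"world")
assert all(len(p) == 64 for p in sent)
```

A real deployment would need a framing layer on the receiving side to strip padding and reassemble application data; this sketch only shows the wire-visible shaping.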
-
The framework is designed for adoption into existing censorship-resistant systems in the same manner as uTLS — as a drop-in Go library requiring minimal code changes. Primary integration targets are Tor pluggable transports and WireGuard-based VPNs that currently lack built-in traffic obfuscation. Predefined hand-crafted schedules are provided alongside GAN-generated ones to enable developer stress-testing without model inference.
-
Security arguments for existing circumvention systems are based on ad-hoc adversary models that are often incomplete or unrepresentative of real-world adversaries, leading to allegedly secure designs that fail against relatively straightforward attacks. Protocols that substitute or parasitize a cover application's encrypted traffic channel fail against application-aware adversaries who observe or induce violations of application-specific behavioral invariants — a weakness that pre-trained classifiers on custom traces fail to surface.
-
A machine-checked EasyCrypt proof demonstrates that a conjunctive SNI + traffic-profile adversary achieves a true positive rate of 1.0 against meek, with a false positive rate bounded by Pr[Game0(MeekEnc).main()=true] ≤ (1/10000) × (1/1000) ≈ 10⁻⁷, under the assumption that meek traffic follows a normal distribution centered at 512 bytes and background traffic a Poisson-like distribution centered at 1024 bytes.
-
An adversary's false positive rate against a circumvention tool depends critically on the statistical properties of background traffic; if background traffic is modeled inaccurately (e.g., with toy uniform distributions), formal detection bounds are not meaningful. The paper proposes a hybrid pipeline: train NetDiffusion on real packet-level traces from campus networks or backbone providers, sample synthetic background traffic, extract empirical mean/variance, and integrate those distributions into EasyCrypt formal models to produce statistically grounded detectability proofs.
-
The paper proposes modeling HCS undetectability as a simulation-based cryptographic distinguishability problem: if traces produced by the real-world HCS channel are computationally indistinguishable from ideal-world application-channel traces (T_HCS ∼ T_simulator), the HCS achieves provable security against any adversary — passive or active. The simulation paradigm is parametric in adversary capability, meaning a single proof covers the full spectrum from passive SNI monitoring to active DPI.
-
Iran's June 2025 shutdown enforced a four-layer DPI topology: ISP-administered DPI boxes, centrally commanded DPI at large ISPs under the Communications Regulatory Authority, DPI at Tehran IX that filters domestic-only transit traffic, and DPI at internationally-linked networks — almost all funneling through AS48159 (Telecommunications Infrastructure Company, TIC).
-
Between 21–25 June 2025, Iranian fixed-line networks partially restored access via TCP-based protocols (SSH, WebSockets) while mobile networks and UDP-based protocols remained heavily restricted, indicating deliberate asymmetric enforcement to restore domestic data-center operation without re-enabling VPN circumvention.
-
During the June 2025 blackout, virtually all UDP-based protocols were blocked across major Iranian networks — WireGuard, AmneziaWG, QUIC, WebRTC, and OpenVPN — with the sole deliberate exception of UDP port 53 (DNS), preserved to avoid cascading failures in internal infrastructure.
-
IP blocking during the June 2025 Iran shutdown targeted large portions of address space belonging to major VPS hosting providers — Hetzner, DigitalOcean, Linode, and others — commonly used to host VPN and proxy servers, with small exceptions carved out for infrastructure deemed critical.
-
NymVPN experienced a 387% increase in demand during the June 2025 Iran blackout but was itself caught by protocol-level UDP restrictions and could not function as a reliable circumvention tool because TCP fallback and other censorship-resistance countermeasures had not yet shipped.
-
All six Chinese browsers (Baidu Searchbox, UC Browser, QQ Browser, OPPO, Redmi/Mi, VIVO) transmit the full URL of every page visited—including HTTPS pages—along with page titles and search terms out-of-band to vendor servers, entirely bypassing VPN tunnel protection. In five of six cases this data is transmitted with no cryptography or weak cryptography (purely symmetric AES with hardcoded keys, or textbook RSA with a 128-bit modulus factorable in under 3 seconds), making it readable by any on-path actor between the VPN egress and the vendor's servers.
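The weakness of such a short modulus can be illustrated with a generic Pollard's rho factorization. For speed this sketch uses a toy 64-bit semiprime rather than the 128-bit modulus the finding describes (which dedicated tools such as msieve or CADO-NFS factor in seconds); the primes chosen here are illustrative:

```python
import math, random

random.seed(1)  # deterministic run for the illustration

def pollard_rho(n):
    """Pollard's rho: returns a nontrivial factor of a composite n."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        f = lambda v: (v * v + c) % n
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = f(x)          # tortoise
            y = f(f(y))       # hare
            d = math.gcd(abs(x - y), n)
        if d != n:            # retry with a new c on failure
            return d

# Toy modulus from two 32-bit primes (stand-in for a 128-bit RSA modulus).
p, q = 4294967311, 4294967357
n = p * q
d = pollard_rho(n)
```

Any on-path observer who factors the modulus once can decrypt every message "protected" by that textbook-RSA layer.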
-
Chinese browsers transmit GPS coordinates alongside persistent user IDs (IMEI, GAID, CUID) and client IPs to vendor servers with poor transport security; an attacker with access to this stream can trivially detect VPN use without any DPI—GPS coordinates placing a user inside China combined with a non-Chinese client IP is an unambiguous VPN-use signal. This correlation attack succeeds against VPNs with perfect traffic obfuscation because the detection side-channel is entirely outside the encrypted tunnel.
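The correlation check itself is trivial, which is what makes the side-channel so damaging. A minimal sketch, assuming the attacker already has the leaked GPS fix plus an IP-geolocation result for the client IP (the bounding box and country code below are illustrative stand-ins):

```python
# Rough CN bounding box — an illustrative stand-in for real geofencing data.
CN_LAT = (18.0, 54.0)
CN_LON = (73.0, 135.0)

def gps_in_china(lat, lon):
    return CN_LAT[0] <= lat <= CN_LAT[1] and CN_LON[0] <= lon <= CN_LON[1]

def likely_vpn_user(lat, lon, ip_country):
    """Flags the side-channel described above: device GPS inside China,
    but the client IP geolocates elsewhere (i.e., a VPN egress)."""
    return gps_in_china(lat, lon) and ip_country != "CN"

flag = likely_vpn_user(39.9042, 116.4074, "DE")  # Beijing GPS, German egress IP
```

No DPI, timing analysis, or protocol fingerprinting is involved; the detection happens entirely outside the encrypted tunnel.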
-
Of the four Chinese browsers offering incognito mode (Baidu Searchbox, UC Browser, QQ Browser, Redmi/Mi), all four continue to leak PII and three continue to transmit full browsing activity including URLs; UC Browser specifically sends data during incognito sessions encrypted with hardcoded AES/CBC key "Ine34@32b#jeRs2h" and a zero initialization vector to crash-upload endpoints. Incognito mode in these browsers provides no protection against vendor-side or on-path surveillance and creates false privacy expectations for circumvention tool users.
-
PWA-based circumvention tools that display their name or any identifying string in the browser URL bar or page title expose that identifier to all six Chinese browser vendors' telemetry servers, since all six browsers collect page titles and full URLs. Browser SDKs with READ_PHONE_STATE and elevated permissions can monitor PWA activity at the OS level in ways not possible with standard browsers, making browser selection as security-critical as the circumvention tool itself for the Tor Browser threat model.
-
All six browsers grant dangerous Android permissions (READ_PHONE_STATE, INTERNET, ACCESS_NETWORK_STATE) to third-party SDKs; built-in phone browsers grant significantly more such permissions than app-store browsers. Baidu Mobile Tongji Analytics SDK—present in all six via Baidu as default search engine—collects IMEI, UUID, CUID, GAID, device MAC, and Bluetooth MAC, creating a persistent cross-app device fingerprint that identifies users across VPN sessions and survives IP changes.
-
The blocking-resistance of CenPush derives from the collateral damage a censor would incur by blocking APNs or FCM: doing so would break push notifications for every app on iOS or Android respectively. This is the same collateral-damage deterrent mechanism that makes CDN-based domain fronting and TLS-over-CDN transports resilient, applied to the control plane rather than the data plane.
-
CenPush uses mobile platform push-notification services (APNs, FCM) as a blocking-resistant control channel for distributing fresh proxy IPs and client configuration to users in censored regions. Push notification infrastructure is already widely deployed, has high collateral-damage cost to block, and is a server-push channel — meaning the client never has to initiate a query to an out-of-band endpoint that a censor could block.
-
CenPush is implemented and evaluated specifically for Tor bridge distribution, replacing the existing polled bridge-line fetching with push delivery. The design is presented as a general mechanism applicable to any circumvention tool that needs to push fresh proxy addresses to clients — not just Tor bridges — whenever censors block the tool's normal update channel.
-
Two of the 8 handshake-accepting injected IPv4 addresses host active services reachable both inside and outside China: 103.230.123.190 runs OpenSSH 8.2p1 on port 22, and 103.246.246.144 redirects 0.164% of all censored-domain requests to a website serving forbidden adult content.
-
The authors recommend that users encrypt DNS queries (DoT or DoH) to prevent the GFW's on-path injectors from intercepting and poisoning them, and additionally block all outgoing traffic to the known pool of GFW-injected IP addresses to avoid silently connecting to potentially surveillance-oriented infrastructure.
-
GFW DNS AAAA responses for censored domains return 622 IPv6 addresses: 30 from Facebook's 2a03:2880::/32 network (all sharing interface identifier face:b00c:0:25de), and 592 malformed Teredo addresses in the 2001::/32 range that directly hex-encode entries from the IPv4 pool in the lower 32 bits rather than following RFC 4380 Teredo structure. The Teredo addresses' server IPv4 (0.0.0.0) and port (0) fields are nonsensical.
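Because the malformed Teredo answers hex-encode an IPv4 pool entry in the lower 32 bits, recovering that entry is a one-line mask. A sketch, where the specific injected IPv6 address shown is a hypothetical example constructed to embed pool entry 8.7.198.46:

```python
import ipaddress

def embedded_ipv4(injected_v6):
    """Recover the IPv4 pool entry hex-encoded in the lower 32 bits of a
    GFW-injected 2001::/32 'Teredo' AAAA answer (not RFC 4380-compliant)."""
    v6 = ipaddress.IPv6Address(injected_v6)
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

# Hypothetical injected answer embedding 8.7.198.46 (0x0807c62e).
addr = embedded_ipv4("2001::807:c62e")
```

A real RFC 4380 Teredo address would instead carry the Teredo server's IPv4 and an obfuscated client port in those fields, which is why the all-zero server/port values are a reliable injection fingerprint.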
-
Of 1922 IPv4 addresses collected from GFW-injected DNS A responses to 5,000 queries for censored domains, 8 (0.4%) actually accepted TCP handshakes when probed from within China. The other 1914 addresses were either silent or unreachable.
-
Six injected IPv4 addresses (8.7.198.46, 39.109.122.128, 46.82.174.69, 59.24.3.174, 93.46.8.90, 103.97.3.19) accept TCP SYN→SYN+ACK from within China but immediately reply RST when the client sends application data (PSH flag). These hosts mirror IPID values from probe packets, show no response from outside China, and appear to operate statelessly — suggesting GFW-controlled surveillance infrastructure that collects connection metadata without revealing itself.
-
152 of 5,478 crawled domains (approximately 2.8%) deployed active bot-detection measures—captcha delivery or perimeter protection—that blocked automated OpenWPM crawling entirely. The authors note this disproportionately excludes untrustworthy sites, biasing the training dataset toward well-resourced trustworthy outlets and limiting recall on the untrustworthy class.
-
A Random Forest classifier trained solely on structural features of third-party request trees achieves ROC AUC of 0.81 and 72% balanced accuracy across 4,660 news domains with ≥50 daily observations. Performance degrades to ROC AUC 0.78 and 0.68 for domains requiring ≥100 and ≥150 daily observations respectively, driven by reduced training-set size rather than feature quality.
-
The five most important predictive features are: (1) average children per non-leaf tree node, (2) 7-day rolling average of maximum tree breadth, (3) 7-day rolling average of average breadth, (4) average children per parent, and (5) 7-day rolling average of third-party requests. Temporal stability features (rolling means and daily deltas) rank ahead of most static snapshot features, indicating that behavioral consistency over time is more discriminative than point-in-time structure.
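Two of the top features can be sketched directly, assuming the request tree is represented as a simple child-list mapping (the representation and toy tree are illustrative, not the paper's data format):

```python
def tree_features(children):
    """Structural features over a third-party request tree given as
    {node: [child, ...]} rooted at 'root' (illustrative representation)."""
    nonleaf = [kids for kids in children.values() if kids]
    avg_children = sum(len(k) for k in nonleaf) / len(nonleaf)
    # Max breadth: the widest level in a breadth-first traversal.
    breadth, level = 0, ["root"]
    while level:
        breadth = max(breadth, len(level))
        level = [c for n in level for c in children.get(n, [])]
    return avg_children, breadth

tree = {"root": ["a", "b"], "a": ["c", "d", "e"],
        "b": [], "c": [], "d": [], "e": []}
avg_children, max_breadth = tree_features(tree)
```

The rolling-average variants would apply the same per-crawl features over a 7-day window, capturing the behavioral consistency the paper finds most discriminative.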
-
Of 8,004 unique third-party domains identified across 3,410 crawled news sites, 997 appear exclusively on untrustworthy websites and 2,992 appear exclusively on trustworthy ones. Domains disproportionately associated with untrustworthy sites include Yandex, Zamanta, and PayPal; domains exclusive to trustworthy sites are predominantly small-to-medium advertising and analytics actors rather than major platform giants.
-
Trustworthy news sites show dramatically more complex third-party structures than untrustworthy ones: mean MaxBreadth 39.22 vs 19.63, mean ThirdPartyRequests 137.45 vs 74.12, and mean unique third-party domains 44.15 vs 20.31. This finding reverses prior work (Han et al. 2022) and the authors attribute it to untrustworthy sites being under-resourced and optimized for content spread rather than user experience.
-
Scanning 0.91B unique SANs extracted from 3.7B certificates across 17 CT logs revealed 3,330 unique .onion addresses configured by 26,937 domains. After six months, only 2,101 onions (63%) remained reachable, of which 1,505 (72%) had matching clearnet index pages, constituting the effectively enumerable target set for a targeted OLF adversary.
-
Local onion association—periodically downloading the full set of onion associations from a CT-log-based API and performing each lookup locally—produces a traffic pattern from the guard's perspective that is indistinguishable from generic onion service access, eliminating both the OLF fingerprint and the DNS-based Website Oracle attack vector. This approach requires no per-connection clearnet exit circuit and imposes negligible overhead given the current ~1,500 stable O-L site count.
-
OLF reduces an adversary's target anonymity set from roughly 10,000 active onionsites to the ~1,500 stably available O-L sites—nearly an order of magnitude. Because O-L requires an exit circuit with a DNS lookup, a DNS-based Website Oracle further collapses the false-positive rate, making OLF effectively a closed-world attack on the enumerated O-L site list.
-
Circuit fingerprinting from a guard-relay position achieves ≥99.9% accuracy with FPR ≤0.1% for all four Tor circuit types (general, HSDir, introductory, rendezvous) using the Deep Fingerprinting classifier on the first 512 cells, despite Tor's deployed partial defenses. Onion-Location fingerprinting (OLF) combining these circuit classifiers then achieves 98.81–99.87% accuracy (FPR 0.16–1.23%) distinguishing O-L sessions from ordinary clearnet or onion-only visits.
-
Automatic Onion-Location redirect was disabled in Tor Browser 13.0.12 as a direct result of this research, because automatic redirect forces the distinguishable clearnet-then-onion circuit pattern on every visit without user awareness. Manual O-L remains in Tor Browser but is still fingerprintable with the same near-perfect accuracy since the exit→onion circuit sequence is identical whether the redirect is automatic or manually triggered.
-
Censorship enforcement varies dramatically across Iranian ASes. AS58224 (TCI, 3.6M IPs) blocks 89-98% of IPs across DNS injectors and 87.6% for UDP. AS197207 (MCCI, 2.3M IPs) and AS44244 (IranCell, 1.3M IPs) show near-zero censorship (0.15-0.76% across injectors). AS31549 (RASANA, 577k IPs) blocks 97-99% for DNS/HTTP but 64% for UDP. Some IPs—including those belonging to the Iranian President's website and Ministry of Foreign Affairs—are deliberately exempted from bidirectional censorship. Two exempted MFA IPs (109.201.19.184 and 109.201.27.67) appear linked to APT15 (Playful Taurus) C&C infrastructure.
-
IRBlock discovered that 1.7M of 3.3M blocked apex domains (52%) were attributed to blanket suffix-level blocking rules rather than individual domain listings. Examples include regex patterns targeting all Israeli domains (.il TLD), adult content (.porn), and country-coded suffixes (.com.mx, .my.id). Of 87K Tranco-ranked apex domains analyzed, 37% fell into adult content, with entertainment and gambling following. Approximately 1.27M apex domains were jointly censored by both DNS and HTTP filters, while the two filters maintained operationally independent blocklists for a significant fraction of domains.
-
Over 2.5 months (Nov 2024–Jan 15, 2025), IRBlock scanned all 11M Iranian IPv4 addresses daily, finding 6.8M IPs subject to DNS poisoning and HTTP blockpage injection, and 5.4M IPs subject to UDP-based traffic disruption. Testing over 700M FQDNs (500M apex domains) revealed 6M banned FQDNs from 3.3M censored apex domains. Of 537 active ASes in Iran, 485 (90.3%) exhibited blocking for at least 25% of assigned IPs. DNS and HTTP censorship overlapped at >99% of censored IPs; UDP blocking was a strict subset of DNS-censored IPs, affecting ~5M addresses.
-
The HTTP and HTTPS filters of the Great Firewall of Iran (GFI) are now stateful (requiring an initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.
-
The GFI operates three distinct DNS/HTTP injectors with different fake IP addresses (10.10.34.34, 10.10.34.35, 10.10.34.36) and partially overlapping blocklists—mirroring the GFW's triplet-censor architecture. Injector 10.10.34.35 exhibits TTL reflection (injected response TTL = probe TTL − hop count), identical to the GFW. No IP exclusively receives injections from 10.10.34.34 (a smaller, selective component); the two primary injectors 10.10.34.35 and 10.10.34.36 handle the majority of censorship. Different injectors maintain distinct domain blocklists, meaning which domains a user sees as censored depends on routing through their AS.
-
MinecruftPT encodes circumvention traffic steganographically inside the Minecraft Java Edition network protocol, making a censored connection appear to a network observer as an ordinary online Minecraft game session. The cover channel is a high-volume, varied-packet-size TCP protocol with a large and active user population, making statistical fingerprinting harder than for lower-volume cover protocols.
-
MinecruftPT achieves mimicry by implementing enough of the Minecraft protocol to pass as a real client-server game session, not just in header structure but in behavioral sequence. The paper evaluates it under DPI and traffic-shape analysis, finding that faithful protocol mimicry at the behavioral level (packet sequence, message types, timing) is necessary to defeat classifiers that go beyond simple byte-pattern matching.
-
MinecruftPT uses the TCP-based Minecraft protocol rather than a WebRTC/UDP approach. The paper notes this gives it an availability advantage in environments where WebRTC is filtered or where UDP is blocked — a common configuration in corporate or institutional networks and some national censorship regimes. This positions it as complementary to Snowflake in the circumvention transport portfolio.
-
Longitudinal AS topology studies cited by the authors show that 95% of core-to-core AS links remain unchanged year-over-year and that large transit providers adjust their peering only gradually, with almost all churn occurring at the customer edge. This implies that high-usage transit ASes identified for RN proxy deployment are likely to retain their topological position for months to years, lending temporal robustness to placement recommendations derived from a single measurement snapshot.
-
Proxy placement requirements vary dramatically by country topology: Turkmenistan requires just 1 AS for 75% coverage, Oman requires 3, Afghanistan 5, Iran 10, and China 12. Turkmenistan's extreme centralization means a single transit AS intercepts virtually all paths, whereas China's fragmented routing fabric demands far more deployment sites to achieve equivalent coverage.
-
When politically uncooperative ASes are excluded from the candidate pool — specifically Russia's AS12389 and Iranian transit ASes AS49100 and AS198154 — the framework recomputes cumulative coverage over remaining candidates and still identifies viable cooperative deployment sites for Iran. This demonstrates that geopolitical filtering can be incorporated into the placement optimization without losing coverage entirely.
-
For Iran, a greedy cumulative-coverage analysis over 22,799 resolver-to-uncensored-AS paths shows that the top 5 ASes cover 59% and the top 10 ASes cover 76.6% of all DNS resolution paths. AS3257 (GTT Communications) and AS174 (Cogent Communications) each appear in approximately 15.7% of paths and contribute nearly all their usage as unique (non-overlapping) paths.
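The greedy cumulative-coverage analysis is a standard set-cover heuristic. A minimal sketch, with toy resolver-to-uncensored-AS paths represented as sets of on-path transit ASes (the path data below is invented for illustration):

```python
def greedy_placement(paths, k):
    """Greedy cumulative coverage: repeatedly pick the AS covering the most
    not-yet-covered resolver paths, in the spirit of the analysis above."""
    uncovered = {i for i, _ in enumerate(paths)}
    chosen = []
    for _ in range(k):
        best = max({a for p in paths for a in p},
                   key=lambda a: sum(1 for i in uncovered if a in paths[i]))
        chosen.append(best)
        uncovered -= {i for i in uncovered if best in paths[i]}
    return chosen, 1 - len(uncovered) / len(paths)

# Toy resolver->uncensored-AS paths (sets of transit ASes on each path).
paths = [{"AS3257", "AS174"}, {"AS3257"}, {"AS3257", "AS1299"}, {"AS174"}]
chosen, coverage = greedy_placement(paths, 2)
```

Geopolitical filtering (excluding uncooperative ASes) amounts to removing those ASes from the candidate set before the `max` step.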
-
An AS+IXP multigraph fusing CAIDA traceroutes (13.6M paths), 256M BGP updates from RouteViews/RIPE RIS, and IXP membership data yields 87,157 AS vertices, 1,588 IXP vertices, and 510,810 edges — an order of magnitude richer than BGP-only baselines. Hidden private peering links and IXP fabric connections invisible to BGP alone materially affect coverage estimates for refraction networking proxy placement.
-
The proposed system adopts the turbo tunnel architecture to provide a reliability layer over lossy TURN relay paths and to allow traffic reassembly at a single bridge across multiple TURN proxies. Three encapsulation modes are specified: direct application data inside TURN messages, DTLS datagrams via WebRTC data channels, and video frames inside WebRTC media streams — the latter two mimicking the encapsulation strategies of existing WebRTC circumvention systems such as Snowflake and TorKameleon.
-
Snowflake's sustained operation in heavily censored regions demonstrates that WebRTC must remain accessible to users, which in turn requires that TURN servers remain unblocked to support NAT traversal for peer-to-peer WebRTC connections. This transitive unblockability makes TURN service providers viable rendezvous channels for the Bridge Distribution Problem.
-
TURN servers used by major applications such as Facebook Messenger for media relay are hypothesized to be less likely blocked in censored regions due to collateral damage to legitimate WebRTC traffic. Providers like Cloudflare, Metered Video, and ExpressTURN supply geographically distributed TURN infrastructure that can be used without any special configuration by a censorship evasion system.
-
The system targets a threat model where the censor performs passive DPI to fingerprint and block the client-to-TURN-proxy channel, and also conducts active enumeration attacks to discover and block proxy endpoints. The paper explicitly notes that traffic splitting may introduce distinct fingerprints of its own that require empirical evaluation — acknowledging that multi-path approaches are not fingerprint-free.
-
Traffic splitting across N TURN proxies (1 ≤ N ≤ M) is hypothesized to resist active probing because each TURN server responds to probing requests identically to a regular TURN server, providing no distinguishing signal. Additionally, proxy ephemerality combined with splitting allows on-the-fly migration to new proxies when existing ones are blocked, maintaining connectivity even under partial blocking.
-
The paper enumerates five adversarial attack surfaces against a video-steganography UP channel: (1) wholesale blocking of the hosting platform, (2) mass-scanning and blocking encoded videos (noted as generally cost-prohibitive per the steganography literature), (3) enumerating videos via pseudorandom tags (feasible but hampered by tag-list overlap with unrelated content and time-window dynamics), (4) banning accounts posting encoded videos, and (5) tracking anticensorship users viewing encoded content. The pseudorandom tag window design specifically prevents preemptive enumeration because the top-n results for a tag at epoch t differ from those at t±1.
-
UP channels based on free third-party content hosting (video, audio, images, ML models) provide no-cost scalability: steganographic videos once uploaded are free to distribute to arbitrarily many users, and the channel sustains adversarial financial denial-of-service attacks without incurring operator costs. This contrasts with meek, SQS, AMPCache, and Skyhook, which face financial DoS risk because adversaries can drive up hosting costs by using those channels as intended.
-
The paper defines Unauthenticated Push (UP) channels as a distinct archetype from signaling/rendezvous channels, characterized by three properties: strictly unidirectional delivery, no client authentication or account association required, and higher bandwidth (kilobytes to megabytes) to support software updates rather than just minimal proxy-address exchanges. This design deliberately shifts operational-security burden onto senders to approach receiver anonymity.
-
Among surveyed channels, Skyhook, PushRSS, SQS, AMPCache, and Meek satisfy all three UP channel properties (unidirectional, no client auth, higher bandwidth); CloudTransport and Raven do not because they require authenticated user accounts; Tor's email- and Telegram-based bridge distribution also fails the no-auth requirement. The analysis was prompted in part by the 2022 GFW entropy-based blocking event, which required software updates to be pushed to users before fully-encrypted protocols could resume functioning.
-
A concrete UP channel implementation uses keyed steganographic encoding embedded in videos posted to a public hosting service (e.g., flickr.com), addressed via a time-epoch pseudorandom tag generator drawn from publicly known trending-topic lists. Clients query the top-n videos matching the current epoch tag and attempt decryption; real-world video size variability supports data transmissions from a few kilobytes (configuration updates) to megabytes (software updates).
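The time-epoch pseudorandom tag generator can be sketched with a keyed HMAC over the epoch counter; the topic list, key, and tag format here are illustrative assumptions, not the paper's construction:

```python
import hashlib, hmac

TRENDING = ["worldcup", "eclipse", "oscars", "marathon"]  # stand-in topic list

def epoch_tag(key: bytes, epoch: int) -> str:
    """Per-epoch pseudorandom tag: keyed clients derive the same tag,
    while outsiders cannot predict future epochs without the key."""
    digest = hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    topic = TRENDING[digest[0] % len(TRENDING)]  # blend into trending topics
    suffix = digest[1:4].hex()
    return f"{topic}{suffix}"

tag_now = epoch_tag(b"shared-client-key", 2891)
tag_next = epoch_tag(b"shared-client-key", 2892)
```

Because the tag changes every epoch, the top-n search results a censor enumerates at epoch t are stale by t+1, which is what defeats preemptive enumeration.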
-
Three open-source DPI tools (Zeek, libprotoident, nDPI) each fail to identify 93–100% of UPGen flows. libprotoident misidentified 7% of UPGen flows as RTMP; nDPI and Zeek produced zero false labels. On a real-world MAWI/WIDE backbone capture, Zeek failed to recognize 90% of flows and nDPI failed on 67%, confirming that unidentified-protocol traffic is common in the wild, so allowlisting known protocols is infeasible without significant (≥4%) collateral damage.
-
State-of-the-art ML classifiers (Deep Fingerprinting, Decision Tree, Random Forest, nPrintML) trained on known UPGen protocols and benign traffic always incur high out-of-distribution false-positive rates when attempting to block unknown UPGen protocols — in the vast majority of experiments the OOD FPR is 100%. The one exception (SSH OOD, Deep Fingerprinting) achieved a UPGen TPR of only 20%. By contrast, identical classifiers successfully generalize to block unknown Obfs4 flows with near-zero collateral damage in 3 of 4 cases.
-
In laboratory benchmarks, the best UPGen-generated protocol achieves 252 ms TTFB latency (vs 212 ms Obfs4, 313 ms TLS) and 4.25 Gbit/s throughput per core (vs 4.65 Gbit/s Obfs4, 9.42 Gbit/s TLS). The worst-case UPGen protocol (4.5 RTT handshake) reaches 677 ms TTFB but 3.70 Gbit/s throughput. In large-scale distributed Tor simulations, the choice of UPGen protocol had no statistically significant effect on end-to-end Tor flow performance.
-
UPGen's generator samples 18 independent parameters to produce 4.2×10^22 distinct structured encrypted protocols (entropy 38.4 bits). Each proxy is assigned a unique generated protocol, so identifying one protocol exposes only a single proxy. The generator was designed by studying 27 real-world encrypted protocols and sampling from observed structural patterns (greeting strings, handshake patterns, field orderings, key encodings).
-
Combinations of Bayesian methods, data augmentation with mixup, and NOTA defensive padding cut the open-world false positive rate by up to 92% at 0.5 recall on HTTPS-only traffic and 75% on Tor traffic relative to the deterministic MSP baseline. Even with these improvements, sustaining a world size in the hundreds of millions (approaching YouTube-scale) requires accepting recall of 0.5–0.6 and precision of only 0.1–0.2; at precision 0.5 and recall 0.5, the maximum workable world size is only 37.5M for HTTPS-only (Table 3), far below YouTube's ~10 billion video catalog.
-
Extrapolating empirical FPRs using Wang's base-rate-adjusted precision formula (𝜋_r), the best HTTPS-only approach can sustain precision 0.5 at recall 0.5 only up to a world size of 37.5M videos; precision 0.1 at recall 0.5 extends to 337.5M — still short of YouTube's ~10 billion catalog (Table 3). For Tor, the corresponding limits are 4.8M and 42.9M, making dragnet surveillance of unselected users on large platforms effectively infeasible at any acceptable precision with current techniques.
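The world-size extrapolation can be reproduced from the reported FPRs. A sketch under two assumptions consistent with the numbers in these findings: the base-rate-adjusted precision takes the form π_r = TPR / (TPR + r·FPR) with r the unmonitored-to-monitored ratio, and the monitored set is the 60-video closed world reported elsewhere in this batch:

```python
def max_world_size(fpr, tpr=0.5, precision=0.5, monitored=60):
    """Largest catalog size at which base-rate-adjusted precision holds:
    pi_r = TPR / (TPR + r*FPR), solved for r = unmonitored/monitored."""
    r = tpr * (1 / precision - 1) / fpr
    return monitored * (1 + r)

https_w = max_world_size(fpr=0.0000008)               # HTTPS-only, precision 0.5
tor_w = max_world_size(fpr=0.0000063, precision=0.1)  # Tor, precision 0.1
```

With these assumptions the formula recovers the reported limits (~37.5M for HTTPS-only at precision 0.5, ~42.9M for Tor at precision 0.1), both far below a ~10-billion-video catalog.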
-
When a fingerprinting model is trained on traffic collected from one geographic vantage point and tested on traffic from a different continent, the HTTPS-only open-world FPR at 0.5 recall increased by factors ranging from 2.8x (EU-West-2) to 50.3x (Africa) relative to the same-vantage baseline — despite 60-way closed-world accuracy remaining above 0.99 across all vantage-point pairs (Table 5). For Tor traffic the effect was weaker but still reached 25.2x (Asia-Pacific Southeast-1), showing path diversity also disrupts Tor-based fingerprinting.
-
The paper establishes, for the first time in a large open-world scenario (64,000 unmonitored test videos), that HTTPS-only video stream fingerprinting is significantly easier than Tor-based fingerprinting because DASH adaptive bitrate selection introduces a second-order network-condition effect: clients request entirely different video segments at different quality levels depending on path conditions, causing traffic traces from different geographic vantage points to diverge at the application layer even when network conditions are nominally similar. This makes NOTA and synthetic training sample techniques less effective on Tor data due to inherent trace noisiness.
-
Tor provides substantial and measurable protection against video stream fingerprinting: the best-case FPR at 0.5 recall is 0.0000063 for Tor versus 0.0000008 for HTTPS-only connections, roughly an 8x increase. Translating to world sizes, at 0.5 recall and 0.1 precision the maximum viable platform catalog is 42.9M videos over Tor versus 337.5M over HTTPS-only (Tables 3–4), confirming Tor degrades adversary capability even after an assumed prior website-fingerprinting step that identifies video platform visits.
-
Active mid-connection bandwidth throttling (e.g., 100 Mbps → 50 Mbps) cleanly separates BBR from Hysteria and TCP-Brutal: BBR converges to the new rate within a few probing cycles, while Hysteria and Brutal interpret reduced bandwidth as increased packet loss and raise their sending rate further. This active probing technique resolves the BBR ambiguity that passive measurement alone cannot.
-
BBR, a rate-based CCA already available in the Linux kernel, comes close to Hysteria's throughput performance when packet loss is below 20% — the typical range for cross-border Chinese links (5–15%, peak up to 50% per prior studies). Above 20% loss, Hysteria and Brutal maintain a significant throughput advantage over BBR, but the paper finds no compelling justification for custom CCAs given the marginal gains in that regime versus the fingerprinting cost.
-
Custom CCAs that deviate from standard TCP/QUIC congestion response fundamentally contradict the core circumvention principle of traffic indistinguishability: by failing to back off under congestion signals, they produce traffic patterns that diverge from the vast majority of Internet flows that censors value, eliminating the collateral-damage protection that makes circumvention tools hard to block wholesale.
-
Hysteria and TCP-Brutal maintain fixed sending rates regardless of packet loss, causing them to transmit at rates several orders of magnitude higher than loss-based CCAs (TCP/QUIC Cubic) at a 5% packet loss rate on a 100 Mbps link with 60ms RTT. This non-compliance with standard congestion backoff is reliably detectable across RTTs from 15ms to 300ms and loss rates from 0.1% to 20%.
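The gap can be roughly quantified with the Mathis et al. steady-state model for loss-responsive TCP, rate ≈ (MSS/RTT)·√(3/(2p)). This is an upper bound: real Cubic with timeouts degrades further, so the simple model's roughly two-orders-of-magnitude gap at 5% loss understates the divergence from a fixed-rate sender. The MSS and link parameters below are the finding's scenario; the model choice is this sketch's assumption:

```python
import math

def mathis_throughput_bps(mss_bytes, rtt_s, loss):
    """Mathis steady-state upper bound for a loss-responsive TCP sender:
    rate ~ (MSS/RTT) * sqrt(3/(2p))."""
    return (mss_bytes * 8 / rtt_s) * math.sqrt(3 / (2 * loss))

compliant = mathis_throughput_bps(1460, 0.060, 0.05)  # ~1 Mbit/s at 5% loss
fixed_rate = 100e6  # Hysteria/Brutal keep sending at the configured rate
ratio = fixed_rate / compliant
```

Any flow sustaining the configured rate while a compliant sender would collapse is exactly the non-compliance signal the detector keys on.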
-
A two-stage threshold classifier evaluated on 10,080 synthetic flows across 1,260 network condition combinations (20 RTTs × 21 loss rates × 3 bandwidths) achieved 100% accuracy in Stage 1 separating loss-based from non-loss-based CCAs, and produced only 16 false positives from BBR flows in Stage 2, correctly flagging all 1,257 Hysteria and 1,257 Brutal flows as custom CCAs.
-
Shaperd's adaptive blocking-detection mode can integrate with external blockage-detection tools (e.g., Troll Patrol) to detect when a constraint set is no longer effective and automatically switch to an alternate constraint set, changing packet patterns to restore connectivity without user intervention.
-
The GFW detects fully encrypted protocols using ad-hoc rules including the percentage of printable ASCII characters per packet (threshold: over 50%) and the observation that FEP entropy is considerably higher than normal encrypted TLS traffic. These rules are subject to frequent changes, making rigid FEP designs unable to adapt.
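Both reported heuristics are cheap per-packet computations. A sketch, with the sample payloads invented for illustration (a uniformly distributed byte string stands in for an FEP packet):

```python
import math
from collections import Counter

def printable_fraction(payload: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20-0x7E."""
    return sum(0x20 <= b <= 0x7E for b in payload) / len(payload)

def shannon_entropy(payload: bytes) -> float:
    """Bits per byte over the payload's empirical byte distribution."""
    counts = Counter(payload)
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

plaintext = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
fep_like = bytes(range(256))  # stand-in for a uniform FEP ciphertext packet
```

A fully encrypted packet sits near 8 bits/byte with ~37% printable bytes, landing on the wrong side of both thresholds; a shaper like Shaperd must push these statistics back toward the censor's pass region.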
-
Packet timings are a distinct detection vector for circumvention tools beyond payload content and packet lengths, as demonstrated by Wails et al. 2024. Prior FEP-specific shaping work (Fenske et al.) addressed packet lengths but explicitly left timing shaping for future work, leaving a known gap in detection resistance.
-
Shaperd's proof-of-concept prototype (~1000 lines of Go) introduces a minimal 4.1% throughput overhead for a single entropy constraint; the first additional constraint added 5.1% overhead and the second added 5.5%, with total overhead scaling with constraint count and rigor.
-
Shaperd introduces a constraint-agnostic traffic shaping system that operates on both packet content and timing in real time, designed for drop-in integration with any existing FEP. The system uses a four-component constraint definition (function, value, comparison operator, target packets) capable of expressing any rule based on a computable deterministic function over packet contents.
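The four-component constraint form translates naturally into a small data structure. A sketch of that shape (Shaperd itself is Go; this Python rendering and the example printable-ASCII rule are illustrative, not its actual API):

```python
import operator
from dataclasses import dataclass
from typing import Callable

@dataclass
class Constraint:
    """The four-component rule form described above:
    (function, value, comparison operator, target packets)."""
    function: Callable[[bytes], float]       # computable deterministic function
    value: float                             # threshold to compare against
    compare: Callable[[float, float], bool]  # comparison operator
    targets: range                           # which packets in the flow it governs

    def satisfied(self, index: int, packet: bytes) -> bool:
        if index not in self.targets:
            return True  # rule does not govern this packet
        return self.compare(self.function(packet), self.value)

# Illustrative rule: the first 10 packets must be >=60% printable ASCII.
printable = lambda p: sum(0x20 <= b <= 0x7E for b in p) / len(p)
c = Constraint(printable, 0.6, operator.ge, range(10))
ok = c.satisfied(0, b"hello world, mostly text")
```

The shaper's job is then to transform outgoing packets until every active constraint's `satisfied` check passes.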
-
The paper concludes with design guidelines for future FIA-based privacy-enhancing technologies, identifying that path-aware routing in SCION and NDN's in-network caching both create new surveillance exposure: SCION path headers reveal routing metadata to on-path censors; NDN caching at routers means content is replicated at points under censor control. The authors recommend that PETs built on FIAs treat these architectural features as threat vectors, not privacy benefits.
-
Wrana et al. systematically assess how well existing surveillance and censorship mechanisms can target users of Future Internet Architectures (FIAs) — including NDN, SCION, XIA, and MobilityFirst — finding that DPI and flow-correlation techniques from the current internet map onto FIA traffic with moderate adaptation. The paper identifies that FIA naming/addressing schemes introduce new censorship attack surfaces (e.g., content-name-based filtering in NDN) not present in IP-based architectures.
-
Since August 2023, Henan Province has operated its own TLS SNI-based and HTTP Host-based censorship middleboxes that inspect and block traffic exiting the province—a second filtering layer on top of the national GFW. The Henan Firewall is fingerprinted by a unique TCP RST+ACK injection carrying a fixed 10-byte payload (0x01 02 03 04 05 06 07 08 09 00), IP ID 0x0001, and an observed TTL of 58. Unlike the GFW, it injects resets only toward the client, performs no residual censorship, and requires no TCP handshake to trigger. Longitudinal testing (Nov 2023–Mar 2025, Tranco top 1M daily + 227M CZDS domains weekly) found the Henan Firewall blocked a cumulative 4.2 million domains—more than five times the GFW's cumulative blocklist—and at peak blocked ten times more domains than the GFW.
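The injection fingerprint reported above can be matched with a simple check. The fixed payload, IP ID, and RST+ACK flags come from the finding; the function name, the string flag encoding, and the loose TTL band are our illustrative choices (the observed TTL of 58 varies with vantage-point hop count).

```python
# Hedged sketch of a detector for the Henan Firewall's injected reset.

HENAN_PAYLOAD = bytes([0x01, 0x02, 0x03, 0x04, 0x05,
                       0x06, 0x07, 0x08, 0x09, 0x00])

def is_henan_reset(tcp_flags: str, payload: bytes, ip_id: int, ttl: int) -> bool:
    """Match a client-bound segment against the reported fingerprint:
    RST+ACK flags, the fixed 10-byte payload, IP ID 0x0001, TTL near 58."""
    return (tcp_flags == "RA"            # RST+ACK
            and payload == HENAN_PAYLOAD
            and ip_id == 0x0001
            and 50 <= ttl <= 64)         # loose band around observed TTL 58
```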
-
The Henan Firewall only inspects traffic leaving Henan Province toward the rest of the world—it does not inspect domestic intra-China traffic nor inbound traffic entering the province. This contrasts with the GFW, which operates bidirectionally at China's national border. Measurement across seven CN cities (Beijing, Shanghai, Chongqing, Guangzhou, Nanjing, Chengdu, Zhengzhou) found no evidence of comparable provincial firewalls in the other six locations, making Henan the only documented province with an autonomous censorship layer as of March 2025. The Henan Firewall also uses the same blocklist for both HTTP Host-based and TLS SNI-based censorship, whereas the GFW maintains separate domain lists per protocol.
-
The Henan Firewall is stateless in two exploitable ways: (1) it requires the TCP header to be exactly 20 bytes—enabling any TCP option (e.g., TCP Timestamps, which Windows disables by default) to bypass it entirely; (2) it does not perform TCP reassembly, so splitting a TLS ClientHello across two TCP segments such that the SNI extension straddles the boundary bypasses the censor. Both bypasses require only client-side changes and have already been implemented in Xray, GoodbyeDPI, and Shadowrocket. TLS record fragmentation (splitting the ClientHello across multiple TLS records within one TCP segment) also defeats both the Henan Firewall and the GFW, since neither performs TLS reassembly.
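Bypass (2) amounts to choosing a TCP segmentation boundary inside the SNI byte range. The sketch below locates the hostname with a naive byte search for illustration; a real client (as in Xray or GoodbyeDPI) would compute the cut point from the parsed ClientHello extension layout rather than searching raw bytes.

```python
# Sketch of the SNI-straddling bypass: split a TLS ClientHello across two
# TCP segments so a censor that does not reassemble never sees the hostname.

def split_straddling_sni(client_hello: bytes, sni: bytes):
    """Return two byte chunks to send in separate TCP segments, with the
    cut point falling mid-hostname."""
    start = client_hello.find(sni)
    if start < 0:
        raise ValueError("SNI not found in ClientHello")
    cut = start + len(sni) // 2          # cut inside the hostname
    return client_hello[:cut], client_hello[cut:]
```

The reassembled stream is byte-identical to the original, so the server handshake proceeds normally while neither segment alone contains a matchable SNI.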
-
Per-flow RTTdiff detection rates are only ~20% because the majority of proxy flows connect to CDN-cached content (Cloudflare, Google, Fastly) that sits within 5ms of the proxy, suppressing the discrepancy. However, aggregating across flows per website visit yields detection rates exceeding 70%—approximately 80% of top-5K domains generate at least one detectable flow—with half of those detections made within the first 60 packets. This means an adversary can reliably expose client and proxy IPs after just a few website visits.
-
The paper evaluates two short-term mitigations—TCP delayed ACK on the proxy server and connection multiplexing—but finds both are limited: delayed ACK produces atypical ACK timing that may itself be fingerprintable, and multiplexing only adds entropy without eliminating the RTTdiff signal. Critically, obfs4 and ScrambleSuit's delay-based timing obfuscation are described as 'fundamentally limited' because they manipulate inter-arrival times without eliminating the underlying transport/application-layer session misalignment. The paper concludes no existing obfuscation scheme provides a principled defense against timing-based proxy fingerprinting.
-
IMAP/SSL traffic on port 993 constitutes less than 1% of total ISP traffic but accounts for nearly one third of all false positives in the RTTdiff exploit, because IMAP's non-RESTful multi-connection pattern violates the request-response correlation assumption. The overall per-flow FPR is bounded at 0.6–0.7% (on par with GFW's estimated FPR against fully-encrypted proxies), but implementing a pre-filter to whitelist IMAP traffic reduces the FPR by approximately one third, making the fingerprint substantially more precise.
-
Proxy users who resolve DNS locally (at the client) are approximately twice as susceptible to RTTdiff fingerprinting compared to users who resolve DNS at the proxy, across all tested client/proxy location combinations. Local DNS returns IPs optimally reachable from the client's region, which may be geographically distant from the proxy, increasing the proxy-to-server path distance and thus the RTTdiff discrepancy.
-
Cross-layer RTT discrepancy (RTTdiff) is a protocol-agnostic fingerprint that exploits an inherent architectural property of all proxy setups: transport-layer sessions terminate at the proxy while application-layer sessions remain end-to-end. Evaluation across 10 proxy protocols—including VMess, Shadowsocks, VLESS, Trojan, XTLS-Vision, and obfs4-wrapped SOCKS—shows near-identical detection rates for all except obfs4, confirming the fingerprint is not tied to any specific obfuscation scheme. At FPR=0.01, per-website detection rates exceed 70% across all tested client and proxy location combinations.
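The core of the fingerprint is a subtraction: the transport-layer RTT (handshake terminating at the proxy) versus the application-layer RTT (request/response traversing proxy plus origin). The sketch below shows only that rule shape; the 5 ms threshold echoes the CDN-proximity figure mentioned in the related findings and is illustrative, not the paper's calibrated detection parameter.

```python
# Minimal sketch of the RTTdiff cross-layer discrepancy.

def rtt_diff(transport_rtt_ms: float, app_rtt_ms: float) -> float:
    """Application-layer RTT minus transport-layer RTT, in milliseconds.
    A direct connection yields ~0; a proxied one leaves a positive gap
    equal to the proxy-to-origin path delay."""
    return app_rtt_ms - transport_rtt_ms

def flags_as_proxied(transport_rtt_ms: float, app_rtt_ms: float,
                     threshold_ms: float = 5.0) -> bool:
    """Flag a flow when the cross-layer gap exceeds the threshold.
    CDN-cached origins within ~5 ms of the proxy suppress the gap, which
    is why per-flow detection is weak but per-website aggregation is strong."""
    return rtt_diff(transport_rtt_ms, app_rtt_ms) > threshold_ms
```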
-
The computational cost of decrypting QUIC Initial packets limits the GFW's throughput: blocking effectiveness drops measurably as cross-border QUIC traffic increases and exhibits a diurnal pattern, falling during China's peak traffic hours. In a controlled experiment, sending QUIC Initial packets at 100–1500 kpps (TTL-limited so they reach the GFW but not end-hosts) caused GFW censorship effectiveness to decrease monotonically with sending rate, while equal-rate random-payload UDP traffic produced no such degradation—confirming the bottleneck is QUIC decryption, not raw bandwidth. A related availability attack using IP-spoofed QUIC Initials from one machine can cause the GFW to drop all UDP traffic between arbitrary Chinese hosts and any foreign endpoint for the 180-second residual window.
-
Since April 7, 2024, the GFW decrypts every QUIC client Initial packet at China's national border and blocks connections whose TLS ClientHello SNI matches a QUIC-specific blocklist. Blocking takes the form of dropping all subsequent UDP packets sharing the same (src-IP, dst-IP, dst-port) 3-tuple for 180 seconds—with no RST injection. The GFW applies a source-port heuristic: packets with src-port ≤ dst-port are not inspected, capturing >92% of real QUIC client Initials while processing only ~30% of all UDP traffic. The QUIC blocklist contains 58,207 unique FQDNs (Tranco, Oct 2024–Jan 2025), approximately 60% of the DNS blocklist in size; 33% of blocked FQDNs do not actually support QUIC, suggesting the list was derived from an existing domain-name blocklist rather than live QUIC service discovery.
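The source-port heuristic is a one-line pre-filter, sketched below with illustrative names. Since real QUIC clients almost always send from a high ephemeral port toward udp/443, the src-port > dst-port rule captures most genuine client Initials while letting the censor skip the majority of UDP traffic.

```python
# Sketch of the source-port pre-filter attributed to the GFW's QUIC censor.

def gfw_inspects(src_port: int, dst_port: int) -> bool:
    """Per the finding above, packets with src-port <= dst-port are skipped;
    only the remainder are decrypted as candidate QUIC client Initials."""
    return src_port > dst_port
```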
-
The GFW's QUIC censor does not reassemble QUIC client Initial packets that are split across multiple UDP datagrams, nor does it reassemble QUIC CRYPTO frames split within a single datagram. Three practical bypasses follow: (1) send any UDP datagram with a random payload before the QUIC Initial—the GFW uses 60-second UDP flow state and won't inspect a mid-flow packet; (2) fragment the TLS ClientHello SNI across multiple QUIC CRYPTO frames; (3) use an unknown QUIC version number in the first packet (Version Negotiation bypass, payload undecryptable). Chrome independently exploits (2) through its Chaos Protection feature (since 2021) and post-quantum Kyber key-agreement (since v124, Sep 2024), whose larger key sizes force fragmentation across UDP datagrams. As of January 2025, the GFW also does not block ECH-containing QUIC payloads unless the outer (cleartext) SNI is on the blocklist.
-
Because WATER uses a sing-box-compatible interface, a single WASM transport module written once is immediately usable by any application that embeds the WATER host runtime — including lantern-box (Lantern's proxy SDK), any other sing-box-derived client (33k+ GitHub stars as of 2024), and standalone WATER host binaries. This gives each new transport a substantially larger deployment surface than a single-app pluggable transport achieves.
-
WATER (WebAssembly Transport Executables Runtime) defines a pluggable-transport architecture in which the transport logic is compiled to a WASM module that is loaded and executed at runtime by a thin Go host process. This separates the stable host ABI (dial, accept, read, write) from the rapidly-evolving transport logic, allowing new or updated transports to be delivered as small WASM binaries without recompiling or redeploying the host application.
-
The paper proposes a black-box methodology for detecting censorship bias in LLMs by comparing responses to identical prompts in Simplified vs. Traditional Chinese — scripts for the same spoken language — controlling for translation quality while exploiting that Simplified Chinese training data is disproportionately sourced from mainland China's censored internet. Each prompt is repeated ten times and scored for similarity to censored text using an XLM-RoBERTa classifier fine-tuned on Baidu Baike (censored) vs. Chinese Wikipedia (uncensored) with scores from 0 to 1.
-
Of 326 websites known to adhere to CCP censorship laws — including Chinese government sites and state media — 325 were found indexed in the Common Crawl dataset commonly used to train major LLMs including GPT-3. Only the official government site of Macao (www.gov.mo) was absent, indicating that LLM training corpora are broadly contaminated with CCP-censored content.
-
Because LLMs such as ChatGPT (over 100 million weekly active users) reflect CCP information-control requirements when prompted in Simplified Chinese, they effectively export Chinese domestic censorship to diaspora communities and non-China-based Chinese speakers worldwide — extending the reach of information manipulation beyond any jurisdiction where Chinese censorship law applies.
-
Exploratory testing of GPT-3.5 Turbo showed significant response divergence between Simplified and Traditional Chinese prompts on politically sensitive topics. Simplified responses glossed over or omitted details on Tiananmen Square casualties, Uyghur genocide allegations, Taiwan's sovereignty status, and Xi Jinping's human rights record; Traditional Chinese responses described these topics in substantially more critical and detailed terms.
-
IoT devices pose the primary false-positive risk: many IoT devices (printers, smart bulbs, cameras, vacuum cleaners) maintain very few sessions with a small number of fixed cloud IPs — behaviorally similar to a VPN client. In the CIC IoT 2022 dataset, only 2 devices were misclassified (a Google Nest Cam connecting to nexusapi-us1.dropcam.com and a device using Alibaba cloud) out of the full dataset with WINDOW=300 s and T=500 packets.
-
The threat model requires no DPI and was fully implemented as a Linux kernel module on a NETGEAR R6120 with only a 580 MHz processor, 16 MB ROM, and 64 MB RAM, adding negligible overhead. Unlike ML-based or DPI-based VPN classifiers, the statistical model operates pre-NAT on per-device private IP flows, making it immune to obfuscation techniques that alter packet payloads or disguise protocol handshakes.
-
A passive, router-level VPN fingerprinting technique exploits the design convention that all user traffic is tunneled to a single VPN server IP. By counting packets per device-to-IP session at the home router and flagging sessions where PACKETS_COUNT exceeds threshold T=500 within WINDOW=300 seconds, the method achieved a 100% detection rate for all VPN implementations that route all traffic through one server, with zero false positives across uncontrolled 4-day experiments.
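The counting rule can be sketched as a per-(device, destination) tumbling-window counter. The WINDOW=300 s and T=500 figures come from the finding; the tumbling-window reset, class shape, and names are our simplification of the paper's session accounting, not its implementation (which runs as a Linux kernel module).

```python
# Sketch of the router-side single-destination VPN heuristic.

WINDOW = 300.0   # seconds
T = 500          # packets

class SessionCounter:
    def __init__(self):
        self.counts = {}   # (device_ip, dst_ip) -> (window_start, count)

    def observe(self, device_ip, dst_ip, now):
        """Record one packet; return True when the session looks like a
        single-destination VPN tunnel (count exceeds T within WINDOW)."""
        key = (device_ip, dst_ip)
        start, count = self.counts.get(key, (now, 0))
        if now - start >= WINDOW:
            start, count = now, 0   # window expired: counter resets — the
                                    # loophole Kaspersky's 300 s keepalive
                                    # interval happened to exploit
        count += 1
        self.counts[key] = (start, count)
        return count > T
```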
-
The authors propose two countermeasures: (1) widespread adoption of traffic splitting so not all user traffic is routed through a single VPN tunnel, neutralizing the single-destination session signature; and (2) VPN servers should rotate at random intervals so that no prolonged session to one IP accumulates enough packets to trigger the threshold T.
-
Testing 9 popular VPN providers (ProtonVPN, Hide.me, Turbo VPN, Kaspersky VPN, Hotspot Shield, Secure VPN, Fast VPN Pro, VPN Super, VPN Gate), 7 were successfully detected. Kaspersky VPN evaded detection because it exchanged keepalive packets with a secondary server exactly every 300 seconds, matching the chosen WINDOW and causing the session counter to reset. Hotspot Shield evaded because of previously documented traffic leakage, in which not all traffic is tunneled.
-
Snowflake has been deployed in Tor Browser and Orbot for several years and served as a significant circumvention tool during the Russia 2021 network disruptions and Iran 2022 protests. The paper documents a history of deployment and blocking attempts, providing empirical evidence that the ephemeral WebRTC proxy design has sustained availability under real censor pressure across multiple high-profile events.
-
Snowflake's blocking resistance rests on a large, constantly changing pool of volunteer WebRTC proxies implemented as lightweight JavaScript browser extensions or web pages. Because the proxy population is in constant churn and new addresses appear faster than censors can enumerate and block them, IP-list blocking is structurally ineffective. The system is designed so that when an in-use proxy goes offline, the client seamlessly migrates to another with no disruption to upper network layers.
-
Snowflake proxies are simple enough to run as JavaScript inside a web page or browser extension, making them far cheaper to operate than a traditional VPN or proxy server. This low operational cost enables a large volunteer pool (orders of magnitude more participants than server-hosted bridge networks), which is the structural property that makes IP enumeration hard for censors.
-
Majority-vote ML inference (OCSVM + IF) over OONI data uncovered at least 5 previously undocumented DNS injection IPs active in Russia (e.g., 195.19.90.226, 95.167.13.51, 61.95.167.13.50, 188.19.132.154, 144.85.142.29.248) absent from OONI's existing blocking-fingerprints database, along with novel fingerprints in Italy, Czech Republic, and the UK. Records with fewer than 50 instances were excluded as a conservative false-positive filter.
-
XGBoost trained on a single month of OONI data achieves near-optimal performance; expanding the training window to 24 months produces deviations of only 0–5 percentage points (pp) for FNR, 0.07 pp for FPR, and 0.10 pp for accuracy — suggesting that larger windows introduce noise and overfitting rather than improving detection. Isolation Forest performance degrades more sharply, with accuracy dropping ~5 pp as training data grows beyond 6 months.
-
For the Isolation Forest model, resolver ASN (SHAP importance 0.237) and probe ASN (0.220) are the two most predictive features for DNS tampering, reflecting that censorship is topologically concentrated at specific network vantage points. For XGBoost, headers_match dominates (0.317), followed by asn_control_match (0.177), indicating that supervised models rely more on cross-layer consistency signals. DNS tampering represents only 0.5–0.8% of all OONI measurements across 2022–2023 (Figure 2), creating severe class imbalance in any training set.
-
XGBoost achieves a False Positive Rate of 0.0005, True Positive Rate of 0.9403, and overall accuracy of 0.9991 on OONI global DNS measurement data (2.5% stratified sample), vastly outperforming unsupervised alternatives: Isolation Forest achieves FPR 0.1321 / ACC 0.8699, and One-Class SVM degrades to FPR 0.9711 / ACC 0.0598, making OCSVM effectively unusable for this task.
-
Because Oscur0 starts with 0-RTT data lacking a full handshake, the station-side connection establishment is vulnerable to replay attacks. Oscur0 mitigates this by including a random 10-byte nonce in the encrypted application data of the first packet; the station checks each arriving nonce against a bloom filter of recently-seen IDs and drops duplicate connections, preventing replay without requiring a full round-trip handshake.
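The replay defense reduces to a freshness check on the first packet's nonce. The 10-byte nonce length comes from the finding; in the sketch below a plain set stands in for the station's bloom filter of recently seen IDs (a bloom filter trades exact membership for bounded memory, at the cost of occasionally rejecting a fresh nonce).

```python
import os

# Sketch of Oscur0's replay defense: drop any first packet whose nonce has
# already been seen. A set replaces the paper's bloom filter for clarity.

NONCE_LEN = 10

def new_nonce() -> bytes:
    """Random nonce carried inside the encrypted application data."""
    return os.urandom(NONCE_LEN)

class ReplayFilter:
    def __init__(self):
        self.seen = set()

    def accept(self, nonce: bytes) -> bool:
        """Accept a connection-opening packet only if its nonce is fresh."""
        if len(nonce) != NONCE_LEN or nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True
```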
-
Testing from a VPS in Iran showed that standard DTLS handshakes are blocked at that vantage point, but Oscur0 avoids this blocking by transmitting only Application Data packets (with Connection ID extension per RFC 9146) after the initial one-shot setup packet, never completing a visible DTLS handshake. A proof-of-concept was implemented in approximately 600 lines of Go using the pion/dtls library.
-
Oscur0 eliminates Conjure's separate registration phase by steganographically encoding ECDH public key, phantom IP, and transport parameters into the encrypted application data of the first UDP (DTLS 1.2 with Connection ID) packet sent to the phantom IP, using Elligator encoding to make the public key indistinguishable from random bytes. This removes several round trips — registration, TCP handshake, and application handshake — compared to standard Conjure, and means censors cannot block the scheme by blocking registration alone.
-
Registration-dependent Refraction Networking schemes such as Conjure create multiple single points of failure: censors can block registration channels independently of phantom connections. Domain fronting, a primary registration channel, has been progressively banned by major CDNs — Microsoft Azure in 2021 and Fastly in early 2024 — reducing its viability as a covert registration mechanism.
-
Prior circumvention transports that tunneled over VoIP or voice-conferencing software were identifiable to censors by their TCP retransmission fingerprint: real VoIP applications do not retransmit dropped packets in the same way, making the covert channel's reliability mechanisms a distinguishing artifact. DTLS and QUIC avoid this because they natively support both fault-tolerant and sequential delivery modes without external indicators of which mode is active.
-
WATMs are designed to be generic: any application that embeds the WATER host runtime can use the same WATM binary without modification. This means a single successfully deployed transport module reaches users of every WATER-enabled application simultaneously, collapsing the per-app porting effort that traditionally delays circumvention tool updates.
-
WATER (WebAssembly Transport Executables Runtime) separates transport logic from the host application by compiling it to a WASM module (WATM) that is distributed and loaded independently at runtime. Deploying a new or updated circumvention technique requires only distributing the new WATM binary and optional configuration — no change to the host application and no app-store update cycle is required.
-
Traditional circumvention tool development and deployment is slow because new strategies must be developed, integrated into each tool separately, and then distributed via platform app-stores. WATER's WASM module architecture specifically addresses this asymmetry: censors evolve blocking techniques quickly, while circumventors are bottlenecked by binary release cycles. The paper argues that dynamic WATM delivery breaks this bottleneck by decoupling transport updates from application releases.
-
A decade of ZMap-based studies has produced documented operational norms including blocklist hygiene (organizations can opt out of scans via ZBlocklist) and ethical rate-limiting practices. The same blocklist infrastructure that protects opt-out organizations also provides a model for reducing proxy infrastructure visibility.
-
Cloud-hosted services represent an open measurement problem for ZMap because IPs are shared, ephemeral, and behind CDN layers, making traditional IP-to-service attribution unreliable. The paper identifies reconciling scan-based observation with cloud infrastructure as a key challenge for the next decade.
-
A decade of Internet-wide scanning practice has established that cloud-hosted services present a fundamental measurement ambiguity: IP ownership is ephemeral and shared, making per-IP findings unreliable and complicating the attribution of services to specific operators or censors.
-
IPv6 measurement remains an open problem for ZMap because the address space is too large for exhaustive single-packet enumeration, unlike IPv4. This asymmetry means IPv6-addressed infrastructure is structurally harder to enumerate via blocklisting.
-
LZR, built on top of ZMap, can identify 99% of unexpected Internet services in five handshakes by acting as a shim between ZMap and ZGrab. This gives censors and researchers alike an efficient active-probing primitive to fingerprint proxy protocols at scale.
-
ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes on a gigabit connection; with a 10 GigE connection and PF_RING, the same scan completes in 5 minutes. This makes Internet-wide enumeration of proxy infrastructure operationally trivial for any well-resourced actor.
-
After a decade of ZMap-based measurement, the authors identify IPv6 scanning as an unresolved open problem: the vastly larger IPv6 address space makes exhaustive scanning infeasible, fundamentally changing the threat model for service discovery compared to IPv4.
-
CenDTect (Tsai et al., NDSS 2024) uses decision trees and a novel clustering method on Censored Planet plus OONI data to identify blocking policies and provide interpretable insights at local and country levels. A separate approach (Duncan & Chen, 2023) applies sequence-to-sequence models and CNN image classification — treating network reachability data as grayscale images — to distinguish censored from uncensored content.
-
Brown et al. (2023) combined supervised ML models trained on expert-labeled data with unsupervised models establishing a baseline of 'normal' behavior to detect DNS-based censorship from Satellite and OONI datasets, achieving high true-positive rates for both known and new DNS censorship instances. The hybrid supervised/unsupervised approach is proposed as a template for the LLM-based system.
-
The proposed LLM-based censorship detection system plans to use ICLab as the primary dataset for its semantic richness across all network-stack levels, then cross-reference with OONI and Censored Planet to reduce false negatives. The paper explicitly notes ICLab lacks the scale and geographic coverage of OONI/Censored Planet but offers richer per-measurement context suited to LLM feature learning.
-
The daily volume of network reachability data collected by censorship monitoring platforms such as ICLab, OONI, and Censored Planet surpasses the 16 GB Books Corpus and English Wikipedia that BERT was trained on. This scale mismatch motivates applying LLMs — which thrive on large unlabeled corpora — to censorship measurement data rather than hand-labeling for rule-based systems.
-
Rule-based censorship detection systems rely on predefined regular expressions designed by human experts and fail to adapt to evolving censor techniques, leading to false negatives and poor scalability as data volume grows. In contrast, learning-based models are described as thriving on large data volumes and offering contextual understanding that rule-based systems lack.
-
For Tier 2 apps (IP geo-blocking only), using a VPN with a foreign endpoint was sufficient to restore access. For Tier 1 apps (SIM + IP geo-blocking), the authors confirmed that (1) removing the Indian SIM card and accessing via WiFi, or (2) intercepting HTTP traffic with a MITM proxy to suppress or rewrite the carrier_region=IN parameter, fully bypassed server-side censorship. The authors note that Indian users primarily rely on mobile Internet, making SIM removal impractical as a user-facing solution.
-
Across four major Indian ISPs (Reliance Jio, Airtel, Vodafone-Idea, and ACT) cumulatively serving more than 95% of Indian clients, the authors found zero network-level interference with 220 banned Chinese apps. DNS resolved to legitimate addresses, TCP and TLS handshakes completed successfully with actual app servers, and responses were served directly by app publishers — not by ISP middleboxes.
-
After India imposed a permanent ban in January 2021, seven of the eight previously SIM-only-blocked apps escalated to dual-factor filtering: they continued extracting carrier_region=IN from the SIM card while simultaneously adding IP geo-blocking. Accessing these apps now requires both a VPN (for source IP masking) and SIM removal or carrier_region parameter suppression; MICO Chat remained the sole app using only SIM-based blocking.
-
Seven of the 220 banned apps (Tier 1, including TikTok, Likee, Kwai, UC Browser, FaceU, Hago, and V-Fly) used the Android TelephonyManager.getSimCountryISO() API to read the primary SIM's country code and embed a carrier_region=IN parameter in HTTP requests, enabling server-side identification and blocking of Indian users regardless of source IP or VPN state. A dual-SIM phone with an Indian SIM in the secondary slot only (primary empty or non-Indian) bypassed the check.
-
India's app-filtering architecture is three-tiered: 136/220 apps (Tier 3) are inaccessible only via official app stores and trivially accessible after sideloading; 23 apps (Tier 2) additionally enforce IP geo-blocking; and 7 apps (Tier 1) combine IP geo-blocking with SIM-based locale detection. One outlier, ChessRush, restricted content at CDN edge servers serving Indian users, requiring both a foreign source IP and a foreign CDN edge server (via foreign DNS resolver) to bypass.
-
The encapsulated TCP three-way handshake (3WHS) is detected in 80.59% of VPN flows but only 0.33% of plain UDP flows, making it—on its own—a near-practical VPN detector with 0.33% FPR; its presence is required by the classifier regardless of the compliance-rate threshold t.
-
ML-based VPN classifiers report FPRs of 1.4–5.5%, all exceeding the GFW's estimated practical threshold of 0.6%, while the simple RFC-heuristic approach achieves 0.11%; this indicates that real-world censors are more likely to adopt lightweight heuristic detectors than opaque ML pipelines.
-
Random padding alone raises the classifier FPR only slightly (0.11% to 0.15%), and connection multiplexing alone raises it to 0.53%; combining both defenses, however, raises FPR to 2.57% at a TPR of 93.40%, making the detector impractical for a real-world censor.
-
A protocol-agnostic classifier that identifies RFC-mandated TCP behaviors (three-way handshake, delayed ACK within 500 ms, acknowledgement every 2×RMSS of data) leaking through UDP-based VPN tunnels achieves a false positive rate of 0.11–0.29% on real campus traffic, an order of magnitude lower than ML-based VPN detection techniques (FPR 1.4–5.5%) and on par with the GFW's estimated heuristic FPR of 0.6%.
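The decision rule has two parts: the encapsulated handshake is mandatory, then a compliance-rate threshold t over the remaining RFC behaviors applies. The sketch below shows only that rule shape; the behavior checks themselves are stubbed out as counts, and the default t=0.5 is an illustrative placeholder, not the paper's calibrated value.

```python
# Hedged sketch of the RFC-heuristic classifier's two-part decision rule.

def classify_vpn(saw_3whs: bool, behaviors_observed: int,
                 behaviors_checked: int, t: float = 0.5) -> bool:
    """Flag a UDP flow as a tunneled-TCP VPN when an encapsulated
    three-way handshake was seen AND the fraction of other RFC-mandated
    behaviors observed (delayed ACKs, 2xRMSS acks) reaches threshold t.
    The handshake is required regardless of t."""
    if not saw_3whs or behaviors_checked == 0:
        return False
    return behaviors_observed / behaviors_checked >= t
```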
-
Web browsing VPN traffic achieves only 32.35–42.44% TPR—far below SSH (99.43–99.56%) and file transfer (83.95–99.73%)—because DNS queries interleaved with TCP streams disrupt detection of the encapsulated 3WHS, confirming that connection multiplexing is a naturally occurring and effective evasion for web-browsing workloads.
-
GFWeb discovered that the GFW's bidirectional blocking is not symmetric: certain domains trigger blocking only when probed from inside China, not from outside. This overturns the prior assumption that the GFW blocks the same domains symmetrically in both directions. The paper also documents that the GFW has been upgraded to fix previously-reported evasion techniques, including overblocking mitigation and improved fragmented-packet reassembly, indicating active engineering iteration on the censor side.
-
GFWeb tested 1.02 billion domains against the GFW over 20 months and discovered 943,000 pay-level domains blocked by HTTP filters and 55,000 by HTTPS filters — the largest GFW blocklist dataset ever published. The HTTP-to-HTTPS ratio (17:1) confirms that the GFW's HTTPS keyword-based and SNI-based blocking covers far fewer domains than its HTTP host-header blocking, likely because HTTPS blocks carry higher collateral-damage risk.
-
Longitudinal GFWeb data spanning 20 months shows the GFW actively patched previously-published evasion findings during the measurement period: overblocking bugs reported in academic papers were fixed, and fragmented-packet reassembly failures that researchers used to bypass blocking were corrected. This demonstrates that the GFW operator monitors published research and iterates on the system in response to disclosed vulnerabilities.
-
An attacker who generates 10 defended copies of each training trace (re-sampling noise each time) improves Tik-Tok accuracy against DeTorrent from 31.9% to 48.2%, demonstrating that dataset augmentation with multiple defended samples is a practical countermeasure against randomized padding defenses including DeTorrent and FRONT.
-
Against the state-of-the-art DeepCoFFEA flow-correlation attacker, FC-DeTorrent reduces the true positive rate at a 10^-5 false positive rate to approximately 0.12 — less than half that of the next-best defense Decaf (TPR ≈ 0.29) — while using 97.3% bandwidth overhead, without delaying any real traffic packets.
-
DeTorrent exhibits strong diminishing returns in the bandwidth-performance tradeoff: increasing the dummy-download budget from N=1,000 to N=3,000 reduces Tik-Tok accuracy by ~19.1 percentage points, while a further increase from N=5,000 to N=7,000 yields only an additional 4.9-point reduction (accuracy floor near 20.8% at ~210% overhead). At the lowest tested budget (~40% overhead) Tik-Tok accuracy is still only 52.8%.
-
DeTorrent is implemented as a Tor pluggable transport on top of the WFPadTools/Obfsproxy framework and deployed against live Tor traffic; a modest VPS with 4 GB RAM and 2 vCPUs running at under 50% CPU utilization can defend five simultaneous connections in real time with no GPU required. Performance drops only 0.7% when the generator is trained on one dataset partition and tested on another.
-
DeTorrent reduces closed-world Tik-Tok attack accuracy from 93.4% to 31.9% on the BE dataset — 10.5 percentage points better than the next-best padding-only defense (FRONT at 42.4%) — and reduces Deep Fingerprinting accuracy from 94.3% to 30.0%, at a bandwidth overhead of 98.9%. On the larger DF dataset, Tik-Tok accuracy falls from 97.7% to 79.5%.
-
NetShuffle targets edge networks — small autonomous systems and entities that obtain IP address blocks from upstream providers — as a new class of support base for circumvention infrastructure. This class has received scant attention from prior work, which has focused on cloud providers and volunteer desktop machines. Edge networks represent a large pool of diverse IP space that is harder to block via ASN blackholing compared to a small number of major cloud providers.
-
NetShuffle decouples regular proxy services (e.g., HTTPS proxies, Tor bridges) from their network addresses via continuous in-network change using programmable switches at edge networks. Because the network location of a proxy is in constant flux, blocking by IP or address enumeration becomes structurally ineffective: the proxy service itself is unchanged but its visible address rotates continuously.
-
NetShuffle was prototyped in testbed environments and operated on a live campus network for more than one month. The evaluation shows that the in-network address shuffling provided by programmable switches is transparent to both services and clients and incurs negligible performance overhead, validating the drop-in appliance deployment model.
-
SpotProxy's active fleet-management algorithm continuously searches for cheaper Spot and regular VM instances and migrates the proxy fleet to lower-cost options. The paper demonstrates that this approach yields significant cost savings compared to operating a fixed fleet of on-demand instances, while simultaneously improving anti-blocking properties through higher IP churn.
-
SpotProxy exploits cloud Spot VMs — instances backed by excess capacity that can be reclaimed at any moment and re-spawned at new IP addresses — to create a high-churn proxy fleet. The observation is that Spot VM preemption, which is an operational liability for normal workloads, is a circumvention asset: it continuously refreshes proxy IP addresses, making censor enumeration and blocklisting structurally ineffective.
-
SpotProxy adapts both WireGuard and Snowflake to work with its active proxy migration mechanism, demonstrating that the approach is protocol-agnostic. The active migration mechanism allows clients to move between proxies seamlessly without performance degradation or connection disruption when a proxy is replaced — a requirement for any high-churn proxy infrastructure.
-
Alternative DNS resolvers trivially circumvent EU sanctions enforcement: third-party providers such as Google Public DNS and Cloudflare DNS implement no sanctions filtering regardless of user location, meaning any user who can switch their resolver can bypass most enforced blocks. The paper concludes that 'as long as a user can utilize an alternative DNS resolver, they would be able to bypass most sanctions enforcement.'
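The bypass the paper describes amounts to pointing queries at a resolver that does no sanctions filtering. A minimal client-side sketch, hand-building an RFC 1035 A query with the standard library (actually sending it to, e.g., 8.8.8.8 is left as a comment since it needs network access):

```python
import secrets
import struct

def build_dns_query(hostname):
    """Build a minimal DNS A query (RFC 1035). Pointing this at a
    third-party resolver instead of the ISP's filtering resolver is
    the trivial circumvention step the finding describes."""
    txid = secrets.randbits(16)
    # Flags 0x0100 = recursion desired; one question, no other records.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in hostname.split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

query = build_dns_query("example.org")
# To resolve for real (requires network):
#   socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(query, ("8.8.8.8", 53))
```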
-
DNS-based blocking was the dominant EU sanctions enforcement mechanism: 87% of the 125 OONI vantage points implementing blocks chose DNS, and RIPE Atlas measurements found 50% of blocking ISPs return DNS error responses. Coverage dropped with each new sanctions package—45% of vantage points blocked first-round domains versus only 17% for fourth-round additions.
-
EU sanctions enforcement was deeply non-uniform across member states and over time: 77% of blocking autonomous systems enacted enforcement within 3 months of the initial sanctions, but adoption timelines, block-list coverage, and over/under-compliance patterns varied substantially by country and ISP. Austria blocked certain domains months after Germany despite advance specification; domains removed from the German list were eventually de-blocked with significant lag; the newly registered sputnikglobe.com was not widely blocked as of the study's writing.
-
IP-level access control was the most complete and effective sanctions enforcement mechanism—applied at or near the content destination—but was also the least commonly deployed approach. The paper attributes its rarity to the over-blocking risk when multiple services share a single IP address; one observed instance involved DDoS-mitigation providers performing IP-based enforcement that did not appear in DNS measurements.
-
Mirror domains registered by sanctioned Russian outlets (e.g., rtde.site, rtde.xyz, rtde.live, rtde.tech) remained almost universally accessible across EU member states; Table 2 shows near-100% uncensored DNS responses for mirror domains in the vast majority of countries. The EU had no effective mechanism to police domain mirroring in real time, leaving it an unmitigated circumvention strategy throughout the study period.
-
Chivo Wallet posts logs of every in-app event to NewRelic ('log-api.newrelic.com'), including keystrokes — DUI national ID numbers, phone numbers, and passwords — without privacy-policy disclosure. Separately, MiTelcel (76% Mexican mobile market share, 10M+ downloads) leaks users' phone numbers and emails to five distinct third-party servers via the HTTP 'referer' field on every 'Experiencias' tab click.
-
The Chivo Wallet app — the official El Salvador government Bitcoin wallet with 1M+ downloads — uses Microsoft CodePush to check 'codepush.appcenter.ms' for JavaScript/HTML/CSS updates each time it opens, bypassing Google Play Store review entirely. This allows the government of El Salvador to push arbitrary behavioral changes to all users' devices without any app store vetting or user notification.
-
In Latin America, censorship predominantly takes the form of targeted surveillance coupled with physical threats rather than network-level blocking. Mexico saw documented Pegasus infections of journalists and activists between 2019 and 2022, at least 25 private spyware vendors sold surveillance tools to Mexican federal and state police, and at least 119 journalists have been killed in Mexico since 2000. Dynamic analysis of 8 widely-used LATAM apps (combined 100M+ downloads) found security failures across all three assessed categories: cleartext traffic, undisclosed PII exfiltration to third parties, and unvetted external code update mechanisms.

-
MiClaro Colombia sends device latitude and longitude to multiple third-party servers without user disclosure, in violation of its own privacy policy. Among the four Movistar country variants, the Argentina app requests access to all phone-call-related permissions while the Uruguay app requests none — demonstrating that third-party SDK inclusion, background receivers, and dangerous permissions vary substantially by country version of the same ostensibly unified telco app.
-
The SAT Móvil app (Mexico's official tax service, 1M+ downloads) consistently fetches its 'Chat' page over cleartext HTTP, exposing citizen ID numbers (CURP, RFC), passwords, and tax documents to any in-path attacker. None of the four major Latin American telco apps (MiTelcel, MiTigo, MiClaro, MiMovistar) implement HSTS on SMS-delivered external links, making all of them uniformly vulnerable to SSL strip downgrade attacks.
-
Censors employing deep learning can use DTLS connection duration as a precise identifier to classify and block Snowflake traffic. The paper proposes switching PT connections after a variable time limit as a countermeasure to prevent duration-based classification.
-
The authors propose a 'shim' pluggable transport that splits client traffic across N PT connections using unmodified existing PT bridges as proxies and a gateway bridge that correlates streams back into a Tor circuit via the Turbo Tunnel reliability pattern. This architecture enables all existing and future PTs to benefit from traffic splitting without modifying each PT's client or server code individually.
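The shim's splitting-and-reassembly core can be sketched as round-robin dealing of sequence-numbered chunks across N PT connections, with the gateway reordering by sequence number in the spirit of the Turbo Tunnel reliability pattern (chunk size and framing here are invented for illustration):

```python
from itertools import cycle

def split(data, n_paths, chunk=4):
    """Tag each chunk with a sequence number and deal it round-robin
    across n_paths PT connections (one list per connection)."""
    paths = [[] for _ in range(n_paths)]
    rr = cycle(range(n_paths))
    for seq, i in enumerate(range(0, len(data), chunk)):
        paths[next(rr)].append((seq, data[i:i + chunk]))
    return paths

def reassemble(paths):
    """Gateway side: merge frames from all connections, restore order
    by sequence number, and hand one stream to the Tor circuit."""
    frames = sorted(f for p in paths for f in p)
    return b"".join(payload for _, payload in frames)

paths = split(b"hello censored world", n_paths=3)
```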
-
Initial attempts to split Snowflake traffic naively across multiple WebRTC proxies produced either no improvement in performance or a net negative effect. The authors attribute this to the wide variance in proxy network stability and bandwidth and flag it as an open problem requiring more advanced splitting algorithms.
-
Because traffic splitting is not ubiquitous network behavior, split PT traffic may appear anomalous to a censor, allowing them to distinguish normal PT use from split PT use even without classifying the underlying protocol. The authors flag this as a key open risk to be evaluated empirically and note that splitting across multiple bridges or multiple PT types may simultaneously raise and lower different detection signals.
-
When a user splits traffic across N paths, a censor observing a single path sees only a partial trace, substantially reducing the accuracy of classifiers trained on complete network traces. Prior Tor traffic-splitting work (TrafficSliver, CoMPS, multipath Tor studies) has validated this defense against website fingerprinting outside the PT context.
-
China's Great Firewall showed anomalous inconsistency: 13 test vectors produced mixed outcomes—TCP RST injection on some executions and a clean server response on others—with circumvention rates between 10% and 35% across 100 executions per vector. The authors attribute this to heterogeneous GFW infrastructure components applying different HTTP parsing logic, a departure from the GFW's usual consistency.
-
Of 4,488 total HTTP Request Smuggling test vectors, 2,015 (44.9%) were accepted by at least one web server. CL*/TE vectors had a 99.0% acceptance rate (1,103/1,114); TE*/CL had 76.0% (859/1,130); CL/TE* had only 4.7% (53/1,130); and TE/CL* had 0%. Nginx 1.25.2 accepted 1,315 vectors while Apache 2.4.57 accepted only 11, reflecting HRS countermeasures added in Apache 2.4.25 and 2.4.52.
-
HTTP Request Smuggling—a web-security vulnerability that exploits CL/TE header parsing ambiguities between a front-end (censor) and back-end (web server)—can be systematically repurposed as a censorship circumvention technique. By hiding a censored Host in the body of a benign outer request, the censor parses only the uncensored outer request while the destination server processes both, successfully bypassing HTTP censorship in China (19 vectors), Iran (254 vectors), and Russia (all 2,015 vectors) from the evaluated vantage points.
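The hide-the-Host-in-the-body idea can be illustrated with a hand-built probe. This shows only the general Content-Length-based shape, not any of the paper's 4,488 actual vectors (which mutate CL/TE headers in many more ways):

```python
def smuggle(benign_host, censored_host, path="/"):
    """Illustrative CL-based smuggling shape: the censor parses only
    the benign outer request; a destination server that resolves the
    framing ambiguity differently also processes the inner request
    carrying the censored Host."""
    inner = (f"GET {path} HTTP/1.1\r\n"
             f"Host: {censored_host}\r\n\r\n")
    outer = (f"GET / HTTP/1.1\r\n"
             f"Host: {benign_host}\r\n"
             f"Content-Length: {len(inner)}\r\n\r\n")
    return (outer + inner).encode()

probe = smuggle("example.com", "blocked.example")
```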
-
Iran's censor contains an implementation bug: when the Content-Length header carries an invalid (non-integer) value and a Transfer-Encoding header is also present, the censor gracefully skips the invalid CL value and attempts to parse subsequent traffic, but fails to correctly interpret the TE header—causing it to pass the smuggled (censored) request. This bug enabled 254 of 2,015 evaluated test vectors to bypass Iranian censorship, all using the CL*/TE or CL/TE* vector types.
-
Russia's censor (at the Moscow/ASN-50867 vantage point) inspects only the first HTTP packet of the first TCP segment per TCP stream and never analyzes subsequent HTTP requests—whether in the same TCP packet or a later one. This caused all 2,015 accepted test vectors to successfully evade censorship, and the bypass is achievable with standard-compliant HTTP (e.g., whitespace or case variations in header names, which HTTP/1.1 explicitly permits).
-
The root cause of port-shadow vulnerabilities is that connection-tracking frameworks maintain five shared, globally-accessible resources across all VPN clients on the same server. The paper's formal model identifies these as: the conntrack table, the NAT table, the port space, the routing table, and the ARP/neighbor cache. Any of these shared resources can be used as a side-channel. Bounded model checking confirmed that enforcing strict process isolation around all five resources eliminates the attack surface.
-
The "port shadow" exploit abuses five shared, limited resources in Linux conntrack/Netfilter (and analogous frameworks in BSD, Windows) to let an off-path attacker intercept or redirect encrypted VPN traffic, de-anonymize a VPN peer's source IP, or portscan a peer hidden behind a VPN server — all without compromising the VPN's cryptographic layer. Four concrete attacks are demonstrated; formal model checking with bounded model checking verified six process-isolation mitigations that prevent the shared-resource collision.
-
Stateful firewalls used as censorship middleboxes exhibit counter-intuitive implementation behaviors: FW-3 forwards ACK packets before a TCP handshake is initiated, and FW-1 actively spoofs RST packets in response to unsolicited traffic to thwart evasion attempts. These vendor-specific quirks create or close evasion opportunities that are invisible to rule-verification tools and not predictable from policy documentation alone.
-
Evasion attacks generated against one firewall-deployment combination do not transfer well to other settings: a deployment-agnostic approach (used by censorship circumvention tools) fails to generate effective attacks across diverse victim stacks and attacker capabilities. Pryde's deployment-aware, modular workflow finds successful attacks across configurations with and without insider threats, and against multiple attacker success criteria (data delivery vs. victim ACK vs. attacker receipt of ACK).
-
TCP-compliant packet alphabets are insufficient for modeling stateful firewall evasion. Including non-TCP-compliant traffic — specifically flipped-direction SYNs, out-of-window seq/ack numbers, and packets that form a parallel TCP connection in the reverse direction — is what unlocks discovery of deep attack paths. Prior model-inference work (Alembic) that restricted itself to compliant sequences produced models incapable of generating any of the 6,000+ attacks Pryde found.
-
Pryde generates more than 6,000 successful and unique evasion attacks against 4 popular stateful firewalls, which is 2–3 orders of magnitude higher than censorship circumvention algorithms (e.g., Geneva) and black-box fuzzing. The gap arises because circumvention tools only uncover shallow evasion sequences and cannot systematically explore the full attack-state space.
-
China's GFW exhibited unusually inconsistent HTTP censorship behavior: 13 of the evaluated HRS test vectors circumvented the GFW in some executions but not others, with per-vector success rates between 10% and 35% across 100 executions per domain. The authors attribute this to two distinct parts of GFW infrastructure employing different HTTP censorship mechanisms, a departure from the GFW's typical consistency.
-
HTTP request smuggling (HRS) vectors that exploit CL/TE header parsing divergence between a censor-as-middlebox and a destination web server can circumvent HTTP censorship in China, Iran, and Russia. Of 4,488 test vectors derived from prior HRS research, 2,015 (44.9%) were accepted by at least one web server; CL*/TE vectors achieved a 99.0% web-server acceptance rate while TE/CL* vectors achieved 0%.
-
Iran's censor injects an HTTP block page consistently but contains an implementation bug: it fails to parse the TE header when a CL header with an invalid (non-integer) value is present, causing it to pass subsequent traffic. 254 of the evaluated test vectors circumvented Iran's censor; the 'Wrapping' CL*/TE strategy (e.g., 'Content-Length: <len>\u00FF\x0aX: X') was especially effective, exploiting this graceful-degradation fault.
-
The Russian censor at the tested Moscow vantage point (ASN 50867, China Unicom-equivalent private ISP) inspects only the first HTTP packet of the first TCP segment in a TCP stream and never blocks a second HTTP request, whether coalesced in the same TCP packet or sent in a subsequent one. All 2,015 web-server-accepted test vectors evaded Russian censorship, including standard-compliant whitespace-injection vectors (e.g., 'Content-Length\x20: <len>\x20').
-
Web security vulnerabilities whose exploitation depends on parser divergence between two co-located systems are structurally isomorphic to censorship circumvention attacks, where the censor acts as the frontend parser and the destination server as the backend. The authors demonstrated this by directly converting all HRS test vectors from prior security research into circumvention probes with no modification, showing that censorship-circumvention techniques can be systematically constructed from existing vulnerability corpora.
-
TLS-Attacker implements more than 330 cipher suites, including uncommon GOST and SM cipher suites specified by the Russian and Chinese authorities, covering SSL 3.0 through TLS 1.3 as well as DTLS 1.0 and DTLS 1.2. This breadth lets researchers test whether authority-mandated or jurisdiction-specific cipher suite selections alter TLS fingerprint classification by censors in those countries.
-
The TLS-Attacker suite is being extended to cover QUIC and DTLS 1.3 under a universal analysis framework that reuses existing Workflow Trace and Modifiable Variable machinery with only protocol-specific components added. As of 2024 the QUIC dialect is functional, making TLS-Attacker the only open-source tool that can fuzz TLS, DTLS, and QUIC handshakes under a single scriptable API.
-
TLS-Attacker's Workflow Traces and Modifiable Variables mechanisms allow testers to specify arbitrary protocol flows and apply field-level modifications — including adding, removing, or overwriting individual TLS message fields — without breaking the internal TLS state machine. This makes it the standard instrument for probing how DPI systems and active-probing detectors respond to non-standard or mutated TLS handshakes.
-
TLS-Scanner, a subproject of the TLS-Attacker suite, automates handshake probes across deployed TLS hosts and has been used in published IPv4-wide scanning studies. It surfaces supported protocol versions, enabled extensions, and known vulnerabilities, providing a ready-made audit tool for circumvention infrastructure operators.
-
Reusing the same 64-bit client ID across rendezvous attempts caused approximately 3-minute delays in failure scenarios because the SQS queue deletion API can take up to 60 seconds to complete, forcing subsequent attempts to wait for the previous outgoing queue's deletion before a new queue with the same ID can be created. The fix generates a fresh random 64-bit client ID per attempt, eliminating the dependency on prior-attempt cleanup.
-
A single shared bidirectional SQS queue was rejected for Snowflake rendezvous because SQS provides no mechanism to direct messages to a specific consumer — all polling clients would receive all other clients' messages, creating a privacy violation. The adopted design uses one shared incoming queue (broker-read-only) plus per-client temporary outgoing queues identified by randomly generated 64-bit IDs, with the broker periodically deleting queues idle for more than a configurable number of minutes.
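The fresh-64-bit-ID-per-attempt fix described above combines naturally with this per-client-queue design. A sketch of the client side (the queue-name prefix is invented; the real client creates the queue via the AWS SDK):

```python
import secrets

def new_outgoing_queue_name(prefix="snowflake-client"):
    """Generate a fresh random 64-bit client ID per rendezvous attempt.
    Because names never repeat, no attempt ever waits on the slow
    deletion of a previous attempt's queue."""
    client_id = secrets.randbits(64)
    return f"{prefix}-{client_id:016x}", client_id

name, cid = new_outgoing_queue_name()
# The broker reads the shared incoming queue, answers on `name`, and
# periodically deletes outgoing queues idle past a configured threshold.
```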
-
Amazon SQS routes client traffic through a single fixed HTTPS endpoint (https://sqs.us-east-1.amazonaws.com), making it infeasible for a censor to distinguish circumvention-bound SQS traffic from legitimate AWS service traffic; blocking this signaling channel would require blocking all Amazon SQS, imposing significant collateral damage on businesses and developers.
-
AWS credentials distributed publicly to enable client access to the SQS API were flagged by GitHub's automated secret-scanning and AWS Support requested their deletion, even though the credentials carried intentionally limited permissions. The operational workaround adopted — base64-encoding credentials before public distribution — bypasses automated scanning but provides no real security.
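The workaround can be reproduced in a few lines, which also makes plain why it defeats scanners without adding security (the credential values below are placeholders, not real keys):

```python
import base64
import json

def wrap(creds):
    """Base64-wrap credentials before publishing. This hides them from
    pattern-matching secret scanners, but it is mere encoding, not
    encryption: anyone can reverse it."""
    return base64.b64encode(json.dumps(creds).encode()).decode()

def unwrap(blob):
    return json.loads(base64.b64decode(blob))

blob = wrap({"aws_access_key_id": "AKIAEXAMPLE",
             "aws_secret_access_key": "example-secret"})
```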
-
The SQS rendezvous method was deployed in Snowflake v2.9.0 / Tor Browser 13.0.10 (February 2024) and as of 2024-06-22 had served over 14,808 client connections from over 20 countries including Iran, China, the United States, and Russia, while remaining within the AWS Free Tier limit of 1 million requests per month and incurring no monetary cost.
-
Across five popular translation services available in China (Alibaba, Baidu, Tencent, Youdao, and Microsoft Bing), researchers discovered 11,634 unique censorship rules in total. Every service — including the American-operated Bing Translate — implemented automatic censorship that silently omits content, with only Alibaba displaying any notification ('Query csi check not pass') to the user.
-
Alibaba and Bing Translate scan only the user's input text for censorship triggers, not the translation output, while Baidu and Tencent apply the same censorship rules to both input and output. Youdao censors input and output using different rule sets. Because Chinese-language censorship rules dominate all services' blocklists, users translating from a non-Chinese language into Chinese using Alibaba or Bing experience materially less censorship than users of the other services.
-
Among 286 randomly sampled censorship rules across all five services, only one rule targeted erotic content, while the vast majority targeted political dissidents, CCP leaders, Tiananmen Square, Falun Gong, and government criticism. The paper interprets this near-total absence of pornography censorship as evidence that the censors did not anticipate their rules being audited, or are no longer interested in concealing the overtly political agenda of Chinese information control.
-
On Tencent Translate, 15 distinct representations of Xi Jinping's name — including romanizations (xijinping, XiJinping, XIJINPING, xIDaDa, xidada), character variants (习近平, 习大大, 习主席, 习书记, 习总书记, 近平习, 反习大大), and a romanized reversed form (JinpingXi, jinpingxi) — each triggered censorship of the translator's entire output rather than just the offending sentence. Between 4–5% of Tencent's discovered rules were inconsistently enforced, which the paper attributes to load-balanced servers implementing different rule sets or rapid rule churn.
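The enforcement behavior, a single rule hit suppressing the entire output, can be modeled as below (only a subset of the 15 representations is shown, and the real services' rule stores are far larger):

```python
# Subset of the discovered name-variant rules (illustrative).
RULES = {"xijinping", "xidada", "jinpingxi", "习近平", "习大大"}

def censor_translation(text, translation):
    """Model of the observed Tencent behavior: any rule hit anywhere in
    the input suppresses the translator's ENTIRE output, not just the
    offending sentence, with no notification to the user."""
    if any(rule in text.lower() for rule in RULES):
        return ""  # whole output silently dropped
    return translation

out = censor_translation("Thoughts on 习近平's speech", "translated text")
```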
-
Evidence from Youdao Translate suggests it deploys a machine-learning or NLP-based classifier alongside keyword rules: measured rules included repeated components (e.g., 螺+螺+螺+螺+螺+螺+蟢+D+哒+大) and nonsensical multi-token sequences that no human rule author would write, yet which consistently triggered censorship. Youdao returned 9,414 unique rules from the general test set — the most of any service — while also producing the most structurally anomalous rule patterns.
-
The GFW DNS injector vulnerability enabled reflective amplification attacks with a baseline factor of 4.04× (46-byte payload → 186-byte response). Combined with routing loops — approximately 1,000 destination IP addresses in China were found to loop packets across the GFW more than 30 times, with 159 persisting after two days and a maximum of 119 loop iterations per query — the effective amplification factor reached 481.17×, sufficient to generate 100 Gbps of attack traffic from just over 200 Mbps of source traffic.
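The quoted amplification figures are internally consistent; a quick check using the numbers from the finding:

```python
request_bytes, response_bytes = 46, 186          # payload -> injected response
base_amp = response_bytes / request_bytes        # per-injection amplification
max_loops = 119                                  # max observed loop iterations
effective_amp = base_amp * max_loops             # routing loop multiplies it
source_mbps = 100_000 / effective_amp            # Mbps needed for 100 Gbps
```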
-
The GFW patched the out-of-bounds read vulnerability city by city in October–November 2023, proceeding from the regions carrying the least international traffic to the most: CERNET/Beijing before October 26, Guangzhou on October 30, and Shanghai in two distinct phases on October 31 and November 1, with all updates occurring around 11 a.m. CST. Shanghai, which terminates the most international submarine cables, was updated last and in two steps to minimize side effects.
-
The GFW's DNS packet injector (Injector 3, identified by TTL mirroring and zero IP ID) contained an out-of-bounds read vulnerability: due to missing label-length and null-terminator validation, malformed DNS requests caused the injector to copy adjacent stack memory into forged responses. Over three days in October 2023, researchers collected over 1 TB of data containing over 13 billion leaks, ~87.43% with non-duplicate content, including live Internet traffic transiting China's backbone and stack frames of the GFW's packet-handling processes.
-
Automated pattern analysis of 13 billion leaked GFW memory frames found over 52.8 million HTTP/1.x protocol signatures, 984,567 Authorization headers, 1.9 million Cookie headers, 79,090 password-in-URL occurrences, and 59,326 SMTP/IMAP plaintext credential sequences — yielding over 3 million pieces of potentially sensitive data collected at a deliberately limited rate of 5,000 exploit packets per second.
-
Analysis of leaked stack frames confirmed the GFW's packet injector processes run on x86-64 Linux with ASLR and PIE enabled but without stack canaries, implying that buffer overflow vulnerabilities in the GFW may lack effective mitigation. Each injector process was inferred to use exactly four packet-handling threads, identified by up to four unique stack-address groups per return address (each group spanning within the 8 MB default Linux stack size).
-
The automated probe list generation system discovered 45.79 potentially blocked domains per 1,000 domains crawled, compared to 4.11 for FilteredWeb — over 10× higher efficacy. It uncovered 1,490 potentially blocked domains in crawls of just 71,960 URLs, versus 1,255 blocked domains found by Hounsel et al. in crawls of 1,000,000 URLs, with 1,473 of the 1,490 domains not overlapping with prior work.
-
GFW verification tests confirmed over 90% of OONI-detected DNS anomalies as true blocks: 429/457 domains in Beijing and 422/461 in Shanghai. In total, 527 unique domains were confirmed censored via DNS, HTTP, and HTTPS filters; an additional 718 domains were suspected blocked due to IP-address-level blocking of their hosting servers rather than domain-level entries.
-
Only 36.66% of the 139,957 source list URLs (51,313) survived sanitization as live, meaningful pages, with 18,911 URLs removed for lack of content and many more for dead links — underscoring how rapidly manually curated probe lists decay. In Beijing and Shanghai, over 20% of known domains were consistently inaccessible, versus fewer than 4.5% at all other vantage points, and over 68% of known domains remained blocked, suggesting censored topics stay sensitive even as URLs go stale.
-
Among inaccessible URLs that also triggered OONI anomalies, approximately 58% were generated by the Top2Vec-Trends pipeline (combining Top2Vec topic modeling with Google Trends keyword expansion), while LDA-TFIDF and Top2Vec alone each accounted for only 13–14%. BERTopic-generated pages were least effective at producing censored candidates.
-
VPS-based vantage points in Singapore and India detected censorship patterns similar to 'free' locations, failing to observe blocking known to be enforced by local ISPs following government directives. This occurred because ISP-level censorship is implemented per-carrier rather than centrally, and the VPS provider's ISP did not enforce those blocks — confirmed by re-testing from a residential IP that did observe the expected blocks.
-
CenDTect, an unsupervised decision-tree system using iterative parallel DBSCAN, analyzed more than 70 billion Censored Planet data points (January 2019 – December 2022) and discovered 15,360 HTTP(S) censorship event clusters across 192 countries and 1,166 DNS event clusters across 77 countries. Manual validation against 38 known censorship events from news reports confirmed all human-identified events were recoverable from CenDTect's output. The system additionally identified more than 100 ASes in 32 countries with persistent ISP-level blocking and 11 temporary blocking events in 2022 correlated with elections, protests, and armed conflict.
-
CenDTect uses cross-classification accuracy — how well a decision tree trained on one domain's blocking pattern predicts another domain's blocking — as a distance metric to cluster domains that share the same blocking policy. This metric outperforms prior time-series approaches because it is interpretable (the resulting decision tree directly reveals the blocking mechanism: which ISP, which port, which protocol) rather than producing opaque anomaly scores. The approach scales to planetary-measurement volumes without requiring labelled training data.
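The distance metric can be sketched with the simplest possible per-domain model, a set of blocking ASes, standing in for the paper's decision trees (all data below is synthetic):

```python
def fit_rule(blocking):
    """'Train' a one-feature blocking model for a domain: the set of
    vantage ASes where it was observed blocked. (CenDTect fits full
    decision trees; this is the degenerate single-split case.)"""
    return {asn for asn, blocked in blocking.items() if blocked}

def cross_accuracy(model, blocking):
    """How well domain A's model predicts domain B's observations:
    the clustering distance. High accuracy => same blocking policy."""
    hits = sum((asn in model) == blocked for asn, blocked in blocking.items())
    return hits / len(blocking)

a = {"AS100": True, "AS200": True, "AS300": False}
b = {"AS100": True, "AS200": True, "AS300": False}   # same policy as a
c = {"AS100": False, "AS200": False, "AS300": True}  # different policy
acc_same = cross_accuracy(fit_rule(a), b)
acc_diff = cross_accuracy(fit_rule(a), c)
```

Unlike an opaque time-series anomaly score, the fitted model itself is readable: it names exactly which ASes enforce the block.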
-
Separating the Broker role (a server that holds and manages bridge information) from both the rendezvous channel and the censorship evasion system enables modular protocol design: the rendezvous carrier can be swapped independently of the proxy system. The authors identify broker authentication and multi-broker load distribution as open problems not addressed in the current prototype.
-
Google Cloud Pub/Sub is blocked entirely in China, limiting the system's applicability in the highest-censorship environment. Azure Pub/Sub is a structurally weaker candidate for rendezvous channels because each created resource receives a unique per-resource domain, enabling censors to block it with minimal collateral damage compared to blocking a shared Google or AWS endpoint.
-
Using Google Pub/Sub as a rendezvous channel adds 7.17 seconds of bootstrapping overhead vs. a 1.32-second direct baseline when establishing a TorKameleon WebRTC bridge connection (total: 8.49s vs. 1.32s). The dominant bottleneck is subscription creation time (5.23s), not the message exchange itself (3.26s), averaged across 10 samples with 113 ms cross-Atlantic latency.
-
The paper surveys the rendezvous channel design space and identifies at least six prior carrier approaches: domain fronting via CDNs, AMP cache proxying, Amazon SQS queues, push notification services, email tunneling (Mailet, SWEET), and cryptocurrency covert channels (MoneyMorph). Pub/Sub adds bidirectional real-time messaging with broad IoT/enterprise adoption as a new carrier class not previously evaluated for circumvention rendezvous.
-
The system uses a shared Pub/Sub topic for all users, where session IDs (SIDs) are visible to all subscribers on the broker topic. The paper argues this does not compromise user anonymity because SIDs are randomly generated per-session by client-side software with no link to user identity, and all subsequent bridge-info payloads are encrypted under a session-specific symmetric key exchanged via asymmetric encryption.
-
The paper documents that bridge distribution across major circumvention tools (Tor Browser's Moat, Snowflake) relies entirely on domain fronting (meek) for automated, user-friendly bootstrapping. This concentration means a censor that defeats domain fronting — or that pressures CDN providers to stop offering it — removes essentially all automated bridge-discovery pathways simultaneously, leaving only manual out-of-band methods (email/Telegram accounts) that require many user interactions.
-
Raceboat formalizes a decomposition of application-protocol-tunneling channels into three reusable components (Transport, User Model, Encoding) and a channel manager that supports mixing unidirectional channels. By composing seven different channels from these modular components (including email, AWS S3, and Redis variants), the paper demonstrates that the current ad-hoc one-protocol-one-implementation model wastes significant re-implementation effort: the same transport or encoding logic is duplicated across Snowflake, meek, CloudTransport, and others.
-
The paper argues that a greater diversity of signaling channels reduces the censor's leverage: when many independent services (cloud storage, email, push notifications, domain fronting) can each bootstrap a circumvention connection, a censor must block all of them to prevent access, and the collateral damage of blocking each may deter action. Skyhook specifically targets cloud storage as an additional independent pathway alongside existing channels like meek, Raven (email), and PushRSS.
-
Skyhook redesigns the 2014 CloudTransport concept as a signaling channel for bridge/proxy bootstrapping rather than a general-purpose browsing channel. By scoping to two-message exchanges (~1KB per direction, ~1 minute latency tolerance), Skyhook eliminates the requirement for censored users to create paid cloud storage accounts — the key usability barrier in the original design — and uses unilateral permissioning over AWS S3 objects so blocking Skyhook requires blocking all HTTPS traffic to an entire AWS S3 region.
-
CNN-based deep learning reduces obfs4 false positive rate by an order of magnitude versus the best decision tree (FPR 2.9×10⁻³ vs. 3×10⁻²) while maintaining 100% recall, and achieves near-perfect Snowflake data-flow detection (precision 0.95 and F-score 0.97 at base rate λ = 1,000). However, at realistic base rates λ > 10⁶ all CNN classifiers still yield near-zero precision, leaving per-flow deep learning alone insufficient for nation-state-scale deployment.
-
The paper identifies that circumvention systems relying on long-lived, consistent proxy servers are fundamentally vulnerable to host-based temporal detection regardless of per-flow obfuscation quality, and recommends adversarial examples, ephemeral obfuscation servers, and programmable or polymorphic protocols as countermeasures. Snowflake's volunteer-browser proxy architecture—where proxies are ephemeral and addresses are not reused—is highlighted as inherently more resistant to host-based classification than static bridge designs like obfs4.
-
State-of-the-art ML-based obfs4 detection (Wang et al. decision tree) achieves 97% precision at equal base rates (λ=1) but precision collapses to 3% at a still-conservative λ=1,000; at λ=10⁶ precision approaches zero for all classifiers tested. This base-rate failure was previously uncharacterized because prior evaluations only considered balanced or near-balanced datasets.
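The collapse follows directly from the precision formula under class imbalance. A sketch, assuming recall ≈ 1 as reported for the decision tree:

```python
def precision(recall, fpr, base_rate):
    """Precision when negatives outnumber positives by `base_rate` (λ):
    per positive flow there are λ negatives, so expected false
    positives scale as λ * FPR while true positives scale as recall."""
    return recall / (recall + base_rate * fpr)

# Decision-tree obfs4 detector: FPR = 3e-2, recall taken as 1.0.
p_balanced  = precision(1.0, 3e-2, 1)       # ~0.97 at λ = 1
p_skewed    = precision(1.0, 3e-2, 1_000)   # ~0.03 at λ = 1,000
p_realistic = precision(1.0, 3e-2, 10**6)   # vanishingly small
```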
-
Combining a CNN flow classifier with host-based temporal accumulation eliminates all false positive classifications after observing at most 38 flows per host while maintaining perfect recall for all obfs4 and obfs⋆ bridges. The scheme requires only 14 bits of state per (IP, port) pair; tracking 4×10⁹ destination services requires no more than 50 GiB of storage, feasible on commodity hardware.
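The accumulation scheme can be sketched as a saturating per-host counter. The 38-flow figure and 14-bit state budget are taken from the finding; the decision rule below is a simplification of the paper's actual scheme:

```python
from collections import defaultdict

class HostAccumulator:
    """Host-based temporal accumulation: count per-(IP, port) flow
    verdicts from the flow classifier and act only once many flows to
    the same host agree, washing out one-off false positives."""

    def __init__(self, threshold=38):
        self.threshold = threshold
        self.counts = defaultdict(int)

    def observe(self, host, flagged):
        if flagged:
            # Saturate at 2^14 - 1 to stay within 14 bits of state.
            self.counts[host] = min(self.counts[host] + 1, 2**14 - 1)
        return self.counts[host] >= self.threshold

acc = HostAccumulator()
host = ("203.0.113.5", 443)
verdicts = [acc.observe(host, True) for _ in range(38)]
```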
-
obfs4 and obfs⋆ produce characteristic wire patterns—bursts of roughly MTU-sized payloads followed by a randomly-sized chaff packet—that CNN classifiers detect purely from packet-size sequences without payload inspection. A trivial per-bridge entropy-biasing re-encoding (obfs⋆) completely defeats the hand-tuned decision tree (0% precision, 0% recall) but does not reduce CNN detectability, because the CNN generalizes across size-distribution variants.
-
Circumvention tools circulate through word-of-mouth and underground distribution networks rather than official app stores, making the ecosystem opaque and creating a supply-chain attack surface: adversarially-operated tools (including, per prior work, apps linked to the People's Liberation Army) reach users through the same channels as legitimate tools. The survey documents that providers are aware of misbehaving players but lack coordinated mechanisms to flag or exclude them.
-
The first multi-perspective study of the circumvention-tool ecosystem surveyed 12 leading CT providers collectively serving over 100 million users, plus CT users in Russia and China. Beyond technical blocking challenges, the study found that funding constraints, usability problems, misconceptions (users and providers hold inaccurate beliefs about each other's capabilities), and misbehaving players (tools operated by adversarial actors) are equally significant threats to the ecosystem's health — and are largely unaddressed by the academic research community.
-
Obfuscated proxy traffic (including Shadowsocks, VMess, VLESS, Trojan, obfs4, and REALITY) can be reliably fingerprinted by detecting encapsulated TLS handshakes — the inner TLS ClientHello that appears inside an outer encrypted tunnel. This fingerprint is protocol-agnostic: any proxy that wraps TLS-bearing application traffic will produce it. The authors deployed a similarity-based classifier within a mid-size ISP serving over one million users and demonstrated detection with minimal collateral damage.
-
While stream multiplexing reduces the visibility of encapsulated TLS handshakes by merging inner connections, the paper cautions that multiplexing plus random padding alone is "inherently limited" as a long-term countermeasure. Censors can adapt by monitoring burst sizes and round-trip counts at the outer-connection level, which remain correlated with the number of inner TLS sessions regardless of padding.
-
TSPU devices perform in-line packet manipulation — they can inject RST packets, drop traffic, and throttle connections — rather than routing traffic to an out-of-band sniffer that votes to block. The inline placement means TSPU can act on the first-packet payload and impose latency on all matching flows, not only on those selected by sampling. Blocking decisions are therefore applied with high recall at the ISP edge, and circumvention tools that rely on short observation windows (e.g. only obfuscating the first N bytes) are vulnerable to continued inline inspection of subsequent traffic.
-
Russia's TSPU ("Средства противодействия угрозам", roughly "means of countering threats") system is deployed inline at individual ISP edges rather than at centralized internet exchange points, producing substantial per-ISP heterogeneity: some providers apply layer-7 SNI/Host filtering while others rely primarily on IP-prefix blocklists, and QUIC/HTTP3 is blocked at several major providers. Rollout timing and enforcement depth vary measurably across autonomous systems, meaning a single "Russia passes/fails" test fixture systematically underestimates blocking coverage.
-
China's local censorship operates through 'extra-institutional governance' (EIG) — practices that transgress the official identity and authorized means of the CAO system, including outsourced private surveillance, unpaid personnel secondment, and mass reporting via personal accounts — which upper-level offices tolerate but do not formally authorize, preserving plausible deniability when practices are ethically or legally questionable. The paper documents these as widespread implicit norms across China, not isolated to District T.
-
A county-level CAO in east China (District T, ~500,000 residents) operated with only 7 formal employees yet was tasked with monitoring more than 60 social media platforms, detecting unwanted voices in text, image, video, and audio formats, and submitting hourly reports to upper-level offices — a workload the authors characterize as a 'mission impossible' for a county-level office.
-
The District T CAO's 'Cavalry Team' of approximately 100 members used coordinated mass reporting — timing reports within 5–10 minutes of a post appearing, using different IP addresses and devices, and submitting long complaints invoking phrases like 'threatening social stability' — to achieve a documented weekly takedown success rate of 95.01% (286 of 301 targeted posts removed).
-
The District T CAO outsourced surveillance to a commercial SaaS platform ('Public Opinion Assistant') capable of scanning 180 million social media posts per day, processing 20 million posts per minute, and using supervised learning to classify 'negative voices' with performance comparable to human moderators. The platform generates ready-to-submit bureaucratic reports and maintains localized keyword lists that include euphemisms and homophones of censored terms as netizens update evasion strategies.
-
Chinese social media platforms detect and down-weight accounts that over-use the reporting function, reducing their future report credibility. The CAO's counter-response was to recruit 'fresh accounts' from visitors, borrow civilian accounts from seconded staff, and store credentials in an unencrypted Excel file circulated via WeChat — indicating the censor relies on high account turnover rather than persistent infrastructure to maintain reporting effectiveness.
-
DeResistor-generated evasion strategies achieve an overall success rate of up to 98.61% against GFW (across vantage points in Qingdao, Shanghai, and Beijing) for the best strategy, and 100% in both India (Bangalore) and Kazakhstan (Oral) for the top-performing strategy, while standalone Geneva strategies tested in the same environment achieve comparable or slightly lower rates on some censors but are blocked at the IP level before training completes.
-
DeResistor's two-objective fitness function (balancing evasion success and detection probability) reduces flow-level detection rates from 96.27% → 45.06% against China's GFW, 99.50% → 34.93% against India, and 99.50% → 49.22% against Kazakhstan over 5 training generations, while in all cases preventing TRW from reaching an IP-block decision that would terminate training.
-
Geneva packet-manipulation probing traffic exhibits distinctive features — corrupt data-offset fields, smaller packet sizes, overlapping TCP segments, TTL variance, and non-zero SYN packets — that allow simple ML classifiers (Decision Trees, Random Forests, Logistic Regression, SVM) to detect it with AUC > 0.99. A subsequent TRW-based IP-level detector can then block the source IP with high confidence after inspecting only 2 Geneva probing flows.
-
GFW employs layered blocking for high-value targets: DNS poisoning for domains like google.com and wikipedia.org combined with null-routing of their hosting IPs, meaning packet-manipulation tools that operate at the TCP/HTTP layer (e.g., Geneva, DeResistor) cannot generate or test evasion strategies because no response is received to the initial SYN — the blocking occurs below the layer those tools target.
-
Interleaving a single normal benign flow (jump size J=1) after each detected probe prevents the TRW likelihood ratio from converging to the IP-block threshold across all 11 simulated censors and all three real-world censors tested; setting J>1 risks triggering a history-aware TRW reset that can paradoxically accelerate IP-level detection.
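The mechanics of why J=1 works can be shown with a toy threshold random walk (parameters here are illustrative, not the paper's): each flagged flow multiplies a likelihood ratio upward and each benign flow multiplies it downward, so alternating flows keeps the ratio bounded below the block threshold.

```python
# Toy TRW (threshold random walk) sketch with illustrative parameters: each
# flow multiplies a likelihood ratio by p1/p0 if the censor's flow classifier
# flags it, or by (1-p1)/(1-p0) if it looks benign; the source IP is blocked
# when the ratio crosses the threshold.
def trw_blocks(flow_flags, p0=0.2, p1=0.8, threshold=100.0):
    ratio = 1.0
    for flagged in flow_flags:
        ratio *= (p1 / p0) if flagged else ((1 - p1) / (1 - p0))
        if ratio >= threshold:
            return True
    return False

probes_only = [True] * 20
interleaved = [True, False] * 20  # jump size J=1: one benign flow per probe
print(trw_blocks(probes_only), trw_blocks(interleaved))  # True False
```

With these parameters each probe contributes a factor of 4 and each benign flow a factor of 0.25, so the interleaved sequence oscillates without ever converging to the block threshold.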
-
DeTorOS enables provable geographic avoidance for Tor onion services by running a TEE-backed Bento function as a trusted middlebox: both the client and the onion service upload their respective 3-hop circuit halves to this enclave, which computes the never-once or never-twice avoidance proof without revealing either party's circuit to the other.
-
Computing a never-once avoidance proof for a 6-hop onion-service circuit takes an average of 64.85 seconds — incurred once at connection setup — because the system must collect round-trip timing measurements across all six relays before running the geographic proof; SGX execution overhead is nominal, and the paper notes that lower-RTT circuits (more likely to be DeTorOS-compliant) reduce subsequent data-transfer latency.
-
Never-twice provable avoidance succeeds for 72.4% of sampled source-destination pairs on 6-hop onion-service circuits, compared to approximately 98% on the original 3-hop DeTor circuits; the degradation arises because the additional hops increase round-trip time, making it harder to rule out forbidden-region traversal via speed-of-light bounds.
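The underlying speed-of-light bound can be sketched as follows (our simplification of the DeTor-style never-once condition: the coordinates, and the assumption of a 2/3·c fibre propagation speed, are illustrative rather than the paper's values):

```python
# Illustrative never-once check: a circuit provably avoided forbidden region F
# if the measured RTT is smaller than the fastest physically possible round
# trip that detours through F. Distances are great-circle km; propagation
# speed assumed ~2/3 c (a common fibre approximation, not the paper's value).
from math import radians, sin, cos, asin, sqrt

C_FIBRE_KM_S = 2e5  # ~ (2/3) * speed of light in km/s

def haversine_km(a, b):
    (lat1, lon1), (lat2, lon2) = [(radians(p[0]), radians(p[1])) for p in (a, b)]
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def provably_avoided(rtt_s, src, dst, forbidden):
    """True if rtt_s is too small for traffic to have entered `forbidden`."""
    detour_km = haversine_km(src, forbidden) + haversine_km(forbidden, dst)
    min_rtt_via_f = 2 * detour_km / C_FIBRE_KM_S
    return rtt_s < min_rtt_via_f

# Frankfurt -> New York circuit, forbidden point near Beijing (toy example):
print(provably_avoided(0.120, (50.1, 8.7), (40.7, -74.0), (39.9, 116.4)))
```

This also makes the 6-hop degradation intuitive: each extra hop inflates the measured RTT, shrinking the set of circuits whose RTT falls below the detour bound.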
-
DeTorOS's security relies on the honest-but-curious model: if the onion service refuses to participate or lies about its circuit, the client receives no avoidance guarantee. The paper explicitly flags this as an open limitation and notes it cannot be closed without either requiring a TEE on the onion service side or fundamental protocol changes.
-
Tor's built-in country-exclusion mechanism is unreliable: circuits configured to exclude US Tor nodes only actually bypassed the US 12% of the time, motivating provably-avoidant circuit construction.
-
Across all years of the KIO dataset (2016–2021), a large majority of events involved full-network shutdowns and their count grew significantly from 2016 to 2019 with no significant decline observed through 2021. Censors are also increasingly employing app-specific bans and throttling alongside full shutdowns, with all three restriction categories non-mutually exclusive and rising over the period.
-
Using merged IODA and KIO data across 155 countries (Jan 2018–Aug 2021), elections increase the daily probability of an Internet shutdown by a factor of 16, coups by a factor of roughly 300, and protests by a factor of 9. These political mobilization events do not increase the probability of spontaneous outages, providing a discriminating signal between intentional and unintentional disruptions.
-
The merged KIO-IODA dataset (Jan 2018–Aug 2021) documents 219 national-scale Internet shutdowns across 35 countries and 714 spontaneous outages across 150 countries; the 35 shutdown-affected countries collectively represent more than 1 billion estimated Internet users. Myanmar (53 IODA events), Syria (52), and Iraq (38) are the most frequently affected countries in the shutdown dataset.
-
Countries where state-owned providers originate more than 50% of domestic address space show significantly higher shutdown prevalence; this state-ownership factor predicts shutdowns but shows no discernible difference for spontaneous outages. Countries with shutdowns have a median V-Dem liberal democracy score of 0.151 (maximum 0.481), compared to 0.279 for countries with spontaneous outages and 0.465 for countries with neither.
-
Over 55% of government-ordered shutdowns last a multiple of 30 minutes (vs. 15% of spontaneous outages), and 45% last precisely 4.5, 5.5, 8, or 10 hours (vs. <1% of spontaneous outages). The median recurrence interval between successive shutdown events within the same country is 1 day versus 39 days for spontaneous outages, with 67.7% of shutdowns falling exactly on 1-, 2-, 3-, or 4-day intervals versus 0.17% of outages.
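These regularities suggest a simple duration-based heuristic for separating ordered shutdowns from faults; the sketch below scores the three signals from the finding, but the scoring rule and threshold are our own illustration, not the paper's classifier.

```python
# Toy heuristic based on the duration regularities in the finding: durations
# that are exact multiples of 30 minutes, the specific 4.5/5.5/8/10-hour
# durations, and exact 1-4 day recurrence are characteristic of ordered
# shutdowns. Scoring and threshold are illustrative, not from the paper.
def looks_ordered(duration_min, days_since_previous=None):
    score = 0
    if duration_min % 30 == 0:
        score += 1  # >55% of shutdowns vs 15% of spontaneous outages
    if duration_min in (270, 330, 480, 600):  # 4.5, 5.5, 8, 10 hours
        score += 1
    if days_since_previous in (1, 2, 3, 4):  # 67.7% of shutdowns
        score += 1
    return score >= 2

print(looks_ordered(480, days_since_previous=1))  # 8 h, next-day recurrence
print(looks_ordered(473))  # irregular duration, no recurrence signal
```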
-
DNS censorship complexity varies sharply by country: Iran injects static forged IPs exclusively from 10.0.0.0/8 and Turkmenistan uses only 127.0.0.1, making detection trivial, while China's constant fake-IP churn across ASes demands dynamic ML approaches; models trained without country-specific ASN features still perform well, enabling transfer to countries where GFWatch-equivalent infrastructure does not exist.
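For the trivially detectable cases, a static subnet test is all that is needed; a minimal sketch using the injection ranges named in the finding (the example forged IP is a well-known Iranian injection address):

```python
# Static signature check for the easy country patterns in the finding: Iran's
# injector answers from 10.0.0.0/8 and Turkmenistan's from 127.0.0.1, so a
# single subnet membership test exposes them. China's churning fake IPs defeat
# exactly this kind of rule, which is why ML models are needed there.
import ipaddress

SIGNATURES = {
    "IR": [ipaddress.ip_network("10.0.0.0/8")],
    "TM": [ipaddress.ip_network("127.0.0.1/32")],
}

def looks_injected(country, answer_ip):
    addr = ipaddress.ip_address(answer_ip)
    return any(addr in net for net in SIGNATURES.get(country, []))

print(looks_injected("IR", "10.10.34.36"))  # classic Iranian injection IP
print(looks_injected("IR", "93.184.216.34"))  # genuine public address
```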
-
By mapping ML-predicted censored probes back to their DNS response IPs, the authors discovered 748 forged IP addresses used by China's GFW as DNS blocking signatures that OONI's heuristics missed; supervised and unsupervised models also identified several ISP-specific injected IPs absent from even GFWatch's comprehensive signature list, demonstrating that static signature lists substantially undercount active GFW DNS censorship.
-
OONI and Satellite (Censored Planet) agree on roughly 75% of tested Chinese domains as uncensored, but DNS anomaly agreement is poor: each platform flags fewer than 0.5% of domains as anomalous in any given biweekly window, and the two platforms frequently disagree on which domains are censored because China's GFW uses dynamic fake-IP injection that defeats static rule-based heuristics.
-
XGBoost supervised models trained on DNS probe features achieve TPRs of 100% (Satellite) and 99.8% (OONI) at FPRs of 0.0% and 0.2% respectively when using platform-native anomaly labels; cross-source training with GFWatch labels applied to the same records yields 99.4% TPR for Satellite and 86.7% TPR for OONI, with SHAP analysis confirming that ASN and organization name of the returned DNS response IPs are the dominant predictive signal.
-
Unsupervised one-class SVM models trained only on clean (uncensored) records detect GFW DNS censorship with 99.1% TPR at 17.4% FPR on Satellite data; over half of apparent false negatives are truly uncensored probes where the GFW transiently failed to inject a forged response, confirming that GFW DNS injection is not perfectly consistent at the individual probe level.
-
Discop's core algorithm is modality-agnostic and deploys unchanged across text generation (GPT-2, DistilGPT-2, Transformer-XL), image completion (Image GPT), and text-to-speech (Tacotron + WaveRNN), requiring only that both parties share the generative model, PRNG, and seed. The same zero-KLD security proof applies across all modalities.
-
Discop with Huffman-tree recursion achieves entropy utilization of 0.92–0.94 (bits embedded ÷ entropy available) and an embedding capacity of 3.48–5.29 bits/token across nucleus-sampling parameters p=0.80–0.98 with GPT-2, matching or exceeding ADG (0.78–0.84 utilization, 3.07–4.89 bits/token) while maintaining exactly zero KL divergence. Per-bit embedding time is 2.17×10⁻³ to 5.52×10⁻³ seconds, comparable to ADG.
-
Discop achieves provably perfect steganographic security (DKL(Pc‖Ps) = 0) by constructing multiple 'distribution copies' of a generative model's predicted distribution and using the copy index to encode the secret message. Because all copies share identical token probabilities, the stego distribution is exactly equal to the cover distribution and no steganalyzer can perform better than random guessing.
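The copy mechanism can be illustrated for a single bit (a simplified reconstruction of the idea, not the paper's implementation): both parties derive a shared random point on the CDF, the sender rotates it by bit/2 before sampling, and the receiver recovers the bit by checking which rotation explains the observed token.

```python
# Minimal 'distribution copies' sketch (simplified reconstruction, not the
# paper's code): sender and receiver share the token distribution and a PRNG
# seed. Each copy samples the CDF at a rotated point; all copies use the same
# token probabilities, so the output distribution equals the cover distribution.
import random

def cdf_sample(probs, u):
    """Inverse-CDF sampling: token index at point u of the CDF."""
    acc = 0.0
    for i, p in enumerate(probs):
        acc += p
        if u < acc:
            return i
    return len(probs) - 1

def embed_bit(probs, r, bit):
    return cdf_sample(probs, (r + bit / 2) % 1.0)

def extract_bit(probs, r, token):
    t0, t1 = embed_bit(probs, r, 0), embed_bit(probs, r, 1)
    if t0 == t1:
        return None  # copies collide: no bit embedded at this step
    return 0 if token == t0 else 1

probs = [0.5, 0.3, 0.2]  # toy next-token distribution
r = random.Random(42).random()  # shared seed = shared PRNG state
token = embed_bit(probs, r, 1)
print(extract_bit(probs, r, token))
```

When the two copies map to the same token, no bit is carried at that step and both parties skip it; the full scheme recurses over copies to extract close to the distribution's full entropy per token.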
-
All prior provably-secure steganography methods introduce measurable distribution distortion: ADG achieves Max KLD of 4.54×10⁻² to 6.76×10⁻² bits/token, and Meteor with its heuristic sorting reaches Max KLD up to 9.01 bits/token (Table II, GPT-2, p=0.80). These non-zero KL divergences give any statistical steganalyzer a non-negligible distinguishing advantage, violating the security definition even when average divergence appears small.
-
Replacement-based covert channels that substitute genuine media streams with ciphertext (Protozoa replacing WebRTC video, Balboa replacing audio) are immediately detectable when the censor controls or has plaintext access to the protocol gateway — for example, a WebRTC relay that decrypts and validates incoming media. Censors can also systematically suppress these channels by selectively degrading or blocking encrypted traffic for which they have no decryption trapdoor.
-
In a survey of 2,415 young Chinese online gamers, 73.9% (1,786) were affected by addiction prevention systems (APS) while minors, and 37.7% (674) of those successfully evaded the APS. 15 of 35 interview participants also actively evaded the GFW at interview time (verified by Twitter live-post retrieval), supporting the hypothesis that mandatory APS evasion for trivial gaming activities normalizes and desensitizes minors to GFW circumvention.
-
Domestic Chinese search engines (e.g., Baidu) return no valid results for direct VPN or '翻墙' (climb the wall) queries, but 16 of 18 GFW ladders mentioned by participants remained discoverable via Chinese jargon and homonyms (e.g., '蕃蔷' as a homonym for 'climbing the wall'). Word-of-mouth through college friends, gaming forums (Baidu Tieba), and QQ group chats were primary alternative distribution channels.
-
17 of 35 interview participants used game accelerators or GFW ladders interchangeably to connect to international gaming platforms; several popular VPNs bundle game acceleration, and open-source accelerators (e.g., Steam++, rebranded as Watt Toolkit) provide partial GFW-evasion covering GitHub, Google Authenticator, Pixiv, Discord, and Twitch. The paper recommends CRSes market as gaming accelerators to provide plausible deniability, while capping active accounts or rebranding periodically to avoid attracting censor attention as popularity grows.
-
The GFW engages in a continuous IP-blocking race against VPN services: participants reported that when one VPN goes down, others fail simultaneously, and banned services recover 'after a while,' suggesting coordinated blocking waves followed by IP rotation. Major foreign providers (ExpressVPN, NordVPN) now have no mainland China server nodes, rendering them ineffective for Chinese users.
-
Five participants confirmed installing GFW evasion tools exposed them to malware; prior work cited in the paper found >38% of Android apps using the VPN permission contain malware. Participants additionally reported fake gaming platforms that install adware and credential-stealing phishing pages; notably, VirusTotal did not flag any of the fake platform URLs identified by participants, indicating conventional AV tools provide insufficient protection.
-
Achieving active security (FEP-CCFA) requires that on any AEAD decryption failure a fully encrypted protocol silently return the empty string and keep the channel open indefinitely, never emitting a channel-closure signal. Any observable behavioral difference — including connection termination timing — leaks information about ciphertext-boundary locations to an active adversary.
-
Shadowsocks transmits a fixed-size AEAD-encrypted length field followed by the AEAD-encrypted payload with no support for reducing ciphertext size via fragmentation, while Obfs4 permits input-side padding but not output fragmentation. These designs impose distinct minimum output message lengths, allowing a passive adversary to distinguish between them — and identify short-message sessions — based solely on the minimum observed message length.
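The minimum-length floor is simple framing arithmetic (sizes assume the standard Shadowsocks AEAD layout with a 2-byte length field and 16-byte tags, which should be checked against the spec):

```python
# Back-of-envelope wire-length arithmetic for the AEAD framing described in
# the finding. Each Shadowsocks AEAD chunk carries two tags -- one on the
# encrypted length field, one on the payload -- so even a 1-byte payload has
# a fixed, recognisable minimum size on the wire.
TAG = 16        # AEAD tag bytes (assumed standard)
LEN_FIELD = 2   # encrypted payload-length field

def shadowsocks_chunk_len(payload_len):
    # [len field + tag] + [payload + tag]; no fragmentation below this floor
    return (LEN_FIELD + TAG) + (payload_len + TAG)

print(shadowsocks_chunk_len(1))    # minimum observable chunk: 35 bytes
print(shadowsocks_chunk_len(100))  # 134 bytes
```

Because the floor differs across protocols (Obfs4 pads inputs but cannot fragment outputs), the minimum observed message length alone separates protocol families, which is the passive distinguisher the finding describes.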
-
No existing fully encrypted protocol — including Obfs4, Shadowsocks, VMess, and Obfuscated OpenSSH — simultaneously satisfies passive indistinguishability (FEP-CPFA), active-manipulation resistance (FEP-CCFA), and output-length shaping. The paper presents a novel stream-based construction that provably satisfies all three using AEAD-authenticated length blocks, an output buffer supporting arbitrary fragmentation, and a padding mechanism allowing the sender to emit exactly p output bytes on demand.
-
Obfs4's data-transport phase encrypts per-record length fields with an unauthenticated stream cipher. An active adversary can overwrite this field to force a predictable TCP connection termination at a calculable byte offset; the authors experimentally confirmed that Tor-over-Obfs4 connections can be reliably distinguished from other FEPs because client initiation messages have consistent lengths.
-
Censors optimize for utility under asymmetric misclassification costs rather than raw accuracy: false positives (blocking legitimate traffic) carry economic and political costs that make censors conservative about deploying classifiers with high false-positive rates. Multi-flow stateful classifiers — such as the obfs4 Elligator probabilistic distinguisher, which requires correlating observations across multiple connections — are operationally more expensive than single-packet or connection-initiation classifiers, which the author suggests explains why probabilistic multi-flow distinguishers have not been exploited in practice even when theoretically available.
-
Despite fully encrypted protocols existing since obfs2 in 2012, the first documented evidence of the GFW passively detecting them purely by randomness appeared only in 2021 — approximately a decade later — and was limited to certain foreign IP address ranges and a subsampled fraction of traffic. Meanwhile, the GFW had been discovering obfs2/obfs3 servers via active probing as early as 2013, indicating censors found active-probing-based address discovery cheaper and more reliable than passive statistical classifiers for this protocol family.
-
Three independent implementation flaws in obfs4proxy's Elligator encoding made obfs4 public-key representatives passively distinguishable from uniform random bytes: (1) non-canonical square roots allowed a square-then-root test matching 100% of obfs4 outputs but only ~50% of random strings; (2) bit 255 was always zero; (3) only large prime-order subgroup points were encoded. A classifier exploiting these achieves 100% sensitivity (obfs4 never falsely marked as random) at less-than-100% specificity. All three were fixed in obfs4proxy-0.0.12 (December 2021) and 0.0.14 (September 2022).
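Flaw (2) is checkable without any curve arithmetic at all, which shows how cheap the resulting distinguisher is:

```python
# Bit-255 distinguisher for pre-0.0.12 obfs4proxy Elligator representatives:
# the flawed encoder always emitted bit 255 as zero, while a uniform random
# 32-byte string has it set half the time. One bit inspection per handshake;
# a handful of handshakes from one host gives overwhelming evidence.
import os

def bit255_is_zero(representative: bytes) -> bool:
    return (representative[31] & 0x80) == 0

# Pre-fix obfs4 output always passes; random bytes pass ~50% of the time:
random_pass_rate = sum(bit255_is_zero(os.urandom(32)) for _ in range(10_000)) / 10_000
print(round(random_pass_rate, 2))  # ~0.5
```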
-
Shadowsocks 'stream cipher' methods lacked integrity protection on ciphertexts, enabling a decryption oracle: an attacker who can guess as few as 4 bytes of plaintext prefix (5 bytes without controlling a /24) can replay a recorded session with a modified 7-byte target header, causing the server to send the decryption of the entire recorded stream to an attacker-controlled host. This provides an efficient active test for identifying Shadowsocks servers; once identified, a censor can block by IP address.
-
VMess's encrypted command block used a non-keyed hash over variable-length fields in a MAC-then-encrypt construction where the receiver cannot locate the hash without first parsing the protected data, enabling an active distinguishing attack: by replaying an authentic request 16 times with the padding-length field P set to 0000–1111, an attacker observes that a VMess server reads exactly P+N+4 bytes before disconnecting, with max and min byte counts differing by exactly 15 with every intermediate value present. V2Ray mitigated this in v4.23.4 by disconnecting after a timeout rather than after receiving a full command block.
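The prober's decision rule implied by the finding can be sketched as follows (our reconstruction; the instruction length N is illustrative):

```python
# Sketch of the distinguishing check: replay an authentic request 16 times
# with the 4-bit padding field P set to 0..15 and record how many bytes the
# server consumes before disconnecting. A vulnerable VMess server yields 16
# counts whose max and min differ by exactly 15, with every value in between.
def looks_like_vmess(byte_counts):
    if len(byte_counts) != 16:
        return False
    lo, hi = min(byte_counts), max(byte_counts)
    return hi - lo == 15 and set(byte_counts) == set(range(lo, hi + 1))

N = 38  # command-block length (illustrative, not from the paper)
vmess_counts = [p + N + 4 for p in range(16)]  # server reads P + N + 4 bytes
print(looks_like_vmess(vmess_counts))  # True
print(looks_like_vmess([64] * 16))     # constant counts: not VMess
```

V2Ray's timeout-based mitigation breaks exactly this pattern: the read count no longer tracks P, so the 16 measurements stop forming a contiguous 16-value range.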
-
Localhost TCP connections between the pluggable transport, load balancer, and Tor processes exhaust the ephemeral port space because source and destination IP addresses are both 127.0.0.1, leaving only port numbers to distinguish sockets. The mitigation uses distinct addresses across the full 127.0.0.0/8 loopback range combined with a custom orport-srcaddr option that assigns random source addresses from 127.0.1.0/24, expanding available socket four-tuples by a factor of 256.
-
Operating system defaults create two additional scaling ceilings beyond CPU: (1) the default file descriptor limit is insufficient above ~64,000 simultaneous connections, requiring LimitNOFILE=1048576 (1 million) in the systemd service; and (2) Linux's conntrack default of 262,144 tracked connections was approached during peak hours for the Snowflake bridge, necessitating doubling the table to 524,288 via sysctl net.netfilter.nf_conntrack_max.
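The two ceilings translate into a short configuration fragment; the values come from the finding, but the file paths and unit name below are typical choices, not prescribed by the paper.

```shell
# Raise the file-descriptor limit via a systemd drop-in (unit name illustrative),
# e.g. /etc/systemd/system/snowflake-server.service.d/limits.conf:
#   [Service]
#   LimitNOFILE=1048576

# Double the conntrack table (262,144 -> 524,288) and persist the setting:
sysctl -w net.netfilter.nf_conntrack_max=524288
echo 'net.netfilter.nf_conntrack_max=524288' >> /etc/sysctl.d/99-bridge.conf
```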
-
A single Tor process is limited to one CPU core, creating a performance ceiling that manifests at approximately 6,000 simultaneous users and 10 MB/s of Tor bandwidth. The solution is running multiple Tor processes (starting with 4, scaling to 12) sharing the same long-term identity keys, mediated by an HAProxy load balancer, which enabled a Snowflake bridge to scale from 2,000 to ~100,000 simultaneous users between December 2021 and February 2023.
-
Multiple Tor instances initialized with copied identity keys will independently rotate their medium-term onion keys on a 28-day schedule, causing clients with cached older keys to fail circuit construction. The fix is blocking Tor's onion key rotation by pre-creating directories at the filesystem rename targets (secret_onion_key.old, secret_onion_key_ntor.old), which now effectively makes onion keys long-term secrets requiring the same protection as identity keys.
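The rename-target trick amounts to two `mkdir` calls per instance (the keys directory path is illustrative): Tor's rotation renames the old key files to `*.old`, and a directory already occupying that path makes the rename fail, freezing the keys in place.

```shell
# Block onion key rotation by pre-creating directories at the rename targets
# named in the finding. KEYDIR is illustrative; point it at each Tor
# instance's keys directory. Note the frozen keys now need long-term
# protection, like the identity keys they accompany.
KEYDIR=/var/lib/tor/keys
mkdir -p "$KEYDIR/secret_onion_key.old" "$KEYDIR/secret_onion_key_ntor.old"
```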
-
Starting October 1, 2023, the GFW began injecting HTTP 301 and 302 responses to connections destined for 1.1.1.1:80, redirecting clients to China's National Anti-Fraud Center (182.43.124.6, AS58519 China Telecom Cloud). Over 6,169 HTTP requests from a Tencent Cloud Beijing vantage point (AS45090), the GFW injected 301 responses at a 9.06% rate and 302 responses at a 28.5% rate.
-
From September 5–20, 2023, the GFW blocked 1.1.1.1:443 via TCP RST injection; starting October 1, 2023, the mechanism shifted to HTTP packet injection on port 80, while port 443 behavior became inconsistent across ASes — from one AS45090 vantage point, HTTPS connections to 1.1.1.1 still succeeded while other observers confirmed RST injection.
-
Injected GFW packets for 1.1.1.1:80 carry a consistent IP TTL of 251 (matching the real Cloudflare server), IP IDs of 0x99b3 (301 responses) and 0x4c57 (302 responses), and TCP flag patterns of PSH+ACK (301) versus PSH+ACK+FIN (302), providing stable per-injection-type fingerprints observable in packet captures.
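The stable header values make injected packets separable from genuine Cloudflare responses with a lookup table; the sketch below assumes header fields have already been parsed out of a capture (field extraction itself is out of scope here).

```python
# Lookup-table matcher for the per-injection-type fingerprints listed in the
# finding. Input is a dict of already-parsed IP/TCP header fields; extracting
# them from a live pcap is left to a capture library.
FINGERPRINTS = {
    "gfw-301": {"ttl": 251, "ip_id": 0x99B3, "flags": {"PSH", "ACK"}},
    "gfw-302": {"ttl": 251, "ip_id": 0x4C57, "flags": {"PSH", "ACK", "FIN"}},
}

def classify(pkt):
    for name, fp in FINGERPRINTS.items():
        if (pkt["ttl"] == fp["ttl"] and pkt["ip_id"] == fp["ip_id"]
                and set(pkt["flags"]) == fp["flags"]):
            return name
    return None

print(classify({"ttl": 251, "ip_id": 0x4C57, "flags": ["PSH", "ACK", "FIN"]}))
```

The TTL of 251 matching the real server means TTL alone is not discriminating; it is the fixed IP IDs and flag combinations that give the injector away.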
-
The GFW's HTTP injection for 1.1.1.1:80 does not suppress the real Cloudflare response: the legitimate 301 from the actual server arrives after the injected packet, confirming the GFW operates as a race-condition injector rather than a transparent drop-and-replace proxy.
-
Variable bitrate encoding (e.g., the OPUS codec's 6–510 kbps range) in VoIP protocols leaks content properties through packet timing, enabling ML classifiers to distinguish protocol tunnels from real conversations. An audio tunnel without timing shaping was identifiable with auROC 0.981 and aucPR 0.959 by an AutoGluon-Tabular classifier examining 1000-packet flow windows.
-
Voiceover's DCGAN, trained on ~400 hours of two-person telephone conversations, generates conversation timing templates that constrain when the tunnel transmits audio. This reduces ML classifier performance from auROC 0.981/aucPR 0.959 (unshaped baseline) to auROC 0.682/aucPR 0.482, and the improvement holds at 500-packet windows (auROC 0.68/aucPR 0.50), suggesting robustness to memory-limited adversaries.
-
Protocol mimicry that replicates only statistical or syntactic traffic properties is insufficient for unobservability: Houmansadr et al. (2013) showed SkypeMorph was trivially detectable by the absence of Skype control channels, missing login-server communication, and failure to replicate implementation-specific bugs present in real Skype—demonstrating that full behavioral replication, not just traffic shaping, is required to withstand scrutiny.
-
Skype for Web normalizes packet sizes such that Voiceover transmissions and genuine audio conversations produce nearly identical packet size CDFs across Ubuntu 18.04 and Windows 10, across all tested modulation parameters (carrier frequency, sampling frequency, baud rate, frame length). This makes the Skype-based tunnel inherently immune to packet-size fingerprinting without requiring explicit size shaping.
-
Voiceover achieves 31.16 bytes/s goodput with default parameters—roughly half the 62.32 bytes/s of the unshaped baseline—because GAN-imposed silence periods reduce transmission time. Skype's OPUS codec bounds the theoretical ceiling at 750–63,750 bytes/s, so all multimedia tunnels over this path are constrained to low-bandwidth use cases; the authors explicitly position Voiceover as an out-of-band channel for sharing secret keys rather than a general-purpose data path.
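The codec ceiling and the halving are plain unit conversion and arithmetic:

```python
# The OPUS ceiling in the finding is kbps-to-bytes/s conversion: 6-510 kbps
# divided by 8 bits/byte gives 750-63,750 bytes/s; the GAN-shaped tunnel's
# 31.16 bytes/s is exactly half the unshaped baseline's 62.32 bytes/s.
def kbps_to_bytes_per_s(kbps):
    return kbps * 1000 / 8

print(kbps_to_bytes_per_s(6), kbps_to_bytes_per_s(510))  # 750.0 63750.0
print(62.32 / 2)  # 31.16
```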
-
Across 7,336 websites tested in 71 Indian ASes, per-AS blocklist sizes ranged from roughly 3,000 to 7,000 websites, with differences between ISPs as large as 2,000 websites out of the ~8,000 analyzed. Within single ASes, further blocklist variation was observed, suggesting misconfiguration or non-uniform middlebox deployment. Only 6,787 of the 7,336 sites were blocked by at least one AS.
-
Only 10 of 64 measured Indian ASes conduct DNS-based blocking, but Atria Convergence Technologies (AS24309) was found performing DNS injection attacks against public DNS resolvers including Cloudflare, Google, and Quad9 — affecting 8.45% of the roughly 3 million DNS measurements collected using those resolvers. DNS blocking is otherwise concentrated in two large providers (AS24309 with 125,154 confirmed blocks and National Internet Backbone / BSNL with 92,653 confirmed blocks).
-
HTTP-based blocking is the dominant censorship technique across Indian ISPs, observed in 64 of 71 measured ASes. However, the authors note it is largely ineffective because over 90% of web connections now use HTTPS, meaning ISPs cannot inspect the HOST header for the vast majority of traffic — making HTTP blocking easily bypassed by any HTTPS client.
-
CensorWatch found that 2,370 of 3,745 websites covered by a 2018 temporary court injunction (which was withdrawn in early 2019) remained blocked by at least one Indian ISP, indicating ISPs do not routinely update blocklists to implement unblocking orders. Additionally, three ASes (Hathway AS17488, YOU Broadband AS18207, RailTel AS24186) continued to block avaaz.org despite an explicit government unblocking order issued on 18 January 2019.
-
SNI-based blocking is deployed by 16 of 64 measured ASes in India, concentrated heavily among the two largest ISPs: Reliance Jio (189,331 confirmed SNI blocks across 504,400 measurements) and Bharti Airtel Telemedia (158,022 confirmed blocks across 540,425 measurements). Smaller ISPs exhibit only marginal SNI blocking, likely as collateral from traffic peering through larger ISP infrastructure.
-
HTTP/URL/keyword filtering was the most prevalent censorship method both during the measurement period (49% of countries) and historically (69%), despite 82% global HTTPS adoption. The authors attribute this persistence to censors lacking technical sophistication to upgrade, and to uneven HTTPS adoption leaving older methods effective in underserved regions.
-
IP and port blocking dropped from 30% of countries historically to only 9% during the study period (six countries), with the decline attributed to difficulty maintaining ephemeral blocklists, CDN collateral damage, and IPv6 expansion. Iran is a significant exception: it has implemented port allowlisting — permitting only ports 80, 443, and 53 — on multiple occasions, blocking all other ports entirely.
-
Protocol fingerprinting — including DPI-based identification of VPNs, circumvention tools, and E2EE messengers — was active in only 6% of countries during the measurement period (13% all-time), but all confirmed instances came from focused individual studies, not from mass measurement platforms like OONI or Censored Planet. The authors flag encrypted traffic analysis (ETA) tools and next-generation firewalls (NGFWs) capable of blocking Signal or Tor Browser as an emerging threat to freedom of expression.
-
Residual censorship — where a censor detects an objectionable connection via one method and then blocks all traffic between the same 3-tuple (client IP + server IP + port) or 4-tuple (client IP + port + server IP + port) for a short duration — was documented in China, Iran, and Kazakhstan. This means a single detected circumvention attempt can trigger temporary IP-level blocking of the entire endpoint regardless of protocol.
-
TLS-based filtering (SNI blocking) was active in 41% of 70 surveyed countries during the June 2020–May 2021 measurement period and 44% historically, driven by the 82% global HTTPS adoption rate (Mozilla telemetry, Oct 2021). China took the unprecedented step of blocking ESNI traffic entirely, and the authors note that widespread ECH deployment could render this entire censorship category obsolete.
-
The GFW's SNI inspection is a stateless single-record parser: it cannot detect the SNI extension when the ClientHello is split across multiple TLS records, even when all records are contained within the same TCP segment. In contrast, the GFW does detect SNI when it appears fully within the first TCP segment despite TCP fragmentation, indicating the reassembly gap is specific to the TLS record layer.
-
TCP fragmentation before the SNI extension circumvents the GFW, but TCP fragmentation placing the SNI in the first TCP segment does not. The paper notes the GFW is showing 'the first signs of successfully handling TCP fragmentation,' indicating active hardening of TCP-layer circumvention that makes TLS-layer techniques increasingly necessary.
-
TLS record fragmentation is implementable entirely in userspace at the application layer and requires no elevated privileges, unlike TCP segmentation which requires raw socket access. The authors' DPYProxy tool demonstrates a MITM approach that wraps TLS messages into smaller records before transmission without breaking the TLS handshake, since TLS records are unprotected during the handshake phase.
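The record-layer re-framing is simple enough to sketch in a few lines of Python. This is an illustrative reconstruction of the technique, not DPYProxy's actual code; the function name and chunk size are hypothetical:

```python
import struct

def fragment_tls_record(record: bytes, frag_size: int) -> bytes:
    """Re-frame one TLS record as several smaller records.

    Handshake records are unprotected, so splitting the ClientHello's
    payload across multiple records does not break the handshake, but it
    defeats a censor whose SNI parser only examines a single record.
    """
    content_type, version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    out = b""
    for i in range(0, len(payload), frag_size):
        chunk = payload[i:i + frag_size]
        out += struct.pack("!BHH", content_type, version, len(chunk)) + chunk
    return out

# Toy handshake record: type 0x16, legacy version 0x0301, 32-byte payload
payload = bytes(range(32))
record = struct.pack("!BHH", 0x16, 0x0301, len(payload)) + payload
fragged = fragment_tls_record(record, 8)
assert len(fragged) == 4 * (5 + 8)   # four records, 5-byte header each
assert fragged[5:13] == payload[:8]  # payload bytes preserved in order
```

Because the payload bytes are unchanged and only the framing differs, the server reassembles the handshake transparently — which is why no server-side changes are needed.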
-
96.21% of CitizenLab-tracked censored domains (1,092 of 1,135 scanned) and 92.36% of Tranco Top 1M domains (766,909 of 830,357 scanned) already support TLS record fragmentation, with support exceeding 90% across all Tranco rank ranges. This broad server-side compatibility makes TLS record fragmentation deployable without any server-side changes.
-
TLS record fragmentation successfully circumvents the GFW in all tested configurations: splitting the ClientHello across multiple TLS records — whether the split falls before or after the SNI extension — bypasses GFW SNI-based blocking in every case (Table 1). TCP fragmentation after the SNI extension fails, but any TLS-layer fragmentation succeeds.
-
In Brunei, censorship is confined to AS10094, which serves approximately 70% of the country's Internet users. The censor injects RST packets bearing a distinctive fingerprint — the censored query's IP ID field — in response to HTTP requests containing censored Host headers, and censors on all ports without residual censorship. A SYN followed immediately by a PSH+ACK with a censored payload is sufficient to trigger blocking without a completed TCP handshake.
-
Censoring middleboxes' TCP non-compliance — specifically, their willingness to censor bidirectionally without completing the three-way handshake — enables external vantage points outside a censoring country to trigger and measure censorship without any local endpoint participation. The approach requires only a confirmed censored domain per AS, evidence of bidirectional censorship, and minimal residual censorship.
-
Geneva — originally designed to evolve censorship-evasion packet sequences — was repurposed by inverting its fitness function to discover censorship-triggering packet sequences instead. Training against non-responsive IP addresses allows Geneva to attribute all responses to middleboxes, enabling fully automated discovery of triggering strategies without any endpoint cooperation.
-
The endpoint-free methodology fails when bidirectional censorship is absent or when residual censorship is pervasive: experiments in Burundi, Equatorial Guinea, Myanmar, and Kyrgyzstan could not confirm bidirectional censorship, rendering automated triggering-and-measurement inapplicable. Residual censorship causes false positives by making innocuous domains appear blocked following a censored query.
-
Tajikistan routes virtually all national egress and ingress traffic through a single state-run AS (AS51346, Tojiktelecom) under a 2016 national decree, creating a centralized chokepoint. The censor injects RST+ACK packets with a unique 22-byte all-zero payload, censors on all ports, and requires two PSH+ACK packets containing the censored content before injecting — possibly modeling typical multi-resource HTTP browsing behavior.
-
Using Geneva (genetic algorithm censorship evasion), five new evasion strategies were discovered that defeat Turkmenistan's censorship at both transport and application layers across DNS, HTTP, and HTTPS. The strategies exploit Turkmenistan's use of a commercial DPI box ("Golden DPI" by Qurium) and can be applied server-side without requiring changes to censored users' client software.
-
The paper introduces TMC, a remote measurement tool that infers domain-blocking status across DNS, HTTP, and HTTPS without requiring in-country vantage points — crucial for a country of 6 million people with only 38% Internet penetration. TMC enabled the largest Turkmenistan censorship measurement to date by exploiting middlebox reflection properties observable from outside the country.
-
The largest measurement study of Turkmenistan censorship to date tested 15.5 million domains and found more than 122,000 domains censored using separate blocklists for DNS, HTTP, and HTTPS. Reverse-engineering the blocking rules revealed approximately 6,000 over-blocking rules that cause incidental filtering of more than 5.4 million additional domains — a 44x collateral damage ratio relative to intentionally blocked domains.
-
AS201776 (Miranda-Media Ltd) is responsible for the largest volume of Russian transit censorship by destination IP count, affecting approximately 16,000 IP addresses in Ukraine from US and Sydney vantage points. AS3216 (PJSC Vimpelcom) has the widest geographic reach—delivering blockpages for traffic destined to 8 countries—but impacts no more than 1,000 IP addresses per country from any single vantage point.
-
The authors' blockpage-based methodology cannot detect transit censorship implemented via TCP RST injection or packet drops, because distinguishing these from transient network errors requires identifying their location on the routing path. As a result, the 8-country, 6-AS finding is explicitly characterized as a lower bound on the true extent of Russian transit censorship.
-
Scanning the IP address spaces of 18 countries surrounding Russia, the authors identify Russian transit censorship affecting at least 8 countries (Afghanistan, Azerbaijan, Kyrgyzstan, Kazakhstan, Lithuania, South Korea, Tajikistan, and Ukraine), attributable to at least 6 Russian ASes. Only 2 of these 8 countries (Kyrgyzstan and Kazakhstan) had been reported in prior work, and the collateral damage is characterized as a lower bound due to the study's blockpage-only methodology.
-
The study's three vantage points (US university, AWS Sydney, AWS Tokyo) produce substantially different transit censorship observations: the US vantage point detects blockpages in all 8 affected countries, while Sydney and Tokyo detect transit censorship only in Kazakhstan and Ukraine. This variance is attributed to routing path differences across vantage points, confirming that transit censorship coverage is highly path-dependent.
-
AS60299 (Mezhdugorodnyaya Mezhdunarodnaya Telefonnaya Stanciya Ltd) and AS201776 (Miranda-Media Ltd) deploy commercial DPI technology manufactured by Russian company VAS Experts to perform transit censorship. Ukraine is subject to transit censorship by the most Russian ASes (at least 5: AS3216, AS25227, AS35816, AS47203, AS201776), likely due to post-2022 re-routing of Ukrainian Internet traffic through Russian telecommunications infrastructure.
-
Censored Planet measurements of psiphon.ca in AS6697 (Belarus) around the August 2020 Internet shutdown showed that Psiphon was initially blocked via connection timeouts during the shutdown itself, and then—several weeks after the shutdown ended—the censorship mechanism shifted to TCP RST injection. Outcome-typed measurement data made this two-phase mechanism change immediately visible without re-collecting any raw data.
-
During the Belarus Internet shutdown of August 9, 2020, Censored Planet Echo measurements showed an increase of two orders of magnitude in test measurements failing at the TCP connection stage on the first day of the shutdown, alongside an order of magnitude increase in failed control measurements on the same day. Without comparing test measurements against control measurements that are expected to succeed regardless of content, these failures are indistinguishable from targeted website-level censorship.
-
In Censored Planet DNS measurements of 75 .gov and .mil domains on April 11, 2021, only 36.06% of measurements from China resolved correctly. Of the failures, 19.06% returned SERVFAIL codes caused by US-based nameservers geoblocking Chinese recursive resolvers—server-side access control, not GFW censorship—causing prior studies that did not account for geoblocking to systematically over-estimate DNS blocking in China.
-
The Censored Planet data analysis pipeline matched more than 60.89% of all HTTP-response data across four years of measurements to either a known blockpage fingerprint or a confirmed non-censorship fingerprint. Over 60 million individual measurements were specifically classified as expected Akamai CDN behavior—responses that previous work had routinely misclassified as censorship because Akamai's edge configuration returns connection timeouts or HTTP 301 redirects when the test domain and vantage-point server are both Akamai-hosted.
-
Previous work reported that Myanmar ISPs selectively applied DNS blocking versus TCP/IP blocking, but analysis of the underlying data revealed they applied both concurrently. The apparent difference arose because some OONI volunteers bypassed DNS tampering by using public DNS resolvers (Cloudflare, Google Public DNS) and subsequently experienced IP-level blocking instead, making measurements appear selective when they were not.
-
Manual analysis of 700+ unique packet groupings from possibly tampered connections yielded 19 high-confidence tampering signatures — up from 6 in prior work — covering 86.9% of all possibly tampered connections. Post-SYN signatures account for 43.2% of possibly tampered connections (99.5% matching a known signature), post-ACK for 16.1% (98.7%), and post-first-data-packet (PSH+ACK) for 5.3% (97.9%), with 19 signatures described as flag-sequence patterns of the form ⟨X→Y⟩ in Table 1.
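The ⟨X→Y⟩ signature form can be read as a lookup table keyed on the client's flag sequence and the injected packet. The entries below are a hypothetical subset — not the paper's actual 19 signatures — shown only to illustrate the matching scheme:

```python
# Hypothetical subset of a flag-sequence signature table; each key is
# (client packets observed so far, injected packet flags), i.e. <X -> Y>.
SIGNATURES = {
    (("SYN",), "RST"): "post-SYN",
    (("SYN",), "RST+ACK"): "post-SYN",
    (("SYN", "ACK"), "RST"): "post-handshake",
    (("SYN", "ACK"), "RST+ACK"): "post-handshake",
    (("SYN", "ACK", "PSH+ACK"), "RST"): "post-first-data",
}

def classify(client_flags: tuple, injected: str) -> str:
    """Map an observed flag sequence to a tampering stage, or 'unmatched'."""
    return SIGNATURES.get((client_flags, injected), "unmatched")

assert classify(("SYN", "ACK"), "RST") == "post-handshake"
assert classify(("SYN",), "FIN") == "unmatched"
```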
-
Sampling 1-in-10,000 TCP connections at Cloudflare's 285+ PoPs (serving ~17–20% of the Internet's websites, handling 45M HTTP requests/second at average load) over two weeks in January 2023 revealed that 25.7% of all sampled connections were 'possibly tampered.' The passive technique requires no vantage points inside censored networks, covering cellular, enterprise, and low-penetration-country networks that active measurement cannot reach.
-
Post-handshake tampering signatures (⟨SYN;ACK→RST⟩ and ⟨SYN;ACK→RST+ACK⟩) constitute 34.4% of tampered connections from Iranian networks, but over 70% from Sri Lanka networks and over 81% from Turkmenistan networks, suggesting that censors in the latter two countries disproportionately block at the IP/TCP-handshake level before any application-layer content is visible — consistent with IP-list-based blocking rather than SNI-based DPI.
-
Censoring middleboxes predominantly use RST injection rather than in-path packet dropping because injecting forged RST/RST+ACK packets does not require the middlebox to sit in the data path — off-path copies of packets suffice. The GFW specifically injects both RST and RST+ACK packets simultaneously after an offending PSH, a known idiosyncratic signature, while Iran's censor uses post-handshake RST injection (⟨SYN;ACK→RST⟩) and packet drops at the same stage.
-
Passive measurement of real user connections demonstrates that published active-measurement test lists (Citizen Lab, Herdict, GreatFire, Berkman Klein, and top-K lists) miss a considerable fraction of domains that are actively being tampered with, as confirmed in §5.5. Because passive measurement is driven by real user requests rather than an a priori domain list, it can discover blocked domains that were never included in any test list and has no dependency on volunteers providing ground truth.
-
Following the invasion, Psiphon user counts and VPN usage in Russia increased many-fold and correlated with specific censorship events, while multiple access paths to Tor (direct connections, bridges, pluggable transports) were progressively blocked. Despite this surge, circumvention tools reached only a small fraction of all Russian Internet users, indicating that aggressive multi-vector blocking and lack of user awareness left most people unable to access censored resources.
-
Of the Tranco top-10K domains, 286 (3.26%) returned geoblocking signatures for all Russian vantage points in May 2022, with CDN-mediated blocking dominant: 87 domains via Cloudflare and 57 via Akamai. DNS-level geoblocking alone affected 68 domains, and 29 domains implemented both DNS and TCP geoblocking simultaneously, rendering public-resolver circumvention of DNS blocks ineffective for those targets.
-
On March 28, 2022, Russian ISP RTComm (AS8342) hijacked Twitter's IPv4 prefix 104.244.42.0/24 for approximately 45 minutes (12:05–12:50 UTC) and announced it to the global Internet as a blocking measure. The hijack was blunted because Twitter had preemptively registered RPKI route origin authorizations (ROAs) for its prefixes, causing RPKI-validating ASes worldwide to reject the hijacked route.
-
OONI data shows anomaly rates in Russia's top five ASes (including Rostelecom AS12389, Vimpelcom AS8402) rose from roughly 7–11% in January and early February 2022 to 12–21% in mid-March 2022, with social-media and news domains such as Facebook, Twitter, Instagram, and BBC going from available to near-completely blocked after the invasion.
-
136 Russian government domains (25.09% of 542 accessible ones) blocked access to all tested countries outside Russia, and a further 112 (20.66%) were accessible only from Russian and Kazakhstani vantage points. Geoblocking was implemented via heterogeneous, uncoordinated mechanisms—DNS timeouts, TCP timeouts, HTTP 403 Forbidden responses, and explicit blockpages—across different domains, indicating an ad hoc emergency response with no central policy.
-
At 64 bps FSK encoding over cellular voice, Dolphin achieves a bit error rate below 2% across all tested data sizes (100–5000 bytes), cellular providers, and geographic distances up to ~3600 miles. Rates of 128 bps and above cause BER to jump to 5–22%, making transmission too unreliable for practical use.
-
A 280-character tweet via Dolphin takes under 1 minute end-to-end; a 500-character email takes approximately 2.7 minutes (∼1 minute for ECDH secure-channel setup plus ∼1.7 minutes for data transmission). Performance was confirmed during a real Internet shutdown in Delhi, India, where a 300-character email transferred reliably in about 1 minute.
-
FSK-encoded Dolphin audio is distinguishable from normal human speech via offline amplitude analysis: Dolphin's mean signal amplitude is 0.4 (std 224) versus 205 (std 1590) for natural speech — approximately an order of magnitude lower — enabling classification by a telecom operator who records calls. The paper also notes that standard CRC checksums appearing periodically every chunk provide a unique detectable signature if the adversary attempts to decode the audio.
-
Documented Internet shutdown events grew from 75 in 2016 to 213 in 2019 across 33 countries, with individual shutdowns lasting from hours to 472 days (Chad). These shutdowns completely sever IP connectivity, rendering all existing circumvention tools (Tor, VPNs, Shadowsocks, etc.) non-functional since they require at least partial Internet access to operate.
-
An adversary introducing audio perturbations every 2.5 seconds (sufficient to corrupt each 20-byte chunk at 64 bps) degrades PESQ call quality to 1.6, below the 2.0 'unusable' threshold, making the attack self-defeating. However, targeting only acknowledgment windows (every ~12.5 s under Dolphin's default batch-of-5 configuration) achieves PESQ 3.6 — acceptable to human callers — while fully disrupting Dolphin data transfer.
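The two perturbation intervals follow directly from Dolphin's framing parameters:

```python
BITS_PER_BYTE = 8
RATE_BPS = 64      # Dolphin's reliable FSK encoding rate
CHUNK_BYTES = 20   # bytes per data chunk
BATCH = 5          # chunks per acknowledgment window (default config)

chunk_seconds = CHUNK_BYTES * BITS_PER_BYTE / RATE_BPS
ack_window_seconds = BATCH * chunk_seconds

# Corrupting every chunk requires a perturbation every 2.5 s (driving
# PESQ to 1.6, unusable); hitting only acknowledgment windows requires
# one every 12.5 s (PESQ 3.6, tolerable to human callers).
assert chunk_seconds == 2.5
assert ack_window_seconds == 12.5
```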
-
In China, it is typically the publisher (not the government) who self-censors translated books to avoid punishment including harsh scrutiny of future publications, book confiscation, and suspension of publishing rights. Authors are often unaware their translations were altered until well after publication. This self-censorship dynamic produces more restrictive outcomes than direct government censorship because publishers err on the side of caution without clear rules.
-
A case study on Chapter 5 of Chinese Literature: A Very Short Introduction (Knight) found 7 censored topics, 5 removed paragraphs, 31 removed sentences, and 2 removed/altered words in the Chinese translation. Censored topics included 2000 Nobel laureate Gao Xingjian, the Tiananmen Square Massacre, Mao Zedong, the Cultural Revolution, the Great Leap Forward, the plasma economy scandal in Henan, and a discussion of book censorship itself.
-
ChatGPT correctly identified missing sentences in a partially censored translation and correctly judged a complete translation as complete in a control condition, demonstrating that LLMs are a viable complementary detection method. The paper notes that having multiple independent detection approaches (NLP alignment, bitext mining, LLM-based reasoning) improves overall robustness by enabling cross-validation.
-
The paper proposes detecting translation censorship by back-translating the Chinese text to English via Google Translate, embedding each paragraph with distiluse-base-multilingual-cased-v1, and solving a linear-sum-assignment bipartite matching weighted by negated cosine similarity. Paragraphs below a similarity threshold are flagged as cut; matched paragraphs are recursively compared at sentence level to detect alterations.
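The matching step can be sketched with SciPy's assignment solver. The paper's pipeline embeds paragraphs with distiluse-base-multilingual-cased-v1; the toy 2-D vectors and threshold value below are stand-ins for illustration only:

```python
import numpy as np
from scipy.optimize import linear_sum_assignment

def align_paragraphs(orig_emb, back_emb, threshold=0.5):
    """Bipartite matching of original paragraphs to back-translated ones.

    Cost is negated cosine similarity, so linear_sum_assignment maximizes
    total similarity; matched pairs below `threshold` are flagged as
    likely cut or heavily altered.
    """
    a = orig_emb / np.linalg.norm(orig_emb, axis=1, keepdims=True)
    b = back_emb / np.linalg.norm(back_emb, axis=1, keepdims=True)
    sim = a @ b.T
    rows, cols = linear_sum_assignment(-sim)  # minimize -sim = maximize sim
    flagged = [int(r) for r, c in zip(rows, cols) if sim[r, c] < threshold]
    return list(zip(rows.tolist(), cols.tolist())), flagged

# Toy "embeddings": original paragraph 1 has no close counterpart in the
# back-translation, so it should be flagged as likely censored.
orig = np.array([[1.0, 0.0], [0.0, 1.0], [0.7, 0.7]])
back = np.array([[0.0, 1.0], [1.0, 0.0], [-1.0, 0.0]])
pairs, flagged = align_paragraphs(orig, back)
assert flagged == [1]
```

In the full pipeline, paragraphs flagged here would then be recursively re-compared at sentence level to distinguish wholesale cuts from in-place alterations.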
-
The paper argues that an effective counter to translation censorship is to actively trigger the Streisand effect: publishing detected censored content side-by-side with the original on a public website causes the censored text to reach a broader audience — including people who would not have read the censored version — and makes the censorship itself backfire. Censors deliberately avoid publicizing removals precisely to prevent this outcome.
-
The proposed crowdsourced system runs multiple isolated Geneva training pools on a controlled server — one pool per censorship system (initially China and Iran) — and instructs volunteer browsers via JavaScript to send forbidden requests to isolated ports, with no download or software installation required from the user. The server monitors per-strategy success or failure to drive genetic evolution entirely from the server side.
-
Browsers cannot independently set the HTTP Host header or TLS SNI field, blocking the standard censorship-trigger methods used in Geneva training. The paper proposes two workarounds: (1) keyword-based HTTP censorship triggers using forbidden strings in URL parameters, limited to censors that employ keyword filtering; and (2) registering domains that contain a censored substring, exploiting censors' overbroad regular expressions (e.g., a loose regex targeting torproject.org also matches mentorproject.org, so registering the latter yields a controllable censored domain).
-
The system is designed to protect crowdsourced volunteer privacy by storing only AS-level granularity alongside randomized short-lived client identifiers, explicitly discarding source IP addresses and any browser-identifying information. AS-level resolution is sufficient for server-side evasion because strategies are evolved per-censor-ASN rather than per-user.
-
Server-side censorship evasion strategies require zero client-side changes: clients bypass censorship without installing software or even being aware of the evasion, and this approach has been adopted in production tools including Psiphon's packetman. The packet manipulations exploit weaknesses in how censors track or tear down TCP connections, occurring entirely at the server during the three-way handshake.
-
All existing automated server-side strategy discovery tools — Geneva, Alembic, and SymTCP — require researcher control of a client during training, even when the discovered strategies are deployed exclusively server-side. This dependency makes it infeasible to train against censors in networks where researchers cannot place a controlled machine.
-
Relying on third-party email providers to verify users was demonstrated by Ling et al. to leave Tor's BridgeDB vulnerable to censors capable of creating multiple accounts, enabling bridge enumeration via sock-puppet attacks at scale. Active and passive detection techniques — including traffic flow analysis, DPI, website fingerprinting, and active probing — have been demonstrated in prior work to reveal Tor bridges, making Tor inaccessible for the majority of users in some regions.
-
The Lox check-blockage protocol response size and time grow linearly with the number of blocked bridges — 6 kB / 11 ms at 5% blocked, 63 kB / 64 ms at 50%, and 126 kB / 122.5 ms at 100% — creating a bandwidth bottleneck a strategic and patient censor can exploit by triggering mass bridge blockages during a critical event (election, coup) to deny successful blockage migrations at the moment users most need them.
-
In a Rust implementation evaluated over 10,000 runs with 3,600 bridges (1,800 open-entry single-bridge buckets and 600 hot-spare three-bridge buckets), Lox's trust promotion protocol incurs the highest latency at 364.2 ms response time and 378 kB response size due to the encrypted migration hashtable, but this operation occurs only once per user. All other protocols complete in under 16 ms with request sizes under 3.4 kB.
-
Lox's trust level scheme (L=0 through L=4, requiring 30, 14, 28, 56, and 84 days respectively per level before upgrading, per Table 2) with blockage inheritance — invited users inherit their inviter's blockage count d — prevents a censor from resetting their reputation through self-invitation after causing blocking events, while users with d ≥ 4 become ineligible to migrate, capping the damage a persistent infiltrator can do.
-
Lox uses Chase et al.'s keyed-verification algebraic MAC anonymous credentials in a single-issuer/verifier setting with jointly-chosen credential IDs (neither party can unilaterally select them), so a fully compromised Lox Authority cannot link credential showings to specific users or reconstruct the social graph — the LA learns only that a shown credential was authentically issued.
-
Proteus does not yet implement normalized or randomized error responses, and the authors explicitly flag this as a known gap: without configurable error handling, the protocol may be identifiable by an active prober who can distinguish the proxy's error behavior from that of the legitimate service being mimicked.
-
The GFW detects Shadowsocks by flagging apparently high-entropy connections that are not TLS or HTTP, but this detection is brittle: connections are explicitly allowed if the first 6 bytes of the first packet of a flow are all printable ASCII characters (range 0x20–0x7E). Adding a 6-byte alphanumeric preamble to the Shadowsocks message definition is sufficient to bypass this heuristic and requires only a short patch to the protocol specification file.
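A minimal sketch of the exemption check and the corresponding patch — the preamble value and function names here are illustrative, not the actual Shadowsocks specification change:

```python
PREAMBLE = b"ss2022"   # any six printable/alphanumeric bytes would do

def gfw_printable_exemption(pkt: bytes) -> bool:
    """The inferred allow rule: pass the flow if the first six bytes of
    the first payload are all printable ASCII (0x20-0x7e)."""
    return len(pkt) >= 6 and all(0x20 <= b <= 0x7E for b in pkt[:6])

def add_preamble(ciphertext: bytes) -> bytes:
    # Prefixing a fixed alphanumeric preamble makes the otherwise
    # high-entropy Shadowsocks payload match the exemption.
    return PREAMBLE + ciphertext

cipher = bytes(range(0x80, 0xC0))   # stand-in for high-entropy ciphertext
assert not gfw_printable_exemption(cipher)
assert gfw_printable_exemption(add_preamble(cipher))
```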
-
Marionette, the prior programmable protocol system, executes user-specified plugin code in a generic Python runtime, making proxies and clients vulnerable to a malicious or buggy protocol distributor and creating a single point of failure in distributed networks like Tor. Marionette also lacks support for multiple simultaneous protocols and version upgrades, limiting its ability to respond to changing censorship rules across heterogeneous client populations.
-
A complete Noise NK handshake protocol — including Curve25519 ECDH key exchange with server authentication, HMAC-based key chaining, and ChaCha20-Poly1305 AEAD-encrypted data phase — was expressible in Proteus in less than 4 hours, demonstrating that a safety-bounded DSL with built-in crypto primitives and declarative message-format definitions is sufficient to prototype complex cryptographic transport protocols rapidly.
-
Proteus supports simultaneous execution of multiple Protocol Specification Files (PSFs) on a single server, selecting the correct protocol version by running all candidates in parallel on a shared read buffer and eliminating candidates as they fail to parse client messages. This enables servers to support legacy clients while deploying new evasion protocols, and to serve clients in different censorship regimes with localized protocol variants, without requiring synchronous client/server upgrades.
-
Combining all three active probing attacks in an Internet-wide scan of 30 million HTTPS servers identified approximately 15,000 hosts (0.05%) behaving like ShadowTLS relays; of these only 6,000 presented TLS certificates for Alexa Top 1000 domains. The scan successfully discovered all four researcher-operated ShadowTLS relays planted as ground truth.
-
The root vulnerability in ShadowTLS is that the relay cannot authenticate post-handshake data from the real mask site, causing it to silently absorb censor probes. The fix — deployed in ShadowTLS v0.2.3 — has the client re-derive the Application Data encryption key from the server random and the client-relay shared secret; unrecognized records (lacking the shared secret) are transparently forwarded to the mask site, so all censor-visible responses come from the real mask server.
-
ShadowTLS relays are detectable via three active probing techniques exploiting behavioral discrepancies from the mask sites they mimic: (1) responding to plaintext HTTP on port 443 with FIN-ACK rather than an error (only 17% of TLS servers share this behavior), (2) silently ignoring non-TLS record data post-handshake rather than sending a fatal alert (only 0.14% of 30M hosts behaved this way), and (3) silently ignoring corrupted TLS Application Data records rather than sending a bad_record_mac alert (only 0.12% of hosts silent).
-
ShadowTLS is structurally limited to TLS 1.2 because in TLS 1.3 the Finished message is sent as encrypted Application Data (record type 0x17), preventing the relay from detecting handshake completion without decrypting the session. This forces ShadowTLS to advertise TLS 1.2, which is an increasingly anomalous fingerprint as TLS 1.3 adoption grows.
-
ShadowTLS's TLS ClientHello fingerprint (JA3 hash ebaa863800590426) was not observed in the TLSFingerprint.io dataset collected from a university network tap, making the client fingerprint unique to the tool and trivially blockable by censors maintaining a TLS fingerprint blocklist.
-
Hong Kong Twitter users are 33% more likely than a random control sample to have protected their accounts, and over 247% more likely to have deleted past Tweets, after enactment of the June 2020 national security law (NSL). These differences are statistically significant at p ≤ 1.74e-48 for all account-protection and Tweet-deletion metrics.
-
Hong Kong Twitter discussion of COVID-19 continued declining after mid-2020 and did not resurge during Hong Kong's large March 2022 COVID wave, unlike the control group whose COVID discussion tracked local transmission rates. The authors interpret this anomalous pattern as a generalized chilling effect: NSL legal risk suppressed even politically ambiguous health discussion that mainland China had censored but that may not clearly fall under the NSL.
-
Of inaccessible Tweets from 2019, those containing NSL-sensitive political keywords are disproportionately deleted or protected by both Hong Kong users (36.38% inaccessibility) and Taipei users (34.89%), compared to New York City (29.45%) and Tokyo (30.80%). This suggests that NSL legal exposure — which extends extraterritorially under Article 38 — may be chilling speech even among users outside Hong Kong who transit or have ties to mainland China.
-
While Hong Kong users sharply reduced discussion of NSL-sensitive political topics after July 2020, their rate of Tweeting about non-sensitive topics (travel, food, art, media) remained stable and mirrored control-group trends. This targeted suppression — rather than a general withdrawal from Twitter — confirms the NSL produced specific self-censorship of covered speech rather than platform abandonment.
-
After the NSL entered into force in July 2020, the proportion of Hong Kong Tweets containing NSL-sensitive political keywords declined steadily and never returned to prior levels. By contrast, the control group's equivalent keyword usage rebounded (e.g., surging around the August 2021 Taliban takeover and March 2022 Ukraine invasion), indicating the Hong Kong decline is attributable to legal chilling rather than global topic cycles.
-
The GFW's fully-encrypted detector (deployed Nov 2021) operates by exempting likely-benign traffic and blocking the rest. Five inferred exemption rules applied to the first TCP payload (pkt): Ex1 — popcount(pkt)/len(pkt) ≤ 3.4 or ≥ 4.6 (bits/byte); Ex2 — first 6+ bytes are printable ASCII [0x20–0x7e]; Ex3 — more than 50% of bytes are printable ASCII; Ex4 — more than 20 contiguous printable ASCII bytes; Ex5 — first bytes match TLS or HTTP fingerprint. Traffic failing all five exemptions is blocked. Experiments confirmed all rules still held as of February 2023.
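The five rules are mechanical enough to restate in code. This is a simplified reconstruction: Ex5's TLS/HTTP fingerprints are reduced to common byte prefixes, which is an assumption, not the detector's actual fingerprint set:

```python
PRINTABLE = frozenset(range(0x20, 0x7F))

def avg_popcount(pkt: bytes) -> float:
    """Average number of set bits per byte (randomness proxy)."""
    return sum(bin(b).count("1") for b in pkt) / len(pkt)

def is_exempt(pkt: bytes) -> bool:
    """True if any of the five inferred exemption rules fires; otherwise
    the connection is a blocking candidate (subject to the detector's
    probabilistic, IP-range-scoped application)."""
    bits = avg_popcount(pkt)
    if bits <= 3.4 or bits >= 4.6:                            # Ex1
        return True
    if all(b in PRINTABLE for b in pkt[:6]):                  # Ex2
        return True
    if sum(b in PRINTABLE for b in pkt) > 0.5 * len(pkt):     # Ex3
        return True
    run = 0                                                   # Ex4
    for b in pkt:
        run = run + 1 if b in PRINTABLE else 0
        if run > 20:
            return True
    if pkt[:3] in (b"\x16\x03\x01", b"\x16\x03\x03") or \
       pkt[:4] in (b"GET ", b"POST", b"HTTP"):                # Ex5 (simplified)
        return True
    return False

assert is_exempt(bytes([0xFF] * 64))                 # Ex1: 8 bits/byte
assert not is_exempt(bytes([0x0F, 0xF0] * 32))       # looks fully encrypted
assert is_exempt(b"\x16\x03\x01" + bytes([0x0F, 0xF0] * 30))  # Ex5: TLS
```

Note that random ciphertext averages 4 bits per byte, squarely inside the (3.4, 4.6) window — which is exactly why fully-encrypted protocols fail Ex1 while most plaintext and structured traffic passes one of the five rules.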
-
The GFW applies the fully-encrypted detector probabilistically and only to a targeted subset of IP address space. Each qualifying connection is blocked with probability p = 26.3% (geometric distribution fit over 109,489 affected IPs in a 10% IPv4 scan); residual censorship then blocks the same 3-tuple (client IP, server IP, server port) for 180 seconds after a first block. The detector only monitors ~26% of connections and targets specific IP ranges of popular data centers (VPS providers such as Alibaba US, Constant, DigitalOcean, Linode); large CDNs (Akamai, Cloudflare) and most residential/enterprise IPs are unaffected. 98% of scanned IPs were unaffected. Simulated on live university traffic, the rules would block ~0.6% of normal connections as collateral damage.
-
After blocking all *.google.com subdomains on September 22, 2022, China's censor lifted the block specifically for FCM endpoints on October 1 while leaving other Google services (Docs, Groups, Sites) blocked through at least February 2023. This selective whitelist exception — made after only days of blocking — indicates the censor judged the collateral damage to apps relying on FCM to be unacceptable.
-
Over 7 months of Hyperquack measurements across 5,555,298 probes targeting 1,632 unique ASes, only a small number of ASes actively interfered with HTTPS connections to FCM endpoints. The majority of blocking incidents occurred in China during September 22–30, 2022, coinciding with the Party's National Congress, when nearly all measurements failed with TCP reset.
-
PushProxy's high-frequency downstream channel generates over 100 push notifications to load a typical webpage, contrasting sharply with the daily average of 46 push notifications received by a smartphone. This statistical anomaly makes PushProxy flows identifiable by simple rule-based filters without requiring sophisticated traffic analysis.
-
PushProxy with N=100 parallel push receivers achieves a median 10 MB download time of 16.46s (~4.86 Mbps) without exceeding FCM's 5,000 messages/hour per-deviceToken rate limit, compared to 2.70s for Shadowsocks and 9.68s for OpenVPN (UDP). This throughput significantly exceeds other service-tunneling systems: dnstt (1.5 Mbps) and CensorSpoofer (64 Kbps).
-
PushProxy decouples upstream (XOR-obfuscated UDP) from downstream (FCM push notifications), implementing triangular routing that prevents per-flow traffic analysis: a network adversary with limited visibility cannot correlate upload and download flows since they use different transport protocols and paths. Median TTFB was 572ms versus 492ms (Shadowsocks) and 508ms (OpenVPN), while performance remained stable during Chinese peak hours (20:00–02:00 GMT+8) when Shadowsocks download times increased from 3s to over 100s.
-
Chinese DNS censorship operates symmetrically — injecting forged responses for both inbound and outbound DNS packets regardless of whether any real service exists at the destination IP. This means any DNS response received for a probe sent to a closed-port IP inside China is unambiguously a censorship injection, not a legitimate resolver reply.
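The probing logic this property enables can be sketched with the standard library. The query builder below is a generic minimal DNS packet (the UDP send itself is omitted); the transaction ID and function names are illustrative:

```python
import struct

def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question),
    length-prefixed QNAME labels, then QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode() for label in domain.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_injected(response: "bytes | None") -> bool:
    # The probe targets a Chinese IP with no DNS service listening, so a
    # legitimate reply is impossible: any response at all is an injection.
    return response is not None

q = build_query("example.com")
assert q[:2] == b"\x12\x34"
assert b"\x07example\x03com\x00" in q
assert is_injected(b"\x00" * 12) and not is_injected(None)
```

This closed-port trick removes the hardest part of remote DNS measurement — distinguishing injected answers from genuine resolver replies.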
-
In a 75-domain, 492-destination experiment, domains that showed small-scale routing-induced censorship changes — where some (source IP, source port) combinations bypassed censorship while others did not — were exclusively domains first censored within the last 2 years, indicating inconsistent GFW censorship-node configuration during rollout.
-
Routing-induced censorship variation is persistent across time: packet retries do not resolve observed differences, and manual re-measurement days later yielded identical censorship outcomes for the same (source IP, source port, destination IP) tuples across 12 iterative experiment rounds, ruling out transient packet loss or short-term routing fluctuations.
-
The lowest 3 bits of the source IP nearly double the number of destinations experiencing censorship measurement changes, consistent with routers XOR-ing low-order bits of source and destination IPs for load-balancing decisions. Varying source IPs produced a mean of 89 routing nodes and 134 distinct paths, versus 55 nodes and 110 paths when varying only source ports.
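The hypothesized mechanism can be illustrated with a toy ECMP-style hash; this is an assumption for illustration (the measured routers' actual hash is unknown), showing why flipping low-order source-IP bits can move a flow onto a different censorship node:

```python
import ipaddress

def toy_ecmp_path(src_ip: str, dst_ip: str, n_paths: int = 8) -> int:
    """Toy load balancer: XOR the lowest 3 bits of source and destination
    IPs to select one of n_paths routes (illustrative, not the real hash)."""
    src = int(ipaddress.ip_address(src_ip))
    dst = int(ipaddress.ip_address(dst_ip))
    return (src ^ dst) & (n_paths - 1)

# Flipping the lowest source-IP bit changes the selected path:
a = toy_ecmp_path("10.0.0.4", "203.0.113.7")  # (4 ^ 7) & 7 = 3
b = toy_ecmp_path("10.0.0.5", "203.0.113.7")  # (5 ^ 7) & 7 = 2
```

Under such a hash, varying source IPs exercises more distinct paths than varying source ports alone, consistent with the 89-node/134-path versus 55-node/110-path observation.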
-
Across 10,000 destination IPs in China, 37% showed some change in censorship behavior depending on source IP and source port, spanning 56% of measured ASes. The dominant form of variation (95% of cases) was all-or-nothing: a given (source IP, source port) pair either experienced no censorship or 'expected' censorship, with no intermediate states.
-
Starting October 3, 2022, more than 100 users reported simultaneous blocking of TLS-based circumvention servers running Trojan, Xray, V2Ray TLS+WebSocket, VLESS, and gRPC. Blocking was port-specific initially (mainly port 443, but also non-443 ports), then escalated to full IP blocking when users switched ports. Domain names were not added to DNS or SNI blocklists. naiveproxy was notably not affected. The blocking was dynamic in at least some cases (browsers could still reach the port, but circumvention tools could not), strongly indicating protocol-level identification rather than blind port blocking.
-
The October 2022 blocking wave is the confirmed operational deployment of the fully-encrypted-traffic detector later formalized in Wu et al. (USENIX Security 2023). The detector was therefore in live production from at least late 2022, more than a year before the academic paper describing it was published. This event establishes that the GFW's passive fully-encrypted classifier operates at scale in adversarial real-world conditions, not just in controlled experiments.
-
The COVID-19 Wuhan lockdown caused the number of geolocating Twitter users in China to increase 1.4-fold immediately, remaining 10% above the pre-crisis baseline long-term; approximately 320,000 new Chinese users joined Twitter due to the crisis, and the ranking of the VPN application available on the Chinese iPhone App Store jumped significantly around 23 January 2020 and remained elevated.
-
In countries with no Great Firewall-equivalent censorship (Germany, Italy) and in less-censored authoritarian states (Iran — Persian Wikipedia; Russia — Russian Wikipedia) that experienced comparable COVID-19 outbreaks, no analogous spillover to politically sensitive content was observed; Wikipedia engagement in those countries increased generally but did not show disproportionate access to historically censored topics, confirming the gateway effect is specific to high-censorship environments.
-
Once mainland China users circumvented the Great Firewall during COVID-19, they disproportionately followed politically sensitive accounts: international news agencies at 1.31x the expected rate, Chinese citizen journalists at 1.42x, and political activists at 1.23x — all relative to Hong Kong users as a control — while state media accounts saw only a 1.06x increase and entertainment accounts a 0.85x decrease, confirming a selective gateway to censored political content.
-
Circumvention activity varied strongly by geographic proximity to the crisis: Hubei province, the epicenter, saw Twitter volume double relative to pre-lockdown baseline and sustain that doubling 30 days after the crisis, while mobility decreases from Baidu location data correlated with Twitter user increases across provinces — but two weeks after lockdown, the elevated Twitter usage could no longer be explained by mobility restrictions or New Year seasonality, indicating crisis-induced circumvention becomes self-sustaining.
-
Chinese-language Wikipedia views grew from 12.8 million per day in December 2019 to 13.9 million during the Wuhan lockdown (24 January–13 March) and peaked at 14.7 million per day from mid-February through April 2020; the crisis disproportionately increased views of pages selectively blocked by the Great Firewall prior to 2015, of historical Chinese leaders since Mao, and of current officials — categories expected only under a gateway effect — and these elevated levels persisted through May 2020.
-
Among 18,199 stable open DNS resolvers discovered in Shanghai's IPv4 space, 136 were completely immune to GFW DNS filtering and correctly resolved all 83 blocked domains. On average, each blocked domain had more than 436 open resolvers with ACR ≥ 0.5 capable of returning its correct IP address.
-
Chinese public (pDNS) and ISP (iDNS) DNS resolvers exhibit highly variable filtering bypass rates: some resolvers return correct IPs for specific blocked domains with ACR > 0.6 (e.g., wsj.com, vpnintouch.com), while the same resolver queried from a different ISP or region may have ACR < 0.1. The paper identifies three factors that determine effective bypass: DNS resolver identity, client vantage-point location, and the specific blocked domain.
-
The authors implement a system that identifies correct IP addresses of blocked domains inside a censored network by exploiting the predictable characteristics of forged IPs returned by GFW DNS filtering devices. The system achieves 100% accuracy in identifying valid IPs within a short time period, using 1.7 billion DNS records collected over 40 days across 86,876 resolvers.
-
GFW DNS filtering effectiveness shows diurnal variation: correct response rates are lowest in the early morning hours (before 6:00 a.m.) and rise throughout the day, suggesting filtering devices fail to process all DNS queries during peak traffic periods. However, the overall variance across time is small — maximum standard deviation of 0.03 — indicating the filtering mechanism is broadly stable over the 40-day measurement window.
-
Queries from inside China to non-Chinese public DNS resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1) that pass through GFW DNS filtering devices yield an Absolute Correct Rate (ACR) of less than 1% for blocked domain lookups, regardless of the client's region or ISP. Even a self-built US resolver (45.63.86.214) was affected by the national-level DNS filtering mechanism.
-
Extending Geneva's genetic algorithm to the application layer automatically discovered 77 unique HTTP evasion strategies and 9 DNS evasion strategies against censors in China, India, and Kazakhstan — all requiring only unprivileged usermode modifications with no TCP/IP header access. Against India's Airtel censor, 56 of the 77 strategies succeeded; 29 worked against Kazakhstan; 22 evaded China's keyword-based HTTP censorship and 27 evaded its Host-header censorship.
-
China's Great Firewall runs three independent DNS censorship injectors in parallel; elevating the DNS qdcount field to 2 (despite only one query being present, violating RFC 1035) evades all three injectors simultaneously with 100% success rate across 1,000 trials — but only Cloudflare (1.1.1.1) among eight tested open resolvers responds to such queries. DNS compression paired with an elevated qdcount also achieves 100% evasion of all three injectors but is supported only by Cloudflare and Google (8.8.8.8).
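The elevated-qdcount query can be sketched with raw packet construction; the helper name and transaction ID are ours, and in practice the query must be sent to a resolver that tolerates the RFC 1035 violation (per the finding, only Cloudflare among those tested):

```python
import struct

def dns_query_elevated_qdcount(domain: str, txid: int = 0x1234) -> bytes:
    """Build a DNS query whose header claims QDCOUNT=2 while carrying only
    one question section, the evasion strategy described above."""
    # id, flags (RD=1), qdcount=2, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 2, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in domain.split(".")
    ) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

pkt = dns_query_elevated_qdcount("example.com")
qdcount = struct.unpack(">H", pkt[4:6])[0]
```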
-
China's GFW keyword-based and Host-header HTTP censorship can be simultaneously defeated by a 'sandwich' strategy: a header with a name ≥64 bytes must appear before the Host header, the Host header value must start ≥1,281 bytes from the start of the headers, and the final header must be ≥129 bytes total — and the Host header must not be first or last. A 64+ byte header name alone is sufficient to defeat Host-header censorship because it prevents the GFW from reading further headers.
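A request satisfying the sandwich constraints can be constructed mechanically; the padding header names and values below are arbitrary choices of ours, not the paper's exact strategy encoding:

```python
def sandwich_request(host: str, path: str = "/") -> bytes:
    """Build an HTTP request meeting the 'sandwich' constraints: a >=64-byte
    header name before Host, Host value starting >=1,281 bytes into the
    headers, a final header of >=129 bytes, and Host neither first nor last."""
    long_name = "X" * 64                              # >=64-byte header name
    prefix = long_name + ": " + "a" * 1300 + "\r\n"   # pushes Host value deep
    host_line = "Host: " + host + "\r\n"
    tail = "Z" * 64 + ": " + "z" * 70 + "\r\n"        # final header, 138 bytes
    headers = prefix + host_line + tail
    value_offset = headers.index("Host: ") + len("Host: ")
    assert value_offset >= 1281 and len(tail) >= 129
    return ("GET " + path + " HTTP/1.1\r\n" + headers + "\r\n").encode()

req = sandwich_request("example.com")
```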
-
India's Airtel HTTP censor fails to reassemble TCP segments: padding any HTTP request to at least 1,449 bytes causes the IP+TCP overhead (52 bytes) to push the total past the Ethernet MTU of 1,500 bytes, forcing segmentation that the censor cannot handle and achieving 100% evasion. Kazakhstan requires the segmentation boundary to fall precisely between the Host header name and value (with two trailing spaces), rather than anywhere in the request.
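The Airtel padding trick reduces to simple arithmetic: a payload of at least 1,449 bytes plus 52 bytes of IP+TCP overhead exceeds the 1,500-byte MTU. A minimal sketch, with a throwaway padding header of our own naming:

```python
MTU, IP_TCP_OVERHEAD = 1500, 52
TARGET = MTU - IP_TCP_OVERHEAD + 1  # 1449 bytes: one byte past a single frame

def pad_request(request: bytes) -> bytes:
    """Grow an HTTP request to >=1449 bytes by inserting a padding header
    (name is our choice) before the final CRLF, forcing TCP segmentation
    that Airtel's censor fails to reassemble."""
    deficit = TARGET - len(request)
    if deficit <= 0:
        return request
    # 9 bytes of framing: b"X-Pad: " (7) plus trailing b"\r\n" (2)
    pad = b"X-Pad: " + b"a" * max(1, deficit - 9) + b"\r\n"
    return request[:-2] + pad + request[-2:]

req = pad_request(b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n")
```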
-
A central finding of the paper is that gaps in a censor's RFC compliance create evasion opportunities: RFC-permitted HTTP/DNS variants that servers accept but the censor fails to parse slip through uncensored. India's Airtel censor was the most brittle (56/77 strategies bypassed it) precisely because it failed on many legitimate RFC variants; China's more faithful parser left fewer openings.
-
DNS manipulation is widespread across China (305 domains via local resolvers, 300 via public resolvers) and Russia (251 local, 205 public), but simply switching to a public DNS resolver already evades local-resolver-only filtering for many domains, reducing apparent censorship at the public-resolver layer. On-path filtering systems that poison queries to public resolvers represent a harder threat class requiring encrypted DNS.
-
Using DoH plus ESNI, DNEye successfully unblocked 130/230 (56%) of DNS-filtered domains in China and 53/56 (95%) in Russia, but 0/49 (0%) in Iran. The primary failure mode in China (84 domains) and Iran (47 domains) was SNI-based filtering at the TLS layer for domains that do not support ESNI, which remains visible in the ClientHello.
-
DNEye detected DoTH (DoT and DoH) blocking across the largest number of ASes in China, with interference against Cloudflare, Quad9, AdGuard, and CleanBrowsing resolvers emerging in early March 2021. Blocking patterns varied per-AS rather than following a centralized GFW DNS-level policy, indicating individual ISP implementation. Saudi Arabia, by contrast, showed coordinated SNI-based blocking of the same DoH resolvers across different ASes, indicating centralized policy.
-
Only 1.5–2.25% of domains from TLD zone files have a valid ESNI key, with 15.4K of the top 100K and 143.3K of the top 1M popular domains supporting ESNI. All ESNI-supported domains are hosted by Cloudflare, making ESNI-enabled connections trivially distinguishable from the vast majority of TLS traffic and a low-collateral-damage blocking target for censors.
-
China's GFW blocks all ESNI traffic via RST packet injection following a TLS ClientHello with an encrypted SNI field, confirmed since July 2020. Russia blocks ESNI in a decentralized, ISP-level fashion across at least three identified ASes (AS28890, AS52207, AS41754), each injecting RST packets independently.
-
VPNalyzer is the first study to measure DNS leaks during tunnel failure, discovering that 8 VPN providers — including TunnelBear and Private Internet Access — allow DNS queries to bypass their kill switch or firewall rules, exposing users' ISP IP addresses and queried domain names to their ISP and DNS resolvers outside the tunnel.
-
Only 11 of 80 tested VPN providers supported IPv6 connectivity; 5 providers — Astrill VPN, Norton Secure VPN, Turbo VPN, SurfEasy VPN, and a university VPN — failed to block IPv6 traffic when the VPN tunnel did not support it, silently leaking all IPv6 data directly to the user's ISP even when IPv4 was fully tunneled.
-
Among 80 tested VPN providers, 26 leaked user traffic during tunnel failure: 18 exhibited a missing or broken kill switch leaking all traffic types, and 8 additional providers leaked only DNS traffic. In a case study of 39 top providers with all security settings explicitly enabled ('custom secure mode'), 10 still leaked traffic, with 6 leaking even with the 'kill switch' feature activated.
-
29 of 80 VPN providers — including paid services — configure clients to resolve DNS through third-party public resolvers (Google Public DNS, Cloudflare, OpenDNS, Quad9) rather than provider-operated infrastructure. Three self-hosted solutions (Algo, Streisand, Outline) hardcode public DNS with no easy override, causing connection failures in regions where those services are blocked.
-
27 of 80 tested VPN providers had servers within a single AS (AS 9009, M247 Ltd), and VPNalyzer identified 14 providers sharing 4 specific IP blocks within that AS; 2 additional providers shared an IP block in AS 60068 (Datacamp). Such infrastructure concentration enables censors to block multiple VPN products simultaneously with a single IP-range or AS-level rule.
-
D-LDA detected event-driven shifts in Indian censorship without prior knowledge: the word 'violence' disappeared from the 'Riots in India' topic cluster between months 6 and 14 of the measurement period, and 'killing' did not appear until month 16, consistent with the absence of actual riots during that window. Similarly, the 'Danish cartoonist' topic shifted from cartoon-focused discourse to broader Islamic-rights framing ('freedom,' 'speech') approximately 18 months in.
-
Data gaps severely degrade D-LDA accuracy: erasing every other month reduced the corpus from 4,577 to 1,919 documents and caused the model to lose detection of 'Religion-motivated killing,' 'Religious websites,' 'Muslim Violence,' and 'Homicide' topics entirely. Erasing one in three months (1,479 documents) caused further topic loss, and even removing one random month altered topic evolution trajectories. For 25% of pages, the gap between Wayback Machine snapshots and ICLab observations exceeds one year.
-
Dynamic LDA applied to ICLab longitudinal data for India (2016–2020) successfully identified 14 distinct censored topic clusters—including religious conflict, piracy, educational fraud, and political dissent—from 677 overtly-censored URLs out of 6,012 tested (11.3% overtly censored at least once). The model required monthly time-slice granularity; daily and weekly granularities produced unstable results due to wild swings in document counts.
-
India's censorship apparatus, while less aggressive than China's, legally mandates ISP-level blocking capability and has deployed it regularly. Of 6,012 URLs in ICLab's India test list observed since 2016, only 677 (11.3%) were ever overtly censored (block-page redirect); the majority of anomalies were covert (connection disruption mimicking network faults) and excluded from analysis due to ambiguity. Censorship topics include not only political dissent but copyright enforcement, indicating infrastructure originally deployed for political control is routinely repurposed.
-
OpenVPN's application-layer P_ACK packets — uniform in size and concentrated only in the handshake phase — provide a timing and count fingerprint detectable via threshold comparison over 10-packet bins. Tunnel-based obfuscation wrappers (Stunnel, SSH, obfs2/3, Shadowsocks) that do not add random padding preserve the 1:1 packet correspondence with the underlying OpenVPN stream, leaving 16 of 20 tested tunnel-based obfuscated configurations vulnerable to ACK fingerprinting.
-
34 of 41 obfuscated OpenVPN configurations and 18 of 20 UDP configurations were co-located with vanilla TCP OpenVPN servers within the same /29 subnet; probing the /29 subnet of a suspected obfuscated or UDP endpoint revealed nearby vanilla TCP servers, enabling confirmation by 'guilt by association' even when the obfuscated endpoint itself resisted direct fingerprinting. Some providers additionally share infrastructure across different VPN brands, further compounding exposure.
-
A two-phase passive-filter-plus-active-probing framework deployed at a 1-million-user ISP identified 85.90% of vanilla OpenVPN flows (1,718/2,000) and 72.67% of obfuscated flows (1,468/2,020), with an upper-bound false positive rate of 0.0039% across over 10 million flows — three orders of magnitude lower than prior ML-based approaches (1.4–5.5%). The system processed 15 TB and 2 billion flows per day on a single commodity server.
-
Even with tls-auth/tls-crypt HMAC protection making OpenVPN servers nominally 'probe-resistant' (silent to unauthenticated clients), the framework fingerprints servers via TCP-level timing side channels: a complete 16-byte client-reset probe triggers an immediate connection drop (HMAC validation fails after full packet reassembly), while a 15-byte truncated probe causes the server to stall awaiting the final byte until a server-specific handshake timeout expires. Over 97% of non-OpenVPN endpoints have RST thresholds below 500 or above 4,000 bytes, versus OpenVPN's characteristic 1,550–1,660 bytes derived from default MTU configurations.
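The reported thresholds suggest a simple decision rule; this is a simplification of the paper's full framework, using only the ranges quoted above:

```python
def classify_by_rst_threshold(threshold_bytes: int) -> str:
    """Heuristic sketch: OpenVPN servers drop connections after a
    characteristic 1,550-1,660 bytes of garbage (MTU-derived), while >97%
    of non-OpenVPN endpoints reset below 500 or above 4,000 bytes."""
    if 1550 <= threshold_bytes <= 1660:
        return "likely-openvpn"
    if threshold_bytes < 500 or threshold_bytes > 4000:
        return "likely-not-openvpn"
    return "inconclusive"
```

Measuring the threshold itself requires the 15-byte versus 16-byte probe pair described above, which only a live network experiment can perform.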
-
OpenVPN's unencrypted opcode header byte is exploited to fingerprint vanilla and XOR-obfuscated flows: the XOR patch specification excludes the first buffer byte (the opcode) from reversal, so opcodes are always XOR-ed with the same key byte and map deterministically to fixed ciphertext values. All 4 of the top-5 VPN providers that offer obfuscated services use XOR-based obfuscation, and all were flagged by opcode fingerprinting over 90% of the time.
-
In AS45090 (China), the Cloudflare CDN IP 104.16.248.249 succeeds 100% of the time with SNI 'cloudflare-dns.com' but triggers TLS handshake resets 93% of the time with SNI 'mozilla.cloudflare-dns.com'. Follow-up measurements using those same SNIs against unrelated HTTPS servers (example.org, hbl.fi) reproduced the same resets, confirming that the GFW performs SNI-keyed TLS blocking independent of the destination IP.
-
Dominant failure modes differ systematically by country: China (AS45090) shows connect timeouts in 75% of DoT failures (IP-level blocking); Kazakhstan (AS48716) shows post-TLS-handshake timeouts in 72% of DoT failures (likely ACK or segment discard after handshake); Iran (AS197207) shows TLS handshake timeouts in 80% of DoT failures. Packet capture analysis confirmed that timeouts during and after the TLS handshake correspond to unacknowledged TCP segments, not connection resets.
-
MCI (AS197207, Iran) intercepts cleartext DNS and returns the bogon address 10.10.34.36 for dns.adguard.com A queries regardless of which upstream resolver is used (system, 8.8.8.8, or 9.9.9.9), and intercepted queries never reached a researcher-controlled DNS-over-UDP server. This bogon falls in the same /24 documented in prior Iranian censorship research. Additionally, SNI blocking for dns.adguard.com was confirmed independently on both port 853 (DoT) and port 443 (DoH).
-
In AS197207 (Iran, MCI), approximately 50% of DoT endpoints failed consistently — the only case across all tested ASN/protocol combinations where failure exceeded 20%. In Kazakhstan (AS48716) and China (AS45090), more than 80% of DoT and DoH endpoints were always reachable.
-
In AS197207 (Iran), Google's DoT endpoint 8.8.4.4:853 is blocked 100% of the time while 8.8.8.8:853 is always accessible, regardless of SNI value. TLSv1.3 handshake analysis (hiding server certificates) confirmed no SNI correlation, establishing that Google's DoT blocking depends solely on the destination IP endpoint.
-
Internet-wide IPv4 scanning found 386,187 IP addresses yielding amplification factors ≥ 100× via TCP middlebox reflection, with 82.9% of responses from the top 1 million IPs confirmed as originating from on-path middleboxes rather than endpoints. Nation-state censorship infrastructure dominates: China's GFW alone accounts for approximately 154 million responding IP addresses sharing a 3× RST+ACK (54 bytes each) fingerprint.
-
Censoring middleboxes respond to non-compliant TCP sequences because they must handle asymmetric routing and cannot rely on observing both sides of a connection. The ⟨SYN; PSH+ACK⟩ sequence elicited responses from 69.6% of 184 tested censoring middleboxes with a maximum amplification of 7,455×, while a lone PSH+ACK with no prior handshake elicited responses from 33.2% of middleboxes.
-
Nation-state censors produce characteristic TCP response fingerprints: China's GFW sends 3× RST+ACK (54 bytes each) from ~170 million IPs; Iran's infrastructure sends 402–405-byte FIN+PSH+ACK plus 54-byte RST+PSH+ACK from 8.6 million IPs (75.7% of responsive Iranian addresses); Saudi Arabia sends a 97-byte PSH+ACK plus 2× 1,354-byte PSH+ACKs at 18.9× amplification from 400,000+ IPs. Most nation-state censors produce less than 4× amplification due to compact block pages.
-
Routing loops within censoring infrastructure create effectively infinite TCP amplification: 53,041 of the top 1 million responding IP addresses showed routing loop behavior spanning 2,763 /24 prefixes. Two Russian ISP censorship systems with infinite routing loops continuously sent amplified traffic for approximately 6 days after a single 2-packet trigger sequence, and 6 GFW IP addresses in China sent data indefinitely.
-
A low-bandwidth attacker can sustain indefinite availability attacks by periodically re-triggering residual censorship: China's 3-tuple HTTP system requires only 4 spoofed packets every 3 minutes. For 4-tuple systems requiring full source-port coverage (65,535 ports), Kazakhstan needs 1,093 packets/sec (~634 kbps HTTP) and Iran needs 729 packets/sec (~422 kbps HTTP)—achievable with commodity hardware. Iran achieved 100% attack success against all 17 geographically disparate victim vantage points tested.
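The packet-rate figures follow from covering all 65,535 source ports once per residual-censorship window, assuming a 2-packet trigger (SYN plus PSH+ACK) per port:

```python
import math

def retrigger_pps(ports: int = 65535, pkts_per_port: int = 2,
                  window_s: float = 120.0) -> int:
    """Packets/sec needed to keep every source port residually censored:
    re-send the per-port trigger sequence once per censorship window."""
    return math.ceil(ports * pkts_per_port / window_s)

kazakhstan = retrigger_pps(window_s=120)  # 120 s window -> 1,093 pps
iran = retrigger_pps(window_s=180)        # 180 s window -> 729 pps
```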
-
Switching source IP via VPN, Tor, or HTTP proxy is the primary victim-side mitigation because residual censorship is tuple-keyed; however, if the proxy entry node's path also crosses the censor, the attacker can redirect the attack at the proxy itself. On the censor side, null-routing middleboxes could eliminate the vulnerability by validating TCP sequence/acknowledgment numbers before dropping traffic, or by replacing null routing with an explicit block-page response.
-
Residual censorship—where a censor continues blocking all traffic on a 3- or 4-tuple after an initial censorship event—is active in China (HTTP: 90s 3-tuple RST injection; ESNI: 120–180s 3+4-tuple null routing), Iran (HTTP+SNI: 180s 4-tuple null routing, occasionally up to 5 minutes; protocol filter: 60s), and Kazakhstan (HTTP+SNI: 120s 4-tuple null routing). A December 2020 Quack scan found 3-tuple stateful disruption in 33 countries and null-routing censorship in 18, suggesting much broader applicability.
-
All tested censors (China, Iran, Kazakhstan) can be triggered statelessly—without completing a TCP 3-way handshake—using a SYN with decremented sequence number followed by a PSH+ACK containing the forbidden payload. This stateless triggering enables fully off-path, source-spoofed attacks: an adversary with packet-spoofing capability can residually censor a victim pair they have no on-path access to.
-
Iran and Kazakhstan reset the residual censorship timer whenever the censor observes any matching packet from the victim, so TCP retransmissions from the victim's own stack inadvertently extend the blocking window far beyond the nominal 120–180s. China's HTTP residual censorship has only ~50% per-request reliability from some vantage points due to heterogeneous GFW middlebox load-balancing, but reliability plateaus near 100% after 7 repeated censorship triggers sent ahead of time.
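The plateau is consistent with a simple independence model (our assumption, matching the reported numbers): if each trigger independently lands on a censoring middlebox with probability ~50%, seven triggers nearly guarantee at least one hit:

```python
def cumulative_reliability(p_single: float = 0.5, triggers: int = 7) -> float:
    """Probability that at least one of n independent triggers lands on a
    censoring middlebox: 1 - (1 - p)^n. Independence is assumed here."""
    return 1 - (1 - p_single) ** triggers

r = cumulative_reliability()  # 1 - 0.5**7 = 0.9921875, i.e. ~99.2%
```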
-
In China (AS45090), HTTP/3 over QUIC has a lower overall failure rate (27.1%) than HTTPS over TCP (37.3%), but hosts that time out during the TCP handshake (TCP-hs-to, indicating IP blocking) always also fail over QUIC — while hosts blocked via TLS-hs-to or conn-reset (SNI-based methods) nearly always succeed over QUIC.
-
In India (AS55836), TCP and QUIC failure rates closely track each other (15.0% vs 12.0%), with every TCP-hs-to and route-err failure matched by a corresponding QUIC failure, confirming IP-based blocking affects both protocols equally. In contrast, India AS14061 (VPS) shows 16.3% TCP failure entirely from route-err but only 0.1% QUIC failure, suggesting the VPS vantage point sits outside the censored path.
-
In Iran (AS62442), HTTPS connections fail at 34.4% (mostly TLS-hs-to, consistent with SNI filtering), while HTTP/3 over QUIC fails at only 16.2%. SNI spoofing reduces TCP failure from 60.1% to 10.2% but has zero effect on QUIC (20.1% both with real and spoofed SNI), indicating Iranian censors apply separate UDP endpoint blocking to QUIC rather than SNI-based identification.
-
Only approximately 5% of domains from the combined Citizen Lab and Tranco Top-4000 test lists supported QUIC in early 2021, heavily skewing the measurable set toward large global .com domains (e.g., Google properties). This bias means the study predominantly captures censorship of internationally targeted sites rather than country-specific domains.
-
Across all four studied countries (China, Iran, India, Kazakhstan), HTTP/3 over QUIC had consistently lower failure rates than HTTPS over TCP: 27.1% vs 37.3% in China, 16.2% vs 34.4% in Iran, and 12.0% vs 15.0% in India (AS55836). The only QUIC-specific interference method observed was black-holing during the QUIC handshake (QUIC-hs-to); no RST injection or SNI-based QUIC filtering was detected.
-
Anycast CDN architecture dominates popular web content delivery: in the US, 59% of Alexa top-1k websites use anycast CDNs vs. 19% DNS-based; in Saudi Arabia, 57% use anycast CDNs. IP geolocation databases such as Maxmind are severely inaccurate for anycast infrastructure — reporting only <15% of Saudi Alexa websites as in-country vs. 90% measured by RTT-based multilateration — causing prior research to incorrectly attribute "nation-state hegemony" over developing-country Internet traffic.
-
CacheBrowser and CDNReaper require clients to contact foreign CDN front-end IPs directly, but this only works for DNS-based CDNs; anycast CDNs use the same IP globally, so bypassing local DNS still routes the client to a local front-end. Only approximately 11% of Alexa top-1k websites use DNS-based CDNs across the five tested countries, and for potentially blocked sites (Citizen Lab lists), CacheBrowser can access only ~18% of 2,769 blocked URLs in Brazil.
-
CDN infrastructure causes 61%–92% of country-specific Alexa top-1k websites to be hosted within the client's own country across India, Iran, Saudi Arabia, Brazil, and the US, as measured by the authors' R-CBG multilateration technique achieving >89% accuracy. This traffic localization means web requests to popular sites rarely cross national borders, undermining the foundational assumption of decoy routing, domain fronting, CacheBrowser, and CovertCast.
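The RTT-based localization rests on a standard constraint-based geolocation bound (sketched here generically; this is not the authors' exact R-CBG algorithm): a server answering within a given RTT cannot be farther away than one-way propagation in fiber allows.

```python
C_FIBER_KM_PER_MS = 200.0  # ~2/3 of c in fiber, in km per millisecond

def max_distance_km(rtt_ms: float) -> float:
    """Speed-of-light upper bound on server distance given a measured RTT:
    (rtt/2) one-way delay times propagation speed in fiber."""
    return (rtt_ms / 2) * C_FIBER_KM_PER_MS

d = max_distance_km(10.0)  # a 10 ms RTT caps the server at 1,000 km away
```

Bounds like this from multiple vantage points can contradict geolocation-database country labels for anycast front-ends, which is how the <15% versus 90% Maxmind discrepancy was exposed.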
-
Conjure's initial registration step requires the client to connect to an overt website hosted outside the censor's jurisdiction before deriving the unused IP address for actual decoy routing, but CDN traffic localization means this bootstrap connection frequently terminates at a local front-end and never crosses the border. The paper finds that for India's Alexa top-100 sites, only 23 websites had any parallel (leaf) HTTP connections terminating outside the country, with a median of just 3 such external leaf connections per site.
-
Domain fronting is undermined when CDN front-ends are located within the censor's jurisdiction because the censor can coerce the CDN provider to disable domain fronting on those front-ends. Russia coerced Google, Amazon, and Microsoft to halt Telegram's use of domain fronting; the paper's measurements confirm that CDN front-ends for popular services (YouTube, Facebook, Instagram) are hosted within all five tested countries.
-
GFWatch tested 534M distinct domains over 9 months (averaging 411M/day) and detected 311K censored domains, the largest such measurement in the literature. Of 138.7K base domains, only 1.3% appear in the top 100K most popular domains, confirming the GFW targets large numbers of obscure and unpopular domains far beyond well-known sites like Facebook or Twitter.
-
A circumvention strategy of holding DNS responses and filtering those matching the known forged-IP pool achieves 99.8% accuracy, correctly classifying 1,005,444,476 of 1,007,002,451 poisoned resolutions. From inside China, 99% of forged responses arrive within 364ms before the legitimate response, establishing 364ms as the recommended hold-on duration; from outside China, 11% of forged responses arrive after the legitimate one, making the IP-blocklist check necessary to avoid misclassifying genuine responses as poisoned.
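The hold-and-filter strategy can be sketched as follows; the function shape, variable names, and the example forged IP (a Facebook-owned address, consistent with the forged-pool composition reported below) are illustrative assumptions:

```python
def hold_on_resolve(responses, forged_pool, hold_ms=364):
    """Hold DNS responses for hold_ms after the first arrival, drop any
    whose answer IP is in the known forged-IP pool, and return the
    earliest surviving answer. `responses` is a list of (arrival_ms, ip)."""
    first = min(t for t, _ in responses)
    window = [(t, ip) for t, ip in responses if t <= first + hold_ms]
    clean = [(t, ip) for t, ip in window if ip not in forged_pool]
    return min(clean)[1] if clean else None

forged = {"31.13.94.10"}  # illustrative entry from the forged-IP pool
ip = hold_on_resolve([(0, "31.13.94.10"), (120, "93.184.216.34")], forged)
```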
-
The GFW's bidirectional DNS filtering — which poisons DNS queries regardless of whether they originate inside or outside China — has polluted the caches of major public DNS resolvers worldwide: Google (74,715 censored domains), Cloudflare (71,560), OpenNIC (65,567), and OpenDNS (63,295), with 77K censored domains found polluted in total. This is compounded by the fact that 38% of base censored domains (53K) have at least one authoritative name server inside China, ensuring systematic external pollution for those domains.
-
GFWatch discovered 1,781 unique forged IPv4 addresses used in GFW DNS poisoning, yet injection is non-random: only 600 (33.6%) account for 99% of all censored responses, with the remainder in a long tail responsible for just 1%. The forged IPv4 pool is dominated by addresses belonging to Facebook (783 IPs, 44%), WZ Communications (277, 15.6%), Twitter (200, 11.2%), and Dropbox (180, 10.1%); all forged IPv6 responses use the bogus Teredo prefix 2001::/32.
-
The GFW uses substring-matching regular expressions rather than exact domain matching, causing 41K of 311K censored domains to be overblocked — unrelated domains that happen to contain a censored domain string. The three base domains causing the most overblocking (919.com, jetos.com, 33a.com) collectively caused 15K unrelated domains to be inadvertently censored.
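The overblocking mechanism reduces to substring containment; a simplified model of the reported behavior (not the GFW's actual regex set):

```python
def gfw_substring_match(qname: str, blocked_bases) -> bool:
    """Model of GFW substring matching: a query is censored if any blocked
    base domain appears anywhere in the name, not just as a suffix."""
    return any(base in qname for base in blocked_bases)

blocked = {"919.com"}
overblocked = gfw_substring_match("www.816919.com.cn", blocked)  # unrelated site
exact = gfw_substring_match("919.com", blocked)
benign = gfw_substring_match("example.com", blocked)
```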
-
Current randomized-payload circumvention tools (obfs4/ScrambleSuit, SkypeMorph, VoIP-tunneling) rely on censors 'defaulting open' — treating unidentified traffic as innocuous. If censors instead block all traffic not explicitly recognizable as meaningful plaintext, these tools fail entirely. The paper notes anecdotal evidence this is already occurring, including blocking of some TLS 1.3 connections.
-
Variable-length sampling (Adaptation 2) achieves a provably secure but impractical encoding: a 16-byte plaintext encoded with GPT-2 requires 502–2994 tokens, produces 2.3–13.6 KiB of stegotext (149×–870× overhead), and takes 42–765 seconds even with GPU acceleration, depending on security parameter k=16–128.
-
Classical public-key steganography (Algorithm 1 from [54]) has a 100% failure rate when encoding a 16-byte message using GPT-2, because GPT-2's per-token entropy drops near zero frequently and standard rejection sampling cannot find an acceptable token. Entropy bounding reduces failure to 0–10% but introduces detectable statistical bias: selected tokens come from a visibly different probability distribution than baseline samples.
-
Meteor encodes bits by embedding a PRG-masked random value into the token-sampling randomness of a generative model, recovering bits proportional to the shared prefix length of the sampled interval. Expected throughput per sampling event is asymptotically within 1/2 of the Shannon entropy of the channel (proven in Appendix A), so Meteor automatically adapts to high entropy variability without explicit signaling or padding.
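The interval-prefix recovery can be illustrated with a toy fixed-precision version (our simplification: 8-bit precision, hand-picked token probabilities, and no PRG masking or real language model):

```python
PRECISION = 8  # bits per sampling event in this toy example

def intervals(probs):
    """Map token probabilities to contiguous integer intervals partitioning
    [0, 2^PRECISION), as in arithmetic-coding-style sampling."""
    total, lo, out = 2 ** PRECISION, 0, []
    for p in probs:
        hi = lo + round(p * total)
        out.append((lo, hi))
        lo = hi
    out[-1] = (out[-1][0], total)  # absorb rounding error into last interval
    return out

def recoverable_bits(lo, hi):
    """Bits of the sampling randomness fixed by choosing this token: the
    shared binary prefix of lo and hi-1."""
    a, b = format(lo, f"0{PRECISION}b"), format(hi - 1, f"0{PRECISION}b")
    n = 0
    while n < PRECISION and a[n] == b[n]:
        n += 1
    return a[:n]

iv = intervals([0.5, 0.25, 0.25])  # a token with p=0.5 fixes 1 bit, p=0.25 fixes 2
```

High-entropy steps (many small intervals) recover more bits per token; near-zero-entropy steps recover none, which is how Meteor adapts without explicit signaling.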
-
Meteor is proven secure against chosen-hiddentext attacks: any PPT adversary distinguishing Meteor output from honest model output can be reduced to breaking the underlying PRG. The scheme produces stegotext provably indistinguishable from the generative model's own output distribution, and requires only a shared public model — not a secret channel — making the model analogous to a common random string. On GPU the encoding overhead is ~1× model-load time; on CPU ~4.6×; on mobile ~49.5×.
-
OUStralopithecus (OUStral), a Selenium-based OUS implementing empirically-derived human browsing distributions — Weibull dwell times (λ=30s, k=0.75), Von der Weth action probabilities (45.1% internal-link clicks, 33% new-URL navigations), and Dubroy tab-switching rates — generated 471 requests with all Cloudflare Bot Management scores above the recommended blocking threshold of 30, while Slitheen and Waterfall consistently scored 1. Because Cloudflare has full HTTP-layer visibility (unavailable to a passive network censor), the paper argues a censor observing only encrypted traffic would be even less able to flag OUStral.
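Sampling from these browsing distributions can be sketched with the standard library. The split of the remaining action-probability mass into "other" is an assumption for illustration, and the Dubroy tab-switching rate is omitted:

```python
import random

def dwell_time(rng):
    # Weibull dwell time with scale lambda = 30 s and shape k = 0.75,
    # matching OUStral's empirically derived browsing model.
    return rng.weibullvariate(30.0, 0.75)

def next_action(rng):
    # Von der Weth action probabilities: 45.1% internal-link clicks,
    # 33% new-URL navigations; remaining mass lumped as "other" here.
    r = rng.random()
    if r < 0.451:
        return "internal_link"
    if r < 0.451 + 0.33:
        return "new_url"
    return "other"
```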
-
Traffic replacement systems that only shape individual HTTPS flows remain vulnerable to censors monitoring inter-connection patterns over time. Waterfall's OUS (reloading the same page every second), Slitheen's OUS (naïve PhantomJS with no crawling), and Slitheen++'s OUS all produced non-human connection patterns detectable at the session level even when per-flow content is well-concealed. OUStral addresses this by shaping the distribution and sequencing of connections across an entire browsing session.
-
Prior overt user simulators (OUS) using PhantomJS — including Slitheen, Waterfall, and Slitheen++ — received Cloudflare Bot Management scores of 1 (certainly bot-generated) and would be blocked by any operator following Cloudflare's recommended cut-off of 30. Slitheen++ improved marginally by adding user-agent randomization and brief inter-request pauses, but all PhantomJS-based OUS implementations were trivially detectable as bots.
-
Across tunnelling systems that apply traffic shaping against ML adversaries, a clear throughput cost emerges: Slitheen + OUStral with WebM replacement achieves up to 2.2 Mbps with 4.7x overhead; Protozoa (WebRTC, end-to-end) achieves up to 1.4 Mbps; DeltaShaper (VoIP) achieves only 7 kbps at 2x overhead. By contrast, Conjure (no traffic shaping) reaches 100 Mbps. Additionally, end-to-middle decoy-routing deployments incur a throughput penalty from packet-boundary parsing at the relay station that end-to-end systems (Protozoa, DeltaShaper) avoid.
-
Extending Slitheen to replace WebM video/audio frames reduced mean overhead from ~20x (image-only Slitheen) to 4.7x (±1.6) over 100 ten-minute sessions, while raising throughput to a mean of 581.7 kbps in video-only mode (max 2023.3 kbps, min 78.2 kbps) and 721.6 kbps in background-video mode (max 1528 kbps). This compares favorably to DeltaShaper's 2x overhead at only 7 kbps and Protozoa's up to 1.4 Mbps, while preserving Slitheen's resistance to traffic-analysis attacks.
-
Cellular data restrictions imposed from Mar. 15, 2021 were invisible to IODA (which uses BGP routing data, active probing, and darknet traffic) because cellular networks commonly use Carrier Grade NAT. Kentik's AS-level NetFlow aggregates clearly showed the cellular traffic drop, with all four major cellular ASes (MPT AS9988, Mytel AS136255, Telenor AS133385, Ooredoo AS132167) experiencing sustained traffic reductions while fixed-line providers only showed nightly dips.
-
Beginning Feb. 14, 2021, country-wide Internet outages affected Myanmar for 72 consecutive nights until Apr. 28, starting at 18:30 UTC (01:00 local time) and lasting 8 hours each night. These nightly curfews were highly synchronized across most ISPs—identical start and end times—in stark contrast to the haphazard, mis-timed outages on the day of the coup.
-
IP blocking in Myanmar was non-deterministic within individual ASes: Frontiir (AS58952) blocked Facebook's IP 157.240.15.36 but not 31.13.82.36, indicating ISPs used incomplete address lists. Different websites were blocked on different networks, and DNS interference was inconsistent even within a single ISP's resolvers, confirming that censorship was decentralized rather than implemented via a national choke point.
-
Post-coup, Myanmar ISPs shifted from primarily DNS-based blocking (dominant in 2020) to IP-based blocking. Blocking Fastly's IP 151.101.1.195 triggered collateral unavailability of more than 10,000 co-hosted websites; blocking a Google-hosted IP (172.217.194.121) rendered snapchat.com, getoutline.org, and others unreachable on at least 4 ASes during Feb. 24–27, 2021.
-
On Feb. 5, 2021, Campana Mythic (AS136168) announced Twitter's 104.244.42.0/24 prefix—apparently intending to blackhole Twitter traffic locally as part of the national Twitter block—but the route leaked to operators in Singapore and Vietnam, causing collateral disruption for Twitter users outside Myanmar. This accidental BGP leak corroborates evidence that Myanmar ISPs were independently implementing IP-level censorship without a centralized national kill switch.
-
Only 8% of keywords censored by Chinese chat clients (WeChat, Sina Weibo — ~63,200 total terms) are also censored by GFW packet inspection, demonstrating independently maintained blocklists. Of the chat-derived terms, the GFW's packet inspection censors up to 1,221 distinct keywords in outbound traffic; just 68 keyword components account for all censored terms from Beijing, with 「六四」(June Fourth) alone responsible for more than half.
-
The GFW only inspects two locations within an HTTP request for censored keywords: the path component of the request line and the Host header, in UTF-8 and GB 18030 encodings (with %-decoding applied). Cookie headers, custom headers (e.g., X-Tension), and POST body fields are not monitored. Even in monitored positions, only approximately 75% of requests containing censored keywords actually trigger a TCP RST disconnection.
-
After a censored connection, 50–75% of subsequent connections from the same client IP to the same server IP and port are blocked for 90 seconds even without censored keywords ("penalty box"). The penalty box is strictly scoped to the (client IP, server IP, server port) triple — other ports at the same server IP or other server IPs are unaffected. The GFW monitors HTTP keyword traffic on every TCP port, not just port 80.
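The scoping rule can be modeled directly. A minimal sketch keyed on the (client IP, server IP, server port) triple with the 90-second expiry described above; the 50-75% per-connection blocking probability is omitted for simplicity:

```python
class PenaltyBox:
    DURATION = 90.0  # seconds

    def __init__(self):
        # (client_ip, server_ip, server_port) -> time at which blocking ends
        self._expiry = {}

    def punish(self, client_ip, server_ip, server_port, now):
        self._expiry[(client_ip, server_ip, server_port)] = now + self.DURATION

    def is_blocked(self, client_ip, server_ip, server_port, now):
        t = self._expiry.get((client_ip, server_ip, server_port))
        return t is not None and now < t
```

Because the key is the full triple, other ports on the same server IP (and other server IPs) stay reachable, exactly as measured.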
-
The GFW enforces SNI-based blocking on every TCP port (not just 443), triggering TCP RST injection and a penalty box for known-censored hostnames (e.g., facebook.com, zh.wikipedia.org) in the TLS ClientHello. The SNI blocklist is separate from the HTTP keyword blocklist — keyword-derived subdomains in the SNI did not trigger censorship. No evidence was found for indiscriminate HTTPS decryption or certificate substitution.
-
The GFW maintains two HTTP keyword sublists: 15 terms censored unconditionally, and approximately 60–63 additional terms censored only when the English word "search" also appears in the request URL. No other English word among the 10,000 most common, no Chinese search synonym (搜索, 查找, 关键词), and no common URL parameter abbreviation ("q", "kw", "s") replicates this expanded-censorship trigger.
-
Balboa's covert signaling protocol derives per-connection keys as KDF(TLS_master_secret ∥ pre_shared_secret) and signals by XOR-ing the MAC of a TLS Application Data record with this derived key. Because the master secret is ephemeral, the scheme inherits TLS forward secrecy—unlike Telex-based signaling (Client Random modification), future server compromise cannot retroactively identify which historical connections used Balboa, and a censor mimicking a client has negligible probability of guessing the modified MAC without the pre-shared secret.
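The signaling step can be sketched as follows, with HMAC-SHA256 standing in for the paper's KDF; the concrete KDF and MAC length are assumptions here:

```python
import hashlib
import hmac

def derive_key(tls_master_secret, pre_shared_secret, mac_len=16):
    # KDF(TLS_master_secret || pre_shared_secret), truncated to MAC length.
    # HMAC-SHA256 is used as an illustrative KDF, not Balboa's actual one.
    return hmac.new(pre_shared_secret, tls_master_secret,
                    hashlib.sha256).digest()[:mac_len]

def tag_record(record_mac, key):
    # Signal Balboa support by XOR-ing the Application Data record MAC
    # with the derived key; applying the same XOR again recovers the MAC.
    return bytes(m ^ k for m, k in zip(record_mac, key))
```

Since the derived key is bound to the ephemeral master secret, a censor without the pre-shared secret sees a value indistinguishable from a normal MAC, and a later server compromise cannot link past connections to Balboa.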
-
Balboa runs unmodified application binaries on standard inputs, intercepting TLS via dynamic library injection (LD_PRELOAD / DYLD_INSERT_LIBRARIES) to replace plaintext with covert data while preserving all TLS record lengths and non-timing characteristics. This yields goodput of 145 kbps for audio streaming and up to 8 Mbps for web browsing, versus 2.56 kbps for DeltaShaper and 19 kbps for Freewave, both of which run real applications on non-standard inputs.
-
Balboa currently supports only TLS 1.2 stream cipher suites, covering approximately 81% of TLS connections; an active censor can force non-stream cipher suite negotiation, causing Balboa to silently enter pass-through mode—a potential denial-of-service vector. Separately, if the server's traffic model deviates from the local baseline (e.g., the same audio file streamed repeatedly), a sufficiently powerful censor can detect the anomaly independently of whether Balboa is running.
-
A random-forest classifier trained on TCP statistics distinguishes Balboa-enabled traffic from baseline with 66–84% accuracy at zero network latency (key features: average TCP window advertisement and data transmit time), but accuracy falls to near-random (50–57%) once realistic latency is introduced (≥5 ms mean). Adding four additional innocent clients to the classification task further reduces accuracy—e.g., VLC at zero latency drops from 84% to 66%.
-
By extracting TLS session keys through library debugging hooks (SSLKEYLOGFILE for GnuTLS/NSS/Rustls; an injected SSL_new() callback for OpenSSL) rather than reimplementing the TLS handshake, Balboa leaves the ClientHello entirely untouched. This prevents the class of fingerprinting attacks documented by Frolov and Wustrow that identified meek and similar tools via observable differences in cipher-suite ordering and TLS extension patterns, while remaining compatible with OpenSSL, GnuTLS, NSS, and Rustls without requiring application source-code modifications.
-
Large-file transfers via Camoufler (using Telegram as the IM channel) show modest overhead compared to direct wget: a 10 MB file takes 13.6s vs. 7.9s direct, 50 MB takes 52.1s vs. 35s, and 100 MB takes 93.3s vs. 68s. The overhead stems from the server downloading the complete file before forwarding it, but performance still substantially exceeds prior tunneling systems such as SWEET (email-based) and CovertCast (video-based), which the authors describe as incurring >10s even for small webpage loads.
-
Camoufler defeats active probing of its server endpoints by keeping server IM IDs private (shared only out-of-band with trusted clients) and configuring the server to respond only to those trusted IDs. An adversary systematically probing IM IDs to find Camoufler servers would receive no response from the server, making enumeration futile. When E2M-encrypted IM providers could collude with a censor, an additional application-layer key exchange (DH with RSA-wrapped ephemeral key, AES-256, PFS via key deletion) prevents the provider from revealing plaintext even under coercion.
-
Traffic analysis comparing Camoufler clients (fetching blocked websites) to regular IM clients (exchanging multimedia) shows indistinguishable packet-exchange rates and packet-size distributions: a 1.3 MB document download via Camoufler peaked at >700 packets/s, matching the >800 packets/s spike from a 1.5 MB video download by a regular IM client. Packet sizes cluster identically in two bins (<100 bytes for ACKs; >1,200 bytes for data) regardless of whether the underlying content is a web page or a video.
-
Camoufler's blocking-resistance relies on collateral-damage economics: IM platforms had ~2.5 billion active users as of January 2019 (projected >3 billion by 2022) and are embedded in essential business and commercial operations (airline e-tickets, professional collaboration tools). Blocking all IM to disrupt Camoufler would require the censor to harm its own economy; the threat model requires only that the censor permits at least one IM platform, in which case Camoufler remains operational.
-
Camoufler tunnels censored web traffic through real Instant Messaging applications (Signal, Telegram, WhatsApp, Slack, Skype), achieving a median page-load time of 3.6s (average 4.1s) over Signal and 2.3s median (average 2.7s) over Telegram for Alexa top-1,000 sites — compared to 120s for CovertCast loading BBC News and only 2.56 Kbps throughput for DeltaShaper. Over 90% of TTFB trials across 10 popular sites completed under 2s, with 50% under 1s.
-
The authors developed 'Aladdin,' a 10-step OONI-based measurement experiment that isolates SNI-based blocking (step 1), Host-header blocking (step 2), DNS injection (step 3), system-resolver vs. DoH discrepancy (steps 4–5), TLS interception (steps 6–8), and TLSv1.3-specific SNI dependency (step 10); this methodology exposed Vodafone's Allot TLS interception that OONI's Web Connectivity test had recorded only as a generic certificate error.
-
Spain's blocking infrastructure, initially mandated for copyright and gambling enforcement, was repurposed to block 24 unique Catalan referendum URLs during October 2017, including the IPFS gateway and two GitHub Pages domains. GitHub Pages was blocked only via DNS manipulation (pointing to 127.0.0.1) rather than HTTP blocking specifically to avoid collateral blocking of all of GitHub.
-
Analyzing over 3 million OONI network measurements (2016–2020) from 17 ASes covering 98.45% of broadband and 90.94% of mobile subscribers in Spain, the study detected 16 unique blockpages, 2 DPI vendors (Fortinet/Fortigate in Telefonica; Allot in Vodafone), and 78 blocked websites across copyright, political, civil-rights, and referendum categories.
-
DPI blocking by Spanish ISPs (Fortinet/Telefonica) was circumvented by inserting a tab escape character (\t) into HTTP GET request headers, or by delaying HTTP GET transmission — the same techniques reported to have bypassed DPI blocking of Catalan referendum sites in 2017. Both techniques exploited the DPI's shallow, stateless inspection of the opening HTTP request.
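A minimal sketch of the tab-insertion technique, assuming the DPI pattern-matches on the literal "GET " prefix; the exact byte position the Fortinet box matched on is not specified in the finding:

```python
def tab_evade(request):
    # Replace the space after the verb with a horizontal tab: many web
    # servers tolerate this, but a shallow, stateless pattern match on
    # b"GET " in the opening request no longer fires.
    return request.replace(b"GET ", b"GET\t", 1)
```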
-
Vodafone (AS12357, AS12430, AS6739) deployed Allot-based TLS interception to block womenonweb.org: the system resolver returned a legitimate IP (67.213.76.19), but connecting to it triggered a forged certificate signed by Allot; disabling TLS certificate validation fetched the Vodafone blockpage, confirming a man-in-the-middle box rather than a redirect. OONI's standard Web Connectivity test recorded only a generic "ssl_error: certificate verify failed" and missed this entirely.
-
Active-probing censors who discover a shadow domain can be defeated by adding a CDN rule that only fetches from the blocked back-end when a secret custom request header is present; without it the CDN returns an innocuous response. Layering domain fronting over domain shadowing (DfDs) further hides the shadow domain by routing the initial request through an allowed front domain with the Host header set to the shadow domain, so the censor never sees the shadow domain in the SNI or DNS query even during active inspection.
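The client side of DfDs can be sketched with the standard library. The names front.example, shadow.example, and the X-Secret header are hypothetical placeholders, not values from the paper:

```python
import urllib.request

# The URL (and hence the DNS lookup and TLS SNI) names an allowed front
# domain; the Host header names the shadow domain configured at the CDN;
# the secret custom header gates access to the blocked back-end.
req = urllib.request.Request(
    "https://front.example/page",
    headers={"Host": "shadow.example", "X-Secret": "k3y"},
)
```

On the wire the censor observes only front.example; the CDN routes on the Host header, and the secret-header rule means an active prober who has learned the shadow domain still receives only the innocuous response.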
-
Of 6 major CDNs surveyed (Google Cloud CDN, AWS CloudFront, Azure CDN, Fastly, Cloudflare, StackPath), 5 support full API automation of the three steps required for domain shadowing: setting the front-end, setting the back-end, and rewriting the Host header. Cloudflare restricts Host header rewriting to enterprise-tier accounts only, making it unsuitable without a paid upgrade. All six CDNs allow arbitrary back-end domain binding by design, and all back-end DNS CNAMEs can be indirected to evade any CDN-side blocklist of popular domains.
-
In 200-request latency experiments, all five CDN providers used for domain shadowing yielded lower round-trip times than directly fetching from the origin server; Azure, Fastly, and StackPath showed median delays less than half those of direct visits. User-configured VPS HTTP proxies — including a powerful AWS t3a.2xlarge instance (8 vCPU, 32 GB RAM) — still underperformed CDN-based domain shadowing.
-
Google Cloud CDN and Amazon CloudFront disabled domain fronting by 2021 by enforcing SNI/Host header consistency, causing Tor Meek, Psiphon, Lantern, and Signal to halt or migrate their domain-fronting deployments. Domain shadowing avoids this failure mode entirely because it does not rely on the SNI/Host mismatch that CDNs were able to patch with a simple header equality check.
-
Domain shadowing makes all three traffic indicators — connecting URL, SNI, and Host header — appear to belong to an allowed shadow domain while fetching content from a blocked back-end domain via CDN. Unlike domain fronting, it exploits a legitimate CDN feature (arbitrary back-end binding) rather than a SNI/Host mismatch quirk, so CDNs cannot disable it by enforcing header consistency without breaking legitimate use cases such as third-party service outsourcing via CNAME. The technique was demonstrated successfully accessing www.facebook.com from a heavily censored country.
-
Filtering rules in Saudi Arabia were uniform across all three major ISPs (STC, Zain, Mobily) and six vantage points spanning four geographically distributed cities (Riyadh, Jeddah, Makkah, Al-Khobar), indicating a single centralized national filtering infrastructure rather than per-ISP implementation.
-
Saudi Arabia's blocking decisions closely track diplomatic ruptures: Qatari news sites were blocked in 2017 amid the Gulf crisis, Iranian news sites in 2018 following severed diplomatic relations, and Turkish outlets Anadolu and TRT Arabic in April 2020 amid Ankara–Riyadh tensions — the Turkish blocks were partly triggered by a citizen Twitter campaign calling for the block.
-
Internet filtering in Saudi Arabia is implemented primarily as HTTP URL-keyword filtering augmented by TLS-level (SNI) filtering for HTTPS connections; DNS and IP-level failures were minimal and consistent with transient network issues rather than deliberate blocking. In 2019, 82.2% of Adult, 7.6% of Shopping, and 6.2% of Games websites returned HTTP 403; TLS filtering of Shopping sites decreased from 9.6% to 6.6% between 2018 and 2020.
-
Saudi Arabia progressively unblocked VoIP and messaging applications after 2017: all 18 tested apps were blocked during 2013–2017, 67% were accessible in 2018, 93% in 2019, and all except WeChat in 2020, following CITC's 2017 announcement lifting the ban on compliant applications.
-
The GFW's passive classifier uses two features of the first data packet to flag probable Shadowsocks traffic: (1) high Shannon entropy (per-byte entropy > ~7 bits strongly correlates with replay probability, which is nearly 4x higher at entropy 7.2 than at 3.0) and (2) packet length in the range 160–700 bytes with specific remainders mod 16. A single data packet after the TCP handshake is sufficient to trigger the downstream active-probing pipeline.
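The two first-packet features lend themselves to a heuristic sketch. The thresholds follow the finding; the specific mod-16 remainder set reported in the paper is omitted here:

```python
import math
from collections import Counter

def byte_entropy(data):
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flags_for_probing(first_payload):
    # Sketch of the GFW's passive pre-filter: high per-byte entropy plus
    # a length in the suspicious 160-700 byte window is enough to hand
    # the connection to the downstream active-probing pipeline.
    n = len(first_payload)
    return byte_entropy(first_payload) > 7.0 and 160 <= n <= 700
```

Encrypted Shadowsocks payloads sit near 8 bits/byte, while plaintext protocols rarely exceed ~5, which is why a single data packet suffices as a trigger.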
-
The GFW's active probers originate from thousands of distinct IP addresses, but a network-level side-channel (shared IP ID counter sequences) reveals they are controlled by a small number of centralized structures. Probe delay from legitimate connection to first active probe can be as short as 0.28 seconds, ruling out any reactive defense that relies on out-of-band blocking before probes arrive.
-
Once passive analysis flags a connection, the GFW sends seven distinct active probe types in staged sequence: five replay-based (R1–R5, where R1 is an identical replay and R2–R5 alter specific byte offsets to attack stream vs. AEAD cipher variants) and two non-replay random-length probes (NR1, NR2). The system operates in stages: R3/R4/R5 probes are withheld until the server responds to R1/R2, meaning a server with replay protection (like Shadowsocks-libev ≥ v3.3.1) never receives stage-2 probes, while one without (original OutlineVPN) escalates to full probing.
-
The GFW's DNS injection infrastructure comprises three distinct packet injectors, fingerprinted by combinations of IP-DF bit, IP-TTL behavior, DNS-AA flag, and DNS-TTL: Injector 1 (IP DF=0, incrementing IP TTL, DNS AA=1, DNS TTL=60) filters 88 domains including most Google properties; Injector 2 (IP DF=1, randomized IP TTL, DNS AA=0) handles ~24,729 domains; Injector 3 (IP DF=0, IP ID=0, fixed IP TTL, DNS AA=0) covers ~22,948 domains as a subset of Injector 2's domains. Over a 9-month study (Sept 2019–May 2020) sending 2.8 billion queries, 119.6 million forged responses were observed.
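The fingerprint table reduces to a simple decision rule, since the IP-DF bit and DNS-AA flag alone separate the three injectors; the TTL and IP-ID behaviors corroborate rather than discriminate. A sketch with illustrative field names:

```python
def classify_injector(ip_df, dns_aa):
    # Decision rules from the three fingerprints above:
    #   Injector 1: DF=0, AA=1 (also: incrementing IP TTL, DNS TTL=60)
    #   Injector 2: DF=1, AA=0 (also: randomized IP TTL)
    #   Injector 3: DF=0, AA=0 (also: IP ID=0, fixed IP TTL)
    if ip_df == 0 and dns_aa == 1:
        return 1
    if ip_df == 1 and dns_aa == 0:
        return 2
    if ip_df == 0 and dns_aa == 0:
        return 3
    return None  # no known injector matches
```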
-
Injector 3 mirrors the probe packet's IP TTL in its injected reply rather than using a fixed TTL. This defeats TTL-limited localization probes: the injected reply only reaches the prober when the probe's initial TTL equals 2n−1 (where n is the hop distance to the injector); at lower TTLs the mirrored TTL is too small for the reply to return. All three injectors appear co-located (inter-probe delays within 0.2 ms of each other), confirmed from 7 vantage points across 5 continents, and the behavior is consistent across 62% of all 36K tested Chinese IP prefixes.
-
Protozoa's encoded media tunneling embeds covert IP packets directly into VP8-encoded frame bitstream partitions (EFBP) after lossy compression, rather than into raw pixel data. Because SRTP uses a stream cipher that preserves plaintext size, overwriting EFBP bits leaves encrypted packet sizes identical to legitimate sessions, and the covert channel achieves 98.8% utilization of available frame space at an average throughput of 1422 Kbps—a 3× improvement over Facet and roughly three orders of magnitude over DeltaShaper's 7 Kbps maximum.
-
Protozoa's encoded media tunneling achieves an AUC of 0.59 against a state-of-the-art ML traffic classifier using packet-size and inter-arrival-time features—near the 0.5 random-guessing baseline—compared to >99% detection rates for prior tools such as Facet and DeltaShaper. To block 80% of Protozoa flows (TPR=0.8), a censor would erroneously flag approximately 60% of legitimate WebRTC flows (FPR=0.6). This resistance holds across trace durations from 10–60 seconds (AUC range 0.56–0.61) and across RTT, bandwidth, and packet-loss variations.
-
Protozoa's covert channel throughput degrades gracefully under bandwidth constraints but remains usable for common applications: average throughput is 975 Kbps at 1500 Kbps cap, 460 Kbps at 750 Kbps, and 91 Kbps at 250 Kbps. Under 2% and 5% packet loss the channel sustains 1130 Kbps and 360 Kbps, respectively, while 10% loss (near WebRTC tear-down threshold) still yields 160 Kbps without breaking the connection. Traffic analysis resistance is preserved across all these conditions, with AUC peaking at 0.65.
-
Protozoa successfully bypassed censorship in China, Russia, and India using whereby.com as a carrier. Despite several WebRTC services being blocked in China (appr.tc, discordapp.com, hangouts.google.com, messenger.com), at least seven alternatives remained reachable (aws.amazon.com/chime, coderpad.io, gotomeeting.com, slack.com, whereby.com, and others), ensuring carrier availability. Covert sessions over the alternative services coderpad.io and appr.tc achieved AUCs of 0.58 and 0.60, respectively, and average throughput of 1388–1420 Kbps.
-
Protozoa uses the economic and social indispensability of popular WebRTC conferencing services as a censorship deterrent: blocking all WebRTC traffic imposes prohibitive collateral damage on legitimate commerce and communication. This 'parasitism' strategy means the circumvention tool inherits the blocking immunity of the carrier without requiring any protocol mimicry at the network level. Protozoa requires only one reachable WebRTC service to function, and Table 3 confirms at least five services remained unblocked in China during testing.
-
When a censor controls the WebRTC signaling plane, it can mount MITM attacks against CRON's vanilla covert encoding because the encoding 'fully replaces the video payload with an apparently random covert data signal that results in a scrambled video image at the receiver's endpoint.' By replaying the captured video through a WebRTC gateway, the censor obtains direct visual evidence of payload manipulation.
-
CRON restricts multi-hop covert circuits (N≥1 relays) to delay-tolerant traffic only, because establishing multiple simultaneous WebRTC video calls is 'highly atypical in normal user profiles' and would trigger S1 behavioral anomaly detection. Real-time interactive tunneling is limited to direct circuits (N=0) within pre-existing calls, and active mode introduces only bounded variability in call times and frequency to stay within plausible user-profile ranges.
-
Protozoa creates a ≈1.4 Mbps covert channel over WebRTC by replacing encoded video frames with covert payload while preserving SRTP packet size and timing properties, making Protozoa flows 'hardly distinguishable from unmodified WebRTC streams using existing ML-based traffic classifiers.' Since all unencrypted packet fields remain intact, DPI cannot detect the tunnel either.
-
CRON's stego circuits defend against adversary-controlled WebRTC services by embedding covert data into encoded video frames at the compressed data domain using video steganography algorithms, maintaining the visual characteristics of the video feed rather than replacing it entirely. Endpoint authentication uses public-key encryption with keys exchanged out-of-band, preventing MITM key substitution through the censor-controlled signaling server.
-
Even when individual WebRTC flows pass traffic analysis, a censor can identify CRON users via three long-term statistical attack types: S1 (simultaneous video calls, atypical for normal users), S2 (sudden connections to previously unknown parties), and S3 (calls at anomalous times, frequencies, or durations). Relay nodes in multi-hop circuits are particularly exposed via S1 because conducting multiple simultaneous video calls is highly atypical in normal user profiles.
-
Slitheen++ achieves a median covert site loading time of 7 seconds in the naive setup, rising to 8 seconds with crawling and 13 seconds with a 1-second thinking-time (TT) delay. The Baseline-to-Covert factor ranges from 3.7–8.5 without TT and from 7.6–21.4 when crawling and 1-second TT are combined, reflecting the fundamental tradeoff between stealth overt behavior and covert throughput.
-
Slitheen++ embeds covert upstream data by applying HTTP/2-like header field compression to overt HTTP requests, using the recovered space for covert data placement. This ensures that neither timing information nor observable changes to packet sizes or delays can reveal decoy routing use to an omniscient passive censor. GZIP compression was explicitly avoided to prevent the CRIME side-channel attack.
-
Slitheen++'s relay station introduces minimal overt forwarding overhead: 95% of setups saw downstream per-packet delays between 1 ms and 4 ms, with on average only 0.0029% of downstream packets affected (peak 0.006% in any single scenario). Upstream delays were similarly low except for a single outlier near 60 ms caused by thread contention during crawling-induced relay load spikes.
-
The original Slitheen appended covert upstream data directly to overt HTTP requests, significantly changing upstream traffic patterns and enabling censor identification even when traffic is encrypted. This upstream traffic analysis vulnerability—absent from Slitheen's original threat model—is the primary weakness Slitheen++ addresses.
-
A censor can identify Slitheen relay connections by observing that all packets in a suspected overt flow arrive in strict order while flows from the same source naturally exhibit out-of-order delivery: the relay station's traffic-server component reorders TCP segments to enable TLS record decryption, creating a statistically anomalous per-connection ordering pattern. The reordering buffer also increases per-packet round-trip times, providing a secondary timing signal.
-
All 25 applicable client-side Geneva strategies failed when mechanically translated to server-side analogs against China's GFW, even when the only structural difference was which endpoint sent the insertion packet. Experiments with the server placed inside China and client outside also failed, indicating the GFW tracks connection initiator identity and processes client versus server packets asymmetrically—meaning server-side circumvention requires a completely independent discovery approach.
-
China's GFW uses distinct, co-located censorship boxes—each with its own independent network stack implementation and bugs—for each application-layer protocol it censors. TCP-level strategies that exploit transport-layer bugs show dramatically different success rates per protocol: Strategy 1 (Simultaneous Open + Injected RST) achieves 89% for DNS but only 14% for HTTPS; Strategy 8 (TCP Window Reduction) achieves 100% for SMTP but only 2–3% for DNS, HTTP, and HTTPS. TTL-limited probes confirm all protocol boxes are co-located at the same network hop.
-
The paper identifies three distinct GFW resynchronization-state triggers with protocol-specific behavior: (1) a server payload on any non-SYN+ACK packet causes resync on the next SYN+ACK or client ACK-flagged packet for all protocols; (2) a server RST causes resync on the next client packet for all protocols except HTTPS; (3) a SYN+ACK with a corrupted acknowledgment number triggers resync only for FTP. Strategy 1's 50% per-attempt success rate for HTTP is confirmed to result from the 50% probability of the GFW entering the resynchronization state on an injected RST, consistent with Wang et al. [36].
-
The paper presents 11 purely server-side censorship evasion strategies requiring zero client-side software, successfully bypassing censorship in China, India, Iran, and Kazakhstan across DNS-over-TCP, FTP, HTTP, HTTPS, and SMTP. All strategies manipulate only TCP handshake packets (primarily the SYN+ACK) and were verified against 17 versions of 6 client operating systems (Windows XP–Server 2018, MacOS, iOS, Android, Ubuntu, CentOS) with unmodified clients.
-
TCP Window Reduction (Strategy 8)—reducing the SYN+ACK TCP window to 10 bytes and stripping wscale options, forcing the client to segment its request—achieves 100% evasion success against HTTP in India and Kazakhstan, 100% against HTTP and HTTPS in Iran, and 100% against SMTP in China, because none of these censors can reassemble TCP segments. The strategy is compatible with all 17 tested client OS versions when implemented without SYN+ACK payloads, making it the most broadly deployable server-side strategy found.
-
Using Geneva's genetic algorithm trained against Iran's live protocol filter, four evasion strategies achieving 100% success were discovered in under two hours: (1) injecting a fingerprint-matching PSH/ACK with a corrupt checksum before the real data; (2) sending two FIN packets before the SYN; (3) sending nine non-data-carrying packets (any flags, any seq/ack) during the handshake to exhaust the filter's per-flow packet limit; (4) a server-side variant that sends nine corrupted SYN+ACKs, inducing nine client RSTs before the real ACK, enabling fully unmodified clients to benefit.
-
The protocol filter's HTTPS fingerprint requires only that the first 5 bytes match a TLS header (type 0x16, version 0x03 0x01–0x03, correct length field); all subsequent bytes of the Client Hello are unchecked. Any TLS-based circumvention tool naturally satisfies this fingerprint and will bypass the filter by default. Furthermore, any one of the three permitted fingerprints (DNS, HTTP, HTTPS) can be used on any of the three monitored ports to whitelist an entire flow.
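The 5-byte check can be sketched directly. Whether the length field must equal the actual remaining payload length is an assumption; the finding states only "correct length field":

```python
def passes_https_fingerprint(pkt):
    # Content type 0x16 (handshake), version 0x03 0x01-0x03, and a
    # length field consistent with the packet; every byte after the
    # fifth is unchecked, so any TLS ClientHello passes by default.
    if len(pkt) < 5:
        return False
    if pkt[0] != 0x16 or pkt[1] != 0x03 or not 0x01 <= pkt[2] <= 0x03:
        return False
    return int.from_bytes(pkt[3:5], "big") == len(pkt) - 5
```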
-
Testing the Alexa top-20,000 websites from within Iran, 3,595 IP addresses (17.9%) triggered the protocol filter at least 8 out of 10 times, and 3,499 (17.4%) were affected all 10 times. IP address provider is not correlated with filtering; instead, specific IP prefixes are targeted—for Cloudflare, only two prefixes (104.18.0.0/16 and 104.31.82.0/24) were fully affected while all others were unaffected.
-
Iran's protocol filter monitors only the first two data-carrying packets of a TCP connection on ports 53, 80, and 443, permitting only DNS, HTTP, and HTTPS. Once tripped, it drops all subsequent client-side packets for 60 seconds, with the timer resetting on each TCP retransmit. The filter is unidirectional (client-inside-Iran only), cannot reassemble TCP segments, and does not verify checksums.
-
Existing segmentation strategies effective against Iran's standard HTTP DPI can be counterproductive when the protocol filter is also active: if the first segment is fewer than 8 bytes, it fails the HTTP fingerprint check and trips the filter. However, segmenting such that the first segment is a valid HTTP fingerprint (≥8 bytes, well-formed verb + space) while splitting the Host: header into the second segment defeats both the protocol filter and the standard DPI censor simultaneously.
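The dual-evasion split can be sketched as follows. This only computes the segment boundary; actually forcing the two TCP segments onto the wire (e.g., separate send() calls with Nagle disabled) is left out:

```python
def split_request(request):
    # First segment: a valid HTTP fingerprint on its own (>= 8 bytes,
    # well-formed verb + space) so the protocol filter whitelists the
    # flow. The Host: header falls entirely in the second segment, so
    # the stateless keyword DPI never sees it in a single packet.
    cut = request.index(b"Host:")
    first, second = request[:cut], request[cut:]
    assert len(first) >= 8 and first.startswith(b"GET ")
    return first, second
```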
-
The dnstt DNS-over-HTTPS tunnel, built on a KCP Turbo Tunnel session layer, achieved download speeds of 130 KB/s using Google and Cloudflare DoH resolvers and 30 KB/s using Quad9, compared to iodine's maximum of 2 KB/s over the same operators' UDP DNS resolvers — a 15–65× improvement. DNS-over-HTTPS hides message contents from the censor, removing the two main classical DNS tunnel detection vectors: unusual DNS message structure and plaintext tunnel domain names in queries.
-
In Iran in 2013, censors dropped or throttled certain TCP connections after 60 seconds, severely disrupting circumvention protocols like obfs4 that fuse session state with a single long-lived TCP connection, while short-lived HTTP connections were largely unaffected. obfs4 has no session concept independent of the underlying TCP connection; when that connection is terminated, all end-to-end state is lost and a new session must restart from scratch.
-
Simultaneous upload and download of a 10 MB file took 10.6 s over TCP-encapsulated QUIC, 23.3 s over traditional meek, and 34.9 s over meek with encapsulated QUIC (Table 1), showing that naively adding a QUIC session layer to meek degraded throughput by approximately 50% relative to unmodified meek. Performance was sensitive to HTTP body size limits and request-thread count, but the root cause remained uncertain.
-
Geddes et al. demonstrated that acknowledgement packets in covert-channel circumvention systems can be identified through timing characteristics and selectively interfered with to disrupt the tunnel [§4.3, CCS 2013]. A Turbo Tunnel session layer adds fixed-overhead headers and periodic ACK/keepalive traffic that may produce distinctive timing patterns absent in legitimate flows, potentially increasing susceptibility to traffic-shape classifiers.
-
Turbo Tunnel inserts an interior session/reliability protocol (KCP or QUIC) between the obfuscation layer and user streams, decoupling end-to-end session state from any single transport connection. A session survives TCP termination, proxy rotation, or unreliable carriers by retransmitting lost packets over a new connection bearing the same session identifier. The pattern was implemented in obfs4, meek, and Snowflake, with Turbo Tunnel–enabled Snowflake shipping in Tor Browser alpha releases 9.5a13 (desktop) and 10.0a1 (Android).
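The core idea can be sketched without the real KCP/QUIC machinery: user data travels in numbered packets tagged with a session ID, so a receiver can splice together packets that arrive over any number of short-lived carrier connections. All class and field names below are illustrative, not from the Turbo Tunnel implementations.

```python
import uuid

class Session:
    def __init__(self):
        self.sid = uuid.uuid4().bytes[:8]   # survives carrier-connection loss
        self.seq = 0
        self.unacked = {}                   # seq -> payload, kept for retransmit

    def send(self, payload: bytes) -> bytes:
        pkt = self.sid + self.seq.to_bytes(4, "big") + payload
        self.unacked[self.seq] = payload
        self.seq += 1
        return pkt

class Receiver:
    def __init__(self):
        self.buf = {}
        self.next_seq = 0
        self.delivered = b""

    def on_packet(self, pkt: bytes):
        sid = pkt[:8]                       # identifies the session (validation omitted)
        seq = int.from_bytes(pkt[8:12], "big")
        self.buf[seq] = pkt[12:]
        while self.next_seq in self.buf:    # deliver strictly in order
            self.delivered += self.buf.pop(self.next_seq)
            self.next_seq += 1
```

Because packets are self-describing, p0 can travel over one TCP connection and p1 over its replacement after the first is torn down; the receiver reassembles the stream either way, which is exactly the property obfs4 lacks on its own.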
-
Manually-crafted decision trees combining probe non-response, FIN/RST close type, and connection timing achieved a false-positive rate below 0.001% for obfs4, Lampshade, Shadowsocks, and OSSH across 1.9 million endpoints; for OSSH specifically, 7 of 8 flagged Tap endpoints were confirmed genuine Psiphon proxies by developers. MTProto was the sole exception, producing 3,144 false positives (0.56% of Tap, 0.02% of ZMap) because its infinite-timeout behavior is shared by a non-negligible population of common hosts.
-
Endpoints that never close a connection and never respond to any probe ('infinite timeout') represent 0.7% of the ISP Tap dataset and 42% of the ZMap active-scan dataset; this is the single most common probe-indifferent behavior in both datasets. MTProto already exploits this: its strategy of keeping failed connections open indefinitely produces the highest false-positive rate (0.56% of Tap) among all tested protocols, making it effectively uncountable at acceptable collateral-damage thresholds.
-
The authors' ISP Tap dataset yielded 129,000 unique response sets across 433,286 endpoints while ZMap's 1.5 million endpoints produced only 31,000 unique sets — with over 42% of ZMap endpoints behaving identically (infinite timeout, no data) due to firewall chaff. This vantage-point bias means the effective false-positive rate a censor faces when targeting ISP-observed traffic is ~28× lower than against random scans (0.02% vs 0.56% for MTProto), making ISP-scale active probing far more actionable than Internet-wide scanning alone.
-
Across 433,286 endpoints from a 10 Gbps university ISP passive tap, 94% responded with data to at least one of 8 protocol probes (TLS, HTTP, STUN, S7, Modbus, DNS-AXFR, random bytes, empty); all five tested probe-resistant proxies (obfs4, Lampshade, Shadowsocks, MTProto, OSSH) never responded with data to any probe. This single filter reduces the suspect set from 433,286 to ~26,000 endpoints and rules out 94% of ISP-observed hosts as non-proxies with zero false negatives against the tested protocols.
-
Each probe-resistant proxy exposes a unique TCP close-threshold fingerprint: obfs4 closes with FIN at 8,192–16,384 bytes and RST at the next multiple of 1,448 bytes beyond that; Lampshade at FIN 256 bytes / RST 257 bytes; Shadowsocks-python and -outline both at FIN 50 bytes (outline also RST at 51); OSSH at FIN 24 bytes / RST 25 bytes. A binary-search tool using random probes can discover these thresholds remotely without knowing any shared secret, providing a protocol-specific fingerprint independent of payload content.
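The threshold-discovery tool reduces to a standard binary search over probe sizes. The sketch below replaces the network round trip with a callback (`close_after`, a name invented here) that reports whether sending n random bytes triggered a close; against a live endpoint each call would be one probe connection.

```python
def find_close_threshold(close_after, lo=1, hi=1 << 20):
    # Smallest byte count n for which the server closes the connection.
    # Each predicate evaluation stands in for one probe connection
    # carrying n random bytes.
    while lo < hi:
        mid = (lo + hi) // 2
        if close_after(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo

# Simulated Lampshade-like endpoint that FIN-closes at 256 bytes:
threshold = find_close_threshold(lambda n: n >= 256)
```

In roughly log2(2^20) = 20 probes this recovers a protocol-specific fingerprint with no knowledge of any shared secret.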
-
The GFW was observed detecting Shadowsocks servers by sending follow-up active probes after an initial Shadowsocks-sized client message, including permuted replays of the client's message and random-data probes of various sizes up to and exceeding Shadowsocks' unique 50-byte data limit. This defeats shadowsocks-libev's replay cache because the GFW permutes the replayed bytes rather than resending them verbatim.
-
Censys scans of IPv4 HTTPS servers in June 2020 found that over 21% responded to a GET / with 400 Bad Request, 11.19% with 403 Forbidden, 8.62% with 404 Not Found, and 2.91% with 401 Unauthorized. These common error-response distributions provide a statistical baseline that HTTPT servers can match to avoid standing out to active probers.
-
HTTPT prototype performance is comparable to Shadowsocks: median Time-to-First-Byte was 612 ms for Shadowsocks, 844 ms for HTTPT (TLS 1.3, +1 RTT), and 1085 ms for HTTPT (TLS 1.2, +2 RTTs). Bandwidth overhead was approximately 2%: median time to fetch a 100 MB file was 24.65 s for Shadowsocks vs. 25.15 s for HTTPT.
-
HTTPT achieves replay-attack immunity by tunneling over TLS, which incorporates bidirectional nonces (client and server randoms) into key agreement so each connection uses unique cryptographic keys. Censors that replay a legitimate client's observed initial bytes are therefore unable to trigger a proxy response, unlike approaches that rely only on application-layer replay caches.
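The shape of this argument can be shown with a toy key schedule. Real TLS derives keys via HKDF over the full handshake transcript; the hash below is only a stand-in to show why a replayed client nonce cannot reproduce the original connection's keys when the server contributes a fresh nonce.

```python
import hashlib
import os

def session_key(client_random: bytes, server_random: bytes, secret: bytes) -> bytes:
    # Both sides' nonces feed the key derivation (toy stand-in for
    # the TLS key schedule).
    return hashlib.sha256(secret + client_random + server_random).digest()

secret = b"example-shared-secret"
client_random = os.urandom(32)
k_original = session_key(client_random, os.urandom(32), secret)
# A censor replays the captured client bytes; the server picks a new nonce:
k_replayed = session_key(client_random, os.urandom(32), secret)
```

Since k_replayed differs from k_original, the replayed bytes decrypt to garbage and the proxy behaves like any server receiving a failed handshake.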
-
Frolov et al. (2020) found that over 94% of Internet servers respond with data to at least one popular protocol probe, making probe-resistant proxies that remain entirely silent statistically anomalous. Censors can further fingerprint silent proxies by their unique timeout or data-limit behaviors before connection close (e.g., Lampshade closes immediately after 256 bytes of unrecognized data, or waits exactly 90 seconds before timing out).
-
Splitting the TLS ClientHello so that the first TCP segment is ≤4 bytes (less than the 5-byte TLS record header) defeats the GFW's ESNI detection with near 100% reliability. Geneva expressed this as `[TCP:flags:PA]-fragment{tcp:4:True}-|` (client-side) or a server-side window-size reduction to 4 bytes that forces the client to segment. This suggests the GFW's ESNI classifier cannot reassemble TCP segments across all protocol contexts.
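Why the 4-byte split works can be modeled with a toy classifier. The GFW's internals are unknown; this sketch merely assumes, consistent with the observation above, that the classifier inspects the first TCP segment in isolation and needs the full 5-byte record header before parsing for the `0xffce` extension.

```python
ESNI_EXT_ID = bytes.fromhex("ffce")

def classifier_blocks(first_segment: bytes) -> bool:
    # Toy non-reassembling DPI: without a complete 5-byte TLS record
    # header in the first segment, it cannot parse and issues no verdict.
    if len(first_segment) < 5 or first_segment[0] != 0x16:
        return False
    return ESNI_EXT_ID in first_segment

# A ClientHello carrying the ESNI extension:
hello = (bytes([0x16, 0x03, 0x01, 0x00, 0x20])
         + b"\x01" * 10 + ESNI_EXT_ID + b"\x00" * 20)
```

Sent whole, the hello is blocked; fragmented so the first segment is 4 bytes, neither segment alone triggers the classifier.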
-
Geneva discovered 6 client-side and 4 server-side TCP-layer evasion strategies against GFW ESNI blocking within 48 hours of training, all achieving near 100% reliability. Effective strategies include desynchronization attacks (triple SYN with corrupt sequence number, FIN+SYN flag confusion, TCB turnaround via pre-handshake SYN+ACK) and TCB teardown via corrupted-checksum RST injection. All strategies operate at the TCP layer and require no changes to the application sending ESNI.
-
The GFW's ESNI detector is keyed specifically to extension value `0xffce` (ESNI draft-01). Replacing `0xffce` with ECH draft values `0xff02`, `0xff03`, or `0xff04` produced no blocking as of August 2020. This indicates the GFW deployed a detector matching on a specific extension ID rather than detecting encrypted SNI generically.
-
The GFW blocks ESNI by dropping client-to-server packets whenever a TLS ClientHello containing the `0xffce` encrypted_server_name extension is sent over a completed TCP handshake. Unlike GFW censorship of SNI and HTTP (which uses RST injection to both endpoints), ESNI censorship uses unidirectional packet dropping with no injected packets. The blocking applies on all ports from 1 to 65535.
-
After a GFW ESNI block is triggered, residual censorship persists for 120–180 seconds (varying by vantage point), blocking all traffic on the same (srcIP, dstIP, dstPort) 3-tuple. Additional ESNI handshakes sent during the residual window do not reset the timer, and it takes at least 1 second for the GFW to enable blocking rules after the triggering packet.
-
MIMIQ requires modifications only to a single trusted network (an ISP or enterprise AS): an address allocation server and several critical edge switches. Remote QUIC servers and the wider Internet require no changes. The authors argue ISPs have financial incentives to deploy MIMIQ as a privacy-enhancing service, and that QUIC's rapid adoption (600K+ QUIC-enabled domains, 1.6M QUIC-capable IPs as of 2020) means server-side support is increasingly a given.
-
At a round-trip time of 50 ms, MIMIQ incurs only a 10% throughput drop when migrating every 25 packets (frequency = 4 per 100 packets). Per-migration latency ranges from 7–64 ms at 10 ms RTT and 43–99 ms at 50 ms RTT as migration frequency scales from 0 to 50 migrations per 100 packets.
-
MIMIQ leverages QUIC's connection migration to change a client's IP address mid-connection without disrupting ongoing transfers. QUIC's specification requires that endpoints never reuse connection IDs during migration and that migration tokens are encrypted; this makes migration events indistinguishable from a second distinct client initiating a new connection from a fresh IP address.
-
Against censors that detect blacklisted application protocols by examining only the first 30 packets of a flow (e.g., the technique in Wang et al. 2015), a single IP migration after 30 packets have been exchanged is sufficient to defeat detection while incurring minimal performance overhead—the client continues the connection normally on the new address.
-
Migrating the client IP address every 25–100 packets reduces state-of-the-art website fingerprinting attack accuracy to below 10% in the closed-world setting, outperforming advanced dedicated defenses such as HyWF multipathing. The mechanism works because most fingerprinting classifiers rely on as many packets per flow as possible, and flow splitting degrades feature quality.
-
MoneyMorph's threat model exploits the economic cost of blocking entire cryptocurrency networks: the censor is left with a binary choice — ban the full blockchain (incurring economic harm to the censored region) or allow all transactions including covert bootstrapping traffic. This assumption is grounded in the censor's observed tolerance of Bitcoin despite known circumvention use.
-
A prototype Python implementation of MoneyMorph completes each cryptographic operation in well under a second on a commodity Intel Core i7 (2.2 GHz, 16 GB RAM): fresh key-pair generation takes approximately 120 ms, shared-key derivation approximately 41 ms, and symmetric encryption/decryption under 1 ms. The dominant latency in practice is blockchain confirmation time, not computation.
-
MoneyMorph provides provable chosen-covertext attack security (SBS-CCA) for proxy bootstrapping, unlike prior email or social-media rendezvous approaches which offer only heuristic security. Under SBS-CCA, the censor's advantage in distinguishing a covertext-bearing transaction from a random transaction in the same space is negligible.
-
Sibling transaction analysis across 45 million Bitcoin transactions (blocks 580,000–600,000, June–Oct 2019) shows 32% use the Pay-to-PubKey-Hash + Pay-to-Script-Hash combination MoneyMorph employs. In Monero, the two-input two-output structure matches 42% of all transactions. In Zcash, only 11–19% of transactions are shielded, giving it the lowest sibling rate despite the highest bandwidth.
-
Zcash shielded transactions provide the highest per-transaction bandwidth of any tested cryptocurrency: 1148 bytes for the challenge covertext and 1168 bytes for the response, at a transaction fee of less than 0.01 USD. Bitcoin yields only 20/40 bytes at $0.34 fee and Ethereum only 20 bytes at $0.18 fee.
-
Survey data indicates 31% of Chinese Internet users use VPN services compared to Tor's approximately 2 million daily users globally, and centralized non-anonymous systems like Lantern and Psiphon dominate adoption over anonymity-focused tools. The paper argues this demonstrates that the majority of censored users prioritize blocking resistance over anonymity, supporting a separation-of-properties design principle.
-
The majority of censored websites are blocked in only one or two countries, with political and news content showing the strongest geographic specificity. Figure 3 shows that of domains blocked in China, Iran, and Turkey, only 29 are blocked in both China and Turkey, while 27,852 are China-only and 1,564 are Iran-only, demonstrating that cross-region client-to-client proxying is broadly applicable.
-
MassBrowser proxies operate on NATed IP addresses shared with other users and services, meaning blocking them imposes collateral damage on unrelated parties. The proxy IP pool scales linearly with user count via client-to-client proxying, and IPs rotate as volunteers move between networks, making enumeration-and-block strategies progressively more costly for censors.
-
In a traffic sample from a major non-anonymous circumvention tool (3.56 TB total, Feb 21, 2008), 48% of all proxied traffic belonged to websites that were not censored in Iran. Integrating CacheBrowsing to fetch CDN-hosted censored content directly further saves 41% of Buddy bandwidth for Alexa top-1000 websites.
-
MassBrowser estimates operational cost at $0.0001 per active client per month at large scale; the domain-fronted Operator alone costs ~$0.001 per active client per month because signaling traffic volume is small. Domain fronting used for bulk data proxying is characterized as prohibitively expensive and not viable at scale.
-
ICLab's semi-automated block page discovery — combining HTML tag-frequency vector clustering with locality-sensitive hashing (LSH) of page text — identified 48 previously unknown block page signatures from 13 countries: 15 via structural clustering across 5 countries and 33 via textual similarity clustering across 8 countries. The system seeds from 308 manually verified regular expressions and uses a URL-to-country ratio sort (largest ratio discovered: 286) to prioritize candidates for manual review, eliminating reliance on brittle hand-maintained regex lists alone.
-
Between January 2017 and September 2018, ICLab conducted 53,906,532 measurements of 45,565 URLs across 62 countries and 234 ASes, detecting blocking of 3,602 unique URLs in 60 countries via DNS manipulation, TCP packet injection, and block page delivery. Iran blocked 20–30% of Alexa top-500 URLs — more than any other monitored country — while Saudi Arabia consistently blocked roughly 10%. The global trend in detected censorship shows a steady decrease, which the authors attribute to rising adoption of TLS and circumvention tools.
-
ICLab's longitudinal monitoring detected censorship shifts coinciding with political events weeks before press coverage: Turkey's filtering rate rose from roughly 3% to 5% in late April 2017 — with blocked content shifting from pornography to news and political sites — ahead of a June 2017 constitutional referendum. India's censorship dropped from roughly 2% to 0.8% following a net neutrality announcement in late 2017, then partially recovered to roughly 1.5% after mid-2018 regulations clarified that illegal-content filtering would continue. Within the same country, different blocking techniques were applied to different content categories simultaneously (e.g., Turkey used DNS manipulation for illegal/streaming URLs but block pages for pornography and news).
-
Of 19,493,925 TCP packet injection events ICLab detected, only 0.7% (143,225) could be definitively attributed to censorship after multi-heuristic filtering; a further 58% (15,589,882) were RST-or-ICMP-unreachable events classified only as 'probable censorship' because ordinary network failure could not be excluded. Block pages appeared in just 3.4% of definitively-censored injections, meaning the vast majority of censor-side TCP disruption is covert. DNS manipulation detection achieved a false positive rate of approximately 10⁻⁴ using a threshold of θ=11 autonomous systems, cross-checked against block page observations.
-
ICLab's commercial VPN vantage points reside in data-center ('content') ASes for 41% of monitored networks, which may experience less aggressive censorship than residential ISPs, making VPN-based measurements a systematic lower bound on blocking rates faced by ordinary users. In countries where both VPN and volunteer-operated device (VOD) vantages coexist, identical block pages were observed from both AS types, indicating similar overt blocking policies, but covert IP-based or RST-injection blocking may still differ by AS class.
-
Protocol Proxy uses 'protected static protocols' — UDP-based protocols whose blocking causes severe collateral damage (e.g., Synchrophasor power-grid traffic, NTP) — as cover channels. Because any detection rule that fires on Protocol Proxy traffic also fires on legitimate PMU traffic, censors face a forced trade-off between blocking circumvention and disrupting critical infrastructure.
-
A deterministic Hidden Markov Model trained on 770,000+ real Synchrophasor samples produces interpacket timing that is statistically indistinguishable from the host protocol: the two-sample Kolmogorov–Smirnov test yields p = 0.21 (threshold 0.05, fail to reject null), and χ² homogeneity p-values for all three timing states are 0.82, 0.37, and 0.15 respectively.
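The KS test in question compares the empirical CDFs of real and synthetic interpacket timings. A minimal pure-Python version of the two-sample KS statistic is below; computing the p-value additionally requires the Kolmogorov distribution (or a library such as scipy), which this sketch omits.

```python
import bisect

def ks_statistic(a, b):
    # Maximum vertical distance between the empirical CDFs of the two
    # samples; small values mean the timing distributions are close.
    a, b = sorted(a), sorted(b)
    d = 0.0
    for x in sorted(set(a) | set(b)):
        fa = bisect.bisect_right(a, x) / len(a)
        fb = bisect.bisect_right(b, x) / len(b)
        d = max(d, abs(fa - fb))
    return d
```

Applied to interpacket delays of real PMU traffic versus HMM-generated traffic, a statistic small enough to yield p = 0.21 means the censor cannot reject the hypothesis that the two came from the same distribution.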
-
Observation-based FTE constructs each packet field exclusively from values previously observed in real host-protocol traffic, guaranteeing syntactic equivalence. Wireshark correctly decodes Protocol Proxy-generated packets as valid Synchrophasor frames with correct checksums, and the Phasor Data Concentrator hardware accepts them; any rule blocking Protocol Proxy traffic must therefore also block legitimate PMU packets.
-
The Protocol Proxy achieves an observed goodput of only 182 bps against a 54 Mbps baseline link (>99.99% reduction), well below the theoretical ceiling of 15,477 bps; the gap is attributed to TCP retransmission overhead and the TCP header transiting the proxy. Tor baseline goodput measured at 7.31 Mbps by comparison.
-
Static protocols — UDP-based with no application-layer handshake — are immune to stateful protocol analysis that defeated SkypeMorph: without a handshake state machine, a censor cannot flag discrepancies between observed and expected protocol states. This eliminates the detection vector that Houmansadr et al. (2013) exploited to identify SkypeMorph via handshake mismatch.
-
Censored Planet collected 21.8 billion measurements over 20 months from more than 95,000 vantage points in 221 countries, covering 66 more countries than OONI and 173 more than ICLab, with a median of 8 ASes per country versus OONI's 4 and ICLab's 1. In March 2020, it achieved coverage of 9,014 ASes compared to OONI's 1,915. Censored Planet and OONI together covered all 21 countries rated 'Not Free' by Freedom House, while ICLab reached only 4.
-
Of 21.8 billion raw measurements, approximately 7% (1.5 billion) were initially flagged as blocked; iterative HTML clustering and DBSCAN image clustering then removed ~500 million false positives, leaving ~1 billion confirmed blocked measurements. The clustering process formed 457 new response clusters, of which 308 were confirmed blockpages and 149 were false positives, with Cloudflare bot-checks being a notable source of false positives in HTTPS measurements.
-
Mann-Kendall trend analysis at 99% significance on 20 months of data found increasing censorship activity in more than 100 countries, driven primarily by DNS and HTTPS blocking methods, and identified 11 website categories facing rising censorship including human rights content, news media, and provocative attire. Countries such as Norway (ranked #1 in press freedom) showed aggressive DNS blocking across 25 ASes targeting more than 50 domains in at least 6 categories including hrw.org.
-
Censored Planet achieves 93% /24 vantage-point continuity and 99.01% AS continuity between weekly scans, versus ICLab's 64% and OONI's 36% AS continuity. Applying bitmap-based anomaly detection on the resulting longitudinal time series detected 15 prominent censorship events over 20 months, two-thirds of which had not been previously reported, while OONI data showed no corresponding increase for most newly discovered events due to sparse volunteer measurements.
-
During the Sri Lanka social-media block following the April 21, 2019 bombings, Censored Planet measured HTTP(S) censorship jumping from 0.1% to 2% in one week and discovered 22 blocked domains versus the 7 reported by NetBlocks and AccessNow; 5 of those extra domains were only present in the Alexa top-sites list, not the Citizen Lab Global Test List. Blocking remained elevated through May 12, 2019, contradicting public reports that the ban was lifted by May 1st.
-
Following publication of the researchers' findings, Mozilla Firefox and Google Chrome shipped changes on August 21, 2019 that completely blocked the Qaznet Trust Network root certificate even if manually installed by users, preventing future re-activation of the interception system without deployment of a new root CA. The paper advocates that browsers display non-intrusive visual indicators whenever a custom root CA is in use, and calls for content providers to detect and share data on large-scale interception via TLS fingerprint monitoring.
-
Of the Alexa Top 10,000 domains tested, only 37 triggered interception; 20 were Google services, 7 were Facebook-affiliated, and others included Mail.Ru properties (vk.com, ok.ru) and Twitter — a social media and communication focus consistent with a surveillance rather than security motive. The interception system was intermittently active for 21 days (July 17 – August 7, 2019), including a four-day shutdown for tuning, with a median of 340 TLS hosts observing interception when active.
-
Kazakhstan's 2019 HTTPS interception affected 7.0% of 6,736 measured TLS hosts when probed from North America and 24% when probed from inside the country; all affected paths traversed AS9198 (Kazakhtelecom), with 95% of injections occurring at two specific IP addresses (92.47.151.210 or 92.47.150.198), indicating a highly centralized interception infrastructure.
-
The Kazakhstan interception system connected back to the origin TLS server before issuing a fake certificate, and in doing so exposed a unique TLS fingerprint (hash f09427b5aaf9304b): it used TLS record-layer version 1.0, ClientHello version 1.2, and offered only 13 cipher suites — a fingerprint virtually unseen in normal HTTPS traffic — allowing content providers to detect when a connection was being intercepted.
-
Kazakhstan's interception system triggered solely on the TLS SNI header: a connection was intercepted only if the SNI contained one of 37 targeted domains AND the path passed through specific AS9198 hops; the server's actual certificate needed to be browser-trusted but did not need to match the SNI domain, and interception could be triggered bidirectionally — from outside the country connecting to TLS hosts inside Kazakhstan.
-
Anonymization and circumvention tools (VPNs, Tor, etc.) are among the three most commonly blocked content categories across all commercial filters surveyed, alongside pornography and gambling. This holds across diverse products including Fortinet, Cisco, and government-deployed firewalls in Iran, Saudi Arabia, and Bahrain.
-
FilterMap identified 90 blockpage clusters from 90 vendors and actors across 103 countries using 374 million measurements from ~45,000 vantage points against 18,736 sensitive domains; 87 of these signatures were previously unknown. Commercial filters were detected in 36 out of 48 countries rated 'Not Free' or 'Partly Free' by Freedom House, with Fortinet alone present in at least 60 countries.
-
In HTTP tests, more than 50% of filter responses that indicated censorship contained an injected HTML blockpage; the remainder used TCP RST injection or connection timeout. In HTTPS measurements, canonical template matching had a failure rate of only 1.9%, and 95% of Hyperquack measurements completed within 3.5 hours across ~45,000 vantage points.
-
The Great Firewall of China does not inject blockpages — it resets connections via TCP RST injection — making it invisible to blockpage-based detection systems. In contrast, the Iran firewall accounted for 97.1% of disruptions observed in Iranian vantage points, and the Bahrain and Saudi Arabia firewalls caused 71.2% and 80.2% of disruptions respectively, all using application-layer blockpage injection.
-
Russia operates the most fragmented ISP-level filtering infrastructure in the dataset: FilterMap detected 41 distinct ISPs deploying blockpage-injecting filters, and 38 out of 49 filter clusters identified by Quack were deployed in Russian ISPs. All 41 Russian blockpages explicitly cited Federal Law as the reason for blocking.
-
Of 44,797 CDN-served domains on the April 2019 Roskomnadzor blocklist, 99.6% (44,615) were hosted on Cloudflare—attributable to Cloudflare's free tier with minimal vetting enabling rapid mirror-domain creation by blocked operators; the blocklist also contained 1,769 responsive circumvention-related domains, confirming that circumvention infrastructure is an active and documented blocklist target.
-
Seven years of Roskomnadzor blocklist history (Nov 2012–April 2019) show the list grew to 132,798 unique domains and 324,695 unique IPs, with a dramatic spike in 2018 when Russia blocked Telegram by adding subnets covering approximately 16 million IP addresses—producing major collateral damage to co-hosted Google and Amazon services and illustrating that subnet-level blocking is the blunt instrument of last resort for CDN-hosted targets.
-
Data center VPSes predominantly experienced TCP connection timeouts and resets—with the highest-blocking VPS censoring 96.8% of tested domains—while residential ISPs were substantially more likely to inject explicit blockpages citing Roskomnadzor's registry, confirming that blocking mechanism varies significantly by network tier even when blocking rates are similar.
-
Despite Russia's decentralized ISP ecosystem, 9 of 14 residential probes observed more than 90% of 98,098 tested blocklist domains blocked, and all 14 probes observed at least 49% blocked—demonstrating that coordinated nationwide censorship without centralized choke-points is achievable through legal mandates and commodity equipment alone.
-
Quack (which probes censorship on port 7/echo servers) detected substantially less blocking than Satellite (DNS-based): approximately 50% of Quack vantage points observed no blocking and ~90% observed only minor blocking, whereas Satellite observed major interference at most vantage points; the authors attribute this gap to Russian ISPs applying filtering predominantly on ports 80 and 443, leaving non-standard ports largely unfiltered.
-
SiegeBreaker's session bootstrapping (from initial email to installed SP redirection rule) averaged 3–4 seconds across 100 trials, with the dominant delay attributed to email handling (SMTP connection, Selenium composition) rather than network latency; this setup cost is not included in the download-time benchmarks. The auxiliary ping-based switch-selection signal encodes 48 bits across three ICMP header fields (IP-ID, ping sequence number, ping identifier), requiring ~281 trillion spoofed ping packets per client–OD pair to brute-force.
-
SiegeBreaker explicitly acknowledges two unresolved attack vectors: (1) latency-based traffic analysis attacks (forced-asymmetry / RAD-style), which the system does not mitigate, and (2) website fingerprinting attacks against the proxied traffic, for which no defense is implemented. Additionally, the email-based control channel is vulnerable to a censor who can delay or block emails to the controller's address, disrupting rule installation before the client's SYN packet arrives.
-
Prior decoy routing deployments suffered severe throughput degradation: the TapDance ISP pilot reported average client throughput of only ~5 KB/s, making it unsuitable for most web content; other DR prototypes restricted evaluation to files under 1 MB in controlled lab settings, with some reporting over 30 seconds to load home pages under 1.5 MB in size.
-
All prior decoy routing systems (Cirripede, Telex, TapDance, Slitheen, Waterfall) require the DR to inspect every traversing flow — either all TCP SYN packets or all TLS flows — to identify DR requests, creating a privacy breach for non-DR users and a computational bottleneck. SiegeBreaker eliminates this by using an out-of-band email pre-registration (encrypted to the controller's 2048-bit RSA public key) that pins the controller's inspection rule to a single client-IP/OD-IP/ISN triple, so only authenticated potential DR flows are ever redirected.
-
SiegeBreaker achieves near-native TCP performance in Internet experiments: average download time for Alexa top-500 home pages via SB was 1.8 s versus 1.7 s for direct wget, across 500 concurrent client instances; bulk downloads of 1 GB files over a shared 1 Gbps link showed SB and native TCP sharing bandwidth almost equally, and throughput remained stable under 15 Gbps of cross-traffic or 50,000 parallel flows on the SDN switch.
-
A proposed HTTP censorship detection algorithm combining status-code comparison, response-length Z-score, HTML TF-vector cosine similarity, and redirect-hostname matching achieves F1 scores of 0.83 (censored) and 0.77 (uncensored), outperforming OONI (0.80 / 0.70), length-difference methods (0.70 / 0.66), and HTML-similarity methods (0.52 / 0.34) on a manually annotated set of 3,000 responses across six Indian ISPs.
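Two of the four signals, status-code comparison and HTML tag-frequency cosine similarity, can be sketched as follows. Function names and the 0.8 similarity threshold are illustrative placeholders, not the paper's; the full algorithm additionally uses a response-length Z-score and redirect-hostname matching.

```python
import math
import re
from collections import Counter

def tag_vector(html: str) -> Counter:
    # Frequency vector of opening HTML tag names.
    return Counter(re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", html))

def cosine(u: Counter, v: Counter) -> float:
    dot = sum(u[k] * v[k] for k in u)
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def looks_censored(control: dict, test: dict, sim_threshold: float = 0.8) -> bool:
    # Toy combination of two of the paper's four signals: a status-code
    # mismatch, or structural dissimilarity of the returned HTML
    # relative to an uncensored control fetch.
    if control["status"] != test["status"]:
        return True
    return cosine(tag_vector(control["html"]),
                  tag_vector(test["html"])) < sim_threshold
```

A blockpage typically shares almost no tag structure with the genuine page, so its cosine similarity against the control fetch falls well below any reasonable threshold even when the status code is spoofed to 200.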
-
All detected HTTP censorship events in BSNL and MTNL are attributable to infrastructure shared with or operated by Airtel and ACT, demonstrating that upstream ISP filtering creates collateral censorship visible to downstream networks. Isolated cross-ISP leakage was also observed: Vodafone's censorship notice appeared in 2 Jio tests, and Airtel's appeared in 2 Vodafone tests.
-
Indian ISPs use heterogeneous and overlapping censorship mechanisms with no single technique common across all providers: DNS tampering (ACT, Airtel, BSNL, MTNL), HTTP header filtering (all six ISPs), and SNI inspection (Jio only). Individual ISPs such as ACT simultaneously apply DNS-only blocking to 233 sites, HTTP-only to 1,873 sites, and both to 1,615 sites.
-
Across six ISPs covering 98.82% of Indian internet subscribers, only 1,115 out of 4,033 tested blocked websites (27.64%) are blocked by all six ISPs simultaneously. ACT blocks 3,721 websites while Airtel blocks only 1,892, and 215 websites are blocked by exactly one ISP with no apparent legal basis.
-
Jio, India's largest ISP serving 49.7% of internet users, employs SNI inspection to block 2,951 out of 3,340 websites it censors — the first documented use of SNI-based blocking in India. No other of the six tested ISPs uses this technique.
-
Frolov et al. (2020) found that obfs4, Shadowsocks Outline, Psiphon's OSSH, and Lantern's Lampshade are all identifiable by TCP flag and timing patterns when servers close connections on error, because each tool's timeout value and FIN/ACK behavior are distinct. Their recommended mitigation—'forever read' on errors so the prober always closes first—forces the server to terminate with FIN/ACK consistently across all code paths.
-
V2Ray clients emitted TLS ClientHello messages with a hardcoded, rarely-seen ciphersuite (fingerprint ID 8c48b95f67260663 on tlsfingerprint.io) that allowed a machine-learning classifier to identify V2Ray TLS traffic with 0.9999 accuracy; the same classifier could not accurately identify the traffic after the fingerprint was changed. The blocking rule based on the unique ciphersuite could be expressed in a single iptables line.
-
V2Ray's HTTP obfuscation mode prepends an HTTP header only to the first TCP payload per connection and uses a hardcoded HTTP 500 response for all failure cases, making the mimicry trivially detectable: legitimate HTTP servers send headers on every response, and a real HTTP server would never return a 500 for V2Ray-specific protocol errors it could never encounter.
-
VMess servers exhibit inconsistent TCP connection-draining behavior depending on error type: a first-seen (Encryption IV, Encryption Key) pair waits for more data before closing, while a replayed pair closes immediately. This timing asymmetry allows a prober to distinguish VMess servers from non-VMess servers with a three-connection probe sequence (M1, M2, M2 replay), as documented by @nametoolong in June 2020.
-
VMess authentication uses a timestamp-based credential with a maximum 120-second (average ~60-second) expiration window, allowing an attacker to replay a captured legitimate request within that window. By making 16 connections with altered Encryption Key bytes that enumerate all 16 possible Margin P padding-length values, a prober can confirm a VMess server by observing a non-repeated set of connection-close byte counts spanning a delta of 15.
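The confirmation signal described — 16 probes enumerating the padding lengths, yielding connection-close byte counts that span a delta of 15 — reduces to a simple check on the observed counts (an illustrative reduction, not the full probing logic):

```python
def consistent_with_vmess(close_byte_counts):
    """Given the number of bytes each of the 16 altered-key probe connections
    drained before close, check the signature described for VMess: 16 distinct
    counts whose spread (max - min) is exactly 15, one per possible padding
    length P in 0..15. The shape of the check follows the finding; the
    surrounding probe machinery is omitted."""
    if len(close_byte_counts) != 16:
        return False
    distinct = set(close_byte_counts)
    return len(distinct) == 16 and max(distinct) - min(distinct) == 15
```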
-
Total hardware cost for four detector stations plus a central proxy was approximately $30,000 USD, with estimated annual operating costs of ~$13,000 for co-location and ~$24,000 for a 2 Gbps upstream connection, plus ~40% FTE of an ISP network engineer—costs that are structurally higher than endpoint-based circumvention due to mandatory network-operator co-location requirements.
-
During a major censorship event in April 2019, new censor techniques blocked many Psiphon transports while TapDance remained accessible, causing a 4× increase in the fraction of TapDance-enabled clients' traffic and daily users peaking above 25,000—with no measurable degradation in connection success rate or per-session throughput under the increased load.
-
Over 115 days of operation with 1,500–2,000 active decoys, the busiest decoy site averaged only 13.24 concurrent connections and 12.32 MB of traffic per day; only 2 of roughly 3,000 candidate decoy sites opted out via robots.txt over 18 months, and none reported operational problems, confirming that decoy websites are not meaningfully burdened at this deployment scale.
-
The first production Refraction Networking deployment used four TapDance stations at Merit Network observing 140 Gbps aggregate capacity and served up to 33,000 unique users per month across 559,000 Psiphon installations, proxying up to 500 Mbps of circumvention traffic during the first year of continuous operation.
-
Approximately 50% of TapDance client connection attempts failed to pass through any station due to routing variability at the ISP, producing an average of about one failed decoy per successful connection and time-to-first-byte exceeding five seconds in typical cases, even though median session RTT remained under one second.
-
The GFW's dominant exploitable discrepancy is accepting data packets whose TCP sequence number is ≤ the initial sequence number (ISN), while Linux rejects such packets as out-of-window. This single 'SEQ ≤ ISN' strategy accounts for the majority of the 3,152 successful evasion-packet cases against the GFW out of 4,587 total successful evasions.
-
Snort contains two novel TCP Timestamp discrepancies versus Linux: it omits RFC 7323-mandated timestamp validation on RST packets in SYN_RECV state, and its PAWS TSval acceptance window is 'off by two' — a TSval of 0 or 0xffffffff following a packet with TSval 0x80000000 is accepted by Linux but rejected by Snort, enabling insertion-based evasion by crafting packets that fall in the divergent range.
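A simplified model of the wraparound-aware comparison on the Linux side shows why both boundary TSvals named above fall inside its window; Snort's divergent 'off by two' window is described in the finding but not modeled exactly here:

```python
def s32(x: int) -> int:
    # Reinterpret a 32-bit value as signed, as C timestamp arithmetic does.
    x &= 0xffffffff
    return x - (1 << 32) if x >= (1 << 31) else x

def linux_paws_ok(ts_recent: int, tsval: int, paws_win: int = 1) -> bool:
    """Simplified model of Linux's PAWS check: accept unless the incoming
    TSval is more than paws_win behind ts_recent in modulo-2^32 arithmetic.
    The wraparound-tolerant signed comparison is the point of the sketch."""
    return s32((ts_recent - tsval) & 0xffffffff) <= paws_win
```

Both TSval 0 and 0xffffffff land on the far side of the signed wraparound from ts_recent 0x80000000, so the signed difference is hugely negative and Linux accepts them; a checker whose window boundary is off by two rejects exactly these edge values, enabling insertion packets that only Snort discards.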
-
Snort interprets the TCP urgent pointer as the offset to the last byte of urgent data and discards all payload bytes before that offset, while Linux consumes only 1 urgent byte and leaves the remaining payload intact. Injecting a packet with the URG flag and the urgent-pointer offset pointing to an insignificant padding byte allows the full sensitive payload to reach the server while Snort strips it — a novel evasion strategy not previously reported.
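The two reassembly policies can be modeled as pure functions over the payload and urgent pointer; this is a simplification that assumes the BSD-style one-urgent-byte interpretation for Linux, with the pointer designating the last urgent byte:

```python
def linux_inband(payload: bytes, urg_ptr: int) -> bytes:
    # Linux pulls exactly one byte (the one the pointer designates) out of
    # band; everything else stays in the in-band stream the server reads.
    if not 1 <= urg_ptr <= len(payload):
        return payload
    return payload[:urg_ptr - 1] + payload[urg_ptr:]

def snort_inband(payload: bytes, urg_ptr: int) -> bytes:
    # Snort treats the pointer as the offset of the LAST urgent byte and
    # discards every payload byte before it when reassembling for inspection.
    if not 1 <= urg_ptr <= len(payload):
        return payload
    return payload[urg_ptr - 1:]
```

Pointing the urgent pointer at a trailing padding byte therefore leaves the sensitive payload intact for the server while removing it from Snort's view.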
-
SymTCP uses selective symbolic execution over Linux's TCP implementation (S2E + KLEE) to enumerate all packet sequences reaching 47 binary-level accept or drop points from LISTEN to ESTABLISHED, then conducts differential testing against a blackbox DPI to confirm discrepancies; the open-sourced system requires no DPI source access and covers 37 of 47 drop points within the operationally relevant handshake window.
-
SymTCP generated 56,787 candidate insertion/evasion packets in approximately one hour using concolic execution over Linux's TCP stack. Evaluating a sampled set of 10,000 test cases against real DPI systems yielded 6,082 evasions against Zeek, 652 against Snort, and 4,587 against the Great Firewall of China — discovering 14 novel evasion strategies beyond those found by prior manual approaches.
-
Hop-by-hop bottleneck localization showed that in more than 71% of measured paths the first lossy hop is located deep inside China (beyond the border), with only 34.45% of bottleneck hops coinciding with the GFW hop as detected by RST injection probing — suggesting Chinese ISP infrastructure underprovisioning rather than GFW intervention as the primary cause.
-
The bottleneck exhibits strong and consistent diurnal patterns: 80–95% of receiver–sender pairs show a standard deviation of less than 3 hours in daily slowdown duration, and the patterns persist unchanged across weekends and national holidays (May 1–2 and October 1 national day). Packet loss is strictly asymmetric — occurring only for traffic entering China (inbound data and outbound ACK packets), not for traffic leaving China.
-
The Great Bottleneck of China affects 79% of measured receiver–sender pairs, with more than 70% of those pairs suffering throughput below 1 Mbps for more than 5 hours every day. M-Lab NDT data independently corroborates this: in 64% of 75,464 tests from China, download speed was below 500 kbps.
-
Hong Kong is the sole geographic exception: it experiences no measurable slowdowns when accessing the foreign Internet, and Chinese mainland receivers accessing Hong Kong as a sender averaged only ~3 hours of slowdown per day — compared to 5–17 hours for US, European, and most Asian senders — making it an effective high-performance relay between mainland China and the rest of the world.
-
A/B testing across HTTP, HTTPS, VPN, and Shadowsocks traffic found no measurable difference in packet loss rates, ruling out censorship-targeted protocol throttling as the cause. Even at probe rates as low as one packet per 10 seconds, loss rates were similar across all protocol variants, indicating no per-connection or per-protocol speed throttling by the GFW.
-
Frolov and Wustrow show that every major TLS-based circumvention tool (Tor Browser, Lantern, OpenVPN, Psiphon, etc.) produces a TLS ClientHello fingerprint that is statistically distinguishable from real Chrome or Firefox: differences include cipher-suite ordering, extension set, extension ordering, ALPN values, and curve preferences. A passive observer with a classifier over ClientHello fields can identify the tool with high precision without decrypting any traffic.
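The classifier needs no decryption because the distinguishing fields all travel in the clear; an illustrative fingerprint over those fields (not the actual tlsfingerprint.io normalization) makes the order-sensitivity concrete:

```python
import hashlib
import struct

def hello_fingerprint(version, ciphers, extensions, curves, alpn):
    """Illustrative fingerprint over the ClientHello fields the paper names
    as distinguishing. Field ORDER is hashed along with content, so two
    clients that differ only in cipher-suite ordering get different IDs."""
    h = hashlib.sha256()
    h.update(struct.pack(">H", version))
    for field in (ciphers, extensions, curves):
        h.update(struct.pack(f">{len(field)}H", *field))
    h.update(",".join(alpn).encode())
    return h.hexdigest()[:16]
```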
-
Beyond the ClientHello, circumvention tools diverge from real browsers in TLS record-layer behavior: Go's crypto/tls splits the first application-data write differently than NSS or BoringSSL, and Go does not send a TLS ChangeCipherSpec in the same byte sequence as Chrome. These post-handshake divergences are detectable even when the ClientHello has been patched with uTLS, requiring record-layer mimicry in addition to hello-field mimicry for full fingerprint resistance.
-
The paper introduces the uTLS library, which allows a Go TLS client to impersonate a specific browser's TLS fingerprint by replaying a recorded ClientHello template (including exact cipher suites, extensions, and GREASE bytes) rather than constructing one from Go's crypto/tls. Using a Chrome 70 uTLS template reduces fingerprint-distinctiveness to near zero against a passive classifier trained on real Chrome traffic.
-
Evasion strategies are strongly censor-specific: TCB Teardown strategies that achieve 80–96% against the GFW fail completely (0%) against Kazakhstan's HTTPS MITM; India's Airtel is defeated uniquely by a 'Stutter Request' (duplicating the PSH/ACK and replacing IP length to 64) at 100% success, which scores only 3% against the GFW. Geneva converged on distinct species for each censor within 4–8 hours of live training.
-
Geneva, a genetic algorithm using four packet-manipulation primitives (drop, tamper, duplicate, fragment), independently re-derived 30 of 36 (83.3%) previously published evasion strategies in controlled lab experiments and discovered successful strategies in 23 of 27 live training sessions against China's GFW, yielding 4 unique species, 8 subspecies (5 novel), and 21 fundamentally different variants. Each training session ran for 4–8 hours against a real censor.
-
Geneva experiments revealed that the GFW determines TCP three-way handshake completion using only the presence of the ACK flag — without validating sequence numbers. Upon receiving a RST or RST/ACK before the handshake completes, the GFW enters a resynchronization state approximately 50% of the time rather than tearing down its TCB; strategies that exploit this pre-handshake window achieve 92–95% success rates (Strategies 3 and 4).
-
The GFW does not verify TCP checksums or validate RST flag combinations: Strategy 5 using the entirely invalid flag set FRAPUN with TTL 10 achieved 96% success. Separately, increasing the TCP data offset (dataofs) field to 10 in an insertion duplicate causes the GFW to reinterpret the beginning of the HTTP payload as TCP header bytes, preventing keyword detection and achieving 98% success (Strategy 2) — while the destination server discards the malformed packet.
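The dataofs reinterpretation can be reproduced with plain byte manipulation: a parser that trusts the data-offset field skips 40 bytes of "header", swallowing the start of the HTTP payload. This is a sketch; checksums, sequence numbers, and the server-side discard of the malformed packet are omitted:

```python
import struct

def tcp_payload_offset(segment: bytes) -> int:
    # Where a standards-following parser believes the payload starts: the
    # data-offset field (high nibble of byte 12) counts 32-bit header words.
    dataofs_words = segment[12] >> 4
    return dataofs_words * 4

def build_segment(dataofs_words: int, payload: bytes) -> bytes:
    # A 20-byte TCP header followed by the payload. An insertion copy that
    # lies about its data offset (10 words = 40 bytes) makes a trusting
    # parser treat the first 20 payload bytes as header options.
    header = struct.pack(">HHIIBBHHH",
                         1234, 80,                 # src/dst port
                         0, 0,                     # seq, ack
                         dataofs_words << 4, 0x18, # data offset; PSH/ACK
                         8192, 0, 0)               # window, checksum, urgptr
    return header + payload
```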
-
Geneva's Segmentation species — fragmenting HTTP requests at the TCP layer without IP fragmentation, segment overlapping, or insertion packets — achieved 94–98% success against the GFW, 100% against India's Airtel ISP, and 100% against Kazakhstan's HTTPS MITM, making it the only strategy class effective across all three tested censors. These strategies require neither raw sockets nor root privilege.
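A sketch of the segmentation idea, splitting a request so that no single segment carries a complete blacklisted keyword. Real Geneva strategies segment at fixed offsets without keyword knowledge; the keyword-aware splitter below is only to make the evasion condition explicit:

```python
def segment_request(request: bytes, keywords, max_seg: int = 8):
    """Split a request into TCP-layer segments such that no individual
    segment contains a complete blacklisted keyword. A DPI that inspects
    segments in isolation never sees the full keyword; the server's TCP
    stack reassembles the original byte stream."""
    segs, start = [], 0
    while start < len(request):
        end = min(start + max_seg, len(request))
        # Shrink the segment if it would complete a keyword.
        while any(k in request[start:end] for k in keywords) and end > start + 1:
            end -= 1
        segs.append(request[start:end])
        start = end
    return segs
```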
-
As of July 2019, approximately 10.93% of the Alexa top 1 million websites support ESNI (all via Cloudflare CDN, which enabled ESNI across all its platforms in September 2018), with 92.56% of Cloudflare-hosted sites using encrypted SNI over TLS 1.3. However, fewer than 0.01% of observed TLS ClientHello messages in the wild contained an ESNI extension, revealing a severe gap between server-side readiness and client-side adoption.
-
The paper identifies 47 Cloudflare IP addresses that are already blocked by the GFW despite being shared by at least 85 websites, contradicting the prior assumption that censors avoid blocking shared CDN IPs due to collateral damage. This suggests censors will accept significant collateral damage to block CDN-hosted content when the set of co-hosted non-forbidden pages is deemed manageable.
-
Of the Alexa top 1 million websites censored in China, 84.5% are blocked by IP address, meaning that even if both DNS hijacking and SNI filtering are fully circumvented, the vast majority of blocked sites remain inaccessible. Only 66 currently censored sites can be unblocked by ESNI alone (combined with an encrypted DNS channel), while 101,049 ESNI-supported sites remain blocked by IP.
-
Monitoring ESNI-related censorship across 14 geographic regions — including Mainland China, Iran, UAE, South Korea, and 10 others — found no blocking of ESNI traffic or interference with ESNIKey retrieval via DNS TXT records as of mid-2019, contradicting a widely circulated report claiming South Korea had already blocked ESNI. Additionally, the GFW's residual censorship window after a triggered RST was measured at 60 seconds (down from the previously reported 90 seconds).
-
In China's Great Firewall, SNI filtering is almost never the sole blocking mechanism: only 70 of the 21,446 SNI-filtered sites are exclusively censored via SNI. The GFW uses SNI filtering as a 'third gatekeeper' — applied after DNS hijacking and IP blocking — and maintains separate blacklists for SNI filtering and DNS hijacking, evidenced by 2,764 sites under DNS injection but not SNI filtering.
-
The GFW's robustness depends principally on suppressed citizen demand for uncensored information, not solely on access barriers. Calibration shows censorship remains stable even if the unencouraged access rate were substantially expanded, because low demand and moderate social transmission prevent information from reaching population-wide tipping points. However, censorship is fragile to demand stimulation: scaling the encouragement intervention to all students would, per the model, inform the entire student population.
-
When given a free 18-month subscription to a premium VPN (retail value US$25/month), only 55% of treated Chinese university students activated the tool, and less than 5% of active users regularly browsed blocked foreign news websites. By contrast, 86% activated a placebo free Youku (Netflix-equivalent) account within a week, isolating low demand—not friction—as the barrier.
-
Acquisition of politically sensitive information produced broad, durable attitude change: access-plus-encouragement moved the median student from the 47th to the 56th percentile across all measured outcome dimensions. Students became more pessimistic about Chinese economic growth (elicited incentive-compatibly), more skeptical of government performance, more likely to plan exit via foreign graduate school, and more likely to report having withdrawn stock-market investments.
-
Peer-to-peer knowledge spillovers were statistically significant but small: a student who actively browsed foreign news and learned of a sensitive event made her dormitory roommate 12.7 percentage points more likely to answer a quiz on that event correctly. Model calibration showed this transmission rate is insufficient to propagate knowledge to the broader student population given the low share of initially informed students.
-
Modest financial incentives (US$2.50 per quiz requiring a visit to the NYT Chinese edition) produced a persistent increase in foreign-news browsing: after the 4-month encouragement ended, Group-AE students spent 3.4 min/week more on top foreign news sites than access-only peers (6.7 min/week among active users). By the experiment's end, 23% of newly exposed students paid US$4.50/month to continue uncensored access out of pocket.
-
Conjure achieves 20% lower latency, 14% faster download bandwidth, and over 1400 times faster upload bandwidth compared to TapDance on a 20 Gbps ISP testbed. TapDance upload is throttled to approximately 0.1 Mbps because it must reconnect for every 32 KBytes sent; Conjure maintains a single persistent connection. At the 99th percentile, Conjure is 281 ms (92%) faster than TapDance.
-
For IPv4, Conjure derives both the phantom host IP and TCP port from the client's registration seed, making exhaustive scanning infeasible: a censor enumerating from a /10 of potential client source IPs (4 million addresses) against a /16 of phantom IPs (65K addresses) across all 65K ports would require approximately 50 years at 10 Gbps with ZMap. Phantom hosts are additionally firewalled to respond only to the registering client IP, defeating single-vantage-point ZMap scans.
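The seed-derived rendezvous can be illustrated with a toy key derivation (not Conjure's actual KDF; the phantom subnet, tag string, and port range here are invented):

```python
import hashlib
import ipaddress

def phantom_from_seed(seed: bytes, phantom_net: str = "198.18.0.0/16"):
    """Illustrative derivation: hash the registration seed to pick a phantom
    address inside the deployment's phantom /16 and a TCP port, so client
    and station agree on the rendezvous point without exchanging it. A
    censor without the seed cannot predict which of the 65K x 64K
    (address, port) pairs a given client will use."""
    net = ipaddress.ip_network(phantom_net)
    digest = hashlib.sha256(b"phantom-select" + seed).digest()
    host_off = int.from_bytes(digest[:4], "big") % net.num_addresses
    port = 1024 + int.from_bytes(digest[4:6], "big") % (65536 - 1024)
    return str(net.network_address + host_off), port
```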
-
IPv6 phantom addresses drawn from an ISP's /32 prefix provide 2^96 potential addresses, making exhaustive enumeration and pre-image attacks computationally infeasible. Analysis of 4013 observed IPv6 addresses in a deployed /32 found approximately 75 bits of entropy (out of a maximum 96), with enough overlap with legitimate address distributions that blocking high-entropy addresses would produce significant collateral damage to real IPv6 services.
-
Conjure phantom hosts resist active probing by requiring knowledge of a per-client registration seed secret before the station responds. A ZMap scan of over 1 billion random IP/port combinations found that 99.4% of responding servers returned no data after a random OSSH-style probe and 7.42% closed with TCP RST — behavior indistinguishable from Conjure's OSSH transport — meaning censors face steep false-positive rates when attempting to identify phantom proxies via active probing.
-
Conjure registration is unidirectional: the client embeds a steganographic ciphertext tag in a complete HTTPS request payload encrypted under a Diffie-Hellman shared secret, and the station passively observes it without sending any reply or spoofing packets. This design makes registration flows indistinguishable from normal HTTPS traffic and enables 25% more viable registration decoys than TapDance by removing the requirement to exclude decoys with short TCP windows or connection timeouts.
-
China's GFW poisons DNS responses from major open resolvers (Google 8.8.8.8/8.8.4.4, Cloudflare 1.1.1.1/1.0.0.1, OpenDNS 208.67.222.222/220) for I2P domains, returning public IPs belonging to Facebook, SoftLayer, and other non-Chinese organizations. Blocking is non-uniform: AS9808 (Guangdong Mobile) appended a loopback 127.0.0.1 record alongside falsified IPs—a pattern not seen at other ASes—while the I2P mirror site remained accessible from most Chinese locations despite the homepage being blocked.
-
DNS injection from China's GFW leaked into South Korean networks: queries sent from Korean ASes (AS38676, AS9848) to open resolvers returned the same falsified IP addresses observed inside China, because geographic proximity caused transit routing through Chinese infrastructure. This demonstrates that the GFW censors both egress and ingress traffic, producing cross-border poisoning as a side effect. Sporadic rather than consistent injection at these ASes confirmed the leakage hypothesis rather than intentional Korean blocking.
-
Oman and Qatar deploy layered blocking: after a TCP handshake to geti2p.net completes normally, a TCP RST is injected immediately after the TLS ClientHello (SNI-based blocking), while HTTP connections to the mirror site receive injected packets redirecting to explicit national block pages. Kuwait applied only the HTTP mirror block, and only at one of six tested ASes (AS47589, Kuwait Telecommunication Company), with all other Kuwaiti networks leaving I2P fully accessible—illustrating significant ISP-level variation within a single country.
-
Over one month, 54K measurements from 1.7K ASes in 164 countries detected I2P blocking in exactly five countries: China (DNS poisoning of homepage and 3 of 10 reseed servers), Iran (TCP RST injection with HTTP 403 on mirror site), Oman and Qatar (SNI-based blocking of HTTPS homepage plus TCP injection with block-page redirect on HTTP mirror), and Kuwait (TCP injection on mirror site at AS47589 only). All other tested countries left I2P fully reachable.
-
A measurement infrastructure built on VPN Gate's 192K volunteer-operated residential vantage points (3.5K ASes, 181 countries) detected I2P blocking events that were missed entirely by both OONI—which had no test data for four of the five affected countries—and ICLab—which had vantage points in only two of the five countries and obtained only intermittent connections there. Residential vantage points reveal filtering policies invisible from datacenter-hosted probes, with ISP-level granularity confirming partial national blocking (one of six Kuwaiti ASes, heterogeneous Chinese AS behavior) that aggregate measurements would miss.
-
A proxy assignment algorithm derived from the Gale-Shapley college-admissions problem, using multi-feature utility functions over five client metrics (proxy utilization capped at T, new-proxy request rate, blocked-proxy usage, known-blocked count, client distance), achieves superior connected-client ratios and lower wait times than the state-of-the-art rBridge in all tested ecosystem configurations (Static, Slow, Alive, Popular), without requiring knowledge of individual client types at assignment time.
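A deferred-acceptance sketch of such an assignment loop, with `utility(c, p)` standing in for the paper's multi-feature scoring and `capacity` for the utilization cap T:

```python
def assign(clients, proxies, utility, capacity):
    """Gale-Shapley-style deferred acceptance: clients propose to proxies in
    order of utility; each proxy holds its best proposers up to `capacity`
    and bumps the weakest when oversubscribed. `utility(c, p)` is a stand-in
    for the paper's multi-feature scoring functions."""
    prefs = {c: sorted(proxies, key=lambda p: -utility(c, p)) for c in clients}
    nxt = {c: 0 for c in clients}          # next proxy each client will try
    held = {p: [] for p in proxies}        # tentatively accepted clients
    free = list(clients)
    while free:
        c = free.pop()
        if nxt[c] >= len(prefs[c]):
            continue                       # exhausted all proxies; unassigned
        p = prefs[c][nxt[c]]
        nxt[c] += 1
        held[p].append(c)
        held[p].sort(key=lambda x: -utility(x, p))
        if len(held[p]) > capacity:
            free.append(held[p].pop())     # bump the lowest-utility proposer
    return held
```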
-
The Chinese GFW enumerated all Tor bridges within approximately one month by deploying censoring agents that impersonated regular users, demonstrating that CAPTCHA- and email-based proxy distribution mechanisms are ineffective against resourceful state-level censors who can create large numbers of accounts and use human-based CAPTCHA-solving platforms.
-
Omnipresent censors who distribute censoring agents across diverse geographic locations obtain significantly more proxies than circumscribed censors confined to a single subnet, because location diversity improves their utility scores in proximity-weighted proxy assignment systems.
-
A game-theoretic optimal censorship strategy — in which coordinated agents maximize a joint utility combining proxy discovery and blocking impact (equation 3, parameterized by ω) — is significantly stronger than both aggressive (immediate block) and conservative (timed-delay) heuristic strategies evaluated in prior work including rBridge; changing ω (surveillance vs. blocking preference) further modulates the damage a censor can inflict on any given distribution profile.
-
In a static proxy pool (λ=0, no new proxies added), the fraction of connected censored clients decreases monotonically to near zero regardless of censorship strategy, even at low censoring-agent fractions (ρ=0.05) and against a non-strategic aggressive censor with a strict-balanced distributor profile.
-
An adaptive censor that retrains classifiers on both unmodified and GAN-transformed Meek traffic ('informed NN') partially recovers detection capability: informed NN achieves a PR-AUC of 0.440 against modified traffic versus 0.309 for the naive NN, and achieves FPR of 0.667 versus 1.000 for the naive NN. However, the informed NN suffers from catastrophic interference and performs worse on FPR than the naive classifier on unmodified data (0.545 vs. 0.002).
-
A GAN-based adversarial transformer applied to Meek traffic signatures increases mean classifier FPR from 0.183 to 0.834 and decreases mean area under the precision-recall curve (PR-AUC) from 0.990 to 0.414 across naive neural network, informed neural network, and CART decision tree classifiers evaluated on three geographically distinct datasets (residential, university, AWS).
-
The paper identifies that Meek traffic is compared against average HTTPS traffic across all domains rather than against traffic specific to the CDN fronting host (e.g., ajax.aspnetcdn.com for meek-azure), meaning a transformed signature that mimics generic HTTPS may still appear anomalous relative to expected traffic to that specific CDN host. This dataset construction limitation means real-world GAN-guided shaping must target host-specific traffic baselines, not population-wide HTTPS baselines.
-
Prior ML classifiers achieve near-perfect detection of unmodified Meek traffic using side-channel features: Wang et al. attain a false positive rate (FPR) as low as 0.0002 with a CART decision tree, Yao et al. achieve 99.98% accuracy with a hidden Markov model, and Nasr et al. deanonymize Meek flows with FPR of 0.0005 using a neural network. The distinguishing features are TCP payload size distributions (Meek concentrates 60–70 byte payloads) and inter-arrival time distributions (higher latency).
-
Incorporating perturbation loss — the mean absolute difference between original and transformed traffic signatures — into the GAN's training objective constrains the transformer to make minimal modifications, reducing the implementation overhead a real-time traffic shaper would require. The perturbation loss is weighted at 10× relative to classification losses, enforcing sparse modifications while still fooling the discriminator.
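The stated objective reduces to a weighted sum; a minimal sketch over plain-Python signature vectors (the real transformer computes this over traffic feature vectors inside the GAN's training loop):

```python
def transformer_loss(adv_loss, original_sig, transformed_sig, weight=10.0):
    """Training objective as described: the adversarial (classification)
    loss plus a perturbation term — the mean absolute difference between
    original and transformed signatures — weighted 10x so the transformer
    prefers sparse, cheap-to-apply modifications."""
    n = len(original_sig)
    perturbation = sum(abs(o - t) for o, t in zip(original_sig, transformed_sig)) / n
    return adv_loss + weight * perturbation
```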
-
The component-aware binary splitting algorithm (CompAwareBinSplit) requires on average 35.47 messages per article to isolate a sensitive keyword combination — 10.3% as many as the 342.72 required by the previously used algorithm — and is the only evaluated algorithm that correctly handles overlapping keyword components and multiple co-occurring combinations.
-
WeChat, Alibaba Wangwang, Zhihu, and Sina Weibo all implement keyword combination filtering — messages are blocked only when every component of a blacklisted combination appears simultaneously, regardless of order. This allows censors to target sensitive contexts (e.g., 习近平 + 三连任 [Xi Jinping + three consecutive terms]) without filtering neutral mentions of individual terms.
-
The previously used bisection algorithm required an average of 342.72 messages per news article to isolate a triggering keyword combination, and produced incorrect results in 44% of test cases — primarily because the Unilateral Elimination Flaw caused it to miss components that appeared multiple times in an article.
-
Server-side keyword enumeration on Chinese platforms has become increasingly uneconomical: platforms now require non-virtual phone numbers for account registration, and test accounts are banned after sending a threshold volume of sensitive content. The paper's 5,521-article dataset and 1,956 confirmed keyword combinations were collected via sample testing between September 2017 and October 2018, with registration costs being the primary limiting factor for research scale.
-
WeChat censors messages even when keyword components overlap within the message text — e.g., the combination 帶來 + 調整 + 整體 + 領域 triggers filtering in the fused form 帶來abc調整體xyz領域 where 調整 and 整體 share a character. No previously published algorithm correctly identified overlapping components; only CompAwareBinSplit resolves this by advancing the search window from index i+1 rather than past the full matched span.
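The overlap behavior can be demonstrated by contrasting a naive left-to-right scanner, which consumes each matched span, with an overlap-aware check; this is a simplification of CompAwareBinSplit's window handling, not the full splitting algorithm:

```python
def naive_scan(message, components):
    # Flawed approach: consume the message left to right, jumping past each
    # matched span, so a component overlapping the previous match is lost.
    found, i = [], 0
    while i < len(message):
        for comp in components:
            if message.startswith(comp, i):
                found.append(comp)
                i += len(comp)  # skips the shared character
                break
        else:
            i += 1
    return found

def overlap_aware(message, components):
    # CompAwareBinSplit-style check: search each component independently
    # (resuming from i + 1 rather than past the matched span), so components
    # sharing characters are all found.
    return [c for c in components if c in message]
```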
-
Capturing as little as 30 seconds of a multimedia-tunneling flow is sufficient for XGBoost to reach the same AUC achieved with a 60-second window (AUC=0.99 for Facet s=50%, AUC=0.95 for DeltaShaper ⟨320×240, 8×8, 6, 1⟩ at 30s). Classification performance degrades monotonically below 30 seconds, reaching AUC≈0.81 (Facet) and 0.75 (DeltaShaper) at 1 second.
-
CovertCast — which scrapes web content into colored-matrix frames broadcast over YouTube live streams — is fully detected by the χ² similarity classifier with TPR=100% and FPR=2%. The KL and EMD classifiers achieve TPR>96.5%, indicating the system provides essentially no unobservability in practice.
-
Feature importance analysis of XGBoost models reveals that Facet covert channels are identifiable primarily through packets in the 115–195 byte range (dominated by Skype audio packets), while DeltaShaper is identifiable through two distinct packet-length clusters: 85–100 bytes and 1105–1205 bytes. XGBoost assigns non-zero importance to only ~58% of the 300 quantized packet-length bins for Facet and ~42% of 600 bins for DeltaShaper, indicating that leakage is concentrated in a narrow portion of the packet-size distribution.
-
Unsupervised and semi-supervised anomaly detection methods (OCSVM, Isolation Forest, shallow autoencoders) perform near-random when attempting to detect multimedia protocol tunneling: OCSVM achieves average AUC between 0.518–0.584 across all tested configurations, Isolation Forest between 0.519–0.557, and autoencoders reach a maximum AUC of 0.702 only under optimal hyperparameter search. The paper concludes that labeled training data is a hard requirement for effective covert-channel detection.
-
Decision tree classifiers (XGBoost) can flag 90% of Facet multimedia-tunneling traffic while erroneously flagging only 2% of legitimate Skype connections (FPR=2%). Against DeltaShaper at its most conservative configuration (⟨160×120, 4×4, 6, 1⟩), XGBoost achieves AUC=0.85, demonstrating that existing unobservability claims for all three systems (Facet, CovertCast, DeltaShaper) were flawed.
-
For China (a highly connected, routing-capable adversary), the gossip protocol combined with any symmetric decoy routing design requires only 5 heavyweight downstream stations plus 880 lightweight upstream gossip stations — versus 880 heavyweight stations for purely symmetric designs. Five downstream stations alone impact 78% of routes from Chinese users, while a single downstream station already covers nearly 25% of traffic.
-
An asymmetric gossip protocol adds only 1.0055× bandwidth overhead for n=5 downstream stations — approximately 11 Mb/s extra on a typical 2 Gb/s OC48 link. Upstream gossip stations require no in-line blocking and impose zero additional load on overt sites, making them substantially lighter than heavyweight symmetric relay stations that must check every TLS connection for steganographic tags.
-
A censor using latency analysis to classify decoy routing sessions achieves a maximum F-score that drops to nearly 0 when the base rate of decoy routing falls below 10^-4 (one in 10,000 connections). Even at higher adoption rates the F-score remains below 0.5 for most overt sites, making reliable detection infeasible without unacceptable false-positive rates on legitimate traffic.
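The base-rate collapse follows directly from the precision formula; a small helper with hypothetical TPR/FPR values (not the paper's measured classifier) makes it concrete:

```python
def max_f_score(tpr, fpr, base_rate):
    """Best-case F-score of a detector at a given base rate of decoy-routing
    sessions: precision collapses once fpr * (1 - p) dwarfs tpr * p, however
    good the classifier's per-session performance looks."""
    tp = tpr * base_rate
    fp = fpr * (1 - base_rate)
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tpr
    return 2 * precision * recall / (precision + recall)
```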
-
Between 80% and 90% of internet routes are asymmetric, with only about 10% of flows symmetric in Tier-1 (backbone) networks and roughly 70% symmetric at the network edge. This asymmetry makes decoy routing systems requiring relay stations on both upstream and downstream paths impractical for the majority of real-world deployments.
-
Decoy routing systems that re-encrypt TLS application data across the relay station (Slitheen, Rebound, Waterfall) are vulnerable to nonce-reuse attacks: an adversary capable of observing traffic on both sides of the relay can exploit reused GCM nonces to decrypt or modify covert traffic. Although this falls outside the standard decoy routing threat model, it poses a concrete risk to users already under heightened surveillance who face adversaries with broad network visibility.
-
By 2018 the GFW shifted from blocking Tor bridges by (IP, port) tuples to blocking the entire IP address. A blocked bridge remains inaccessible for exactly 12 hours; the block renews to 12 hours if any additional Tor connection attempt is made during that window, after which the GFW re-scans and removes the IP from the blacklist if Tor is no longer running.
-
The authors attracted 934 unique scanner IPs over 44 hours, all geolocated to China, with TTL values clustered at 48–50 and MSS of 1400 (with a secondary cluster at 1368 from IP 111.202.242.93). 908 IPs conducted exactly one scan and 26 conducted two; no IP scanned more than twice, indicating deliberate distribution to resist IP-based blacklisting of scanners.
-
Meek over Azure CDN successfully established Tor circuits from China in all tests; meek over Amazon was inconsistent and often failed mid-circuit. Meek requires TLS on the bridge — without it the GFW blocks the bridge within minutes and purges it from the blacklist, suggesting a separate meek-specific detection and blocklist is maintained.
-
obfs4 successfully established Tor circuits on the authors' own unpublished bridge relays but failed to connect to any public obfs4 bridge, consistent with the GFW having scraped and blacklisted public bridge addresses. This demonstrates that address confidentiality is a prerequisite for obfs4's effectiveness, independent of its obfuscation properties.
-
Configuring iptables to drop incoming Tor packets whose TCP MSS equals 1400 (the value observed on GFW scanners) prevented bridge IPs from being added to the blocklist across the entire 44-hour experiment. This technique requires changes only on the relay, unlike pluggable transports that require both client and server upgrades.
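The relay-side defense amounts to a single netfilter rule; a hedged example using the standard `tcpmss` match, assuming the bridge's ORPort is 443 (the port, chain placement, and any allowlisting for legitimate MSS-1400 clients are deployment-specific):

```shell
# Drop inbound SYNs to the bridge port whose TCP MSS option equals 1400,
# the value observed on GFW scanner probes (port 443 is an assumption).
iptables -A INPUT -p tcp --dport 443 --syn -m tcpmss --mss 1400 -j DROP
```

Because the MSS option appears only on SYN segments, matching with `--syn` confines the rule to connection attempts; established flows are unaffected.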
-
Despite I2P's decentralized design, a censor can block more than 95% of peer IP addresses known to a stable I2P client by operating only 10 routers in the network. The censor learns this by passively monitoring the distributed netDb through injected floodfill and non-floodfill nodes, exploiting the fact that I2P's peer-discovery mechanism exposes the near-complete address space to any sufficiently resourced participant.
-
A blocking rate of more than 70% of I2P peer IP addresses is sufficient to cause significant latency in web browsing activities, while blocking more than 90% of peer IP addresses can make the I2P network unusable. The cost to reach the 95% blocking threshold is operating only 10 censor-controlled routers.
-
Of approximately 32K active I2P peers observed daily during a three-month measurement (February–April 2018), roughly 6,000 peers came from 30 countries with poor Press Freedom scores (index > 50); China led with more than 2,000 peers, followed by Singapore (~700) and Turkey (~600). This suggests I2P is being used as a Tor/VPN alternative in heavily censored regions, despite China configuring I2P peers to hidden mode by default.
-
I2P obfuscates payload content to prevent protocol identification, but flow analysis can still fingerprint I2P traffic because the first four handshake messages between I2P routers have fixed lengths of exactly 288, 304, 448, and 48 bytes. The I2P team acknowledged this and was developing an authenticated key agreement protocol to resist automated identification.
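The fixed handshake lengths make a censor-side flow fingerprint almost trivial. A minimal sketch of such a heuristic, built only from the four message sizes reported above (not I2P code):

```python
I2P_HANDSHAKE_LENGTHS = (288, 304, 448, 48)  # fixed sizes of the first four messages

def looks_like_i2p(first_payload_sizes):
    """Flag a flow whose first four message sizes match I2P's fixed
    handshake pattern. A censor-side heuristic sketched from the finding
    above; a real classifier would add direction and timing checks."""
    return tuple(first_payload_sizes[:4]) == I2P_HANDSHAKE_LENGTHS
```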
-
A simpler but effective complement to IP-list blocking is to block access to I2P's small set of hardcoded reseed servers: first-time users cannot fetch RouterInfos of other peers and are entirely prevented from joining the network. Reseed servers are functionally equivalent to Tor directory authorities as a single point of failure for bootstrapping.
-
New Twitter users who joined because of the Instagram block were initially apolitical (80% Chinese-language preference vs. 39% for existing Chinese Twitter users; ~80% of first follows were entertainment/sports accounts) but within two days their rate of political discussion about Hong Kong converged with that of established users. This confirms the gateway effect operates without pre-existing political motivation and without a Streisand-style backlash.
-
Blocked Chinese-language Wikipedia pages received approximately 160,000 more views on September 29, 2014 (the day Instagram was blocked) than in the preceding week, covering politically sensitive topics — Tiananmen Square, mainland leaders, and the PRC blocked-sites list — that long-term VPN users would not be browsing for the first time. By November 1, Chinese-language Twitter accounts had accumulated 33,750 more followers than pre-block trend projections.
-
When governments suddenly block previously uncensored, habitual-use platforms, affected users acquire VPN/proxy tools to restore access — and those tools then incidentally unlock all long-blocked content. The authors call this the 'gateway effect': sudden censorship backfires not through political backlash but through habit-driven evasion that permanently expands information access. The effect is strongest for indispensable, hard-to-substitute services.
-
China's September 29, 2014 Instagram block caused VPN Express to jump from rank 1,229 to rank 6 among all iPhone app downloads in China in a single day, and four of the top ten free productivity apps that day were VPNs (VPN Express, GreenVPN, VPNArtifact, VPN in Touch). The prior day, no VPN appeared in the top 10.
-
On the day Instagram was blocked, geo-located Twitter users from mainland China increased ~30% and new account creation jumped more than 600%. A full 53% of previously active Instagram users (estimated 8–16 million people) continued accessing Instagram via evasion tools after the block, compared with roughly 0.026% of all Chinese Internet users who used Twitter before the block — demonstrating the Firewall's baseline efficacy and the magnitude of the gateway-driven surge.
-
China actively censors websites far outside the popular-traffic tier: many discovered censored domains appear in the tail of the Alexa Top 1,000,000, and some are absent from Alexa entirely. This demonstrates the GFW pursues content-classified hosts regardless of traffic rank, not only high-visibility platforms.
-
The 1,125 newly discovered censored domains span a broad taxonomy: Chinese human rights organizations, Tibetan rights outlets, Falun Gong and religious freedom sites, minority news, privacy-enhancing technology providers, and sources covering Tiananmen and the 1989 democracy movement—none appearing on the Alexa Top 1,000 or FilteredWeb's blocklist. Privacy-enhancing technology providers appear explicitly as a censored category alongside political and religious content.
-
Multi-word Chinese phrases as search seeds discover qualitatively different censored sites than individual English words: the phrase 'Chinese human rights violation' surfaces Chinese activist homepages and culture-specific outlets, while individual constituent words return only well-known Western media. TF-IDF scoring against a Chinese corpus ranks culturally rare phrases (e.g., '自由亚洲电台' / Radio Free Asia) as high-signal seeds and discards common filler phrases.
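The seed-ranking idea can be sketched with a standard TF-IDF score; the paper's exact weighting scheme is not specified here, so this is the textbook formulation, not the system's implementation:

```python
import math

def tfidf(phrase, document_tokens, corpus):
    """Score a candidate seed phrase: frequent in the censored page
    (document_tokens), rare across the reference corpus (a list of token
    lists). Standard tf * idf; the paper's exact weighting may differ."""
    tf = document_tokens.count(phrase) / max(len(document_tokens), 1)
    df = sum(1 for doc in corpus if phrase in doc)
    idf = math.log(len(corpus) / (1 + df))
    return tf * idf
```

A culturally rare phrase like '自由亚洲电台' scores high because its document frequency in a general Chinese corpus is near zero, while common filler terms are driven to zero by the idf factor.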
-
Using NLP phrase extraction on Chinese-language censored pages, the system discovered 1,125 new censored domains not present on any publicly available blocklist, producing a list 12.5× larger than the standard Citizen Lab list (220 web pages, 85 domains). Across three evaluations (unigrams, bigrams, trigrams, each capped at 1,000,000 URLs), only 3 of the top 50 discovered domains overlapped with FilteredWeb's top 50.
-
Culturally specific Chinese phrases are strong predictors of censorship: unigrams for controversial figures—Wang Qishan (74%), Li Hongzhi (64%), Guo Boxiong (62%), Hu Jintao (56%)—returned the highest block rates. Trigrams such as 'Beidaihe meeting' (54%), 'CCP's religious policy' (42%), and 'Tiananmen Square demonstrations' (32%) showed similar patterns, confirming King et al.'s finding that references to collective political dissent are disproportionately targeted.
-
WeChat's OCR filter performs blob merging to reconstruct characters from disconnected components. Filling character strokes with tiled letter patterns evaded OCR filtering in 100% of tests (vs. 92% for tiled square patterns), because tiled letters distract the blob-merging stage into finding the letter tiles rather than the composed characters.
-
WeChat's OCR-based image filter converts images to grayscale using the luminosity formula (0.299r + 0.587g + 0.114b) before text recognition. All 150 test images with colored text on a luminosity-matched gray background evaded OCR filtering, while average and lightness formulas failed to evade filtering for most colors.
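The evasion follows directly from the formula: pick a gray background whose luminosity equals that of the text color, so the grayscale conversion erases the contrast. A minimal sketch:

```python
def luminosity(r, g, b):
    """The grayscale conversion observed in WeChat's OCR pipeline
    (luminosity formula, per the finding above)."""
    return 0.299 * r + 0.587 * g + 0.114 * b

def matched_gray(r, g, b):
    """Gray level that becomes indistinguishable from (r, g, b) after the
    luminosity conversion -- colored text on this background vanishes for
    OCR, while remaining readable in color to humans."""
    y = round(luminosity(r, g, b))
    return (y, y, y)
```

Because the three coefficients sum to 1.0, a gray pixel (y, y, y) maps to exactly y, so text and background collapse to the same value after conversion.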
-
WeChat normalizes uploaded images by their shortest dimension before blacklist comparison. Adding blank space equal to 50–200% of the longest dimension caused 4/5 wide images and 3/5 tall images to evade filtering; adding space along the shortest dimension never evaded filtering, consistent with a shortest-dimension resize hypothesis.
-
WeChat's visual-based image filter compares uploads against a specific blacklist using a perceptual similarity metric rather than ML classification. Semantic-preserving transformations — mirroring, cropping, adding whitespace — evaded all 15 tested blacklisted images, and images filtered visually were typically removed within 10 seconds, faster than OCR-filtered images (5–30 seconds).
-
WeChat's visual filter compares images as a whole rather than via a sliding window. Adding 3 or more duplicate copies of a blacklisted image to its canvas caused 8/10 images to evade filtering with no evasion attributable to compression artifacts (Figure A.13), whereas the blank canvas extensions that evaded filtering did so mostly through compression artifacts rather than the canvas change itself.
-
MultiFlow's tunnel operates as a virtual message board: the client and decoy router never exchange covert data within the same TCP connection. The decoy router uploads responses to a URI or email address specified by the client; the client downloads independently on a separate connection. This design eliminates the forged-packet and rewritten-traffic vectors that make TapDance and Rebound vulnerable to traffic analysis and decoy-host probing.
-
MultiFlow mitigates TLS termination attacks—where an adversary drops a connection after one data exchange—by having the client exfiltrate TLS session resumption information (219 bytes: 208-byte psk identity plus ticket metadata) to the decoy router. The decoy router can then resume a session with a different decoy host, establishing a new covert channel even if the original connection is severed, and amortizing per-session setup cost across multiple connections.
-
If an adversary replays captured client handshake traffic to a decoy host under adversary control, and the decoy router attempts to resume the client's session on that host, the adversary can infer that a decoy router is present on the path to the original decoy host. The paper identifies this as a residual probing vulnerability when the client does not encrypt the destination server to which resumption should be directed.
-
MultiFlow's stencil-coding capacity is constrained by TLS record sizes: hiding 1 byte per 16-byte block requires a 1568-byte TLS record to exfiltrate 98 bytes of key material. The paper notes that many websites' initial GET requests produce TLS 1.3 application records under 100 bytes, meaning MultiFlow would need to span multiple records or adopt the more efficient chosen-ciphertext steganography used by TapDance. No implementation exists at time of publication; session resumption from a different source IP was verified feasible using OpenSSL 1.1.1-pre2 and Scapy.
-
MultiFlow enables a tap-based decoy router to authenticate clients without inline traffic blocking by having the decoy router resume the client's TLS 1.3 session with the decoy host. The client embeds 112-byte sentinel values in the ClientRandom and key-share fields; the decoy router uses the exfiltrated 219-byte NewSessionTicket to perform the resumption. If the decoy host accepts the resumed session rather than falling back to a full handshake, the client is confirmed live.
-
For 1 MB files, even at a database of only 50,000 entries, PIR responses reach 73.1 MB per retrieval, making proof-of-censorship impractical for image or video streaming content providers. By contrast, for 256-byte (Twitter-like) messages the system remains workable at 10 million files with 8.0 MB queries and 2.0 MB replies, and stays roughly constant in reply size (2.0 MB) between 500k and 10 million files.
-
The proof-of-censorship scheme uses single-server computational PIR with homomorphic encryption so that the server, having signed both the PIR query hash and its reply, cannot selectively omit responses for a targeted file without returning garbage data. A client detecting the mismatch publishes the upload ticket, signed reply, and query seed as a compact, transferable cryptographic proof of censorship verifiable by any third party holding the server's long-term public key.
-
On a quad-core Intel Core i5 (3.30 GHz) against a database of 1 million 256-byte messages, the prototype produces a 3.8 MB PIR query (28 ms client-side generation) and a 2.0 MB proof requiring 2.8 s of server-side processing; third-party proof validation takes 52 ms, and the 120-byte upload ticket validates in 381 µs. All client-side operations are fast enough for smartphone or JavaScript implementations.
-
A censoring server cannot selectively withhold PIR responses for a targeted file while honestly answering others: if a PPT algorithm A could distinguish targeted-file queries from all other queries, it would directly violate the query privacy of the underlying PIR scheme. The server's only compliant evasion strategy is an indiscriminate shutdown — refusing all queries or all signatures — which is behaviorally distinguishable and does not produce a plausible-deniability defense.
-
Proofs of censorship are transferable and persistent: even if a content provider restores a censored file, previously generated proofs remain cryptographically valid and can serve as a reputation mechanism, a trigger for smart-contract financial penalties (e.g., Ethereum bonds), or mandatory disclosures to transparency databases such as Lumen, enabling accountability for transient or temporally-selective censorship that current transparency reports cannot capture.
-
Information Gain feature selection from 408 candidates identified informal language markers (informal, nonflu, swear), Chinese modal and general particles signaling mood and relational framing, and physical-feeling words used metaphorically as the top predictors of censored Weibo content — all with statistically significant differences between censored and uncensored classes.
-
A Naive Bayes classifier built on 17 LIWC-derived and keyword features achieved 79.34% accuracy (10-fold cross-validation) predicting censorship of Sina Weibo posts, with precision 0.80 and recall 0.85 for the censored class — outperforming all single-domain feature sets including the full 408-feature combination (0.69 accuracy).
-
A 598-term sensitive-keyword blacklist (sourced from Wikipedia and China Digital Times) achieved only 53% classification accuracy on Weibo censorship — below the 66% achieved by punctuation features alone — and appeared in only 31 of 152 uncensored posts versus 60 of 192 censored posts, confirming keywords are not the primary driver of platform censorship decisions.
-
Sentiment analysis features (Baidu and Boson tools) achieved only 57% accuracy individually; censored posts averaged 53.9% negative sentiment (General model) versus 49.3% for uncensored — a difference too small to be operationally useful — indicating that sentiment polarity does not reliably distinguish censorable content from permitted content on Weibo.
-
Across 85,421 Cloudflare-hosted domains crawled from five vantage points, 524 websites employed country-based blocking (Cloudflare error 1009). Ukraine (VPN) received 313 geo-blocks while Scotland (same VPN provider) received only 175, suggesting that IP/ASN reputation or exit-node characteristics cause significant variation in observed blocking rates even when controlling for the access method.
-
Because a disproportionate number of Tor exit nodes are located in the EU, GDPR-motivated blanket blocking of EU IP ranges creates collateral access restrictions for Tor users globally. This illustrates that privacy-protective legislation and censorship-circumvention infrastructure can have directly competing effects when server-side enforcement is implemented via coarse geographic IP filtering.
-
After GDPR took effect on May 25, 2018, 74 websites that had previously served all three EU vantage points (London, Sofia, Frankfurt) began blocking them; 40 returned explicit 'Blocked due to GDPR' blockpages with HTTP 403, 7 used HTTP 451 Unavailable For Legal Reasons, and all 47 sites with explicit blockpages were local news outlets.
-
Ukraine and Scotland both used the same VPN provider yet Ukraine received 1,874 CAPTCHA challenges vs. 309 for Scotland, and 1,519 browser verification challenges vs. 1,091 — a roughly 6× and 1.4× difference respectively. Only Ukraine was flagged as a VPN or Tor node by OctoNet's HTTP filter, indicating that IP/ASN reputation drives security-motivated blocking independently of the transport protocol used.
-
The paper enumerates at least eight distinct non-censorship motivations for server-side geo-blocking — economic sanctions, third-party liability (SESTA), copyright, GDPR compliance, security/fraud concerns, hosting costs, revenue optimization, and misconfiguration — each of which can produce the same observable signals (403 blockpages, DNS failures, TCP resets) as government censorship. Naive measurement methods that treat all location-based unavailability as censorship will produce systematic false positives.
-
Across all tested countries, circumvention and anonymization tools are the most consistently blocked category: www.hotspotshield.com is blocked in 5 of 13 detected censoring countries, and three Tor Project properties (bridges.torproject.org, www.torproject.org, ooni.torproject.org) each appear in the top-10 most broadly blocked domains. Collateral damage is also documented — Iran blocks psiphonhealthyliving.com as a substring match for the psiphon.ca circumvention domain.
-
By comparing echo-server (bidirectional) versus discard-server (inbound-only) results across 11 censoring countries, Quack finds that only 4 countries (China, Egypt, Jordan, Turkey) also block inbound traffic; the remaining 7 apply DPI exclusively to outbound data. Direction-sensitive blocking is a confirmed capability of deployed middleboxes.
-
Quack's echo-server technique achieves vantage-point coverage of 4,458 autonomous systems across 184 countries — nearly an order of magnitude more than OONI's 678 ASes in 113 countries — while processing over 500 domain-server pairs per second from a single measurement machine. The public IPv4 space contains over 50,000 active echo servers daily, with 47,276 stable over 24 hours.
-
Iran's number of blocked domains increases from 25 (HTTP keyword blocking) to 374 (TLS SNI-based blocking) — a 15× increase — with the newly blocked domains shifting composition to predominantly News, Human Rights, and Anonymization tools. This demonstrates that Iran maintains a distinct, more aggressive SNI blocklist for HTTPS traffic that is largely invisible to HTTP-only measurement.
-
Stateful DPI disruption in censoring countries disengages within approximately 100 seconds in 99.9% of observed cases, with roughly 50% of servers recovering within 60 seconds. A 2-minute empirically determined delay is sufficient to distinguish stateful per-connection blocking from persistent blocking when retrying with innocuous payloads against the same server.
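The retry logic this implies can be sketched as follows; the probe function, injection of the sleep callable, and return labels are illustrative, while the 2-minute delay comes from the finding above:

```python
import time

def classify_blocking(probe_innocuous, sleep=time.sleep, delay=120):
    """Distinguish stateful per-connection DPI disruption from persistent
    blocking. probe_innocuous() retries the same server with a benign
    payload and returns True on success. Sketch of the implied logic, not
    the paper's measurement code."""
    sleep(delay)              # wait out the ~100 s stateful disengagement window
    if probe_innocuous():
        return "stateful"     # DPI reset only the offending flow; server fine
    return "persistent"       # server/IP remains unreachable regardless of payload
```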
-
DeltaShaper embeds covert TCP/IP data into Skype's encrypted video stream using a virtual camera interface, treating Skype as a black box rather than mimicking its protocol. This approach provides active-attack resistance by design: any in-path perturbation affects covert and legitimate streams identically, because real Skype software processes both. The system achieves a goodput of 2.56 Kbps (with Reed-Solomon ECC) or 3.12 Kbps (without ECC) at optimal encoding parameters (320x240 area, 8x8 cell size, 6 bits/cell, 1 fps), with RTT of approximately 3 seconds.
-
Packet-length frequency distributions reliably distinguish regular Skype calls from irregular streams using Earth Mover's Distance (EMD): regular streams consistently produce EMD < 0.1 against a reference stream, while irregular streams range from 0.025 to 0.25. At the breakeven threshold ∆I = 0.066, an EMD classifier achieves 83% accuracy (equal sensitivity and specificity). An aggressive policy (∆A) blocks 95% of legitimate calls to catch all irregular streams; a conservative policy (∆C = 0.11) passes 80% of irregular streams to avoid false positives.
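For one-dimensional histograms over a shared set of bins, EMD reduces to the L1 distance between the cumulative distributions, which makes the classifier cheap to compute. A minimal sketch (unit bin spacing assumed; DeltaShaper's exact binning is not specified here):

```python
def emd_1d(p, q):
    """Earth Mover's Distance between two 1-D packet-length frequency
    distributions defined over the same bins (each summing to 1). In 1-D,
    EMD equals the L1 distance between the CDFs, assuming unit bin width."""
    assert len(p) == len(q)
    cdf_diff, total = 0.0, 0.0
    for pi, qi in zip(p, q):
        cdf_diff += pi - qi      # running difference of the two CDFs
        total += abs(cdf_diff)
    return total
```

A censor would then threshold this value against a reference stream, e.g. flagging flows with `emd_1d(flow, reference) > 0.066` under the breakeven policy.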
-
Encoding parameters must be jointly tuned to remain unobservable: only specific combinations stay below the intermediate blocking threshold ∆I. Valid configurations at 1 fps include (160x120, 4x4) and (320x240, 8x8) areas/cell sizes; increasing frame rate above 1 fps pushes EMD above ∆ for all multi-bit encodings. As bits per cell increase, video compression introduces more decoding errors — error rates become unacceptable above 6 bits/cell for the (320x240, 8x8) configuration, yielding the candidate encoding: 320x240 area, 8x8 cells, 6 bits/cell, 1 fps.
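The raw embedded bitrate implied by those parameters is a one-line calculation (assuming capacity = cells × bits/cell × fps; the gap to the reported 2.56-3.12 Kbps goodput is consumed by Reed-Solomon ECC and framing, a breakdown inferred here rather than stated above):

```python
def raw_capacity_bps(width, height, cell, bits_per_cell, fps):
    """Raw embedded bitrate for a DeltaShaper-style cell encoding, before
    ECC and framing overhead. Assumes the payload area is tiled with
    cell x cell blocks, each carrying bits_per_cell bits per frame."""
    cells = (width // cell) * (height // cell)
    return cells * bits_per_cell * fps

# Selected configuration: 320x240 area, 8x8 cells, 6 bits/cell, 1 fps
# -> 40 * 30 cells * 6 bits = 7200 raw bits/s.
```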
-
Across eight combinations of traffic features (packet length, bi-gram packet length, inter-packet time, bi-gram inter-packet time) and two similarity metrics (EMD, KS), adversarial classification accuracy against DeltaShaper streams ranges from 72–90% in unperturbed conditions. Bi-gram inter-packet times with EMD achieves 88% accuracy, matching packet-length/EMD, but requires roughly 10x the computation (~64s vs ~6s). Bandwidth throttling to 300 Kbps degrades classifier accuracy from 88% to 75%, but also drops Skype frame rate from 30 to 5 FPS, creating collateral damage that limits censor deployment of throttling as a detection aid.
-
FreeWave, the VoIP-based predecessor, was vulnerable to passive traffic analysis because its covert Skype streams exhibited packet-size distributions different from legitimate calls, enabling detection with high probability. DeltaShaper's video-based approach with EMD-constrained encoding addresses this specific failure mode, but at a severe throughput cost: FreeWave achieves 18.75 Kbps vs DeltaShaper's 2.56–3.12 Kbps goodput. Competing systems benchmark: CovertCast ~168 Kbps (no unobservability constraints), Castle 3.48 Kbps, SkypeLine 0.064 Kbps, Rook 0.024–0.04 Kbps.
-
The Lavinia audit protocol is designed so that auditors are cryptographically indistinguishable from ordinary readers: an auditor cannot reveal her status to a server without forfeiting her own payment, and servers are therefore forced to serve content in response to every request. Any reader may additionally claim to be an auditor, and servers cannot verify such claims, further preventing selective serving.
-
The burn contract mechanism defends against deliberate auditor-chain termination attacks, in which a malicious actor poses as an auditor and refuses to post her secret, preventing all subsequent auditors from performing their audits. If the previous auditor fails, the current auditor can burn both her predecessor's payment and her own, receive a small fraction of those funds as incentive, and forward the chain secret to the next auditor — preventing a single compromised link from collapsing the entire revenue stream for a document.
-
Lavinia requires its underlying payment system to satisfy four properties for suitability in censorship-resistant contexts: (1) coercion-resistance through geo-political distribution or anonymization, (2) redeemable with a distributable secret, (3) time-locked escrow preventing early redemption, and (4) an append-only public log. The paper demonstrates that Bitcoin satisfies all four properties, with Zerocash extensions providing payment anonymization to prevent linking payments to specific documents.
-
Theorem 1 proves a dominant strategy Nash equilibrium in which all rational servers honestly store and serve all files, subject to the constraint that per-server audit payment exceeds routing cost and file-serving payment exceeds storage cost. At 2017 prices, storage hardware cost approximately $0.03/GB and bandwidth cost approximately $0.03/GB, so the minimum per-file hosting payment must exceed (η + BR) × $0.03/GB × |f|.
-
Lavinia allows a publisher to publish content, submit payments, and then cease all interaction with the system — continued document availability is not contingent on the original publisher remaining online or reachable. This specifically protects against out-of-band coercion tactics such as rubber-hose cryptanalysis in the case that the publisher is captured or prosecuted.
-
32 of 108 identified censoring ASes leak their censorship policies to other ASes, and 18 leak to other countries. Sweden's AS1299 leaked censorship to 9 countries including the United States, Ukraine, and Singapore; China's AS4812 leaked to 5 countries. Censorship leakage occurs when a transit AS implements filtering that affects traffic for users outside the censor's jurisdiction.
-
Censors in Russia, Iran, and India implement all three measured censorship techniques simultaneously: block pages, RST injection, and TTL anomalies. Iran and Cyprus censoring ASes censor content across many URL categories (including General News, Internet Services, Pornography, Gambling), while most other censoring ASes restrict only a few category types.
-
Network-level path churn is critical for censor localization: 25%, 30%, 38%, and 67% of ICLab source-destination pairs observe distinct AS-level path changes over periods of one day, week, month, and year respectively. Without path churn, nearly 90% of constructed CNFs return five or more solutions (ambiguous), compared to less than 2% when multiple distinct paths are included.
-
Combining boolean network tomography with BGP path churn from the ICLab platform identifies 108 censoring ASes located in 49 countries across 4.9M measurements, reducing the candidate set of potential censoring ASes by 97% on average. 97.9% of constructed SAT CNFs return exactly one solution enabling exact AS-level censor identification, with less than 0.7% returning no solution.
-
Splitting measurement data by individual URL and time granularity (day, week, month) is necessary for SAT solvability: coarser time granularity reduces solvability because censorship policies change and noise accumulates, producing unsolvable CNFs. The authors solved 34,298 CNFs in total, each averaging 43 clauses and 17.41ms to solve using an off-the-shelf SAT solver (picosat).
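The encoding behind these CNFs is straightforward: each measurement over a known AS path yields one clause, with a censored path requiring at least one on-path AS to be a censor and a clean path requiring that none are. A toy brute-force version over a small AS universe (the paper used picosat on real CNFs):

```python
from itertools import product

def localize_censors(paths):
    """Toy boolean network tomography. paths is a list of
    (as_list, censored) observations; returns every censor-set assignment
    consistent with all of them. Brute force over a small AS universe;
    the paper encoded the same constraints as CNF for a SAT solver."""
    universe = sorted({a for ases, _ in paths for a in ases})
    solutions = []
    for bits in product([False, True], repeat=len(universe)):
        censors = {a for a, b in zip(universe, bits) if b}
        consistent = all(
            (len(censors & set(ases)) > 0) == censored
            for ases, censored in paths
        )
        if consistent:
            solutions.append(censors)
    return solutions
```

The path-churn point is visible even at this scale: a single censored path over {A, B, C} admits seven consistent censor sets, but adding one clean observation over a distinct sub-path collapses the answer to a unique AS.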
-
High-power seed domains including uyghuramerican.org, dw.com, hrw.org, and eastturkistaninfo.com each produced TF-IDF descriptive tags that led to discovery of more filtered URLs from other domains than the total number of URLs crawled from those seeds themselves. Content-category analysis of the 1,355 poisoned domains showed filtering-avoidance tools, news, educational content, and human-rights sites among the most heavily targeted categories.
-
Sending DNS queries to eight non-DNS IP addresses within the Chinese IP range reliably detects GFW DNS poisoning: any response indicates the censor intercepted and replied to the query, since a legitimate non-DNS server would not respond. This external vantage-point technique discovers poisoned domains without in-country volunteers or local infrastructure.
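The probe itself is just a standard DNS query aimed at a host that runs no resolver. A minimal sketch of the wire-format construction (RFC 1035; the transaction ID and recursion-desired flag are ordinary choices, not details from the paper):

```python
import struct

def build_dns_query(domain, txid=0x1234):
    """Build a minimal DNS A query in RFC 1035 wire format. Sent over UDP
    to a non-DNS IP inside the Chinese address space, ANY response
    implies on-path injection, since the addressed host would never
    answer a DNS query itself."""
    # Header: ID, flags (RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels, terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode() for label in domain.split(".")
    ) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question
```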
-
Approximately 95% of the 115,337 filtered URLs discovered in China were concentrated in just 15 large domains; the overall hit rate across the full crawl was 4.11 poisoned domains per 1,000 domains crawled. This concentration means aggregate filtered-URL counts in existing lists are dominated by a few major platforms while the broader tail of blocked domains remains largely undiscovered.
-
FilteredWeb discovered 1,355 DNS-poisoned domains and 115,337 filtered URLs in China through 54,000 web searches by February 2017 — 30 times more poisoned domains than the most widely-used published filter list (Citizen Lab, which identified 44 domains). Of the 1,355 domains, 759 fell outside the Alexa Top 1,000, demonstrating that automated search-based discovery surfaces obscure filtered content missed by manual and volunteer-driven lists.
-
The classifier uses a 3,000-dimension binary vector recording which upstream and downstream packet sizes appear across the full session, combined with aggregate biflow statistics (total packets, burst length, transmission time, incoming/outgoing fractions). This packet-size histogram is the highest-dimensionality feature in the set.
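One plausible construction of that vector, assuming 1,500 possible sizes per direction (the paper states only the dimensionality and the upstream/downstream split; the index layout here is an assumption):

```python
MAX_SIZE = 1500  # assumed packet-size range per direction (1..1500 bytes)

def size_presence_vector(up_sizes, down_sizes):
    """Binary presence vector over observed packet sizes: dimensions
    0-1499 mark upstream sizes, 1500-2999 downstream. Records only which
    sizes appear in the session, not how often."""
    v = [0] * (2 * MAX_SIZE)
    for s in up_sizes:
        if 1 <= s <= MAX_SIZE:
            v[s - 1] = 1
    for s in down_sizes:
        if 1 <= s <= MAX_SIZE:
            v[MAX_SIZE + s - 1] = 1
    return v
```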
-
The authors trained on 1 GB of captured Shadowsocks traffic and 1 GB of non-Shadowsocks traffic from a single host, then tested on over 1 GB of each from 26 randomly selected hosts. The cross-host generalization of the model is demonstrated but no explicit false-positive or false-negative rates are reported.
-
A Random Forest classifier with 100 CART trees and a sqrt(C) feature-selection strategy achieves over 85% accuracy detecting Shadowsocks traffic from biflow statistics. Accuracy increases monotonically with train-set and test-set size before plateauing.
-
Shadowsocks traffic appears as ordinary TCP with no payload keywords or obvious protocol markers because the entire payload is encrypted; firewalls cannot distinguish it from generic TLS without behavioral flow analysis. This makes signature- and keyword-based detection ineffective against it.
-
The paper identifies that Shadowsocks can also serve as a transport layer for Tor and VPN connections, meaning a Shadowsocks flow detector functions as a first-stage classifier that unmasks compounded anonymity systems. The authors explicitly cite this as a motivation for detection.
-
Without per-site connection limits, popular decoy hosts risk resource exhaustion (Apache's default cap is 150 simultaneous connections); enforcing an initial limit of 30 concurrent clients per site—coordinated across stations via a central collector—kept the median site load at ~5 simultaneous clients, with the 99th-percentile site peaking at 37 after the limit was raised to 45.
-
Filtering candidate decoy sites by a minimum 15 KB TCP window eliminated 24% of the initial ~5,500 HTTPS hosts; a 30-second HTTP-timeout floor eliminated a further 11%; and AES-128-GCM cipher-suite support requirements eliminated an average of 32%—together reducing the viable decoy-site pool by approximately 55% before any live reachability tests.
-
The one-week trial served over 50,000 unique users (peak daily count: 57,000) with up to 4,000 concurrent sessions simultaneously, demonstrating that a four-station refraction deployment co-located at two mid-sized network operators can support tens of thousands of real censored users.
-
The trial explicitly obtained no evidence about TapDance's resistance to adversarial censor countermeasures: its scale and duration were judged small enough that censors likely did not observe it, leaving theoretical censorship-resistance claims unvalidated against active blocking responses.
-
TapDance was deployed on four ISP uplinks (two 40 Gbps, two 10 Gbps) using commodity 1U servers running a Rust/PF_RING zero-copy implementation; CPU load remained below 25% while handling a peak of ~14,000 new TLS connections per second across 34 cores, with cumulative mirrored traffic peaking at 55 Gbps across all stations.
-
Approximately 10% of respondents (n=23) held uncertain or incorrect beliefs about which actor was responsible for a given block, systematically conflating government censorship with geoblocking, paywalls, and platform-side restrictions. This misidentification cascaded into inappropriate tool selection and inaccurate risk assessment: users who could not distinguish state blocking from licensing restrictions could neither choose the right circumvention tool nor accurately gauge the legal jeopardy of accessing the content. Respondents specifically requested a pre-visit blocking-actor classification tool.
-
Nearly 70% (n=160) of respondents reported self-censoring online for fear of the law. Frequency of exposure to blocked content was a statistically significant, ordered predictor of self-censorship (Goodman-Kruskal's gamma = 0.421, 95% CI [0.247, 0.595], p < 0.05), with self-censorship increasing monotonically as exposure to blocked content increased. Notably, self-censorship rates did not differ significantly between respondents inside and outside Thailand, suggesting the chilling effect extends beyond the reach of domestic ISP-level blocking.
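Goodman-Kruskal's gamma, the ordinal measure used above, is computed from concordant and discordant pairs. A minimal sketch on (x, y) observations (standard definition; ties contribute to neither count):

```python
def goodman_kruskal_gamma(pairs):
    """Gamma for two ordinal variables given (x, y) observations:
    (concordant - discordant) / (concordant + discordant).
    Pairs tied on either variable are excluded from both counts."""
    conc = disc = 0
    for i in range(len(pairs)):
        for j in range(i + 1, len(pairs)):
            dx = pairs[i][0] - pairs[j][0]
            dy = pairs[i][1] - pairs[j][1]
            if dx * dy > 0:
                conc += 1
            elif dx * dy < 0:
                disc += 1
    return (conc - disc) / (conc + disc)
```

A gamma of 0.421 thus means concordant pairs (more exposure, more self-censorship) outnumber discordant ones by roughly 2.5 to 1 among untied pairs.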
-
Of 229 Thai Internet users surveyed, 63% (n=144) had attempted to circumvent censorship, and of those, roughly 90% (n=132) reported success using VPNs (32.64%), proxies (32.64%), or Tor (23.61%). Failures were isolated to proxies (n=2), VPNs (n=2), and alternative searches (n=3), indicating that existing circumvention tools were technically adequate but that availability and comprehensibility—not raw capability—were the binding constraints on user success.
-
Users in Thailand relied on incident-driven tool selection—running a fresh Google search for a proxy or VPN each time they hit a block—which the paper identifies as a systematic vulnerability: the Thai Royal Police exploited this pattern after the 2014 coup by linking a phishing application to a government block page, harvesting email addresses and gaining application-level access to Facebook profile information. The paper further notes that orchestrated stricter censorship could drive users to a government-operated malicious tool.
-
Social media—primarily Facebook—was the dominant venue for direct, experienced threats: 9 of 15 respondents who had content blocked reported being censored on Facebook, and respondents observed that government censorship was shifting away from website blocking toward social media surveillance precisely because social media platforms are 'hard to block.' Respondents lacked any effective technical defenses against peer reporting, group-administrator censorship, and intermediary liability; they relied instead on social management strategies such as abbreviating references to royalty, running 'trial posts,' and self-censoring likes and shares.
-
The 30 key ASes computed from globally popular sites also intercept over 90% of paths to country-specific popular sites in nine censorious nations (China, Venezuela, Russia, Syria, Bahrain, Pakistan, Saudi Arabia, Egypt, Iran), covering 93.3% of paths to the top-50 country-specific sites. The same key AS set remained stable across repeated experiments conducted four months apart, suggesting durability over time.
-
Only ~30 ASes intercept more than 90% of paths to popular websites globally, regardless of the target destination set (Alexa top-10 through top-200). The top 2 ASes alone (AS3356 Level-3 Communications and AS174 Cogent) intercept 45.1% of all 4,497,547 paths to Alexa top-100 sites; the full set of 30 intercepts 92.4%. This is approximately 30× fewer ASes than prior work required for a single adversary country (858 ASes for China alone).
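The key-AS selection described above can be illustrated by a greedy frequency count: repeatedly pick the AS appearing on the most not-yet-intercepted paths until the coverage target is met. This is a sketch in the spirit of the paper's frequency-based method, not its exact algorithm; the AS paths below are toy data.

```python
from collections import Counter

def key_ases(paths, coverage=0.9):
    """Greedily choose ASes until `coverage` of all paths transit a chosen AS.
    Assumes loop-free AS paths (no repeated AS within a path)."""
    remaining = [p[:] for p in paths]
    target = coverage * len(paths)
    chosen = []
    while len(paths) - len(remaining) < target and remaining:
        counts = Counter(asn for p in remaining for asn in p)
        best, _ = counts.most_common(1)[0]       # most frequent uncovered AS
        chosen.append(best)
        remaining = [p for p in remaining if best not in p]
    return chosen

# Toy AS-level paths toward popular destinations (AS numbers illustrative;
# 3356 and 174 deliberately appear on many paths, echoing the finding).
paths = [
    [1, 3356, 10], [2, 3356, 10], [4, 174, 3356, 11],
    [5, 174, 12], [6, 174, 12], [7, 9498, 13],
]
print(key_ases(paths))
```

On real data the paper reports this kind of frequency ranking converging on ~30 ASes for >90% coverage, versus the 858 required by cone-based selection for China alone.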
-
If China attempts the Routing-Around-Decoys (RAD) attack by blackholing paths that transit the 30 key ASes, 92.25% of all paths transiting Chinese ASes (306,874 of 332,742) originate at ASes outside China, making such filtering self-defeating through severe collateral damage to foreign transit customers. The 30 key ASes cover 98.8% of paths from Chinese ASes to globally popular destinations and at least 80% for nearly all adversary countries studied.
-
Customer-cone size — the AS selection metric used by prior work (Houmansadr et al. 2014) — is poorly correlated with actual path frequency (Spearman rank correlation = 0.2). 33.17% of paths to Alexa top-100 prefixes traverse 1-hop customers of the largest-cone AS (AS3356, cone size 24,553) without transiting AS3356 itself, showing that cone-based heuristics systematically misidentify which ASes actually carry traffic.
-
Router-level mapping of the 30 key ASes reveals that 11,709 individual routers must be replaced with Decoy Routers (non-censorious ASes only), at a hardware cost exceeding $10.3 billion USD. Individual large ASes require hundreds to over 1,600 router replacements (e.g., AS3356 needs 576, AS209 Qwest Communications needs 1,662). Even targeting the weakest adversary studied, Syria (containable by 3 ASes at AS level), requires 1,117 DRs.
-
Only 4 Indian ASes are needed to intercept >90% of AS-level paths from all Indian ASes to censored sites; 10 ASes cover ~95% of paths. Fewer than 5,000 edge routers spread across those ASes would suffice for nationwide IP filtering, with ~70% of those routers belonging to just two private ISPs (Bharti Airtel AS9498 and Tata Comm. AS4755).
-
Any one of five Indian ASes — each needing control of only its BGP-speaking routers — can individually censor traffic for all ~896 Indian ASes via IP prefix hijacking. For example, AS4755 (Tata Comm.) fake advertisements can impact 955 ASes total (896 Indian + 41 foreign); AS9730 (Bharti Telesonic) requires as few as 7 edge routers to execute such an attack.
-
If India deployed centralized filtering at its key ASes, approximately 121,931 foreign-origin paths (1.15% of all Internet paths to censored sites worldwide) that transit Indian ASes would experience collateral blocking, affecting non-Indian users in Finland, Hong Kong, Singapore, Malaysia, the US, and elsewhere who have no connection to Indian censorship law.
-
Eight Indian ASes can collectively intercept 99.14% of AS-level paths connecting all Indian ASes to DNS resolvers, including GoogleDNS and OpenDNS; 4,906 routers across these 8 ASes suffice to launch DNS injection attacks covering the entire country. The same 8 ASes also appear among the 10 key ASes identified for IP filtering.
-
India's federated censorship model — each ISP independently enforces government blacklists — produces dramatically inconsistent filtering: Airtel censored only 1 of 50 pornographic sites probed, while MTNL censored 45 of 50; Reliance Jio censored 0 sites across all 540 test URLs. A well-informed user can escape censorship through a judicious choice of ISP.
-
A CAPTCHA-gated registration scheme with sequences of reCAPTCHAs at random intervals and short solve windows limits automated censor deployment. With 5 minutes spent per registration, a human adversary working non-stop for 24 hours can create at most 288 censors; combined with a 12-hour registration reset cycle, this bounds the adversary's censor accumulation rate.
-
For complete blockage (>99%) over 10 hours, the adversary requires a swarming ratio of 12.8, translating to 128,000 censors against a single server with 10,000 CoAs. Scaling to a 10-server, 10-interface deployment forces the adversary to operate 106,700 humans in parallel; with a 5-minute CAPTCHA registration and a 12-hour reset cycle, achieving complete blockage within 10 hours requires 1,067 non-stop human operators in the first two hours.
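The bounds in this and the preceding finding can be reproduced from the stated figures; the per-operator registration rate (12/hour from the 5-minute CAPTCHA) and the 10 × 10 scale factor are my reading of how the paper's numbers combine.

```python
# Registration throughput bound from the CAPTCHA-gated scheme.
minutes_per_registration = 5
per_hour = 60 // minutes_per_registration   # 12 censor registrations/hour/human
per_day = 24 * per_hour                     # 288, the daily cap per human

# Complete blockage (>99%) in 10 h of a 10-server, 10-interface deployment:
# swarming ratio 12.8 x 10,000 CoAs per server, scaled by 10 servers x 10 interfaces.
censors_needed = int(12.8 * 10_000) * 10 * 10
operators = round(censors_needed / (per_hour * 10))  # registering non-stop for 10 h

print(per_day, censors_needed, operators)  # operators ~ the paper's 106,700
```

The operator count lands within rounding of the paper's 106,700, which suggests this is the intended arithmetic.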
-
A credit-based accounting method dynamically assigns users to larger groups as their trust score accumulates (credit increases by G−1 per unblocked interval), requiring a user's credit to be twice the group's risk before joining. This reduces the total number of CoAs needed while making it costly for censor agents to infiltrate large groups, since they must wait through many clean intervals before the group reaches exploitable size.
-
A proof-of-concept Linux prototype using UMIP (open-source MIPv6) with three routers and five commodity machines (2.4GHz Intel Core 2 Duo, 4GB RAM) demonstrated correct CoA rotation every 10 seconds. Signaling overhead was reduced to one-third of standard MIPv6 by eliminating return routability messages; per-packet transmission overhead was 24 bytes (IPsec ESP), identical to the baseline secure-channel cost, yielding zero net overhead attributable to the MTD mechanism.
-
The MI-MTD framework uses Mobile IPv6 Care-of Addresses (CoAs) rotated among randomized user groups every shuffling interval. With 1,000,000 users, 5,000 censors, and 10,000 CoAs (swarming ratio φ=0.5), per-interval access probability is 60.88%; over one minute with 10-second shuffling intervals, blocking probability drops to approximately 0.358%, meaning users retain ~99.6% chance of access.
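The one-minute blocking probability follows directly from the per-interval figure: a user is blocked for the whole minute only if blocked in every one of the six 10-second intervals. A minimal check of the arithmetic:

```python
p_access = 0.6088            # per-interval access probability (from the paper)
intervals = 60 // 10         # six 10-second shuffling intervals per minute

# Blocked for the full minute = blocked in every interval (assuming
# independence across shuffles, as the paper's model does).
p_blocked_minute = (1 - p_access) ** intervals
print(f"{p_blocked_minute:.3%}")   # ~0.358%, i.e. ~99.6% chance of access
```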
-
Ad server domains are structurally immune to censor blocking due to collateral-damage risk: Google DoubleClick is embedded in 1,843,854 publisher sites and PubMatic in 215,046, making IP-blocking of these domains prohibitively costly for any censor. Measurements of Alexa top-10K confirm the top 20 ad servers handle more than 75.6% of all ad requests.
-
82.2% of ad requests from Alexa top-500 websites are sent over HTTPS (Table 2), encrypting the HTTP Referer field. This prevents censors from correlating a user's direct-path ad request back to a censored publisher domain in the vast majority of cases; only the remaining 17.8% of HTTP ad requests are vulnerable to Referer-based traffic analysis.
-
Relay-based circumvention severely degrades ad relevance: across Alexa top-500 uncensored sites, the overlap between ad sets fetched via Tor and the direct-path ground truth averaged only 28%, with near-zero overlap for sites serving geo-targeted ads. For blocked sites, only ~16% of ads shown via Tor were in the user's language.
-
ADVENTION's split-path design — fetching publisher content via relay and ad requests via the direct path — raises average ad-set overlap from 28% (Tor) to 70%; combining ADVENTION with Intelligent Relay Selection (language-matched relay) further increases average overlap to ~80%. For blocked sites, ADVENTION with IRS raised ad relevance from ~16% to 100%.
-
ADVENTION provides up to 47% improvement in average page load time (PLT) compared to Tor, because ad requests — which are often on the critical rendering path — are served over the direct channel rather than through the relay. The exact improvement depends on webpage structure and bottleneck resources.
-
Of the 55 filters that inspected the HTTP Host header, 26 keyed only on the first Host header in a multi-Host request, 27 keyed only on the last, and only 2 examined both. Placing a benign Host header in the position the filter reads and the blocked URL in the other position bypassed the filter, and this divergence in behavior tracks RFC 7230's requirement to reject multi-Host requests with a 400 error — which none of the tested filters implemented.
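The divergence can be sketched by building a (RFC-violating) two-Host request and modeling the two filter behaviors; hostnames below are placeholders, and `host_seen_by` is a hypothetical model of the filters, not real filter code.

```python
def build_request(path, hosts):
    """HTTP/1.1 GET with multiple Host headers -- invalid per RFC 7230,
    which requires a 400 response; none of the tested filters sent one."""
    lines = [f"GET {path} HTTP/1.1"] + [f"Host: {h}" for h in hosts]
    return "\r\n".join(lines) + "\r\n\r\n"

def host_seen_by(request, strategy):
    """Model a filter that keys on only the first or only the last Host header."""
    hosts = [line.split(":", 1)[1].strip()
             for line in request.split("\r\n") if line.lower().startswith("host:")]
    return hosts[0] if strategy == "first" else hosts[-1]

# Benign host in the slot the filter reads, blocked host in the other slot:
req = build_request("/", ["example.com", "blocked.example.net"])
assert host_seen_by(req, "first") == "example.com"
assert host_seen_by(req, "last") == "blocked.example.net"
```

A client thus evades a first-Host filter by leading with a benign Host, and a last-Host filter by trailing with one.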
-
HTTP GET fuzzing via subtle token modifications bypassed large fractions of filters: removing the `\r\n` before the Host header bypassed 36–38 of 44 Host-header filters; embedding the censored URL in the middle of a long hostname string bypassed 33–35 filters; placing the URL in an after-Host field with a non-empty Host bypassed 29–36 filters. Blacklist coverage was also weak: no filter blocked all 100 of the Alexa top adult sites, and some blocked as few as 31.
-
Among the 44 non-DNS filters, 11 did not reassemble TCP segments and 7 did not reassemble IP fragments before inspection, meaning a censored URL split across segment or fragment boundaries evaded detection. Five filters applied fragment/segment reassembly timeouts of under 2 seconds despite maintaining HTTP request state for more than 8.5 seconds, creating a window where a deliberately fragmented flow with artificial delay avoids inspection entirely.
-
Autosonda classified 76 commercial web filters in the NYC metropolitan area into three categories: 21 (27.63%) performed DNS blacklist filtering, 44 (57.89%) matched on the HTTP Host header of GET requests, and 11 (14.47%) performed a DNS lookup of the Host header value and blocked based on the resulting IP. Autosonda found circumvention paths for 100% of filters tested.
-
All 76 filters inspected only TCP traffic: sending the identical HTTP request over UDP bypassed censorship 100% of the time. Additionally, 17 of the 49 filters that censored requests to EC2 servers only inspected traffic on port 80 and passed through the same requests sent to port 9900 without modification. No filter triggered on URI query strings, so appending query parameters to any censored URL bypassed every tested filter.
-
Chinese mobile games widely implement keyword censorship client-side — blacklists were found embedded in plain text, XML, JSON, compiled Lua, compiled C++, and encrypted formats requiring reverse engineering to extract. The client-side implementation exposed 132 keyword lists from 113 different games in the first experiment alone. Games must submit their blocked keyword list to regulators (MOC/SAPPRFT) to obtain a publication license, making keyword filtering a regulatory compliance artifact rather than purely an operational choice.
-
Analysis of over 183,111 unique keywords collected from 200+ Chinese mobile games found no central state or provincial authority controlling keyword list generation. The only consistently significant predictors of keyword list similarity were whether games shared the same developer (Mantel r=0.17, p<0.001) or publisher (r=0.15, p<0.001); city, province, and genre showed no significant correlation (p>0.58). This indicates Chinese companies have substantial flexibility in determining which content to block under the 'self-discipline' intermediary liability framework.
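The Mantel-style analysis can be sketched with stdlib code: correlate pairwise keyword-list similarity (Jaccard here; the paper's similarity metric may differ) against a same-developer indicator, with significance from permuting game labels. Keyword lists and developer labels below are entirely made up.

```python
import random
from itertools import combinations

def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs) ** 0.5
    vy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (vx * vy)

def mantel(lists, developers, permutations=1000, seed=0):
    """Simplified Mantel test: r between list similarity and a
    same-developer indicator; p from permuting which game has which label."""
    idx = list(range(len(lists)))
    pairs = list(combinations(idx, 2))
    sim = [jaccard(lists[i], lists[j]) for i, j in pairs]
    def indicator(order):
        return [1.0 if developers[order[i]] == developers[order[j]] else 0.0
                for i, j in pairs]
    r = pearson(sim, indicator(idx))
    rng, hits = random.Random(seed), 0
    for _ in range(permutations):
        perm = idx[:]
        rng.shuffle(perm)
        if pearson(sim, indicator(perm)) >= r:
            hits += 1
    return r, hits / permutations

# Toy data: four developers, two games each, overlapping blocklists within
# a developer and disjoint ones across developers.
lists = [
    ["cheat-tool", "gold-seller", "rmt"], ["cheat-tool", "gold-seller", "bot"],
    ["casino", "lottery"], ["casino", "lottery", "drugs"],
    ["weapons", "forgery"], ["weapons", "forgery", "smuggling"],
    ["proxy-url", "vpn-url"], ["proxy-url", "vpn-url", "recharge"],
]
devs = ["A", "A", "B", "B", "C", "C", "D", "D"]
r, p = mantel(lists, devs)
print(round(r, 2), p)   # strong same-developer effect, small p
```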
-
When controlling for shared-developer as a confound, shared-publisher correlation collapsed to r=0.047 (p=0.0015) in the first experiment and r=0.064 (p=0.015) in the second; when controlling for shared-publisher, shared-developer remained r=0.095 (p<0.001) and r=0.13 (p<0.001) respectively. This demonstrates that development teams — not publishing entities — are the primary locus of keyword list authorship in the Chinese mobile gaming ecosystem.
-
Forensic analysis of keyword list formatting artifacts — C-style escapes appearing in XML files, XML entities appearing in non-XML files, and double-backslash encoding traceable to a 2004 leaked QQ keyword list — provides evidence that developers copy and circulate keyword lists across companies through informal channels including old web applications and bulletin boards. This keyword propagation mechanism explains partial overlap between unrelated companies' lists without implying a central authority.
-
Content analysis of 7,000 randomly sampled keywords (±1.1% at 95% confidence) found Social content (gambling, illicit goods, competitor references) was the dominant theme at 51.16%, followed by Technology/URLs at 16.81%, Political content at 15.00%, People (officials, dissidents) at 6.57%, and Event-related keywords at only 4.89%. Gaming keyword lists lacked references to current events from 2016–2017 that were found actively censored on Chinese chat applications during the same period, suggesting games face lower scrutiny for real-time event censorship than communication platforms.
-
In the heavily censored environment (E3), all successful connections used meek domain-fronting bridges (meek-amazon: 11 participants, meek-google: 9, meek-azure: 3); not a single participant successfully connected using flashproxy, fte, fte-ipv6, obfs4, or scramblesuit, despite all being available as built-in options.
-
The authors recommend 'smart automation' for bridge selection: the client first connects via a hard-to-censor bridge, then contacts a central Tor server over that Tor connection to identify the best available bridge for the user's location and network conditions, then reconnects using that bridge — eliminating the manual trial-and-error that caused 79% of attempts to fail. This is contrasted with 'naive automation' (sequential blind retry) which avoids UI friction but wastes time on non-working bridges.
-
Participants spent 64–78% of their total connection time on the progress/waiting screen (not in the configuration UI), and the simulated censorship environment was the dominant predictor of connection time (Kruskal–Wallis χ² = 80.5, df = 2, p < 10⁻¹⁵). In E3, each failed bridge attempt added several minutes of timeout before the user could retry, compounding the overall latency.
-
79% of total user attempts (363 of 458) to connect to Tor in simulated censored environments failed. In the most heavily censored condition (E3, requiring a meek or custom bridge), only 50% (10/20) of participants using the original interface connected, and even with the redesigned interface only 68% (13/19) succeeded within 40 minutes.
-
A redesigned Tor Launcher interface significantly increased success rates (Pearson χ² = 2.808, p < 0.047) and reduced median connection time in E3 from 40:08 to 20:25 (Mann–Whitney Z = −1.84, p < 0.0328, r = 0.172); configuration time also dropped significantly (Z = −3.28, p < 0.0005, r = 0.307). Changes included eliminating yes/no bridge and proxy question screens, adding auto-detection for proxies, consolidating options, and surfacing meek bridges as a fallback recommendation.
-
DeTor circuits have significantly lower end-to-end RTTs than standard Tor circuits because high-RTT paths cannot satisfy avoidance proofs, effectively self-selecting for shorter routes. Bandwidth distributions are similar to standard Tor. However, intentional packet-delay defenses proposed for Tor (to defeat timing attacks) would increase effective δ and reduce DeTor proof coverage, creating a tension between delay-based anonymity defenses and RTT-based geographic avoidance.
-
Never-once avoidance succeeds for 75% of source-destination pairs that do not already terminate in the US (a highly routing-central country) at δ=0.5, and for nearly all pairs avoiding less central countries. Russia is the hardest case at ~35% success (δ=0.5) due to proximity to the dense European node cluster. The median successful source-destination pair has over 1,000 valid DeTor circuits when avoiding the US and 500 when avoiding China.
-
Never-twice avoidance — ensuring no country appears on both the entry leg (source→entry) and exit leg (exit→destination) of a Tor circuit — succeeds for 98.6% of source-destination pairs not in the same country, using only client-side RTT measurements. This directly defeats traffic-correlation deanonymization attacks that require an adversary on both legs of the circuit simultaneously.
-
DeTor proves geographic avoidance using speed-of-light RTT constraints rather than Internet topology maps. If the measured end-to-end RTT satisfies (1+δ)·Re2e < Rmin, where Rmin is the theoretical minimum RTT that would include any point in the forbidden region, then packets provably could not have traversed that region — even against adversaries who forge traceroute and BGP responses.
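The never-once condition reduces to comparing a measured RTT against a geometric lower bound. A sketch under simplifying assumptions: great-circle distances, fiber propagation at ~2/3 c, and a forbidden region collapsed to a single point (DeTor bounds over the whole region); cities, coordinates, and the 120 ms RTT are illustrative.

```python
from math import radians, sin, cos, asin, sqrt

FIBER_KM_PER_MS = 200.0  # ~2/3 the speed of light, a common approximation

def haversine_km(a, b):
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def min_rtt_through_ms(hops, pt):
    """Lower-bound RTT of any path visiting `hops` in order that also passes
    through `pt`: base path plus the cheapest single-leg detour, round trip."""
    base = sum(haversine_km(a, b) for a, b in zip(hops, hops[1:]))
    detour = min(haversine_km(a, pt) + haversine_km(pt, b) - haversine_km(a, b)
                 for a, b in zip(hops, hops[1:]))
    return 2 * (base + detour) / FIBER_KM_PER_MS

def provably_avoids(r_e2e_ms, hops, pt, delta=0.5):
    # Never-once condition from the finding: (1 + delta) * R_e2e < R_min
    return (1 + delta) * r_e2e_ms < min_rtt_through_ms(hops, pt)

# Illustrative circuit: source NYC -> entry London -> middle Frankfurt
# -> exit Paris -> destination Madrid, with a claimed 120 ms end-to-end RTT.
hops = [(40.7, -74.0), (51.5, -0.1), (50.1, 8.7), (48.9, 2.3), (40.4, -3.7)]
print(provably_avoids(120, hops, (39.9, 116.4)))  # Beijing: detour too long
print(provably_avoids(120, hops, (55.8, 37.6)))   # Moscow: too close to prove
```

This also illustrates the Russia result above: a forbidden point near the dense European cluster adds too little detour for the proof to go through.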
-
Tor's built-in country-exclusion feature provides only the illusion of control: among circuits configured to exclude the US, only 12% could be identified as definitively avoiding US territory. The remaining 88% of 'trusted' circuits fail to deliver a proof of avoidance, meaning standard Tor policy and provable security diverge sharply.
-
Middlebox classification state is ephemeral: the testbed carrier-grade DPI device flushes results after 120 seconds (or 10 seconds after a TCP RST), and the GFC flushes state after 40–240 seconds depending on time of day. A strategically timed pause before the matching payload, or a TTL-limited RST packet, causes the classifier to re-evaluate the connection as unclassified traffic.
-
Iran's censor and AT&T's Stream Saver restrict DPI inspection strictly to port 80; traffic on any other TCP port escapes classification entirely. Iran additionally inspects the full flow (not just initial packets), unlike T-Mobile and the testbed device which only inspect the first few packets, making packet-count-based evasion insufficient against Iran on port 80.
-
TCP segment splitting and out-of-order delivery evades DPI classification in the testbed, T-Mobile, and Iran, but fails against the GFC—which performs extensive packet validation and correctly reassembles reordered streams—and AT&T, which uses a transparent HTTP proxy that normalizes all traffic before inspection. Payload splitting to one byte in the first packet is sufficient to defeat packet-count-limited classifiers.
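The splitting transform itself is trivial; a minimal sketch (the hard part, not shown, is forcing each chunk into its own TCP segment, e.g. via separate send() calls with TCP_NODELAY, and it still fails where streams are reassembled, per the finding):

```python
def split_for_evasion(payload: bytes, first_len: int = 1):
    """Split a request so the first segment carries only `first_len` bytes;
    classifiers that inspect a fixed number of initial packets then never
    see the matching payload. Sketch only -- not a working evasion by itself."""
    head, tail = payload[:first_len], payload[first_len:]
    return [head, tail] if tail else [head]

req = b"GET /blocked-url HTTP/1.1\r\nHost: censored.example\r\n\r\n"
segs = split_for_evasion(req)
assert segs[0] == b"G" and b"".join(segs) == req
```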
-
lib·erate's TTL-limited inert packet insertion—sending a decoy packet with TTL set to expire at the middlebox but carrying a misclassifying payload—successfully evades classification in a carrier-grade testbed DPI device, T-Mobile's Binge On, and the Great Firewall of China, but fails against Iran's censor and AT&T (Table 3). When bilateral server support is available, inserting a single dummy packet at flow start evades classification in all four deployments.
-
None of the operational networks tested—T-Mobile, AT&T, the Great Firewall of China, and Iran—classify UDP traffic; the authors describe this as 'a surprisingly easy way to evade their policies.' Iran's censor inspects the entire TCP flow but leaves UDP flows untouched across all tested applications.
-
Measured packet loss rates under GFW censorship (Feb–Apr 2017, client at Tsinghua University/CERNET): Tor with meek obfuscation suffers 4.4% average PLR; Shadowsocks (AES-256-CFB) suffers 0.77% PLR; native VPN (PPTP/L2TP) and OpenVPN both achieve ~0.21% PLR. For comparison, the same tools accessed from a US vantage point show PLR below 0.1%, confirming the excess loss is GFW-induced. The GFW's DPI and active probing techniques specifically target Tor and Shadowsocks protocol signatures.
-
China's Internet censorship ecosystem is bilateral: the GFW handles technical blocking while separate government agencies (MIIT, TCA, MPS, MSS) handle non-technical regulation, and 'these two components do not operate synchronously.' Google Scholar is considered a legal service by Chinese regulators but is incidentally blocked as collateral damage because it falls under the google.com domain, blocked since 2010.
-
ScholarCloud's 'message blinding' — a non-public byte mapping (f: [0, 2^8) → [0, 2^8)) applied between domestic and remote proxy — successfully evades GFW deep packet inspection with 0.22% average packet loss rate, statistically indistinguishable from native VPN (0.21%). The paper reports that even this simple encoding suffices because the GFW cannot classify the traffic; confidentiality of the algorithm is the operative property, not cryptographic strength. Because the operator controls both proxy endpoints, the blinding scheme can be rotated at any time without requiring client-side updates.
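A byte permutation of this shape is easy to sketch; the seeded-shuffle construction and the seed value below are illustrative, not ScholarCloud's actual mapping, and (per the finding) the security property is secrecy of the table, not cryptographic strength.

```python
import random

def make_blinding(seed: int):
    """A non-public byte permutation f: [0, 256) -> [0, 256) shared by the
    two proxy endpoints, plus its inverse. Because the operator controls
    both endpoints, rotating the seed rotates the scheme without client updates."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return bytes(table), bytes(inverse)

fwd, inv = make_blinding(seed=2016)                 # seed is illustrative
blinded = b"tls record bytes".translate(fwd)        # applied between proxies
assert blinded.translate(inv) == b"tls record bytes"
```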
-
ScholarCloud was launched in January 2016 and by late 2017 served over 2,000 registered users with 700 daily active users. It operates on two commodity VM instances at a daily operational cost of 2.20 USD. Legal operation inside China was achieved by registering the service as an ICP with the TCA (China ICP Reg. #15063437) and restricting the proxy whitelist to verifiably legal but incidentally-blocked domains — a strategy that places the service outside the GFW's aggressive technical blocking while also satisfying regulatory scrutiny from MPS/MSS.
-
Shadowsocks imposes an extra per-session TCP connection for user/password authentication plus a 10-second keep-alive timeout, causing an average page load time of 3.7 seconds and a sharp PLT inflection when concurrent clients exceed 60. In contrast, ScholarCloud (split-proxy, no per-session auth handshake) achieves 1.3 seconds average PLT with linear scalability up to 180 concurrent clients. Native VPN and OpenVPN also scale linearly; Shadowsocks is the only tested solution with a non-linear degradation point.
-
Bridges that carry clients are highly stable: their median lifetime is 116 days (~4 months) and 84% never change IP address, with 90% having at most one IP change. This means current censor policies that remove bridge IP blocks every 25 hours are far more conservative than necessary — an adversary could sustain blocks for months without significant collateral damage.
-
77% of public bridges offer only vanilla Tor, which is trivially detectable via TLS certificate pattern matching. An additional 15% offer Pluggable Transports with conflicting security properties (e.g., obfs4 + obfs3 + obfs2 co-deployed on the same bridge), allowing a censor to confirm and block the bridge via the weakest PT and thereby disable all stronger PTs on the same IP — including active-probing-resistant transports like obfs4 and ScrambleSuit.
-
Default bridges — whose IP addresses are hardcoded in the Tor Browser Bundle — carry 91.4% of all bridge clients globally in April 2016, and 86.1% in Iran and 69.2% in Syria. Because these addresses are trivially obtainable from the Tor Browser Bundle configuration files, a censor can block the vast majority of bridge users in a country at any time.
-
Four OR ports (443, 8443, 444, 9001) account for 82% of all active public bridge fingerprints as of April 2016, down from 95% in March 2013 but still concentrated. Scanning just three of these ports (443, 8443, 9001) is sufficient to deanonymize 71% of all active public bridges. Additionally, CollecTor's published per-bridge usage statistics allow a censor to rank bridges by client count per country and identify the highest-impact OR ports to scan next.
-
Tor's vanilla TLS certificate presents a distinctive pattern (SubjectCN=www.[random].com; IssuerCN=www.[random].net using base32 random strings), which never changes across certificate rotations every 2 hours. Using this pattern against Censys and Shodan scan data without running any active scans, the authors discovered 694 private bridges and 645 private proxies, and deanonymized the IP address of 35% of public bridges with clients (23% of all active public bridges) in April 2016.
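The fingerprint lends itself to a simple regex over scan data; the length bounds on the base32 string below are my assumption, not from the paper.

```python
import re

# Vanilla Tor's generated certificate names: www.<base32>.com subject,
# www.<base32>.net issuer. Base32 alphabet is [a-z2-7]; 8-20 chars assumed.
BASE32 = r"[a-z2-7]{8,20}"
SUBJECT = re.compile(rf"^www\.{BASE32}\.com$")
ISSUER = re.compile(rf"^www\.{BASE32}\.net$")

def looks_like_vanilla_tor(subject_cn: str, issuer_cn: str) -> bool:
    return bool(SUBJECT.match(subject_cn) and ISSUER.match(issuer_cn))

assert looks_like_vanilla_tor("www.mq7zw4xj5dkp.com", "www.ab3f7xkq2m.net")
assert not looks_like_vanilla_tor("www.example.com", "www.example.net")
```

Run against Censys/Shodan certificate dumps, this is the passive matching the finding describes: no active scanning required.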
-
Because Bangladesh's ban targeted specific named applications rather than underlying protocols, users successfully substituted functionally equivalent but unlisted apps: 'Banning Facebook, Viber, and Whatsapp for security purposes was not sufficient. For example, I used IMO to operate those apps. So, ultimately, nothing happened.' Authorities responded by expanding the blocklist to cover substitute apps, producing a reactive cat-and-mouse dynamic over the 26-day ban.
-
The Bangladesh Telecommunication Regulatory Commission (BTRC) directed ISPs to block Facebook, Viber, WhatsApp, and Facebook Messenger on November 18, 2015; the ban expanded over 26 days to include Twitter, Skype, IMO, and Instagram, with a coincidental 1-hour complete internet blackout at the outset. Blocking was enforced at the ISP level via written BTRC directives, targeting specific named platforms rather than underlying protocols or ports.
-
At least one participant was unable to use VPN during Bangladesh's ban because her Windows Phone (Lumia) did not carry VPN client apps in its app store, leaving her 'totally unable to communicate' for the ban's duration despite awareness of the workaround. Device platform and app-store access restrictions created a hard circumvention barrier independent of user intent or technical knowledge.
-
During Bangladesh's 2015 internet ban, police conducted roadside stops and physically inspected mobile phones for VPN software, confiscating devices found with VPN installed and asserting VPN use was illegal — despite no official government directive prohibiting VPN. This extra-legal enforcement, carried out by low-ranking constables, created a chilling deterrent effect on circumvention adoption beyond the technical challenge of blocking.
-
Prior to Bangladesh's 2015 internet ban, only 1 of 21 study participants had prior knowledge of VPN or IP-masking software; during the 26-day ban, VPN knowledge spread virally through social networks until it was described as 'fairly commonplace,' with adoption driven almost entirely by peer-to-peer instruction rather than technical documentation. Users required only procedural knowledge — installation steps and connection — not understanding of VPN mechanics.
-
Through Internet-scale BGP simulation against China, downstream-only decoy routing (Waterfall) with a single decoy AS provides equivalent resistance to routing attacks as a traditional upstream decoy system (e.g., Telex) with 53 decoy ASes. This efficiency gain arises because censoring ISPs can selectively re-route upstream traffic per destination but must re-route all or none of downstream traffic through each provider AS, making downstream-only routing far more expensive to evade.
-
Evaluation of the top 10,000 Alexa websites finds that 3,916 (39%) support HTTPS, of which 1,976 (50%) perform HTTP 3XX redirects that echo the requested path in the Location header and 812 (20%) replay the URL in HTTP 404 error responses — both usable as upstream covert channels readable by downstream-only decoy routers without intercepting upstream traffic.
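The path-echo channel can be sketched end to end: the client encodes covert upstream data into a request path, the overt site's 3XX response echoes that path in its Location header, and a decoy router on the downstream path decodes it. The base64 encoding and the `overt.example` hostname are illustrative, not Waterfall's actual wire format.

```python
import base64

def encode_upstream(covert: bytes) -> str:
    """Embed covert upstream data in a GET path."""
    return "/" + base64.urlsafe_b64encode(covert).decode().rstrip("=")

def decode_from_location(location: str, prefix: str = "https://overt.example") -> bytes:
    """Recover the covert data from the path echoed in a 3XX Location header,
    as seen by a downstream-only decoy router."""
    path = location[len(prefix):].lstrip("/")
    pad = "=" * (-len(path) % 4)
    return base64.urlsafe_b64decode(path + pad)

path = encode_upstream(b"covert hello")
location = "https://overt.example" + path   # the overt site's redirect echo
assert decode_from_location(location) == b"covert hello"
```

The same idea applies to the 404-replay variant: any response field that echoes the requested URL is a readable downstream copy of upstream data.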
-
Waterfall's Overt User Simulator caches previously loaded overt-website responses and replays them to generate cover traffic, overcoming Slitheen's 40% downstream throughput ceiling (caused by restricting covert replacement to leaf HTTP objects only). Because downstream-only decoy routers intercept all downstream TLS records — not just leaf content — Waterfall achieves higher covert capacity while perfectly mimicking overt browsing patterns against traffic analysis.
-
Table 2 shows that with 50 decoy ASes, the most powerful practical routing attack on downstream-only systems (rewiring-I) impacts 93% of China's routes (22.4% unreachable, 70% re-routed), compared to only 18.2% total impact from RAD on traditional upstream designs. Table 3 shows that even for Syria, the rewiring-II attack with just 1 downstream-only decoy AS already impacts 81% of routes versus 1.5% for RAD on upstream systems.
-
BGP simulation shows that a censor's source-block attack against 100 downstream-only decoy ASes disconnects 23% of Chinese Internet destinations, versus only 8% when applying the standard RAD attack against 100 upstream decoy ASes — imposing nearly 3× more unreachability collateral damage on the censor for the same decoy count.
-
Aggregate measurements across nearly 180 countries over 17 days found that 60% of reflectors experienced some degree of connectivity disruption; the bias of detected blocks toward Citizen Lab Block List sites held for both inbound and outbound filtering, and temporal variability corroborated documented censorship events around political timelines.
-
Of 2,134 tested sites, 229 (10.7%) were invalid for inbound blocking detection due to ingress filtering or network-origin discrimination; 431 additional sites were invalid for outbound blocking detection, of which 75% were Cloudflare-hosted and 7% Fastly-hosted because anycast topology prevents RST packets from returning to the originating anycast node.
-
Validation against the Citizen Lab Block List (CLBL) showed that for 99% of reflectors, more than 56.7% of detected inbound-blocked sites were CLBL-listed (vs. 56.7% CLBL composition of the input dataset); 95% of reflectors showed the same directional bias for outbound filtering, confirming the method detects real censorship rather than measurement noise.
-
Augur's Internet-wide ZMap scan found 22.7 million hosts (of 140 million reachable) using shared monotonically-increasing IP ID counters across 234 countries (median 1,667 reflectors per country); filtering to ethical infrastructure via CAIDA Ark reduced this to 53,130 reflectors in 179 countries (median 15 per country), representing 4,214 ASes.
-
Using sequential hypothesis testing (SHT) with false positive and false negative rates both set to 10^-5, more than 90% of reflectors required 40 or fewer experiment trials to reach a blocking decision; over 17 days the system collected 207.6 million runs across 47 trials spanning 2,134 sites and 2,050 reflectors.
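The SHT machinery here is Wald's sequential probability ratio test: accumulate a per-trial log-likelihood ratio and stop when it crosses either error-rate-derived threshold. The per-trial outcome probabilities below are illustrative, not Augur's model; only the 10^-5 error rates come from the finding.

```python
import math

ALPHA = BETA = 1e-5   # false-positive and false-negative rates from the paper

def sprt(outcomes, p_blocked=0.9, p_open=0.1):
    """Wald's SPRT over a stream of per-trial blocking signals."""
    upper = math.log((1 - BETA) / ALPHA)   # cross -> decide "blocked"
    lower = math.log(BETA / (1 - ALPHA))   # cross -> decide "not blocked"
    llr = 0.0
    for n, signal in enumerate(outcomes, 1):
        p1 = p_blocked if signal else 1 - p_blocked   # likelihood under "blocked"
        p0 = p_open if signal else 1 - p_open         # likelihood under "open"
        llr += math.log(p1 / p0)
        if llr >= upper:
            return "blocked", n
        if llr <= lower:
            return "not blocked", n
    return "undecided", len(outcomes)

verdict, trials = sprt([True] * 40)
print(verdict, trials)   # consistent signals decide well within 40 trials
```

With clean signals the walk crosses the threshold in a handful of trials, consistent with >90% of reflectors needing 40 or fewer.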
-
Among Iris's DNS manipulation detection metrics, AS-level consistency was most effective, classifying 90% of DNS responses as unmanipulated. IP-address identity matching flagged approximately 80% of correct responses, while HTTPS certificate validation improved from 38% to 55% accuracy when SNI was included in follow-up TLS probes.
-
Iris detected 41,778 manipulated DNS responses (0.31% of 13.5 million queries) across 58 countries and 1,408 domains in a two-day measurement window in January 2017. Iranian resolvers exhibited the highest median manipulation rate at 6.02% per resolver; China followed at 5.22%. Iran and China together accounted for roughly 55% of all manipulated responses despite contributing only approximately 6% of total query volume.
-
Iranian DNS censorship returns special-purpose/private IPv4 addresses in 99.99% of manipulated responses (only 0.01% public), whereas Chinese manipulation returns public IPs 99.46% of the time—often addresses that host no services at all. The 10 most frequent Chinese censor-injected IPs constituted approximately 75% of all Chinese manipulated DNS responses.
-
Iris filtered 4.2 million open DNS resolvers down to 6,564 infrastructure resolvers by retaining only those with PTR records matching ns[0-9]+ or nameserver[0-9]*, achieving coverage across 157 countries with a median of 6 resolvers per country. The ethical constraint of excluding end-user home routers reduced usable resolvers by 99.8% but preserved global geographic breadth sufficient to detect country-level DNS manipulation at scale.
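The PTR-based filter is a one-line pattern match; the boundary handling below is my reading (the paper's exact anchoring may differ), and the PTR records are made up.

```python
import re

# Keep only resolvers whose PTR record names them as nameservers,
# per the paper's patterns: ns[0-9]+ or nameserver[0-9]*.
INFRA = re.compile(r"\b(ns[0-9]+|nameserver[0-9]*)\b")

ptrs = {
    "8.8.8.8": "dns.google",
    "192.0.2.10": "ns1.example-isp.net",
    "192.0.2.77": "cpe-192-0-2-77.home.example.com",   # end-user CPE: excluded
    "192.0.2.53": "nameserver.example.org",
}
infra = [ip for ip, name in ptrs.items() if INFRA.search(name)]
print(infra)
```

The CPE-style name is exactly the kind of end-user home router the ethical constraint excludes, at the cost of shrinking the resolver pool 99.8%.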
-
DNS manipulation is heterogeneous within countries, not uniform across ISPs. In Iran, one cluster of domains is manipulated by approximately 80% of in-country resolvers while a second group is manipulated by fewer than 10%, consistent with differential blackholing by separate DNS manipulation infrastructure tiers. China shows a similar bimodal split (~80% vs ~50%), while Greece and Kuwait exhibit more homogeneous cross-resolver manipulation.
-
CloudFlare platform policy creates outsized blocking: 80% of CloudFlare-hosted websites discriminate against at least 60% of studied Tor exits, while Amazon- and Akamai-hosted sites show high policy diversity. Social networking and shopping sites are the most aggressive discriminators — 50% block over 60% of studied exits — while search engines are least aggressive, with 83% blocking fewer than 20% of exits.
-
Conservative exit policies (Reduced-Reduced, which additionally blocks SSH, Telnet, and IRC ports beyond the default) have no statistically significant correlation with IP blacklisting rates or abuse complaint volume. Web traffic accounts for 98.88% of all connections on Reduced-Reduced exits, confirming that ports 80/443 are the primary abuse vector and that port restriction does not meaningfully reduce exposure.
-
7% of 84 commercial IP blacklists proactively blacklist Tor exit relay IPs as a matter of policy: the Snort IP and Paid Aggregator blacklists listed newly deployed relay IPs within 3 hours of their first appearance in the Tor consensus and maintained the listing for the entire relay lifetime. In total, 88% of all Tor exits appear on at least one commercial blacklist, compared to 9% of VPNGate and 69% of HMA VPN endpoints.
-
Real Tor users browsing the Alexa Top 1M websites via deployed exit relays experience failed HTTP requests at rates of 15.8–33.4% and failed HTTPS handshakes at rates of 35.0–49.6%, representing severe service degradation compared to non-Tor browsing (Table 8).
-
20.03% of Alexa Top 500 website front-page loads showed discrimination against Tor exit users. Exercising search functionality on compatible sites raised discrimination by 3.89% (to 21.33%), while exercising login functionality raised it by 7.48% (to 24.56%), demonstrating that headless front-page-only crawlers significantly underestimate the true blocking rate Tor users face.
-
41% of users (139,042 of 342,650) in the post-coup dataset voluntarily removed 18% of all post-coup tweets by switching to protected mode, deleting accounts, or deleting individual tweets; the largest groups were active users who deleted some tweets (44% of affected accounts) and users who switched to protected mode (22%).
-
Zero pro-Gülen topics appeared in the public tweet set post-coup, while 70% of unreachable (deleted/protected) Gülen-related tweets were pro-Gülen; the unreachable rate for Gülen-related tweets was twice the background rate, quantifying rapid directional self-censorship on politically targeted content within days of a government crackdown.
-
Tor usage in Turkey spiked sharply during the initial days of the July 2016 coup—when ISPs were actively throttling Twitter—but declined steadily in subsequent months back toward pre-coup baselines, consistent with post-coup suppression being driven by chilling effects rather than sustained network-level blocking.
-
Comparing 5.6M pre-coup tweets (2015 Turkish general election) to 8.5M post-coup tweets (July–November 2016), the authors found 72% fewer government-censored tweets post-coup (142,492 vs. 513,719), with an estimated 43% of that decline attributable to reduced overall Twitter usage in Turkey and the remainder to user self-censorship.
-
Twitter's official Transparency Report for July–December 2016 reported 489 censored tweets in Turkey from non-withheld accounts; the authors identified 6,402 unique censored tweets from the same period—approximately 13× more than officially reported—replicating an earlier order-of-magnitude undercount finding by Tanash et al. (2015).
-
All five Republic of Cyprus ISPs (Callsat AS24672, Cablenet AS35432, Cyta AS6866, MTN AS15805, and Primetel) used DNS hijacking as their sole blocking mechanism, creating local zone entries that override legitimate DNS replies and redirect users to ISP-controlled block pages or error pages.
-
The Republic of Cyprus National Betting Authority (NBA) blocklist grew from 95 URL entries in February 2013 to 2,563 entries in April 2017 — approximately 27 times its initial size — with entries specifying full URL paths rather than just domain names, requiring DPI-capable infrastructure for correct enforcement.
-
DNS hijacking used by Cypriot ISPs to block gambling websites also suppressed MX record responses for blocked domains, rendering email delivery to those domains impossible — collateral damage not mandated by the 2012 gambling law, which required only URL blocking.
-
Cypriot ISPs could not enforce HTTPS URL entries from the NBA blocklist because SSL/TLS interception was not deployed; connections to port 443 for blocked domains simply timed out with no block page or user notification, meaning HTTPS entries were effectively under-blocked.
-
The northern Cyprus ISP Multimax (AS197792) employed IP-based blocking rather than DNS hijacking, and its blocked-site list — including Wikipedia, Tor Project, Wikileaks, and Psiphon — matched Turkish ISP blocklists rather than the RoC NBA gambling blocklist, demonstrating that geopolitically distinct ISP operators on the same island implement categorically different censorship regimes.
-
Tested across 11 vantage points in 9 Chinese cities against 77 Alexa-ranked websites (50 trials each, April–May 2017), most prior TCB evasion strategies are largely broken: TCB creation with SYN achieves only 6.9% success (88.9% Failure 2), TCB teardown with FIN achieves only 11.1% success (87.9% Failure 2), while in-order data overlapping with TTL-based insertion still achieves 90.6% success and only 3.7% Failure 2. Without any evasion strategy the baseline success rate is 2.8%.
-
The GFW evolved to create a TCB not only on SYN packets but also on SYN/ACK packets, and enters a 're-synchronization state' upon seeing multiple SYN packets, multiple SYN/ACK packets, or a SYN/ACK with an incorrect acknowledgment number. Once in this state, it re-synchronizes its TCB using the next client-to-server data packet or server SYN/ACK, invalidating prior TCB-creation evasion strategies that assumed the GFW used only the first SYN sequence number.
-
INTANG, a measurement-driven tool that caches the best-performing TCP evasion strategy per server IP, achieves an average success rate of 98.3% (range 93.7%–100%) from vantage points inside China. Four combined new strategies — Improved TCB Teardown, Improved In-order Data Overlapping, TCB Creation + Resync/Desync, and TCB Teardown + TCB Reversal — each independently achieve average success rates of 94.5%–96.2% inside China and 84.6%–92.7% outside China, with Failure 2 rates below 1.1%.
-
Packets carrying an unsolicited TCP MD5 option header (RFC 2385) are silently ignored by modern Linux servers (kernel ≥ 2.6) that have not negotiated MD5 authentication, yet are accepted and processed by the GFW as normal packets that update its TCB. Crucially, none of the observed middleboxes dropped packets with MD5 options, making the MD5 header the most universally applicable insertion packet type — usable with any TCP flag (SYN, RST, or data) and immune to middlebox filtering.
-
Client-side middleboxes at every tested vantage point interfere with IP-layer evasion tactics: Aliyun (6/11 nodes) discards all IP fragments, while the Tianjin China Unicom node drops packets with wrong TCP checksums or no TCP flag. IP-layer discrepancies that survive routers (e.g., IP total-length > actual length) are still dropped by some middleboxes, making IP-layer manipulations unreliable across Chinese ISPs. TCP-layer manipulations are significantly more consistent across paths.
-
Survival analysis of 423,265 pages with Wayback Machine histories shows pages on politically controversial topics have substantially shorter lifetimes than those on uncontroversial topics; topic change — not just page deletion — must be treated as 'death' for probe-list purposes, since a page that switches topic no longer contains the sensitive material that made it censorship-relevant.
-
China's Great Firewall adds sites to its blacklist within hours of their becoming newsworthy and drops them again just as quickly; conversely, Pakistan's pornography crackdown used a rarely-updated blocklist, causing 50% of consumption to shift to unlisted sites. An outdated probe list will therefore underestimate GFW effectiveness and overestimate effectiveness in countries with static lists.
-
Analysis of 758,191 URLs across 22 probe lists found near-zero URL-level Jaccard similarity between nearly all list pairs (most < 0.01), including between country blacklists; even at hostname level, blacklists share little with each other or with researcher-curated lists like ONI's 12,107-URL list, indicating that any single probe list systematically misses large portions of what is actually censored.
-
Topic correlation analysis across 2,904 list-topic pairs (585 significant after Bonferroni correction at α = 0.05) shows social media is disproportionately represented in country blacklists relative to the broader web; video-sharing sites are also frequently blocked, likely to suppress political organization, copyright infringement, or competition with local businesses.
-
Syria's 2015 blocklist contained a disproportionately large share of software-related sites because censors applied indiscriminate TLD-based blocking of all .il (Israeli) domain names regardless of content, demonstrating that non-topic-based criteria (country-code TLD, ASN) can sweep in entirely unrelated infrastructure and are detectable only through anomaly spot-checks rather than content analysis.
-
Time-series analysis across five ISPs over six months reveals a near-universal stasis in January–February where blocklist changes were negligible for all ISPs, followed by significant fluctuations (e.g., a +20–35% swing in TCP unreachability between February and March for PTCL, Wateen, Qubee, and WiTribe). A ubiquitous drop in TCP-unreachability outcomes occurred December–January, suggesting a seasonal or policy-driven relaxation followed by re-tightening.
-
DNS tampering in Pakistan takes at least two distinct sub-forms: WiTribe and Nayatel redirect blocked domains to explicit block-page IPs (DNS resolution returns a routable address that serves a block page), while PTCL returns both failing IPs and explicit block pages, indicating that PTCL applies DNS tampering without user notification in some cases (NXDOMAIN-like) and with a block page in others. Qubee leaves DNS untouched and instead applies content-level HTTP tampering in roughly 80% of measurements for blocked URLs.
-
Across five Pakistani ISPs measured over six months (Oct 2013–Mar 2014), censorship splits cleanly by ISP: WiTribe, PTCL, and Nayatel block via DNS tampering, while Wateen and Qubee block via HTTP content tampering. The two techniques do not overlap within a single ISP, demonstrating that Pakistan's censorship infrastructure is ISP-heterogeneous rather than centrally normalized.
-
A university closed survey of 64 Pakistani users found that 51% evade censorship using VPNs (Hotspot Shield being the most prominent), 25% use web proxies, 17% use Tor/onion routing, and approximately 7.2% use CDNs, mirror sites, search-engine caches, or web-based DNS lookup services.
-
DNS-sly encodes downstream data by selecting A records from the IP address pool of CDN-hosted domains. For the top 25% of Alexa Top 500 domains, approximately one third of DNS responses contain more than 8 A records and ~15% contain 15 A records; the global IP pool has a median of ~2,000 IPs per domain (maximum ~16,000), enabling b = floor(log2(s!/(s-c)!)) bits per response.
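The per-response capacity formula can be evaluated directly. This sketch (function name invented) computes b = floor(log2(s!/(s−c)!)) for an illustrative pool of s = 15 addresses with c = 8 returned A records:

```python
import math

def bits_per_response(s: int, c: int) -> int:
    # b = floor(log2(s! / (s - c)!)): hidden bits carried by the ordered
    # choice of c A records from a pool of s candidate addresses.
    permutations = math.factorial(s) // math.factorial(s - c)
    return permutations.bit_length() - 1  # exact floor(log2) for integers

# A response drawing 8 of 15 pool addresses encodes floor(log2(15!/7!)) bits.
b = bits_per_response(15, 8)
```

Because the encoding counts ordered selections (permutations), the record ordering itself carries information, not just the set of addresses chosen.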
-
DNS-sly achieves downstream throughput of up to 600 bytes of hidden data per web page click, with a median of ~100 bytes/click using a global IP map and ~75 bytes/click using a local IP map (a 25% difference despite vastly different IP set sizes). A 4 KB file transfer completes in 30 clicks with the global profile map and 64 clicks with the local map.
-
DNS-sly requires out-of-band distribution of a 2.3 MB compressed bootstrap package (user profile map) before covert communication begins. The authors explicitly reject automated in-band bootstrapping to preserve deniability, accepting a hard scalability constraint as the cost; the particular censored environment tested did not interfere with DNS traffic at all, enabling successful censored-site retrieval at the same throughput rates as uncensored tests.
-
Active probing resistance was evaluated by simultaneously querying 5 additional DNS resolvers for every domain during DNS-sly operation. DNS-sly's response change distribution falls within one standard deviation of the other resolvers, making probing attacks unable to distinguish DNS-sly servers from ordinary resolvers. TTL-based re-encoding prohibition neutralizes forced-divergence probing where an attacker sends repeated identical queries to expose responder state.
-
DNS-sly achieves statistical deniability by profiling each user's organic DNS behavior — recording accessed domains, semantic topics, and resolver-specific IP addresses — and constructing upstream requests that semantically overlap with that profile. Upstream communication is indistinguishable from normal DNS traffic in volume, frequency, and semantics; all DNS headers are fully legitimate with no unusual record types.
-
Schuchard et al. demonstrated that latency differences caused by a decoy routing proxy communicating with a distant covert destination are sufficient not only to detect the use of decoy routing but also to fingerprint which specific censored webpage the client accessed. All prior decoy routing systems (Telex, Cirripede, Curveball, TapDance, Rebound) remained vulnerable to this attack at time of publication.
-
Slitheen replaces only 'leaf' HTTP resources (images, video) in overt-site responses with covert content, reusing all TCP/IP headers verbatim and forwarding packets immediately on arrival. This forces every observable feature—packet size, direction, inter-arrival timing—to be identical to a genuine access of the overt page, eliminating the censor's ability to apply latency analysis, website fingerprinting, or protocol fingerprinting to distinguish decoy sessions from normal traffic.
-
Measurement of the Alexa top 10,000 TLS sites showed that the fraction of traffic replaceable by a Slitheen relay varies from 0% (Facebook, due to large TLS records preventing leaf replacement) to 100% (Wikipedia, Yahoo). For representative sites: Reddit achieved 70% ±10% of leaf bytes replaced (19% ±3% of total page bytes), Gmail 87.7% ±0.2% of leaf bytes (23% ±9% total), and Quora 99% ±5% of leaf bytes (20% ±10% total), as reported in Table 2.
-
Table 1 shows Slitheen is the first decoy routing system to simultaneously defend against latency analysis, website fingerprinting, and protocol fingerprinting attacks, while also resisting TCP replay and Crazy Ivan active attacks. This security is achieved at the cost of requiring symmetric flows and inline blocking—requirements previously considered prohibitive—which the authors argue are increasingly met by commercial DPI traffic-shaping appliances (e.g., Sandvine) already deployed by ISPs.
-
TapDance's non-blocking asymmetric design leaves the overt connection open but abandoned, enabling an active censor to inject a TCP ACK carrying a stale sequence number; the overt server responds with its true TCP state, exposing the discrepancy and confirming decoy routing. The attack requires no clean-path routing capability: the injected packet is forwarded through the tainted path by the non-blocking TapDance station itself.
-
A censor tracking which deleted posts are resurrected can apply Bayesian inference to identify content-preservation system users: for each resurrected post r observed by set O(r), each observer's suspicion score updates by factor (|O(r)|−1)/|O(r)|, while observers of non-resurrected deletions can be ruled out with certainty. The attack requires only that the censor join the preservation system with a few sock-puppet accounts spread across multiple followed-user lists.
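The censor's inference loop can be sketched as follows; all names are illustrative, and the assumption (consistent with the finding) is that system members resurrect every deletion they observe, so observers of a non-resurrected deletion are provably not members:

```python
def censor_inference(events, all_users):
    # not_member[u]: censor's running estimate that user u is NOT a
    # preservation-system member; members see it shrink over time.
    not_member = {u: 1.0 for u in all_users}
    ruled_out = set()  # observers of never-resurrected deletions
    for observers, resurrected in events:
        if resurrected:
            # Each observer of resurrected post r is downweighted by
            # (|O(r)| - 1) / |O(r)|: one of them must be a member.
            n = len(observers)
            for u in observers:
                if u not in ruled_out:
                    not_member[u] *= (n - 1) / n
        else:
            # A deleted post nobody resurrected: its observers are
            # ruled out with certainty.
            for u in observers:
                ruled_out.add(u)
                not_member[u] = 1.0
    return not_member, ruled_out

events = [({"a", "b"}, True), ({"b", "c"}, False), ({"a", "d"}, True)]
scores, cleared = censor_inference(events, {"a", "b", "c", "d"})
```

After these three illustrative events, user "a" (observer of both resurrections) is the prime suspect, while "b" and "c" are cleared outright.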
-
A censor with platform-side control can definitively confirm a single suspected user by injecting a unique fake post visible only to that user, then querying the preservation system for resurrected posts attributed to that fabricated author. Presence of the fake post in the resurrection feed is binary confirmation of user membership. This targeted attack defeats automated post-alteration countermeasures when a human examines the result.
-
Simulation on a 1,000,000-user scale-free Weibo topology shows that at 1% GhostPost user adoption the system preserves over 70% of postviews against the daytime censor (2-hour median deletion) and nearly 90% against the nighttime censor (10-hour median deletion). Even a highly aggressive censor deleting posts within 30 minutes on average cannot prevent a 1.5% GhostPost deployment from resurrecting the majority of postviews. Steep coverage gains plateau around 0.5% adoption, after which marginal returns diminish.
-
GhostPost's client-server coordination channel transfers only metadata and small text payloads, making it neither bandwidth-intensive nor latency-sensitive. The paper explicitly concludes that 'practically any means of communication, including low-performance covert channels, are adequate' for the coordination channel, enabling operation over DNS tunnels, steganographic channels, or other constrained transports when the central server's HTTPS endpoint is blocked.
-
Sina Weibo's deletion workforce exhibits strong diurnal variation: posts published 3–9 AM have median lifetimes of 8–9 hours, while posts from 10 AM–midnight have median lifetimes around 2 hours. Over 90% of eventually-deleted posts are removed within 24 hours, but the nighttime slowdown creates a predictable window where post survival is 4–5× longer than daytime.
-
Salmon simulations show that a censor with agents comprising 1% of 10,000 users can block at most 4A servers (one block per agent per full group) against a system with 1,000–2,000 servers; server groups with a hard cap of M=10 users that fill entirely with legitimate users before any agent joins become permanently invincible to server discovery. The censor's optimal strategy is to ensure each agent is always alone in its group at the time of joining, which requires knowing the user arrival rate — information Salmon withholds by not publishing user statistics.
-
Without recommendation-tree grouping logic, a censor starting agents at trust level 6 who each recommend 1–2 additional agents (requiring 4–5 months of waiting) can cut off over 95% of users even at agent percentages in the 15–30% range, as shown in Figure 6. With recommendation-tree grouping enforced, the same attack at equivalent agent fractions produces dramatically lower service disruption because agents cluster among themselves rather than spreading across innocent user groups.
-
Salmon's trust-level mechanism (7 discrete levels; promotion from level n to n+1 requires 2^(n+1) days; banning triggered when suspicion exceeds T=1/3) reduces the fraction of users cut off by an attacking censor by more than 3× relative to rBridge under the same agent-percentage conditions. Simulations with 10,000 users (1–10% censor agents) and 1,000–2,000 servers show that trust levels keep high-seniority innocent users isolated from newer users where agents concentrate.
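Assuming levels are numbered 0 through 6 (an assumption; the source states only "7 discrete levels"), the minimum wait to reach a given level follows directly from the promotion rule:

```python
def days_to_reach(level: int) -> int:
    # Promotion from level n to n+1 takes 2**(n + 1) days, so reaching
    # `level` from level 0 costs the sum of 2**(n + 1) for n < level.
    return sum(2 ** (n + 1) for n in range(level))

# Top of the ladder: 2 + 4 + 8 + 16 + 32 + 64 days.
top_level_wait = days_to_reach(6)
```

Reaching level 6 takes 126 days, on the order of the 4–5 months of waiting the recommendation-tree finding attributes to a censor fielding level-6 agents.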
-
A single harvesting script running for 9 days on one free Amazon EC2 instance verified 3,101 working VPN Gate servers by testing 44,039 IP addresses, demonstrating that VPN Gate's collective defense mechanism — which relies on detecting automated scanning patterns — can be fully bypassed by routing successive queries through previously verified VPN servers. This result implies that a censor could, with no collateral damage, effectively shut down VPN Gate entirely by blocking all verified servers.
-
Salmon's defense against the active zig-zag attack — where a censor blocks a known server to force users onto new ones and watches for correlated reassignments — requires both per-user authentication (unique login credentials per server so unauthorized probes receive a plausible HTTPS page) and traffic camouflage. Without authentication, the server must respond as a functioning proxy to any connection, fully exposing itself to the censor; without camouflage, even a rejected connection may reveal the server's nature.
-
Adding a DPI apparatus with true positive rate TPR and false positive rate FPR creates three ordered thresholds Fam ≤ Fab ≤ Fmb governing censor strategy: allow all traffic (CTP ≤ Fam), deploy the apparatus (Fam < CTP ≤ Fmb), or block all traffic (CTP > Fmb). The apparatus does not qualitatively change the Nash equilibrium structure; it only shrinks the CTP range the circumventor can sustain, with the ordering Fmb ≥ Fab ≥ Fam holding whenever TPR ≥ FPR.
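The three-threshold decision rule can be written out directly; function and argument names are illustrative, not from the paper, and the rule uses only F_am and F_mb as boundaries (F_ab sits between them but does not change the censor's choice):

```python
def censor_strategy(ctp, f_am, f_ab, f_mb):
    # Decision rule implied by the ordered thresholds F_am <= F_ab <= F_mb.
    assert f_am <= f_ab <= f_mb
    if ctp <= f_am:
        return "allow all traffic"      # not worth deploying the apparatus
    if ctp <= f_mb:
        return "deploy DPI apparatus"   # filter with TPR/FPR trade-off
    return "block all traffic"          # CTP too high to tolerate
```

At illustrative thresholds (0.05, 0.10, 0.20), a CTP of 0.15 lands in the middle band, so the censor deploys the apparatus rather than blocking outright.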
-
A censor can mount a zero-collateral-damage flooding attack by injecting fake CRS-protocol-conformant traffic into open channels, inflating the apparent CTP and evicting real circumvention traffic to throttled or sacrificial protocols. If injection is costless the censor can drive real circumvention throughput to zero while keeping all channels nominally open; the attack is equally effective against both throttling and dumping CTP control strategies.
-
In a single-round censorship game the only Nash equilibrium that keeps the channel open requires the circumvention traffic proportion (CTP) satisfy CTP ≤ F, where F = (βant+βbnt)/(αact+αbct+βant+βbnt). In repeated indefinite games a stable equilibrium exists at CTP = Z = (1−p)·CTPmax, where p is the per-round continuation probability, allowing a non-zero proportion of circumvention traffic to flow indefinitely without triggering shutdown.
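The two equilibrium formulas can be evaluated numerically. This sketch reads the compound subscripts as products of per-class payoff weights (α, β) with the circumvention (ct) and non-circumvention (nt) traffic volumes — an assumption about the paper's notation — and all names are illustrative:

```python
def single_round_threshold(alpha_a, alpha_b, beta_a, beta_b, ct, nt):
    # F = (βa·nt + βb·nt) / (αa·ct + αb·ct + βa·nt + βb·nt): the channel
    # stays open in a single round only while CTP <= F.
    benefit = (beta_a + beta_b) * nt
    cost = (alpha_a + alpha_b) * ct
    return benefit / (cost + benefit)

def repeated_game_ctp(p, ctp_max):
    # Stable repeated-game operating point Z = (1 - p) * CTP_max, where p
    # is the per-round continuation probability.
    return (1 - p) * ctp_max
```

With all weights and volumes equal, F = 0.5; and at p = 0.9 with CTP_max = 0.5, the sustainable repeated-game proportion is Z = 0.05.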
-
The optimal multi-protocol CRS traffic allocation distributes circumvention traffic across n cover protocols proportionally to each protocol's non-circumvention traffic volume (CTPi = Li · CTP/(1−CTP)), keeping every individual protocol below the blocking threshold. This makes individual protocol channels independently optimizable, with the sole selection criterion being maximizing cover traffic volume L rather than any other protocol property.
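The allocation rule CTP_i = L_i · CTP/(1−CTP) is easy to check in code; the volumes below are illustrative:

```python
def allocate_circumvention(cover_volumes, total_ctp):
    # CTP_i = L_i * CTP / (1 - CTP): distribute circumvention load in
    # proportion to each protocol's cover-traffic volume L_i, so every
    # channel carries the same circumvention fraction as the aggregate.
    k = total_ctp / (1 - total_ctp)
    return [L * k for L in cover_volumes]

loads = allocate_circumvention([100.0, 50.0, 10.0], 0.2)
```

With these volumes, each channel's resulting proportion c/(c + L) equals the aggregate 0.2, keeping every protocol uniformly below the blocking threshold — which is why cover-traffic volume L is the sole protocol-selection criterion.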
-
Throttling—capping total CRS traffic at Fab and withholding surplus—strictly dominates dumping surplus traffic onto a sacrificial protocol that will subsequently be blocked. Table 2 shows that at CTP = Fab·1.05 the circumventor's relative utility drops to 0.88 of the Fab baseline when dumping, while throttling preserves all open protocols; under a censor flooding attack dumping additionally loses protocol n entirely, making throttling the dominant strategy in both attack and no-attack conditions.
-
All bridges in a given Tor Browser release batch were blocked simultaneously within a 20-minute window, and every blocking event occurred during China Standard Time business hours (between 10:40 and 17:00 CST). The combination of unpredictable multi-day delay followed by abrupt simultaneous batch blocking suggests a semi-manual process: human analysts discover bridges after an irregular delay, then an automated system applies blocks.
-
China's firewall never blocked a bridge before its public Tor Browser release, despite bridges being discoverable earlier via bug-tracker tickets and source code commits. The four bridges distributed only in Orbot (not Tor Browser) remained unblocked throughout the experiment, indicating the GFW monitors end-user software releases rather than upstream repositories or alternative distribution channels.
-
The Great Firewall of China blocked newly published obfs4 Tor Browser default bridges after delays of 7, 2, 18, 11, and 36 days following the first public software release, and up to 57 days after bridges were first discoverable via bug-tracker ticket filing. Iran showed no blocking of the same default bridges across the entire five-month measurement period.
-
Some obfs4 bridges exhibited a roughly 24-hour periodic semi-blocking pattern from China, where bridges cycled between reachable and blocked states with a ~24-hour period. This diurnal pattern differed between the two China probe sites and between bridges, and one blocking failure coincided with a documented nationwide GFW outage that also briefly restored access to Google services.
-
GFW blocking was keyed on both IP address and port number, not IP address alone. Bridges with port 22 (SSH) open had that port remain reachable even as other ports on the same IP were blocked, confirming per-(IP, port) tuple granularity in the GFW blocklist.
-
Snowflake exclusively uses WebRTC data channels (on-wire protocol: DTLS), whereas the majority of WebRTC applications use media channels (DTLS-SRTP or SRTP/SDES); a censor can therefore block Snowflake by filtering data-channel flows alone without blocking WebRTC media applications, incurring minimal collateral damage and reducing the overblocking deterrent.
-
The authors extend Houmansadr et al.'s 'parrot is dead' argument to WebRTC: because WebRTC is a large multi-protocol framework, superficial mimicry that fails to replicate exact DTLS version, cipher suite ordering, certificate common name ('WebRTC'), 30-day validity period, STUN server selection, and ICE packet sequence leaves detectable residual distinguishers, making deep fingerprint conformance especially hard for standalone non-browser implementations such as Snowflake's client.
-
Among the five WebRTC applications analyzed (Google Hangouts, Facebook Messenger, OpenTokRTC, Sharefest, Snowflake), Snowflake is uniquely identifiable by its use of DTLSv1.2 (all others use DTLSv1.0), its 17 offered cipher suites, and its exclusive selection of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256—a cipher suite not chosen by any other application in the study.
-
STUN and TURN packets carry a SOFTWARE attribute that explicitly names the server implementation (e.g., 'Citrix-3.2.5.1 Marshal West' for OpenTokRTC), and the choice of STUN servers, forced-TURN usage, and STUN message-type sequence (Binding-only vs. Allocate+CreatePermission vs. send-indication) differ across applications, providing a passive censor with reliable application-level fingerprints orthogonal to the DTLS layer.
-
A DTLS fingerprinting script run on one full day of network traffic at Lawrence Berkeley National Laboratory found only 7 DTLS handshakes with 3 unique client fingerprints and 3 unique server fingerprints, suggesting there may not be enough naturally occurring WebRTC traffic to provide meaningful cover for a WebRTC-based circumvention system.
-
Password-protected Castle game sessions (passwords distributed via a BridgeDB-like mechanism) prevent censors from joining instances to observe in-game state or identify participants; when a client fails to supply the correct password within a timeout, the Castle proxy falls back to an AI player, making Castle instances indistinguishable from legitimate games even to an adversary who enters the lobby.
-
Castle structurally avoids all three covert-channel pitfalls identified by Geddes et al.: architecture mismatch is avoided by supporting both client-server and P2P modes; channel mismatch is avoided because RTS games implement application-layer reliability over UDP (matching proxied TCP requirements, unlike VoIP), blocking selective-drop denial-of-service attacks; content mismatch is avoided because legitimate RTS traffic has high natural variance driven by map, strategy, and player count.
-
A single undergraduate ported Castle to two closed-source commercial RTS games (each with >8.5 million copies sold, from different studios) in under 6 hours per game using a ~500-LOC Python/AutoHotkey codebase; 17 of the Top 20 best-selling RTS games share the unit-command structure Castle requires, and 11 have community-decoded replay formats, enabling rapid adaptation to new titles.
-
Castle's packet-size and inter-packet-time distributions (measured via Kolmogorov-Smirnov statistic) fall within the variance observed between legitimate human-game sessions when using ≤50 units/command at ~1 command/second; the best-performing classifier (Herrmann) achieved only ~60% accuracy—roughly 10% above random guessing—against multiple Castle configurations, while two other classifiers (Liberatore, Shmatikov timing) performed near chance.
-
Vanilla Castle achieves 42–190 bytes/second (average) and transfers a 10 KB file in 52–238 seconds depending on the game (0-A.D. / Aeons / Conquerors); game-specific exploitation of per-unit click logging in Aeons raised throughput to ~3 KB/s. These rates are sufficient for asynchronous text-based communication (tweets, email, news articles) and bootstrapping Tor bridge IP distribution.
-
A naive active-probing resistance scheme that embeds a fixed-length token in the initial request is vulnerable to flow fingerprinting because the censor can detect connections that always begin with a fixed byte count; pseudo-random padding removes this length-based signature. Separately, obfuscating-service schemes that reveal server aliveness by completing TCP expose the server IP to enumeration even before the application-layer challenge fires.
-
Of 73 censorship resistance systems surveyed through February 2016, only 11 address the Communication Establishment phase versus 62 for Conversation, even though Tschantz et al. document that real censorship attacks concentrate on Communication Establishment rather than on the Conversation tunnel.
-
Wiley's Bayesian classifier against obfuscated protocols (Dust, SSL, obfs-openssh) found that entropy detection achieved 94% accuracy using only the first packet, timing-based detection achieved 89% accuracy over entire packet streams, and length-based detection achieved only 16% accuracy.
-
The Great Firewall detects Tor bridges through a two-stage active-probing pipeline: GFW DPI first flags a flow as a potential Tor connection, then random Chinese IP addresses initiate Tor handshakes to the suspected bridge; if the handshake succeeds, the bridge IP:port combination is blocked.
-
Anderson's analysis of Iran's network connectivity from January 2010 to 2013 uncovered two extended throttling periods with 77% and 69% decreases in download throughput respectively, plus eight to nine shorter periods; these often coincided with holidays, protest events, international political turmoil, and important anniversaries.
-
χ² homogeneity tests on 70 audio signal pairs show that at SNR ≥ 25 dB the probability that a statistical test fails to distinguish modulated from original signals rises to 77.13% (i.e., the rate of successful discrimination falls below 23%). Crucially, this analysis requires access to the original unmodulated signal; for live voice transmissions no such pairing is feasible for the censor, rendering statistical detection unrealizable in practice.
-
The paper's threat model explicitly assumes censors can enforce client-side VoIP software (e.g., TOM-Skype in China) giving the adversary access to the pre-encoding audio signal at both endpoints. Despite this, SkypeLine forces the censor into an all-or-nothing position: intercepting hidden data requires blocking the entire VoIP service, since no network-layer observable (packet headers, timing, encrypted payload) distinguishes steganographic from legitimate calls.
-
SkypeLine's m-ary modulation (Mode B using 128-bit Hadamard sequences) achieves a peak data rate of 2,407 bps, representing a 12,035% improvement over FHSS-based DSSS (Takahashi et al., 20.5 bps) and 19,256% over phase-coding techniques (Nutzinger et al., 12.5 bps). Four-layer parallel binary modulation (Mode A, Quattro) achieves a peak of 224 bps and mean of 106.61 bps at ≥99% reconstruction accuracy.
-
A Skype prototype operating under real-world conditions achieves 64 bps (WGN noise, no ECC) at ≥99% reconstruction accuracy and ≥23 dB SNR. With OPUS/Silk encoding (vector quantization), throughput is constrained to approximately 72 bps at two modulation layers; additional layers fail to satisfy the 99% accuracy bound because VQ codec noise reduction filters the embedded pseudo-noise sequences.
-
Wireshark captures of Skype traffic with and without hidden information at inaudible SNR show no statistically significant differences in inter-arrival times (mean IAT 0.019 s in all conditions) and only a 2.6% difference in mean packet length (130.34 bytes unmodulated vs. 126.98 bytes at inaudible SNR), well within one standard deviation (SD ≈ 12–14 bytes) and insufficient for reliable content-mismatch detection.
-
By transmitting application-level social media content over genuine SMTP/IMAP connections rather than imitating email protocols, Mailet achieves channel and content consistency, making it immune to the differential channel attacks — channel mismatch and content mismatch — that defeated earlier hide-within systems such as StegoTorus and FreeWave.
-
Mailet resists proxy enumeration because clients communicate exclusively through widely-used email hosting providers over standard POP3/SMTP/IMAP ports; no direct client-to-Mailet-server connection ever exists, so even if a censor learns a Mailet server's IP address, blocking it requires blocking all email to major providers — collateral damage that is politically infeasible.
-
Mailet's GCM-based Credential Recovery (GCM-CR) achieves a 120x speedup over traditional garbled-circuit 2PC for privately reconstructing split credentials inside a live TLS record, enabling a single Mailet server to support up to 200 simultaneous sessions with each service request completing in approximately 1 second.
-
Mailet clients' daily email traffic patterns remained within the normal range of genuine email users, validated against the Enron dataset (517,425 emails, 151 users) combined with simulated Twitter usage patterns from 100 randomly sampled accounts, demonstrating that per-user daily email frequency is a poor Mailet detector with high false-positive and false-negative rates.
-
Mailet's (2,2)-threshold credential scheme distributes a user's social media credential as Cred1 ⊕ Cred2 across two randomly chosen servers; an adversary corrupting fraction ρ of the server pool has at most probability ρ² of compromising both servers for a given user, and under standard AES assumptions a single compromised server leaks no information about the credential beyond its length.
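The XOR split lends itself to a few lines of code. The following is an illustrative sketch of the scheme as described, not Mailet's actual implementation (function names are hypothetical):

```python
import os

def split_credential(cred: bytes) -> tuple[bytes, bytes]:
    # (2,2)-threshold split: cred = share1 XOR share2.
    # share1 is uniformly random, so each share alone is statistically
    # independent of the credential (it leaks only the length).
    share1 = os.urandom(len(cred))
    share2 = bytes(a ^ b for a, b in zip(cred, share1))
    return share1, share2

def recover_credential(share1: bytes, share2: bytes) -> bytes:
    # Both shares are required; XOR-ing them cancels the random mask.
    return bytes(a ^ b for a, b in zip(share1, share2))
```

Because recovery needs both shares, an adversary must compromise both randomly chosen servers holding a given user's shares, which is where the ρ² bound comes from when a fraction ρ of the pool is corrupted.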
-
CovertCast's broadcast model decouples server workload from client count: one server can serve unlimited simultaneous clients without per-connection overhead, unlike hide-within systems such as FreeWave where server costs grow linearly with users. This architecture also defeats Sybil-based DoS attacks, because flooding the server with fake client requests does not increase server load — the server never processes individual client connections.
-
Under degraded network conditions, CovertCast page load times increased by 2–3× at 800 Kbps (below YouTube's minimum 720p bitrate of 1.5 Mbps), with 20 of over 4,000 images dropped at 800 Kbps; at 10% packet loss, 35 images were missed due to YouTube temporarily accelerating video playback; at 20% packet loss, 720p video could not be loaded at all.
-
A KL-divergence classifier trained to distinguish CovertCast streams from real YouTube streams achieved only 33–45% true positive rate on packet-size distributions and 36–41% on inter-packet timing distributions — below random guessing — while maintaining 86–98% true negative rates. Overall classifier accuracy was approximately 65–68%, driven entirely by the high true negative rate rather than genuine detection capability.
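A minimal sketch of such a KL-divergence decision rule over matched histograms (function names and the smoothing constant are assumptions, not the paper's code):

```python
import math

def kl_divergence(p: list[float], q: list[float], eps: float = 1e-9) -> float:
    # D_KL(P || Q) over matched histogram bins; eps smooths empty bins.
    return sum(pi * math.log((pi + eps) / (qi + eps))
               for pi, qi in zip(p, q) if pi > 0)

def classify(stream: list[float], covert_ref: list[float],
             regular_ref: list[float]) -> str:
    # Label a stream by whichever reference distribution it is closer to.
    # The paper's point is that packet-size/timing histograms of CovertCast
    # and ordinary YouTube streams are too similar for this to work well.
    if kl_divergence(stream, covert_ref) < kl_divergence(stream, regular_ref):
        return "covertcast"
    return "youtube"
```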
-
CovertCast uses the identical video codecs, streaming protocols (RTMP/HTTPS), and server endpoints as any other YouTube live stream, making it indistinguishable from regular streaming traffic to both passive protocol-analysis and active traffic-manipulation attacks. Any active attack that disrupts CovertCast connections — such as selective packet dropping — would equally disrupt all non-circumvention viewers of the same streaming service, imposing prohibitive collateral damage.
-
Because CovertCast clients connect to live-streaming service infrastructure (e.g., YouTube servers) rather than to CovertCast servers directly, IP-address blacklisting of CovertCast infrastructure does not allow censors to identify or disrupt client connections. Discovering the CovertCast server's IP address is therefore irrelevant to the censor's blocking goal.
-
Internet connectivity is the primary determinant of RAD attack strength across nation-state censors: China (573 ASes, 858 ring ASes) achieves a censorship metric of 0.277 under profile T1, while Syria (4 ASes, 5 ring ASes) achieves only 0.101 with the same decoy budget. Venezuela, despite fewer total ASes than Saudi Arabia (44 vs. 107), achieves a higher censorship metric (0.210 vs. 0.197) owing to its disproportionately large ring AS count (835 vs. 176), confirming that ring AS count predicts RAD capability better than raw AS count.
-
Optimal RAD by a QoS-cautious wealthy Chinese censor (profile T1, F/ρ₀ = 5×10^6) forces 10.8% of routes onto non-valley-free (NVF) paths and 1.2% onto less-preferred routes, while still leaving 16.3% of routes traversing decoy ASes—zero routes become unreachable at this budget. The NVF and less-preferred-route fractions rise and then fall as decoy budget increases, as further RAD routing gains diminish past a crossover point.
-
The game-theoretic optimal decoy placement (ε-Nash equilibrium via best-response dynamics against an optimal RAD adversary) achieves a censorship metric of 0.2 at budget ratio F/ρ₀ = 10^8, versus 0.42 for the best prior heuristic ('sorted' placement from Houmansadr et al. [14]) under the same budget—a 2× improvement in censorship resistance per dollar. Prior comparisons used ad hoc RAD deployments rather than the optimal adversary, understating the benefit of principled placement.
-
Game-theoretic simulation shows that a QoS-cautious, wealthy Chinese censor (profile T1/T4) cannot reduce decoy-accessible routes below ~27% (censorship metric ≈ 0.277) via the RAD attack regardless of budget. An irrational censor can achieve a censorship metric of 1.000 but only by making 70.3% of all Internet routes unreachable to Chinese users—a collateral-damage threshold that constrains rational nation-state censors in practice.
-
In the autonomous (non-centrally-funded) deployment model, the decoy service fee γ (ratio of decoy revenue to transit revenue per MB) is the primary lever for censorship resistance: for China with profile T1, γ = 5 leaves 9.6% of routes usable for circumvention after optimal RAD, compared to 16.3% under the centrally-funded model at budget ratio F/ρ₀ = 5×10^6. Higher fees compensate ASes for RAD-induced transit revenue loss and sustain participation, but the autonomous model delivers roughly half the censorship resistance of a centrally-funded deployment at comparable incentive levels.
-
Matryoshka achieves an average covert rate of ~3 bits/word after human enhancement; for a 5-word hidden message averaging 5.5 characters per word, the final enhanced stegotext is approximately 73 words. This is roughly 10× the covert rate of Spammimic (~0.3 bits/word), the prior leading approach.
-
After crowdsourced (MTurk) enhancement, 88% of stegotexts on average pass a One-Class SVM trained on 150K sentences from Wikipedia, Brown, and Reuters corpora as natural language; pre-enhancement, only 25–58% pass. For calibration, the same classifier correctly rejects 97% of randomly generated sentences as non-natural-language.
-
A mixed Huffman codebook combining character-level coding with explicit entries for the 300 most frequent English words (covering ~65% of written material) achieves a 52% compression ratio on average across 4,825 sentences of 4–15 words—7 percentage points better than a character-only alphabet—directly increasing the covert bits available per output word.
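The mixed-codebook idea, per-character entries plus explicit entries for frequent whole words, can be sketched with a standard Huffman construction (toy frequencies; the actual 300-word table and corpus statistics are the paper's):

```python
import heapq
from itertools import count

def huffman_code(freqs: dict[str, float]) -> dict[str, str]:
    # Build a Huffman code over a mixed alphabet where a symbol may be a
    # single character or a whole word, weighted by corpus frequency.
    tiebreak = count()  # makes heap entries comparable when weights tie
    heap = [(w, next(tiebreak), sym) for sym, w in freqs.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)
        w2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (w1 + w2, next(tiebreak), (left, right)))
    codes: dict[str, str] = {}
    def walk(node, prefix):
        if isinstance(node, tuple):          # internal node
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:                                # leaf: char or word symbol
            codes[node] = prefix or "0"
    walk(heap[0][2], "")
    return codes

# Frequent whole words earn short codewords; rare text falls back to
# per-character coding (illustrative frequencies only).
freqs = {"the": 0.30, "of": 0.15, "and": 0.12,
         "a": 0.08, "e": 0.10, "t": 0.09, "x": 0.01, "z": 0.005}
codes = huffman_code(freqs)
```

Giving the most frequent words their own leaves is exactly what buys the extra compression over a character-only alphabet: one short codeword replaces several character codewords.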
-
Users required 4.0–5.8 minutes on average to enhance a stegotext into natural language across three experiments, inserting 4–8 extra words per sentence; this is comparable to the time required to write a short email. The random-word-selection baseline consistently required more time and inserted more words, confirming that n-gram-guided word choice meaningfully reduces human editing burden.
-
The Viterbi-based probabilistic decoder achieves zero character error rate on 96%, 93%, and 95% of decoded messages across the three corpora experiments (dreams, animals, facebook). For the small fraction of failures, only 15% of characters on average were corrupted rather than total message loss.
-
Naive interference measurement systematically misclassifies CDN geographic routing as blocking (and vice versa): when China or Russia resolves twitter.com to a non-US IP, a naive detector must decide whether that is a CDN point of presence or interference. Joint iterative analysis of DomainSimilarity and IPTrust scores is required to separate authentic CDN footprints from block-page redirections.
-
The top 10 CDNs collectively host nearly 20% of the Alexa top 10,000 domains (1,967 domains); CloudFlare alone accounts for ~10% of those sites (726 domains) and operates across 75 ASes with 107,008 IP addresses. CDN-hosted domains receive disproportionate interference relative to their 20% share, suggesting censors target popular shared-infrastructure sites as a high-leverage blocking strategy.
-
Censors can evade external DNS measurement systems like Satellite by injecting spoofed DNS responses only for resolvers located within the censored country, returning correct answers to external probes. This targeted injection would be 'much less visible to Satellite' while remaining fully effective against in-country users; the paper flags this as a fundamental limitation of single-vantage external measurement.
-
Satellite detected a spike in anomalous DNS resolutions across Iranian ISPs in the second half of 2015, correlating with Iranian authorities' public statements about beginning a 'second phase of filtering,' followed by additional newly inaccessible domains in the lead-up to the February 2016 elections — demonstrating longitudinal DNS measurement can detect and time censor policy escalations.
-
Satellite's single-node measurement methodology, probing 1/10th of 12 million discovered open DNS resolvers across 20,000 ASes and 169 countries, detected 4,819 instances of ISP-level DNS hijacking across 117 countries while measuring 10,000 domains with weekly precision from a single external vantage point.
-
Domestic mesh traceroutes (both source and destination inside the target country) uncovered 5,562 new AS edges not present in standard BGP table–derived topology datasets, far exceeding the 647 new edges found by inside-out/outside-in traceroutes using up to 25 probes. Russia, the US, France, the UK, and Ukraine gained the most new edges.
-
A decision tree with linear regression at leaves (DTLR) trained on AS-topology features for 168 countries predicts Freedom House freedom category (Free/Partly Free/Not Free) with 95% accuracy. Average FPI prediction error was 3.47%, and prediction error remained ≤8 points (on a 0–100 scale) 90% of the time under leave-one-out cross-validation.
-
IP density (number of IP addresses per person) is the single most predictive feature of a country's Freedom of Press Index. A normalized IP density value of ≥0.167 reliably predicts high freedom of expression, while normalized maximum BGP policy-compliant path length ≥0.643 reliably predicts low freedom.
-
Iran's national policy forces all domestic ASes to route through a single national telecom AS (AS 12880), resulting in Iran connecting to only 6 international networks. By contrast, Singapore has 257 domestic ASes connected to 3,022 international ASes despite similar geographic scale.
-
Singapore's AS topology — 257 domestic ASes with 3,022 international connections — resembles that of high-freedom countries, yet its Freedom of Press Index is 33 (Partly Free), making it a structural outlier where rich international BGP connectivity coexists with enforced information controls. The DTLR model predicts Singapore's FPI should be ≥70 (Free).
-
Measured data overhead when loading web pages across four circumvention channels over DSL: instant messaging (Skype text) added 39% overhead, email added 107%, file sharing (Dropbox) added 272%, and VoIP audio modulation added an 84× overhead. Latency was lowest for instant messaging; VoIP latency was dominated by its limited 1200-baud audio encoding bandwidth.
-
Camouflage bypassed GFW censorship in China across one month of daily testing with no plugin blocked. The GFW's primary mechanism was identified as keyword filtering on web content rather than DNS hijacking (avoided due to risk of collateral international impact). Dropbox was inaccessible inside China during testing, demonstrating that plugin substitutability is operationally necessary: at least one alternative protocol must remain reachable in any given censored environment.
-
To match legitimate user behavior, the Camouflage dispatcher enforces empirically derived per-protocol session time limits: email 1–3 minutes, file sharing 5–10 minutes, instant messaging 15–20 minutes, and VoIP 20–30 minutes (Table 1). Sessions exceeding these windows produce a detectable deviation from population-level usage norms.
-
Protocol imitation systems (SkypeMorph, CensorSpoofer, StegoTorus) fail to achieve unobservability because they implement the target protocol only partially, creating statistical discrepancies that censors can detect. Houmansadr et al. (2013) demonstrated this as a fundamental flaw: unobservability by imitation is categorically insufficient as a circumvention design principle.
-
A single-protocol circumvention system creates a detectable anomaly: when the system is active, the traffic pattern on that protocol diverges from the same user's baseline behavior, which anomaly-based detectors can classify. Users who also legitimately use the tunneled service in daily life produce two distinct signatures — one with and one without the circumvention layer — further compounding detectability.
-
CDNBrowsing of full-CDN content imposes near-zero operational cost on circumvention operators because all bandwidth is paid by the censored content publisher via their CDN contract. Dynamic mirrors for partial-CDN sites add negligible load compared to proxy-based systems: for sample sites, traffic relayed by CDNReaper dynamic mirrors was nearly negligible, while the meek pluggable transport had cost Tor $26,536 in total ($2,479/month at the time of measurement) despite a 1.5–3 MB/s per-user bandwidth cap and a discounted research grant rate.
-
A survey of the top 10,000 Alexa websites found that only 6% (Class 1) are fully hosted on shared CDNs with HTTPS deployments that allow removal of destination leakage — the only class browsable with plausible unobservability against a competent DPI-equipped censor — while 64% are partial-CDN sites (Class 4) whose CDN-hosted content (images, videos) can still be reached via content wrappers or dynamic mirrors at negligible operational overhead.
-
A domain-based website fingerprinting attack against CDNBrowsing traffic — using the per-domain packet volume exchanged during a browsing session as a decision-tree feature vector — achieves 0.991 ± 0.002 accuracy against CacheBrowser on 100 China/Iran-blocked HTTPS pages, modestly outperforming the state-of-the-art k-NN classifier of Wang et al. (0.94 ± 0.002) while being two orders of magnitude faster: 0.60 CPU-seconds training and 10 µs classification versus 90 CPU-seconds and 0.05 CPU-seconds on an Intel Xeon 3.5 GHz processor.
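The feature extraction behind such an attack is simple enough to sketch: per-domain traffic volume for a session becomes a fixed-order vector that any off-the-shelf decision tree can consume (names here are illustrative, not the paper's code):

```python
def domain_features(session: list[tuple[str, int]],
                    monitored: list[str]) -> list[int]:
    # session: (domain, bytes) pairs observed during one page load.
    # Returns total bytes exchanged per monitored domain, in fixed
    # order, suitable as a decision-tree feature vector.
    totals = {d: 0 for d in monitored}
    for domain, size in session:
        if domain in totals:
            totals[domain] += size
    return [totals[d] for d in monitored]
```

The speed advantage over packet-sequence classifiers follows directly: the vector has one small integer per domain rather than one feature per packet.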
-
Real-world CDN HTTPS deployments leak the identity of visited websites through three distinct channels — TLS certificate contents (A2, B1, B2 deployments), the plaintext SNI field (B1), and dedicated IP address mappings (B2) — enabling censors to block CDNBrowsing connections via standard DPI or IP filtering without collateral damage to non-forbidden CDN content. Each leakage channel requires inspecting only a single packet from an HTTPS connection, making the attack low-cost and deployable on off-the-shelf censorship boxes.
-
CDNReaper's Scrambler defeats domain-based and Wang et al. k-NN fingerprinting by injecting decoy requests uniformly distributed across ndom popular domains and dropping ~24% of advertisement/analytics requests (which constitute on average 24% of top-1000 Alexa page requests); even at low traffic overheads, fingerprinting accuracy drops significantly from the 0.991/0.94 baseline, with dropping traffic providing more benefit at lower overhead budgets.
-
Winter and Lindskog [157] (2012) documented that the GFW used TLS SNI inspection in combination with IP/port filtering and TCP disruption to block Tor, as recorded in the survey's Table 1. This is one of the earliest published accounts of the GFW applying SNI-based blocking specifically to a circumvention protocol, demonstrating that the GFW correlated multiple detection signals rather than relying on any single technique.
-
Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.
-
The survey identifies 'soft censorship' — including throttling, packet-loss injection, and quality-of-experience degradation — as detected by only 2 of 13 surveyed platforms (rTurtle and UBICA) as of 2015. The paper explicitly flags this as a measurement gap, noting that soft censorship symptoms are indistinguishable from ordinary network congestion without ground-truth probes placed outside the censor's network.
-
As of 2015, TLS tampering detection was implemented by only a small minority of surveyed censorship measurement tools: explicitly by Holz et al.'s Crossbear (2012) and OONI (2012), and partially by Soghoian and Stamm (2011) and UBICA (2013). The majority of the 13+ surveyed platforms detected DNS tampering and HTTP manipulation but lacked TLS coverage, creating a systematic blind spot in published censorship measurement.
-
The paper formally defines circumvention as either preventing the trigger from being seen by the surveillance device, or countering the effects of the censoring action. This two-path decomposition — hide the trigger vs. nullify the enforcement — provides a clean design framework: a circumvention tool can succeed by making traffic unrecognizable (no trigger fires) or by routing around the blocking device (action nullified).
-
In Italy, gambling and betting sites were censored primarily via DNS hijacking toward explicit blockpages with ISP-level plausible-DNS-resolution rates as low as 4.5% (NGI), 31.2% (Wind), and 46.1% (Telecom Italia), while the academic GARR network showed no censorship. File-sharing sites (thepiratebay.sx) faced a more aggressive multi-layer response: 2 of 4 ISPs showed less than 50% TCP reachability (versus near 100% for betting sites), and control DNS resolvers were also affected, indicating coordinated infrastructure-wide blocking rather than ISP-level DNS hijacking alone.
-
For the same blocked resource (YouTube) in Pakistan, UBICA found at least three distinct ISP-level techniques in parallel: Micronet Broadband and Witribe Pakistan use DNS injection redirecting to explicit blockpages; Pakistan Telecom Company Ltd. returns DNS responses yielding only 11.7% plausible IPs; while Transworld Associates and National Wi-Max/IMS apply HTTP tampering with no DNS interference, confirmed by passing TCP reachability tests but failing content-size ratio checks.
-
Pakistan Telecom Company Ltd. implemented DNS injection by returning 127.0.0.1 (localhost) for blocked domains, so TCP connections and HTTP requests appeared to succeed ("Content available" near 100%) while no legitimate content was served. Only 11.7% of DNS resolutions yielded a plausible IP address, yet the symptom is a silent local service response rather than an explicit blockpage, misleading users and confusing automated detection tools that rely on TCP reachability.
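A detector that trusts TCP reachability misses exactly this case; checking answer plausibility first catches it. A minimal sketch using the standard library (the classification labels are mine):

```python
import ipaddress

def classify_resolution(answer: str) -> str:
    # Loopback answers (127.0.0.1) make later TCP/HTTP checks "succeed"
    # against the client's own machine, so they must be flagged before
    # any reachability result is trusted.
    addr = ipaddress.ip_address(answer)
    if addr.is_loopback:
        return "injected-loopback"
    if addr.is_unspecified or addr.is_private or addr.is_reserved:
        return "implausible"
    return "plausible"
```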
-
In South Korea, adult websites (e.g., hardsextube.com) were censored exclusively via HTTP content substitution — a JavaScript redirect to the official blockpage http://warning.or.kr — with 98% of content-size-ratio samples falling below the 0.3 detection threshold, while no DNS tampering or TCP-level blocking was observed. All other tested countries had fewer than 16% of samples below the threshold.
-
UBICA's crowdsourced measurement campaign across 31 countries deployed 200+ probes (47 GUI clients, 188 headless clients, 16 BISmark routers) and tested more than 16,000 targets (~15,000 hostnames) over 4 months. Its content-size ratio algorithm detects blockpage substitution by comparing average resource size per country against a global baseline, using a threshold of 0.3 (midpoint between the two observed distribution modes minus a 0.2 guard interval) without requiring a pre-existing uncensored ground truth.
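The ratio test itself is a few lines; a hedged sketch of the idea (UBICA's exact aggregation and guard-interval derivation are in the paper; function names are mine):

```python
def content_size_ratio(country_sizes: list[int],
                       global_sizes: list[int]) -> float:
    # Average fetched-resource size observed in one country,
    # normalized by the global average for the same resource.
    country_avg = sum(country_sizes) / len(country_sizes)
    global_avg = sum(global_sizes) / len(global_sizes)
    return country_avg / global_avg

def looks_like_blockpage(country_sizes: list[int], global_sizes: list[int],
                         threshold: float = 0.3) -> bool:
    # Blockpages are far smaller than the pages they replace, so a
    # ratio below the 0.3 threshold flags likely substitution.
    return content_size_ratio(country_sizes, global_sizes) < threshold
```

The appeal of this test is that the global baseline stands in for ground truth: no pre-censorship copy of the page is needed.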
-
Chrome's non-standard behavior of firing an onload event for any HTTP 200 OK response regardless of MIME type—combined with its enforcement of X-Content-Type-Options: nosniff—allows the script tag to probe reachability of arbitrary non-image URLs, a measurement capability unavailable in other browsers that attempt to execute fetched content as JavaScript and thus pose an XSS risk.
-
Over 60% of the 178 tested target domains host images ≤1 KB (fitting in a single TCP packet), enabling domain-level filtering detection via cross-origin image embedding for more than half of domains; however, Encore can measure fewer than 10% of individual URLs when limiting iframe page loads to 100 KB, confirming that detecting per-URL filtering is an order of magnitude harder than domain-level detection.
-
Applying a regional binomial hypothesis test (p=0.7, significance 0.05) to Encore measurements independently confirmed censorship of youtube.com in Pakistan, Iran, and China, and of twitter.com and facebook.com in China and Iran, validating passive cross-origin measurement against prior independent reports of filtering.
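Such a regional binomial test needs only the standard library; the following sketch uses the stated null of a per-measurement success rate of at least p=0.7 (helper names are mine):

```python
from math import comb

def binom_lower_tail(k: int, n: int, p: float) -> float:
    # P[X <= k] for X ~ Binomial(n, p).
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def region_censored(successes: int, trials: int,
                    p: float = 0.7, alpha: float = 0.05) -> bool:
    # Reject "accessible" (per-measurement success rate >= p) when the
    # observed success count is implausibly low at significance alpha.
    return binom_lower_tail(successes, trials, p) < alpha
```

Aggregating per region before testing is what keeps individual flaky measurements from triggering false censorship reports.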
-
In 8,573 controlled testbed measurements across image, stylesheet, and script task types, Encore produced zero false negatives and a ~5% false positive rate in India (attributed to unreliable network connectivity rather than filtering), establishing that cross-origin browser probes reliably detect DNS, IP, and HTTP filtering under stable network conditions but require aggregation to control noise.
-
Encore collected 141,626 measurements from 88,260 distinct IPs in 170 countries over seven months (May 2014–January 2015) using as few as 17 volunteer webmaster deployments, demonstrating that passive cross-origin measurement can achieve broader geographic vantage-point coverage than custom-software deployments without recruiting individual end-users.
-
The fragment cache side channel is the most widely applicable TCP/IP side channel, capable of eliciting responses even from hosts behind host firewalls because it operates at Layer 3 (IP fragments). When combined with a Layer 4 technique such as the SYN backlog scan, it can distinguish censorship implemented at Layer 3 versus Layer 4, though fragment cache implementations vary widely across OSes and devices.
-
Approximately 1% of the IPv4 address space has globally incrementing IP ID counters, making IPID idle scans viable for Internet-scale censorship detection at roughly 5 packets per second. The technique is well-understood in terms of noise properties but is difficult to apply in IPv6 because the fragment ID field appears only in fragments.
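The decision logic of an IPID idle scan reduces to counting increments on the zombie's globally shared counter between two probes; a simulation sketch (the thresholding and verdict labels are my simplification):

```python
def idle_scan_verdict(ipid_before: int, ipid_after: int,
                      spoofed_probes: int = 1) -> str:
    # Every packet the idle "zombie" sends bumps its global IPID by one.
    # Our second probe reply accounts for exactly one increment; any
    # extra increments are RSTs the zombie sent in response to SYN/ACKs
    # from the target, i.e. evidence the spoofed probes got through.
    delta = (ipid_after - ipid_before) % 65536  # 16-bit counter wraps
    rsts = delta - 1
    if rsts >= spoofed_probes:
        return "open/unfiltered"
    if rsts == 0:
        return "blocked-or-closed"
    return "noisy"  # background traffic on the zombie; remeasure
```

The "noisy" branch is why the technique's noise properties matter: only hosts whose counters are quiet between probes give clean verdicts at ~5 packets per second.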
-
Over more than 10 years of ONI client-side measurements conducted in 77 countries—of which 42 were found to implement some form of filtering—no participating user was ever arrested, apprehended, pressured, or intimidated by authorities. However, HTTP GET requests to sensitive URLs are made without obfuscation or anonymization, and in countries with restrictive legal frameworks this activity could be viewed as subversive by authorities sensitive to exposure of censorship infrastructure.
-
To reduce risk to human subjects in side-channel censorship measurements, researchers can substitute gateway routers near the target client in place of the client machine itself—the approach used by Censored Planet—or perform measurements across entire /24 subnets so that no individual can be incorrectly associated with the measurement traffic. For the ICMP rate-limit side channel, the 'client' can be an unresponsive IP address, measuring the gateway router rather than any end-user machine.
-
The SYN backlog side channel can detect censorship for any Internet host with an open port at approximately 5 packets per second without causing denial of service, provided only one measurement machine targets any given server at a time. Updated implementations require only that the backlog be half full rather than requiring full exhaustion, eliminating the earlier DoS requirement.
-
Marionette defeats active fingerprinting by routing non-protocol probes into explicit error-state transitions that respond byte-identically to the target service. Across all 9 evaluated configurations (HTTP, FTP, SSH × nmap 6.47, Nessus 6.3.6, Metasploit 4.11.2), every fingerprinting tool reported the Marionette server as the intended target application (Apache 2.4.7, Pure-FTPd 1.0.39, or OpenSSH 6.6.1) while simultaneously passing live Marionette client traffic.
-
Marionette is the first programmable obfuscation system to simultaneously satisfy all five threat-model dimensions evaluated in Figure 2: resistance to blacklist DPI, whitelist DPI, statistical-test DPI, protocol-enforcing proxy traversal, and multi-layer traffic control, while sustaining throughput above 1 Mbps (up to 6.7 Mbps). Every prior system (obfs4, ScrambleSuit, SkypeMorph, StegoTorus, FTE, JumpBox, etc.) fails at least one dimension, most commonly stateful proxy traversal or statistical-feature control.
-
Randomization-based obfuscation systems (obfs2/3, obfs4, ScrambleSuit, Dust) resist blacklist DPI but fail entirely under protocol-whitelist filtering, as explicitly demonstrated during the Iranian elections where censors permitted only known-good protocols. Pure randomization provides no signal of being a permitted protocol, making it trivially blockable under any whitelist regime.
-
High-fidelity statistical mimicry of Amazon.com traffic — simultaneously matching HTTP response payload length distributions, request-response pairs per TCP connection, and simultaneously active connection counts — reduced goodput to 0.45 Mbps downstream and 0.32 Mbps upstream, versus 6.6/6.7 Mbps for simple RFC-compliant FTP mimicry. The bottleneck was the prevalence of very short payloads (most common length: 43 bytes) forcing frequent TCP connection setup and teardown, with the server blocked on network I/O 98.8% of the time.
-
Format-Transforming Encryption (FTE) fails under proxy-induced ciphertext modification — a single character change causes decryption failure — while Marionette's probabilistic context-free grammar (CFG) templates tolerate header rewriting, connection multiplexing, and content alteration by intermediate proxies. Validated across 10,000 streams through Squid 3.4.9, achieving 5.8 Mbps downstream and 0.41 Mbps upstream goodput.
-
He et al. found that 65% of sampled routes between public traceroute servers have some degree of AS-level asymmetry; John et al. found that asymmetry reaches 96% on Tier-1 ISP backbone links due to hot-potato routing. These figures invalidate the symmetric-route assumption underlying Telex and Cirripede and motivate a fully asymmetric design.
-
Because Rebound never terminates the client–decoy connection, connection-state probes (including 0trace-style TTL-expiry probes that bypass the decoy router via an alternate route) cannot reveal any discrepancy between the observed and actual state: the connection to the decoy host is always exactly in the state a censor would expect.
-
Rebound's mole protocol generates a characteristic traffic pattern — a steady stream of long HTTP GET requests followed by 404-style error responses — that may be identifiable via traffic analysis even though the channel is TLS-encrypted; the paper acknowledges this as an unmitigated vulnerability and notes that intermingling with ordinary requests reduces observability but further lowers effective throughput.
-
Rebound eliminates the stack-fingerprinting vulnerability present in Telex, Curveball, Cirripede, and TapDance by never forging packets addressed to the client; all data from the decoy router to the client travels through the real decoy host, so the TCP/IP stack fingerprint observed by a censor is always that of the genuine decoy.
-
In an Internet measurement from a residential Verizon FiOS client 12 hops from the Rebound router (26 ms RTT), Rebound achieves 129,398 bytes/s (≈126 KB/s) for 1 MB transfers, compared to 354,676 bytes/s for Curveball and 1,174,240 bytes/s for plain HTTP — sufficient to stream 360p video but roughly 3× slower than Curveball. The unoptimised Python router implementation uses less than half a core of an Intel Xeon E5620 at 2.4 GHz at sustained full speed.
-
GFW probes originate from a dedicated /16 subnet of Chinese IP addresses distinct from ordinary client traffic, and a single suspicious connection can trigger dozens of independent probe connections from different source IPs within the same subnet. Blocking this probe-source range does not prevent blocking — the GFW blocks at a separate decision point — but it does make probe traffic distinguishable from legitimate users.
-
The GFW's active-probing system launches probes at suspected circumvention servers within seconds to minutes (typically under 3 minutes) of observing a suspicious connection, making reactive defenses (e.g., delaying or rate-limiting probe responses) insufficient on their own to avoid detection and blocking.
-
The GFW sends protocol-specific probe payloads tailored to each circumvention tool: Tor bridges receive a TLS ClientHello mimicking Tor's own; obfs2/obfs3 servers receive random-looking payloads; Shadowsocks servers receive random bytes. A server that responds differently to these crafted probes versus innocent traffic (e.g., by sending a valid protocol handshake in response to a probe) reveals itself and is subsequently blocked.
-
The GFW blocks Tor primarily by dropping SYN/ACK segments entering China from blacklisted IP/port pairs, not by dropping SYN segments leaving China. Of 142,802 CN→Tor-Relay measurements, 81.52% were Server-to-client-dropped versus only 0.55% Client-to-server-dropped. Blocking Tor directory authorities also showed substantial Client-to-server drops (19.61%), suggesting authorities may be treated differently.
-
GFW filtering failures — cases where blocked Tor traffic passed through — showed no conspicuous geographic patterns across China. The maximum observed Pearson correlation coefficient between neighboring clients' failure counts was 0.26 (near-zero), and failure cases were geographically distributed in proportion to Internet penetration, not clustered by province or ISP region.
-
GFW failures are both persistent and intermittent: four client/server pairs showed all 22 hourly measurements over a full day returning No-packets-dropped (entirely unblocked), while many others showed only sporadic failures. Temporal analysis showed failures cluster in bursts of hours, with probability of a second failure decaying sharply beyond ~5 hours after the first.
-
Routing is the dominant structural factor in GFW failures. CERNET (the Chinese Educational and Research Network) accounted for 503 failures across 135 destination IPs, by far the most of any network, and packets transiting CERNET→CERNET links reached Tor destinations at a ratio of r=0.9896, near 1.0. Within the CHINANET and CNC Group backbones, the Tor-to-non-Tor traversal ratio dropped to 0.403 and 0.272 respectively (Table 4), indicating heavy intra-ISP filtering.
-
The hybrid idle scan technique converts approximately 1% of the total IPv4 address space into passive measurement vantage points without requiring control of either the censored client or the destination server, enabling full bipartite connectivity measurements across 161 geographically stratified Chinese clients and 176 servers over 27 days. After data pruning for quality, 36% of raw measurements were usable; ARMA modeling was sufficient (over Hidden Markov Models) because only level-shift detection was needed.
-
Domain fronting exploits the fact that major CDN providers (Google, Amazon CloudFront, Akamai, Microsoft Azure) terminate TLS at the edge before inspecting the Host header, so the SNI visible to a censor names a permitted CDN domain (e.g., www.google.com) while the inner HTTP Host header routes the request to a blocked destination. Blocking the fronted service requires blocking the entire CDN, creating collateral damage that most censors are unwilling to accept for major providers.
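A minimal sketch of the two layers in a fronted request, using placeholder hosts and constructing the request bytes without sending any traffic:

```python
def fronted_request(front_domain: str, hidden_host: str, path: str = "/"):
    """Return (sni, request_bytes) for a domain-fronted fetch (illustrative only)."""
    sni = front_domain  # plaintext in the TLS ClientHello, visible to the censor
    http_request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hidden_host}\r\n"   # encrypted inside TLS, seen only by the CDN edge
        f"Connection: close\r\n\r\n"
    ).encode()
    return sni, http_request

sni, req = fronted_request("www.google.com", "forbidden.example.com")
assert sni == "www.google.com"                # censor's view: a permitted CDN domain
assert b"Host: forbidden.example.com" in req  # CDN's routing decision, post-TLS-termination
```

Because the CDN terminates TLS at the edge before reading the Host header, the censor never sees the inner hostname; blocking requires blocking the front domain itself.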
-
The meek pluggable transport, implementing domain fronting over HTTPS, achieved median download throughput of roughly 1–2 Mbps in controlled tests from censored regions (China, Iran), confirming that CDN-fronted tunnels are viable for real users at consumer broadband speeds. Latency overhead compared to direct connections was measurable (tens of milliseconds per round-trip through the CDN edge) but acceptable for browsing workloads.
-
The paper formally characterizes the censor's visibility gap: the SNI field in the TLS ClientHello and the HTTP Host header inside the tunnel are the two places that reveal destination, and CDNs that terminate TLS before forwarding HTTP requests prevent censors from correlating them. Any censor capable of correlating SNI to inner-Host (e.g., through CDN cooperation or plaintext HTTP/2 framing) can defeat domain fronting without CDN blocking.
-
Residential ISP vantage points detect 36% more blocking than academic networks: of 1,947,691 matched URL tests, 72,454 non-academic tests were classified as blocking versus 52,921 academic tests. Averaged across 10 countries, the Jaccard similarity between blocked-URL sets in academic vs. non-academic networks is 0.59, indicating substantial divergence.
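The Jaccard similarity used for this comparison is straightforward to compute; the URL sets below are placeholders, not data from the study:

```python
def jaccard(a: set, b: set) -> float:
    """Jaccard similarity: |A ∩ B| / |A ∪ B| (defined as 1.0 for two empty sets)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

academic    = {"news.example", "blog.example", "social.example"}
residential = {"news.example", "blog.example", "video.example", "chat.example"}
print(round(jaccard(academic, residential), 2))  # 0.4
```

A value of 0.59 between academic and residential blocked-URL sets means that, on average, over 40% of the combined blocked set is observed from only one vantage type.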
-
Iran's censorship infrastructure shifted from fully decentralized (Jaccard similarity ~0 across ISPs in 2007) to highly centralized by June 2011, when the Jaccard similarity between the national gateway AS 12880 and two other ISPs reached 0.94 and 0.95. Almost all 2011 blocking was accompanied by a blockpage containing an iframe redirecting to internal IP 10.10.34.34, providing direct evidence of a single choke-point filtering infrastructure.
-
Locally curated URL lists elicit 3–5× higher blocking rates than global lists in high-censorship countries. In China and Yemen, local content was blocked three to five times more than globally sensitive content, attributed to language filtering and active censorship of local political discourse; China's 99% block rate on 'falun' in HTTP path vs. 81% for 'falun' in domain name further illustrates trigger sensitivity.
-
Across MENA countries (UAE, Tunisia, Oman, Iran, Qatar, Yemen, Saudi Arabia, Burma), over 80% of blockpage-delivering tests delivered the blockpage without DNS redirection, indicating transparent web proxies performing deep HTTP inspection rather than the cheaper DNS-intercept approach dominant in China. McAfee SmartFilter was identified in Qatar, Saudi Arabia, and UAE; Netsweeper in Qatar, UAE, and Yemen.
-
Yemen's national ISP (YemenNet) uses explicit blockpages for social and Internet-tools content while applying stealthy techniques — TCP RST injection and unrequited HTTP GETs — specifically for political and conflict content that is constitutionally protected. Censorship also ceases intermittently when the ISP exhausts filtering product licenses.
-
Blocking all homophones of 422 censored keywords would generate approximately 47,000 false-positive weibos per day per keyword, totaling roughly 20 million false positives daily — approximately 20% of Sina Weibo's daily message volume — making blanket homophone blocklisting operationally infeasible without massive collateral censorship of innocent traffic.
-
Homophone-transformed weibos lasted on Sina Weibo an average of 3.94 hours (σ=5.51) before removal, versus 1.3 hours (σ=1.25) for unaltered originally-censored posts — a threefold difference (W=1830, p<0.01) — while ultimate censorship rates were not significantly different between conditions.
-
Falling back to human review to defeat the homophone technique would cost the Sina Weibo censorship apparatus more than 15 additional human-hours per day per censored keyword — derived from an efficient censorship worker reading approximately 50 weibos per minute (Zhu et al. 2013) applied to ~47,000 daily false-positive matches per keyword — a burden that scales with the number of simultaneously banned keywords, which may number in the thousands.
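The cost arithmetic above can be reproduced directly from the stated figures:

```python
# Back-of-the-envelope censorship-cost arithmetic from the stated figures.
KEYWORDS = 422
FALSE_POSITIVES_PER_KEYWORD_PER_DAY = 47_000
READ_RATE_PER_MINUTE = 50  # weibos/minute for an efficient worker (Zhu et al. 2013)

total_false_positives = KEYWORDS * FALSE_POSITIVES_PER_KEYWORD_PER_DAY
hours_per_keyword = FALSE_POSITIVES_PER_KEYWORD_PER_DAY / READ_RATE_PER_MINUTE / 60

print(f"{total_false_positives:,}")      # 19,834,000 -- roughly 20 million per day
print(f"{hours_per_keyword:.1f} hours")  # 15.7 -- more than 15 human-hours per keyword per day
```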
-
Replacing censored keywords with algorithmically-generated homophones increased the initial publication rate on Sina Weibo from 90.79% for unaltered posts to 94.74% for transformed posts (χ²=6.219, p=0.01), demonstrating that the technique successfully bypasses automatic keyword matching at the publication gate even when posts are ultimately censored at similar rates.
-
Native Chinese-speaking Amazon Mechanical Turk workers understood the content of 605 out of 608 homophone-transformed posts (99.51%), with only 2.85% of all impressions (52/1,824) reporting difficulty; workers unable to identify transformed keywords were significantly more likely to report confusion (p<0.001 for original keywords, p=0.03 for transformed keywords).
-
Of GFW-blocked websites in the Alexa top 1000, 82% are already hosted on CDN infrastructure; for news websites specifically, the figure rises to 85%. This was measured by scraping GreatFire.org blocked-site data and verifying CDN hosting for each domain.
-
Akamai's China-based edge servers self-censor, returning HTTP 403 for GFW-forbidden content, while Akamai's mapping system (located outside China) returns valid edge server IPs to Chinese users even for forbidden domains, and non-Chinese Akamai edge servers serve all content freely. This partial self-censorship structure is driven by the requirement to operate CDN infrastructure inside China.
-
CacheBrowser bypasses GFW DNS poisoning by directly fetching CDN content from known edge server IPs, using a low-bandwidth out-of-band bootstrapper to seed its edge-server database. The SWEET email-based bootstrapper achieves median 5.4-second resolution latency with 95% of queries answered within 10 seconds across 100 runs—acceptable because CDN provider migrations occur only every few months.
-
CacheBrowser achieves significantly lower download latency than Tor when fetching CDN-hosted content from China, because content is retrieved directly from CDN edge servers without traversing third-party proxies. Fetching from non-default alternative CDN edge servers increases latency relative to the CDN-mapped optimum, but the overhead is not prohibitive for real-world browsing; geographically proximate alternative servers minimize the penalty.
-
The GFW universally uses DNS poisoning rather than IP blocking to censor CDN-hosted content. Across all tested CDN providers (Akamai, CloudFlare, CloudFront, EdgeCast, Fastly, SoftLayer), no CDN edge server IPs were IP-filtered, because a single provider like Akamai hosts content on 170,000 shared edge servers—blocking any IP would collaterally block hundreds of thousands of unrelated publishers.
-
Beverly et al. found that 77% of Internet clients can spoof source addresses within their own /24 and 11% can spoof within their own /16, with these characteristics holding across a wide range of countries and regions. The authors use this result to argue that IP-spoofed cover traffic — where measurement probes appear to originate from many hosts in the same AS — is broadly feasible in practice.
-
The authors argue that it is almost certainly impossible to eliminate — or even definitively quantify — the risk to users who perform censorship measurements, because surveillance system capabilities are rapidly evolving and in some cases unknowable; retribution in adversarial environments may not follow due process. The paper explicitly states that its techniques had not been deployed on real networks as of writing because "a better consideration of the associated risks is warranted."
-
Spam-cloaked censorship measurements were correctly classified as spam by Proofpoint (the authors' university spam filter), validating surveillance evasion; separately, MX queries sent from a PlanetLab node in China confirmed that the GFW injected bad A DNS responses for both A-record and MX-record lookups for twitter.com and youtube.com, validating measurement accuracy.
-
Surveillance systems are fundamentally more selective than censorship systems due to storage constraints: as of 2009 the NSA could store only 7.5% of received traffic across 592 tapped 10 Gbps links with only 69 10 Gbps backhaul links, and the authors' campus network retains non-alert metadata for ~36 hours and IDS alerts for ~1 year. Censorship systems by contrast are transaction-focused and retain only enough data to process real-time requests. This asymmetry creates an exploitable gap: traffic that does not stand out from the population is discarded before reaching human analysts.
-
Analysis of two days of leaked censorship log files from Syria shows that 1.57% of the population accessed at least one censored site — a proportion the authors argue is far too large for a user-focused surveillance system to pursue individually. This implies that simply flagging all users who access censored content is not a feasible targeting strategy for surveillance.
-
Requiring consent from device owners for co-opted censorship measurements reduces coverage and continuity, and may paradoxically increase danger: soliciting consent signals intent to participants and draws attention, whereas the prevalence of malware and third-party trackers provides plausible deniability for unwitting device owners. The authors note that more widespread co-opted measurements collectively provide greater individual protection by normalizing unexplained outbound traffic.
-
The Encore technique uses cross-origin HTTP requests to induce a visiting user's browser to silently fetch a censorship target URL, enabling passive measurement of web filtering for sites including Facebook, YouTube, and Twitter. The ethical argument for deployment rests on the observation that nearly all major websites already embed content from these platforms, so the additional traffic is indistinguishable from normal browsing behavior.
-
University IRBs are not equipped to evaluate censorship measurement research because it falls outside the formal definition of 'human subjects' research (which requires direct intervention with individuals to collect individualized data). Despite this, the work poses real and potentially serious risks to people, leaving a governance gap with no clear institutional oversight body.
-
The legality of a measurement method within a given country does not equate to safety for implicated subjects: authoritarian regimes may assess network logs based on ulterior motives unrelated to technical specifics, or may lack sufficient technical understanding to distinguish measurement traffic from deliberate access. Subjects may additionally face privacy hazards such as being falsely implicated in accessing illegal content.
-
Three approaches to gathering censorship measurements exist: deploying researchers with software (snapshot coverage, researcher safety risk), deploying software to at-risk citizens (continuous but endangers locals), and co-opting existing deployed software (continuous, widespread coverage, but raises consent issues since device owners may be unwittingly implicated). The third approach offers substantially greater measurement capabilities but introduces the most unresolved ethical risk.
-
9158 version 6.9, in addition to its explicit keyword filter, asterisks out all English alphabet letters in any chat message containing six or more consecutive English letters. Combined with explicit keywords for 'http', 'www', and 'com' on its filter list, this constitutes a blanket URL-suppression mechanism that also incidentally blocks arbitrary English-language communication.
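The six-consecutive-letters rule can be sketched as a regex substitution (a reconstruction of the observed behaviour, not the platform's actual code). Note that short tokens such as 'www' and 'com' are caught by the explicit keyword list, not by this length rule:

```python
import re

def asterisk_filter(message: str) -> str:
    # Replace any run of six or more consecutive English letters with asterisks,
    # mirroring the behaviour observed in 9158 v6.9.
    return re.sub(r"[A-Za-z]{6,}", lambda m: "*" * len(m.group()), message)

print(asterisk_filter("see wikipedia dot com"))  # "see ********* dot com"
print(asterisk_filter("hello"))                  # runs under six letters survive: "hello"
```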
-
Reverse engineering of four Chinese social video platforms (YY, 9158, Sina Show, GuaGua) yielded 42 keyword lists totaling 17,547 unique keywords. Jaccard similarity clustering shows very little overlap between lists from different companies, consistent with prior work that found only 3% overlap in unique keywords across TOM-Skype and Sina UC (4,256-keyword dataset). This provides the largest unbiased cross-platform evidence that Chinese platform censorship is decentralized rather than governed by a monolithic ruleset.
-
Between February and May 2015, YY High received 21 updates and 9158 Chat received 8 updates. Updates correlated directly with current events within days: Zhou Yongkang's name was added to 9158 Chat on May 6, days after his April 3 corruption indictment; YY Normal added and then removed Chinese Christian song titles between April 23 and April 30 during a church demolition controversy. GuaGua does not download keyword updates at all.
-
SVP keyword lists from all four platforms explicitly target both government criticism and collective action, contradicting King et al.'s claim that criticism is tolerated while collective action is suppressed. All four platforms censor Falun Gong and current CPC leaders (including phonetic homonyms like '习尽平'); over 90% of YY's event-related keywords (2,535 total) reference the June 4 1989 Tiananmen Square Massacre, and derogatory phrases such as '共匪' (Communist gangsters) appear alongside collective action event keywords.
-
YY version 7.1 silently exfiltrates the full text of any triggering message via HTTP GET to sere.hiido.com, including sending user ID, receiving user ID, and the triggering keyword. The surveillance endpoint authenticates using md5(⌊unix_epoch/1000⌋ + ";username=report;password=pswd@1234") with hardcoded credentials, making the surveillance traffic structurally distinguishable from normal YY traffic.
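A sketch of the reported token scheme. The function name is hypothetical, and whether the timestamp is in milliseconds or seconds before the floor division is an interpretation of the reported formula:

```python
import hashlib

def hiido_token(epoch_ms: int) -> str:
    # md5( floor(unix_epoch / 1000) + ";username=report;password=pswd@1234" )
    # with hardcoded credentials, per the reported reverse engineering.
    material = f"{epoch_ms // 1000};username=report;password=pswd@1234"
    return hashlib.md5(material.encode()).hexdigest()

token = hiido_token(1_700_000_000_000)
assert len(token) == 32 and int(token, 16) >= 0  # well-formed MD5 hex digest
```

Because the credentials are hardcoded, the token is fully predictable from the clock, which is part of what makes the surveillance traffic structurally distinguishable from normal YY traffic.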
-
On a 370-node PlanetLab deployment, Alibi Routing achieved near 100% success avoiding both the USA and China (Tables 1–2) with an average search cost of 1.0–1.66 nodes contacted (Table 4). In simulation over 20,000 globally distributed nodes, success rates were 93–100% at δ=0.5–1.0 with average search cost under 40 nodes (Table 3), with the search TTL capped at 7.
-
For the vast majority of source-destination pairs avoiding the USA or China on PlanetLab, Alibi Routing introduces less than 50% latency inflation; some pairs even see latency improvement due to overlay shortcutting (Figure 9). Latency inflation is relatively insensitive to the inequality factor δ when relays are successfully found.
-
Property 1 proves that a peer inside a forbidden region F cannot satisfy the safety condition: appearing safe would require reporting an RTT lower than (3/c)·distance(peer,F), a physical impossibility. Property 2 follows: all trustworthy peers ignore packets routing through F regardless of attacker-controlled neighbor sets, making Alibi Routing safe without assuming honest neighbor selection.
-
Alibi Routing fails for source-destination pairs close to or inside the forbidden region: approximately 10% of pairs cannot provably avoid China and 22% cannot avoid the USA at δ=1.0 (Figure 5), with a strong monotonic correlation between proximity to the forbidden region and the number of available relays (Figure 6). Additionally, about 50% of nodes in target regions fail the alibi condition when avoiding the USA due to its BGP routing centrality causing actual paths to transit it despite geographic distance (Figure 7a).
-
Alibi Routing proves packets avoided a forbidden geographic region using physical impossibility: a relay MACs forwarded packets, and the observed RTT must satisfy (1+δ)·R(s,r) < min_{f∈F}{R(s,f)+R(f,r)}, where the minimum RTT to any point in F is estimated as (3/c)·ShortestDistance(q,F) — fiber-optic links at 2/3 the speed of light. This proof requires only GPS coordinates and local RTT measurements, no BGP modifications or PKI.
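The alibi condition can be checked from GPS coordinates and one measured RTT alone. A sketch with illustrative coordinates and RTTs (the city locations and numbers are not from the paper):

```python
from math import radians, sin, cos, asin, sqrt

C_KM_PER_S = 299_792.458  # speed of light in vacuum
EARTH_R_KM = 6371.0

def haversine_km(p, q):
    (la1, lo1), (la2, lo2) = ((radians(t[0]), radians(t[1])) for t in (p, q))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * EARTH_R_KM * asin(sqrt(h))

def min_rtt_s(dist_km):
    # Fiber carries signals at ~2/3 c, so RTT >= 2*d / (2c/3) = (3/c)*d.
    return 3 * dist_km / C_KM_PER_S

def alibi_holds(rtt_sr_s, src, relay, forbidden_points, delta=1.0):
    # (1+delta)*R(s,r) < min over f in F of [R(s,f) + R(f,r)], with each R(.,f)
    # replaced by its physical lower bound from great-circle distance.
    bound = min(min_rtt_s(haversine_km(src, f)) + min_rtt_s(haversine_km(f, relay))
                for f in forbidden_points)
    return (1 + delta) * rtt_sr_s < bound

# Hypothetical setup: source and relay in western Europe, forbidden point far east.
src, relay, forbidden = (48.9, 2.3), (52.5, 13.4), [(39.9, 116.4)]
print(alibi_holds(0.030, src, relay, forbidden))  # True: a 30 ms RTT is a valid alibi
print(alibi_holds(0.090, src, relay, forbidden))  # False: 90 ms leaves room for a detour
```

The check is sound because an RTT below the bound is physically incompatible with the packets having detoured through any point of the forbidden region.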
-
Analysis of GreatFire.org's server logs (16.6M requests, 13K unique source IPs, March 18–19 2015) showed 67% of DDoS attack traffic originated from Taiwan and Hong Kong, while mainland China accounted for only 18 requests — confirming the GC weaponizes foreign browsers by intercepting traffic at China's network border, not domestic ones. The dominant attack vector (38% of requests) was pos.baidu.com (Baidu's ad network), meaning any user globally visiting a non-Baidu site that loads Baidu ad scripts became an unwitting DDoS participant without visiting any Chinese site directly.
-
The Great Cannon (GC) operates as a distinct in-path system — not an extension of the GFW — capable of both injecting and suppressing traffic, enabling full man-in-the-middle capability against targeted IP addresses. Unlike the on-path GFW, the GC only examines the first data packet of each connection (avoiding TCP bytestream reassembly), targets specific destination IP addresses rather than all border traffic, and maintains a per-source-IP flow cache of approximately 16,000 entries to ignore already-processed connections.
-
The GC acted probabilistically, responding to only approximately 1.75% of eligible requests (526 out of 30,000 from three measurement IP addresses) and completely ignoring one of four measurement source IPs. Flow-cache exhaustion tests confirmed the probabilistic decision is made per-flow at cache insertion time: once the ~16,000-entry cache was filled, injections resumed on previously-ignored source ports, ruling out connection-tuple hashing as the selection mechanism.
-
TLS/HTTPS provides complete protection against GC-style content injection: the GC can only replace unencrypted HTTP responses and cannot inject into TLS-encrypted streams. GitHub's universal TLS enforcement prevented the GC from selectively targeting GreatFire.org's repositories despite sustained attack — China had previously attempted to block GitHub entirely but reversed the block within two days due to domestic programmer backlash, leaving TLS as the effective barrier.
-
Both GFW and GC injected packets share a distinctive implementation side-channel: the IP TTL field progressively increments on successive packets injected into the same connection, paired with an incrementing TCP window size. Using this compound fingerprint, the authors identified GC activity in 8 months of Lawrence Berkeley National Laboratory enterprise border traces with only a single false-positive source IP, and used per-hop TTL probing to localize both the GFW and GC to the same network link on China Telecom (hop 12–13, 144.232.12.211→202.97.33.37) and China Unicom (hop 17–18, 219.158.101.61→219.158.101.49).
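A sketch of the compound fingerprint check over synthetic packet tuples (a reconstruction of the described heuristic, not the authors' detector):

```python
def looks_injected(packets):
    """packets: list of (ip_ttl, tcp_window) in arrival order, for one connection.

    Flags the GFW/GC side-channel: both TTL and window strictly increase
    across successive injected packets, a pattern real TCP stacks do not produce.
    """
    ttls = [p[0] for p in packets]
    wins = [p[1] for p in packets]
    return (len(packets) >= 3
            and all(a < b for a, b in zip(ttls, ttls[1:]))
            and all(a < b for a, b in zip(wins, wins[1:])))

print(looks_injected([(64, 8192), (65, 8193), (66, 8194)]))    # True: injector-like
print(looks_injected([(57, 29200), (57, 29200), (57, 31000)])) # False: normal stack
```

Requiring both fields to increment is what keeps the false-positive rate near zero over months of enterprise traffic.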
-
The Encore system collected censorship measurements from 88,260 distinct IP addresses across 170 countries over seven months via installations by at least 17 volunteer website operators. China, India, the United Kingdom, and Brazil each contributed at least 1,000 measurements; Egypt, South Korea, Iran, Pakistan, Turkey, and Saudi Arabia each contributed more than 100.
-
The paper identifies a structural conflict between Internet research's scalability imperative — where a project processing millions of devices is considered superior — and human-subjects ethics frameworks designed to minimize the number of people exposed to risk. Under U.S. law, Encore is compliant because it exploits known, intentional web functionality (the same-origin policy's cross-origin request mechanism) and provides an opt-out mechanism, but the authors note this compliance does not transfer to all jurisdictions where measurements occur.
-
ACM SIGCOMM 2015's program committee accepted the Encore paper with an unprecedented 'signing statement' after heated ethical debate. The committee's core objections were: (1) users accessing censored URLs might face repercussions in regimes without due process; (2) most users under censorship would be unlikely to consent to the measurements; and (3) unlike ad-tracker third-party requests, Encore requests do not reflect any user intent.
-
To mitigate harm, Encore restricted its URL list to Twitter, Facebook, and YouTube on the grounds that widgets from these domains appear in ordinary web browsing, making Encore-induced cross-origin requests statistically indistinguishable from normal traffic. The authors argued that this renders the risk comparable to baseline browsing, though the SIGCOMM committee disputed whether contextual equivalence with ad-tracking constitutes adequate ethical justification.
-
Encore's architecture turns ordinary web visitors into measurement vantage points, which the researchers argue prevents censors from detecting and disabling dedicated measurement probes. However, this benefit comes with the trade-off that the individuals whose browsers are co-opted face potential legal or physical risk that differs by country and by the specific censored content accessed.
-
Routing traffic from a user on ISP-B through a peer relay on ISP-A (which applied only HTTP-level filtering and permitted HTTPS) produced the smallest page load times in most cross-ISP comparison runs, beating both HTTPS/domain-fronting and Tor. The performance gain is attributed to lower end-to-end latency on the intra-country cross-ISP path relative to international relay routes.
-
Direct circumvention via HTTPS/domain-fronting from Pakistan achieved an average throughput of ≈1.5 Mbps, whereas static proxies located in the US, Europe, and Asia yielded less than 0.9 Mbps in most cases. Page load times for the YouTube homepage (≈360 KB) were significantly lower under the direct method, and a TCP slow-start model predicts throughput could reach ≈2 Mbps if the flow completed within slow start.
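The slow-start prediction can be sketched with a simple window-doubling model. The initial window of 10 segments and the 300 ms RTT are illustrative assumptions, not values from the paper, and connection-setup round trips are ignored:

```python
MSS = 1460               # bytes per segment
INIT_CWND = 10           # segments (RFC 6928 initial window; an assumption here)
PAGE_BYTES = 360 * 1024  # ~360 KB YouTube homepage

def slow_start_rtts(page_bytes, init_cwnd=INIT_CWND, mss=MSS):
    # Count RTTs needed to deliver the page while cwnd doubles every round trip.
    sent, cwnd, rtts = 0, init_cwnd, 0
    while sent < page_bytes:
        sent += cwnd * mss
        cwnd *= 2
        rtts += 1
    return rtts

rtt_s = 0.300  # assumed international path RTT
n = slow_start_rtts(PAGE_BYTES)
throughput_mbps = PAGE_BYTES * 8 / (n * rtt_s) / 1e6
print(n, round(throughput_mbps, 2))  # 5 RTTs, ~1.97 Mbps under these assumptions
```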
-
Across two major Pakistani ISPs, blocking mechanisms varied substantially for the same URL: ISP-A applied HTTP-level blocking with redirection to a block page, while ISP-B deployed multi-stage blocking combining DNS-level resolution to localhost and independent HTTP/HTTPS request dropping. A single ISP also used different filtering techniques for different URL categories (e.g., YouTube vs. HTTPS-accessible sites).
-
C-Saw's design demonstrates that coupling circumvention capability with censorship measurement creates a self-reinforcing incentive loop: users opt in for improved page load times, their participation grows the vantage-point pool, and richer measurements enable finer-grained technique selection per ISP and URL. The system avoids requiring a pre-populated URL list by building a blocked-URL database dynamically from user-initiated requests.
-
In experiments using 200 back-to-back fetches of the YouTube homepage (≈360 KB), HTTPS produced lower page load times than Tor in most cases because Tor circuits do not optimize for performance and often select longer paths. Tor's page load times varied widely as circuits changed approximately every 10 minutes, producing a heavy tail in the latency distribution.
-
Among withheld retweets in the Turkish dataset, 92% of the corresponding original tweets were also withheld, while 4% survived uncensored and 4% belonged to fully-withheld accounts; this asymmetry suggests the Turkish government's censorship targeting mechanism operates with some degree of systematic (possibly hashtag- or keyword-based) sweep rather than purely manual per-tweet review.
-
Manual review of 46 fully-withheld Turkish accounts found that 36 (78%) were classified as posting anti-government political content critical of President Erdoğan, 2 as pornography, 1 as advertising bots, 3 as unidentified, and 4 as no-longer-findable; NMF/tf-idf topic modeling of withheld individual tweets confirmed that the dominant censored themes were criticism of government-aligned media and ruling-party politicians.
-
Twitter's country-withheld content mechanism relies on a browser-set location cookie, not IP geolocation; the authors confirmed that viewing a known-withheld Turkish tweet via a Turkish proxy server did not trigger the withholding display, but manually changing the Twitter app's location setting to 'Turkey' did — meaning any Turkish user who sets their location to a different country can bypass the entire withholding mechanism without Tor or a VPN.
-
The Chilling Effects database contained only 33 notices from Twitter across all countries, far fewer than the 108 account-withholding requests disclosed in Twitter's own transparency reports for the same period; Twitter itself acknowledges its transparency reporting is neither 100% comprehensive nor complete, and the authors confirmed that at least 86% of Turkish government withholding requests for non-protected tweets were approved by Twitter.
-
Twitter's official transparency reports for Turkey recorded 183 withheld tweets (Jan–Jun 2014) and 1,820 withheld tweets (Jul–Dec 2014), but the authors' collection of 17 million geo-bounded Turkish tweets yielded 3,258 withheld tweets from the streaming phase alone, and expanding to followers of censored accounts produced 171,652 withheld tweets—roughly two orders of magnitude more than Twitter's own disclosures.
-
DNS hijacking of blocked gambling domains in Greece also destroyed MX records for those domains in seven of eight ISPs, making it impossible for users to send email to the censored companies. Only OTE preserved MX records for some (not all) blacklisted domains, and even those were not consistently updated. The Greek Gaming Commission's own public guidance directed affected users to consult prior bank statements for contact information.
-
After the EEEP blacklist was updated in July 2014 to remove pokerstarsblog.com, multiple ISPs continued blocking it — overblocking was observed at Cosmote (7 entries), Wind (7 entries), Vodafone (7 entries), Cyta (3 entries), Forthnet (3 entries), HOL (3 entries), and OTE (3 entries). The blacklist itself contained 28 duplicate domains (6.39%), 17 malformed entries (3.88%), and 3 entries (0.68%) with no gambling content (expired or parked domains).
-
At least two ISPs (Cyta and Wind) returned fake HTTP 404 errors instead of mandated block pages for a portion of censored entries, and some ISPs served connection timeouts (port 443 blocked) with no explanation — in both cases obscuring deliberate censorship as an apparent network or server failure. Additionally, Cyta embedded Google Analytics on its block landing page to track users who attempted to access censored content.
-
Across eight Greek ISPs measured in June–August 2014, DNS hijacking was the dominant blocking method: seven of eight ISPs used it exclusively, while only Vodafone deployed DPI (Bluecoat WebProxy/6.0) for URL-level filtering. Compliance with the EEEP blacklist of 438 entries ranged from 21.91% (Forthnet) to 100% (Cosmote, HOL, OTE), with no ISP exactly matching the regulator's list.
-
Vodafone Greece's DPI system (Bluecoat WebProxy/6.0) performed exact-URL matching against the EEEP blacklist: requests to rivernilecasino.net and www.rivernilecasino.net passed through unblocked, while the exact blacklisted URL www.rivernilecasino.net/index.asp was intercepted and redirected to http://1.2.3.50/ups/no_access_gambling.htm. Subdomains of DNS-hijacked domains returned NXDOMAIN with no A record, making them silently unreachable rather than redirected.
-
Rook constructs per-field symbol tables by observing 600 packets (~60 seconds) of real gameplay at session start, then restricts substituted values to only those previously observed with frequency within two orders of magnitude of the median. This ensures altered packets never contain field values that are absent or anomalously rare in legitimate traffic, defeating value-anomaly and out-of-range DPI filters.
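Rook's frequency filter can be sketched as follows, over synthetic field observations:

```python
from collections import Counter
from statistics import median

def build_symbol_table(observed_values):
    # Keep only values whose observed frequency lies within two orders of
    # magnitude of the median frequency, so substituted packets never carry
    # field values that are absent or anomalously rare in legitimate traffic.
    counts = Counter(observed_values)
    med = median(counts.values())
    return {v for v, c in counts.items() if med / 100 <= c <= med * 100}

# Synthetic observations: three common field values and one rare outlier.
stream = ["a"] * 2000 + ["b"] * 3000 + ["c"] * 2500 + ["d"]
table = build_symbol_table(stream)
print(sorted(table))  # ['a', 'b', 'c'] -- 'd' is too rare to substitute safely
```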
-
Rook achieves 34 bits/second client-to-server and 26 bits/second server-to-client within Team Fortress 2, sufficient for OTR-encrypted real-time chat. Rook use did not trigger Valve Anti-Cheat warnings and did not noticeably degrade gameplay for co-located legitimate players.
-
Kolmogorov-Smirnov two-sample tests on packet-size distributions and inter-packet timing show that standard Rook (altering ~1-in-10 packets) is statistically indistinguishable from normal TF2 gameplay across 20 samples each. High-bandwidth Rook (1-in-2 packets) shows a slightly higher average bandwidth but remains difficult to distinguish on traffic-shape metrics.
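The two-sample KS statistic behind these tests is small enough to sketch by hand (the packet-size samples below are synthetic):

```python
from bisect import bisect_right

def ks_statistic(sample_a, sample_b):
    # Two-sample Kolmogorov-Smirnov statistic: the maximum vertical gap
    # between the empirical CDFs of the two samples.
    a, b = sorted(sample_a), sorted(sample_b)
    points = sorted(set(a) | set(b))
    return max(abs(bisect_right(a, v) / len(a) - bisect_right(b, v) / len(b))
               for v in points)

# Identical distributions give D = 0; disjoint ones give D = 1.
print(ks_statistic([100, 200, 300], [100, 200, 300]))  # 0.0
print(ks_statistic([100, 100], [1400, 1400]))          # 1.0
```

A small D on packet-size and inter-packet-timing samples is what "statistically indistinguishable from normal TF2 gameplay" cashes out to.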
-
Because Rook runs the actual game client and server rather than mimicking them, active anti-mimicry probes receive identical responses to a normal game instance. Systems based on protocol mimicry are vulnerable to probes that expose non-conforming behavior, but Rook eliminates this attack surface entirely.
-
Game-specific trigram analysis of mutable fields distinguishes high-bandwidth Rook (1-in-2 substitution rate) in server-side packet counts, showing clearly reduced distinct-trigram counts versus baseline. Standard Rook (1-in-10) produces only a few outliers and is not reliably distinguishable; any detector would face a high false-negative or false-positive rate against normal-rate Rook.
-
Format-transforming encryption (FTE) as deployed in the Tor Browser Bundle is detected by combining a URI Shannon-entropy threshold (≥5.5 bits) with an exact URI length check (239 bytes) on the first HTTP GET request. This embellished test produces only 264 false positives across approximately 10 million HTTP URIs in three campus datasets, while a length-only test causes roughly 15% false-positive rate over the same flows.
-
CART decision-tree classifiers trained on entropy-based and packet-header features detect all five Tor pluggable transports (obfsproxy3, obfsproxy4, FTE, meek-amazon, meek-google) with average PR-AUC=0.987, TPR=0.986, and FPR=0.003 on synthetic traces. On 14 million real campus flows the highest per-obfuscator FPR is 0.65%, and meek-google yields only 842 false positives across all three datasets. However, cross-environment portability is poor: classifiers trained on an Ubuntu/campus setup and tested on a Windows/home network achieve true-positive rates as low as 52% with false-positive rates reaching 12%.
-
The paper demonstrates that 'having no fingerprint is itself a fingerprint': randomizing obfuscators that emit uniformly random bytes from the first packet are detectable precisely because conventional protocols (TLS, SSH, HTTP) always begin with fixed plaintext headers. This structural distinction requires no deep payload parsing — the attack operates on only the first TCP packet — and achieves TPR=1.0 / FPR=0.002 against obfsproxy3/4 using commodity-implementable statistics.
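The structural distinction shows up directly in first-packet byte entropy. A sketch with a synthetic HTTP request and a maximal-entropy stand-in for randomized-obfuscator output; the 5.5-bit cutoff echoes the paper's URI-entropy test and is used here only as an illustrative threshold:

```python
from math import log2

def byte_entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte over the payload's byte histogram.
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)

first_http  = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
random_like = bytes(range(256)) * 4  # stand-in for uniformly random obfuscator bytes

print(round(byte_entropy(random_like), 1))  # 8.0 -- maximal: 'no fingerprint' as fingerprint
print(byte_entropy(first_http) < 5.5)       # True -- fixed plaintext headers score low
```

Conventional protocols begin with structured, low-entropy headers, so a first packet that is near-uniform from byte zero is itself anomalous.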
-
Obfsproxy3 and obfsproxy4 are reliably detected by an entropy-distribution test (KS test, block size k=8) applied to the first 2,048 bytes of the first client-to-server packet, combined with a minimum payload-length check of 149 bytes. On three university campus datasets totaling over 14 million TCP flows, the test achieves TPR=1.0 with FPR ranging from 0.24% to 0.33%. Omitting the length check raises the SSL/TLS false-positive rate to approximately 23%.
-
A semantics-based attack that flags HTTP flows carrying structurally invalid PDF documents as Stegotorus produces false-positive rates as high as 43% across three campus datasets (10,847 PDF flows examined), because malformed, partial, and non-standard PDFs are common in real network traffic. By contrast, active HTTP-response fingerprinting of a suspected Stegotorus server yields only 0.03% false positives (3 matching servers out of 9,320 Alexa-top-10K servers), but requires active probing and is detectable by the proxy operator.
-
Monitoring Twitter, YouTube, Tor, and Google Public DNS across 10 Atlas probes spanning 9 ASNs cost 19,200 credits per day (under 1 probe-day equivalent), and Atlas's external queuing allowed measurement scheduling to begin within hours of reported blocks. The platform documented 6 distinct shifts in Turkey's filtering strategy and identified private-sector cooperation in Russia that would have been missed by platforms limited to DNS and HTTP measurements.
-
Rostelecom (AS12389) performed network-layer redirection of blacklisted traffic rather than DPI-based filtering: 40 of 343 Russian probes returned SSL certificates attributed to Russian ISPs (State Institute of Information Technologies, Rostelecom, Electron Telecom Network). The interference affected all protocols and ports holistically across Rostelecom's downstream peers, consistent with BGP-level false advertisements or forwarding rules rather than application-layer classification.
-
LiveJournal cooperated with Russian authorities (Roskomnadzor) to segregate censored content by altering DNS A records for blacklisted blogs to a special host (208.93.0.190) that came online between February 10–17, 2014. Only 5 of 1,462 LiveJournal subdomains in Alexa's Top 1 million resolved to this address, all of which had been publicly declared in violation of Russian media law.
-
Turkey's filtering of Twitter relied overwhelmingly on DNS manipulation over IP blocking: as of April 24, 2014, only 167 IP addresses were blocked versus 40,566 domain names. Users who received valid DNS answers could browse Twitter without further interference, making foreign DNS servers (Google 8.8.8.8, OpenDNS) an effective circumvention mechanism — reportedly graffitied across Turkey in protest of the ban.
-
When Turkish users shifted to foreign DNS providers as a circumvention mechanism, Türk Telekom escalated by rerouting traffic destined for Google Public DNS (8.8.8.8 and 8.8.4.4) to a local DNS server serving false answers (Event E, March 28), causing a rapid drop in Tor and YouTube availability across all Atlas probes regardless of DNS configuration. At least 6 distinct shifts in filtering strategy were documented within a two-week period.
-
The GFW does not distinguish DNS query traffic directionality, injecting forged replies for both inbound and outbound queries on monitored links. This causes collateral censorship of DNS resolvers outside China when they contact authoritative nameservers located in or whose paths transit China, even for non-Chinese clients.
-
Testing approximately 130 million domain names uncovered 35,332 censored domains from which 14,495 keywords were extracted across 7 distinct matching patterns. The blocklist grew by approximately 10% over eight months (August 2013–April 2014), and more than two-thirds of censored domains had expired registrations, suggesting the GFW rarely removes entries.
-
The GFW deploys DNS injection nodes only at China's border, within 2–3 hops of international transit points, across 16 border ASes. Internal probing found only 0.04% of 42,849 domestic routing paths exhibited DNS pollution, versus ~80% of externally-facing /24 subnets.
-
Probing ~150,000 open DNS resolvers inside China over two weeks found that more than 99.85% provided polluted answers for blocked domains. The small fraction of clean resolvers achieved this by forwarding queries to Google Public DNS or OpenDNS via uncensored tunnels, or by locally dropping responses containing known GFW 'Bad IP' addresses (174 identified IPs).
-
A single GFW node employs approximately 360 distinct processes, load-balanced by source and destination IP address, which collectively inject censored DNS responses at an average rate of ~2,800 packets per second, ranging from 1,100 to 4,000 pps over a day.
-
Because CloudTransport uses the same network servers as legitimate cloud services, blocking it requires statistical classification of every cloud connection; false positives will disrupt popular and business-critical cloud applications (enterprise software, games, file backups), raising the economic and social costs of censorship. Empirical evidence shows that Chinese censors declined to block Amazon S3 even after it was used to mirror censored websites because doing so would disrupt 'thousands of services in China' with significant economic consequences. Due to the base-rate fallacy, even an accurate classifier will either miss many CloudTransport connections or cause collateral damage to non-circumventing cloud users.
-
The dead-drop bootstrapping protocol is vulnerable to censor stuffing: because bridge dead drops are publicly advertised and world-writable, censors can flood them with fake tickets containing credentials for non-existing rendezvous accounts, potentially exhausting bridge polling resources. The paper mitigates this only partially via exponential backoff on inactive accounts, and acknowledges that if the censor's stuffing rate significantly exceeds the bridge's check-and-discard rate the attack may hinder bootstrapping. Censors may also delete genuine tickets, though cloud providers such as Dropbox preserve all file versions for 30 days, allowing bridges to collect the first version of every file.
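The partial mitigation can be sketched as a simple doubling backoff on empty rendezvous accounts. The base interval and cap are invented for illustration; the paper specifies only that backoff is exponential.

```python
def next_poll_delay(consecutive_empty: int,
                    base: int = 60, cap: int = 86400) -> int:
    """Seconds until the bridge next polls a rendezvous account's dead drop.
    Each consecutive empty check doubles the interval, so stuffed fake
    accounts quickly consume almost no polling budget (values illustrative)."""
    return min(base * 2 ** consecutive_empty, cap)
```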
-
CloudTransport achieves 'entanglement' by using the exact same cloud-client libraries, protocols, and network servers as legitimate cloud storage applications, making it immune to protocol-discrepancy detection that defeated imitation systems like SkypeMorph. Iranian censors blocked Tor by exploiting differences in Diffie-Hellman moduli between genuine SSL and Tor's SSL and the expiration dates of Tor's SSL certificates; CloudTransport has no such discrepancies because it is not an imitation. Simple line-speed tests based on tell-tale differences in protocol headers or public keys cannot be used to recognize CloudTransport.
-
CloudTransport's passive-rendezvous design ensures clients never establish direct connections to bridges; consequently, even a censor in complete control of a bridge cannot enumerate client IP addresses without computationally intensive flow-correlation analysis. Blacklisting the IP address of a CloudTransport bridge has zero effect on CloudTransport connections, and when a bridge migrates to a new IP address this change is completely transparent to clients.
-
CloudTransport Cirriform in tunnel and proxified-Tor modes achieves performance comparable to Tor with Obfsproxy across Web browsing (Alexa Top 30 front pages), 300 KB SCP uploads, 10 MB YouTube uploads, and 5-minute 480p streaming video. Bandwidth overhead per message is 350–400 bytes for Amazon S3, with HTTPS adding an extra 2–3% overhead. Per-page browsing costs are as low as 0.00100¢ (Cumuliform on S3), with idle-polling costs of $0.185/day plus $0.34/day/connection for Cirriform on S3.
-
Four circumvention tool names were explicitly blocked as URL substrings with zero allowed requests passing through: hotspotshield (126,127 blocked), ultrareach (50,769), ultrasurf (31,483), and the generic keyword israel (48,119). All matching requests — including update checks and background pings — were denied at 0% pass-through rate.
-
Skype.com (503,932 censored, 0 allowed) and live.com IM services were blocked with 100% denial rates at all times. During the August 3, 2011 protest events Skype accounted for up to 29.24% of all censored traffic; 9% of Skype requests were software update attempts, which were also denied, confirming content-agnostic domain-level blocking rather than content-selective filtering.
-
Syria's Blue Coat proxies blocked any URL containing the string "proxy," generating 3,954,795 censored requests (53.61% of all policy-censored traffic in Dfull). The collateral damage was severe: Google Toolbar's /tbproxy/af/query API calls and Facebook social plugins (/plugins/like.php at 43.04% and /extern/login_status.php at 38.99% of facebook.com censored traffic) together account for over 80% of censored facebook.com requests, all denied with 0 allowed counterparts.
-
Syrian censors used a custom Blue Coat URL-category to policy_redirect specific Facebook pages (Syrian.Revolution: 1,461 censored) while allowing 17.70M facebook.com requests overall — only 1.62M (8.4%) were censored. The URL-pattern matching was imprecise: www.facebook.com/Syrian.Revolution?ref=ts was blocked but the identical page with additional AJAX query parameters (__a=11&ajaxpipe=1) was not categorized as 'Blocked Site,' leaving some access through.
-
Port 9001 (Tor) ranked third among all blocked ports in Syria, behind only ports 80 and 443. Proxy SG-48 was responsible for a disproportionate share of Tor censorship — blocking Tor traffic for multiple consecutive days — while other proxies in the same deployment did not, indicating per-proxy policy specialization or traffic steering of suspected circumvention flows to dedicated blocking infrastructure.
-
The paper acknowledges that modern blind steganalysis tools combining first- and second-order statistical classifiers (e.g., SVM-based universal steganalysis) are likely capable of detecting TRIST-embedded images, though this was not experimentally verified. The authors note these attacks rely on large feature vectors and are computationally more expensive than histogram or blockiness attacks, but do not claim invulnerability.
-
TRIST evades the self-calibrated blockiness detector — proven effective against OutGuess — by embedding at JPEG quality 30 and then transcoding the steg image up to quality 90 before transmission. This renders the blockiness-based message length estimator unreliable across the full range of message lengths from 0 to approximately 39 KB, as shown over 20 cover images from the BOSS dataset.
-
By embedding messages in heavily quantized DCT frequency components at base JPEG quality 30, TRIST achieves near-zero bit error rates when images are transcoded to higher quality levels and back. The quantization mapping is many-to-one, so noise introduced by re-encoding tends to be stabilized on output, making the message robust against commodity transcoding proxies that re-encode images in-flight.
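The stabilizing effect of a many-to-one quantization map can be shown with a toy round trip. The step size 40 simply stands in for a coarse quality-30 quantization table entry; it is not a value from the paper.

```python
def quantize(coeff: float, step: int) -> int:
    """JPEG-style uniform quantization: a whole range of coefficient
    values collapses onto one level (many-to-one)."""
    return round(coeff / step)

def dequantize(level: int, step: int) -> int:
    return level * step

# Embedding at a coarse step means the moderate noise a later re-encode
# adds still rounds back to the same level, so the embedded bit survives.
step = 40                              # stands in for a quality-30 table entry
level = quantize(113.0, step)          # coefficient -> level 3
noisy = dequantize(level, step) + 7    # transcoding proxy perturbs the value
assert quantize(noisy, step) == level  # message bit recovered intact
```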
-
Using low DCT frequency components (indices 10, 9, 8, 3) at JPEG quality 30 achieves near-zero message error rates for image rescaling in the 75–95% range across a wide range of sharpening sigma values. Higher-frequency component sets (indices 18, 17, 16, 10) only survive rescaling above 100%, making them unsuitable for scenarios where censors reduce image dimensions.
-
TRIST integrated with StegoTorus as a one-hop SOCKS proxy introduces minimal additional bandwidth overhead: JPEG steganography throughput falls between StegoTorus's PDF and JSON schemes across link delays of 20–400 ms and 1–4 parallel circuits. The steganographic expansion factor is 1:6 to 1:12 (message bytes to cover JPEG file length), adequate for basic web surfing.
-
Approximately 10% of China's IP addresses respond to IPID probes, and 13% of those exhibit globally incrementing IPIDs, meaning roughly 1% of China's total IP address space can serve as passive measurement vantage points with no cooperation from host owners. In contrast, Tor bridge blocking from Chinese clients was observed in 58.91% of server-to-client cases versus 0% for non-China Asia-Pacific clients.
-
The GFW blocks Tor primarily via stateless SYN/ACK dropping based on the server's source IP address and port (server-to-client direction, 73.04% of CN,Tor-dir cases). Two specific Tor directory authorities account for 98.8% of client-to-server (null-routed) blocks and 72.7% of error cases, indicating selective deeper blocking of specific IP addresses beyond the common return-path filter.
-
Over 5 days of measurement, 73.04% of connections from Chinese clients to Tor directory servers were blocked server-to-client (stateless SYN/ACK dropping), 16.73% were blocked client-to-server (null routing), and only 0.63% were unblocked. Of all censored Tor directory server connections measured across all regions, 98% originated from Chinese clients.
-
Using TCP IPID side channels combined with SYN backlog state inference, the authors detect intentional packet drops between two arbitrary Internet hosts without controlling either host. The only requirements are a client with a globally incrementing IPID (~1% of IP space) and a server with an open port; an ARMA model handles autocorrelated noise.
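The core counting trick behind the side channel can be illustrated with a toy model (no raw sockets, no ARMA noise handling — just the idealized inference the real system performs on top of noisy probes):

```python
class GlobalIPIDHost:
    """Toy model of a host with a single globally incrementing IP-ID counter."""
    def __init__(self, start: int = 0):
        self.ipid = start

    def send_packet(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

def probe(host: GlobalIPIDHost) -> int:
    # e.g. an unsolicited SYN/ACK elicits a RST that carries the counter
    return host.send_packet()

def packets_sent_between(host: GlobalIPIDHost, stimulate) -> int:
    """Infer how many packets the host emitted while `stimulate` ran,
    purely from the counter gap between two probes (mod 2^16)."""
    before = probe(host)
    stimulate()
    after = probe(host)
    return (after - before - 1) % 0x10000
```

In the actual measurement, `stimulate` is spoofing SYNs from the client to the server: if the server's SYN/ACKs reach the client, the client emits RSTs and the counter jumps; a drop anywhere on the path shows up as no extra increments.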
-
Client-to-server packet drops (RSTs from client to server are dropped in transit) indicate the simplest null-routing mechanism: the server's destination IP is null-routed at the censor. The method distinguishes this from server-to-client drops (stateless return-path filtering) and from RST/ICMP injection—cases where the packet is not dropped but a forged termination packet is inserted—which both appear as the 'no-packets-dropped' outcome in the IPID time series.
-
Under the RAD attack a large fraction of China's routes to Internet destinations shift to non-valley-free (NVF) paths, which impose direct monetary costs because ASes must pay for traffic they would normally earn revenue transiting. Among valley-free paths that survive, 6%–21% switch to less-preferred (more expensive) routes, 20%–43% become longer, and average path length increases by 1.12×–1.40× depending on placement strategy.
-
Even under the most censor-favorable (random-no-ring-1) decoy placement, launching the RAD attack increases average Internet route latency from China by over 4×; under strategic placements the average latency increase factor reaches 8×. These increases arise because RBGP is forced onto lower-capacity, less-popular transit ASes even when path hop-count is unchanged.
-
The feasibility of the RAD attack scales sharply with the censor's network connectivity. Strategic placement of decoys in just 1% of ASes disconnects China from 18% of Internet destinations, Venezuela from 54%, and Syria from 87%. Countries with fewer controlled ASes and ring ASes have dramatically less routing flexibility and are far more vulnerable to even small decoy deployments.
-
The RAD attack requires converting a large number of Chinese edge ASes into transit ASes: placing decoys in 2% of global ASes (random-no-ring-1, China-World scenario) forces 59 edge ASes to become transit ASes, nearly twice China's 30 existing transit ASes. One Chinese transit AS must carry approximately 122× its normal load; the abstract reports a peak of 2,800× in a more aggressive scenario, a load the paper considers operationally infeasible.
-
The RAD paper's random decoy placement is heavily biased in favor of the censor: 86.2% of all Internet ASes are edge ASes with customer cone size 1, so random selection rarely hits transit ASes. Replacing random with sorted-no-ring placement (decoys chosen from ASes that appear most on adversary BGP routes) disconnects China from 30% of Internet destinations using only 2% decoy coverage, versus the 4% disconnection reported in the original RAD paper.
-
Page length comparison at a 30.19% size-difference threshold achieves a 95.03% true positive rate and 1.371% false positive rate for block page detection, outperforming DOM similarity (95.35% TP, 3.732% FP) on false positive rate and cosine similarity (97.94% TP, 1.938% FP, 74.23% precision) on precision. These metrics were evaluated via ten-fold cross-validation on the ONI dataset of ~500,000 entries from 49 countries spanning 2007–2012.
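A minimal sketch of the length-based detector, assuming the size difference is normalized by the larger of the two pages (the exact normalization is not stated in the finding):

```python
def relative_size_difference(len_a: int, len_b: int) -> float:
    """Symmetric size difference as a fraction of the larger page."""
    return abs(len_a - len_b) / max(len_a, len_b)

def likely_block_page(fetched_len: int, known_good_len: int,
                      threshold: float = 0.3019) -> bool:
    """Flag a response whose length diverges from the known-good page
    by more than the 30.19% threshold reported in the finding."""
    return relative_size_difference(fetched_len, known_good_len) > threshold
```

Block pages are typically short boilerplate, so they diverge sharply in length from the real page, while normal content churn stays under the threshold.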
-
Five commercial filtering products (FortiGuard, Squid, Netsweeper, Websense, WireFilter) were identified in 7 of 36 block-page clusters via copyright notices in HTML comments, HTTP header strings, or URL path patterns; the remaining 29 clusters contained no identifying markup. WireFilter was first detected in the wild in Saudi Arabia (AS 25019) in 2011, representing a newly deployed filtering product not previously observed in measurements.
-
Within a single country mandate, different ISPs implement censorship with different filtering tools and mechanisms: Thailand's AS 9737 and AS 17552 use structurally distinct block-page templates (vector 17 is ~1,000 bytes using div layout; vector 8 is ~6,000 bytes using table layout). Both ISPs actively obfuscate their filtering product by reporting generic 'Server: Apache/2.2.9 (Debian)' or 'Server: Apache' HTTP headers instead of the actual product identifier.
-
Applying automated block-page detection to the ONI dataset (49 countries, 2007–2012) reveals that Burma's (AS 18399) censorship mechanism shifted from DNS redirection to a transparent proxy returning a custom block page in mid-2009, then block pages largely disappeared after Burma's late-2011 political liberalization. Saudi Arabia (AS 25019) shows a similar transition with WireFilter replacing an unidentified prior tool in 2011, with two concurrent block-page templates suggesting multiple simultaneous filtering devices.
-
Term frequency clustering of block pages achieves an F-1 measure of 0.98, correctly recovering manually identified block-page templates; page-length clustering performs far worse at F-1 of 0.64. Across the full ONI dataset, only 37 distinct term frequency vectors were found from five years of measurements, indicating that filtering vendors rarely change block-page HTML structure.
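The idea can be sketched by reducing each page to a hashable term-frequency vector and grouping exact matches. Tokenizing on HTML tag names is a simplification invented for this example (the paper's term extraction is richer), but it shows why templates collapse into so few distinct vectors: the variable text changes while the markup skeleton does not.

```python
import re
from collections import Counter

def term_frequency_vector(html: str):
    """Frequency of each HTML tag name, as a hashable cluster key."""
    tags = re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", html)
    return tuple(sorted(Counter(t.lower() for t in tags).items()))

def cluster_block_pages(pages):
    """Group (url, html) pairs whose term-frequency vectors are identical."""
    clusters = {}
    for url, html in pages:
        clusters.setdefault(term_frequency_vector(html), []).append(url)
    return list(clusters.values())
```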
-
By deploying covert channels inside legitimate high-traffic web services (e.g., OpenSearch sites), Facade raises the censor's cost of blocking to unacceptable collateral damage: blocking Facade requires blocking the legitimate web service, which harms local businesses and normal users. Facade explicitly assumes censors are unwilling to block major platforms such as AWS or popular search services.
-
Facade encodes 78.04 bits per HTTP GET request using search-query terms, compared to Infranet's 3 bits per URL — a ~26× improvement — while maintaining comparable statistical deniability. StegoTorus encodes 12,000 bits per URL but offers no statistical deniability against traffic-pattern analysis.
-
Facade routes all encoded HTTP requests through a Selenium-controlled Chrome browser instance, so every message the censor observes is generated by a real browser implementation. This defeats 'parrot attack' fingerprinting, which exploits discrepancies between a protocol emulator's responses to error conditions and those of the genuine client or server.
-
Facade faces an inverse tradeoff between upstream throughput and deniability: pure search encoding maximizes bits per request (78.04 bits) but does not reflect real user click behavior, while mixing in click-range mapping (lg(k) bits per URL, k=8 → 3 bits) reduces throughput but better models normal browsing. Neither pure strategy is optimal; the design requires tuning the search-to-click ratio.
-
Analysis of the AOL search corpus shows an average search query length of 17.42 bytes with an entropy of 4.48 bits/byte, yielding 78.04 bits of deniable information per HTTP GET request. This entropy matches real user search behavior, making entropy-based traffic analysis unable to distinguish Facade traffic from genuine search sessions.
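The capacity figures above (including the click-range mapping's lg(k) bits per URL from the throughput/deniability tradeoff) follow directly from the corpus statistics:

```python
import math

# AOL corpus statistics reported in the finding
avg_query_len_bytes = 17.42
entropy_bits_per_byte = 4.48

bits_per_request = avg_query_len_bytes * entropy_bits_per_byte
print(round(bits_per_request, 2))   # 78.04 bits per search-encoded GET

# Click-range mapping over k result links carries lg(k) bits per URL
print(math.log2(8))                 # k = 8 -> 3.0 bits per click
```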
-
Before censorship the local ISP resolver handled ≥99% of SOHO DNS queries for blocked categories; post-YouTube block, local ISP resolver usage fell to 68–74%, with Google Public DNS rising to 14–19% of queries and OpenDNS/LEVEL-3 also gaining significant share. Simultaneously, unique web-proxy domains in SOHO traffic averaged only 1 pre-block, jumped to 41 on average post-block, and peaked at 114 unique proxy domains on the block day itself.
-
Pakistan's censorship used layered, evolving mechanisms: DNS redirection by local ISP resolvers appeared in all post-block traces, supplemented by HTTP 3XX redirection to a local provider's error page in Sep 2012 and shifting to RST injection by Aug 2013 (where ≈95% of YouTube HTTP requests received no response, vs. ≈2% pre-block). Porn blocking similarly combined DNS redirection with IP blocking (41% blacklist overlap) in Sep 2012 and RST injection in Aug 2013.
-
Before censorship, porn traffic averaged 8.4–11.5% of HTTP bandwidth for residential and SOHO users respectively. Post-censorship, this fraction fell to ≈3.5–4.0% for residential and ≈2.0–3.7% for SOHO users. Even after accounting for traffic shifted to unblocked alternate porn domains and the contemporaneous SSL/VPN increase, porn traffic did not return to pre-block levels, suggesting censorship achieved partial demand suppression despite being bypassable via alternate DNS resolvers.
-
On the day of YouTube's block in Pakistan (18 Sep 2012), SOHO users' HTTP:SSL traffic ratio collapsed from ~38:1 pre-censorship to ~3.2:1, and remained at ~3.25 eleven months later (Aug 2013), indicating rapid and sustained mass adoption of SSL-based circumvention. A supplementary survey of ~700 Pakistani users confirmed 57% used SSL-based VPN software (UltraSurf, OpenVPN, Hotspot Shield) to access YouTube.
-
YouTube held an average of ~97% of SOHO video bandwidth across four pre-block traces. On the block day (18 Sep 2012) this dropped to 15.8%, with DailyMotion absorbing ~82% of 'Others' traffic. Eleven months later (Aug 2013), YouTube's unencrypted video share reached 0%, with Tune.pk at 57.6% and DailyMotion at 40.9% of total video bandwidth, reflecting a durable market reallocation among video platforms.
-
Chinese censorship does not primarily target criticism of the state or its leaders — vitriol against top officials is routinely published. The decisive variable is collective action potential: posts that organize, incite, or reference crowd formation outside the Internet are censored regardless of whether they are pro- or anti-government, a distinction the authors formally establish and experimentally test for the first time.
-
The automated keyword-filtering tier is acknowledged to be largely ineffective at text classification due to well-known poor performance of keyword-matching approaches; the government compensates by deploying tens of thousands of human censors who manually review posts held by automated filters. The automated system affects large numbers of posts on fully two-thirds of Chinese social media sites surveyed.
-
By operating their own Chinese social media site using commercially available software, documentation, and vendor support, the authors confirmed that censorship enforcement is delegated to platform operators via configurable off-the-shelf software. By default the software shipped with no automated review or blocking; webmasters activate keyword lists and gain controls for bulk deletion, IP blocking, user banning, and per-post-type restrictions.
-
Chinese social media censorship operates at two sequential stages: an instantaneous automated review that holds flagged posts before they receive a public URL, followed by human censors who read each held post and decide within roughly 24 hours whether to publish or delete it. The ex ante automated stage is invisible to observational methods that only monitor published content, creating a systematic blind spot in prior censorship measurement research.
-
The Chinese censorship apparatus detects collective action potential through volume-burst monitoring: it identifies a spike in social media posts about a topic area, traces the spike to a real-world event, classifies the event as having collective action potential, and then censors all posts in that burst — regardless of individual post stance or content.
-
Content inconsistency — transmitting non-native payloads (e.g., modem signals or general web traffic) over VBR-encoded VoIP/video channels — is sufficient for censors to detect camouflage systems via packet-length traffic analysis. Channel inconsistency — requiring reliable transport over a loss-tolerant UDP channel — allows selective disruption: dropping 5% of packets stalls SkypeMorph indefinitely, and dropping 90% for under one second desynchronizes the FreeWave modem.
-
A single Facet server with 15 Mbit/s bandwidth and 4 virtual CPU cores supports up to 20 simultaneous video-streaming sessions. Server-side downstream bandwidth consumption is approximately 150 kbit/s lower than a Squid HTTP proxy for equivalent video quality (240p), because Facet fetches only the video stream without page overhead such as advertisements and images.
-
For decentralized videoconferencing systems (e.g., Skype) where peers communicate directly, publicly distributing the Facet server's conferencing ID allows a censor to pinpoint the server's IP address via active probing. Centralized systems (e.g., Google Hangout, FaceTime) hide the proxy IP behind the provider's relay server, making active probing unable to identify the Facet server.
-
Without traffic morphing, a χ² packet-length classifier can identify 90% of Facet (video-over-Skype) sessions with only a 10% false positive rate on genuine videoconferencing. To block 80% of Facet connections, the censor need only disrupt 4% of genuine Skype calls; blocking 70% requires disrupting only 2%.
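A classifier of this kind can be sketched as a χ²-style distance between a session's packet-length histogram and a reference histogram of genuine videoconferencing. The exact statistic, binning, and threshold here are assumptions for illustration, not the paper's configuration.

```python
def chi2_distance(observed, expected) -> float:
    """Chi-squared distance between two packet-length histograms over the
    same bins; counts are normalized so trace lengths can differ.
    Both histograms must have a nonzero total count."""
    total_o, total_e = sum(observed), sum(expected)
    d = 0.0
    for o, e in zip(observed, expected):
        po, pe = o / total_o, e / total_e
        if po + pe > 0:
            d += (po - pe) ** 2 / (po + pe)
    return d

def classify_session(session_hist, genuine_hist, threshold: float) -> bool:
    """Flag a session whose packet-length distribution diverges from
    genuine videoconferencing; threshold is tuned on labeled traces."""
    return chi2_distance(session_hist, genuine_hist) > threshold
```

Facet's morphing works precisely by pulling the session histogram back toward `genuine_hist`, forcing the censor's threshold down into the range where genuine calls get disrupted.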
-
Facet's video morphing — embedding the requested video in a fraction s of H.264 macroblocks within a randomly chosen chat video — raises the censor's required false positive rate dramatically. At steganography level s=0.125, blocking 90% of Facet connections requires disrupting over 40% of genuine videoconferencing traffic; blocking 80% requires disrupting at least 20% of legitimate calls.
-
DFA state-space explosion makes DFA-based FTE impractical for many realistic network-monitor regexes: the minimum DFA for `(a|b)*a(a|b){16}` has 131,073 states requiring 266 MB of precomputed tables, while the equivalent NFA has only 36 states requiring 73 KB — a reduction of roughly four orders of magnitude. Some formats in the Snort corpus required up to 383 MB under DFA-based ranking, rendering them prohibitive for deployment.
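The blow-up is the classic one for `(a|b)*a(a|b){n}`: a DFA must remember a window of the last n+1 symbols, so its state count grows as 2^(n+1), while an NFA only needs a short counting chain. A quick check against the figure quoted above:

```python
# (a|b)*a(a|b){16}: the minimal DFA tracks the last 17 symbols seen,
# on the order of 2^17 states (131,073 in the paper's construction).
n = 16
dfa_states = 2 ** (n + 1) + 1
print(dfa_states)   # 131073

# The equivalent NFA needs only a loop state plus a chain of ~n counting
# states (36 in the paper's construction) -- hence the ~4-orders-of-
# magnitude table-size gap (266 MB vs 73 KB) that motivates NFA ranking.
```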
-
In PostgreSQL benchmarks, FPE-encrypted account-balance fields (libfte P-DD scheme, regex `\-[0-9]{9}`) reduce throughput by only 0.8% for complex mixed-transaction workloads (USUUI) and only 1.1% for SELECT-only workloads, relative to conventional authenticated encryption. Per-query latency for FPE versus authenticated encryption is identical across all five tested query types.
-
A deterministic FTE scheme (T-DD) that maps 16-digit credit card numbers to 7-byte ciphertext strings achieves simultaneous encryption and compression, reducing on-disk table size from 112 MB (authenticated encryption) to 42 MB — a 62.5% reduction — while maintaining provable privacy. The compression arises because the ciphertext format's message space is smaller than the plaintext's.
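The 7-byte figure follows from a simple counting argument: a rank-based FTE ciphertext only needs enough bits to index the plaintext's message space, not a full cipher block.

```python
import math

# A 16-digit credit-card number is one of 10**16 possible values.
plaintext_space = 10 ** 16

bits_needed = math.ceil(math.log2(plaintext_space))
print(bits_needed)                   # 54 bits suffice to index the space
print(math.ceil(bits_needed / 8))    # -> 7 bytes per ciphertext,
                                     # versus a 16-byte-or-larger AEAD output
```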
-
LibFTE exposes a regex-based API (Python, C++, JavaScript) that instantiates DPI-defeating FTE schemes from a regular-expression format specification alone, without expert cryptographic knowledge. The DCRS FTE scheme implemented in the library makes ciphertexts indistinguishable from real HTTP, SMTP, SMB, or other network-protocol messages under state-of-the-art DPI, and was already integrated into the Tor Browser Bundle at time of publication.
-
LibFTE's NFA-based 'relaxed ranking' sidesteps the PSPACE-hardness obstacle that previously made direct NFA ranking unworkable. Across 3,458 Snort IDS regular expressions in the network-monitor-circumvention setting, NFA-based ranking reduces client/server memory requirements by as much as 30% compared to DFA-based approaches.
-
Cascade-based censorship (ICM model) and uniform random deletion produce measurably different topological signatures: cascade removal causes greater increases in network diameter and radius as the censorship fraction γ increases and a substantial increase in assortativity at mid-removal levels (γ=0.2–0.5), whereas uniform deletion shows slower, more gradual changes across these same metrics.
-
An SVM classifier using a 60-dimensional feature vector — 10 topological network metrics (assortativity, clustering coefficient, diameter, radius, betweenness centrality, degree distribution exponents) plus 50 Laplacian eigenvalues — can detect network-level censorship without any content analysis. The classifier successfully distinguishes censored from uncensored reply-graphs even at the lowest tested censorship level of γ=0.1 (10% edge removal), using 10-fold cross-validation repeated 10 times.
-
Censors on Sina Weibo were documented retroactively removing entire repost cascades started from a single sensitive post. Extrapolating from sampled data, prior work estimated that up to 4,200 workers working eight-hour shifts would be required to match the censorship demand on Sina Weibo alone, with documented peak hours for deletion activity.
-
A random sample of Sina Weibo messages found that 16.25% were deleted overall, with strong geographic variation: up to 53% of messages from some Chinese provinces were deleted. Nearly 30% of all deletions occurred within 5–30 minutes of posting, and up to 90% within 24 hours.
-
Collaborative spy detection aggregates VPN connection logs (complete, incomplete, and tiny calls) across all volunteer nodes to a central log analyzer, which identifies censor probe IPs by looking for clusters of incomplete or tiny calls from the same /24 block, then distributes a Spy List back to every server so probing packets are silently dropped before the handshake completes. A single server cannot distinguish a spy from a regular client in time; the cross-server aggregate makes pre-response spy identification feasible.
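A rough sketch of the aggregation step, assuming a simple rule of "several distinct suspicious source IPs in one /24" (the cluster-size threshold and log schema here are invented; VPN Gate's analyzer applies its own heuristics):

```python
from collections import defaultdict

def spy_list(call_log, min_cluster: int = 3):
    """Aggregate per-server logs of suspicious VPN handshakes and return
    the /24 blocks to distribute back to every server as the Spy List.
    `call_log` is a list of (src_ip, status) pairs with status in
    {'complete', 'incomplete', 'tiny'}."""
    by_block = defaultdict(set)
    for ip, status in call_log:
        if status in ("incomplete", "tiny"):      # censor-probe signatures
            block = ".".join(ip.split(".")[:3]) + ".0/24"
            by_block[block].add(ip)
    return {b for b, ips in by_block.items() if len(ips) >= min_cluster}
```

The point of central aggregation is visible in the rule itself: no single server sees enough probes from one /24 to reach `min_cluster` in time, but the union of all servers' logs does.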
-
After VPN Gate blocked the GFW's original probe IP (210.72.128.200, operated by China Science and Technology Network / CSTNET), the GFW authority immediately pivoted to Amazon EC2 and commercial hosting (Gorilla Servers) to enumerate relay lists, using a Python-urllib user agent at fixed polling intervals. Following this adaptation, approximately 80% of all VPN Gate servers became unreachable from China.
-
The GFW authority discovered VPN Gate and deployed an automated IP-blocking tool within four days of launch: the List Server was blocked on March 11, 2013 (day 3), and automated scanning of the full server list began by March 12 (day 4). This automated tool polled and blocked all listed IP addresses several times per day.
-
Innocent IP mixing — inserting IP addresses of critical Internet infrastructure (DNS roots, Windows Update servers, popular mail servers) into the relay list distributed to users — forces the censor to manually verify each address before blocking. In March 2013, the GFW blocked every IP VPN Gate mixed in within 30 minutes, demonstrating it was trusting the list without verification; after the technique was noticed (March 20), the GFW switched to verifying IPs first, substantially slowing its blocking cadence.
-
After deploying innocent IP mixing and collaborative spy detection, VPN Gate raised server reachability from China from a low of ~30% to 78.5% by June 19, 2013, sustaining 60–70% reachability through end of August. On August 29, 2013, VPN Gate served 9,000 daily unique IP addresses from China versus Tor's estimated 3,000.
-
In a 140-hour measurement, requests forwarded into a 10-node Darknet connected to the Opennet by a single bridge link succeeded only 0.08% of the time, versus 8.46% for Opennet-forwarded requests — a ~100× failure-rate gap caused by ID-space isolation between the two overlay segments.
-
An 8-week measurement in June–August 2012 discovered 58,571 unique Freenet installations across 102,376 distinct IP addresses; approximately 25% were in the US and 12.5% in Germany, with Europe and North America collectively representing the vast majority — users from countries typically associated with Internet censorship were a small minority.
-
Freenet's deployed Opennet topology uses uniformly random long-range contacts rather than Kleinberg-optimal distance-proportional selection, yielding an average routing length of 37.17 hops in simulation; adopting a 1/d distance distribution (r=1) reduces this to fewer than 13 hops — a 2.9× improvement achievable via a Kademlia-style bucket system.
-
Freenet users exhibit a median session length of 95–99 minutes (p=0.975–0.99), substantially longer than all measured P2P file-sharing systems (1–60 minutes for Napster, Gnutella, FastTrack, Overnet, BitTorrent, KAD); ~2% of sessions exceeded 100 hours, and the distribution is best modeled by a lognormal fit (residual error 0.019) rather than Weibull or exponential.
-
The FNPProbeRequest message, designed to return location and uptime of a node sampled via an 18-hop Metropolis-Hastings random walk, can be used to reliably track individual node online times — capturing >98% of online nodes per sampling interval — enabling intersection attacks on anonymity even though it cannot target a specific node by design.
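A degree-corrected random walk of this kind can be sketched generically (a standard Metropolis-Hastings sampler over an adjacency dict with an assumed toy topology — not Freenet's implementation):

```python
import random

def mh_random_walk(graph, start, hops=18):
    """Metropolis-Hastings walk over an adjacency dict.  The acceptance
    ratio min(1, deg(cur)/deg(next)) makes the stationary distribution
    uniform over nodes, so the endpoint is a near-unbiased node sample."""
    cur = start
    for _ in range(hops):
        nxt = random.choice(graph[cur])
        if random.random() < min(1.0, len(graph[cur]) / len(graph[nxt])):
            cur = nxt
    return cur

# Toy star topology: hub node 0 linked to four leaves.
graph = {0: [1, 2, 3, 4], 1: [0], 2: [0], 3: [0], 4: [0]}
counts = {v: 0 for v in graph}
for _ in range(20000):
    counts[mh_random_walk(graph, 0)] += 1
# An uncorrected walk would land on the hub half the time; with the
# correction every node is sampled at roughly the same rate.
assert max(counts.values()) < 2 * min(counts.values())
```

Repeated sampling at this rate is what captures >98% of online nodes per interval, enabling the intersection attack the finding describes.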
-
The paper argues that the advantage in the censor-vs-circumvention arms race lies with the censor due to fundamental asymmetry: a nation state controls centralized communication infrastructure while dissidents depend on it. Standalone anti-censorship tools therefore face a structurally disadvantaged security posture that iterative patching cannot overcome.
-
Centralized communication architectures have a single global point of failure: governments can leverage centralization to surveil with or without operator cooperation, as demonstrated by the Snowden revelations about Skype, Facebook, and Google. A compromised broker in a centralized design enables monitoring and censorship that spans all users of the service.
-
The paper sketches a decentralized DHT-based communication protocol where all payloads are encrypted in TLS and explicit redirection enables a form of onion routing. Because the censor cannot distinguish censored from non-censored streams, it is forced into a binary choice: block all protocol traffic (overblocking) or allow all of it.
-
If a communication protocol is regularly used for business and commerce, blocking it may be too politically and economically costly for a censor. The paper posits that censorship resistance achieved as a side-effect of widespread general adoption is harder to defeat than a niche protocol designed solely to circumvent censorship.
-
Known attacks on existing circumvention tools include steganographic detection, enumeration of decoy-router locations, and machine-learning traffic classifiers. The paper acknowledges these defeat current approaches (Infranet, Collage, Telex, SkypeMorph, Freewave) and argues that no iterative patch can neutralize the censor's long-term structural advantage.
-
DNSSEC fails to withstand legal attacks because governments can legally compel DNS authority operators to manipulate entries and certify the changes; the trust chains DNSSEC establishes mirror DNS zone delegations and therefore inherit the same jurisdictional vulnerabilities. A Danish police incident demonstrated the collateral damage: 8,000 legitimate domains were accidentally removed when censorship procedures were executed against a single target. Chinese DNS injection has been shown to have worldwide effects on name resolution through out-of-bailiwick NS record chains.
-
GNS uses a proof-of-work-gated network flood for key revocation, requiring an adversary to block flood traffic on every path between the revocation origin and all peers to suppress it. This is substantially more robust than X.509 certificate revocation lists, which an adversary can render ineffective by simply blocking access to CRL servers — a weakness severe enough that browser vendors must bundle revocation lists inside software updates.
-
GNS encrypts all DHT queries and responses using a zone-private-key-derived symmetric key (h = x·l mod n; query = H(hG)) such that a passive DHT observer can only mount a confirmation attack — requiring simultaneous knowledge of both the zone's public key and the specific label. Without both values, an adversary observing DHT traffic cannot determine the label, zone, or record data; even fully participating malicious DHT nodes see only opaque signed blobs unlinkable to their originating query.
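The key derivation can be illustrated in a toy multiplicative group standing in for the paper's elliptic curve (all parameters below are illustrative, not GNS's real ones): the publisher computes H(g^(x·l)) from its private key x, while a resolver knowing only the public key X = g^x and the label l computes H(X^l) — the same value.

```python
import hashlib

# Toy group: Z_p^* with a Mersenne-prime modulus (illustrative only).
p = 2**127 - 1
g = 3
n = p - 1                          # toy stand-in for the curve order

def H(point: int) -> str:
    return hashlib.sha256(str(point).encode()).hexdigest()

x = 0x5eed                         # zone private key (publisher only)
X = pow(g, x, p)                   # zone public key (known to resolvers)
l = int.from_bytes(b"www", "big")  # numeric encoding of the record label

# Publisher: h = x*l mod n, query = H(g^h)
h = (x * l) % n
publisher_query = H(pow(g, h, p))

# Resolver with only (X, l): (g^x)^l = g^(x*l), so the queries match.
resolver_query = H(pow(X, l, p))
assert publisher_query == resolver_query
# An observer lacking either X or l cannot recompute the query key,
# so it is limited to confirming guesses it already holds.
```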
-
GNS bounds the trusted computing base (TCB) for any individual name resolution to fewer than approximately 125 entities (constrained by name label length) and makes the full trust chain transparent to the user. By contrast, even simple DNS lookups can silently depend on correct answers from over 100 DNS zones; China's DNS injection caused global collateral damage precisely because out-of-bailiwick NS record chains made the full trust graph invisible to resolvers and users alike.
-
Blockchain-based naming systems such as Namecoin are insufficient under a strong adversary model where a nation-state can muster more computational resources than all other participants combined, allowing it to produce alternative valid chain histories. This vulnerability is most acute during system bootstrapping and in censored regions where the user base is small, precisely the conditions under which a censorship-resistant naming layer is most needed.
-
GoHop without traffic shaping achieved 76.8–78.5 Mbps (virtual NIC) on a 1 Gbps LAN; traffic shaping reduced this to 58.1 Mbps (~26% overhead from fragmentation). In a Beijing-to-Seattle real-world download test, GoHop delivered 960–999 KB/s against a 1,544 KB/s direct baseline, with the 96.7 Mbps WAN link—not GoHop—as the bottleneck. This compares to Tor's 40–300 KB/s (30–80 KB/s with obfuscation plugins such as SkypeMorph).
-
Packet padding alone is insufficient to defeat statistical traffic analysis unless every packet is padded to MTU; small-size padding has minimal effect on classifier accuracy (citing Hjelmvik & John 2010). Traffic shaping that also fragments large packets—transforming the full packet-size CDF to match a target distribution rather than merely inflating small packets—is required to statistically impersonate a target traffic class.
-
A pre-shared key enables encrypting the entire GoHop packet—header, payload, and padding bytes—achieving true randomness in the full byte stream. Standard VPN protocols such as OpenVPN encrypt only the payload while leaving headers in plaintext, exposing protocol-identifying fields to DPI without payload inspection. This design choice is a prerequisite for defeating header-based fingerprinting.
-
Spreading UDP datagrams across a randomized port range breaks traditional 5-tuple-based session tracking, randomizes per-port inter-arrival times, and reduces per-port throughput to a small fraction of the aggregate—making per-flow statistical analysis significantly harder. Critically, the number of random ports does not reduce aggregate throughput: GoHop measured 76.8 Mbps (1 port) versus 78.5 Mbps (100 ports) at the virtual NIC.
-
GoHop's naïve traffic shaping targeting a uniform packet-size distribution (0–MTU) successfully morphed both HTTP and SSH flows: K-S test D values were 0.019 (HTTP) and 0.022 (SSH), both below the 0.025 rejection threshold, with p-values of 0.20 and 0.11 respectively. After shaping, packet-size CDFs and statistical metrics (mean ~782–783 bytes, variance ~163,600) for both protocols became nearly identical, eliminating the size signals that distinguish them.
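A toy version of this uniform shaping, checked with a stdlib two-sample K-S statistic, can be sketched as follows (`shape` and `ks_D` are illustrative code over synthetic flows, not GoHop's implementation):

```python
import bisect
import random

MTU = 1500

def shape(sizes):
    """Morph a packet-size sequence toward Uniform(1, MTU): each wire
    packet gets an independently drawn uniform size; payload larger than
    the drawn size is fragmented, smaller payload is padded up to it."""
    out = []
    for s in sizes:
        remaining = s
        while remaining > 0:
            wire = random.randint(1, MTU)
            remaining -= min(wire, remaining)   # consume payload; pad the rest
            out.append(wire)
    return out

def ks_D(a, b):
    """Two-sample Kolmogorov-Smirnov D: max gap between empirical CDFs."""
    a, b = sorted(a), sorted(b)
    return max(abs(bisect.bisect_right(a, x) / len(a)
                   - bisect.bisect_right(b, x) / len(b))
               for x in sorted(set(a) | set(b)))

random.seed(1)
# Synthetic stand-ins: HTTP mixes small requests with MTU-sized responses;
# SSH is dominated by small interactive packets.
http_like = [random.choice([64, 1500, 1500, 600]) for _ in range(2000)]
ssh_like  = [random.choice([48, 96, 128]) for _ in range(2000)]
assert ks_D(http_like, ssh_like) > 0.3                   # raw flows differ
assert ks_D(shape(http_like), shape(ssh_like)) < 0.08    # shaped flows converge
```

After shaping, both flows draw wire sizes from the same uniform distribution, so the K-S statistic falls below any practical rejection threshold — the same effect as the paper's D values of 0.019 and 0.022.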
-
Asymmetric IP routing is a fundamental constraint on prior E2M designs: tier-2 ISPs typically see around 25% of packets on asymmetric paths, while tier-1 ISPs can have up to 90% of packets on asymmetric flows. Because Telex requires observing both directions of a connection to derive the client-server TLS master secret, this asymmetry severely constrains where it can be deployed. TapDance resolves this by using chosen-ciphertext steganography to leak the master secret from client to station in a single upstream packet, making it functional under fully asymmetric routing.
-
TapDance introduces chosen-ciphertext steganography, which allows the client to embed an arbitrary-length hidden message inside a valid TLS ciphertext without invalidating the TLS MAC or session. By exploiting ciphertext malleability in both stream-cipher (counter) mode and CBC mode, the client can choose specific byte values to appear in the ciphertext while constraining plaintext to a safe ASCII range (0x40–0x7F), encoding 6 bits of tag data per ciphertext byte. This provides unbounded covert-channel bandwidth, compared to the fixed 224-bit TLS nonce used by Telex and Decoy Routing or the 24-bit TCP ISN used by Cirripede.
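For the stream-cipher case, one way to realize the 6-bits-per-byte encoding is to fix the ciphertext's top two bits so the plaintext (ciphertext XOR keystream) always lands in 0x40–0x7F, leaving the low 6 bits of each ciphertext byte free to carry tag data. This is an illustrative reconstruction of the bit-partitioning idea, not TapDance's exact encoding; the paper's scheme also covers CBC mode and preserves the TLS MAC.

```python
import random

SAFE_BASE = 0x40   # plaintext forced into 0x40-0x7F: top two bits are '01'

def encode_tag(tag_values, keystream):
    """Choose ciphertext bytes whose low 6 bits carry tag data while the
    corresponding plaintext stays in the safe ASCII range (sketch)."""
    cipher, plain = [], []
    for v, k in zip(tag_values, keystream):
        hi = (SAFE_BASE ^ k) & 0xC0        # force plaintext's top bits to '01'
        c = hi | (v & 0x3F)                # low 6 ciphertext bits = tag data
        p = c ^ k                          # what the decoy server decrypts
        assert 0x40 <= p <= 0x7F
        cipher.append(c); plain.append(p)
    return cipher, plain

random.seed(7)
keystream = [random.randrange(256) for _ in range(8)]
tag = [0x2A, 0x01, 0x3F, 0x00, 0x15, 0x30, 0x07, 0x22]  # 6-bit values
cipher, plain = encode_tag(tag, keystream)
# The station recovers the tag directly from on-wire ciphertext:
assert [c & 0x3F for c in cipher] == tag
assert all(0x40 <= p <= 0x7F for p in plain)
```

Because the client legitimately encrypts the chosen plaintext, the MAC it computes is valid, and the covert channel grows with the request length rather than being capped at a fixed nonce size.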
-
All three prior end-to-middle (E2M) schemes — Telex, Cirripede, and Decoy Routing — require an inline flow-blocking component at the participating ISP, which adds latency, introduces a single point of failure, and may violate carrier SLAs. In private discussions with ISPs, the authors found that despite willingness to assist Internet freedom technically and financially, none were willing to deploy existing E2M technologies due to these operational impacts. TapDance removes the inline blocking requirement entirely, requiring only a passive tap and packet-injection capability.
-
Scanning a 1% sample of the IPv4 address space and the Alexa top-1-million domains, the authors found that over half of all TLS hosts will leave an incomplete HTTP request connection open for at least 60 seconds before sending data or closing the connection; many had timeouts exceeding 5 minutes. The 16-core TapDance station prototype processes over 12,000 tag verifications per second per core, with approximately 90% of CPU time consumed by a single ECC point multiplication on Curve25519. The station adds a median latency of 270 milliseconds to page downloads versus direct connections, and a single station instance can be overwhelmed by approximately 1.2 Gbps of TLS application-layer traffic.
-
Because TapDance does not block client-to-server packets, a censor can inject a TCP packet with a stale acknowledgment number directly to the true decoy server; the server will reply with its actual TCP sequence state, which will differ from the sequence numbers the TapDance station has been using — confirming the flow is proxied. This active packet-injection attack is qualitatively easier to execute against TapDance than against Telex or Cirripede, which used inline blocking to prevent such probes from reaching the server. Table 1 in the paper confirms that TapDance, unlike Telex, lacks replay/preplay attack resistance and has no traffic-analysis defense.
-
Throughput variance across Iranian ISPs collapsed nearly simultaneously during suspected throttling events, consistent with a centrally coordinated administrative order rather than independent ISP-level decisions. Former ISP staff accounts cited in the paper indicate throttling orders were delivered by phone or fax, with smaller regional providers potentially delaying compliance—implying a brief window before universal enforcement.
-
Throughput drops correlated directly with political mobilizations: the 2012-02-14 anniversary of political detentions registered a -102.9% weekly-minimum change relative to the two-month mean, and the October 2012 currency protests showed a -86.2% weekly minimum. Round-trip time did not increase proportionally during these drops, distinguishing them from ordinary congestion.
-
Using M-Lab NDT measurements from Iran, the paper identifies two extended throttling periods: November 30, 2011 – August 15, 2012 (77% decrease in median download throughput) and October 4 – November 22, 2012 (69% decrease), plus 8–9 shorter-term disruptions. Weekly variance analysis yields even steeper figures of -98% and -82% for the two major events.
-
During the November 2011 throttling event, every Iranian ASN under consideration experienced more than a 74% drop in throughput within the first two months; only one prefix (ITC's commercial hosting block 80.191.96.0/19) showed an increase. Academic networks (Sharif University AS12660, University of Tehran AS29068) recovered faster than consumer ISPs, suggesting selective prioritization or exemption for institutional traffic.
-
Iran's censors preferred throttling over outright shutdown because it is less conspicuous and draws less controversy. The paper notes that NDT-style bulk-transfer tests cannot detect targeted, DPI-based throttling of specific protocols (VPN, Tor, streaming), since those present different traffic signatures than generic TCP bulk transfers. Iran's filtering infrastructure (TCI/ITC, AS12880) runs deep packet inspection as an auxiliary layer on top of ISP-level controls.
-
Measurement of Alexa top-500 websites across 18 categories found that over 50% of the internet's most-visited sites were blocked in Iran, with adult content blocked at over 95% and the Art category the third-most censored. DNS hijacking was applied selectively to only three domains (facebook.com, youtube.com, plus.google.com), while HTTP Host filtering accounted for the vast majority of blocks.
-
Traceroutes from one major Iranian ISP to 3,160 destination IPs across 13 countries consistently showed a single private-address node (10.10._._) as the first observable external hop, preceded by one of only two TCI-owned transit nodes. TTL-based probing confirmed that both HTTP and DNS blocking originated at this same centralized node, suggesting that the processing capacity of this national chokepoint is a key bottleneck in Iran's censorship infrastructure.
-
DNS queries for blocked domains were intercepted on-path and never reached the authoritative server; instead, the DNS server received 5 TCP RST packets spoofed from the client's address — despite the original queries being UDP, a likely misconfiguration. Three RST packets carried an identical random sequence number while two had a relative offset of 30 from the first three, the same distinctive 3+2 RST pattern observed in the HTTP blocking mechanism.
-
Iran's HTTP censorship allows the TCP three-way handshake to complete normally before acting on the HTTP GET request: the censor responds with a '403 Forbidden' and simultaneously sends 5 spoofed RST packets to the destination server (3 with in-sequence numbers, 2 with seemingly random offsets). No modifications to TCP/IP or HTTP headers were observed at either endpoint, ruling out a transparent proxy and pointing to inline DPI.
-
SSH transfers utilized only 15% of available bandwidth versus 85–89% for HTTP/HTTPS. When SSH was obfuscated by XORing payloads with a constant key (hiding the plaintext handshake), throughput dropped to near-zero during all trials. Applying the same obfuscation to HTTP transfers produced the same near-zero result, supporting the hypothesis that Iran whitelists known-approved protocols rather than blacklisting specific ones, which would preemptively block any unrecognized or randomized transport including Tor's obfsproxy.
-
In the August 2012 Bell-Dery BGP route leak, TTL analysis at per-prefix granularity revealed that two IP addresses within AS577 maintained constant TTLs and unaffected packet rates throughout the disruption, while 37 of 38 other active /16 prefixes experienced significant volume drops and TTL changes indicating rerouting through longer paths. This demonstrates that BGP route leaks can affect subnets within a single AS asymmetrically, and that TTL inspection can identify unaffected sub-AS paths.
-
During the February 2012 Dodo-Telstra BGP route leak, AS1221 (Telstra) exhibited a 20-minute congestion phase in which γC and γ3 both dropped while η rose from approximately 3 to 5 seconds, followed by a complete outage during which zero darknet sources were observed from the AS. The congestion phase produced measurable packet loss before the full blackout, providing an early-warning window of roughly 20 minutes.
-
Conficker-like traffic to TCP port 445 constitutes more than 40% of packets observed at the UCSD /8 Network Telescope and Windows XP/NT hosts consistently emit exactly 2-packet SYN flows; γC stayed within the narrow band 1.98–2.02 throughout an entire month (January 2012) with no large-scale outages. A second signal from default Windows 3-SYN flows (approximately 156 million flows/month from ~14K hosts/hour) provides a non-malware-specific validation stream with inter-packet times consistently between 3.09 and 3.37 seconds.
-
IBR-derived metrics γ (average SYN retransmits per flow) and η (inter-packet time between retransmits) can distinguish packet-loss-induced outages from packet-filtering censorship: during Libya's 2011 packet-filtering phase γC remained near pre-censorship values despite reduced source counts, whereas BGP route leaks caused measurable γ decreases and η increases. This difference exists because filtering reduces the host population but preserves per-flow OS retransmit behavior, while congestion causes routers to drop individual packets mid-flow.
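Given per-flow SYN timestamp records (synthetic data below; variable names are assumptions, not the paper's code), both metrics reduce to a few lines:

```python
def gamma_eta(flows):
    """gamma: mean SYN packets per flow; eta: mean inter-packet gap (s)
    between retransmits.  Each flow is a list of SYN timestamps."""
    gamma = sum(len(ts) for ts in flows) / len(flows)
    gaps = [b - a for ts in flows for a, b in zip(ts, ts[1:])]
    eta = sum(gaps) / len(gaps) if gaps else 0.0
    return gamma, eta

# Healthy Conficker-like background: 2-SYN flows ~3.1 s apart.
healthy = [[0.0, 3.1]] * 1000
# Congestion/route leak: mid-flow drops thin flows and stretch gaps.
congested = [[0.0]] * 400 + [[0.0, 4.8]] * 600
# Filtering: fewer sources reach the telescope, same per-flow shape.
filtered = [[0.0, 3.1]] * 100

g_h, e_h = gamma_eta(healthy)
g_c, e_c = gamma_eta(congested)
g_f, e_f = gamma_eta(filtered)
assert g_h == 2.0 and g_f == 2.0   # filtering preserves gamma
assert g_c < g_h and e_c > e_h     # congestion lowers gamma, raises eta
```

The distinguishing signal is exactly the finding's: filtering shrinks the source population while leaving γ near 2, whereas loss-induced outages drag γ down and push η up.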
-
Libya's 2011 Internet shutdown combined two distinct censor techniques across separate episodes: BGP-level route withdrawal and later packet filtering. During the packet-filtering episode, γC remained near its pre-censorship baseline (~2.0 packets/flow) even as the number of reachable Conficker sources dropped, confirming that the mechanism was per-subnet allowlisting rather than link saturation.
-
Censorship on Weibo does not produce a measurable chilling effect on discussion: Spearman's ρ = 0.198 (p = 0.011) between the percentage of censored tweets and unique tweeters per topic, indicating that censored topics attract more unique participants. No significant negative correlation was found for any of five engagement variables (comments per tweet, comments per user, total comments, unique commenters, unique tweeters).
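Spearman's ρ is just the Pearson correlation of ranks; a stdlib sketch with tie-aware average ranking, run on hypothetical per-topic data:

```python
def rankdata(xs):
    """1-based average ranks; tied values share their mean rank."""
    order = sorted(range(len(xs)), key=lambda i: xs[i])
    ranks = [0.0] * len(xs)
    i = 0
    while i < len(xs):
        j = i
        while j + 1 < len(xs) and xs[order[j + 1]] == xs[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks

def spearman(x, y):
    """Spearman's rho: Pearson correlation computed on the ranks."""
    rx, ry = rankdata(x), rankdata(y)
    n = len(x)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = sum((a - mx) ** 2 for a in rx) ** 0.5
    sy = sum((b - my) ** 2 for b in ry) ** 0.5
    return cov / (sx * sy)

# Hypothetical per-topic data: % censored vs. unique tweeters.
censored_pct = [82, 2, 1, 15, 40, 5]
tweeters = [900, 120, 100, 300, 700, 200]
assert spearman(censored_pct, tweeters) > 0   # no chilling effect
```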
-
Comments on Weibo (~18M per day) are not independently censored: when a tweet is deleted, its comments are deleted as a cascade, but no instances of standalone comment censorship were observed in 36.5M tweets and associated comments. This creates a structural asymmetry — there are an order of magnitude more comments than tweets, yet comments persist unless their parent tweet is removed.
-
Weibo users circumvent keyword-based censorship by substituting censored terms with morphs — abbreviations, anglicizations, homophones, homographs, and neologisms. 11 of 37 trending topics in a 44-day crawl of 280K users contained morphs, and morph usage was concentrated in heavily censored topics, with up to 5 morphs per topic observed.
-
Morph adoption in censored topics begins within hours of censorship being imposed, and in some topics users adopt morphs preemptively before censorship is applied, demonstrating rapid community-level awareness of keyword filtering. Temporal analysis of the Lushan and Taxi topics (Figures 19–20) shows morph usage rising sharply in parallel with or ahead of censor action.
-
Weibo employs keyword-based censorship with highly uneven application across topics: 82% of tweets in the Lushan topic (criticism of a local official) were censored, while 27 of 37 trending topics exhibited <2% censorship; overall ~1% of the 36.5M crawled tweets were censored. The Chinese government prioritizes censoring content that could incite public protest over content that is merely critical.
-
All confirmed URL filtering deployments—McAfee SmartFilter in UAE and Netsweeper in Yemen, UAE, and Qatar—block content across at minimum six of seven tested human-rights-sensitive categories: media freedom, human rights, political reform, LGBT, religious criticism, and minority groups/religions. Netsweeper in both Qatar (Ooredoo) and UAE (Du) blocks all seven categories. This content is protected under Article 19 of the Universal Declaration of Human Rights.
-
In YemenNet (AS 12486), URL filtering was observed to be intermittently offline: proxy URLs accessible in one test run were blocked in others and vice versa. A prior ONI measurement found a Yemeni ISP running Websense whose filtering ceased entirely when concurrent user count exceeded the product's license capacity. This inconsistency required larger URL test sets and repeated measurement runs to establish blocking with high confidence.
-
In every ISP where URL filtering was empirically confirmed, the 'proxy anonymizer' category was actively blocked. Netsweeper blocked 6/6 submitted proxy domains in YemenNet (AS 12486), 5/6 in Du UAE (AS 15802), and 6/6 in Ooredoo Qatar (AS 42298); McAfee SmartFilter blocked 5/5 anonymizer-category submissions in Etisalat UAE (AS 5384). Blue Coat in UAE and Qatar did not confirm—Etisalat appears to use SmartFilter for URL filtering atop a Blue Coat proxy appliance for traffic management.
-
URL filtering appliances are frequently misconfigured to be externally visible on the global Internet, enabling passive identification via Shodan keyword searches on product-specific HTTP headers and management console paths (e.g., 'cfru=' for Blue Coat, '8080/webadmin/' for Netsweeper). This technique discovered previously unknown installations in Finland, Sweden, Philippines, Thailand, Taiwan, Argentina, and Chile, as well as large U.S. ISPs including AT&T, Verizon, Bell South, Comcast, and Sprint.
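The passive identification step amounts to a keyword scan over captured responses. A minimal sketch — the signature strings are the two quoted above; the banner and everything else is hypothetical:

```python
# Product signatures keyed on strings reported to appear in externally
# visible responses (only these two are from the finding; add more as needed).
SIGNATURES = {
    "Blue Coat": ["cfru="],
    "Netsweeper": ["/webadmin/"],
}

def fingerprint(http_response: str):
    """Return filtering products whose signature strings appear in a
    captured HTTP response (a Shodan-style passive keyword match)."""
    return [product for product, keys in SIGNATURES.items()
            if any(k in http_response for k in keys)]

banner = ("HTTP/1.1 302 Moved\r\n"
          "Location: http://10.0.0.1:8080/webadmin/deny.cgi?dpid=1\r\n\r\n")
assert fingerprint(banner) == ["Netsweeper"]
```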
-
The paper presents a repeatable method for confirming which specific URL filtering product is used for censorship: create test domains under researcher control, submit a subset to the vendor's public URL categorization interface, then retest within 3–5 days to observe whether submitted domains become blocked. This technique confirmed McAfee SmartFilter in UAE (Etisalat, AS 5384) and Saudi Arabia (Bayanat Al-Oula AS 48237, Nournet AS 29684), and Netsweeper in Qatar (Ooredoo AS 42298), UAE (Du AS 15802), and Yemen (YemenNet AS 12486).
-
In 80% of measured paths (72 PlanetLab VPs × 5,000 Alexa targets), at least one intermediate router returns the full IP packet in ICMP time-exceeded replies (RFC1812-compliant), enabling per-hop detection of packet modifications. The majority of these full-ICMP routers reside in the network core rather than the access segment.
-
Middleboxes that randomize TCP sequence numbers do not update the sequence numbers inside TCP SACK blocks; tracebox found two PlanetLab VPs with stateful seq-number randomizers that cycled approximately every 20 seconds. When SACK blocks reference sequence numbers outside the current window, the Linux TCP stack waits for a full RTO instead of fast-retransmitting, producing up to 50% throughput degradation in controlled measurements.
-
Of 72 PlanetLab vantage points, 7 (~10%) automatically stripped or replaced TCP options (Multipath TCP, MD5, and Window Scale) with NOPs at the very first hop, and 2 VPs always altered TCP sequence numbers. These modifications occurred without any corresponding update to dependent fields, corrupting the TCP stream for higher-layer protocols.
-
tracebox can estimate middlebox location with an error of ≤4 hops in 61% of cases; errors above 13 hops (the length of ~60% of paths) each occur in less than 1% of cases. Of the MSS-modifying middleboxes detected, 52% were located in the network core and only 2.7% close to the source vantage point.
-
tracebox identified a transparent HTTP proxy or IDS within a National Research Network (SUNET) that intercepted port-80 SYN probes but not port-21 SYN probes, producing shorter observed path lengths to port 80. It also found proxy misconfigurations causing forwarding loops for non-HTTP traffic, where ICMP replies alternated between two routers indefinitely.
-
High-speed Internet-wide scanning enables a censor or attacker to locate every publicly reachable host vulnerable to a newly disclosed flaw within hours of disclosure; in a concrete example, 3.4 million UPnP-vulnerable devices were identified in under 2 hours — faster than network operators could apply patches — with a 150-SLOC probe module written in approximately 4 hours.
-
Obfsproxy (predecessor to obfs4) listens on randomized ports as an explicit defense against discovery by comprehensive Internet-wide scanning: an adversary must scan all 65,535 ports to locate bridges rather than a single known port, raising scan cost roughly 65,000-fold relative to a single-port sweep.
-
Comprehensive Internet-wide scanning enables cross-IP tracking of users and devices by correlating stable cryptographic identifiers — TLS certificates or SSH host keys presented by home routers and cable modems — with public geolocation data across DHCP lease changes, defeating the anonymity assumption behind dynamic IP addresses.
-
By scanning ports 443 and 9001 and fingerprinting responses with Tor's TLS v1 cipher-suite handshake pattern, ZMap identified 79–86% of all allocated Tor bridge fingerprints in a single scan, demonstrating that bridges whose protocol is distinguishable are largely discoverable through comprehensive Internet-wide scanning even though their addresses are not publicly listed.
-
ZMap completes a single-port scan of the entire public IPv4 address space in under 45 minutes from a commodity machine with a gigabit Ethernet connection, over 1,300 times faster than the most aggressive Nmap configuration. A single-probe scan achieves approximately 97.9% coverage of live hosts, rising to 98.8% with two probes and 99.4% with three probes.
-
Manually-generated FTE regexes achieve a 100% misclassification rate against all six tested DPI systems — appid, l7-filter, YAF, bro, nProbe, and the proprietary enterprise-grade DPI-X — for HTTP, SSH, and SMB target protocols. Each regex took less than 30 minutes to specify and debug against known classifiers.
-
FTE proxy overhead compared to socks-over-ssh: the intersection-ssh format incurred 0% average latency increase and only 16% bandwidth overhead (1,164 KB vs. 1,348 KB per Alexa Top 50 site). The worst-case auto-http format incurred 29% latency increase (5.5 s vs. 7.1 s) and 181% bandwidth overhead (3,279 KB), primarily due to ciphertext expansion and FTE/SOCKS negotiation on persistent empty TCP connections.
-
An FTE-tunneled Tor circuit using intersection, manual, and auto HTTP formats successfully traversed the Great Firewall of China from a VPS inside China to a server in the United States on port 80. A persistent tunnel polling a censored URL every five minutes remained active for one month until VPS account termination, with no blocking observed.
-
Default Tor connections to a private bridge inside China were detected by the Great Firewall via active probing: an initial connection succeeded, followed by a probe from a Chinese IP address approximately 15 minutes later that performed a TLS handshake and then blacklisted the (IP, port) combination. Subsequent connection attempts resulted in a successful SYN followed by spoofed TCP RSTs terminating both the client and bridge connections.
-
Regex-based DPI is fundamentally vulnerable to format-transforming encryption: because every tested system (including the proprietary enterprise-grade DPI-X, rated for 1.5 Gbps at $8,000) classifies protocols solely by membership in a regular language, any ciphertext can be guaranteed to match any chosen regex. The paper argues this forces DPI to adopt machine learning, active probing, or non-regular semantic checks — but notes that making such checks fast, scalable, and low-false-positive at line rate for arbitrary target protocols remains an open problem.
-
The bulk-transfer mode requires both the censored client and the cooperating proxy to accept incoming TCP connections, rendering it unusable for clients behind NAT without port-forwarding capability. Rendezvous mode is unaffected because it only requires the client to send a single outbound request. The authors note that many real-world residential users are behind NAT, limiting practical deployment of the bidirectional channel.
-
OSS operators—not the censor—are the primary abuse-detection risk for high-bandwidth use. PDFmyURL's published policy blocks clients making more than 100 requests in 2 hours that cumulatively consume more than 1000 seconds of server CPU and more than 10% of CPU resources. The authors were blocked by PDFmyURL and Twitter during high-bandwidth tests, suggesting that covert use must stay well below these thresholds.
-
Online scanning services span security scanners, ad networks (Google AdSense), web diagnostics, and link shorteners—categories economically important enough that blocking them wholesale causes severe collateral damage. The paper identifies five broad OSS categories with dozens of providers, and notes that translation services, photo printers, RSS aggregators, and image hosts are additional unexplored candidates, making exhaustive enumeration by a censor infeasible.
-
OSS throughput varies from 250 B/s (vURL/HTTP-302) to 265 KB/s (PDFmyURL/JavaScript-onload). High-rate OSSes—Dr.Web at 20 KB/s, GoMo at 22–175 KB/s, PDFmyURL at 160–265 KB/s—support bulk bidirectional transfer; low-rate OSSes (AdSense 500 B/s, vURL 250 B/s) are suited only for rendezvous. Concurrent streams scale linearly (2× aggregate throughput) for all tested OSSes except AdSense, which rate-limits per source IP.
-
In the standard redirect design the cooperating proxy's IP address or domain name appears in plaintext HTTP redirect responses, because the censored client cannot present a valid TLS certificate to the OSS and must use plain HTTP. A censor inspecting OSS-bound traffic can extract the proxy address from the Location header or URL query parameters. The no-redirect variant (client and server each initiate single scans of each other) eliminates this leakage at the cost of higher latency and server-side OSS enumeration.
-
Injecting a single replayed ACK packet every 100 ms into a SkypeMorph session is sufficient to permanently stall data transfer: the server continuously resets its sequence counter back to the replayed position and never advances, while legitimate VoIP call traffic is completely unaffected. The attack requires the censor to induce only a small amount of server-to-client packet loss to prevent the legitimate ACK counter from overtaking the injected value, as shown in Figure 5b.
-
FreeWave's modem synchronization depends on a preamble transmitted only at connection start (approximately 0.25 seconds for a 2048-symbol preamble); a censor applying 95% packet loss for under one second at the beginning of the session reliably prevents synchronization and breaks the connection, while reducing VoIP MOS only briefly and leaving the remainder of the session intact (Figure 2). With fixed data-frame designs, the censor can repeat preamble-targeted drops on every frame, achieving complete desynchronization at low average packet loss rates tolerable to legitimate VoIP.
-
SkypeMorph and FreeWave both overlay a client-proxy communication model onto a peer-to-peer VoIP network; because Skype clients attempt direct peer contact before falling back to supernodes, initiating a call to a FreeWave proxy reveals its IP address directly to the caller, and proxy nodes accumulate user-to-bridge ratios that reached 8–12:1 in Syria/Iran and up to 120:1 in China (Figure 8), producing concentration signatures uncharacteristic of normal P2P call distributions. These architectural mismatches allow enumeration and fingerprinting attacks independent of traffic-content analysis.
-
By targeting SkypeMorph's deterministic ACK-flagging schedule (one ACK every ~100 ms) and capping overall packet loss at 5–20%, a censor can drop up to 47% of ACK packets, reducing SkypeMorph throughput from its normal ~200 KB/s to 5–10 KB/s (a 90–95% reduction) while VoIP call quality remains within acceptable MOS thresholds. The attack exploits the reliability mismatch between the loss-tolerant UDP cover channel and the TCP-like retransmission layer SkypeMorph builds over it.
-
FreeWave's modem generates audio whose packet-length distribution has dramatically lower variance than human speech, even when transmitted through Skype's variable-bit-rate encoder; Figure 9 shows that English and Portuguese speech samples produce high-variance packet-length sequences while modem audio produces a narrow, nearly constant distribution, providing a reliable passive classifier for modem-over-VoIP traffic. This content mismatch persists even with perfect emulation of the VoIP protocol framing.
-
TCP-based web traffic performs poorly on mesh networks because each wireless hop halves effective bandwidth (bidirectional ACKs share the same half-duplex channel) and introduces highly variable latency and loss; voice traffic is similarly unsuitable due to jitter. The authors identify delay-tolerant applications and those requiring only very low bandwidth as the only category of workloads that can function within mesh constraints.
-
Purpose-built or uncommon radio hardware provides governments a legal pretext for crackdowns, is subject to import restrictions, and aids identification of dissidents via radio direction-finding equipment. The authors conclude that only ubiquitous, innocuous devices—smartphones and standard indoor WiFi access points—can be used in a dissent network without raising suspicion or endangering users.
-
Gupta and Kumar proved that the per-node capacity of a multihop wireless network approaches zero as the number of nodes increases; Li et al. experimentally validated this result for 802.11-based mesh networks. The authors emphasize this is an architectural constraint derived from fundamental radio physics, holding for arbitrary networks regardless of routing protocol.
-
Mesh networks can reach meaningful scale only by adopting centralized management, planned growth, and a static topology—properties that simultaneously create a single point of failure and make nodes easy targets for government radio direction-finding. Decentralized, organic, mobile mesh retains safety properties but at the cost of near-zero effective capacity as network size grows.
-
Pseudonymity is insufficient for dissent networks: social-network profile information can be correlated with external data to deanonymize users, and fixed-infrastructure networks enable localization attacks even without explicit identity. The authors argue that true anonymity—or at minimum strong deniability where usage is non-incriminating and activity is difficult to trace—is required to protect participants.
-
FreeWave over Skype reliably achieves 16 kbps for clients in Berlin, Frankfurt, Paris, and the UK (0% packet drop) and 19.2 kbps for Chicago, IL (0.01% drop), using 4-QAM with 8–9.6 kHz symbol rate and rate-0.5 Turbo channel coding. The maximum achievable bit rate is hard-bounded by the VoIP codec's sampling rate: 40 kbps for Skype SILK, 64 kbps for G.711, and 128 kbps for the L16 codec.
-
Protocol mimicry approaches (SkypeMorph, StegoTorus, CensorSpoofer) do not execute the target protocol in full and leave detectable discrepancies: SkypeMorph fails to replicate Skype's TCP handshake, and CensorSpoofer's IP-spoofing downstream channel enables active traffic analysis by censors who can inject manipulated packets and observe whether the purported VoIP endpoint reacts. The authors state that morphing approaches provide no provable indistinguishability, and protocol evolution further invalidates mimicry over time.
-
FreeWave-over-Skype produces traffic statistically indistinguishable from genuine Skype-Speak state: average packet rate 49.91 pps vs. 50.31 pps for Skype-Speak, and average packet size 148.64 bytes vs. 146.50 bytes. However, the Skype-Silent state generates distinctly lower rates (49.57 pps, 103.97 bytes avg), creating a detectable anomaly when both FreeWave endpoints appear to be 'speaking' simultaneously rather than alternating.
-
Because FreeWave is VoIP-provider-agnostic, blocking it requires censors to block all VoIP services simultaneously — a politically and economically costly action given that approximately one-third of U.S. businesses used VoIP by 2011 and penetration was forecast to reach 79% by 2013. The authors argue this collateral-damage cost makes wholesale VoIP blocking infeasible for most censors.
-
FreeWave routes client VoIP connections through oblivious intermediary nodes (e.g., Skype supernodes) rather than directly to the FreeWave server, so even if a censor discovers the server's VoIP ID or IP address it cannot block clients via IP filtering. This 'server obfuscation' is absent from SkypeMorph and StegoTorus; the authors note that Chinese censors enumerated all Tor bridges—on which SkypeMorph depends—in under a month, rendering those transports instantly blockable.
-
Hypothetical fixed parrot systems (SkypeMorph+ and StegoTorus+) that correct all passive detection failures remain unambiguously detectable via active and proactive attacks (Table II). Supernode cache flushing and TCP control channel manipulation — e.g., sending RST causes genuine Skype to drop the call immediately while parrots produce no reaction — distinguish them from genuine Skype because the parrot cannot actually execute Skype protocol logic.
-
CensorSpoofer's IP-spoofing architecture has an unfixable detection flaw: the spoofer cannot receive or respond to SIP probe messages (INVITE, invalid SIP, BYE for random call IDs) directed at the spoofed dummy host, making four SIP probing tests (Table IV) reliably distinguish CensorSpoofer from genuine Ekiga at local-censor cost. The nmap-based dummy-host selection algorithm identifies only 12.1% of 10,000 random IPs as candidate hosts; SIP probing of 10,000 random addresses found zero IETF-based VoIP clients.
-
The authors enumerate 12 requirements a parrot system must satisfy simultaneously (Correct, SideProtocols, IntraDepend, InterDepend, Err, Network, Content, Patterns, Users, Geo, Soft, OS) while a censor need detect only one failure. They conclude 'unobservability by imitation is a fundamentally flawed approach' and recommend embedding covert traffic in genuine encrypted payloads of a real running protocol (e.g., FreeWave in Skype voice, SWEET in email), which constrains detection to OM adversaries performing large-scale multi-flow analysis.
-
SkypeMorph and StegoTorus-Embed fail 5 of 9 standard Skype identification tests (Table I), including the TCP control channel (T9), SoM packet headers (T3), and periodic message exchanges (T6/T7). All failures are detectable by a local (LO) passive censor at line speed without requiring ISP-scale statistical analysis.
-
The StegoTorus-HTTP module returns '200 OK' for non-existent URIs, produces no response to HEAD, OPTIONS, DELETE, and TEST method requests, and omits xref tables from generated PDF files. Using httprecon with 9 request types, the StegoTorus server is distinguishable from any real HTTP server by an OB (resource-limited) censor that records port-80 destination IPs at line speed and fingerprints them offline.
-
Over 72 days, the authors observed 814,667,299 blog posts (average 11,314,823/day; peak 13,083,878/day). To blacklist all potential MIAB drop points, a censor would need to block 33,361,754 FQDNs (5% of all web servers per Netcraft) or 1,803,345 second-level domains (1.4% of global domain registrations); even a fully-maintained static blacklist retains an 11–12% daily miss ratio as new blogs appear.
-
Existing censorship-resistant systems share a fundamental vulnerability: they require the user to know a finite set of entry points (bridge addresses, rendezvous points, or ISP-level collaborators) that a censor can enumerate by impersonating a legitimate user. China has blocked the majority of Tor bridges since 2010 and Iran blocked all encrypted traffic in 2012, demonstrating this attack is operationally deployed at scale.
-
MIAB reduces the bootstrap requirement to only the operator's public key — no pre-shared rendezvous point is needed — by using blog pings as a real-time broadcast discovery channel. Since every blog post on the Internet is a potential drop point, the censor cannot enumerate entry points by posing as a legitimate user, unlike Collage (requires an up-to-date task database) or Telex (requires ISP collaboration).
-
A single modern machine with a fast domestic Internet connection can process the full blog-ping stream within the 5-minute ping-server release interval: steganographic extraction takes 2m:51s, RSA decryption 2m:35s, and image fetching 4m:17s (parallelizable with extraction), completing under 5 minutes at under 90% CPU. A single machine accommodates 15–20 million posts per day; serving Iran's entire population blogging daily would require only five machines.
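The sizing claim reduces to simple ceiling division. The per-machine capacity is the paper's; the helper and the population figure (~75 M Iranians, each posting once daily) are our assumptions for illustration:

```python
import math

POSTS_PER_MACHINE_PER_DAY = 15_000_000  # conservative end of the 15-20 M range

def machines_needed(posts_per_day):
    """Machines required to process the ping stream at the given volume."""
    return math.ceil(posts_per_day / POSTS_PER_MACHINE_PER_DAY)

iran_machines = machines_needed(75_000_000)   # 5 machines
observed_avg = machines_needed(11_314_823)    # 1 machine covers the measured average
```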
-
All trained ML classifiers (K-NN, Naive Bayes, ANN, SVM, vote ensemble) performed at near-chance levels when distinguishing RSA-encrypted stego messages from clean photos — best precision 52.05%, best meaningful recall 61.52% (K-NN on clean class). The authors attribute this to embedding only a few hundred bytes into cover photos hundreds of KB in size, with natural image entropy in noisy pixel regions being empirically indistinguishable from RSA-ciphertext statistics.
-
GFW reassembles both IP fragments and TCP segments for HTTP connections, but its overlap-resolution policy diverges from receiver behavior in documented cases: it prefers the original IP fragment in all overlap configurations except when the challenger is simultaneously left-long and right-long (IP2), and prefers a later left-equal TCP segment over the original (TCP5). The paper tests all 18 possible fragment overlap cases and confirms that placing a banned keyword only in the fragment version GFW discards achieves evasion.
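The evasion principle can be modeled without raw sockets. The toy reassembler below is ours (not the paper's test harness) and deliberately simplifies the 18 overlap cases to a single policy knob: a monitor that keeps the first copy of overlapping bytes reconstructs a different stream than a receiver that keeps the last, so the banned keyword can be placed only in the copy the monitor discards:

```python
def reassemble(segments, prefer="first"):
    """Merge (offset, data) segments; 'prefer' decides which overlapping
    copy wins -- the policy divergence the evasion exploits."""
    buf = {}
    for offset, data in segments:
        for i, ch in enumerate(data):
            pos = offset + i
            if prefer == "last" or pos not in buf:
                buf[pos] = ch
    return "".join(buf[p] for p in sorted(buf))

# Two fully overlapping copies of the same byte range:
segments = [(0, "hello world!"), (0, "falun banned")]
monitor_view = reassemble(segments, prefer="first")   # innocuous
receiver_view = reassemble(segments, prefer="last")   # carries the keyword
```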
-
GFW exhibits three confirmed HTTP analysis gaps: it inspects only the first Request-URI and Host header in HTTP-pipelined requests (HTTP3), will not scan beyond 2,048 bytes into a Request-URI (HTTP2), and recognizes only standard percent-encoding while ignoring alternative URI encodings such as overlong UTF-8 (HTTP4). The authors classify all three as low-difficulty fixes for the censor, meaning they may be patched quickly once disclosed.
-
GFW maintains TCP connection state for up to ≈10 hours and tolerates up to ≈1 GB of client-to-server data, but drastically reduces these limits when a sequence hole exists: it abandons state after buffering only 1 KB above the hole (TCP9) and times out holed connections in 60–90 minutes rather than ≈10 hours (TCP10). These thresholds were confirmed over repeated measurements and represent the maxima tested, not precise censor-configured limits.
-
GFW instantiates a TCB upon observing a bare SYN before any SYN-ACK (TCP1), enabling a split-connection evasion: a client sends a low-TTL SYN visible to GFW but not the server, then opens the real connection on the same 5-tuple with a different initial sequence number. GFW tracks the phantom TCB and fails to detect banned keywords on the real, desynchronized connection. This same behavior also renders GFW vulnerable to SYN-flooding-style memory exhaustion.
-
A TTL-limited bare FIN packet (without ACK) is sufficient to induce GFW to tear down its connection state for a live TCP session (TCP6b), because GFW accepts FIN packets that violate RFC 793's requirement for the ACK flag. After induced state teardown, subsequent packets carrying banned keywords on the same connection produce no RST, confirming the monitor has lost track of the flow.
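The teardown bug fits in a small state machine. This sketch is ours, not GFW internals: the monitor drops flow state on any FIN regardless of the ACK flag, so a TTL-limited FIN (seen by the monitor, never by the server) blinds it to later keyword-bearing packets on the same flow:

```python
class Monitor:
    """GFW-like flow tracker that accepts a bare FIN as teardown (the bug)."""
    def __init__(self, keyword="falun"):
        self.keyword = keyword
        self.tracked = set()

    def observe(self, flow, flags, payload=""):
        if "SYN" in flags:
            self.tracked.add(flow)
        elif "FIN" in flags:          # no ACK flag required, violating RFC 793
            self.tracked.discard(flow)
        if flow in self.tracked and self.keyword in payload:
            return "RST"              # censorship action
        return None

gfw = Monitor()
flow = ("1.2.3.4", 5555, "5.6.7.8", 80)
gfw.observe(flow, {"SYN"})
gfw.observe(flow, {"FIN"})            # TTL-limited: the server never sees this
verdict = gfw.observe(flow, {"PSH", "ACK"}, "GET /falun HTTP/1.1")  # uninspected
```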
-
All 307 blocked websites in Pakistan's test dataset were accessible via CoralCDN (by appending .nyud.net to the hostname) and via Google, Bing, and Internet Archive search-engine caches at the time of the study (2013), representing simple but underutilized bypass vectors. The paper flags these as 'surprisingly unexplored' circumvention options.
-
A controlled survey of 67 technically literate users in Pakistan found that ~45% primarily use public VPN services (Hotspot Shield, Spotflux), 24% use web proxies, and 11% use HTTP proxies such as Ultrasurf to bypass censorship. The survey population skews technical, so real-world adoption of low-friction tools among average users is likely higher.
-
Pakistan's pre-April 2013 ISP-level censorship used DNS injection (spoofed NXDOMAIN) as the primary mechanism, affecting 60.91% of the 307 tested websites on the university network. Critically, the DNS injection extended to public resolvers including Google DNS (8.8.8.8) and Level3 (209.244.0.3), meaning switching to a well-known public resolver does not bypass the block.
-
Every website blocked at the DNS level in Pakistan was also blocked by a secondary HTTP-layer mechanism, ruling out the use of alternative DNS resolution (web-based lookup tools or user-generated content hosting DNS records) as a standalone bypass. Multi-IP shared-service sites such as YouTube and Wikipedia were blocked only at the HTTP level, where a Host-header match triggered censorship regardless of the destination URL.
-
In April 2013 Pakistan transitioned from fragmented ISP-level HTTP 302 redirect blocking to centralized IXP-level fake HTTP 200 response injection (attributed to the Canadian firm Netsweeper), resulting in a uniform warning page across all test networks except one still transitioning ISP. Post-transition, 58.30% of the 307 test sites were blocked by DNS and 1.62% by fake HTTP 200 injection; IP and URL-keyword filtering remained at zero.
-
GoAgent, the most widely used circumvention tool among the 1,175 surveyed users, routes traffic through Google App Engine IP addresses also used by Gmail and Google Apps for Business. The GFW resorts to DNS poisoning of appspot.com domains rather than IP-blocking these shared addresses because a blanket IP block would disrupt commercially critical Google services — and GoAgent bypasses the poisoned DNS by connecting directly to the unblocked IPs, making surgical separation of circumvention traffic from business traffic infeasible.
-
Among 1,175 Chinese circumvention users surveyed in late 2012, purpose-built anti-censorship platforms showed severe attrition: Freegate had 44.3% former users but only 15.3% current users, while GoAgent and paid VPNs (piggybacking on commercially indispensable infrastructure) were the top two most-used tools in the past month. The median respondent had used four different types of circumvention tools, indicating frequent switching driven by blocking events.
-
China's 2012 real-name registration law for consumer-facing online services (including VPNs) is designed to enable censors to segment circumvention-related consumer VPN traffic from business VPN traffic — permitting selective blocking of consumer VPNs while leaving corporate VPNs operational. The GFW had already demonstrated protocol-level VPN blocking capability; registration provides the identifying information needed to apply that capability selectively rather than as a blunt instrument.
-
Tor, which has minimal commercial footprint and a distinctive network signature, was blocked throughout China using tailor-made GFW countermeasures and lost approximately 85% of its Chinese users as a result. In contrast to GoAgent and VPNs, China's censors can block Tor without significant economic collateral damage, making it uniquely vulnerable despite its strong privacy properties.
-
In a survey of 1,175 Chinese circumvention users, reliability ranked as the top factor in tool selection (cited more often than speed), while privacy and trust in the developer ranked last. The overwhelming majority are versatility-first users seeking fast, reliable access to social media and search engines and are largely unconcerned about surveillance; only a small minority of journalists, dissidents, and activists are privacy-first users.
-
For a Collage-style system with T forward-security time intervals and k rendezvous-point identities (e.g., k popular Flickr hashtags), standard public-key steganography requires distributing kT public keys, whereas an IBST-based solution requires distributing only 1 master public key. This reduction is exact — the paper states it verbatim as an efficiency argument.
-
Key distribution is the primary bootstrapping weakness of steganography-based censorship-resistance systems: a censor can simply block stego-key distribution. Identity-based steganographic tagging (IBST) eliminates this attack surface by requiring only a single master public key, which can be bundled with the client software — no key distribution inside the censored area is necessary.
-
The IBST construction is provably secure under the bilinear decisional Diffie-Hellman (BDDH) assumption in the random oracle model. Any adversary with advantage ε(λ) against IBST indistinguishability implies an adversary against BDDH with advantage at least ε(λ)/(e(1+qE)), where qE is the number of private-key extraction queries. Tags produced by the scheme are computationally indistinguishable from uniform random bitstrings for any party lacking the recipient's private key.
-
Replacing Telex's original stego-tagging with the IBST scheme and using time periods as identities achieves eventual forward security with arbitrarily short rotation intervals. The key material a client needs after a master-key rotation is only the new master public key — 'a few hundred bytes' — small enough to fit in covert channels such as steganographic images, avoiding the original Telex design's problem of large bundled key sets expiring before a client updates its software.
-
The paper proves that immediate forward security is impossible for Telex-like decoy-routing systems. The Telex station must decide whether to treat a connection as a Telex request after the first client message, using only received messages and its long-term key — an eavesdropper who stores all network traffic can replay the station's entire view once it compromises the station's long-term key, retroactively decrypting all sessions.
-
In four of five incidents (all except Syria), spam accounts were registered in temporally clustered blocks while legitimate accounts were not; in Russia and Mexico, multiple distinct registration bursts were observed. Across all five incidents, spam account usernames were automatically generated, with China'12 and Mexico accounts following a {name}{name}{number} pattern padded to exactly 15 characters (Twitter's maximum), making algorithmic reverse-engineering feasible.
-
In the Russia and Mexico incidents, spam tweets showed statistically significant spikes at fixed sub-hour intervals (5 and 15 minutes past the hour respectively), consistent with cron-job automation. Despite this automation, both campaigns deliberately mimicked human diurnal activity patterns — spam volume peaked at the same hours as legitimate traffic — to evade time-based anomaly detection.
-
Default-profile usage was significantly elevated among spam accounts in China'11 (89.4% spam vs 51.2% non-spam), Russia (57.8% vs 34.7%), and China'12 (95.1% vs 47.8%); however, Mexico inverted this trend with only 1.7% of spam accounts using default profiles vs 27.0% of non-spam accounts, indicating that newer campaigns actively customize profiles to evade appearance-based detection.
-
Across five political spam incidents, spam constituted 62–73% of all tweets in the Russia, China'12, and Mexico incidents, while Syria had only 6% spam. In the China'12 incident, 1,700 spam accounts (14% of all accounts) generated 600,000 spam tweets (73% of total), with 10 individual accounts each producing over 5,000 tweets before shutdown; in Mexico, 50 accounts sustained 1,000 spam tweets per day throughout the incident.
-
Twitter's existing automated spam-filtering mechanisms caught only approximately 50% of politically motivated spam in the Russian parliamentary election incident, as reported by Thomas et al. (2012) and noted as the baseline for this study. Spammer behavior varied sufficiently across incidents (targeting strategy, URL usage, mention patterns, default-profile adoption) that supervised machine-learning classifiers trained on one incident are unlikely to generalize to others.
-
A browser-history survey found that approximately 8% of domain name resolutions involved typing in a genuinely new domain not reachable via an existing link, meaning a SDSI/petname delegation-based name system could serve roughly 92% of real-world Web navigation without requiring any out-of-band key exchange.
-
In a DHT-based censorship-resistant name system, poisoning attacks (injecting invalid mappings) are neutralized by requiring signature verification on stored values; eclipse attacks (isolating specific mappings from the network) require replication across multiple DHT nodes. Critically, decentralizing lookups from a single ISP resolver to a DHT shifts query visibility from ISPs to arbitrary peers, requiring per-query encryption keyed to secrets known only to the querying client to limit adversaries to confirmation attacks.
-
DNSSEC's hierarchical delegation structure provides no protection against state-level censors: governments can legally compel top-level domain operators to alter records, and coerced results still validate because they are signed by the coerced-but-technically-legitimate authority — making end-to-end DNSSEC security insufficient to detect such attacks.
-
Pseudo-TLDs (e.g., '.key' for cryptographic-identifier namespaces, '.pet' for petname systems) allow multiple censorship-resistant name systems with distinct security trade-offs to coexist transparently alongside DNS via Name Service Switch configuration, with system-specific resolution logic applied per TLD and no application reconfiguration required by users.
-
In an adversary model where the censor may hold more computational power than all honest nodes combined, a squatting attack lets the adversary enumerate and pre-register every memorable name, formally proving it is impossible to simultaneously achieve memorable, secure, and global names in a single name system (Zooko's triangle).
-
In simulated event-driven (crisis) blocking where all corrupt users simultaneously block bridges on day 300, available bridges drop from ~500 to ~150 and thirsty users spike to 25%; maintaining 50 reserve bridges (~10% of deployed stock) halves the thirsty-user count, and 100 reserve bridges nearly eliminates thirstiness among users who had accumulated sufficient credits.
-
Knowing a user's bridge assignment narrows the adversary's anonymity set to the small group sharing that bridge, deanonymizing Tor users even when the bridge itself is not compromised; rBridge addresses this using 1-out-of-m Oblivious Transfer, Pedersen commitments, and non-interactive zero-knowledge proofs so the bridge distributor learns nothing about which bridges a user holds.
-
China's GFW was able to enumerate all Tor bridges distributed via IP address or Gmail account in under a month, demonstrating that standard small-subset distribution strategies are insufficient against a state-level adversary controlling large numbers of accounts and Sybils.
-
rBridge tolerates up to ~30% malicious users with acceptable bridge protection, but fails at f≥50%; with f=5% under aggressive blocking, over 95% of users are never bridge-starved and ~50% of bridges are never blocked, while conservative blocking (corrupt users waiting 225 days before acting) causes ~10% of users to be thirsty 15% of the time because delayed blockers accumulate enough credits to inject additional malicious invitees.
-
rBridge outperforms Proximax by at least one order of magnitude across all robustness metrics under aggressive blocking with 5% malicious users: to support 200 users for 30 days, Proximax requires at least 2400 bridges while rBridge needs only 108, and in Proximax fewer than 5% of bridges produce more than 20 user-hours versus 99% in rBridge.
-
ScrambleSuit's prototype achieves a mean goodput of 148 KB/s (σ=61 KB/s) versus Tor's 286 KB/s (σ=227 KB/s) over a 100 Mbit/s LAN — roughly half Tor's throughput — with 45–50% total protocol overhead compared to Tor's 19.6%. Disabling inter-arrival time obfuscation raises goodput to 321 KB/s (σ=231 KB/s), demonstrating that artificial delays are the dominant cost rather than padding or cryptography.
-
ScrambleSuit achieves polymorphism by seeding each server's PRNG with a randomly generated 256-bit value, which generates server-specific probability distributions over packet lengths (up to 100 bins) and inter-arrival times (bins in [0, 10) ms). The seed is shared with clients after authentication, so both sides shape traffic identically; a censor monitoring two distinct ScrambleSuit servers observes different distributions and cannot build a single universal classifier.
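The mechanism can be sketched in a few lines. Bin counts and ranges below follow the finding; everything else (the derivation itself) is an illustrative assumption, not ScrambleSuit's actual code. Seeding a PRNG with a per-server secret yields that server's own packet-length distribution, and a client holding the same seed derives the identical one:

```python
import random

def length_distribution(seed_256bit, n_bins=100, max_len=1460):
    """Derive a server-specific packet-length probability distribution
    from a shared seed; both endpoints compute the same mapping."""
    rng = random.Random(seed_256bit)
    lengths = rng.sample(range(21, max_len + 1), n_bins)  # bin centres
    weights = [rng.random() for _ in range(n_bins)]
    total = sum(weights)
    return {l: w / total for l, w in zip(lengths, weights)}

server_a = length_distribution(0x1234)   # hypothetical seeds
server_b = length_distribution(0x5678)
# Different seeds -> different distributions: no universal classifier.
```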
-
Client proof-of-work puzzles are ineffective as an active-probing defense because a state-level censor with parallel hardware can solve multiple puzzles simultaneously, one per CPU core. The authors estimate that the Tor bridge churn rate (rate of new bridge IP addresses) is too low to raise a well-equipped censor's workload beyond practical limits without simultaneously making the scheme impractical for legitimate clients — the same balancing problem as PoW for spam.
-
ScrambleSuit defeats active probing by requiring clients to prove knowledge of an out-of-band shared secret before the server responds; a probing censor receives only silence. Two mechanisms are provided: session tickets (preferred for non-Tor applications) and an authenticated UniformDH handshake (optimized for Tor's shared-secret bridge distribution model), with both producing payloads computationally indistinguishable from random.
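The probing defense reduces to "prove knowledge of the secret before the server says anything." The sketch below is a minimal illustration of that idea, not ScrambleSuit's wire format (which also includes replay protection and padding); the secret name and message layout are our assumptions:

```python
import hmac, hashlib, os

def client_hello(shared_secret):
    """First flight: a nonce plus a MAC keyed with the out-of-band secret."""
    nonce = os.urandom(16)
    mac = hmac.new(shared_secret, nonce, hashlib.sha256).digest()
    return nonce + mac

def server_respond(shared_secret, hello):
    """Respond only to clients that prove knowledge of the secret;
    active probers without it get silence, nothing to fingerprint."""
    nonce, mac = hello[:16], hello[16:]
    expected = hmac.new(shared_secret, nonce, hashlib.sha256).digest()
    if hmac.compare_digest(mac, expected):
        return b"handshake-continue"
    return None  # silence toward the prober

secret = b"out-of-band bridge secret"  # hypothetical shared secret
```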
-
Tor's traffic contains a characteristic prevalence of 586-byte packets (Tor's 512-byte cells plus TLS header overhead) that form a strong flow-level fingerprint detectable from a few dozen captured packets. ScrambleSuit's packet length morphing eliminates this signature and shifts the distribution toward MTU-sized packets, but the authors note that defeating a censor using the VNG++ classifier — which relies on coarse features like connection duration, total bytes, and burstiness — would require only a marginal increase in ScrambleSuit's overhead.
-
The censorship arms race is highly asymmetric: circumvention tool developers such as Tor operate entirely in public (code, designs, and data), while censorship systems like the GFW are black boxes. This structural imbalance means censors systematically learn more from defenders than vice versa, motivating volunteer-based in-country measurement to reduce the defender's information deficit.
-
DPI boxes used for censorship do not rely solely on simple regular expressions but also employ context-sensitive languages for protocol identification. The paper notes that precise knowledge of these DPI patterns could be fed directly into format-transforming encryption to enable targeted protocol misidentification.
-
Iran deployed a new Tor-blocking strategy in February 2013 that caused direct Tor user counts to collapse from over 50,000 to near zero within weeks, as recorded by Tor Project metrics.
-
As of March 2013, Tor is documented as blocked in China, Iran, Syria, Ethiopia, the UAE, and Kazakhstan. Blocking techniques range from simple IP address blacklisting to a sophisticated hybrid consisting of deep packet inspection (DPI) and active probing.
-
Tor's TLS handshake exhibited multiple distinguishing fingerprints — including the client cipher list, server certificates, and randomly generated SNIs — that were used for TLS-based filtering in Ethiopia, China, and Iran. Inferring the exact byte-level pattern matched by DPI boxes required manual analysis and remains a difficult open problem as of 2013.
-
SWEET argues that mimicking complex protocols (SkypeMorph, CensorSpoofer, StegoTorus) is fundamentally breakable because comprehensive imitation of today's protocols is infeasible. The paper instead advocates tunneling inside genuine traffic from actual, widely-used protocol providers — in this case real email services — so the censor observes authentic protocol behavior rather than a simulation.
-
When using a foreign encrypted email provider (AlienMail), the censor observes only an encrypted connection to the foreign mail server (e.g., Gmail's servers in the U.S.); it cannot see the recipient address or the SWEET server's IP, making spam-filtering-style blocking of the SWEET endpoint entirely infeasible. This anonymity is provided by the mail provider's own TLS, requiring no additional obfuscation from the client.
-
When using a domestic email provider that collaborates with the censor (DomesticMail), SWEET clients must embed tunneled data via steganography (image or text) and coordinate a secondary secret email account with the SWEET server out-of-band. This prevents the censor from discovering the SWEET server association via recipient-field inspection, but adds operational complexity and requires an out-of-band bootstrapping channel.
-
In a prototype using Gmail, ~90% of SWEET emails traveled from client to server in under 3 seconds; the median time-to-first-appearance (TFA) for the top-10 Alexa sites was approximately 5 seconds; most of the delay comes from email provider handling (spam checks, SMTP connection setup) rather than geographic network latency, so performance degrades little with increased client distance from the mail server.
-
Traffic analysis poses a concrete throughput ceiling: a conservative SWEET user can perform only 35–70 web downloads per day or 10–20 interactive web sessions while staying within the bounds of normal email volume (2012 averages: 35 sent, 75 received daily). Most websites require fewer than 3 SWEET emails in each direction, with Yahoo as an outlier due to its many hosted objects.
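The ceiling follows from integer division against the email budget. The 2012 averages are the paper's; the helper and the one-email-per-download assumption are ours (most sites need fewer than 3 emails each way, so real limits fall between these cases):

```python
AVG_SENT_PER_DAY = 35      # 2012 average emails sent per user per day
AVG_RECEIVED_PER_DAY = 75  # 2012 average emails received per day

def max_daily_downloads(emails_per_download=1):
    """Web downloads/day that stay within normal email volume; the
    tighter direction (sending) is the binding constraint."""
    return min(AVG_SENT_PER_DAY, AVG_RECEIVED_PER_DAY) // emails_per_download

conservative = max_daily_downloads(1)   # 35, the low end of the paper's range
heavy_site = max_daily_downloads(3)     # ~11 for sites needing 3 emails each way
```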
-
A snapshot from 6 April 2012 shows TOM-Skype had 1,130 censorship keywords and SinaUC had 1,490, with only 21 words in common — all high-frequency stock keywords (e.g., 'falun', 'Epoch Times'). This near-total divergence indicates each company independently compiled its own blacklist rather than distributing from a centralized government source.
-
TOM-Skype's client-downloaded keyword blacklist was updated with current-event-specific terms (protest locations, individual names like Bo Xilai) while SinaUC's lists were not updated with current events and appeared more targeted at spam removal. This correlation between surveillance capability and more timely, politically specific keyword updates suggests censors prioritize maintaining current blacklists on clients that also perform message surveillance.
-
Weibo's post-censorship system initially checks only for literal keyword strings, but after a user posts a literal blacklisted keyword the server switches to regex/wildcard matching for that user's subsequent posts — catching obfuscations like 'Fa-ccc-lun' that were not blocked before the trigger event. This per-user escalation of pattern matching means keyword obfuscation provides only one-shot protection.
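The per-user escalation is easy to model. The filter below is a toy of ours (keyword, filler limit, and pattern are invented): it matches literally until a user trips it once, then switches that user to an obfuscation-tolerant regex that also catches forms like 'Fa-ccc-lun':

```python
import re

class PostFilter:
    """Literal matching per user until first hit, then regex escalation."""
    def __init__(self, keyword="falun"):
        self.keyword = keyword
        # hypothetical loose pattern: keyword letters separated by up to
        # five arbitrary filler characters, case-insensitive
        self.loose = re.compile(".{0,5}".join(map(re.escape, keyword)), re.I)
        self.escalated = set()

    def blocked(self, user, post):
        if user in self.escalated:
            return bool(self.loose.search(post))
        if self.keyword in post.lower():
            self.escalated.add(user)   # one literal hit escalates the user
            return True
        return False

f = PostFilter()
first = f.blocked("u1", "about Fa-ccc-lun today")  # obfuscation passes pre-trigger
second = f.blocked("u1", "Falun Gong news")        # literal hit, escalates
third = f.blocked("u1", "more Fa-ccc-lun talk")    # same obfuscation now caught
```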
-
Weibo's search censorship is more aggressive than its post censorship: searching for a keyword returned no results in cases where posting the same keyword was not blocked. The authors hypothesize this asymmetry reflects resource constraints — post censorship requires processing longer, more varied content at high volume, while search censorship is cheaper to apply broadly.
-
Bigram frequency analysis of Weibo around the December 2011 Wukan village protests (Figure 1) shows censorship of the keyword 'Wukan' was applied proactively before mainstream media coverage and lifted after the government announced a peaceful resolution on 21 December 2011 — demonstrating that censors operate on a news-cycle timescale and use temporary suppression to manage narrative rather than indefinitely blocking topics.
-
Iran has deployed a 'dual-stack' addressing pattern in which the same server receives both a globally routable public IP and an RFC1918 private address, enabling failover between global and domestic routing. DNS records document this for entities ranging from ISPs (acc4.pishgaman.net: 81.12.49.108 / 10.8.218.4) to government organizations (Vice Presidency for Management Development: 10.30.5.163 / 10.30.5.148) and private companies.
-
Iran's nationwide censorship redirect page is hosted at private IP 10.10.34.34, operated by Data Communication Affairs (a subdivision of TCI's Information Technology Company, AS12880). Traceroute data confirms the final public hop before this private host is 195.146.33.29, registered to Data Communication Affairs, and 24 of 27 tested Iranian networks (89%) can reach it.
-
A scan of the full 10.0.0.0/8 block from within Iran identified 45,928 active hosts, including 20,060 on Telnet (port 23), 9,960 on HTTP (port 80), 8,029 on SSH (port 22), and 2,510 on DNS (port 53). Identified participants include TCI, government ministries (Agriculture, Education, Science), universities, and ADSL providers, establishing the private network as a purposefully designed national intranet in place since at least 2010.
-
Using open HTTP proxies distributed across 27 Iranian ASNs, the study confirmed 89% (24/27) of tested networks could reach the private filtering page (10.10.34.34) and 77% (21/27) could reach Imam Reza University's private IP. Of 15 proxies on RFC1918 addresses themselves, 13 (87%) could also reach the filtering page, confirming nationwide — not localized — private-space reachability.
-
Several Iranian domains maintain DNS A records pointing to RFC1918 private addresses that resolve only when queried against Iranian nameservers (IRNIC); the same query to Google's public DNS (8.8.8.8) returns REFUSED. Domains including realm.blizz.ir (→ 10.175.27.120), isftak.ir, and geeges.co.ir exhibit this split-DNS pattern as of September 2012.
-
BlueCoat's commercial DPI hardware/software, deployed in Syria, was confirmed capable of detecting and blocking Ultrasurf connections. BlueCoat logs recovered from Syria additionally exposed real Ultrasurf user behavior, including unproxied traffic leaking to non-Ultrasurf servers before and after bootstrapping completed.
-
An attacker with DNS spoofing capability — the paper cites the GFW explicitly — can respond to Ultrasurf DNS discovery queries before legitimate resolvers and inject crafted CNAME records that fully control the client's single-hop path selection. In code paths where peer verification is skipped ('SkipverifyQ0' log entries), this enables complete traffic interception without any cryptographic break.
-
Ultrasurf confirmed to the researcher that its protocol has no forward secrecy and uses RC4 without any integrity check (no MAC or HMAC). This means all recorded ciphertext can be retrospectively decrypted once a session key is recovered, and the stream is trivially malleable — both properties confirmed by the UltraReach team during disclosure.
-
Because Ultrasurf is a single-hop proxy where client ingress and remote web-server egress share the same IP address, any web server contacted through the network can log and report the proxy IP. The paper notes an attacker running a popular web server for a short time would passively harvest the full set of Ultrasurf server addresses for subsequent IP-list blocking.
-
Ultrasurf's DNS bootstrapping phase uses subdomain names that are always exactly 16 characters between delimiters and exclusively target .info TLDs, producing a constant byte-width network signature. The paper concludes that filtering this bootstrapping traffic is straightforward even without reverse engineering the client binary, as the client itself acts as a network discovery oracle for censors observing its connections.
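A censor-side detector for that constant-width signature could be as simple as the following sketch. The label alphabet and overall name shape are assumptions; the finding fixes only the 16-character label width and the .info TLD:

```python
import re

# First label exactly 16 characters, final label ".info": the constant
# byte-width shape attributed to Ultrasurf's DNS bootstrapping queries.
BOOTSTRAP_SIG = re.compile(r"^[0-9a-z]{16}(\.[0-9a-z-]+)+\.info$", re.IGNORECASE)

def matches_bootstrap_signature(qname: str) -> bool:
    """Return True if a query name fits the assumed bootstrapping shape."""
    return BOOTSTRAP_SIG.match(qname) is not None
```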
-
Without DNSSEC, Hold-On can be defeated by a sophisticated censor that crafts injected packets with TTL and timing matching the expected legitimate reply, injecting just before its predicted arrival. When combined with DNSSEC, Hold-On is robust even against this attack because the censor cannot forge a valid DNSSEC signature; injection can still cause a denial-of-service by forcing a 'Bogus' result, but Hold-On prevents that by waiting for the legitimate validating reply.
-
Across 11,700,000 DNS requests over 6 days at ICSI's border network and 15,200,000 DNS transactions in a 1.5-hour trace at UC Berkeley's border, secondary differing DNS replies were essentially absent in normal traffic, yielding effectively zero false positives. Only two benign authority servers produced anomalous dual replies at Berkeley — one for the BBC returning two addresses within the same /24, one for businessinsider.com returning a SERVFAIL — neither of which would disrupt a Hold-On resolver.
-
A prototype Hold-On DNS proxy introduced no perceptible additional latency for either cached or uncached DNS queries in live testing; query-time measurements for both sets of names overlapped entirely with baseline (Hold-On disabled) measurements. The Hold-On timer (set to 5 seconds initial, 10s second try, 15s third try) is only reached under anomalous conditions; under normal operation the resolver returns as soon as the legitimate reply validates.
-
On-path censors commonly operate on traffic mirrors rather than inline (in-path), making their systems failure-tolerant and easier to deploy. This architectural choice means on-path injectors cannot suppress the legitimate DNS reply—both the forged and authentic replies reach the resolver—creating a detectable anomaly. The same structural weakness applies to TCP RST injection and other on-path packet injection attacks.
-
In approximately 100,000 DNS queries over 9 days from within a censored network, injected packets were reliably distinguishable: legitimate IP TTLs were stable at either 44 or 42, while injected TTL values ranged across [0–255], and injected packets arrived well before legitimate replies because the injector co-resided within the same ISP while the recursive resolver was in another country. With a TTL threshold of ±1 and an RTT threshold of 0.5× expected RTT, the Hold-On prototype achieved 0% false positive rate and 0% false negative rate.
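The injection test those thresholds imply can be sketched in a few lines: flag a reply as injected if its IP TTL deviates from the learned stable value by more than 1, or if it arrives in less than half the expected RTT. The function shape and names are illustrative, not the prototype's code:

```python
def looks_injected(reply_ttl, reply_rtt, expected_ttl, expected_rtt,
                   ttl_tolerance=1, rtt_fraction=0.5):
    """Hold-On-style heuristic: legitimate replies arrive with a stable
    hop count (TTL) and cannot arrive much faster than the real path's
    RTT; an injector inside the censor's network violates one or both."""
    if abs(reply_ttl - expected_ttl) > ttl_tolerance:
        return True  # TTL far from the resolver's stable value
    if reply_rtt < rtt_fraction * expected_rtt:
        return True  # arrived implausibly early for the real path
    return False
```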
-
Flash proxies successfully relayed Tor traffic from within China in December 2011, but the test relied on a simple HTTP-based rendezvous blockable by IP address; the authors identify rendezvous — getting just a few bytes (the client's IP address) out of the censored region — as the bottleneck that determines whether the entire proxy system remains operational.
-
Because browser-based proxies can only initiate outbound connections, flash proxies connect to censored clients rather than the reverse, requiring the facilitator to maintain a registry of client IP addresses; a censor can impersonate a legitimate flash proxy to query the facilitator and enumerate the IP addresses of circumvention users.
-
Applying Little's law to measured traffic parameters (mean inter-arrival time 1/λ = 1407.6 s, mean visit duration µ = 285.8 s), 100 volunteer web pages each embedding the flash proxy badge can support approximately 203 simultaneous censored clients; capacity scales linearly, so 1,000 such pages support ~2,030 clients.
-
Flash proxies provide mean throughput of 79.7 KB/s when uninterrupted — comparable to direct Tor (69.5 KB/s) — but throughput drops to 56.6 KB/s (20–40% lower) when proxies alternate on 8-second duty cycles, with most variance attributable to Tor circuit reconstruction overhead rather than transport switching.
-
Flash proxy tunnels carry inherent network-level fingerprints that survive application-layer obfuscation: WebSocket connections begin with a plaintext HTTP upgrade handshake followed by structured binary framing, and Flash socket connections open with a crossdomain XML policy request — both are distinguishable from ordinary TCP by a DPI middlebox.
-
OONI pairs client-submitted test reports with data independently collected at the OONIB backend TestHelper, providing both connection endpoints' viewpoints in a single unified report. The backend is designed so that anyone can run it, and it is exposed both over HTTPS and as a Tor Hidden Service to resist simple denial-of-service attacks and reduce the fingerprintability of the reporting infrastructure.
-
OONI's experiment-control methodology explicitly favors false positives over false negatives: it is preferable to generate more censorship candidate events for further investigation than to miss genuine interference. Mismatch between experiment and control data is not always a definitive signal of manipulation but is treated as sufficient cause for flagging, and data collection and analysis are treated as distinct phases.
-
OONI observes that many interception devices deployed in the wild advertise their vendor and model information, making passive device identification feasible from probe-level observations alone. The framework is designed to locate interception devices and then apply probing techniques to fingerprint the specific vendor and product in use.
-
OONI's threat model assumes an adversary capable of country-wide traffic manipulation who may actively fingerprint and identify measurement probes. Prior measurement tools (e.g., ONI's rTurtle) used easily fingerprinted centralized DNS and HTTPS traffic, which the authors flag as a pattern to avoid. The authors acknowledge that anti-fingerprinting measures will likely reduce measurement accuracy — a trade-off unresolved at publication.
-
OONI's traffic manipulation test suite uses bidirectional traceroute comparison: asymmetry between inbound and outbound paths for specific source/destination port pairs is treated as an indicator that traffic is being diverted to an interception device. Additional per-flow indicators include timing differences in packets directed at specific ports and layer-7 header field manipulation detectable at the receiving endpoint.
-
The vast majority of censorship activity occurs within 24 hours of original posting, with some deletions occurring more than 5 days later. Across 11,382,221 posts from 1,382 Chinese social media sites collected in 2011, the average censorship rate is 13%, with rates of 16%, 17%, and 24% in low, medium, and high ex ante political sensitivity topic categories respectively.
-
Chinese government censorship is aimed at suppressing collective action potential, not state criticism. Average censorship magnitude is 27% for collective action events but −1% for policy and −4% for news events. Posts criticizing and supporting the state are both censored at ~80% during collective action events, compared to ~10% for non-collective-action topics.
-
Censors apply categorical event-level judgment — whether a post is associated with a collective action topic — rather than per-post sentiment classification. The paper explicitly states that no known statistical or machine-learning technology can achieve the accuracy required for this task, and the authors obtained 98.9% intercoder agreement (86/87 events) using human coders applying the same five-category scheme.
-
Keyword blocking has limited effect because users evade it through homophones (e.g., 'river crab' substituting for 'harmonious society'), homographs, analogies, metaphors, and satire; the Chinese character-based writing system provides particular affordances for this evasion. Chinese social media is distributed across approximately 1,382 sites following a power-law distribution, with blog.sina alone accounting for 59% of posts, creating highly variable enforcement across the long tail of local sites.
-
Chinese censors operate primarily through manual human review, not automated classification. Hand-censorship is identified as the last and most extensive form of content filtering and cannot be evaded by clever phrasing, unlike automated keyword blocking. Individual content providers each employ up to 1,000 censors, supplemented by 20,000–50,000 Internet police and an estimated 250,000–300,000 'fifty-cent party' members at all levels of government.
-
DEFIANCE's Address-Change Signaling (ACS) requires each client to contact a sequence of IP addresses with precise timing (per-user wait and window parameters) and a one-time passphrase derived from NET provisioning. Connections arriving out of order, outside the timing window, or lacking the correct passphrase receive only innocuous content, so a censor probing a suspected address block finds only normal commodity servers.
-
A balls-and-bins analysis shows that an adversary conducting N full rounds of a rate-limited rendezvous protocol discovers only 63% of a pool of N entry points; full coverage requires N ln N rounds (the coupon collector's bound). Concretely, with three 8-hour shifts of 100 humans performing 60-minute CAPTCHA+proof-of-work challenges, an adversary discovers ~2,400 entry points per day, exhausting a static pool of 10,000 addresses in roughly 19 days.
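The balls-and-bins figures follow from the expected-coverage formula for uniform random draws, with the 63% figure being 1 − 1/e:

```python
import math

def expected_discovered(pool, rounds):
    """Expected number of distinct entry points an adversary sees after
    `rounds` uniform draws from a pool of `pool` addresses."""
    return pool * (1 - (1 - 1 / pool) ** rounds)

# N rounds against a pool of N covers ~63% of it (1 - 1/e).
frac = expected_discovered(10_000, 10_000) / 10_000

# Full coverage needs on the order of N ln N rounds (coupon collector).
rounds_for_full = 10_000 * math.log(10_000)   # ~92,000 rounds

# Three 8-hour shifts of 100 humans on 60-minute challenges:
per_day = 100 * 24                            # ~2,400 challenges per day
```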
-
The Chinese Great Firewall was observed conducting two follow-up probes for each outbound TCP/443 connection: the first with garbage binary data (target unknown) and the second specifically performing an SSL negotiation, an SSL renegotiation, and successfully building a one-hop Tor circuit to confirm the bridge. This reactive probing renders unpublished Tor entry points discoverable even when not listed in any directory.
-
NET payloads are wrapped in three nested layers — (1) steganographic encoding plus transport encryption with a factory digital signature, (2) proof-of-life (CAPTCHA), and (3) proof-of-work (computational puzzle) — so that even an adversary who harvests many payloads cannot decode them faster than gateway addresses can be rotated. The payload format is explicitly extensible to add harder challenges as adversaries improve.
-
The mod_freedom Apache module hooks into the HTTP 404 ErrorDocument handler and steganographically embeds encrypted NET payloads in image responses to valid RP requests, while returning normal content to all other clients. Using Identity-Based Encryption (IBE, Boneh-Franklin) keyed on the server's hostname eliminates any need for out-of-band public-key distribution and allows deployment on thousands of volunteer webservers without mutual trust.
-
With 512 PlanetLab nodes each advertising 50 KB/s as malicious Tor middle routers, the theoretical catch probability that at least one bridge circuit traverses a controlled node reaches P(512, 50, 30) ≈ 99% after only 30 circuits. In real-world validation, the 21st circuit created by a bridge client traversed one of the 512 controlled PlanetLab nodes, matching theory. The result generalizes: the 30-circuit exposure threshold applies to any adversary whose nodes' aggregated bandwidth reaches the equivalent of 512 × 50 KB/s = ~25.6 MB/s.
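The catch-probability model behind these numbers is geometric in the number of circuits: if a fraction p of bandwidth-weighted middle-node selections land on adversary nodes, then after c circuits the catch probability is 1 − (1 − p)^c. A sketch; the per-circuit probability used below is illustrative, since the paper's P(512, 50, 30) depends on the live network's total middle-node bandwidth:

```python
def catch_probability(p_per_circuit, circuits):
    """Probability that at least one of `circuits` bridge circuits
    traverses an adversary-controlled middle node, given a per-circuit
    selection probability proportional to malicious bandwidth."""
    return 1 - (1 - p_per_circuit) ** circuits

# Illustrative: a ~14% bandwidth-weighted selection share reaches ~99%
# catch probability within 30 circuits, matching the shape of P(512, 50, 30).
p99 = catch_probability(0.142, 30)
```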
-
Tor's bandwidth-weighted path selection creates a structural amplification: 60% of middle routers selected across 430 circuits had bandwidth above 1 MB/s, yet only 10% of all Tor routers exceed 1 MB/s. This skew means that an adversary advertising a single high-bandwidth middle node achieves selection probability far exceeding its proportional count in the network, making high-bandwidth Sybil nodes highly cost-effective for bridge discovery.
-
The paper identifies three countermeasure classes against bridge discovery: (i) CAPTCHA on email/HTTPS distribution (limited by automated solving services); (ii) uniform random middle-node selection, which defeats bandwidth-Sybil attacks but degrades Tor throughput by routing through low-bandwidth nodes; (iii) DHT-based P2P architecture where no central server holds all bridge IPs, making systematic enumeration infeasible—though DHT systems introduce Sybil and eclipse-attack vulnerabilities of their own.
-
Large-scale email and HTTPS enumeration of Tor bridges using 500+ PlanetLab nodes and 2,000 Yahoo accounts discovered 2,365 distinct bridges over approximately one month. The bridge https server rate-limits distribution to 3 bridges per 24-bit IP prefix per day, and the email server to 1 reply per account per day; these controls are circumvented by sourcing requests from hundreds of distinct prefixes. Bridge distribution follows a weighted coupon collector model proportional to bridge bandwidth, not uniform probability.
-
A single malicious Tor middle router advertising 10 MB/s bandwidth discovered 2,369 distinct bridges in 14 days. The catch probability is determined solely by the aggregated bandwidth M = k·b of malicious middle routers regardless of how that bandwidth is distributed across nodes: three routers at 10 MB/s each achieve strictly greater catch probability than 512 nodes at 50 KB/s each. This means a well-resourced single node is equivalent to or surpasses hundreds of low-bandwidth Sybil nodes.
-
SkypeMorph decouples bridge reachability from IP address: clients identify a bridge solely by its Skype ID, so a bridge can change IP address and port at any time without redistributing contact information through BridgeDB. This makes IP-list blocking of known bridges ineffective; a censor that discovers a bridge's current IP cannot prevent the bridge from migrating to a new one while remaining reachable to existing clients.
-
After a Tor client inside China connected to a US-based bridge, that bridge subsequently received a series of Tor connection-initiation messages from different Chinese hosts — consistent with GFW active probing triggered by the initial client connection. The probe burst was followed by loss of the original client connection, demonstrating a two-phase detect-then-block pattern: passive identification of suspicious traffic triggers active re-probing to confirm the protocol before blocking.
-
SkypeMorph's packet size and inter-packet delay distributions are statistically indistinguishable from real Skype video calls: Kolmogorov-Smirnov tests on both the naïve traffic-shaping and enhanced Traffic Morphing outputs report p > 0.5, indicating no significant difference from the Skype target distribution. The original Tor traffic distribution, by contrast, is considerably different from Skype, validating the need for the morphing layer.
-
SkypeMorph achieves a goodput of 33.9 ± 0.8 KB/s (naïve shaping) and 34 ± 1 KB/s (enhanced Traffic Morphing) versus 200 ± 100 KB/s for a normal Tor bridge, with overhead of ~28% compared to 12% for normal Tor. The two traffic-shaping methods perform statistically identically (KS p > 0.5), but the overhead grows during silent periods because the transport must transmit padding to maintain Skype's constant bitrate even when the Tor buffer is empty.
-
Encrypted channels expose only two statistical features to an external observer: packet sizes and inter-packet arrival times. Original Traffic Morphing (Wright et al. 2009) shaped only packet-size distributions, leaving inter-packet timing as an unobfuscated fingerprint identical to the source (Tor) distribution. SkypeMorph extends Traffic Morphing to jointly sample from nth-order conditional distributions of both packet sizes and inter-packet delays (tested up to n = 3), closing the timing gap.
-
The paper explicitly flags that BTP's fixed-size b-byte connection tag creates an active-probing oracle: a censor that sends b−1 bytes and observes no close, then sends one more byte and observes a close, can confirm the endpoint is running BTP. Preventing such active-probing attacks is identified as future work.
-
BTP's forward secrecy guarantee depends on reliably destroying old keys, but the paper notes that secure deletion from persistent storage—especially solid-state storage—is difficult with current operating systems and hardware. The recommended mitigation is passphrase-derived encryption of stored secrets, though this shifts the problem to passphrase protection.
-
BTP achieves forward secrecy over unidirectional transports—where ephemeral in-band key exchange is impossible—by using a one-way key derivation function (NIST SP 800-108) to produce sequential temporary secrets from an initial shared secret. Once both devices destroy a given temporary secret, no keys derived from it can be reconstructed even if devices are later compromised.
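The mechanism can be sketched as a one-way chain of temporary secrets. This sketch uses HMAC-SHA-256 as the one-way derivation step; the label and construction are illustrative stand-ins for the paper's NIST SP 800-108 KDF:

```python
import hmac
import hashlib

def next_secret(current: bytes) -> bytes:
    """One-way step: derive the next temporary secret from the current
    one. There is no inverse, so once `current` is destroyed on both
    devices, it and all earlier secrets are unrecoverable even if a
    device is later compromised."""
    return hmac.new(current, b"btp-rotate", hashlib.sha256).digest()

def secret_at(initial: bytes, period: int) -> bytes:
    """Either endpoint can compute the secret for any rotation period
    independently, so no in-band key exchange is needed -- which is what
    makes the scheme work over unidirectional transports."""
    s = initial
    for _ in range(period):
        s = next_secret(s)
    return s
```

Both devices start from the same shared secret and step the chain on the same schedule; traffic protected under a deleted period's secret stays confidential.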
-
BTP's wire protocol contains no handshakes, timeouts, or plaintext headers. Connections open with a pseudo-random b-byte tag that the recipient can compute in advance from its key state, making BTP frames indistinguishable from random data to a passive observer who does not know the shared secret.
-
BTP's secret retention period for transport t is Rt + 2C + Lt, where Rt is the rotation period, C is the maximum clock-skew tolerance, and Lt is the maximum transport latency. With Rt = 2C + Lt, only two temporary secrets need simultaneous storage. Concrete durations: TCP with automatic clocks (C=10s, Lt=60s) requires 2 minutes 40 seconds; TCP with manual clocks (C=3600s) requires 4 hours 2 minutes; mail with manual clocks (Lt=2 weeks) requires 4 weeks 4 hours.
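Plugging the parameters into the formula reproduces the stated durations; note that the manual-clock figures (4 hours 2 minutes, 4 weeks 4 hours) work out only with a clock-skew tolerance of C = 3600 s, i.e. one hour:

```python
def retention_seconds(C, Lt):
    """BTP secret retention for a transport: Rt + 2C + Lt, with the
    rotation period chosen as Rt = 2C + Lt so that only two temporary
    secrets must be stored at once."""
    Rt = 2 * C + Lt
    return Rt + 2 * C + Lt

tcp_auto   = retention_seconds(C=10,   Lt=60)              # 160 s = 2 min 40 s
tcp_manual = retention_seconds(C=3600, Lt=60)              # 14,520 s = 4 h 2 min
mail       = retention_seconds(C=3600, Lt=14 * 24 * 3600)  # 4 weeks 4 hours
```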
-
A warden can fingerprint the specific covert destination a Telex user is visiting by comparing observed latency distributions against a pre-built database of covert-destination latencies. With an intelligently filtered database of only 10 distributions (K-S inter-entry threshold 0.8), the AUC is 0.868, and with approximately 12 collected samples the false positive rate drops below 10%. Larger databases (size 50) degrade to AUC 0.537 due to distribution similarity, but threshold-based filtering restores substantial discriminative power.
-
A routing-capable warden can enumerate over 90% of decoy-router-deploying ASes for deployments as large as 4,000 ASes using an intersection-based discovery attack: the warden probes many paths, accumulates a set of 'clean' ASes, and prunes candidate paths until a single 'tainted' AS remains. All evaluated wardens (China, Syria, Iran, Australia, France, Venezuela) achieved roughly equal detection success across all deployment sizes.
-
Containment analysis shows that surrounding China with a 'ring' of decoy routers at AS-hop depth 1 requires covering 161 ASes; depth-2 expands by a factor of more than 23, becoming untenable, while depth-3 is slightly smaller but leaves the majority of the Internet reachable via clean paths. Cutting China off from at least half the Internet would require all 96 of the world's largest ISPs to deploy decoy routers at all exit points simultaneously.
-
Under the Cirripede 'random ASes' deployment scenario — where 0.4%–1.0% of ASes deploy decoy routers — routing-capable wardens need only disconnect themselves from 0.85%–3.04% of the Internet to obtain clean (decoy-free) paths to all remaining destinations. Even at 10% Internet-wide deployment, wardens are cut off from only 7%–9% of non-participating ASes on average.
-
A passive timing attack using the Kolmogorov-Smirnov test on connection latency distributions reliably distinguishes Telex users from honest hosts: K-S scores against the overt destination max out at 0.26, while scores against covert destinations (even those within 10 ms of the Telex station) range from 0.3–1.0 with a median of 0.7 for nearby servers and 1.0 for Alexa top-100 sites. The attack is effective even for clients 50–250 ms from the Telex station, with no K-S score below 0.26 observed across 40 PlanetLab hosts.
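The two-sample Kolmogorov-Smirnov statistic used in this attack is simply the maximum gap between the two empirical CDFs; a self-contained sketch:

```python
def ks_statistic(sample_a, sample_b):
    """Two-sample K-S statistic: sup over x of |F_a(x) - F_b(x)|, where
    F_a and F_b are the empirical CDFs. Near 0 means the latency samples
    look alike; near 1 means they are cleanly separable."""
    a, b = sorted(sample_a), sorted(sample_b)
    n, m = len(a), len(b)
    i = j = 0
    d = 0.0
    while i < n and j < m:
        x = min(a[i], b[j])
        while i < n and a[i] == x:  # advance past ties in both samples
            i += 1
        while j < m and b[j] == x:
            j += 1
        d = max(d, abs(i / n - j / m))
    return d
```

A warden would compare a suspected flow's latency sample against each candidate covert destination's recorded distribution; per the finding, honest traffic never scored above 0.26 while covert flows scored 0.3–1.0.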
-
DNSSEC validation naturally prevents DNS injection collateral damage: both .de and .kr sign their results, allowing a validating resolver to reject the unsigned injected reply while awaiting the legitimate signed response. The paper identifies DNSSEC deployment at the TLD level as the most robust structural defense against injection-based collateral damage.
-
Probing 43,842 open recursive resolvers across 173 countries found 26.41% (11,579) suffer some collateral damage from Chinese DNS injection, distributed across 109 countries. The top-affected regions are Iran (88.20%), Malaysia (85.34%), South Korea (79.20%), Hong Kong (74.63%), and Taiwan (66.13%).
-
DNS injection collateral damage arises from three structural properties of DNS: iterative resolution (full queries sent to root and TLD authorities), anycast routing (two resolvers may reach different physical servers via different paths), and dynamic routing through censored transit ASes. A single domain lookup may generate many queries at multiple levels, any of which can be intercepted by a censored transit AS even when both the originating resolver and the authoritative server are outside the censored network.
-
TraceQuery probing identified 3,120 router IPs performing DNS injection belonging to exactly 39 Chinese ASes. AS4134 (Chinanet) alone accounts for 1,952 router IPs (62.6% of injecting routers); the top 5 ASes account for over 77% of all identified injecting routers.
-
TLD-level paths are the primary collateral-damage vector: 11,573 resolvers (26.40%) suffered collateral damage via censored transit to TLD authorities, while only 1 resolver (0.002%) was affected via paths to root servers. The .de ccTLD was most affected because a large fraction of US-to-Germany transit traverses Chinese networks.
-
56% of logins tied to legitimate users discussing the Russian election originated from Russia, compared to only 1% of logins for the 25,860 spam accounts, with Japan accounting for 14% of spam logins. 39% of IP addresses used by the attackers appeared in the CBL blacklist for email spam and malware distribution, compared to 21% of IPs tied to legitimate users, confirming that the attack infrastructure was shared with conventional spam/malware operations.
-
Twitter's relevance-ranked search returned 53% fewer bot-generated tweets compared to real-time chronological search across 1.1 million queries during the attack; restricting analysis to the top 5 most-recently returned relevance results reduced spam by 64% versus real-time. Relevance ranking incorporates social-graph overlap and content popularity signals to demote mass-produced low-engagement content.
-
The attack demonstrates that spam-as-a-service markets built for commercial spam (fake reviews, URL advertising) were directly repurposed for political censorship without modification, using the same compromised-host pools (39% blacklisted IPs) and bulk account infrastructure. This convergence means technical defenses against commercial spam infrastructure simultaneously constrain politically-motivated censorship operations by actors who lack direct Internet-access control.
-
Researchers identified four distinct account-registration patterns using regular expressions on mail.ru email addresses and screenname naming conventions; these patterns flagged 975,283 spam accounts with only 4% false positives on manual validation of 150 accounts. The 25,860 accounts deployed in the attack represent just 3% of the flagged pool, indicating a centralized spam-as-a-service vendor provisioned accounts in bulk and sold access.
-
An unknown attacker leveraged 25,860 fraudulent Twitter accounts to send 440,793 tweets targeting 20 election-related hashtags, peaking at 1,846 tweets per minute, in an attempt to dilute political conversations following Russia's December 2011 parliamentary election. The accounts were drawn from a pool of approximately 975,283 fraudulent accounts identified by the researchers, 80% of which remained dormant with zero friends, followers, or tweets.
-
Content-oblivious replication delegates ongoing availability maintenance to 'manifest guarantors' — nodes holding content manifests — who periodically sample chunk replication factors and restore missing replicas without knowing the plaintext they protect, freeing the original publisher from any post-publication obligation. Two honest manifest holders (one content, one key) are sufficient to maintain replication with overwhelming probability even under adversarial conditions and high churn.
-
Simulation over erasure code parameters uniformly sampled from m∈[1,5] and n∈[5,500] shows that a 50-of-500 code is the best trade-off between overhead and robustness: it requires nearly 10× storage overhead to support 2^60 variable-size chunks and allows the network to tolerate more than 70% node failure before data is lost. Replication combined with erasure coding yields better durability than either strategy alone.
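The failure-tolerance claim for an m-of-n erasure code can be checked with a simple binomial model, under the assumption that chunks are lost independently when their storing nodes fail:

```python
from math import comb

def survival_probability(n, m, node_failure_rate):
    """Probability that at least m of n erasure-coded chunks survive
    when each chunk's node fails independently at the given rate."""
    s = 1 - node_failure_rate  # per-chunk survival probability
    return sum(comb(n, k) * s**k * (1 - s)**(n - k) for k in range(m, n + 1))

# A 50-of-500 code: essentially certain to survive 70% node failure,
# but lost with near certainty once failure reaches 95%.
p70 = survival_probability(500, 50, 0.70)
p95 = survival_probability(500, 50, 0.95)
```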
-
A hybrid garbage-collection scheme combining time-based expiry (last-access timestamp cutoff), popularity-based retention, and editor-signed manifest exemptions forces adversaries conducting pollution or exhaustion attacks to continuously re-access or re-upload junk to prevent its deletion. A single honest editor's signature is sufficient to exempt important but infrequently accessed content from deletion indefinitely, while malicious editors cannot explicitly remove content from the system.
-
One-way indexing separates a published file into encrypted content blocks (indexed by hash1(block)), a content manifest (indexed by hash2(keyword)), and a key manifest (indexed by hash3(keyword)), so a storer holding all content chunks cannot recover the plaintext or keywords without inverting a cryptographic one-way function. Using distinct hash functions for each manifest type also minimizes the probability that a single node stores both manifests, preventing correlation.
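A sketch of the three-index split, using domain-separated SHA-256 in place of the paper's hash1/hash2/hash3; the domain labels are illustrative:

```python
import hashlib

def index(domain: bytes, data: bytes) -> str:
    """Domain separation makes hash1/hash2/hash3 behave as independent
    one-way functions over the same inputs."""
    return hashlib.sha256(domain + b"\x00" + data).hexdigest()

def publish_indices(block: bytes, keyword: bytes) -> dict:
    return {
        "content_block":    index(b"hash1:block", block),      # where the encrypted chunk lives
        "content_manifest": index(b"hash2:content", keyword),  # located by keyword search
        "key_manifest":     index(b"hash3:key", keyword),      # decryption keys, separate index
    }
```

A storer holding a chunk at its hash1 index learns nothing about the keyword, since recovering it would mean inverting the hash; the distinct domains also make it unlikely that one node's region of the keyspace holds both manifests for the same keyword.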
-
In a 250-node PlanetLab deployment with 10–15% silent node failures and high churn, the median user retrieved a 20MB file in 65–85 seconds end-to-end (search + manifest download + chunk fetch + reconstruction + decryption). 15.12% of DHT lookups and 11.24% of maintenance operations failed; 20% of nodes accounted for 80% of failures, yet nodes with working connections completed lookups and maintained sufficient guarantors for manifest replication.
-
China's censoring devices send four spoofed RST packets per filtered connection with varying sequence and ACK numbers and TTL values corresponding to roughly the hop count to the Chinese border; the IP ID field increments sequentially per TTL group, strongly implying a small cluster of out-of-band machines co-located at each border router. Because the device is out-of-band, the actual server response still arrives at the client but is preempted by the injected RSTs.
-
China's censoring device is stateful: it inspects only the first HTTP GET request after a TCP handshake and ignores subsequent requests or those without a preceding handshake. After blocking a request, it records the (src IP, dst IP, port, protocol) tuple and denies all further communication between that machine pair for approximately 12 hours, even for traffic that would not independently trigger censorship.
-
Across 11 countries, censorship execution falls into at least seven distinct categories: DNS redirect to localhost (Malaysia, Russia, Turkey), DNS redirect with warning page (South Korea), connection timeout with no notification (Bangladesh, India), spoofed TCP RST injection (China), spoofed HTTP 403 with warning page (Bahrain, Iran), HTTP 302 redirect (South Korea, Thailand), and spoofed HTTP 200 iframe response (Saudi Arabia). Four countries censor at DNS and eight at routers, with South Korea employing both layers simultaneously.
-
Thailand uses an out-of-band device to inject spoofed HTTP 302 redirect responses, so the destination server still receives and responds to the original request — unlike inline censors in Bangladesh and India where the request is dropped before reaching the server. Saudi Arabia similarly uses an out-of-band device to inject a spoofed HTTP 200 response containing an iframe warning page loaded from a separate IP address, allowing the warning page content to be updated without modifying the censoring module.
-
South Korea operates DNS-based and router-based censorship simultaneously; sites blocked at the DNS resolver are a strict subset of those blocked at the router, verified by switching to an external DNS resolver and observing continued blocking at the router layer. Alternate DNS resolvers alone are therefore insufficient to circumvent South Korean censorship, in contrast to Malaysia, Russia, and Turkey where DNS-only bypass is adequate.
-
A censor can compare the predicted AS path from the claimed dummy host to the client against the actual observed ingress entry point of the spoofed downstream traffic; inconsistency reveals the dummy host as a cover. For clients in China Telecom (ASN 4134) and China Unicom (ASN 4837), 100% of 225 candidate dummy hosts passed AS-path consistency filtering; for clients in ASN 4538 only 18.2% (41/225) passed, sharply narrowing the usable pool for smaller ASes.
-
CensorSpoofer decouples the upstream channel (URLs hidden via steganography in IM/Email) from the downstream channel (web content injected into spoofed UDP/VoIP flows), so the proxy's real IP is never revealed to any user. This asymmetric architecture provides perfect insider-attack resistance: even if all users are compromised, they can only learn cover dummy-host IPs, not the spoofer's address.
-
Port-scanning 10,000 randomly selected non-China IPs found 1,213 (12.1%) acceptable as VoIP dummy hosts (SIP, RTP, RTCP ports not in 'closed' or 'host seems down' states). Of 100 sampled dummy hosts tracked over time, over 90% remained usable for more than 2 hours and over 80% for more than 6 hours; the total usable pool was stable across a 7-day measurement window (Feb. 9–16, 2012).
-
The MIT ANA Spoofer project shows that over 400 ASes (22%) and 88.7 million IP addresses (15.7%) permit outbound IP address spoofing, constraining where CensorSpoofer proxy nodes can be deployed. ASes applying ingress/egress filtering make IP-spoofing-based downstream channels infeasible from those locations.
-
Using G.711 or G.722-64 codecs (64 Kbps downstream), CensorSpoofer clients in China downloaded Wikipedia's HTML file in approximately 6 seconds and the full 160 KB page in approximately 27 seconds; Tor and a proxy-based system (NetShade) were measurably faster. The iLBC codec limits downstream throughput to 15.6 Kbps, and all codecs impose equivalent dummy-traffic cost on the dummy host (G.711 consumes 87.2 Kbps at the dummy host).
-
The StegoTorus HTTP module degrades severely with network latency: it can sustain only a 50 kB/s stream at latencies below 200 ms and fails entirely at higher rates or latencies, because the HTTP request-response pattern transfers only one or two 512-byte Tor cells per round-trip. Plain Tor and chopper-only StegoTorus show no measurable throughput degradation at latencies up to 450 ms. Increasing parallel HTTP connections improves low-latency throughput but does not recover high-latency performance.
-
HTTP steganography in StegoTorus expands upstream traffic by a factor of 41× and downstream by 12× compared to a direct connection (uploading 966,964 bytes vs. 23,643 bytes to transfer a 1 MB file). Chopper-only operation adds only ~2.7× upstream overhead, comparable to plain Tor. Maximum achievable goodput with the HTTP module is ~27 kB/s (~4× a 56 kbps modem), which the authors attribute to a minimum expansion factor of 8× inherent in contemporary steganographic schemes.
-
A naive-Bayes website-fingerprinting classifier achieves AUC > 0.94 against vanilla Tor for 8 of 9 Alexa top-ten sites (e.g., Wikipedia 0.9991, YouTube 0.9947). Against StegoTorus-HTTP, AUC drops to ≤ 0.75 for 7 of 9 sites (YouTube 0.4125, Facebook 0.5413, Google 0.6928), which the authors argue is too low for practical perimeter-scale deployment where near-perfect precision is required to avoid error floods.
-
Tor's fixed 512-byte cells packed into TLS 1.0 records produce a characteristic TCP payload of 586 bytes (512 + 74 bytes of TLS overhead). A perimeter filter running a simple exponential moving average (τ ← ατ + (1−α)·1[payload = 586], with α = 0.1 and alarm threshold T = 0.4) identifies Tor flows within a few dozen packets; this attack succeeds at backbone rates of ~540,000 packets/second on commodity hardware. Obfsproxy does not alter packet sizes or timings and therefore does not defeat this classifier.
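The moving-average classifier is small enough to sketch directly from the formula (function names and the sample flows below are invented for illustration; the 586-byte size, α = 0.1, and T = 0.4 are from the finding):

```python
def tor_flow_score(packet_sizes, alpha=0.1, cell_size=586):
    """EMA of the indicator 1[payload == 586]; with alpha = 0.1 the
    newest packet carries 90% of the weight, so the score converges
    within a few dozen packets."""
    tau = 0.0
    for size in packet_sizes:
        tau = alpha * tau + (1 - alpha) * (1.0 if size == cell_size else 0.0)
    return tau

def looks_like_tor(packet_sizes, threshold=0.4):
    return tor_flow_score(packet_sizes) > threshold
```

A flow dominated by 586-byte payloads scores near 1.0 and trips the threshold; ordinary web traffic with varied payload sizes stays near 0.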
-
StegoTorus distributes a fixed set of packet traces and HTTP covertext databases with the software, but allows users to record their own; classifiers trained on the distributed covertext will not generalize to user-generated databases. The paper further notes that reusing a small number of traces repeatedly creates a statistical fingerprint because censors can learn conversation patterns from packet sizes and timings alone, implying that trace diversity must be maintained over time.
-
A blocked Tor bridge becomes reachable again after approximately 12 hours if Chinese scanners are unable to reach it continuously. In the authors' experiment, one bridge (port 23941) whitelisted to their Chinese VPS via iptables was unblocked within 12 hours despite remaining actively used, while an unrestricted bridge (port 27418) stayed blocked indefinitely.
-
Of 2819 public Tor relays in the February 2012 consensus, only 47 (1.6%) were reachable via TCP from within China. After three days, only 1 of those 47 remained reachable. The Great Firewall of China (GFC) blocks relays by IP:port tuple rather than by IP to minimize collateral damage to co-hosted services.
-
Over 3295 active-probing scans observed across 17 days, 51% (1680) originated from a single IP address (202.108.181.70), while 98% of the remaining 1615 addresses were unique. All scanner IPs belong to three Chinese ASes: AS4837 (65.7%), AS4134 (30.5%), and AS17622 (3.8%). TTL analysis of 85 connections shows the scanner IPs are likely spoofed by the GFC—post-scan ping TTLs differed by +1 from during-scan TTLs.
-
The GFC identifies Tor connections via a unique TLS ClientHello cipher list sent by the Tor client. Once DPI boxes detect this fingerprint on outbound traffic, active scanning is initiated within minutes: scanners connect to the suspected bridge, attempt to build a Tor circuit, and if successful the IP:port tuple is blocked. This two-stage pipeline (fingerprint → confirm → block) allows dynamic bridge blocking without pre-enumeration.
-
Tor DPI fingerprinting by the GFC is applied exclusively to egress traffic (from inside China to the outside world). Simulated Tor connections between domestic Chinese nodes and between external nodes connecting inward to a Chinese VPS attracted zero active scans across multiple experimental runs, indicating the detection infrastructure is positioned on the border for outbound flows only.
-
On a 2011 MacBook Air (1.86 GHz Core 2 Duo), #h00t achieves 3,610 encryptions/second and 15,590 decryptions/second (Table 2). Twitter's peak load at the time was 6,939 tweets/second, meaning full-service encryption at peak would require at most two commodity machines. The authors conclude that computational overhead is negligible and bandwidth is the binding constraint.
-
#h00t achieves censorship resistance by truncating a key-derivation-function output to k bits to produce a 'short tag', deliberately inducing collisions across unrelated groups. A censor cannot block a targeted group's short tag without simultaneously blocking all colliding groups — including innocuous, high-traffic ones — forcing heavy-handed censorship that creates domestic blowback. The design provides plausible deniability: subscribers can claim they follow a foreign pop star rather than a dissident group.
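The collision-inducing truncation can be sketched in a few lines (the KDF choice, salt, and parameters below are stand-ins, not the paper's; the prototype used SHA-1 and the authors recommend scrypt). With a tag of k bits, any set of more than 2^k groups is guaranteed to collide by pigeonhole:

```python
import hashlib

def short_tag(passphrase: str, k: int = 16) -> int:
    """Derive a group tag and keep only the top k bits, deliberately
    inducing collisions across unrelated groups (the #h00t idea).
    pbkdf2_hmac and the salt are illustrative stand-ins for the
    paper's KDF."""
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"h00t", 1000)
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - k)
```

With k = 8 there are only 256 possible tags, so 300 distinct group passphrases must collide; a censor blocking one tag blocks every colliding group with it.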
-
Against an attacker with 2^10 CPU cores running ~2^17–18 decryptions/second per core, plain tags require at least 47 bits of entropy to survive one week of brute force. A single dictionary word plus 7 decimal digits yields only 38.5 bits and can be cracked in ~20 minutes; two dictionary words plus 7 digits yields ~53.8 bits, requiring over two years. The authors note that SHA-1 was used in the prototype for performance reasons and recommend scrypt for production deployments.
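The finding's figures can be checked with back-of-envelope arithmetic (the per-core rate 2^17.5 is a midpoint of the stated 2^17–18 range; the bit counts come from the finding itself, e.g., one dictionary word ≈ 15.25 bits plus 7 decimal digits ≈ 23.25 bits ≈ 38.5 bits):

```python
def crack_seconds(entropy_bits, cores=2**10, rate_per_core=2**17.5):
    """Worst-case brute-force time against a tag of the given entropy,
    for an attacker with the paper's assumed core count and per-core
    decryption rate (2^17.5/s is a midpoint assumption)."""
    return 2**entropy_bits / (cores * rate_per_core)
```

At this rate, 38.5 bits falls in well under an hour, 47 bits survives roughly a week, and ~53.8 bits takes years, matching the finding's conclusions.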
-
Even with end-to-end encrypted messages, a censor observing subscription queries can detect anomalous interest in a short tag (e.g., a sudden domestic surge in followers of a foreign pop star's hashtag) and use timing/size traffic analysis to distinguish #h00t subscriptions from ordinary hashtag follows. The paper flags this as an open threat and proposes two mitigations: (1) push cover traffic for randomly selected short tags to all clients regardless of their actual subscriptions, or (2) silently redirect normal clients' hashtag follows to the corresponding #h00t short tags.
-
If a large site such as Google or Wikipedia scrambled all served content using a publicly known de-scrambling algorithm, the censor faces a strict all-or-nothing blocking decision: it cannot selectively filter banned scrambled content without blocking the entire site, since scrambled legitimate and banned content are computationally indistinguishable prior to running S⁻¹. This property scales the political cost of blocking proportionally to the size of the co-scrambling platform.
-
Scrambling without secret key management can frustrate DPI-based censors if the de-scrambling function satisfies 'high-inertia' — meaning an adversary computing S⁻¹ on n inputs cannot use less than Θ(n) times the resources of a single commodity-PC user, including electricity, memory, and computation time. This forces bulk censorship to become computationally infeasible without over-censoring all scrambled content.
-
Transmitting the de-scrambling algorithm S⁻¹ as in-page JavaScript alongside AJAX-fetched scrambled content eliminates the need for special client software installation or trusted public-key distribution, removing the primary bootstrapping vulnerability that cryptographic censorship-resistance schemes (including Tor) share — a vulnerability exploited when Iran blocked Tor by filtering its Diffie-Hellman parameter bit sequence.
-
The proposed multi-stage scrambling composes four orthogonal layers: (a) 128-bit AES with 20 bits stripped, requiring brute-force search; (b) an AES key derived from a CAPTCHA solution; (c) a memory-bound function key; and (d) blocks whose de-scrambling exploits JavaScript floating-point and string-processing quirks. Each layer independently forces a censor to build or emulate a distinct acceleration environment, multiplying total reverse-engineering cost.
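Layer (a), stripping bits from the key so every reader must brute-force them, can be illustrated with a toy (the hash-based keystream below is a stand-in for AES, since the Python standard library has no AES; 16 stripped bits are used instead of 20 to keep the demo fast, and all names are invented):

```python
import hashlib, secrets

def _keystream(key: bytes, n: int) -> bytes:
    # Counter-mode hash stream: illustrative stand-in for AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def scramble(plaintext: bytes, strip_bits: int = 16):
    """Scramble under a random 128-bit key, then publish the key with
    its low strip_bits removed, plus a short check value so a reader
    can recognize the correct guess."""
    key = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    partial = int.from_bytes(key, "big") >> strip_bits
    check = hashlib.sha256(plaintext).digest()[:4]
    return ct, partial, check

def descramble(ct, partial, check, strip_bits=16):
    base = partial << strip_bits
    for guess in range(2**strip_bits):      # the deliberate work factor
        key = (base | guess).to_bytes(16, "big")
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
        if hashlib.sha256(pt).digest()[:4] == check:
            return pt
    return None
```

Each legitimate reader pays a one-off search of 2^strip_bits tries; a censor scanning n pages pays n times that, which is the Θ(n) "high-inertia" property the design relies on.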
-
Applying a BEAR all-or-nothing package transform (using a zero key) to message blocks forces any censor attempting to scan content to cache all blocks from all active concurrent transfers simultaneously, since no individual block reveals any information about the original message until all blocks are received. Artificially delaying block transmission amplifies censor state requirements proportionally.
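The all-or-nothing property can be sketched with a Rivest-style package transform, used here as a toy stand-in for BEAR (sha256 as the PRF, 32-byte blocks; all names are illustrative): the random packaging key is hidden behind a hash of every output block, so no block decodes until all have arrived.

```python
import hashlib, secrets

BLOCK = 32

def _prf(key: bytes, i: int) -> bytes:
    return hashlib.sha256(key + i.to_bytes(8, "big")).digest()

def aont_package(blocks):
    """Package transform: mask each 32-byte block with PRF(k, i), then
    append k XOR H(all masked blocks). Missing any block makes k, and
    hence every block, unrecoverable."""
    k = secrets.token_bytes(BLOCK)
    out = [bytes(a ^ b for a, b in zip(m, _prf(k, i)))
           for i, m in enumerate(blocks)]
    h = hashlib.sha256(b"".join(out)).digest()
    out.append(bytes(a ^ b for a, b in zip(k, h)))
    return out

def aont_unpackage(out):
    *cts, last = out
    h = hashlib.sha256(b"".join(cts)).digest()
    k = bytes(a ^ b for a, b in zip(last, h))
    return [bytes(a ^ b for a, b in zip(c, _prf(k, i)))
            for i, c in enumerate(cts)]
```

Because the final XOR depends on every ciphertext block, a scanning censor must buffer all blocks of all concurrent transfers before any content inspection is possible, which is the state-amplification effect the finding describes.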
-
Both Egypt and Libya demonstrate that concentration of Internet infrastructure under state ownership—in Egypt, all submarine fiber backhaul terminated at a single facility, the Ramses Exchange, controlled by the state telecommunications provider—makes country-wide BGP-based shutdowns technically straightforward. The authors conclude that the small number of state-controlled parties involved in international connectivity was the critical enabling factor, not any novel technical capability.
-
Unsolicited background radiation traffic to the UCSD network telescope—particularly Conficker worm scanning (TCP SYN, port 445, 48-byte packets)—dropped nearly simultaneously with Egyptian BGP route withdrawals on January 27, corroborating control-plane analysis with data-plane evidence. Crucially, some worm-infected hosts continued to generate outbound scanning traffic even after their prefixes were BGP-withdrawn, because packet filtering was absent; this asymmetry between inbound unreachability and outbound connectivity can distinguish pure BGP-based blocking from combined BGP-plus-filtering approaches.
-
Egypt's Internet shutdown on January 27, 2011 was accomplished via BGP route withdrawals: approximately 2,500 IPv4 prefixes (out of 2,928 visible) disappeared within a 20-minute window beginning at 22:12:26 GMT, leaving only 176 prefixes visible by 23:30:00 GMT. The shutdown lasted more than five days, with BGP connectivity beginning to return at 09:29:31 GMT on February 2, and more than 2,500 Egyptian prefixes back in global BGP tables by 09:56:11 GMT.
-
During Egypt's 5.5-day Internet blackout, active CAIDA Ark measurements found that only 1% of probes to Egyptian IPv4 prefixes received responses, compared to 16–17% on normal days. The minority of addresses that retained bidirectional connectivity all mapped to BGP prefixes that had not been withdrawn—including prefixes serving the Egyptian stock exchange and two national banks, whose 83 prefixes were kept live until January 31 at 20:46:48 GMT before being simultaneously withdrawn.
-
Libya implemented escalating Internet disruptions before executing a sustained blackout: a 6.8-hour curfew on February 18 and an 8.3-hour curfew on February 19, followed by a 3.7-day near-total blackout beginning March 3. The authors detected what they believe were Libya's attempts to test firewall-based packet filtering before transitioning to more aggressive BGP-based disconnection, demonstrating a two-phase escalation pattern.
-
Graduated censorship — limiting the suppression rate to remain within the typical weekly variance band — evades the weekly-interval detector entirely. The paper acknowledges that detecting slow-ramp blocking requires extending the observation window beyond seven days.
-
Per-jurisdiction user counts are modeled as a Poisson process; the detector infers the 99.99th-percentile credible interval for the underlying rate λ from the observed count via a Gamma-Poisson approximation rather than a Gaussian assumption, correctly treating small-jurisdiction zero-user days as non-anomalous.
-
The detector constructs its 'typical ratio' baseline exclusively from the 50 largest jurisdictions, then discards outliers beyond four inter-quartile ranges of the median before fitting N(m,v). This ensures a jurisdiction undergoing active censorship cannot bias the global model and mask its own anomaly.
-
A censor can defeat the anomaly detector without triggering an alert by replacing blocked user traffic with synthetic requests from adversary-controlled machines, keeping per-jurisdiction connection counts within the typical range. The paper explicitly identifies this as an unaddressed active-attack vector.
-
The deployed system uses 7-day intervals and a baseline built from the 50 largest Tor jurisdictions; a jurisdiction's user-count ratio is flagged when it falls outside the 99.99th percentile of the fitted Normal distribution N(m,v), yielding an expected false-alarm rate of approximately 1 in 10,000 per jurisdiction-week.
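The baseline-plus-flagging logic (outliers beyond 4 IQR of the median discarded, N(m, v) fitted, flag outside the 99.99th percentile) can be sketched as follows; the function name, the two-sided band, and the sample numbers are illustrative assumptions, not from the deployed system:

```python
import statistics

def censorship_flags(baseline_ratios, current, quantile=0.9999):
    """Fit N(m, v) to the ratio baseline after discarding outliers
    beyond 4 IQR of the median; flag jurisdictions whose current
    ratio falls outside the fitted quantile band."""
    qs = statistics.quantiles(baseline_ratios, n=4)
    iqr = qs[2] - qs[0]
    med = statistics.median(baseline_ratios)
    kept = [r for r in baseline_ratios if abs(r - med) <= 4 * iqr]
    dist = statistics.NormalDist(statistics.mean(kept), statistics.stdev(kept))
    lo, hi = dist.inv_cdf(1 - quantile), dist.inv_cdf(quantile)
    return {j: (r < lo or r > hi) for j, r in current.items()}
```

With a baseline of week-over-week ratios near 1.0, a jurisdiction whose user count suddenly drops to 20% of normal lands far outside the ~3.7σ band and is flagged, while ordinary fluctuation is not.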
-
During a two-month run in 2011 that coincided with the Jasmine Revolution protests, China's HTTP GET request backbone blacklist showed no additions or removals of keywords on a daily, weekly, or even monthly basis. Numerous current-event terms that triggered search engine censorship produced zero GET request RST responses, indicating the two censorship mechanisms operate on entirely different update timescales.
-
A maximum entropy named entity extraction (NEE) model trained on Chinese-language Wikipedia achieved 89.63% recall and 83.44% specificity for person names, 96.3% recall and 69.80% specificity for place names, and 87.56% recall and 88.40% specificity for organization names. Despite 0.42% precision for person names, the system reduces the number of words requiring censorship probes by nearly an order of magnitude while retaining nearly 90% of actual named entities.
-
To measure Chinese search engine censorship independently of backbone GET request filtering, the authors split each search engine HTTP GET request across multiple TCP packets so the server would reassemble the full query but routers performing single-packet keyword inspection would not see a complete match. This technique allowed ground-truth measurement of search engine responses free of backbone RST injection interference.
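The splitting step reduces to cutting the request inside the sensitive keyword so no one segment contains a complete match (a minimal sketch; the function name and example query are invented, and on a real connection each segment would be written separately, e.g., with TCP_NODELAY set, though the OS does not strictly guarantee one packet per write):

```python
def split_request(request: bytes, keyword: bytes):
    """Split an HTTP GET request into two TCP segments, cutting in the
    middle of the keyword: the server reassembles the stream intact,
    but a single-packet DPI keyword match never fires."""
    i = request.find(keyword)
    if i < 0:
        return [request]
    cut = i + len(keyword) // 2
    return [request[:cut], request[cut:]]
```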
-
A controlled probe of two Chinese search engines found that the query 'fuck' triggered a legal notice that results had been removed, while 'fuck you' did not, suggesting that search engine censorship suppresses websites where a sensitive term appears prominently rather than matching exact byte strings in the query itself. The paper concludes this mechanism is topical and website-removal-based, not a static keyword blacklist.
-
During the 2011 Jasmine Revolution, words such as 'Jasmine Flower,' terms linked to Liu Xiaobo's Nobel Prize, and numeric references to presidential rent criticism triggered Chinese search engine censorship (results-removed warnings) but produced no HTTP GET request RST injections. This demonstrates that search engine filtering and backbone keyword filtering are independently operated layers that diverge sharply for rapidly evolving current-event content.
-
If clients probe the top 1,000 Alexa-ranked sites to discover a deflecting router, a censor would have to block more than 95% of those 1,000 sites to prevent any client from joining Cirripede. Clients aware of failed probes can continue cycling through additional popular sites, further raising the blocking cost.
-
In an emulation testbed with 200 ms effective client-server RTT, Cirripede added no more than a few seconds to time-to-first-byte, attributable primarily to two extra TLS round-trips and the SOCKS request-response. For large file downloads, Cirripede's TCP connection splitting (two lower-RTT hops instead of one high-RTT hop) produced faster total transfer times than the non-Cirripede baseline, confirmed with a control non-Cirripede SOCKS proxy.
-
Replaying 94 million TCP SYN packets from 6.4 million unique client IPs at ~41,000 packets/second, the Cirripede registration server (quad-core Xeon E5530, 12 GB RAM) achieved a 97% detection rate — 1,038,689 out of 1,069,318 embedded registrations — with average CPU utilization of 56% (max 73%) and average memory of 1.1 GB (max 1.6 GB). The 3% miss rate was caused entirely by network-layer packet reordering, not server capacity.
-
Using two CAIDA traces from March 2011, the byte volume of TCP SYN packets across all ports was only 4–7% that of port-443 traffic. Cirripede's registration design inspects only SYN packet headers rather than full HTTPS payloads, reducing the traffic an ISP must process by 14–25× compared to Telex/Decoy routing architectures that must reconstruct all port-443 TCP sessions.
-
Simulations on the CAIDA AS-level topology (January 2011 snapshot) show that deploying Cirripede deflecting routers at just 1 tier-1 AS enables 97% of Internet clients to use the system, and 2 participating tier-1 ASes achieve 100% client reachability. When clients probe only the Alexa top-30 most popular sites as overt destinations, 2 tier-1 ISPs still yield 100% reachability.
-
Cloud-based onion routing confronts censors with a collateral-damage dilemma: blocking a cloud provider's IP prefixes requires blocking all co-hosted services (Amazon EC2 hosted over 1 million instances sharing common IP prefixes in 2010), while allowing the traffic means circumvention succeeds. Rotating IP addresses—by retiring and spinning up new VM instances or via DHCP/gratuitous ARPs—reduces the window a blocked address remains in service, forcing censors into a perpetual cat-and-mouse game across all major cloud providers simultaneously.
-
In controlled benchmarks using TorPerf, the best COR circuit achieved a median file download time 7.6× faster than Tor across 50 KB, 1 MB, and 5 MB files (100 repetitions each). COR was also several times faster than Tor for downloading full web pages across the top 10 Alexa domains, even when COR relays were serving 50 simultaneous connections.
-
COR does not solve the bootstrapping problem: a user's first connections to the COR bootstrapping network are vulnerable to the same IP-enumeration and blocking attacks as public Tor directory connections. To mitigate directory-partitioning attacks, directory retrieval is always performed through an existing COR circuit, and directories return only a random subset of available nodes rather than the full list—but this subset-delivery design is itself exploitable by a malicious directory that can fingerprint users via uniquely-assigned relay subsets.
-
COR circuit construction enforces four properties to prevent single-entity de-anonymization in a limited-provider setting: (1) entry and exit ASPs must differ; (2) entry and exit CHPs must differ; (3) the same ASP's relays must not surround another ASP's relay without an intervening hop of a distinct ASP; and (4) at least two relays per traversed datacenter so an adversary with only perimeter visibility cannot trivially correlate ingress/egress.
-
Running a COR network matching Tor's 2011 aggregate bandwidth (estimated at 150 MB/s end-user demand, ~376 TB/month) would cost approximately $61,200/month on Amazon EC2 at July 2011 pricing. A single EC2 node at 17¢/hour plus bandwidth charges can relay approximately 110 Mbps and support up to 100 concurrent users at ~1 Mbps each; m1.large and c1.medium instances handled 100+ concurrent connections while t1.micro struggled beyond 10.
-
Decoy routing places the circumvention service at transit routers rather than fixed-IP edge proxies, so the client addresses packets to any reachable decoy destination and the router hijacks the flow on the client's behalf. A single well-placed router may lie on paths to millions of destinations, making circumvention proxies appear ubiquitously deployed from an adversary's perspective. Blocking such a router requires disrupting ordinary traffic for large fractions of the Internet, qualitatively raising the cost of IP-address-based censorship.
-
An adversary aware of a decoy router's location can force decoy-routed flows to be unprocessable by fragmenting all packets below the size of a complete TCP header in the first fragment, preventing flow assignment and forcing the router into expensive reassembly. Alternatively, the adversary can use small-fragment attacks to grow the router's state table, analogous to NAT resource exhaustion. The paper identifies fragmentation-based denial as a harder-to-mitigate attack class than sentinel replay.
-
A preplay attack defeats the TLS-sentinel covert channel: the adversary intercepts each ClientHello, immediately sends a copy to the decoy destination before the client's copy arrives, causing the sentinel to be consumed and poisoned. The client can never establish a decoy routing session while ordinary TLS to the decoy destination continues to work normally, giving the adversary both blocking capability and forensic confirmation that decoy routing was attempted. The paper notes this vulnerability is specific to the TLS sentinel and that alternatives such as port-knocking sentinels may not share it.
-
TCP flow hijacking by the decoy proxy is practical under an asymmetric routing assumption: expected sequence numbers are recoverable from ACK values in client-originated packets alone, so the decoy router need not observe return traffic. The proxy forges a TCP RST to the decoy destination and mimics its TCP options (timestamp, window scale, SACK) to reduce detectability; these options are conveyed encrypted inside the sentinel's 28-byte TLS random field.
-
Clients embed HMAC-derived, time-varying sentinels into the 28-byte random field of the TLS ClientHello message, which decoy routers can scan at line rate. Sentinels are keyed to the current hour and a per-hour sequence number, providing freshness. This covert channel requires no out-of-band signaling and is invisible to passive observers who see only a normal TLS handshake toward the decoy destination.
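The sentinel derivation and router-side check can be sketched directly from the description (HMAC-SHA256, the key name, and the max_seq window are illustrative assumptions; a production router would precompute the current hour's sentinels rather than recompute per flow):

```python
import hashlib, hmac, struct, time

def sentinel(key: bytes, seq: int, now=None) -> bytes:
    """Derive the 28-byte value a client places in the TLS ClientHello
    random field, keyed to the current hour and a per-hour sequence
    number for freshness."""
    hour = int((now if now is not None else time.time()) // 3600)
    msg = struct.pack(">QQ", hour, seq)
    return hmac.new(key, msg, hashlib.sha256).digest()[:28]

def is_sentinel(key: bytes, random_field: bytes, max_seq=64, now=None) -> bool:
    """Router-side scan: does this ClientHello random match any of the
    expected sentinels for the current hour?"""
    return any(hmac.compare_digest(random_field, sentinel(key, s, now))
               for s in range(max_seq))
```

To a passive observer without the key, the field is indistinguishable from the random nonce an ordinary TLS client would send.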
-
The BBC's Geostats prototype (2010) detects censorship events by normalizing hourly traffic from two sources — a web-bug-based Livestats API and approximately 30GB/day of uncompressed Akamai streaming logs — alerting when traffic deviates ±60% from a rolling historical average keyed to hour-of-day and day-of-week. A key limitation identified is that CDN log files arrive up to 24 hours behind real-time, preventing timely detection of live blocking events.
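The ±60% alerting rule is a one-line comparison against the slot's rolling average (a minimal sketch; the function name and zero-baseline handling are assumptions, not from the prototype):

```python
def geostats_alert(current, baseline, threshold=0.6):
    """Alert when hourly traffic deviates more than +/-60% from the
    rolling historical average for the same hour-of-day and
    day-of-week slot."""
    if baseline == 0:
        return current > 0
    return abs(current - baseline) / baseline > threshold
```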
-
The BBC has distributed international audio and video through Akamai CDN since 2003 using URLs that do not include bbc.co.uk, making URL and IP-based blocking harder than targeting *.bbc.co.uk directly. However, individual Akamai edge machines have been blocked in China, causing thousands of co-hosted websites to become collaterally unavailable, illustrating the concentration risk when many services share CDN IP space.
-
During the December 2010 Nobel Peace Prize ceremony blocking in China, of two Psiphon nodes brought online for the BBC English News site, one was blocked almost immediately while the other remained available throughout the weekend, serving 387 logins on the ceremony day with no direct promotional channel available. A non-BBC-branded live-stream page promoted via a bit.ly URL released one hour before the ceremony received 4,236 clicks, with approximately 50% from China, accounting for about one-third of total stream viewers.
-
During the June 2009 blocking of BBC Persian in Iran, the BBC observed a more-than-fourfold increase in traffic to its BBC Persian TV Internet live stream, with geographic IP lookups confirming the majority of streaming originated from inside Iran. The BBC deployed Psiphon web-proxy nodes — chosen over alternatives because they required no executable installation on the user's PC and could be hosted by a trusted third party — promoted via email newsletters, Twitter, Facebook, and on-air announcements.
-
BBC Chinese's multi-channel Psiphon promotion — radio broadcasts three times daily with additional trails, daily email newsletters, and ad hoc tweets — allowed its service to reach page-view parity with BBC Persian's established Psiphon deployment within eight weeks of launch in September 2010. Separately, a third-party BBC Persian iPhone app using full-text RSS feeds received over 50% of its downloads from inside China, demonstrating that syndicated full-text content distributed across multiple third-party sites and apps is difficult for censors to enumerate and block.
-
TOM-Skype maintains two separate encrypted keyword lists: one triggering both message suppression and silent upload to a Chinese server, and a second triggering surveillance only. Version 5.1.4.10 introduced a distinct surveillance-only keyfile downloaded from a separate URL (skypetools.tom.com/agent/keyfile_u), allowing the censor to monitor users without alerting them via censorship.
-
TOM-Skype keyword list encryption evolved from a simple XOR cipher in versions 3.6/3.8 to 256-bit AES-ECB in versions 5.0/5.1. Surveillance traffic was encrypted with DES-ECB using hardcoded ASCII keys embedded in the binary (SURVEIL_KEY4.0 = 'X7sRUjL\0'; SURVEIL_KEY3.6 = '32bnx23l'), recovered via a known-plaintext attack and DLL injection, respectively.
-
The TOM-Skype keyword blacklist contained numerous user-coined neologisms added after the originals were censored—e.g., 'Lu Si' (a homophone for the Tiananmen date '64') and 'Oscar best actor winner' (a euphemism for Wen Jiabao)—demonstrating an adversarial arms race in which evasion vocabulary spreads freely until censors detect and blacklist the neologisms. The authors observed that some sensitive concepts (e.g., '64' rendered as '32+32' or '8 squared') spawn so many variants that the neologism strategy may not scale for the censor.
-
The TOM-Skype censorship keyfile was substantially updated on 4/22/2011—possibly correlated with US-China human rights talks on 4/27–4/28/2011—and contained exact phrases lifted verbatim from 2011 Jasmine Revolution protest coordination documents, including specific intersection meeting points such as 'McDonald's in front of Chunxi Road in Chengdu'. This demonstrates real-time, operationally targeted keyword blacklisting within days of new coordination material appearing.
-
The 158-word surveillance-only keyword list in TOM-Skype 5.1.4.10 focused predominantly on specific Beijing demolition sites and addresses (e.g., 'Ling Jing Alley demolition'), plus five Shouwang church keywords—none of which triggered message suppression. Messages matching these keywords were silently uploaded to a server, demonstrating that the censor operates event-specific surveillance lists targeting localized grievance communities independent of its censorship blacklist.
-
By integrating onion routing at the ISP/AS boundary (exactly one onion router per AS hop), the specific relay used is neither specified in the protocol nor addressable by end hosts, eliminating the enumerable relay list that makes overlay Tor blockable. The end host only knows ISP public keys, not individual relay addresses.
-
Encrypting traffic at the application layer still discloses communicating parties to every ISP along the path; overlay anonymization is subject to blacklisting of exit nodes and traffic analysis. The paper argues that effective privacy requires building anonymity into the network routing layer itself, with the necessary tradeoff being hardware cost and routing inefficiency for privacy-requiring circuits.
-
Routing all traffic through rendezvous mailboxes with a put/get interface prevents direct DoS against end hosts and hides service host addresses; each service deploys many mailboxes with a randomly chosen sequence per connection, so an attacker can disrupt at most a fraction of any given flow even with substantial resources.
-
Tor-like anonymizing overlays are easily censored because they rely on centralized, publicly visible relay lists; governments can blacklist Tor nodes or monitor all Tor exit traffic so that traffic analysis can reveal the source. Traffic to or from Tor 'essentially advertises itself as probably worth tracking.'
-
The design guarantees that as long as an end host can reach any non-censoring ISP, it can trampoline to any service; the anonymity properties make it difficult for ISPs to selectively block flows without cutting off the end host from the outside world entirely. Wikileaks-like services require only one willing authority for name resolution, not universal cooperation.
-
Channel blocking risk in Proximax is modeled as an independent Poisson process with rate λj; when a proxy is advertised on multiple channels simultaneously the risk parameters add (Λi = γ + Σλj), so each additional dissemination channel shortens expected proxy lifetime 1/Λi. The analytic result is that redundant multi-channel broadcasting is strictly suboptimal once cumulative risk exceeds the marginal usage gain.
-
A sophisticated censor can infiltrate a proxy distribution system, accumulate large numbers of proxy addresses and channel identities, and delay mass-blocking for weeks or months to maximize information before acting. The paper argues this is self-limiting: delayed blocking extends proxy lifetimes (benefiting system yield), and the infiltrating account's subtree reputation score degrades sharply the moment it begins blocking proxies, triggering exclusion from future proxy assignments.
-
Proximax uses fast-flux DNS — multiple IP addresses registered to one personalized domain with short TTLs and round-robin rotation — to resist channel-level DNS blocking. When a channel's domain is blocked, the system issues a fresh individualized hostname, forcing the censor to repeat discovery rather than permanently suppressing the channel with a single DNS entry removal.
-
Open proxy distribution registrations are vulnerable to adversary flooding with fictitious accounts that inflate yield scores via dummy connections. Proximax uses invitation-only registration with RICO-style subtree reputation scoring — a compromised sub-node taints the entire inviting user's subtree — and sub-linearly credits usage from closely clustered source IP prefixes to limit bot-driven inflation.
-
Proximax frames proxy distribution as a yield-maximization problem: the expected yield of a proxy is its attracted usage Ui divided by its total blocking risk Λi. A dissemination channel should only be assigned a proxy if the channel's own yield ratio u/λ exceeds the proxy's current yield ratio; otherwise the added risk outweighs the additional traffic and the channel must not be used at all.
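The yield model and assignment rule reduce to two ratios (a minimal sketch with the finding's notation: usage Uᵢ, per-channel risks λⱼ, baseline risk γ; the γ default and sample numbers are invented):

```python
def proxy_yield(usages, risks, gamma=0.01):
    """Expected yield U_i / Lambda_i, where Lambda_i = gamma + sum of
    the blocking-risk rates of every channel the proxy is on."""
    return sum(usages) / (gamma + sum(risks))

def should_assign(channel_u, channel_lam, usages, risks, gamma=0.01):
    """Assign the proxy to a new channel only if the channel's own
    yield ratio u/lambda exceeds the proxy's current yield."""
    return channel_u / channel_lam > proxy_yield(usages, risks, gamma)
```

This makes the finding's point concrete: adding a low-yield channel strictly lowers the proxy's expected yield, so redundant broadcasting on weak channels is worse than not using them at all.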
-
Russia's high AS complexity (score 19.39, 2,346 ASes) enabled the Russian Business Network to hide malware-hosting ASes by chaining traffic through multiple intermediate legitimate-seeming ASes, making connections very difficult to trace and sever. The paper concludes that higher national AS complexity directly raises the operational cost of enumerating and cutting any given connection.
-
China has only 3 points of control covering approximately 240 million IP addresses (roughly 80 million IPs per point of control), the lowest ratio among large-population countries. This enabled China to cut off nearly all Internet access for the Xinjiang region for ten months beginning July 2009.
-
Eastern Asia averages 4.80 points of control and a complexity score of 1.54 across 510 million IP addresses, while Eastern Europe averages 19.10 PoC and a complexity score of 11.35 across 74 million IPs — nearly twice the complexity of any other region. Russia specifically has 2,346 autonomous systems and a complexity score of 19.39, versus China's 177 ASes and score of 0.11.
-
By 2009, the top 150 autonomous systems carried approximately 50% of all Internet traffic globally, up from roughly 30% in 2007. Akamai alone claimed approximately 20% of all web traffic, and the proposed Level 3 / Global Crossing merger would have covered over half the world's IP addresses.
-
Iran and Libya each have a single point of control (1 AS), making complete national internet shutdown achievable with a single administrative action. Egypt's 2011 shutdown left one AS (Noor Group, 4.9% of connected IPs) operational for four days, apparently due to its role serving the Egyptian stock exchange and other core financial institutions.
-
Each round of copyright enforcement drove deeper architectural decentralization: centralized servers (BBSs/FTP) → central directory (Napster) → supernodes (KaZaA/Grokster) → pure protocol (BitTorrent). Even after Grokster was shut down its software continued to work, because no fixed corporate entity remained as the control point.
-
DNS infrastructure is a primary chokepoint target: U.S. DHS seized domain names of sites including rojadirecta.org — found non-infringing under Spanish law — without Congressional authority. The proposed PROTECT-IP Act (2011) would have authorized DNS injection against 'non-domestic' domains. Developers countered with a browser plug-in distributing alternate domains outside U.S. jurisdiction; Mozilla refused a DHS demand to remove it.
-
When RIAA filed suit against more than 30,000 individual filesharers, users migrated toward anonymous channels, small-world networks of vetted peers, ephemeral pointers, and user-generated IP blacklists for spoofed-peer detection. The University of Washington demonstrated IP-to-person attribution is unreliable — a networked laser printer received a DMCA takedown notice.
-
Censorship operating at the infrastructure layer (hosting, DNS, ISPs) rather than the content layer produces opacity: blocklists must be kept secret lest they become menus of blocked content, their accuracy cannot be examined, and the harms are hidden from those with the incentive or expertise to oppose them. The consistent pattern in anti-censorship responses is to distribute, decentralize, encrypt, and obfuscate — making circumvention traffic indistinguishable from permitted use.
-
The U.S. 'five strikes' program had major ISPs reduce bandwidth of accused subscribers; challenging required a $35 fee with only one permitted defense category ('unauthorized use of account'). Users responded by routing traffic through VPNs and anonymizing networks such as I2P to bypass ISP-level monitoring entirely.
-
Over a 14-day evaluation in April 2011, CensMon tested 4,950 unique URLs from 2,500 domains across 174 agents in 33 countries, detecting 951 unique URLs from 193 domains as filtered. Manual verification of all 193 flagged domains found only 3 false positives, demonstrating high precision for an automated distributed monitor.
-
The single Chinese PlanetLab node reported 176 censored domains — more than all other 173 agents combined. Turkey (6 domains), Jordan (5), and Hungary (1) were the only other countries with any detected filtering. 86% of agent nodes across 33 countries reported zero filtering events.
-
Among all filtered URLs detected, HTTP filtering accounted for 48.5%, IP address blocking for 33.3%, and DNS manipulation for 18.2%. Of the domains blocked at the HTTP layer in China, 71% were blocked due to URL keyword filtering rather than HTML response content filtering.
-
CensMon detected zero instances of partial web-page content filtering across 4,950 tested URLs during April 2011, indicating that censors at that time uniformly applied coarse-grained techniques — full URL block, IP blacklist, or DNS hijack — rather than inline content modification at the sub-page level.
-
21% of all URLs that CensMon began tracking were found accessible on the very first re-probe, indicating initial inaccessibility was a transient network failure rather than censorship. The false-network-failure rate fell to near zero after 3 consecutive tracking attempts, providing a practical threshold for classifying persistent inaccessibility as filtering.
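The three-consecutive-failure threshold can be sketched as a minimal classifier (illustrative only, not CensMon's actual code):

```python
def classify(probe_results, threshold=3):
    """probe_results: booleans in probe order, True = URL reachable.
    A URL is called filtered only after `threshold` consecutive failures,
    since transient network failures almost never persist that long."""
    consecutive_failures = 0
    for reachable in probe_results:
        if reachable:
            return "transient-failure"   # recovered on a re-probe: not censorship
        consecutive_failures += 1
        if consecutive_failures >= threshold:
            return "filtered"
    return "undetermined"

assert classify([True]) == "transient-failure"          # the 21% case above
assert classify([False, False, False]) == "filtered"
assert classify([False, False]) == "undetermined"
```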
-
Some politically active bloggers in the studied country deliberately continued publishing on officially court-blocked platforms, reasoning that official blockage created a legal defense against persecution: 'if they say you wrote this on your blog, I will say all of these blogs are blocked according to this court decision—they don't exist and they are officially inaccessible to citizens.' This co-option of censor infrastructure as a shield was treated as a serious protective strategy.
-
A politically active blogger in an anonymized censored country explicitly avoided BlackBerry encryption stating: 'they can't crack that encryption and they would just get suspicious. Cause they listen to me and listen to me and then suddenly I am encrypting and so that means I am really saying something they don't want me to.' This documents censor behavior where the mere use of strong encryption—independent of content—serves as a targeting signal.
-
Blocking in the studied country was erratic and inconsistent: some geographic areas accessed the Internet through channels outside the main government-controlled pipeline and experienced no blocking, while other areas experienced sudden unexplained block-and-unblock cycles (e.g., a video sharing site and a microblogging site were blocked for 2-3 days in 2010 and then unblocked without explanation). Users frequently could not distinguish between deliberate blocking and ordinary technical outages, and this ambiguity itself amplified self-censorship among users who had not been directly targeted.
-
Forum and blog platform operators in the censored country were systematically coerced into serving as first-line censorship enforcers: they monitored user comments, warned users that Internet anonymity did not exist, gave users chances to self-remove offending posts, and ultimately handed user identifying information to government agencies when users did not comply. Larger forums hired full-time moderators operating 24 hours a day to manage this compliance workload.
-
Users lacking technical circumvention skills bypassed blocking via social relays: technically savvy friends or contacts in unblocked regions copied blocked content into email or reposted it on social network profiles, allowing censored information to reach users who had no direct access to proxies or anonymizers. This informal bypass required no circumvention software on the recipient's end.
-
Tor bridges that always accept incoming connections enable a three-phase 'bridge aliveness attack': an adversary collects bridge descriptors at scale, correlates bridge uptime timestamps with pseudonymous post timestamps to narrow the candidate set (winnowing), then confirms identity via circuit-clogging and timing attacks. Because bridge descriptors remain valid indefinitely and the BridgeDB rate-limits only to one descriptor set per /24 prefix per week, an adversary with botnet or open-proxy access can hoard enough bridges for the winnowing phase to succeed.
-
A passive observer of BridgeSPA traffic sees only a TCP connection timeout on failed authorization or a successful TLS connection on success—exactly what they would observe with an unmodified Tor bridge. The ConnectionTag is indistinguishable from the normally-random ISN and timestamp fields in Linux 2.6, so no new observable artifact is introduced. However, BridgeSPA does not address the separate problem that Tor traffic itself remains fingerprint-distinguishable from HTTPS; this is an orthogonal concern.
-
BridgeSPA encodes a 32-bit SHA256-HMAC ConnectionTag derived from a time-limited MACKey into the TCP SYN packet's ISN (lower 3 bytes) and TCP timestamp (lower 1 byte) fields—values that are uniformly random in Linux 2.6 and therefore carry the tag innocuously. Bridges silently drop unauthorized SYN packets without returning any response, preventing aliveness queries. MACKeys rotate every 1–7 days (bridge-configured), so hoarded descriptors become stale within the epoch.
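The tag construction and field embedding can be sketched as follows (a simplified illustration: the MAC input format and field layout here are assumptions; the real system negotiates MACKey out of band and rotates it on the bridge's schedule):

```python
import hmac, hashlib

def connection_tag(mac_key: bytes, client_ip: str, minute: int) -> bytes:
    """32-bit ConnectionTag: HMAC-SHA256 over client address and current
    minute, truncated to 4 bytes."""
    msg = f"{client_ip}|{minute}".encode()
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:4]

def embed(tag: bytes, isn: int, tcp_ts: int):
    """Overwrite the ISN's lower 3 bytes and the TCP timestamp's lowest
    byte -- fields that look uniformly random in Linux 2.6, so the tag
    introduces no new observable artifact."""
    isn = (isn & 0xFF000000) | int.from_bytes(tag[:3], "big")
    tcp_ts = (tcp_ts & 0xFFFFFF00) | tag[3]
    return isn, tcp_ts

tag = connection_tag(b"shared-mackey", "203.0.113.7", minute=29_123_456)
isn, ts = embed(tag, isn=0xDEADBEEF, tcp_ts=123_456_789)
# The bridge recomputes the tag from the SYN and silently drops on mismatch.
assert (isn & 0x00FFFFFF) == int.from_bytes(tag[:3], "big")
assert (ts & 0xFF) == tag[3]
```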
-
Measured over 5,000 SYN/SYN-ACK pairs on a shared physical network hub—the best-case vantage for an adversary—BridgeSPA's DoorKeeper adds a mean latency of approximately 90 µs (280±20 µs baseline vs. 370±80 µs with BridgeSPA). This overhead is consistent with prior SilentKnock analysis concluding that an adversary would need hundreds of observed connections before gaining statistical advantage in distinguishing SPA-protected hosts from dynamic-firewall behavior.
-
An active man-in-the-middle adversary can hijack a live BridgeSPA TCP SYN by intercepting the ConnectionTag-bearing packet and racing to complete the bridge connection before the client's timestamp rounds to a new minute. Mitigating this requires the client to re-send the full (non-truncated) ConnectionTag after TLS is established, causing the bridge to act as a cover service (e.g., IMAP over TLS) until validated—but this mitigation is undermined by the fact that Tor bridge TLS certificates are currently distinguishable from other service certificates.
-
Encrypted protocols such as SSL/TLS remain fully fingerprintable through their unencrypted handshakes: DPI can apply static string matching, packet-length comparison, and timing profiling to the cleartext cipher-negotiation and key-exchange phases to identify and block the protocol even though the payload is encrypted.
-
Dust defeats DPI fingerprinting by constructing all packets from entirely encrypted or single-use random bytes (defeating static string matching), appending a random number of random padding bytes to every packet (defeating length matching), and permitting a complete client–server conversation to be encoded in a single UDP or TCP packet (defeating timing analysis for sufficiently small payloads).
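The length-randomization idea can be illustrated with a minimal sketch (framing and the padding cap are assumptions for illustration; every byte on the wire is encrypted or single-use random, defeating both string and length matching):

```python
import os

MAX_PAD = 64  # illustrative cap on padding length

def shape_packet(encrypted_payload: bytes) -> bytes:
    """Prepend a random amount of random padding (plus a length byte) so
    that identical payloads produce differently sized packets."""
    pad_len = os.urandom(1)[0] % (MAX_PAD + 1)
    return bytes([pad_len]) + os.urandom(pad_len) + encrypted_payload

def unshape_packet(packet: bytes) -> bytes:
    pad_len = packet[0]
    return packet[1 + pad_len:]

msg = os.urandom(32)            # stand-in for an already-encrypted payload
assert unshape_packet(shape_packet(msg)) == msg
```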
-
Dust eliminates the in-band key-exchange fingerprint surface via an out-of-band half-handshake: the server's public key, IP, port, and a single-use secret are bundled into a PBKDF-encrypted invite packet transmitted out-of-band; only the decryption password (not the server IP) appears in plaintext, defeating the email/IM IP-address blocking attacks documented against prior systems.
-
BitTorrent's Message Stream Encryption (MSE), despite omitting static strings from the handshake, can be identified with 96% accuracy using packet-size analysis and direction-of-packet-flow; MSE also uses a cleartext Diffie-Hellman key exchange, leaving an additional fingerprint surface.
-
The obfuscated-openssh handshake encrypts SSH with a key derived from an iterated-hash PBKDF whose slowness was intended to prevent real-time censor analysis; Wiley argues this defense fails because modern censors use statistical packet sampling with offline processing, and the slow key generation itself introduces a timing side-channel detectable from the inter-packet delay between the first and second packets.
-
Censorship mapping tools that detect filtering by probing blocked content create concentrated access patterns that are qualitatively different from normal user behavior, potentially exposing volunteers to scrutiny even in countries where individual access to filtered content would not ordinarily trigger enforcement action. The paper identifies this as a fundamental ethical tension intrinsic to any filtering measurement methodology.
-
Censors responding to encryption-based circumvention have two escalation options: block all encrypted connections outright, or identify the underlying protocol via traffic signatures that persist even inside encrypted tunnels. The paper frames these as the two dominant censor responses to DPI being defeated by encryption.
-
Open DNS resolvers, widely available across the internet as public services, make DNS poisoning trivially detectable globally: a researcher can connect to a resolver in a target country and compare responses against a trusted reference resolver, without requiring volunteer proxies or in-country infrastructure.
-
National-level filtering is not homogeneous: the administrative burden of maintaining up-to-date filtering rules at national scale leads states to delegate implementation to regional authorities or individual ISPs, producing measurable filtering differences between geographic regions and providers within the same country.
-
At the time of writing, the Tor network had no publicly announced exit nodes located on the Chinese mainland, making direct Tor-based measurement of GFW filtering unavailable. The paper generalizes this: heavily filtered countries show systematically low availability of relay services, precisely where measurement need is highest.
-
On a single 2.93 GHz Intel Core 2 Duo CPU core, the Telex elliptic-curve tagging scheme achieves approximately 5,482 tag generations per second and 11,074 tag verifications per second across 10 trials of 100,000 tags each (standard deviations of 0.016 s and 0.0083 s respectively). Tag verification is therefore unlikely to be a throughput bottleneck in a deployed Telex station.
-
Telex embeds steganographic tags in TLS ClientHello nonces using elliptic-curve Diffie-Hellman, placing proxy stations at ISP level on paths between the censor's network and popular uncensored destinations. Because the cover destinations are ordinary popular HTTPS websites, the censor cannot block Telex without simultaneously blocking a large class of legitimate TLS traffic — converting the censor's own reluctance to over-block into an unblockability guarantee.
-
A PlanetLab node in Beijing successfully loaded all 100 Alexa top-100 websites through a prototype Telex station at the University of Michigan; without Telex, 17 of the 100 sites were blocked (including facebook.com, youtube.com, blogspot.com, and twitter.com from the top 10), using forged RST packets, false DNS results, and destination IP blackholes. The median latency overhead for routing through Telex was approximately 60% for the 83 unblocked sites.
-
Telex prevents tag replay attacks by seeding the client's TLS key exchange randomness (e.g., the Diffie-Hellman exponent) with the shared secret ksh derived from the steganographic tag. The TLS Finished message must then be freshly encrypted with the newly negotiated master secret, implicitly proving knowledge of ksh. An adversary replaying a captured ClientHello nonce without knowing ksh cannot produce a valid Finished message, causing the server to terminate the connection.
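The replay-prevention idea can be sketched with a toy key schedule (an illustration, not Telex's actual construction: Telex uses elliptic-curve groups, and the derivation function here is assumed):

```python
import hashlib, secrets

P = 2**127 - 1   # toy Mersenne prime for a multiplicative DH group
G = 5

def dh_exponent_from_ksh(ksh: bytes, client_random: bytes) -> int:
    """Seed the client's DH exponent from the tag-derived secret ksh, so a
    valid Finished message implicitly proves knowledge of ksh."""
    seed = hashlib.sha256(ksh + client_random).digest()
    return int.from_bytes(seed, "big") % (P - 1)

ksh = secrets.token_bytes(32)
client_random = secrets.token_bytes(32)

# The Telex station, knowing ksh and observing client_random, derives the
# same exponent and hence the session keys; an adversary replaying a
# captured ClientHello nonce without ksh cannot.
x_client = dh_exponent_from_ksh(ksh, client_random)
x_station = dh_exponent_from_ksh(ksh, client_random)
assert x_client == x_station
assert dh_exponent_from_ksh(secrets.token_bytes(32), client_random) != x_client
```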
-
The paper identifies two unresolved fingerprinting surfaces: (1) traffic-shape analysis of packet sizes and inter-arrival times could distinguish Telex flows from normal TLS, and (2) the prototype exhibits detectable deviations from real servers at the IP layer (stale IP ID fields), TCP layer (incorrect congestion windows detectable by early acknowledgements), and TLS layer (different compression methods and cipher-suite extensions). Convincingly mimicking a diverse population of TCP/TLS server implementations is flagged as requiring substantial engineering effort.
-
The study located 495 router interfaces with attached IDS filtering devices across China, with CHINANET holding 79.4% and CNCGROUP 17.4%. The two ISPs use fundamentally different placement strategies: CHINANET distributes filtering across provincial networks (80% of its 21 served provinces operate their own filtering devices, Guangdong alone hosting 84 of 374 CHINANET interfaces), while 90% of CNCGROUP's 82 filtering interfaces concentrate in its backbone.
-
CNCGROUP's filtering interface count has grown to three times its 2007 level, now accounting for 17.4% of all 495 filtering interfaces found, while CHINANET's count has remained stable since 2007. This divergence indicates CNCGROUP is actively expanding its censorship infrastructure while CHINANET's filtering capacity has matured.
-
China's AS-level topology is shallow and concentrated: CHINANET and CNCGROUP together account for 63.9% of 133 unique foreign peerings, 87% of internal ASes are within one hop of a border AS, and just 24 border/backbone ASes serve as effective choke points for all international traffic. The TTL of GFW RST packets is now crafted to prevent IDS localization by TTL inspection, requiring TTL-incrementing probe packets to identify filtering device positions.
-
The GFW is fully stateful as of 2010: probing all 11,824 Chinese IP prefixes with single TCP packets containing the keyword 'falun' produced no RST responses, confirming that a complete TCP handshake must precede any filtering trigger. Earlier measurements (2006, 2007) reported contradictory results; this study finds statefulness is now universal across all probed prefixes.
-
14 of 495 filtering interfaces (2.9%) are located in non-border internal ASes, all but two belonging to CHINANET provincial subsidiaries. The paper notes that CHINANET's provincial filtering architecture creates infrastructure capable of inspecting inter-provincial domestic traffic, even though there is no current evidence it is being used for that purpose.
-
Collage's threat model identifies the censor's two most dangerous capabilities as: (1) aggregate traffic-flow analysis (e.g., NetFlow statistics) to detect anomalous access patterns to specific content hosts, and (2) joining the system as a sender or receiver to discover content locations and mount denial-of-service or deniability attacks. The censor is assumed to monitor all egress traffic but is modeled as computationally limited against joint statistical distributions across arbitrary user pairs.
-
Rateless erasure coding with ε=0.01 adds only a 0.5% storage and traffic overhead. Consistent hashing of message identifiers to task-database entries ensures that when 50% of tasks are replaced, sender and receiver still share at least one task if three or more tasks are mapped per identifier. At a 10× send rate, message recovery succeeds even if 90% of published vectors are blocked.
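The identifier-to-task mapping can be sketched with a simplified stand-in for consistent hashing (illustrative only; the real system hashes onto a shared task database, and the redundancy argument is what matters):

```python
import hashlib

def tasks_for(identifier: str, task_ids, copies=3):
    """Map a message identifier deterministically to `copies` tasks, so
    sender and receiver derive the same set independently, without
    communicating."""
    chosen = set()
    for i in range(copies):
        h = hashlib.sha256(f"{identifier}|{i}".encode()).digest()
        chosen.add(task_ids[int.from_bytes(h[:8], "big") % len(task_ids)])
    return chosen

tasks = [f"task-{i}" for i in range(100)]
picked = tasks_for("rendezvous-key", tasks)
# With 50% of tasks replaced, each of the >=3 mapped tasks survives
# independently with probability 1/2, so the chance of losing all of
# them is at most 1/8 -- sender and receiver usually still share one.
assert 1 <= len(picked) <= 3
assert picked == tasks_for("rendezvous-key", tasks)   # deterministic
```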
-
The paper demonstrates that no single steganographic algorithm can provide both availability and deniability, since almost all production algorithms have been broken and steganography alone does not hide the identities of communicating parties. Collage addresses this by treating the embedding algorithm as a swappable component in a layered architecture—vector layer, message layer, application layer—so that compromise of the embedding scheme does not compromise the system, and stronger algorithms (e.g., digital watermarking) can be substituted as they mature.
-
Production steganography tools achieve encoding rates of 0.01–0.05 (fraction of cover-medium bytes available for hidden data), yielding 20–100× increases in storage, traffic, and transfer time relative to the raw message. A 23 KB one-day news summary requires approximately 9 JPEG photos (~3 KB data per photo plus encoding overhead) and takes under 1 minute to retrieve over a fast connection; over an unreliable broadband wireless link the same message was received in under 5 minutes with sender time under 1 minute.
-
Collage leverages platform-scale user-generated content—Flickr's 3.6 billion images with 6 million new per day and Twitter's ~500K tweets/day as of 2009—as a covert channel substrate. Because the censor cannot block all UGC platforms simultaneously without removing massive amounts of legitimate content, the system achieves availability and user deniability that fixed-infrastructure proxies (e.g., Tor relays) cannot: accessing Flickr or Twitter does not implicate the user as a circumvention tool operator.
-
A dynamic binary-tree partitioning algorithm solves the proxy distribution problem with at most k(1 + ⌈log₂(n/k)⌉) total proxy keys: partition n users into k groups in round 1, then halve each compromised group on each compromise event. Each of k adversaries can trigger at most ⌈log₂(n/k)⌉ compromises, bounding total proxy expenditure tightly.
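The bound can be checked numerically with a small sketch of the halving argument (illustrative; one fresh key per compromise event is the accounting assumed here):

```python
import math

def compromises_per_adversary(group_size: int) -> int:
    """Each compromise event halves the group the adversary hides in, so
    isolation takes at most ceil(log2(group_size)) events."""
    events, size = 0, group_size
    while size > 1:
        size = math.ceil(size / 2)
        events += 1
    return events

def key_bound(n: int, k: int) -> int:
    return k * (1 + math.ceil(math.log2(n / k)))

n, k = 1024, 8
per_adv = compromises_per_adversary(math.ceil(n / k))
assert per_adv == math.ceil(math.log2(n / k))          # 7 halvings of 128
# k initial keys plus one fresh key per compromise stays within the bound.
assert k + k * per_adv <= key_bound(n, k)              # 64 <= 64
```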
-
A simple entropy argument proves the dynamic key distribution problem requires at least Ω(k log(n/k) / log(k + log n)) keys: the algorithm must identify which k of n users are adversaries from at most ℓ log ℓ bits of feedback (ℓ round outcomes each indexing one of ℓ keys), and distinguishing among C(n,k) adversary sets requires log C(n,k) = Ω(k log(n/k)) bits.
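The counting step can be illustrated numerically (using the standard inequality C(n,k) ≥ (n/k)^k):

```python
from math import comb, log2

# Distinguishing among C(n, k) possible adversary sets requires at least
# log2(C(n, k)) bits of feedback, which grows as ~ k * log2(n/k) for k << n.
n, k = 10_000, 10
required_bits = log2(comb(n, k))
assert required_bits >= k * log2(n / k)   # log2 C(n,k) >= k log2(n/k)
```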
-
The static proxy distribution problem — distributing keys from m proxies among n users, of whom k are colluding adversaries, so that all n−k legitimate users retain at least one uncompromised proxy — requires at most O(k² log n) keys and cannot be solved with fewer than Ω(k log(n/k)) keys. This establishes the information-theoretic cost of one-shot proxy distribution against k colluding informants among n users.
-
By reusing keys already held by trusted (non-suspicious) users for ℓ−1 of ℓ subgroups when bisecting the suspicious cohort — issuing only one fresh key per round — the total proxy count drops from O(k log n) to O(k² log n / log log n) in expectation. The information-theoretic lower bound is Ω(k log(n/k) / log(k + log n)), so this bound is tight in n up to a factor of k.
-
In invitation-based proxy networks (modeled on Psiphon's trust-tree), a single adversary can invite fake accounts as children in the trust tree, multiplying the effective adversary count k and invalidating sublogarithmic key budgets. For k=1 adversary on a trust tree of depth O(log n), an O(log n)-key algorithm exists by keeping the 'suspicious group' always rooted at a subtree boundary; for k>1 this remains an open problem.
-
Global anonymity is maximized when the anonymity set is large and behavior is uniformly distributed: 'global anonymity is maximal iff all subjects within the anonymity set are equally likely.' Strong global anonymity does not protect individual 'likely suspects' — even in a strong-anonymity system, one user with distinctive behavior may have weak individual anonymity. Strong or even maximal global anonymity does not imply strong anonymity of each particular subject.
-
Adding dummy traffic to any anonymity mechanism yields the corresponding kind of unobservability: 'A mechanism to achieve some kind of anonymity appropriately combined with dummy traffic yields the corresponding kind of unobservability.' DC-nets achieve sender anonymity and MIX-nets achieve relationship anonymity; with dummy traffic both achieve the corresponding sender and relationship unobservability respectively.
-
Pseudonymity uses persistent identifiers other than real names, enabling accountability while providing partial unlinkability; however, use of the same pseudonym across different contexts enables linkability: the attacker can link all data related to a pseudonym. Unlinkability of two messages requires that the attacker cannot sufficiently distinguish whether they share a sender or recipient; for a scenario with n senders, this holds iff the probability of common authorship is sufficiently close to 1/n.
-
Undetectability of a message requires that it be indistinguishable from 'random noise' — an attacker cannot sufficiently distinguish whether the message exists or not. This is distinct from anonymity, which protects only the relationship between an IOI and a subject, not the IOI's existence itself. Undetectability is possible only for subjects not involved in the IOI; senders and recipients cannot achieve it against each other.
-
The paper establishes a strict property hierarchy: unobservability ⇒ anonymity, and sender/recipient anonymity ⇒ relationship anonymity. Unobservability is strictly stronger than anonymity because it additionally requires undetectability against all uninvolved subjects — the IOI's very existence must be hidden — while anonymity only hides the subject's relationship to the IOI.
-
In the Clouds P2P protocol, a blocking attack against a specific topic requires adversaries to occupy at least 50% of the 200-peer region closest to the resource provider to be effective; below that threshold, query messages routed through multiple paths bypass the censorship. This 50% threshold holds regardless of the number of clouds κ created per peer.
-
The number of clouds per peer κ has no measurable effect on censorship resistance (Figure 5 curves are identical across κ = 1–4), while cloud size is the dominant driver of message overhead. This decoupling means designers can increase κ to improve anonymity without degrading censorship resistance or incurring bandwidth cost.
-
Cloud locality — building clouds from semantically close peers via short-distance links — ensures that 2-wise and 3-wise cloud intersections have median cardinality between 40 and 50 peers, and the probability that a peer participates in clouds whose pairwise intersection falls below 40 is below 10⁻⁴, rendering intersection attacks infeasible in practice.
-
The surrounding attack on peer anonymity is also effective only when adversaries control at least 50% of the ~100 semantically closest peers to the target; at 25% malicious peers, at least 10 honest peers still join the target's cloud at every step of the joining algorithm, preserving k-anonymity.
-
The Clouds protocol retrieves approximately 70% of available answers even in the absence of attackers, representing a ~30% retrieval performance decrease relative to an insecure SON. This baseline loss stems from the cloud-based routing mechanism's probabilistic message delivery, not from adversarial interference.
-
Website fingerprinting attacks that match file sizes and access patterns against a database of known sites remain applicable to SkyF2F, but are limited to the granularity of 512-byte fixed-size stream cells, since streams are multiplexed within a single tunnel circuit. The authors note this is less effective than against SafeWeb, where full request/response sizes are directly observable.
-
Because Skype relies on a central login server, it is technically possible for a censor to block Skype, but the paper observes that blocking widely-deployed services like Skype or Google inflicts real economic harm, making it a credible deterrent. Additionally, Skype's proprietary, closed-source protocol and P2P architecture make it harder to characterize and selectively filter than open protocols.
-
SkyF2F's friend-to-friend service model, where a server publishes its appid only to trusted contacts rather than publicly, provides significant resistance to both sybil attacks (malicious censor-controlled servers) and DoS exhaustion attacks. A censor posing as a client can establish many tunnels to exhaust a public server's resources; restricting service to a trusted friend list eliminates most of this attack surface.
-
SkyF2F tunnels censored traffic through Skype's encrypted overlay network, forcing the censor into an all-or-nothing dilemma: blocking SkyF2F requires blocking Skype entirely, which causes actual economic damage to businesses and users who depend on it. Because Skype users are identified by pseudonym and all messages are routed to overlay addresses rather than Internet addresses, IP-based blocking, DNS filtering, port blocking, and keyword filtering are all rendered ineffective.
-
A censor hosting Skype supernodes can perform passive traffic-flow analysis on relayed streams even without breaking encryption, since supernode-relayed conversations expose traffic metadata. However, with thousands of supernodes in the Skype network, the probability that any censor-controlled supernode relays a specific SkyF2F tunnel is low, making large-scale correlation high-cost.
-
Using Tor exit nodes to query the bridge authority, the authors enumerated 247 bridge descriptors over two weeks (out of 1,716 active bridges during that period). An adversary running a relay advertising just 10 MBps of bandwidth would discover 63% of bridges that relay at least 40 circuits and 87% of bridges running at least 80 circuits, because all Tor clients proactively build circuits every 10 minutes.
-
A circuit-clogging attack against bridge operators—using median-normalized latency correlations—achieved an AUC of 0.884 and an equal error rate of 0.2 when distinguishing the victim bridge from innocent bridges in PlanetLab experiments with 180 victim and 180 disjoint runs. With 10 repeated clogging experiments and a majority-vote threshold, the false positive (and false negative) rate drops below 0.033, confirming a bridge operator's identity with high confidence given a candidate set of ≤4.4 bridges from the winnowing stage.
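A back-of-the-envelope check of the majority-vote claim, assuming each of the 10 clogging experiments errs independently at the 0.2 equal error rate and the vote threshold is 5 of 10 (both assumptions of this sketch):

```python
from math import comb

def tail(n: int, p: float, threshold: int) -> float:
    """P(at least `threshold` of n independent trials err, each w.p. p)."""
    return sum(comb(n, k) * p**k * (1 - p)**(n - k)
               for k in range(threshold, n + 1))

err = tail(n=10, p=0.2, threshold=5)
assert err < 0.033    # ~0.0328, matching the quoted error rate
```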
-
The architectural coupling of 'surfing' and 'serving' in Tor's bridge design—where enabling the bridge service is required to use Tor as a client—means a bridge always accepts connections whenever its operator is online, allowing a remote non-global adversary to probe a bridge's availability at negligible cost (less than 2 bps per bridge per status check via SYN/RST). Of the 247 enumerated bridges, only an average of 29.6 (just over 10%) were accessible at any given moment, providing a highly discriminating availability signal for intersection attacks.
-
An 'unfair queuing' mechanism that partitions CPU time between bridge-operator circuits and bridge-client circuits using a time-allocation parameter τ=0.9 reduced the circuit-clogging AUC from 0.884 to 0.520 (median-normalized) and 0.412 (mean-normalized)—indistinguishable from random guessing—in 20 PlanetLab experiments. The mechanism eliminates latency interference between the two circuit types without requiring the bridge to ever refuse connections, but introduces up to 1−τ performance loss for client traffic.
-
Cross-referencing the online/offline status of 87 monitored bridges against 186,935 Wikipedia users' edit sessions showed that 95.7% of users with 50 or more sessions matched zero bridges after winnowing. For users with 180 or more sessions (a surrogate for long-term pseudonymous activity), only 89 false positives remained among 2,329 users—a false positive rate of 0.000439—meaning that even if 10,000 Tor clients volunteer to bridge, on average only 4.4 bridges remain after the winnowing stage.
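One way to reconcile the quoted figures (an interpretation, not stated explicitly in the source) is to read the rate as per user-bridge pair, i.e. 89 false matches over 2,329 users times 87 monitored bridges:

```python
users, bridges, false_matches = 2329, 87, 89

# Per-pair false positive rate and expected survivors among 10,000 bridges.
fpr = false_matches / (users * bridges)
assert abs(fpr - 0.000439) < 1e-6          # matches the quoted 0.000439
assert abs(10_000 * fpr - 4.4) < 0.05      # ~4.4 bridges after winnowing
```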
-
The Great Firewall of China deploys at least four distinct, simultaneously-operating RST injectors with separate fingerprints (IPID 64, IPID -26, SEQ 1460, RAE). The RAE injector—which sets RST+ACK+ECN-nonce-sum flags—is the most common, with 4,162 distinct source IPs observed at UCB alone. Of 298 ICSI hosts disrupted by Chinese injectors, 102 showed fingerprints of two or more injectors acting independently on the same connection.
-
Injectors sending multiple RSTs with increasing sequence numbers to overcome the RST_SEQ_DATA race condition produce a detection signature (RST_SEQ_CHANGE) that cannot arise from a standards-compliant TCP endpoint: the second RST must have a sequence number exceeding both the preceding RST and any ACK yet observed from the receiver. This creates an inherent design tension — a robust injector that uses sequence-incremented multi-packet RSTs to ensure delivery is precisely the kind most detectable by passive monitoring.
-
Out-of-band RST injectors fundamentally face race conditions because they cannot modify in-flight packets: a data packet may pass the injector's observation point before the forged RST is generated, producing detectable out-of-sequence RSTs (RST_SEQ_DATA) or post-RST data packets (DATA_SEQ_RST). A passive detector exploiting these two race conditions, plus a third signature (RST_SEQ_CHANGE) from multi-packet injectors, reliably identifies injected RSTs across four network datasets totaling 30.2M TCP flows.
-
Individual RST injectors exhibit stable, idiosyncratic header-field fingerprints enabling device-level identification across geographically separated sites. Sandvine devices produce back-to-back RST pairs where the second packet's sequence number is exactly 12,503 higher than the first (a known implementation bug confirmed by Sandvine's CTO) with IPID increments of 4 then 1; 90% of 193 alerting Comcast IP addresses across all four datasets matched this fingerprint. The GFW SEQ 1460 injector always increments sequence numbers by 1,460 regardless of actual MTU or window size.
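A passive check for the Sandvine fingerprint could look like the following sketch (the packet representation, and reading the IPID increments as relative to the triggering packet, are assumptions of this illustration):

```python
def matches_sandvine(trigger, rst1, rst2) -> bool:
    """Each packet is a (seq, ipid) tuple. Flags the known Sandvine bug:
    second RST's sequence number exactly 12,503 above the first, with
    IPID increments of 4 then 1."""
    (_, trig_ipid), (s1, i1), (s2, i2) = trigger, rst1, rst2
    return (s2 - s1 == 12_503) and (i1 - trig_ipid == 4) and (i2 - i1 == 1)

assert matches_sandvine((1000, 50), (1000, 54), (13_503, 55))
assert not matches_sandvine((1000, 50), (1000, 51), (13_503, 52))
```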
-
The proposed countermeasure of ignoring RST packets with anomalous TTLs (to defeat GFW injection, per Clayton et al. 2006) is impractical: 28% of normal responder-terminated TCP flows have RST TTLs differing from prior data packets, with changes clustering around 64, 96, 128, and 192. Of 200 randomly sampled flows with differing TTLs, only 2 triggered the injection detector, confirming the high false-positive rate of single-field TTL heuristics.
-
Centralized proxy-discovery services are reliably disabled by censors: both Anonymizer and SafeWeb were blocked in China by targeting their central discovery sites, and Wikipedia identified and blocked all 700+ Tor anonymizing relay servers to prevent anonymous edits. Any single publicly-known host that handles proxy distribution becomes the censor's primary and sufficient target.
-
Kaleidoscope uses at most one intermediate relay hop so proxies can serve users beyond their immediate trust neighborhood without directly learning user addresses. If a system allowed each proxy to directly advertise to N users, a censor posing as a proxy would learn N user identities; the one-hop relay design caps per-proxy exposure to r=5 relay addresses and keeps end-user identities hidden from proxies.
-
On a crawled Orkut subgraph of 42,474 users (≈90% Brazilian nodes treated as the censored domain, 15% of external nodes as proxies = 1.5% overall), the median node reaches 7 proxies — higher than the synthetic graph due to greater average degree (5.59 vs. 4.65) and lower clustering. Even when subverted trust links reach half the total proxy count, more than 94% of users can still access at least one proxy unknown to the censor.
-
Kaleidoscope bounds censor knowledge by routing proxy advertisements over symmetric random routes of length r=5 on a social trust graph: if the censor controls f subverted trust links, they can learn of at most r×f = 5f users or proxies regardless of how many Sybil identities they generate. Symmetric routing ensures the set a node learns of and the set that learns of a node are identical, closing the asymmetric information-leakage channel.
-
Simulation on a synthetic social graph of one million nodes (average degree 4.65, maximum 13) shows that when 1.5% of nodes act as proxies and random routes of length r=5 are used, the median node can reach 3 proxies and more than 90% of nodes can access at least one proxy.
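The dissemination idea can be illustrated with a toy simulation: each proxy advertises its address along one random route over the trust graph, and only nodes on that route learn of it. The graph, proxy placement, and walk details are illustrative; the real protocol additionally enforces route symmetry and per-link limits.

```python
import random

def random_route(graph, start, r, rng):
    """Take an r-hop uniform random walk from `start` over the trust graph."""
    route = [start]
    for _ in range(r):
        route.append(rng.choice(graph[route[-1]]))
    return route

def disseminate(graph, proxies, r, rng):
    """Each proxy advertises along one random route of length r; every node
    on the route learns of that proxy and nothing else is revealed."""
    known = {v: set() for v in graph}
    for p in proxies:
        for node in random_route(graph, p, r, rng):
            known[node].add(p)
    return known

# Toy trust graph (adjacency lists) standing in for the social network.
graph = {
    0: [1, 2], 1: [0, 2, 3], 2: [0, 1, 4],
    3: [1, 4, 5], 4: [2, 3, 5], 5: [3, 4],
}
rng = random.Random(7)
known = disseminate(graph, proxies={0, 5}, r=5, rng=rng)
```

Because knowledge spreads only along walks of bounded length, a censor holding f subverted links observes at most the advertisements crossing those links, which is the source of the r×f exposure bound.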
-
ChinaNET (CHINANET-*) performed 324/389 = 83.3% of all filtering observed across 296 probed hosts over a two-week period, and 99.1% of all filtering that occurred at the first hop past the Chinese border, despite constituting only 77% of first-hop routers encountered.
-
GFC keyword filtering exhibits strong diurnal patterns in which filtering effectiveness drops markedly during busy network periods, sometimes letting more than one fourth of packets containing known filtered keywords pass through unimpeded; the blocking timeout after a keyword RST was measured at 90 seconds for the tested route.
-
GFC keyword filtering is distributed across the backbone, not confined to border routers: only 29.6% of filtering occurred at the first hop into China's address space, 11.8% occurred beyond the third hop (with as many as 13 hops past the border in one case), and 28.3% of the 296 probed Chinese hosts were reachable via paths with no filtering at all.
-
Latent semantic analysis applied to the Chinese-language Wikipedia (942,033 terms across 94,863 documents, k=600 rank reduction) discovered 122 previously unknown GFC-filtered keywords starting from only 12 seed concepts; each list of 2,500 candidate terms required 1.2–6.7 hours to probe, with an average of 3.5 hours.
-
When the GFC keyword blacklist is known, multiple server-side-only evasion techniques become viable requiring no client modification: IP packet fragmentation to split keywords across MTU boundaries, HTML comment injection mid-keyword (e.g., 'Fa<!-- Comment -->lun Gong'), alternative URL percent-encodings (e.g., 'F%61lun Gong'), and spam-style character substitution ('F@1un G0-ng'); the GFC implementation was observed not to check control characters in URL requests.
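Given a known blacklisted keyword, the string-level transformations are mechanical to generate; a sketch (keyword, comment text, and substitution table chosen for illustration):

```python
def percent_encode(keyword, i=1):
    """Percent-encode the character at index i for use in a URL path."""
    return keyword[:i] + "%%%02X" % ord(keyword[i]) + keyword[i + 1:]

def html_comment_split(keyword, pos=2):
    """Insert an HTML comment mid-keyword: a per-string matcher misses the
    keyword while the browser strips the comment and renders it intact."""
    return keyword[:pos] + "<!-- x -->" + keyword[pos:]

def substitution(keyword, table=None):
    """Spam-style character substitution."""
    table = table or str.maketrans({"a": "@", "o": "0", "l": "1"})
    return keyword.translate(table)
```

Each variant defeats exact byte-string matching while remaining legible (or renderable) to the human reader at the other end.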
-
A single bad Chinese DNS server queried 600 times about the same censored domain consistently returned a random address from the same pool of 8 IPs across all responses, confirming that the tampered behavior is deterministic and centrally coordinated rather than ISP-specific or probabilistic. The same 8-IP pool appeared uniformly across servers from China Telecom, China Unicom, and other carriers.
-
99.88% of 1,607 tested Chinese recursive DNS servers returned tampered responses for censored domains. Tampered responses drew from a pool of only 8 IP addresses, compared to 441–454 distinct IPs returned by U.S. control servers for the same query set — with 366 censored domains sharing exactly those 8 IPs.
-
Because the GFW injects forged DNS responses rather than dropping the original query packet, the legitimate response from the upstream DNS server may still arrive after the injected forgery. The authors propose two circumvention strategies: querying on a non-standard port to bypass the port-53-only injection filter, or issuing standard-port queries and selectively discarding responses matching the known bad-IP pool to recover the authentic answer.
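The second strategy can be sketched as a client-side filter over all responses received for one query; the pool addresses below are placeholders, not the measured 8-IP pool.

```python
# Illustrative stand-ins for the known pool of forged answers (the real
# pool of 8 addresses is not reproduced here).
FORGED_POOL = {"203.0.113.1", "203.0.113.2"}

def authentic_answers(responses):
    """Keep querying on port 53, collect every response that arrives for
    the query, and discard any whose answer falls in the forged pool.

    responses: list of (qname, answer_ip) tuples observed for one query.
    """
    return [ip for _, ip in responses if ip not in FORGED_POOL]
```

Because the injector races the real resolver rather than suppressing it, the legitimate answer usually survives this filter.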
-
TTL manipulation experiments demonstrated that the GFW injects forged DNS responses at the router level, not at the DNS server: responses to censored domain queries exhibited inconsistent IP ident fields and wildly varying TTL values — consistent with a stateless in-path router — while control (non-censored) responses to the same server showed monotonically increasing ident and stable TTL. The injection was observed exclusively on port 53; identical queries sent to port 80 received no injected responses.
-
Nonsense domains with known-censored hostnames embedded as subdomains (e.g., www.epochtimes.com.pSyfA6srAZ0qCxU63.com) triggered the same tampered responses — returning the pool of 8 bad IPs — as direct queries for the censored domain. Control-subdomain nonsense domains (e.g., www.pSyfA6srAZ0qCxU63.com) did not trigger tampering, indicating the GFW performs substring keyword matching across the full DNS query label string.
-
A hybrid two-stage blocking system (IP-redirect first stage, URL-proxy second stage) can be exploited as an oracle to enumerate blocked IP addresses by sending TCP packets with a TTL sufficient to reach the first-stage redirector but insufficient to reach the destination. Non-redirected IPs return ICMP TTL-expired from an intermediate router, while redirected IPs return a SYN/ACK from the web proxy impersonating the destination. A live scan of a /24 subnet confirmed 17 redirected IP addresses, yielding 91 associated hostnames across 9 of those IPs.
-
Using a simple dialup connection, the CleanFeed oracle scan enumerated IP addresses at up to 98 addresses/second. At this rate, the ~8.3 million Russian IP addresses (the IWF reported 25% of known illegal sites were hosted in Russia) could be scanned in under 24 hours, and the full routable IPv4 space (32% of 2^32 addresses) in approximately 160 days. A suitable filtered dialup account was available for free, with phone costs under £15.
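The scan-budget arithmetic follows directly from the reported rate; a worked check (figures as stated in the finding):

```python
RATE = 98  # addresses scanned per second over a dialup connection

russian_ips = 8_300_000
hours_for_russia = russian_ips / RATE / 3600       # about 23.5 hours

routable = 0.32 * 2**32                            # ~32% of IPv4 routable
days_for_routable = routable / RATE / 86400        # about 162 days
```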
-
The CleanFeed first stage populates its IP blocklist by automatically resolving hostnames from the IWF database via DNS. Content providers can serve false DNS results pointing to high-traffic third-party IP addresses (e.g., Google cache servers at 66.102.9.104), causing the first stage to redirect legitimate traffic through the proxy. Automated IP-update processes cannot reliably distinguish a genuine IP migration from a spoofed DNS result, and this can cause legitimate sites to be blocked collaterally.
-
The hybrid two-stage design's architectural vulnerability is that circumventing either stage independently defeats the system: end-users can tunnel via Tor or JAP to bypass both stages entirely, while content providers can serve different content to IWF crawlers versus real users, exploiting the fact that only 33% of IWF hotline reports were substantiated as potentially illegal. The system's precision is entirely contingent on content-provider cooperation, which cannot be assumed.
-
Brightview's countermeasure requiring a minimum probe TTL of 24 (to prevent low-TTL scans from stopping at the proxy) was bypassed by sending probes with TTL=128 and examining the TTL of returned SYN/ACK packets. The UK web proxy consistently returned TTL=49 (64−15 hops), while Russian destination servers returned TTL=45–49 or TTL=113–238 depending on initial OS TTL settings. The two populations were cleanly distinguishable, defeating the fix with no change to scan logic beyond raising the probe TTL.
-
Post-trigger blocking persisted for an average of ~20 minutes (observed range: a few minutes to nearly an hour) per source-IP/destination-IP pair, but was scoped to the 128 TCP port numbers sharing the same 9 most-significant bits as the triggering connection's ephemeral port. On pseudo-random ephemeral-port systems such as OpenBSD, the probability of a subsequent connection falling in the blocked port range is only ~1 in 500; on sequential-port systems such as Windows, an average of 64 further connections are blocked.
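Both probabilities follow from a 128-port block within the 2^16 port space; a worked check:

```python
BLOCKED_PORTS = 128          # ports sharing the triggering port's high bits
PORT_SPACE = 2**16

# Pseudo-random ephemeral ports (OpenBSD): each new connection lands in the
# blocked range independently.
p_hit = BLOCKED_PORTS / PORT_SPACE                # 1/512, i.e. ~"1 in 500"

# Sequential ports (Windows): the triggering port sits uniformly within its
# 128-port range, so on average half the range still lies ahead of it.
expected_blocked_sequential = BLOCKED_PORTS / 2   # 64 further connections
```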
-
In measurements conducted over 10 days in early February 2006, the GFW inspected traffic to approximately two-thirds of the addresses in a 256-address block per hourly probe, with address selection following a structured (non-random) pattern consistent with simple modular assignment to a limited pool of IDS devices. After several days, the inspected fraction rose to nearly all addresses, suggesting a configuration change to expand capacity.
-
The GFW's keyword-blocking mechanism relies entirely on endpoints honoring injected TCP RST packets; because the IDS operates out-of-band and cannot remove packets already queued in the router's transmission path, configuring both endpoints to silently discard incoming RSTs (e.g., via `iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP`) allows blocked content to transfer unimpeded. In a controlled experiment, 28 injected RSTs were ignored and the complete blocked web page was successfully retrieved.
-
The GFW performs no stateful TCP stream reassembly, inspecting one packet at a time: splitting the blocked keyword '?falun' across two TCP segments is sufficient to evade detection entirely. Cross-device state is also absent — triggering a block on one border AS (e.g., AS9929) had no effect on traffic transiting a different Chinese border AS.
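The absence of reassembly can be illustrated by contrasting a per-packet matcher with the endpoint's view of the stream (keyword and segmentation chosen for illustration):

```python
KEYWORD = b"falun"

def stateless_match(segments, keyword=KEYWORD):
    """Per-packet matcher with no stream reassembly, as the GFW behaved
    in these 2006 measurements: each segment is inspected in isolation."""
    return any(keyword in seg for seg in segments)

def endpoint_view(segments):
    """The receiving TCP stack reassembles the stream before delivery."""
    return b"".join(segments)
```

Splitting the keyword across two segments defeats the per-packet matcher while the endpoint still receives the full request.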
-
GFW-injected RST packets are distinguishable from legitimate endpoint RSTs by TTL: in the authors' 2006 experiments forged resets carried TTL=47 while genuine server packets carried TTL=39, consistent with the IDS sitting 8 hops closer to the client than the destination server. A 20-line FreeBSD kernel patch implementing TTL-divergence filtering was developed and demonstrated positive results in practice.
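The filtering logic amounts to comparing a RST's arriving TTL against the TTL learned from the peer's earlier data packets; a sketch of the decision rule (the actual patch lives in the FreeBSD kernel, and a `slack` parameter is added here because TTL-only heuristics can misfire on legitimate route changes):

```python
def rst_filter(expected_ttl, packet, slack=0):
    """Drop RSTs whose arriving TTL diverges from the TTL observed on the
    peer's data packets for the same connection.

    expected_ttl: TTL learned from prior data packets (e.g. 39).
    packet: dict like {"flags": "RST", "ttl": 47}.
    """
    if packet["flags"] == "RST" and abs(packet["ttl"] - expected_ttl) > slack:
        return "drop"          # likely injected by an in-path IDS
    return "accept"
```

With the 2006 observations (data at TTL=39, forged resets at TTL=47), the divergence of 8 cleanly separates the two populations.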
-
Tor's public relay list (a few thousand IP addresses as of 2006) can be trivially enumerated and blocked by a censor. The paper proposes 'bridge relays' drawn from Tor's existing user base of hundreds of thousands of people, creating a pool of frequently-changing IP addresses that is too large and dynamic for a censor to enumerate completely. Bridge relays rate-limit relayed connections to ~10 KB/s and publish descriptors only to a private bridge directory authority rather than the public consensus.
-
The paper proposes dividing public bridge addresses into 8 pools (n=3 bits from HMAC(identity-key, authority-secret)) each assigned a distinct distribution strategy: time-windowed release, IP-subnet-partitioned assignment, time+location combined, mailing-list rotation, email/CAPTCHA delivery, and social-trust delegation. Deploying all strategies concurrently forces the attacker to allocate resources across every channel simultaneously, making all strategies more robust than any single strategy deployed alone.
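The pool assignment can be sketched as follows; the hash function (SHA-256) and argument ordering are assumptions, since the finding specifies only an HMAC over the bridge identity key and an authority secret:

```python
import hmac, hashlib

def bridge_pool(identity_key, authority_secret, n_bits=3):
    """Deterministically assign a bridge to one of 2**n_bits distribution
    pools using the top bits of an HMAC, so neither bridges nor attackers
    can choose or predict their pool without the authority's secret."""
    digest = hmac.new(authority_secret, identity_key, hashlib.sha256).digest()
    return digest[0] >> (8 - n_bits)
```

The assignment is stable for a given bridge (same key, same pool) yet unpredictable to anyone without the secret, which is what lets each pool carry a distinct distribution strategy.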
-
If bridges run on predictable ports and any TCP connection to a bridge port reveals it as a Tor bridge, a censor can scan the entire address space of residential ISP ranges to enumerate and block all bridges. The paper proposes 'scanning resistance': bridges require a nonced hash of a pre-shared password before revealing Tor behavior, and respond to unauthenticated connections by impersonating an ordinary HTTPS server (e.g., default Apache page or a random legitimate website).
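The gate can be sketched with a hash of a nonce and the pre-shared password standing in for whatever concrete construction a deployment would choose:

```python
import hashlib, hmac, os

SHARED_PASSWORD = b"bridge-password"  # distributed out of band with the address

def challenge():
    """Bridge issues a fresh nonce to each connecting client."""
    return os.urandom(16)

def client_response(nonce, password=SHARED_PASSWORD):
    return hashlib.sha256(nonce + password).hexdigest()

def bridge_accepts(nonce, response, password=SHARED_PASSWORD):
    """Speak the Tor protocol only to clients proving password knowledge;
    answer everyone else like a stock HTTPS server."""
    expected = hashlib.sha256(nonce + password).hexdigest()
    return hmac.compare_digest(expected, response)
```

An address-space scanner without the password sees only the decoy HTTPS behavior, so a bare TCP probe no longer confirms that the host is a bridge.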
-
Tor's 2006 TLS handshake contained multiple identifying fingerprints exploitable by censors: the X.509 organizationName field was set to 'Tor', the relay nickname appeared in the commonName field, clients always presented certificates (unlike browsers), and Tor used two-certificate chains (identity cert + per-session TLS cert) while most consumer HTTPS services use a single certificate. The paper flags these as sufficient for a censor to identify Tor traffic without deep payload inspection.
-
Tor encrypts payload but does not obscure traffic volume, leaving a residual publisher-vs-reader asymmetry: a user publishing a home video generates a markedly different upload/download ratio than one reading news. The paper also notes that website fingerprinting attacks — where the adversary pre-downloads hundreds of popular sites and matches traffic patterns to a Tor client's stream — remain possible even through bridge circuits, and are exacerbated by Tor's varying supported protocols (web vs. IM produce different timing signatures).
-
Theorem 1 proves that censorship resistance (CR) implies Private Information Retrieval (PIR): any system achieving low censorship susceptibility must implement PIR as an underlying primitive. CR systems cannot be built with cryptographic primitives weaker than PIR.
-
Server-deniability schemes (Publius) and data-entanglement schemes (Tangler, Dagster) both achieve censorship susceptibility of 1 under the cooperative-server model. Publius fails because the Publius URL encodes the hosting servers and document identity in public, enabling direct query filtering. Tangler and Dagster fail because their limited-width entanglement graphs allow a censor to remove a document with collateral damage too small to prevent selective censorship — only a small number of blocks per document are entangled.
-
PIR alone does not achieve censorship resistance. Using the QRA (Quadratic Residuosity Assumption) PIR scheme as a direct CR implementation, a filter can replace a query component — substituting a quadratic residue for a non-residue at the target column index — forcing the server to return an incorrect result for the targeted document while leaving all other documents unaffected, yielding censorship susceptibility of 1.
-
Theorem 3 demonstrates that having the server digitally sign its response together with the verbatim client query is sufficient to achieve CR when built atop any secure PIR protocol. This construction (sys+S) eliminates query modification as an attack vector, reducing the censor's viable strategies to query-dropping only — an advantage bounded above by the underlying PIR adversary's advantage, proving that the censor must shut down the entire service to achieve selective filtering.
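The sys+S construction can be sketched with an HMAC standing in for the server's digital signature (the Python standard library has no public-key signing; a real deployment would use one). The tag binds the verbatim query to the response, so a filter that rewrites the query in flight is detected by the client:

```python
import hmac, hashlib

SERVER_KEY = b"server-signing-key"  # stand-in for the server's signing key

def answer(query, result, key=SERVER_KEY):
    """Server returns (result, tag) where the tag covers the verbatim
    client query together with the response."""
    tag = hmac.new(key, query + b"|" + result, hashlib.sha256).hexdigest()
    return result, tag

def verify(query, result, tag, key=SERVER_KEY):
    """Client checks the tag against the query it actually sent."""
    expected = hmac.new(key, query + b"|" + result, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

A censor who substitutes a different query (or a different result) produces a tag mismatch, leaving outright query-dropping as the only remaining attack.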
-
Under a threat model granting the censor universal inspection of server communications and processing logs — with only the server's signing key withheld — data-replication systems (Freenet, Gnutella, Eternity Service) and anonymous-communication systems (Free Haven, Serjantov's scheme) all achieve censorship susceptibility of 1. Because document names are publicly known, a censor with full server visibility can selectively drop any targeted query without disrupting access to other documents.
-
The paper argues that censorship is an economic activity in which both censor and target incur costs, and that binary 'blocked/unblocked' models are as unrealistic as an omnipotent global adversary. Technology changes (e.g., moveable type, online publishing, trusted computing) can shift the cost parameters dramatically, making quantitative cost modeling — rather than binary vulnerability analysis — the correct framing for censorship-resistance evaluation.
-
Discretionary P2P networks avoid the social-choice and incentive-manipulation problems inherent in random distribution, which requires collective agreement on a system-wide resource ratio (rs, bs) and thus creates incentives to subvert voting or reputation mechanisms. By allowing nodes to self-select content, discretionary systems need no election schemes, reputation systems, or electronic cash, enabling simpler and more stable designs.
-
Under the paper's economic model, the aggregate censorship-resistance defense budget is always at least as large in a discretionary P2P network (nodes serve content they choose) as in a random-distribution network: for every node i, td ≥ ts, so the total cost imposed on the censor satisfies Σtd ≥ Σts. Equality holds only when all nodes share identical preferences (ri = rs); in all other cases discretionary distribution is strictly harder to censor.
-
In a random-distribution network, nodes whose utility is non-decreasing under censorship will set their defense budget to zero. For example, in a network with rs = 0.5 (equal red/blue), a censor shifting the distribution to rc = 0 (all blue) increases the utility of strongly blue-preferring nodes; they then invest nothing in resistance, reducing aggregate network defense.
-
Under the paper's quadratic utility function and linear defense probability P(t) = t/T, a node will invest zero resources fighting censorship when the censor's imposed distribution reduces its utility by less than half (i.e., when Ui(rc,bc) ≥ Ui(ri,bi)/2). Nodes whose preferences most diverge from the censor's are the first to resist; mild censorship therefore attracts little aggregate resistance.
-
The paper presents a systematic taxonomy of blocking criteria across ISO/OSI layers: circumstance-based (addresses including sender/receiver/kind/physical location; timing including send time, receive time, duration, frequency; data-transfer properties; services including protocols, names, addresses) and content-based (file type/MIME, statistical detection of encrypted or compressed data, pattern matching for keywords or phrases, and website fingerprinting via request-count/byte-volume signatures).
-
The paper proposes using CAPTCHAs (hard AI problems) to gate forwarder-list access, forcing the blocker to expend human resources solving every puzzle while each blockee solves only one. However, a 'stealing cycles from humans' attack allows a censor to relay CAPTCHAs to unwitting third parties (e.g., visitors to an attacker-operated website) who solve them on the censor's behalf.
-
NAT and firewalls make volunteer forwarders (JAPR) unreachable for inbound connections by default, removing the incentive for volunteers to reconfigure their systems for no personal benefit. The design response is to reverse the connection direction — JAPR initiates contact with JAPB — shifting the NAT/firewall configuration burden to the motivated blockee who gains direct benefit from solving it.
-
For a secure steganographic system the embedding ratio is at least 1:10, meaning 1 MB of web content requires 10 MB of transmitted cover data; for a system robust against active attacks (e.g., StirMark bilinear distortions) the ratio is probably 1:100. A censor need not break the steganographic algorithm with high accuracy — suspicion alone is sufficient, since the censor can probe suspected nodes directly by acting as a blockee.
-
The protocol between blockee and volunteer forwarder is designed to be transport-layer independent from the outset, allowing substitution of plain TCP with SSL tunnels, SMTP, or steganographic channels as the censor escalates detection. The system is intentionally deployed in a weak initial form to observe how quickly and in what manner the censor adapts, then hardened iteratively based on measured censor behavior.
-
The paper evaluates all major circumvention techniques available in 2003 and concludes that only application-layer proxies (HTTP, SOCKS, JAP, peek-a-booty) and IP tunneling can defeat all three blocking layers (IP filtering, DNS tampering, filtering proxies) simultaneously. Encryption alone cannot circumvent IP or DNS blocking; HTTPS hides URL paths but not the destination host; DNS-over-HTTPS/DNSSEC can detect but not defeat DNS tampering without a third-party resolver.
-
An empirical DNS survey of North Rhine-Westphalia providers (May 2003) found that kids.stormfront.org — not named in the blocking order — was returned with obscure errors by 56% of surveyed servers, while rotten.com (also not in the order) was erroneously blocked by 11% of providers. www.stormfront.org itself was blocked by 12 providers with 0% still accessible, demonstrating that real-world DNS-tampering deployments systematically over-block non-targeted names at high rates.
-
Survey of NRW provider DNS implementations revealed at least five distinct tampering strategies in the wild: name hijacking to a government redirect server, NXDOMAIN for entire zones, name astrayment to 127.0.0.1 (user's own machine) or to unallocated IPs such as 1.1.1.1, silence (no reply), and provoked SERVERFAIL. One provider (tops.net) additionally set tracking cookies on users redirected to its block-notification page, demonstrating that name hijacking creates a surveillance vector beyond the blocking itself.
-
DNS zone architecture prevents providers from blocking individual hostnames without also disrupting all other services (email, chat, file transfer) for every name in the same DNS zone. A provider blocking www.bad.example.com must create a synthetic zone for bad.example.com, requiring continuous re-synchronization with authoritative servers at 3–24 hour intervals; failing to replicate MX records blocks email to non-targeted addresses in the zone.
-
IP-level blocking causes severe over-blocking because more than 87% of all domains deploy name-based virtual hosting on shared IP addresses (per Edelman's 2003 survey of .com/.net/.org). A single blocked IP can deny access to thousands of unrelated sites; when xs4all.nl was blocked in 1996/1997, between 3,000 and 6,000 separate websites were collaterally blocked.
-
Active-server document anonymity is achieved by routing decryption through a randomly chosen ephemeral 'decrypter' node: the storer holds only ciphertext {h}k while key k is delivered separately to the decrypter via onion routing. Neither the storer nor any other single node can reconstruct the plaintext share, so a storer cannot identify the document it is hosting even by attempting to retrieve it.
-
An adversary who wishes to expose storers by having forwarders log storer identities must compromise all n−k+1 chosen forwarders before or during the publication event; forwarders that legitimately delete the storer mapping immediately after acknowledging publication render this attack ineffective unless the adversary pre-positions malicious nodes at sufficient density. The paper notes that with a reasonably large forwarder population the probability of the required simultaneous compromise is small.
-
The paper proposes a forwarder/storer role split in which forwarders hold only an anonymous return-address pointer to the storer, and deliberately forget the storer's identity upon receiving a publication acknowledgment. Because forwarders neither hold content nor retain storer addresses post-publication, coercing a forwarder after publication yields no actionable information about where shares are held.
-
Publius splits document keys into n shares where any k reconstruct the document, requiring a censor to coerce only n−k+1 servers to suppress it. Because all Publius server locations are discoverable by any reader, the paper argues this threshold is easily achievable, making location-secrecy of storers a necessary — not optional — property for censorship-resistant storage systems.
-
An attacker can conduct stealth port scans against a victim without revealing their own IP by exploiting a 'patsy' host whose OS uses a globally incrementing IP Identifier: the attacker spoofs SYNs to the victim with the patsy's source address; an open port answers with a SYN/ACK that elicits a RST from the patsy, so the attacker sees the patsy's ID counter advance by 2 (rather than 1) between probes, while a closed port's RST draws no reply from the patsy. Choosing a different patsy for each port makes the scan very hard to detect.
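The inference step of this classic idle-scan technique can be sketched as follows; the code assumes the patsy is otherwise idle, which is the condition the attack requires:

```python
def port_state(ipid_before, ipid_after):
    """Infer the victim port's state from the patsy's globally incrementing
    IPID, sampled by probing the patsy before and after the spoofed SYN.

    Open port: victim SYN/ACKs the patsy, patsy replies RST (+1), plus the
    patsy's reply to the attacker's own probe (+1) -> delta 2.
    Closed port: victim RSTs the patsy, which ignores it -> delta 1.
    """
    delta = (ipid_after - ipid_before) % 65536   # 16-bit counter wraparound
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "indeterminate"  # patsy not idle, or packet loss
```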
-
The user-level norm normalizer processes a realistic 100,000-packet trace (88% TCP) at approximately 101,000 pkts/sec (397 Mb/s) with all normalizations enabled on a $1,000 AMD Athlon 1.1 GHz PC, compared to a memory-copy-only baseline of 727,270 pkts/sec; the authors conclude a kernel implementation could sustain a bidirectional 100 Mbps access link with sufficient headroom to weather high-speed small-packet flooding attacks.
-
TCP RSTs are delivered unreliably and different OS stacks apply different validity rules, so a NIDS cannot safely tear down connection state on RST alone; a 'reliable RST' scheme — sending a keep-alive ACK behind every forwarded RST and tearing down state only upon observing a confirming RST from the trusted side — resolves this without violating end-to-end semantics. The cold-start problem (state loss on restart) can be addressed statelessly by stripping payload from unknown-connection packets from untrusted hosts and probing the trusted endpoint with a keep-alive before instantiating state.
-
Passive NIDS can be evaded via three fundamental classes of ambiguity: incomplete protocol analysis (none of the four commercial systems tested by Ptacek and Newsham in 1998 correctly reassembled IP fragments), divergent end-system behavior (different OS stacks resolve overlapping TCP retransmissions differently), and topology uncertainty (low-TTL packets may not reach the victim end-system, so the NIDS cannot determine which packets are delivered).
-
A traffic normalizer placed inline ('bump in the wire') can eliminate over 70 IP/TCP packet-level ambiguities before a NIDS inspects traffic — including fragment reassembly, TTL restoration, DF flag clearing, IP option removal, and cryptographic IP ID scrambling — leaving the classifier with an unambiguous byte stream and removing the degrees of freedom an attacker needs to evade detection.
-
The paper derives a closed-form expression for the expected number of later blocks that link to the n-th block: with c=10 cross-links per block, there is a 55% probability that the 10^7th block in the system will have been linked by at least one subsequent legitimate block after 10^5 additional blocks are added. This quantifies the minimum corpus activity required before a publisher can safely announce a document and have plausible censor-resistance.
-
Dagster identifies every block by the cryptographic hash of its contents (block ID), making it infeasible for an adversary to pre-empt a name with bogus data — an attack that directly affects Publius, where an attacker who possesses a target document can insert garbage under the same name that the legitimate document would have occupied. Content-addressing also makes the system robust to the naming ambiguity observed in Freenet (where a single document was posted under three distinct capitalizations).
-
Dagster achieves censorship resistance on a single server — without geographic replication — by cryptographically intertwining legitimate and illegitimate data into a directed acyclic graph. Each new block XORs the publisher's content with c pre-existing blocks before encrypting with a fresh key, so removing any one block destroys the decodability of every block that later links to it. This creates a legal constraint: a censor cannot excise a censorable block without simultaneously destroying an unknown number of legally protected blocks that depend on it.
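The intertwining step can be sketched under simplifying assumptions: fixed-size blocks, and with the per-block encryption and the randomness predicate omitted. What remains is the XOR dependency that makes each block undecodable if any block it links to is removed.

```python
import hashlib, os

store = {}  # block ID (content hash) -> block bytes

def put_raw(block):
    """Content-addressed storage: the block ID is the hash of its bytes."""
    bid = hashlib.sha256(block).hexdigest()
    store[bid] = block
    return bid

def publish(content, link_ids):
    """Store content XOR (all c linked blocks); blocks are equal length."""
    block = bytearray(content)
    for lid in link_ids:
        for i, b in enumerate(store[lid]):
            block[i] ^= b
    return put_raw(bytes(block))

def retrieve(bid, link_ids):
    """Undo the XOR: requires every linked block to still be present."""
    block = bytearray(store[bid])
    for lid in link_ids:
        for i, b in enumerate(store[lid]):
            block[i] ^= b
    return bytes(block)
```

Deleting any linked block from the store leaves the published block's plaintext unrecoverable, which is exactly the entanglement property the censor must confront.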
-
Dagster requires both clients and servers to enforce a randomness predicate rand?(x) on every block before storage or forwarding, ensuring all server-stored data is statistically indistinguishable from uniform random noise. This provides server deniability — the operator can credibly deny knowledge of content — and also closes the attack present in Publius and Freenet where a malicious client could post plaintext, potentially exposing the operator for 'knowingly' hosting illegal content.
-
Dagster's randomness predicate cannot distinguish legitimate random-looking blocks from adversarially generated filler, leaving the system vulnerable to storage-exhaustion denial-of-service: an attacker can submit arbitrarily many random blocks that pass the predicate, consuming server disk until legitimate publications are refused. The paper identifies anonymous digital cash (as proposed in the Eternity Service) or hash-cash proof-of-work as candidate mitigations but does not implement either.
-
Publius cryptographically binds the URL to both the document content and the key shares via name_i = wrap(H(M · share_i)). Any unauthorized modification to the stored encrypted file, a share, or the URL itself causes the tamper check to fail, preventing silent content substitution by a malicious server.
-
A malicious server operator with write access can mount a redirection attack by inserting a fake update file pointing to adversary-controlled content. If the client retrieves only k shares and Mallory controls k collaborating servers, all k update URLs match and the client proxy follows the redirect. A 1-bit non-updatable flag in the Publius URL blocks this vector by instructing clients to ignore all update files.
-
Publius's delete mechanism requires the publisher to supply H(server_domain · PW) per server rather than a bare password, preventing any single malicious server from learning the global password and deleting the document from all hosting servers. However, the paper acknowledges that an adversary who identifies the publisher can apply coercive ('rubber-hose') methods to obtain the URL and password directly from the author, bypassing all cryptographic protections.
-
Publius provides source anonymity once content is published but offers no connection-based anonymity at upload time. A network-layer eavesdropper between the publisher and the servers, or a server's connection log, can reveal the publisher's IP address. The paper explicitly states that Publius must be combined with a mix-network or crowd-anonymity tool (e.g., Crowds, Onion Routing) to protect publisher identity during the upload phase.
-
Publius encrypts content under a symmetric key K, then splits K into n shares using Shamir secret sharing such that any k shares reconstruct K. Each server stores the encrypted document plus one share, so an adversary must corrupt or destroy n−k+1 servers to censor the document, and increasing n or decreasing k raises the bar proportionally.
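The key-splitting step is standard Shamir secret sharing; a self-contained sketch over a prime field (the field choice and share coordinates are illustrative):

```python
import secrets

P = 2**127 - 1  # a Mersenne prime, large enough for a 16-byte key

def split(secret_int, n, k):
    """Evaluate a random degree-(k-1) polynomial with the secret as its
    constant term at x = 1..n; any k points determine the polynomial."""
    coeffs = [secret_int] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):   # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 recovers the secret from k shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret
```

With n = 5 and k = 3, an adversary must corrupt or destroy n−k+1 = 3 servers to make the key (and hence the document) unrecoverable.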
-
The paper proves that any network IDS operating without maintaining complete, OS-specific per-connection state cannot reliably reconstruct the byte stream seen by the end-system. TCP and IP reassembly ambiguities guarantee unavoidable blind spots unless the IDS performs full per-target OS emulation—a fundamental architectural limitation, not an implementation bug, that applies equally to any DPI-based censor.
-
IP-level fragment overlap attacks operate independently of TCP: crafting overlapping IP fragments whose reassembly by the IDS yields benign content while the end-system's reassembly yields the true payload. The paper demonstrates this is a separate attack surface from TCP-level evasion, exploitable below the transport layer before any TCP stream reconstruction begins.
-
Different operating systems apply different precedence rules when TCP segments overlap—some implementations use 'first data wins,' others 'last data wins.' An IDS applying a single universal reassembly policy will systematically diverge from the actual target end-system whenever overlapping segments appear, creating a predictable and repeatable evasion surface that is an inherent consequence of policy misalignment rather than a configuration flaw.
-
An 'evasion' attack is the mirror image of insertion: the IDS drops a TCP segment that the end-system accepts, due to differences in overlap-resolution policy. The IDS reconstructs 'ATTCK' while the end-system sees 'ATTACK'; the missing segment carries the content that would trigger the signature, leaving the censor with an incomplete—and non-matching—view of the stream.
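A minimal model of the evasion case, assuming the policy difference has already been triggered: the `discarded_by_ids` flag below is a stand-in for whatever acceptance rule causes the IDS (but not the end host) to reject a segment.

```python
SIGNATURE = "ATTACK"

def stream(segments, accept):
    """Concatenate in-order payloads of segments this vantage accepts."""
    return ''.join(data for data, flags in segments if accept(flags))

# The middle segment is accepted by the end-host's stack but rejected
# by the IDS's single universal reassembly policy.
segments = [
    ("ATT", {}),
    ("A",   {"discarded_by_ids": True}),
    ("CK",  {}),
]
host_view = stream(segments, accept=lambda f: True)
ids_view  = stream(segments, accept=lambda f: not f.get("discarded_by_ids"))

print(host_view, SIGNATURE in host_view)  # ATTACK True
print(ids_view,  SIGNATURE in ids_view)   # ATTCK False
```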
-
An 'insertion' attack sends TCP segments with forged TTL values low enough to expire at the IDS/censor but not at the true destination. The IDS incorporates the spurious segment into its reconstructed stream—seeing 'ATXTACK'—while the end-system assembles the intended byte stream 'ATTACK,' causing signature-based content matching to fail without disrupting delivery.
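The TTL trick can be sketched by modeling each observer as a position along the path. The hop counts and the simplified "visible iff TTL exceeds hops" rule are assumptions of this sketch, not measured values.

```python
IDS_HOPS, DEST_HOPS = 3, 8   # illustrative positions along the route

def view(segments, hops):
    """Payload visible `hops` routers into the path: a segment is seen
    only if its TTL has not expired by that point."""
    return ''.join(data for data, ttl in segments if ttl > hops)

# The attacker injects a spurious 'X' with a TTL chosen to survive past
# the in-path IDS but expire before reaching the true destination.
segments = [("AT", 64), ("X", 5), ("TACK", 64)]

print(view(segments, IDS_HOPS))   # ATXTACK  (the IDS's reconstruction)
print(view(segments, DEST_HOPS))  # ATTACK   (what the end-system assembles)
```

The spurious byte never reaches the destination, so delivery is undisturbed while the censor's signature match fails.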
-
Anderson establishes that anonymity and physical redundancy are substitutes: 'Anonymity enables us to reduce diversity.' Tamper-resistant hardware security modules controlling anonymized file servers ensure no identifiable group of people — including sysadmins — can locate or delete a specific file without breaking a quorum of hardware modules distributed across jurisdictions.
-
Using Byzantine-fault-tolerant protocols (specifically Rampart), seven replicas suffice to resist a conspiracy of any two malicious administrators or the accidental destruction of four systems with guaranteed complete recovery. Signing all files with a system key further ensures that a full recovery is possible as long as a single valid copy and an uncompromised public key survive.
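The replica arithmetic follows the standard n ≥ 3f+1 Byzantine bound; the helper names below are mine, and the one-copy recovery condition encodes the paper's signing argument rather than any Rampart API.

```python
def max_byzantine(n: int) -> int:
    """Byzantine faults tolerable by n replicas under n >= 3f + 1."""
    return (n - 1) // 3

def recoverable(n: int, destroyed: int) -> bool:
    """With every file signed under the system key, full recovery needs
    only one intact copy plus an uncompromised public key."""
    return n - destroyed >= 1

print(max_byzantine(7))    # 2 -> survives a conspiracy of two admins
print(recoverable(7, 4))   # True -> three signed copies remain
```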
-
Effective censorship of a distributed service requires simultaneous enforcement across every jurisdiction hosting nodes. With no head office to coerce, a legal attack requires coordination across multiple independent legal systems — making successful suppression 'very expensive indeed — hopefully beyond even the resources of governments.' Local bans (e.g., country-level) do not affect nodes in other jurisdictions.
-
The Eternity Service's core design stores a file on 100 servers worldwide but retains records of only 10 for auditing, destroying the remaining 90 records. Even if a user is legally compelled to disclose all 10 known server locations and those copies are seized, 90 copies survive at unknown locations and can be retrieved via anonymous broadcast once the user leaves the jurisdiction.
-
Traffic analysis is identified as the primary threat to location secrecy in a distributed anonymous storage system: if an adversary can correlate inter-server communications or link requests to stored file locations, it can target physical seizure. The paper proposes mix-nets (Chaum 1981) for user-facing file delivery and dining-cryptographers ring protocols for inter-server communications, supplemented by traffic padding, so that even traffic analysis yields no actionable location information.
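The dining-cryptographers primitive proposed for inter-server traffic can be sketched in a few lines. The ring topology, byte-sized pads, and function signature are simplifications of this sketch, not the paper's protocol.

```python
import secrets

def dc_round(n, sender=None, message=0):
    """One DC-net round on a ring of n participants. Each adjacent pair
    shares a random pad; each participant announces the XOR of its two
    pads, XORing in the message if it is the sender. The XOR of all
    announcements reveals the message but not who sent it."""
    pads = [secrets.randbits(8) for _ in range(n)]  # pad i shared by i and i+1
    announcements = []
    for i in range(n):
        a = pads[i] ^ pads[(i - 1) % n]
        if i == sender:
            a ^= message
        announcements.append(a)
    result = 0
    for a in announcements:
        result ^= a                 # every pad appears twice and cancels
    return result

assert dc_round(5, sender=2, message=0x41) == 0x41  # message emerges
assert dc_round(5) == 0                             # silence XORs to zero
```

Because every pad is XORed in exactly twice, an observer of all announcements learns the message yet gains no information about which participant injected it, which is what makes the primitive resistant to the traffic analysis described above.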