In 80% of measured paths (72 PlanetLab VPs × 5,000 Alexa targets), at least one intermediate router returns the full IP packet in ICMP time-exceeded replies (RFC1812-compliant), enabling per-hop detection of packet modifications. The majority of these full-ICMP routers reside in the network core rather than the access segment.

Middleboxes that randomize TCP sequence numbers do not update the sequence numbers inside TCP SACK blocks; tracebox found two PlanetLab VPs with stateful seq-number randomizers that cycled approximately every 20 seconds. When SACK blocks reference sequence numbers outside the current window, the Linux TCP stack waits for a full RTO instead of fast-retransmitting, producing up to 50% throughput degradation in controlled measurements.

§3.3 evaluation

Of 72 PlanetLab vantage points, 7 (~10%) automatically stripped or replaced TCP options (Multipath TCP, MD5, and Window Scale) with NOPs at the very first hop, and 2 VPs always altered TCP sequence numbers. These modifications occurred without any corresponding update to dependent fields, corrupting the TCP stream for higher-layer protocols.

§3.1 evaluation

tracebox can estimate middlebox location with an error of ≤4 hops in 61% of cases; errors above 13 hops (the length of ~60% of paths) are each below 1% individually. Of MSS-modifying middleboxes detected, 52% were located in the network core and only 2.7% close to the source vantage point.

§3.4 evaluation

tracebox identified a transparent HTTP proxy or IDS within a National Research Network (SUNET) that intercepted port-80 SYN probes but not port-21 SYN probes, producing shorter observed path lengths to port 80. It also found proxy misconfigurations causing forwarding loops for non-HTTP traffic, where ICMP replies alternated between two routers indefinitely.

§4.2 evaluation

Censoring middleboxes' TCP non-compliance — specifically, their willingness to censor bidirectionally without completing the three-way handshake — enables external vantage points outside a censoring country to trigger and measure censorship without any local endpoint participation. The approach requires only a confirmed censored domain per AS, evidence of bidirectional censorship, and minimal residual censorship.

2023-nourin-detecting §2 middlebox-interferencerst-injectionmeasurement-platform

Geneva — originally designed to evolve censorship-evasion packet sequences — was repurposed by inverting its fitness function to discover censorship-triggering packet sequences instead. Training against non-responsive IP addresses allows Geneva to attribute all responses to middleboxes, enabling fully automated discovery of triggering strategies without any endpoint cooperation.

2023-nourin-detecting §2 measurement-platformpacket-injectionmiddlebox-interference

Internet-wide IPv4 scanning found 386,187 IP addresses yielding amplification factors ≥ 100× via TCP middlebox reflection, with 82.9% of responses from the top 1 million IPs confirmed as originating from on-path middleboxes rather than endpoints. Nation-state censorship infrastructure dominates: China's GFW alone accounts for approximately 154 million responding IP addresses sharing a 3× RST+ACK (54 bytes each) fingerprint.

2021-bock-weaponizing §5.3, §5.5, Table 4 middlebox-interferencerst-injectionpacket-injectionmeasurement-platform

The authors developed 'Aladdin,' a 10-step OONI-based measurement experiment that isolates SNI-based blocking (step 1), Host-header blocking (step 2), DNS injection (step 3), system-resolver vs. DoH discrepancy (steps 4–5), TLS interception (steps 6–8), and TLSv1.3-specific SNI dependency (step 10); this methodology exposed Vodafone's Allot TLS interception that OONI's Web Connectivity test had recorded only as a generic certificate error.

2021-ververis-understanding §3.8 measurement-platformsni-blockingmiddlebox-interferencedns-poisoning

The paper enumerates at least eight distinct non-censorship motivations for server-side geo-blocking — economic sanctions, third-party liability (SESTA), copyright, GDPR compliance, security/fraud concerns, hosting costs, revenue optimization, and misconfiguration — each of which can produce the same observable signals (403 blockpages, DNS failures, TCP resets) as government censorship. Naive measurement methods that treat all location-based unavailability as censorship will produce systematic false positives.

2018-tschantz-bestiary §2, Table 1 measurement-platformmiddlebox-interference

Of 2,134 tested sites, 229 (10.7%) were invalid for inbound blocking detection due to ingress filtering or network-origin discrimination; 431 additional sites were invalid for outbound blocking detection, of which 75% were Cloudflare-hosted and 7% Fastly-hosted because anycast topology prevents RST packets from returning to the originating anycast node.

2017-pearce-augur §V-E measurement-platformmiddlebox-interference