Switching source IP via VPN, Tor, or HTTP proxy is the primary victim-side mitigation because residual censorship is tuple-keyed; however, if the proxy entry node's path also crosses the censor, the attacker can redirect the attack at the proxy itself. On the censor side, null-routing middleboxes could eliminate the vulnerability by validating TCP sequence/acknowledgment numbers before dropping traffic, or by replacing null routing with an explicit block-page response.

A low-bandwidth attacker can sustain indefinite availability attacks by periodically re-triggering residual censorship: China's 3-tuple HTTP system requires only 4 spoofed packets every 3 minutes. For 4-tuple systems requiring full source-port coverage (65,535 ports), Kazakhstan needs 1,093 packets/sec (~634 kbps HTTP) and Iran needs 729 packets/sec (~422 kbps HTTP)—achievable with commodity hardware. Iran achieved 100% attack success against all 17 geographically disparate victim vantage points tested.

§V.B, §VI evaluation

Residual censorship—where a censor continues blocking all traffic on a 3- or 4-tuple after an initial censorship event—is active in China (HTTP: 90s 3-tuple RST injection; ESNI: 120–180s 3+4-tuple null routing), Iran (HTTP+SNI: 180s 4-tuple null routing, occasionally up to 5 minutes; protocol filter: 60s), and Kazakhstan (HTTP+SNI: 120s 4-tuple null routing). A December 2020 Quack scan found 3-tuple stateful disruption in 33 countries and null-routing censorship in 18, suggesting much broader applicability.

§IV, Table I evaluation

All tested censors (China, Iran, Kazakhstan) can be triggered statelessly—without completing a TCP 3-way handshake—using a SYN with decremented sequence number followed by a PSH+ACK containing the forbidden payload. This stateless triggering enables fully off-path, source-spoofed attacks: an adversary with packet-spoofing capability can residually censor a victim pair they have no on-path access to.

§IV, §V.A detection

Iran and Kazakhstan reset the residual censorship timer whenever the censor observes any matching packet from the victim, so TCP retransmissions from the victim's own stack inadvertently extend the blocking window far beyond the nominal 120–180s. China's HTTP residual censorship has only ~50% per-request reliability from some vantage points due to heterogeneous GFW middlebox load-balancing, but reliability plateaus near 100% after 7 repeated censorship triggers sent ahead of time.

§IV (timer reset), §IV (reliability), Fig. 2 evaluation

An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.

2025-alaraj-iran-refraction §4.1.2 packet-injectionrst-injectionip-blocking

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

DeResistor-generated evasion strategies achieve an overall success rate of up to 98.61% against GFW (across vantage points in Qingdao, Shanghai, and Beijing) for the best strategy, and 100% in both India (Bangalore) and Kazakhstan (Oral) for the top-performing strategy, while standalone Geneva strategies tested in the same environment achieve comparable or slightly lower rates on some censors but are blocked at the IP level before training completes.

2023-amich-deresistor §6.3, Table 2 rst-injectiondns-poisoningip-blocking

From September 5–20, 2023, the GFW blocked 1.1.1.1:443 via TCP RST injection; starting October 1, 2023, the mechanism shifted to HTTP packet injection on port 80, while port 443 behavior became inconsistent across ASes — from one AS45090 vantage point, HTTPS connections to 1.1.1.1 still succeeded while other observers confirmed RST injection.

2023-gfw-blocking-1111 Major observations rst-injectionip-blockingpacket-injection

The authors' blockpage-based methodology cannot detect transit censorship implemented via TCP RST injection or packet drops, because distinguishing these from transient network errors requires identifying their location on the routing path. As a result, the 8-country, 6-AS finding is explicitly characterized as a lower bound on the true extent of Russian transit censorship.

2023-ortwein-towards §4.1 Gathering Blockpages / §6 Conclusion rst-injectionip-blockingmeasurement-platform

Post-handshake tampering signatures (⟨SYN;ACK→RST⟩ and ⟨SYN;ACK→RST+ACK⟩) constitute 34.4% of tampered connections from Iranian networks, but over 70% from Sri Lanka networks and over 81% from Turkmenistan networks, suggesting that censors in the latter two countries disproportionately block at the IP/TCP-handshake level before any application-layer content is visible — consistent with IP-list-based blocking rather than SNI-based DPI.

2023-raman-global §4.1 rst-injectionip-blocking