27 of 80 tested VPN providers had servers within a single AS (AS 9009, M247 Ltd), and VPNalyzer identified 14 providers sharing 4 specific IP blocks within that AS; 2 additional providers shared an IP block in AS 60068 (Datacamp). Such infrastructure concentration enables censors to block multiple VPN products simultaneously with a single IP-range or AS-level rule.

VPNalyzer is the first study to measure DNS leaks during tunnel failure, discovering that 8 VPN providers — including TunnelBear and Private Internet Access — allow DNS queries to bypass their kill switch or firewall rules, exposing users' ISP IP addresses and queried domain names to their ISP and DNS resolvers outside the tunnel.

§VI-B evaluation

Only 11 of 80 tested VPN providers supported IPv6 connectivity; 5 providers — Astrill VPN, Norton Secure VPN, Turbo VPN, SurfEasy VPN, and a university VPN — failed to block IPv6 traffic when the VPN tunnel did not support it, silently leaking all IPv6 data directly to the user's ISP even when IPv4 was fully tunneled.

§VI-A evaluation

Among 80 tested VPN providers, 26 leaked user traffic during tunnel failure: 18 exhibited a missing or broken kill switch leaking all traffic types, and 8 additional providers leaked only DNS traffic. In a case study of 39 top providers with all security settings explicitly enabled ('custom secure mode'), 10 still leaked traffic, with 6 leaking even with the 'kill switch' feature activated.

§VI-B, §VI-H evaluation

29 of 80 VPN providers — including paid services — configure clients to resolve DNS through third-party public resolvers (Google Public DNS, Cloudflare, OpenDNS, Quad9) rather than provider-operated infrastructure. Three self-hosted solutions (Algo, Streisand, Outline) hardcode public DNS with no easy override, causing connection failures in regions where those services are blocked.

§VI (Fig. 5) evaluation

Brussee measures a systematic pattern of Chinese government websites actively blocking access from outside China (the "reverse Great Firewall"), publishing a CSV dataset of affected domains (available at zenodo.org/records/18172145). The paper frames this outbound geo-blocking as a cybersecurity-motivated practice — Chinese authorities classify foreign access to domestic government infrastructure as an attack surface — distinct from the inbound information control goal of the GFW.

2026-brussee-reverse-great-firewall §3, §5 ip-blockingasn-blackholing

Brussee develops a conceptual framework distinguishing two logics of government geo-blocking: (1) information control (blocking inbound foreign content from domestic users) and (2) data sovereignty / attack-surface reduction (blocking outbound access by foreign actors to domestic systems). Chinese government site blocking of external IPs is motivated primarily by the second logic, creating an asymmetric internet topology where CN citizens cannot reach the outside world, and outside actors cannot probe CN government infrastructure.

2026-brussee-reverse-great-firewall §2, §4 ip-blockingasn-blackholing

The April 2026 enforcement wave against Chinese VPN resellers operates primarily through administrative "reporting + line-cutting" (通报+拔线) mechanisms enforced via Ministry of Industry and Information Technology bulletins, not packet-level DPI changes. Operators report that newly acquired upstream resources are reported and cut with recovery periods described as "uncontrollable," and that upstream providers typically do not refund resellers after enforcement actions.

2026-ermao-april-airport-outage §一句话结论 / §这轮波动到底发生了什么 ip-blockingasn-blackholing

The dominant enforcement mechanism in April 2026 was administrative 'reporting + line-cutting' (通报 + 拔线) backed by MIIT bulletins, not protocol-level DPI changes. Operators reported that newly acquired upstream resources were reported to authorities quickly after acquisition, recovery timelines were uncontrollable, and some upstream providers refused refunds after enforcement actions, producing sustained capacity contraction across the shared VPN-reseller ecosystem.

2026-ermao-april-airport-outage §这轮波动到底发生了什么 ip-blockingasn-blackholing

The April 2026 enforcement cycle created a resource-scarcity feedback loop: upstream providers cut lines with no obligation to refund resellers, newly acquired replacement resources can themselves be reported and cut within days, and stable-resource availability windows are described as "越来越短" (increasingly short) while costs rise concurrently. The overall effect is systemic capacity contraction forecast to continue through at least May 2026.

2026-ermao-april-airport-outage §这轮波动到底发生了什么 / §四月后的趋势判断 ip-blockingasn-blackholingthrottling

Shared domestic-entry transit architectures (国内入口 + 海外转发) suffered disproportionate impact because all nodes sharing a single domestic entry point went down simultaneously when that entry was reported and cut. Operators described configurations degrading from 'three-line redundancy to single entry,' eliminating failover capacity under enforcement pressure.

2026-ermao-april-airport-outage §为什么中转机场这次受冲击更明显 ip-blockingasn-blackholing