Starting October 1, 2023, the GFW began injecting HTTP 301 and 302 responses to connections destined for 1.1.1.1:80, redirecting clients to China's National Anti-Fraud Center (182.43.124.6, AS58519 China Telecom Cloud). Over 6,169 HTTP requests from a Tencent Cloud Beijing vantage point (AS45090), the GFW injected 301 responses at a 9.06% rate and 302 responses at a 28.5% rate.

From September 5–20, 2023, the GFW blocked 1.1.1.1:443 via TCP RST injection; starting October 1, 2023, the mechanism shifted to HTTP packet injection on port 80, while port 443 behavior became inconsistent across ASes — from one AS45090 vantage point, HTTPS connections to 1.1.1.1 still succeeded while other observers confirmed RST injection.

Major observations detection

Injected GFW packets for 1.1.1.1:80 carry a consistent IP TTL of 251 (matching the real Cloudflare server), IP IDs of 0x99b3 (301 responses) and 0x4c57 (302 responses), and TCP flag patterns of PSH+ACK (301) versus PSH+ACK+FIN (302), providing stable per-injection-type fingerprints observable in packet captures.

Experiment (Table: IP ID, TTL, TCP Flags) evaluation

The GFW's HTTP injection for 1.1.1.1:80 does not suppress the real Cloudflare response: the legitimate 301 from the actual server arrives after the injected packet, confirming the GFW operates as a race-condition injector rather than a transparent drop-and-replace proxy.

Analysis on the injection to 1.1.1.1:80 detection

An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.

2025-alaraj-iran-refraction §4.1.2 packet-injectionrst-injectionip-blocking

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

136 Russian government domains (25.09% of 542 accessible ones) blocked access to all tested countries outside Russia, and a further 112 (20.66%) were accessible only from Russian and Kazakhstani vantage points. Geoblocking was implemented via heterogeneous, uncoordinated mechanisms—DNS timeouts, TCP timeouts, HTTP 403 Forbidden responses, and explicit blockpages—across different domains, indicating an ad hoc emergency response with no central policy.

2023-ramesh-network §4.2 ip-blockingdns-poisoningpacket-injection

Data center VPSes predominantly experienced TCP connection timeouts and resets—with the highest-blocking VPS censoring 96.8% of tested domains—while residential ISPs were substantially more likely to inject explicit blockpages citing Roskomnadzor's registry, confirming that blocking mechanism varies significantly by network tier even when blocking rates are similar.

2020-ramesh-decentralized §VI-B rst-injectionip-blockingpacket-injectionkeyword-filtering

Approximately 10% of respondents (n=23) held uncertain or incorrect beliefs about which actor was responsible for a given block, systematically conflating government censorship with geoblocking, paywalls, and platform-side restrictions. This misidentification cascaded into inappropriate tool selection and inaccurate risk assessment: users who could not distinguish state blocking from licensing restrictions could neither choose the right circumvention tool nor accurately gauge the legal jeopardy of accessing the content. Respondents specifically requested a pre-visit blocking-actor classification tool.

2017-gebhart-internet §5.2.3, §5.4.1, §6.2.1 ip-blockingpacket-injection

Users in Thailand relied on incident-driven tool selection—running a fresh Google search for a proxy or VPN each time they hit a block—which the paper identifies as a systematic vulnerability: the Thai Royal Police exploited this pattern after the 2014 coup by linking a phishing application to a government block page, harvesting email addresses and gaining application-level access to Facebook profile information. The paper further notes that orchestrated stricter censorship could drive users to a government-operated malicious tool.

2017-gebhart-internet §5.3.3, §6.2.2 ip-blockingpacket-injection