From September 5–20, 2023, the GFW blocked 1.1.1.1:443 via TCP RST injection; starting October 1, 2023, the mechanism shifted to HTTP packet injection on port 80, while port 443 behavior became inconsistent across ASes — from one AS45090 vantage point, HTTPS connections to 1.1.1.1 still succeeded while other observers confirmed RST injection.

Starting October 1, 2023, the GFW began injecting HTTP 301 and 302 responses to connections destined for 1.1.1.1:80, redirecting clients to China's National Anti-Fraud Center (182.43.124.6, AS58519 China Telecom Cloud). Over 6,169 HTTP requests from a Tencent Cloud Beijing vantage point (AS45090), the GFW injected 301 responses at a 9.06% rate and 302 responses at a 28.5% rate.

Major observations / Analysis on the injection to 1.1.1.1:80 detection

Injected GFW packets for 1.1.1.1:80 carry a consistent IP TTL of 251 (matching the real Cloudflare server), IP IDs of 0x99b3 (301 responses) and 0x4c57 (302 responses), and TCP flag patterns of PSH+ACK (301) versus PSH+ACK+FIN (302), providing stable per-injection-type fingerprints observable in packet captures.

Experiment (Table: IP ID, TTL, TCP Flags) evaluation

The GFW's HTTP injection for 1.1.1.1:80 does not suppress the real Cloudflare response: the legitimate 301 from the actual server arrives after the injected packet, confirming the GFW operates as a race-condition injector rather than a transparent drop-and-replace proxy.

Analysis on the injection to 1.1.1.1:80 detection

An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.

2025-alaraj-iran-refraction §4.1.2 packet-injectionrst-injectionip-blocking

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

Data center VPSes predominantly experienced TCP connection timeouts and resets—with the highest-blocking VPS censoring 96.8% of tested domains—while residential ISPs were substantially more likely to inject explicit blockpages citing Roskomnadzor's registry, confirming that blocking mechanism varies significantly by network tier even when blocking rates are similar.

2020-ramesh-decentralized §VI-B rst-injectionip-blockingpacket-injectionkeyword-filtering

Client-to-server packet drops (RSTs from client to server are dropped in transit) indicate the simplest null-routing mechanism: the server's destination IP is null-routed at the censor. The method distinguishes this from server-to-client drops (stateless return-path filtering) and from RST/ICMP injection—cases where the packet is not dropped but a forged termination packet is inserted—which both appear as the 'no-packets-dropped' outcome in the IPID time series.

2014-ensafi-detecting §2 ip-blockingrst-injectionpacket-injection

Pakistan's censorship used layered, evolving mechanisms: DNS redirection by local ISP resolvers appeared in all post-block traces, supplemented by HTTP 3XX redirection to a local provider's error page in Sep 2012 and shifting to RST injection by Aug 2013 (where ≈95% of YouTube HTTP requests received no response, vs. ≈2% pre-block). Porn blocking similarly combined DNS redirection with IP blocking (41% blacklist overlap) in Sep 2012 and RST injection in Aug 2013.

2014-khattak-look §4.2–4.3, Table 4 dns-poisoningrst-injectionip-blockingpacket-injection

Iran's DNS censor now injects two distinct block-page IPs: 10.10.34.36 (≈87% of 47,633 censored domains) and 10.10.34.34 (≈13%). Both originate from the same network node at Iran's border. Prior research (Aryan et al. 2013) described only 10.10.34.34. The IP injected correlates strongly with the HTTP censorship method applied: domains with 10.10.34.34 in DNS receive TCP RST via HTTP (86.8% of RST cases), while domains with 10.10.34.36 in DNS receive HTTP block pages (84.6% of block-page cases).

2025-lange-i-ra-nconsistencies §3.1, Table 2 dns-poisoningrst-injectionpacket-injection