2012-verkamp-inferring
Findings extracted from this paper
- China's censoring devices send four spoofed RST packets per filtered connection with varying sequence and ACK numbers and TTL values corresponding to roughly the hop count to the Chinese border; the IP ID field increments sequentially per TTL group, strongly implying a small cluster of out-of-band machines co-located at each border router. Because the device is out-of-band, the actual server response still arrives at the client but is preempted by the injected RSTs.
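The indicators in that finding (several RSTs per flow with differing SEQ/ACK values, RST TTLs that do not match the real server's path, IP IDs counting up within each TTL group, and the genuine response still arriving after the RSTs) can be checked mechanically from a client-side capture. The script below is an added example, not code from the paper; the packet records, the server address 203.0.113.10 and all TTL and IP ID values are constructed to mirror the described behaviour.

```python
"""Fingerprint out-of-band TCP RST injection from a client-side capture.
Added example (not from the paper); all packet values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture time in seconds
    src: str       # source IP as written in the packet
    ttl: int       # IP TTL observed at the client
    ip_id: int     # IP identification field
    flags: str     # TCP flags, e.g. "SA", "R", "PA"
    seq: int
    ack: int


# Constructed capture of one flow.  The real server's packets arrive with TTL 50;
# the injected RSTs arrive with TTLs 57/58, i.e. from a device far fewer hops away,
# and the IP ID increments by one within each TTL group.  The server's real data
# segment arrives 70 ms after the first RST, as the finding describes.
SERVER = "203.0.113.10"  # constructed address
FLOW = [
    Pkt(0.000, SERVER, 50, 4100, "SA", 1000, 1),      # genuine SYN/ACK
    Pkt(0.061, SERVER, 58, 7001, "R",  1001, 90),     # injected RST #1
    Pkt(0.061, SERVER, 58, 7002, "R",  2440, 90),     # injected RST #2, same TTL, ID+1
    Pkt(0.062, SERVER, 57, 3300, "R",  3200, 3000),   # injected RST #3
    Pkt(0.062, SERVER, 57, 3301, "R",  5000, 3000),   # injected RST #4, ID+1
    Pkt(0.130, SERVER, 50, 4101, "PA", 1001, 90),     # genuine data, preempted at the client
]


def baseline_ttl(pkts, server):
    """TTL of the server's handshake reply: the reference for the true path length."""
    for p in pkts:
        if p.src == server and p.flags == "SA":
            return p.ttl
    return None


def rst_ttl_groups(pkts, server):
    """Map TTL -> sorted IP IDs of RSTs claiming to come from the server."""
    groups = defaultdict(list)
    for p in pkts:
        if p.src == server and p.flags == "R":
            groups[p.ttl].append(p.ip_id)
    return {ttl: sorted(ids) for ttl, ids in groups.items()}


def ids_sequential(ids):
    """True when consecutive IP IDs differ by exactly one (one host's counter)."""
    return len(ids) >= 2 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


def analyse(pkts, server):
    """Collect the indicators used to infer an out-of-band injector."""
    base = baseline_ttl(pkts, server)
    groups = rst_ttl_groups(pkts, server)
    rsts = [p for p in pkts if p.src == server and p.flags == "R"]
    first_rst = min((p.ts for p in rsts), default=None)
    data_after_rst = first_rst is not None and any(
        p.src == server and p.flags != "R" and p.ts > first_rst for p in pkts
    )
    return {
        "rst_count": len(rsts),
        "distinct_seq": len({p.seq for p in rsts}),
        "ttl_groups": len(groups),
        "ttl_mismatch": base is not None and any(ttl != base for ttl in groups),
        "sequential_id_groups": sum(1 for ids in groups.values() if ids_sequential(ids)),
        "server_data_after_rst": data_after_rst,
    }


def looks_injected(pkts, server):
    """Heuristic verdict: repeated RSTs, TTL unlike the real server's, and the
    real response still arriving afterwards."""
    r = analyse(pkts, server)
    return r["rst_count"] >= 2 and r["ttl_mismatch"] and r["server_data_after_rst"]


if __name__ == "__main__":
    print(analyse(FLOW, SERVER))
    print("injected:", looks_injected(FLOW, SERVER))
```

The TTL comparison against the handshake reply is the decisive check: a RST from the real server would share the server's path length, while a RST with a TTL pointing only a few hops away cannot have originated there. The sequential IP IDs per TTL group are what supports the "small cluster of machines" inference rather than a single box.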
- China's censoring device is stateful: it inspects only the first HTTP GET request after a TCP handshake and ignores subsequent requests or those without a preceding handshake. After blocking a request, it records the (src IP, dst IP, port, protocol) tuple and denies all further communication between that machine pair for approximately 12 hours, even for traffic that would not independently trigger censorship.
- Across 11 countries, censorship execution falls into at least six distinct categories: DNS redirect to localhost (Malaysia, Russia, Turkey), DNS redirect with warning page (South Korea), connection timeout with no notification (Bangladesh, India), spoofed TCP RST injection (China), spoofed HTTP 403 with warning page (Bahrain, Iran), HTTP 302 redirect (South Korea, Thailand), and spoofed HTTP 200 iframe response (Saudi Arabia). Four countries censor at DNS and eight at routers, with South Korea employing both layers simultaneously.
- Thailand uses an out-of-band device to inject spoofed HTTP 302 redirect responses, so the destination server still receives and responds to the original request — unlike inline censors in Bangladesh and India where the request is dropped before reaching the server. Saudi Arabia similarly uses an out-of-band device to inject a spoofed HTTP 200 response containing an iframe warning page loaded from a separate IP address, allowing the warning page content to be updated without modifying the censoring module.
- South Korea operates DNS-based and router-based censorship simultaneously; sites blocked at the DNS resolver are a strict subset of those blocked at the router, verified by switching to an external DNS resolver and observing continued blocking at the router layer. Alternate DNS resolvers alone are therefore insufficient to circumvent South Korean censorship, in contrast to Malaysia, Russia, and Turkey where DNS-only bypass is adequate.
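The category taxonomy from the 11-country finding and the resolver-switching test from the South Korea finding fit together as one measurement-analysis routine: classify each observed outcome, then compare what is blocked through the ISP's resolver with what is still blocked through an external resolver to see whether DNS is the only layer involved. This is an added example, not the paper's code; the `Observation` record, the category names and every address and result below are constructed for illustration.

```python
"""Classify censorship outcomes and infer the blocking layer(s).
Added example (not from the paper); category names and sample data are constructed."""
from dataclasses import dataclass
from typing import Optional

DNS_CATEGORIES = {"dns-redirect-localhost", "dns-redirect-warning-page"}


@dataclass
class Observation:
    dns_answer: Optional[str]   # A record returned by the resolver in use, None if none
    true_ip: str                # the site's real address as seen from an uncensored vantage
    tcp_outcome: str            # "connected", "timeout" or "rst"
    http_status: Optional[int]  # None when no HTTP response arrived
    http_body: str = ""


def classify(o: Observation) -> str:
    """Map one observation onto the categories reported in the paper's findings."""
    if o.dns_answer is not None and o.dns_answer != o.true_ip:
        if o.dns_answer.startswith("127."):
            return "dns-redirect-localhost"
        return "dns-redirect-warning-page"
    if o.tcp_outcome == "timeout":
        return "connection-timeout"
    if o.tcp_outcome == "rst":
        return "tcp-rst-injection"
    if o.http_status == 403:
        return "http-403-warning-page"
    if o.http_status == 302:
        return "http-302-redirect"
    if o.http_status == 200 and "<iframe" in o.http_body.lower():
        return "http-200-iframe"
    return "not-censored"


def blocking_layers(via_isp_resolver, via_external_resolver):
    """Both arguments map site -> category.  Anything still blocked once DNS
    answers correctly (external resolver) must be enforced on the router path."""
    dns_blocked = {s for s, c in via_isp_resolver.items() if c in DNS_CATEGORIES}
    router_blocked = {s for s, c in via_external_resolver.items()
                      if c != "not-censored" and c not in DNS_CATEGORIES}
    return {
        "dns_blocked": dns_blocked,
        "router_blocked": router_blocked,
        "dns_strict_subset_of_router": dns_blocked < router_blocked,
        "alternate_resolver_sufficient": not router_blocked,
    }


# Constructed observations, one per category; 198.51.100.5 is the site's true address.
TRUE = "198.51.100.5"
SAMPLES = {
    "localhost-redirect": Observation("127.0.0.1", TRUE, "connected", None),
    "dns-warning":        Observation("192.0.2.44", TRUE, "connected", 200, "<html>blocked</html>"),
    "timeout":            Observation(TRUE, TRUE, "timeout", None),
    "rst":                Observation(TRUE, TRUE, "rst", None),
    "403":                Observation(TRUE, TRUE, "connected", 403, "<html>blocked</html>"),
    "302":                Observation(TRUE, TRUE, "connected", 302),
    "iframe":             Observation(TRUE, TRUE, "connected", 200,
                                      "<html><iframe src='http://warn.example/'></iframe></html>"),
    "clean":              Observation(TRUE, TRUE, "connected", 200, "<html>hello</html>"),
}

# Constructed two-resolver runs: a South-Korea-like network (DNS set strictly inside
# the router set) and a Malaysia-like network (DNS only).
KOREA_LIKE_ISP = {"a.example": "dns-redirect-warning-page", "b.example": "dns-redirect-warning-page",
                  "c.example": "http-302-redirect", "d.example": "not-censored"}
KOREA_LIKE_EXT = {"a.example": "http-302-redirect", "b.example": "http-302-redirect",
                  "c.example": "http-302-redirect", "d.example": "not-censored"}
MALAYSIA_LIKE_ISP = {"a.example": "dns-redirect-localhost", "d.example": "not-censored"}
MALAYSIA_LIKE_EXT = {"a.example": "not-censored", "d.example": "not-censored"}


if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(f"{name:20s} -> {classify(obs)}")
    print("korea-like:", blocking_layers(KOREA_LIKE_ISP, KOREA_LIKE_EXT))
    print("malaysia-like:", blocking_layers(MALAYSIA_LIKE_ISP, MALAYSIA_LIKE_EXT))
```

The order of checks in `classify` matters: a wrong DNS answer is decided before any TCP or HTTP evidence, because once the client is talking to the wrong address the later layers say nothing about the real site. `blocking_layers` only credits the router layer with sites that remain blocked when the external resolver returns the correct address, which is exactly the experiment the South Korea finding describes.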