2014-ensafi-detecting
findings extracted from this paper
-
Approximately 10% of China's IP addresses respond to IPID probes, and 13% of those exhibit globally incrementing IPIDs, so roughly 1% of China's total IP address space can serve as passive measurement vantage points without any cooperation from the host owners. Separately, blocking of Tor bridges was observed in 58.91% of server-to-client cases with Chinese clients, versus 0% for non-China Asia-Pacific clients.
-
The GFW blocks Tor primarily via stateless SYN/ACK dropping based on the server's source IP address and port (server-to-client direction, 73.04% of CN,Tor-dir cases). Two specific Tor directory authorities account for 98.8% of client-to-server (null-routed) blocks and 72.7% of error cases, indicating selective deeper blocking of specific IP addresses beyond the common return-path filter.
-
Over 5 days of measurement, 73.04% of connections from Chinese clients to Tor directory servers were blocked server-to-client (stateless SYN/ACK dropping), 16.73% were blocked client-to-server (null routing), and only 0.63% were unblocked. Of all censored Tor directory server connections measured across all regions, 98% originated from Chinese clients.
-
Using TCP IPID side channels combined with SYN backlog state inference, the authors detect intentional packet drops between two arbitrary Internet hosts without controlling either host. The only requirements are a client with a globally incrementing IPID (~1% of IP space) and a server with an open port; an ARMA model handles autocorrelated noise.
-
Client-to-server packet drops (RSTs from the client to the server are dropped in transit) indicate the simplest null-routing mechanism: the server's destination IP is null-routed at the censor. The method distinguishes this case from server-to-client drops (stateless return-path filtering) and from RST/ICMP injection (where the packet is not dropped but a forged termination packet is inserted); the latter two both appear as the 'no-packets-dropped' outcome in the IPID time series, since the client's RSTs reach the server either way.
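To make the inference in the two findings above concrete, here is an added simulation (not code from the paper or its authors) of why the client's IPID counter separates the three outcomes. It models the server's SYN backlog with an assumed Linux-style SYN/ACK retransmission schedule (1, 3, 7, 15, 31 s; a modelling assumption), a client that answers every unsolicited SYN/ACK it receives with one RST, and background traffic as seeded random noise. The classifier is a nearest-expected-count decision over the IPID delta, a deliberate simplification standing in for the paper's ARMA-based noise handling; the function and constant names are the example's own.

```python
import random
from enum import Enum

# The 16-bit IP identification field wraps modulo 2**16.
IPID_MOD = 1 << 16


class Outcome(Enum):
    NO_DROP = "no packets dropped (or RST/ICMP injection)"
    CLIENT_TO_SERVER = "client-to-server drop (null routing)"
    SERVER_TO_CLIENT = "server-to-client drop (stateless SYN/ACK filtering)"


# Assumed SYN/ACK retransmission schedule, in seconds after the first SYN/ACK
# (Linux-style exponential backoff with 5 retries). Modelling assumption only.
SYNACK_RETX_OFFSETS = (1, 3, 7, 15, 31)
WINDOW = 40  # seconds of IPID samples collected after the probe burst


def rst_schedule(outcome, n_syns):
    """Per-second count of RSTs the client emits in response to SYN/ACKs.

    At t=0 the measurement host sends n_syns SYNs to the server carrying the
    client's source address. Each creates a SYN backlog entry; the server
    sends a SYN/ACK at once and retransmits it on SYNACK_RETX_OFFSETS until a
    RST from the client clears the entry. Each SYN/ACK the client actually
    receives provokes exactly one RST.
    """
    rsts = [0] * WINDOW
    for _ in range(n_syns):
        for t in (0,) + SYNACK_RETX_OFFSETS:
            if outcome is Outcome.SERVER_TO_CLIENT:
                break        # SYN/ACKs are filtered on the return path: client sees nothing
            rsts[t] += 1     # SYN/ACK arrives, client answers with a RST
            if outcome is Outcome.NO_DROP:
                break        # RST reaches the server: entry cleared, no retransmission
            # CLIENT_TO_SERVER: the RST is dropped, so the server keeps retransmitting
    return rsts


def simulate_ipid_series(outcome, n_syns, noise_rate=0.0, start=1000, seed=0):
    """IPID values observed at the client: one sample before the probe burst
    and one at the end of each second of WINDOW. noise_rate is the mean number
    of unrelated packets per second the client sends on its own (constructed
    background traffic), drawn from a seeded RNG so runs are reproducible."""
    rng = random.Random(seed)
    ipid = start % IPID_MOD
    samples = [ipid]
    for rsts in rst_schedule(outcome, n_syns):
        noise = sum(1 for _ in range(20) if rng.random() < noise_rate / 20)
        ipid = (ipid + rsts + noise) % IPID_MOD
        samples.append(ipid)
    return samples


def expected_rsts(outcome, n_syns):
    """RSTs the client is expected to send under each hypothesis."""
    per_syn = {Outcome.NO_DROP: 1,
               Outcome.CLIENT_TO_SERVER: 1 + len(SYNACK_RETX_OFFSETS),
               Outcome.SERVER_TO_CLIENT: 0}
    return n_syns * per_syn[outcome]


def ipid_delta(samples):
    """Total IPID increase over the window, tolerant of 16-bit wrap-around."""
    return (samples[-1] - samples[0]) % IPID_MOD


def classify(samples, n_syns, baseline_rate=0.0):
    """Subtract the client's own traffic (baseline_rate packets/s, estimated
    before probing) from the IPID delta and pick the hypothesis whose expected
    RST count is closest. Nearest-count decision; the paper uses an ARMA model
    for the autocorrelated noise instead."""
    seconds = len(samples) - 1
    attributable = ipid_delta(samples) - baseline_rate * seconds
    return min(Outcome, key=lambda o: abs(expected_rsts(o, n_syns) - attributable))


if __name__ == "__main__":
    for outcome in Outcome:
        series = simulate_ipid_series(outcome, n_syns=20, noise_rate=0.5)
        print(f"{outcome.value:55s} delta={ipid_delta(series):4d} "
              f"-> {classify(series, 20, 0.5).value}")
```

The retransmission offsets give the client-to-server case a recognisable time signature (bumps at 1, 3, 7, 15 and 31 s) on top of its larger total, which is why the per-second schedule is kept rather than only the final delta. Note that RST/ICMP injection lands in the same bucket as no drop, exactly as the finding states: the client's RSTs still reach the server, so the backlog entry is cleared after a single RST.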