An ISP-Scale Deployment of TapDance

Without per-site connection limits, popular decoy hosts risk resource exhaustion (Apache's default cap is 150 simultaneous connections); enforcing an initial limit of 30 concurrent clients per site—coordinated across stations via a central collector—kept the median site load at ~5 simultaneous clients, with the 99th-percentile site peaking at 37 after the limit was raised to 45.

§3.5, §4.3, Figure 9 deployment generic

Filtering candidate decoy sites by a minimum 15 KB TCP window eliminated 24% of the initial ~5,500 HTTPS hosts; a 30-second HTTP-timeout floor eliminated a further 11%; and AES-128-GCM cipher-suite support requirements eliminated an average of 32%—together reducing the viable decoy-site pool by approximately 55% before any live reachability tests.

§3.3, Figures 2–3 defense tls-fingerprint generic

The one-week trial served over 50,000 unique users (peak daily count: 57,000) with up to 4,000 concurrent sessions simultaneously, demonstrating that a four-station refraction deployment co-located at two mid-sized network operators can support tens of thousands of real censored users.

§4.2, Figures 4, 7 evaluation generic

The trial explicitly obtained no evidence about TapDance's resistance to adversarial censor countermeasures: its scale and duration were judged small enough that censors likely did not observe it, leaving theoretical censorship-resistance claims unvalidated against active blocking responses.

§2, §6 evaluation active-probingip-blocking generic

TapDance was deployed on four ISP uplinks (two 40 Gbps, two 10 Gbps) using commodity 1U servers running a Rust/PF_RING zero-copy implementation; CPU load remained below 25% while handling a peak of ~14,000 new TLS connections per second across 34 cores, with cumulative mirrored traffic peaking at 55 Gbps across all stations.

§3.1, §4.1, Figure 1 deployment ip-blockingactive-probing generic