2021-bock-weaponizing
findings extracted from this paper
-
Internet-wide IPv4 scanning found 386,187 IP addresses yielding amplification factors ≥ 100× via TCP middlebox reflection, with 82.9% of responses from the top 1 million IPs confirmed as originating from on-path middleboxes rather than endpoints. Nation-state censorship infrastructure dominates: China's GFW alone accounts for approximately 154 million responding IP addresses sharing a 3× RST+ACK (54 bytes each) fingerprint.
-
Censoring middleboxes respond to non-compliant TCP sequences because they must handle asymmetric routing and cannot rely on observing both sides of a connection. The ⟨SYN; PSH+ACK⟩ sequence elicited responses from 69.6% of 184 tested censoring middleboxes with a maximum amplification of 7,455×, while a lone PSH+ACK with no prior handshake elicited responses from 33.2% of middleboxes.
-
Nation-state censors produce characteristic TCP response fingerprints: China's GFW sends 3× RST+ACK (54 bytes each) from ~170 million IPs; Iran's infrastructure sends 402–405-byte FIN+PSH+ACK plus 54-byte RST+PSH+ACK from 8.6 million IPs (75.7% of responsive Iranian addresses); Saudi Arabia sends a 97-byte PSH+ACK plus 2× 1,354-byte PSH+ACKs at 18.9× amplification from 400,000+ IPs. Most nation-state censors produce less than 4× amplification due to compact block pages.
-
Routing loops within censoring infrastructure create effectively infinite TCP amplification: 53,041 of the top 1 million responding IP addresses showed routing loop behavior spanning 2,763 /24 prefixes. Two Russian ISP censorship systems with infinite routing loops continuously sent amplified traffic for approximately 6 days after a single 2-packet trigger sequence, and 6 GFW IP addresses in China sent data indefinitely.
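
For a defender triaging reflected traffic, the response fingerprints listed above for China, Iran and Saudi Arabia can be matched against unsolicited inbound TCP packets grouped by source. This is an added example, not code from the paper; the record layout, function names and sample packets are assumptions constructed here, and each source's packets are assumed to be one response burst.

```python
from collections import defaultdict

# Fingerprints from the findings above: (TCP flags, min size, max size) per packet.
# Assumption: sizes are measured the same way as the figures quoted above.
FINGERPRINTS = {
    "China (GFW)": [("RST+ACK", 54, 54)] * 3,
    "Iran": [("FIN+PSH+ACK", 402, 405), ("RST+PSH+ACK", 54, 54)],
    "Saudi Arabia": [("PSH+ACK", 97, 97)] + [("PSH+ACK", 1354, 1354)] * 2,
}

def matches(packets, pattern):
    """True if every packet pairs one-to-one with a pattern entry, in any order."""
    if len(packets) != len(pattern):
        return False
    remaining = list(packets)
    for flags, lo, hi in pattern:
        hit = next((p for p in remaining if p[0] == flags and lo <= p[1] <= hi), None)
        if hit is None:
            return False
        remaining.remove(hit)
    return True

def classify(records):
    """Map each source IP to (fingerprint label, total bytes received from it)."""
    by_src = defaultdict(list)
    for src, flags, size in records:
        by_src[src].append((flags, size))
    report = {}
    for src, pkts in by_src.items():
        label = next((name for name, pat in FINGERPRINTS.items()
                      if matches(pkts, pat)), "unmatched")
        report[src] = (label, sum(size for _, size in pkts))
    return report

# Constructed sample: unsolicited inbound TCP packets (documentation addresses).
SAMPLE = [
    ("192.0.2.10", "RST+ACK", 54), ("192.0.2.10", "RST+ACK", 54),
    ("192.0.2.10", "RST+ACK", 54),
    ("198.51.100.7", "RST+PSH+ACK", 54), ("198.51.100.7", "FIN+PSH+ACK", 403),
    ("203.0.113.5", "PSH+ACK", 1354), ("203.0.113.5", "PSH+ACK", 97),
    ("203.0.113.5", "PSH+ACK", 1354),
    ("203.0.113.99", "RST", 54),
]

if __name__ == "__main__":
    for src, (label, nbytes) in classify(SAMPLE).items():
        print(f"{src:15} {label:13} {nbytes} bytes")
```

A label here is a triage hint for grouping sources, not attribution: short RST bursts are common on the Internet, and a source caught in a routing loop sends far more packets than one burst and will show as unmatched.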