2025-sheffey-extended
findings extracted from this paper
- Two of the 8 handshake-accepting injected IPv4 addresses host active services reachable both inside and outside China: 103.230.123.190 runs OpenSSH 8.2p1 on port 22, and 103.246.246.144 redirects 0.164% of all censored-domain requests to a website serving forbidden adult content.
- The authors recommend that users encrypt DNS queries (DoT or DoH) to prevent the GFW's on-path injectors from intercepting and poisoning them, and additionally block all outgoing traffic to the known pool of GFW-injected IP addresses to avoid silently connecting to potentially surveillance-oriented infrastructure.
- GFW DNS AAAA responses for censored domains return 622 IPv6 addresses: 30 from Facebook's 2a03:2880::/32 network (all sharing the interface identifier face:b00c:0:25de), and 592 malformed Teredo addresses in the 2001::/32 range that directly hex-encode entries from the IPv4 pool in the lower 32 bits rather than following the RFC 4380 Teredo structure. The Teredo addresses' server IPv4 (0.0.0.0) and port (0) fields are nonsensical.
- Of 1922 IPv4 addresses collected from GFW-injected DNS A responses to 5,000 queries for censored domains, 8 (0.4%) actually accepted TCP handshakes when probed from within China. The other 1914 addresses were either silent or unreachable.
- Six injected IPv4 addresses (8.7.198.46, 39.109.122.128, 46.82.174.69, 59.24.3.174, 93.46.8.90, 103.97.3.19) accept TCP SYN→SYN+ACK from within China but immediately reply RST when the client sends application data (PSH flag). These hosts mirror IPID values from probe packets, show no response from outside China, and appear to operate statelessly — suggesting GFW-controlled surveillance infrastructure that collects connection metadata without revealing itself.
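The two IPv6 findings above (the shared Facebook-range interface identifier, and the malformed Teredo addresses that carry a pool IPv4 in their low 32 bits with zeroed server and port fields) and the recommendation to block the injected pool can be turned into a resolver-side detector. The following is an added example, not code from the paper or its authors: it decodes a 2001::/32 address into its RFC 4380 fields, checks whether the answer matches either injection signature, and recovers the embedded IPv4 so it can be matched against the pool. The `INJECTED_IPV4_POOL` set is only the handful of addresses named on this page, standing in for the paper's full pool, and the sample IPv6 answers are constructed from the paper's description of the address layout rather than taken from captured responses.

```python
import ipaddress

# Signatures taken from the paper's description of GFW-injected AAAA answers.
FACEBOOK_PREFIX = ipaddress.ip_network("2a03:2880::/32")
FACEBOOK_IID = 0xFACE_B00C_0000_25DE      # interface identifier shared by all 30 injected answers
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")

# Subset of the injected IPv4 pool: only the addresses named on this page (assumption:
# a real deployment would load the full pool from the paper's dataset).
INJECTED_IPV4_POOL = {
    "8.7.198.46", "39.109.122.128", "46.82.174.69", "59.24.3.174",
    "93.46.8.90", "103.97.3.19", "103.230.123.190", "103.246.246.144",
}


def teredo_fields(addr):
    """Split a 2001::/32 address into its RFC 4380 fields.

    Layout (high to low): 32-bit prefix | 32-bit server IPv4 | 16-bit flags |
    16-bit port XOR 0xFFFF | 32-bit client IPv4 XOR 0xFFFFFFFF.
    Returns (server_ipv4, flags, port, client_ipv4) with addresses as strings.
    """
    n = int(ipaddress.IPv6Address(addr))
    server = str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF))
    flags = (n >> 48) & 0xFFFF
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
    client = str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF))
    return server, flags, port, client


def classify(answer):
    """Classify one A/AAAA answer.

    Returns (verdict, embedded_ipv4): verdict is one of
    'ok', 'teredo', 'injected-pool', 'injected-facebook-iid',
    'injected-malformed-teredo'; embedded_ipv4 is the pool address recovered
    from a malformed Teredo answer, else None.
    """
    addr = ipaddress.ip_address(answer)
    if addr.version == 4:
        return ("injected-pool" if str(addr) in INJECTED_IPV4_POOL else "ok", None)

    n = int(addr)
    if addr in FACEBOOK_PREFIX and (n & ((1 << 64) - 1)) == FACEBOOK_IID:
        return ("injected-facebook-iid", None)

    if addr in TEREDO_PREFIX:
        server, _flags, _port, _client = teredo_fields(addr)
        # The injected answers do not obfuscate the client field: the low 32 bits
        # are a pool IPv4 written directly, and the server field is 0.0.0.0.
        raw_low = str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
        if server == "0.0.0.0" and raw_low in INJECTED_IPV4_POOL:
            return ("injected-malformed-teredo", raw_low)
        return ("teredo", None)

    return ("ok", None)


def filter_answers(answers):
    """Drop injected answers from a resolver result set; keep everything else."""
    kept, dropped = [], []
    for a in answers:
        verdict, _ = classify(a)
        (dropped if verdict.startswith("injected-") else kept).append(a)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample answers: a malformed Teredo answer embedding 8.7.198.46
    # (0x0807c62e) in the low 32 bits, a Facebook-range answer with the shared
    # interface identifier, a pool IPv4, and two ordinary answers.
    sample = [
        "2001::807:c62e",
        "2a03:2880::face:b00c:0:25de",
        "8.7.198.46",
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # well-formed Teredo (RFC 4380 layout)
        "2606:4700::1111",
    ]
    for a in sample:
        print(a, "->", classify(a))
    print("kept/dropped:", filter_answers(sample))
```

Note that the legitimate Teredo check relies on the server field being non-zero and the client field being XOR-obfuscated; an injected answer fails the first condition and exposes the pool address without the XOR, which is exactly the layout mismatch the paper reports.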