TECHNIQUES
ip-blocking IP-list blocking
Synonyms: IP blocking, blocklist
85 papers on file
- 2025-iran-shutdown-measurement Characterizing Iran's Phased National Internet Shutdown in 2025: A Progressive and Distributed Action
- 2026-article19-tightening-the-net Tightening the Net: China's Infrastructure of Oppression in Iran
- 2026-brussee-reverse-great-firewall Conceptualizing the reverse great firewall: cybersecurity and the logics of government geo-blocking in China
- 2026-edorh-shieldshare ShieldShare: Building a VPN-backed Android Hotspot for Secure Internet Sharing with Per-User Traffic Accounting
- 2026-ermao-april-airport-outage 2026年四月机场断线潮详解:通报、拔线与涨价预期下,普通用户该怎么应对 / Anatomy of the April 2026 China VPN-Reseller Outage Wave
- 2026-free-the-internet-iran-internet-shutdown Iran: Internet shutdown from 18:45 UTC 8 January 2026
- 2026-gusgustavo-iran-internet-shutdown Iran: Internet shutdown from 7 UTC 28 February 2026
- 2026-kang-censorless-serverless CensorLess: Cost-Efficient Censorship Circumvention Through Serverless Cloud Functions
- 2026-khanlari-iranian-ios-stores Taking a Bite Out of the Forbidden Fruit: Characterizing Third-Party Iranian iOS App Stores
- 2026-wkrp-internet-pro-tiered "Internet Pro", tiered access in Iran
- 2025-amnesty-pakistan-shadows Shadows of Control: Censorship and mass surveillance in Pakistan
- 2025-hyperion-cs-censor-has-new Censor has a new method of blocking
- 2025-interseclab-internet-coup The Internet Coup
- 2025-jfm-silk-road-surveillance Silk Road of Surveillance
- 2025-lange-i-ra-nconsistencies I(ra)nconsistencies: Novel Insights into Iran's Censorship
- 2025-miaan-stealth-blackout Iran's Stealth Blackout: A Multi-stakeholder Analysis of the June 2025 Internet Shutdown
- 2025-piotrowska-nym-iran-blackout Nym Report on Iran's Recent Internet Blackouts (June 2025): What it Means for Censorship Resistance and NymVPN
- 2025-sharma-cenpush CenPush: Blocking-Resistant Control Channel Using Push Notifications
- 2025-tai-irblock IRBlock: A Large-Scale Measurement Study of the Great Firewall of Iran
- 2025-wendzel-survey A Survey of Internet Censorship and its Measurement: Methodology, Trends, and Challenges
- 2024-hoang-gfweb GFWeb: Measuring the Great Firewall's Web Censorship at Scale
- 2023-bischof-destination Destination Unreachable: Characterizing Internet Outages and Shutdowns
- 2023-gfw-blocking-1111 The blocking of 1.1.1.1 in China, starting from 2023-10-01
- 2023-katira-censorwatch CensorWatch: On the Implementation of Online Censorship in India
- 2023-master-worldwide A Worldwide View of Nation-state Internet Censorship
- 2023-nourin-measuring Measuring and Evading Turkmenistan's Internet Censorship
- 2023-ververis-website Website blocking in the European Union: Network interference from the perspective of Open Internet
- 2021-padmanabhan-multi-perspective A multi-perspective view of Internet censorship in Myanmar
- 2020-alharbi-opening Opening Digital Borders Cautiously yet Decisively: Digital Filtering in Saudi Arabia
- 2020-minaei-moneymorph MoneyMorph: Censorship Resistant Rendezvous using Permissionless Cryptocurrencies
- 2020-nasr-massbrowser MassBrowser: Unblocking the Censored Web for the Masses, by the Masses
- 2020-raman-measuring Measuring the Deployment of Network Censorship Filters at Global Scale
- 2020-ramesh-decentralized Decentralized Control: A Case Study of Russia
- 2020-singh-india How India Censors the Web
- 2019-hoang-measuring Measuring I2P Censorship at a Global Scale
- 2019-ververis-shedding Shedding Light on Mobile App Store Censorship
- 2018-hoang-empirical An Empirical Study of the I2P Anonymity Network and its Censorship Resistance
- 2018-hounsel-automatically Automatically Generating a Large, Culture-Specific Blocklist for China
- 2018-martiny-proof-of-censorship Proof-of-Censorship: Enabling centralized censorship-resistant content providers
- 2018-mcdonald-403 403 Forbidden: A Global View of CDN Geoblocking
- 2018-tschantz-bestiary A Bestiary of Blocking: The Motivations and Modes behind Website Unavailability
- 2018-yadav-where Where The Light Gets In: Analyzing Web Censorship Mechanisms in India
- 2017-cho-churn A Churn for the Better: Localizing Censorship using Network-level Path Churn and Network Tomography
- 2017-darer-filteredweb FilteredWeb: A Framework for the Automated Search-Based Discovery of Blocked URLs
- 2017-gebhart-internet Internet Censorship in Thailand: User Practices and Potential Threats
- 2017-gosain-mending Mending Wall: On the Implementation of Censorship in India
- 2017-heydari-scalable Scalable Anti-Censorship Framework Using Moving Target Defense for Web Servers
- 2017-lu-accessing Accessing Google Scholar under Extreme Internet Censorship: A Legal Avenue
- 2017-morshed-when When the Internet Goes Down in Bangladesh
- 2017-ververis-internet Internet Censorship Capabilities in Cyprus: An Investigation of Online Gambling Blocklisting
- 2017-weinberg-topics Topics of Controversy: An Empirical Analysis of Web Censorship Lists
- 2016-aceto-analyzing Analyzing Internet Censorship in Pakistan
- 2016-al-saqaf-internet Internet Censorship Circumvention Tools: Escaping the Control of the Syrian Regime
- 2016-fifield-censors Censors' Delay in Blocking Circumvention Proxies
- 2016-zarras-leveraging Leveraging Internet Services to Evade Censorship
- 2015-ensafi-analyzing Analyzing the Great Firewall of China Over Space and Time
- 2015-gill-characterizing Characterizing Web Censorship Worldwide: Another Look at the OpenNet Initiative Data
- 2015-holowczak-cachebrowser CacheBrowser: Bypassing Chinese Censorship without Proxies Using Cached Content
- 2015-marczak-analysis An Analysis of China's "Great Cannon"
- 2015-tanash-known Known Unknowns: An Analysis of Twitter Censorship in Turkey
- 2014-chaabane-censorship Censorship in the Wild: Analyzing Internet Filtering in Syria
- 2014-jones-automated Automated Detection and Fingerprinting of Censorship Block Pages
- 2014-khattak-look A Look at the Consequences of Internet Censorship Through an ISP Lens
- 2013-dalek-method A Method for Identifying and Confirming the Use of URL Filtering Products for Censorship
- 2013-fifield-oss OSS: Using Online Scanning Services for Censorship Circumvention
- 2013-hasan-building Building Dissent Networks: Towards Effective Countermeasures against Large-Scale Communications Blackouts
- 2013-invernizzi-message Message In A Bottle: Sailing Past Censorship
- 2013-nabi-anatomy The Anatomy of Web Censorship in Pakistan
- 2013-wachs-feasibility On the Feasibility of a Censorship Resistant Decentralized Name System
- 2012-anderson-hidden The Hidden Internet of Iran: Private Address Allocations on a National Network
- 2012-wang-censorspoofer CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing
- 2012-winter-great How the Great Firewall of China is Blocking Tor
- 2012-wright-regional Regional Variation in Chinese Internet Filtering
- 2011-kathuria-bypassing Bypassing Internet Censorship for News Broadcasters
- 2011-seltzer-infrastructures Infrastructures of Censorship and Lessons from Copyright Resistance
- 2011-shklovski-online Online Contribution Practices in Countries that Engage in Internet Blocking and Censorship
- 2010-mahdian-fighting Fighting Censorship with Algorithms
- 2008-aycock-good "Good" Worms and Human Rights
- 2006-clayton-failures Failures in a Hybrid Content Blocking System
- 2005-perng-censorship Censorship Resistance Revisited
- 2004-danezis-economics The Economics of Censorship Resistance
- 2003-dornseif-government Government mandated blocking of foreign Web content
- 2001-stubblefield-dagster Dagster: Censorship-Resistant Publishing Without Replication
- 2001-waldman-tangler Tangler: A Censorship-Resistant Publishing System Based On Document Entanglements
- 2000-waldman-publius Publius: A robust, tamper-evident, censorship-resistant web publishing system
436 findings tagged here
-
The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.
-
Chinese users treat full proxy/VPN (Shadowsocks, V2Ray/Clash, commercial VPNs) as the '终极大杀器' (ultimate solution) for bypassing GitHub DNS poisoning, implying that lighter-weight DNS-only fixes fail in some network environments where the censor adds firewall-layer blocking beyond DNS.
-
Rule-based proxy tools (Clash, Shadowsocks, V2Ray) are documented as the most reliable solution for accessing GitHub from China, with split-tunneling rules routing only GitHub traffic through the proxy while keeping domestic traffic on the direct path. Git command-line tools require explicit proxy configuration (git config --global http.proxy http://127.0.0.1:7890) to route clone/push operations, as they do not inherit system proxy settings automatically.
-
The GFW blocks GitHub via DNS poisoning across at least four domains — github.com, assets-cdn.github.com, github.global.ssl.fastly.net, and raw.githubusercontent.com — causing connection timeouts and page-load failures for mainland China users. The block is persistent as of February 2026, affecting both browser access and command-line git operations.
-
LetsVPN's exit is described as part of a broader pattern: a wave of 'airport' (proxy subscription service) outages across multiple providers in April 2026, documented in a companion article titled '2026年四月份各大机场断线详解' (A Detailed Explanation of the April 2026 Outages Across Major Airports), indicating coordinated or systematic GFW blocking affecting the circumvention ecosystem broadly during this period.
-
The article documents that large-scale 'one-click' commercial VPN providers with static protocol stacks have become effectively non-viable in China, while subscription-based proxy node services using open-source clients (Clash, Shadowrocket) with server-side rapid IP and datacenter switching demonstrate substantially greater resilience to GFW blocking waves.
-
Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.
-
Article 19 documents that Iran combines technical filtering with formal coercion of major foreign platforms (including Telegram, Instagram, and WhatsApp) to comply with content removal orders under threat of full blocking. The report notes that Iran's 2022 Women Life Freedom protests accelerated platform blocking when foreign operators refused compliance, demonstrating that the censorship system operates in two modes: coerce-and-allow for compliant platforms, block for non-compliant ones. Domain fronting via these platforms is therefore subject to sudden revocation if political conditions change.
-
Brussee measures a systematic pattern of Chinese government websites actively blocking access from outside China (the "reverse Great Firewall"), publishing a CSV dataset of affected domains (available at zenodo.org/records/18172145). The paper frames this outbound geo-blocking as a cybersecurity-motivated practice — Chinese authorities classify foreign access to domestic government infrastructure as an attack surface — distinct from the inbound information control goal of the GFW.
-
Brussee develops a conceptual framework distinguishing two logics of government geo-blocking: (1) information control (blocking inbound foreign content from domestic users) and (2) data sovereignty / attack-surface reduction (blocking outbound access by foreign actors to domestic systems). Chinese government site blocking of external IPs is motivated primarily by the second logic, creating an asymmetric internet topology where CN citizens cannot reach the outside world, and outside actors cannot probe CN government infrastructure.
-
ShieldShare demonstrates that an Android application can route all hotspot-client traffic through a VPN tunnel without root access by using a SOCKS5/HTTP/HTTPS proxy layer between the hotspot and the VPN, with per-client traffic accounting and quota management. The system works because Android's native hotspot does not forward VPN routing tables to connected clients; ShieldShare interposes a proxy that handles this. Released as open-source.
-
ShieldShare's modular architecture (VPN detection, hotspot management, HTTP/HTTPS/SOCKS5 proxy forwarding, traffic metering) shows that community-proxy deployment on commodity Android hardware is technically feasible without root, and that accurate per-client bandwidth allocation and accounting can be maintained under that no-root constraint. The evaluation confirms reliable routing of client traffic through VPN tunnels.
-
The April 2026 enforcement wave against Chinese VPN resellers operates primarily through administrative "reporting + line-cutting" (通报+拔线) mechanisms enforced via Ministry of Industry and Information Technology bulletins, not packet-level DPI changes. Operators report that newly acquired upstream resources are reported and cut with recovery periods described as "uncontrollable," and that upstream providers typically do not refund resellers after enforcement actions.
-
China Telecom Group issued directives to Guangdong Telecom requiring comprehensive rectification of cross-border dedicated-line (IEPL/跨境专线) services used for circumvention. Guangzhou launched enforcement first; other Guangdong cities were expected to follow, threatening widespread IEPL line interruptions for providers using Guangdong Telecom as their domestic ingress.
-
China Telecom Group reportedly issued directives to Guangdong Telecom in April 2026 requiring comprehensive rectification of cross-border leased-line (IEPL/专线) businesses used for circumvention, with Guangzhou leading enforcement and other Guangdong cities expected to follow sequentially. The targeting is infrastructure-class-specific (IEPL lines as a category) rather than generalized protocol blocking.
-
The dominant enforcement mechanism in April 2026 was administrative 'reporting + line-cutting' (通报 + 拔线) backed by MIIT bulletins, not protocol-level DPI changes. Operators reported that newly acquired upstream resources were reported to authorities quickly after acquisition, recovery timelines were uncontrollable, and some upstream providers refused refunds after enforcement actions, producing sustained capacity contraction across the shared VPN-reseller ecosystem.
-
The April 2026 enforcement cycle created a resource-scarcity feedback loop: upstream providers cut lines with no obligation to refund resellers, newly acquired replacement resources can themselves be reported and cut within days, and stable-resource availability windows are described as "越来越短" (increasingly short) while costs rise concurrently. The overall effect is systemic capacity contraction forecast to continue through at least May 2026.
-
Shared domestic-entry transit architectures (国内入口 + 海外转发) suffered disproportionate impact because all nodes sharing a single domestic entry point went down simultaneously when that entry was reported and cut. Operators described configurations degrading from 'three-line redundancy to single entry,' eliminating failover capacity under enforcement pressure.
-
Transit/relay architectures (国内入口 + 海外转发) suffered disproportionate impact because multiple nodes share a single domestic entry point: when that entry is reported or cut, the entire batch of nodes fails simultaneously. Operators described this as "三线变单线" (three-line to single-line collapse), with only direct-connect fallback remaining — at higher latency and with worse peak-hour performance.
-
Iran executed a full-stack internet shutdown beginning at 18:45 UTC on January 8, 2026, withdrawing BGP prefix announcements nationwide and causing routing failures that prevented clients from completing TCP handshakes. Traffic dropped to effectively zero within hours of the shutdown's onset.
-
During Iran's near-complete February 2026 shutdown, DNS-based tunneling (dnstt over UDP port 53) was identified by the community as the only functioning circumvention method, with participants successfully sharing public dnstt server configurations to maintain connectivity.
-
Iran experienced a near-complete internet shutdown on February 28, 2026 beginning at approximately 07:00 UTC, with Cloudflare Radar measuring ~98% connectivity loss relative to the previous week, affecting Tehran, Fars, Isfahan, Alborz Province, and Razavi Khorasan simultaneously.
-
Community experimentation during the February 2026 Iran shutdown revealed heterogeneity across ISPs in what survived: participants tested different DNS resolvers and ISPs to find working dnstt paths, indicating the BGP withdrawal was not perfectly uniform across all Iranian autonomous systems.
-
CensorLess's function refresher automatically retires serverless bridges and deploys fresh ones in batches across diverse regions; the expected time until a bridge is identified and blocked in practice is 2 days (per Fifield et al.), while Tor bridges in China are discovered within 2–36 days. The old bridge is only removed after all clients have completed live migration to a new URL, maintaining uninterrupted connectivity.
-
CensorLess's threat model explicitly relies on a rational-censor assumption: the censor will not block entire cloud-provider IP ranges or domain namespaces because the collateral damage to legitimate business services would be politically and economically unacceptable. AWS Lambda's inherent IP-address ephemerality (new IPs on each invocation, function lifetime up to 15 minutes) means even censors willing to attempt enumeration face a continuously shifting target distributed across the cloud provider's global address space.
-
CensorLess vanilla mode costs $0.27/month for a single proxy processing 6.76 GB of traffic monthly, a 97.1% reduction (34.4×) over SpotProxy's optimal single-NIC configuration ($9.28/month). The private mode, which adds a t4g.micro EC2 VPS for end-to-end encryption via SOCKS, costs $3.41/month — still 63.3% cheaper than SpotProxy's cheapest option. Costs remain below $3.50/day even when scaling to 300 proxies.
-
The paper documents the compounding effect of U.S. sanctions and Iranian state censorship on app distribution: sanctions block Iranian users from Apple's App Store via IP/payment geolocation, while Iranian censorship simultaneously blocks Apple's CDN endpoints for app downloads. The combined effect forces 100% of iOS app distribution in Iran through unofficial channels, making the sanctions-censorship interaction a structural condition rather than an edge case.
-
The study finds that apps distributed via Iranian third-party iOS stores frequently contain embedded third-party tracking SDKs and piracy libraries inserted during repackaging, and that cracked/modified binaries have stripped or replaced code-signing certificates with enterprise distribution certificates. The paper quantifies developer revenue loss from piracy and documents that the repackaging process introduces both surveillance and integrity risks that users are generally unaware of.
-
Khanlari and Rahmati conduct the first comprehensive empirical study of Iranian third-party iOS app stores, collecting over 1,700 iOS app packages from three major stores. The ecosystem emerged because U.S. sanctions barred Iranian users and developers from accessing Apple's App Store and developer services, while Iranian censorship simultaneously blocked official app download infrastructure. The stores distribute both Iranian-exclusive apps (unavailable on the App Store) and cracked/modified versions of paid international apps.
-
DNS censorship of encrypted protocols is inconsistent in both China and Iran. In China, Yandex resolvers are censored only when the SNI extension is present; omitting SNI bypasses censorship for these resolvers. In Iran, DoH requires SNI omission for Quad9, Google, Adguard, CleanBrowsing, and NextDNS resolvers, but works with SNI for Yandex and Cisco resolvers. These inconsistencies suggest resolvers have been accidentally missed by censors, highlighting the value of automated tools that trial all resolver-mode combinations rather than hard-coding a single strategy. The support evaluation found 47 resolvers supporting DoH, 16 supporting DoH3, and only 8 supporting DoQ out of ~65 tested.
-
DPYProxy-DNS tested 8 circumvention modes against DNS censorship from vantage points in Iran (AS201295, Mashhad) and China (AS4837, China Unicom). In Iran, DoQ was entirely uncensored even with the SNI extension present; DoH3 worked for all Cloudflare and NextDNS resolvers. Iran's censor operates in-path (not on-path like the GFW), making the "Last Response" mode (wait 3s for the last UDP reply) ineffective in Iran but highly effective in China. Auto-mode averaged 12.32s (median 8.28s) in Iran and 13.78s (median 12.90s) in China to discover a working combination.
-
CAPTCHAs co-occurred with 'Resource Inaccessible' in 70% of CAPTCHA reports and appeared in 23% of all 'Resource Inaccessible' reports; overall 14% of the 119 reports involved one or both problems. Two CAPTCHA failure modes were identified: excessive repetitive CAPTCHAs and broken CAPTCHA servers that made the underlying website permanently inaccessible. The 'Unusual traffic detected from your computer' Google error appeared in 5% of all reports.
-
17% of ReporTor reports cited broken content; investigation found that several websites returned HTTP 403 errors through Tor Browser but loaded normally in Firefox, revealing deliberate differential treatment of Tor traffic masquerading as technical failure. Blocked resources included advertising platforms (e.g., t.co) and JavaScript files handling cookie-consent dialogs, and 8% of reports involved authentication failures where initial page load succeeded but subsequent auth steps were silently refused.
-
Two mechanistically distinct blocking categories account for Tor exit-node inaccessibility: explicit blocks (deliberate CDN/WAF configuration, e.g., Akamai Bot Manager renders AirBnB inaccessible over Tor) and dynamic blocks (abuse-detection systems that flag Tor exit-node IPs because pooled traffic from diverse users raises apparent abuse scores, triggering rate-limiting or blocking despite no explicit Tor policy). Cloudflare does not block Tor by default, but its aggressive IP scoring results in disproportionate blocking in practice.
-
'Resource Inaccessible' was the most frequently reported issue (61% of 119 submitted reports) during a month of naturalistic Tor Browser browsing, followed by CAPTCHAs (18%), Broken Content (17%), Other Issues (13%), and Timeouts (5%). These categories document the operational failure modes that degrade everyday Tor Browser usability beyond protocol-level censorship.
-
DPYProxy-DNS's automated probe-and-select mode identified a working DNS circumvention in an average of 13.78 seconds (median 12.90s) in China and 12.32 seconds (median 8.28s) in Iran across 100 runs each; best-case startup was 0.32s (China) and 0.47s (Iran) when the first-tried combination succeeded, while worst-case exceeded 30.72s in China and 58.16s in Iran due to the slow Last Response mode (3s fixed wait per attempt) being selected early in the randomized probe order.
-
The GFW operates as an on-path censor that injects forged DNS responses faster than the real resolver but cannot suppress the legitimate response from also arriving. Waiting approximately 3 seconds and accepting the last-received UDP response circumvented GFW DNS injection for 40 of 41 tested public resolvers in China; the single exception (Cloudflare 1.1.1.1) was IP-blocked via packet dropping rather than injection racing.
-
MITM-DomainFronting reached 1.8k GitHub stars and 170 forks by May 2026 and was merged into Xray-core mainline (PR XTLS/Xray-core#4348), making it deployable via a standard v2rayN/v2rayNG JSON config with no separate install step. The author additionally notes that Gemini explicitly IP-blocks Iranian addresses, demonstrating that certain Google services enforce IP-geolocation blocking at the application layer — a layer that SNI-based CDN fronting cannot bypass regardless of the fronted SNI.
-
The GNL reveals that Geedge actively maintains dedicated VPN-infrastructure tracking datasets. The China-specific component includes 7,016 domains in a "vpn-finder-plugins" repository (mesalab_git/intelligence-learning-engine), 4,810 NordVPN server domains, and a Pakistan-specific file listing 68 Psiphon CDN domains (geedge_docs/TSGEN/.../Psiphon-CDN_20240430.json) dated April 2024. A Myanmar deployment file (M22-VPN List.html, 27 domains) further confirms country-specific VPN blocklists are operationally maintained. The "Appsketch" program reverse-engineers VPN apps to extract domains and IP addresses for blocking.
-
Obscura proxies resist active probing by never exposing open ports or accepting incoming connections; combined with a large ephemeral volunteer pool (analogous to Snowflake's scale), the vast IP address space and rapid proxy rotation make exhaustive enumeration infeasible without causing sufficient collateral damage to deter the censor — consistent with the absence of observed blind-blocking campaigns against Snowflake.
-
IODA Active Probing shows Iran's global Internet connectivity dropped to approximately 3% on February 28, 2026, and had not recovered as of the report date (59+ days). This matches the near-3% floor seen during the January 2026 protests shutdown, establishing a repeatable operational baseline for the regime's tiered blocking posture.
-
Iran officially unveiled 'Internet Pro' on April 14, 2026: a permanent tiered-access system granting selective unfiltered international connectivity to state actors and approved businesses at ~10x normal pricing (~$1–3/GB), while restricting the general population to the National Information Network (NIN). This institutionalizes what the regime frames as 'Internet Sovereignty,' converting international access from a general right to a government-granted privilege.
-
IODA telescope and Google Product signals, corroborated by Cloudflare Radar and Kentik traffic data, show selective whitelist restoration: Google Search and Images are accessible via the NIN while Google Maps is not, and IranCell (AS44244) shows a slight diurnal Telescope traffic increase consistent with 'Internet Pro' access—demonstrating that selective per-service and per-ASN whitelisting is operationally active.
-
The economic cost of Iran's ongoing Internet shutdown is estimated at 40 million USD per day (FactNameh), with the digital retail sector collapsing and approximately 10 million Iranians dependent on the digital economy losing access. VPN workarounds under 'Internet Pro' pricing are prohibitively expensive, rendering circumvention economically unviable for the general population.
-
During the June 2025 Israel-Iran war, IODA observed that BGP routing announcements remained largely intact while Active Probing and Telescope signals showed a near-total Internet blackout—a 'stealth blackout' technique that hides shutdown actions behind maintained routing infrastructure. This pattern was replicated in the February 28, 2026 shutdown, where Active Probing dropped to ~3% while BGP remained stable.
-
PCAP analysis from inside Russia confirmed the filter is fingerprint-based, not IP-based: every failed DTLS connection shared the same JA3/JA4 fingerprint, while a single connection with a different JA3/JA4 fingerprint succeeded and sustained full-speed data transfer, eliminating the hypothesis that censors had enumerated the large proxy IP space.
-
An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.
-
Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.
-
MCCI (AS197207) blocks proxy IPs proportionally to observed connection volume: the more connections a phantom IP receives, the faster it gets blocked. A controlled experiment with a fresh /27 IPv4 subnet divided into 7 /30 sub-ranges with increasing weights confirmed that higher-weighted subnets were blocked first, demonstrating that the censor infers proxy IP reputation from traffic rate rather than from a static blocklist.
-
The report documents IMSI-catcher and mobile-network interception deployments in Pakistan that complement fixed-line DPI infrastructure. Mobile broadband users (dominant internet access mode in Pakistan) face surveillance at both the carrier level and via OTT platform coercion, with major platforms (YouTube, Twitter/X, TikTok) receiving and complying with blocking and content takedown orders from PTA, reducing the scope of accessible content even for users not running circumvention tools.
-
Pakistan's PECA (Prevention of Electronic Crimes Act) and PTA (Pakistan Telecommunication Authority) regulations grant authority to block content without court orders, enabling the deployment of a persistent national filtering infrastructure. The report documents 11,000+ URLs blocked by PTA and confirms that VPN use and circumvention tools are among the targeted categories, with blocking orders issued under national security grounds.
-
Amnesty International's 102-page investigation identifies a multi-vendor surveillance stack deployed in Pakistan: Chinese DPI (Geedge/MESA-derived), Canadian social-media monitoring (Netsweeper), and Emirati commercial spyware (Pegasus and FinFisher). The system enables deep packet inspection, SNI-based filtering, and traffic-shape classification at national scale, including targeted interception of encrypted messaging apps and VPN traffic.
-
The Russian DPI maintains two whitelists that exempt flows from the freeze: (1) a SNI-based whitelist covering select domains (visible in the TLS ClientHello), and (2) a CIDR-based whitelist of IP subnets for trusted destination servers. The SNI whitelist can be exploited by VLESS+Reality clients using an allowed SNI value as the apparent destination; the CIDR whitelist requires routing through an IP from a whitelisted prefix, making circumvention 'extremely difficult' without an intermediate node in a whitelisted subnet.
-
Russia's mobile operators (MTS, Beeline, MegaFon, Yota) deployed a TCP connection-freezing technique in mid-2025 that silently halts packet delivery after approximately 15–20 KB of server-to-client data within a single TCP connection, without sending RST packets, causing clients to stall until timeout. The trigger requires: (1) TLS 1.3 or TLS 1.2 over TCP, (2) destination IP located in a foreign datacenter ASN (e.g., Hetzner, DigitalOcean), and (3) cumulative in-connection payload exceeding the threshold.
-
InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.
-
Justice for Myanmar documents that Geedge Networks supplied Myanmar's military junta with GFW-derived surveillance and censorship infrastructure under Belt and Road frameworks following the February 2021 coup. The deployed system (Tiangou Secure Gateway / TSG) incorporates the same DPI, active-probing, and ML-classifier capabilities as the domestic Chinese GFW, giving Myanmar one of the most technically capable censorship systems in Southeast Asia.
-
The report documents that Myanmar's military has used its TSG-based infrastructure to execute targeted throttling and selective shutdowns of specific services and platforms, not only blanket internet shutdowns. This includes selective disruption of VPNs and circumvention tools during periods of civil unrest, demonstrating that Myanmar's censors have operationalized the granular per-service traffic control capabilities documented in the Geedge/MESA leak.
-
Iran's DNS censor injects a correct, static IP address for 385 domains across 10 groups — including 372 Google-related domains (resolving to 216.239.38.120), 2 Bing domains, 2 DuckDuckGo domains, Yandex, CIA, MI5, and Mossad. This previously unreported behavior likely enables surveillance (routing traffic to a controlled IP) or rapid follow-on blocking (nullrouting the injected static IP is cheaper than maintaining DPI rules per domain).
-
Russian transit censorship propagates to ASNs outside Russia: ASN 216071 (Netherlands) shows 38 top-10k URLs with 59% confirmed blockpage rate, ASN 6939 (Sweden) shows 4 URLs at 75%, and ASN 3214 (Germany) shows 4 URLs at 75%, all attributable to peering with Russian ASNs known to employ transit censorship.
-
Venezuela and Cuba exhibit average unblocked rates of 68.83% and 69.70% respectively across 461,114 and 5,501 OONI tests, placing roughly 31% and 30% of probes as blocked — censorship rates comparable to documented heavy-censor states — despite being routinely excluded from standard censoring-country lists.
-
Among the most commonly transit-censored popular URLs (top-10k rank, ≥90% confirmed blockpage rate from Russian transit ASNs, not blocked elsewhere in those countries), turbovpn.com appears alongside Russian opposition news and social-media pages, demonstrating that Russia's VPN-blocking lists propagate into foreign transit ASNs.
-
Ceno Browser's decentralized peer-to-peer network grew from approximately 600 active peers on June 13 to nearly 8,000 by July 11, 2025 — a 13× increase in under 30 days — with some Ceno connections remaining online throughout the full blackout, indicating that P2P architectures without fixed enumerable infrastructure can survive centralized application-layer shutdowns.
-
Lantern's proxyless protocol accounted for approximately 40% of its traffic during the June 2025 Iran shutdown, demonstrating that a direct-server / proxyless transport mode provided a significant load-bearing fallback when conventional proxy infrastructure was blocked by centralized DPI enforcement.
-
Iran's June 2025 shutdown enforced a four-layer DPI topology: ISP-administered DPI boxes, centrally commanded DPI at large ISPs under the Communications Regulatory Authority, DPI at Tehran IX that filters domestic-only transit traffic, and DPI at internationally-linked networks — almost all funneling through AS48159 (Telecommunications Infrastructure Company, TIC).
-
IP blocking during the June 2025 Iran shutdown targeted large portions of address space belonging to major VPS hosting providers — Hetzner, DigitalOcean, Linode, and others — commonly used to host VPN and proxy servers, with small exceptions carved out for infrastructure deemed critical.
-
Chinese browsers transmit GPS coordinates alongside persistent user IDs (IMEI, GAID, CUID) and client IPs to vendor servers with poor transport security; an attacker with access to this stream can trivially detect VPN use without any DPI—GPS coordinates placing a user inside China combined with a non-Chinese client IP is an unambiguous VPN-use signal. This correlation attack succeeds against VPNs with perfect traffic obfuscation because the detection side-channel is entirely outside the encrypted tunnel.
-
The blocking-resistance of CenPush derives from the collateral damage a censor would incur by blocking APNs or FCM: doing so would break push notifications for every app on iOS or Android respectively. This is the same collateral-damage deterrent mechanism that makes CDN-based domain fronting and TLS-over-CDN transports resilient, applied to the control plane rather than the data plane.
-
CenPush uses mobile platform push-notification services (APNs, FCM) as a blocking-resistant control channel for distributing fresh proxy IPs and client configuration to users in censored regions. Push notification infrastructure is already widely deployed, has high collateral-damage cost to block, and is a server-push channel — meaning the client never has to initiate a query to an out-of-band endpoint that a censor could block.
-
CenPush is implemented and evaluated specifically for Tor bridge distribution, replacing the existing polled bridge-line fetching with push delivery. The design is presented as a general mechanism applicable to any circumvention tool that needs to push fresh proxy addresses to clients — not just Tor bridges — whenever censors block the tool's normal update channel.
-
Censorship enforcement varies dramatically across Iranian ASes. AS58224 (TCI, 3.6M IPs) blocks 89-98% of IPs across DNS injectors and 87.6% for UDP. AS197207 (MCCI, 2.3M IPs) and AS44244 (IranCell, 1.3M IPs) show near-zero censorship (0.15-0.76% across injectors). AS31549 (RASANA, 577k IPs) blocks 97-99% for DNS/HTTP but 64% for UDP. Some IPs, including those belonging to the Iranian President's website and Ministry of Foreign Affairs, are deliberately exempted from bidirectional censorship. Two exempted MFA IPs (109.201.19.184 and 109.201.27.67) appear linked to APT15 (Playful Taurus) C&C infrastructure.
-
IRBlock discovered that 1.7M of 3.3M blocked apex domains (52%) were attributed to blanket suffix-level blocking rules rather than individual domain listings. Examples include regex patterns targeting all Israeli domains (.il TLD), adult content (.porn), and country-coded suffixes (.com.mx, .my.id). Of 87K Tranco-ranked apex domains analyzed, 37% fell into adult content, with entertainment and gambling following. Approximately 1.27M apex domains were jointly censored by both DNS and HTTP filters, while the two filters maintained operationally independent blocklists for a significant fraction of domains.
-
Proxy placement requirements vary dramatically by country topology: Turkmenistan requires just 1 AS for 75% coverage, Oman requires 3, Afghanistan 5, Iran 10, and China 12. Turkmenistan's extreme centralization means a single transit AS intercepts virtually all paths, whereas China's fragmented routing fabric demands far more deployment sites to achieve equivalent coverage.
-
When politically uncooperative ASes are excluded from the candidate pool — specifically Russia's AS12389 and Iranian transit ASes AS49100 and AS198154 — the framework recomputes cumulative coverage over remaining candidates and still identifies viable cooperative deployment sites for Iran. This demonstrates that geopolitical filtering can be incorporated into the placement optimization without losing coverage entirely.
-
For Iran, a greedy cumulative-coverage analysis over 22,799 resolver-to-uncensored-AS paths shows that the top 5 ASes cover 59% and the top 10 ASes cover 76.6% of all DNS resolution paths. AS3257 (GTT Communications) and AS174 (Cogent Communications) each appear in approximately 15.7% of paths and contribute nearly all their usage as unique (non-overlapping) paths.
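The placement findings above (ASes needed per country, the exclusion of uncooperative ASes, and the greedy cumulative-coverage ranking) can be reproduced in miniature with a standard greedy maximum-coverage loop. This is an added example, not the paper's code: the path set is constructed, 64601 and 64602 are private-use ASNs used as stand-ins, and the tie-break rule is an assumption.

```python
from collections import Counter

# Constructed sample: each entry is the list of ASes that one
# resolver-to-uncensored-AS path traverses. AS3257, AS174, AS12389, AS49100
# and AS198154 are named in the text; 64601 and 64602 are private-use ASNs
# standing in for other transit networks. The topology itself is invented.
PATHS = [
    [49100, 3257],
    [49100, 174],
    [198154, 3257],
    [198154, 174],
    [49100, 12389, 64601],
    [49100, 12389],
    [198154, 64602],
    [49100, 64601],
    [198154, 12389],
    [49100, 3257, 64602],
]

UNCOOPERATIVE = frozenset({12389, 49100, 198154})  # exclusion set from the text


def greedy_coverage(paths, k, excluded=frozenset()):
    """Greedy maximum coverage over AS paths.

    Repeatedly picks the AS that lies on the most still-uncovered paths.
    Returns [(asn, newly_covered_paths, cumulative_fraction), ...] with at
    most k entries; stops early when no candidate covers anything new.
    """
    candidates = [frozenset(p) - excluded for p in paths]
    uncovered = set(range(len(paths)))
    picks, covered = [], 0
    for _ in range(k):
        gain = Counter(asn for i in uncovered for asn in candidates[i])
        if not gain:
            break
        # Highest marginal gain wins; ties go to the lowest ASN so the
        # result is deterministic (an assumption of this example).
        asn, new = min(gain.items(), key=lambda kv: (-kv[1], kv[0]))
        uncovered = {i for i in uncovered if asn not in candidates[i]}
        covered += new
        picks.append((asn, new, covered / len(paths)))
    return picks


def ases_needed(paths, target, excluded=frozenset()):
    """Number of greedy picks needed to reach `target` coverage, or None."""
    ranking = greedy_coverage(paths, len(paths), excluded)
    for n, (_, _, fraction) in enumerate(ranking, 1):
        if fraction >= target:
            return n
    return None


if __name__ == "__main__":
    for label, excluded in (("all candidates", frozenset()),
                            ("cooperative only", UNCOOPERATIVE)):
        print(label)
        for asn, new, fraction in greedy_coverage(PATHS, 5, excluded):
            print(f"  AS{asn}: +{new} paths, cumulative {fraction:.0%}")
        print("  ASes for 75% coverage:", ases_needed(PATHS, 0.75, excluded))
```

On this sample, two in-country transit ASes cover every path, while the cooperative-only run needs four ASes to reach 80% and can never cover the two paths that cross only excluded networks.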
-
An AS+IXP multigraph fusing CAIDA traceroutes (13.6M paths), 256M BGP updates from RouteViews/RIPE RIS, and IXP membership data yields 87,157 AS vertices, 1,588 IXP vertices, and 510,810 edges — an order of magnitude richer than BGP-only baselines. Hidden private peering links and IXP fabric connections invisible to BGP alone materially affect coverage estimates for refraction networking proxy placement.
-
Snowflake's sustained operation in heavily censored regions demonstrates that WebRTC must remain accessible to users, which in turn requires that TURN servers remain unblocked to support NAT traversal for peer-to-peer WebRTC connections. This transitive unblockability makes TURN service providers viable rendezvous channels for the Bridge Distribution Problem.
-
TURN servers used by major applications such as Facebook Messenger for media relay are hypothesized to be less likely blocked in censored regions due to collateral damage to legitimate WebRTC traffic. Providers like Cloudflare, Metered Video, and ExpressTURN supply geographically distributed TURN infrastructure that can be used without any special configuration by a censorship evasion system.
-
Traffic splitting across N TURN proxies (1 ≤ N ≤ M) is hypothesized to resist active probing because each TURN server responds to probing requests identically to a regular TURN server, providing no distinguishing signal. Additionally, proxy ephemerality combined with splitting allows on-the-fly migration to new proxies when existing ones are blocked, maintaining connectivity even under partial blocking.
-
The paper enumerates five adversarial attack surfaces against a video-steganography UP channel: (1) wholesale blocking of the hosting platform, (2) mass-scanning and blocking encoded videos (noted as generally cost-prohibitive per the steganography literature), (3) enumerating videos via pseudorandom tags (feasible but hampered by tag-list overlap with unrelated content and time-window dynamics), (4) banning accounts posting encoded videos, and (5) tracking anticensorship users viewing encoded content. The pseudorandom tag window design specifically prevents preemptive enumeration because the top-n results for a tag at epoch t differ from those at t±1.
-
The paper defines Unauthenticated Push (UP) channels as a distinct archetype from signaling/rendezvous channels, characterized by three properties: strictly unidirectional delivery, no client authentication or account association required, and higher bandwidth (kilobytes to megabytes) to support software updates rather than just minimal proxy-address exchanges. This design deliberately shifts operational-security burden onto senders to approach receiver anonymity.
-
A concrete UP channel implementation uses keyed steganographic encoding embedded in videos posted to a public hosting service (e.g., flickr.com), addressed via a time-epoch pseudorandom tag generator drawn from publicly known trending-topic lists. Clients query the top-n videos matching the current epoch tag and attempt decryption; real-world video size variability supports data transmissions from a few kilobytes (configuration updates) to megabytes (software updates).
-
A passive, router-level VPN fingerprinting technique exploits the design convention that all user traffic is tunneled to a single VPN server IP. By counting packets per device-to-IP session at the home router and flagging sessions where PACKETS_COUNT exceeds threshold T=500 within WINDOW=300 seconds, the method achieved a 100% detection rate for all VPN implementations that route all traffic through one server, with zero false positives across uncontrolled 4-day experiments.
-
The authors propose two countermeasures: (1) widespread adoption of traffic splitting so not all user traffic is routed through a single VPN tunnel, neutralizing the single-destination session signature; and (2) VPN servers should rotate at random intervals so that no prolonged session to one IP accumulates enough packets to trigger the threshold T.
-
Of 9 popular VPN providers tested (ProtonVPN, Hide.me, Turbo VPN, Kaspersky VPN, Hotspot Shield, Secure VPN, Fast VPN Pro, VPN Super, VPN Gate), 7 were successfully detected. Kaspersky VPN evaded detection because it exchanged keepalive packets with a secondary server exactly every 300 seconds, matching the chosen WINDOW, causing the session counter to reset. Hotspot Shield evaded detection because of previously documented traffic leakage, in which not all traffic is tunneled.
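The per-session packet counter and the two proposed countermeasures, as an added example that is not the authors' code. T=500 and WINDOW=300 come from the text; the sliding-window evaluation, the 3 packets/s rate, the rotation intervals and all addresses (documentation ranges) are assumptions, and the same total traffic volume is sent in every scenario.

```python
import random
from collections import defaultdict

T = 500       # packet threshold given in the text
WINDOW = 300  # window length in seconds given in the text


def flagged_sessions(packets, threshold=T, window=WINDOW):
    """Return the (device, dst_ip) sessions with more than `threshold`
    packets inside any `window`-second span.

    packets: iterable of (timestamp_seconds, device, dst_ip) records, the
    only fields a router needs for this check (no payload inspection).
    """
    times_by_session = defaultdict(list)
    for ts, device, dst_ip in packets:
        times_by_session[(device, dst_ip)].append(ts)

    flagged = set()
    for session, times in times_by_session.items():
        times.sort()
        lo = 0  # index of the oldest packet still inside the window
        for hi, ts in enumerate(times):
            while ts - times[lo] >= window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(session)
                break
    return flagged


def tunnel_traffic(device, servers, rate, duration, switch_after=None, rng=None):
    """Constructed tunnel traffic: `rate` packets/s for `duration` seconds.

    switch_after=None   -> round-robin over `servers` per packet (splitting;
                           a one-entry list is the classic single-server VPN).
    switch_after=(a, b) -> stay on one server and move to the next one after
                           a random a..b seconds (rotation).
    """
    packets, idx, next_switch = [], 0, 0.0
    for i in range(int(rate * duration)):
        ts = i / rate
        if switch_after is None:
            idx = i % len(servers)
        elif ts >= next_switch:
            idx = (idx + 1) % len(servers) if i else 0
            next_switch = ts + rng.uniform(*switch_after)
        packets.append((ts, device, servers[idx]))
    return packets


# Constructed addresses from the TEST-NET documentation ranges.
SERVERS = ["203.0.113.%d" % n for n in range(10, 16)]


def run_scenarios():
    """Same 900-packet tunnel load, delivered three ways, plus light browsing."""
    rng = random.Random(7)
    browsing = [(t * 5.0, "phone", "198.51.100.%d" % (t % 40 + 1))
                for t in range(60)]
    single = tunnel_traffic("laptop", SERVERS[:1], 3, 300)
    split = tunnel_traffic("laptop", SERVERS[:4], 3, 300)
    rotated = tunnel_traffic("laptop", SERVERS, 3, 300,
                             switch_after=(60, 120), rng=rng)
    return {
        "single": flagged_sessions(single + browsing),
        "split": flagged_sessions(split + browsing),
        "rotated": flagged_sessions(rotated + browsing),
    }


if __name__ == "__main__":
    for name, sessions in run_scenarios().items():
        print(name, sorted(sessions))
```

Only the single-server tunnel crosses the threshold; splitting over four servers leaves 225 packets per session and rotation at 60 to 120 second intervals leaves at most about 360.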
-
Snowflake has been deployed in Tor Browser and Orbot for several years and served as a significant circumvention tool during the Russia 2021 network disruptions and Iran 2022 protests. The paper documents a history of deployment and blocking attempts, providing empirical evidence that the ephemeral WebRTC proxy design has sustained availability under real censor pressure across multiple high-profile events.
-
Snowflake's blocking resistance rests on a large, constantly changing pool of volunteer WebRTC proxies implemented as lightweight JavaScript browser extensions or web pages. Because the proxy population is in constant churn and new addresses appear faster than censors can enumerate and block them, IP-list blocking is structurally ineffective. The system is designed so that when an in-use proxy goes offline, the client seamlessly migrates to another with no disruption to upper network layers.
-
Snowflake proxies are simple enough to run as JavaScript inside a web page or browser extension, making them far cheaper to operate than a traditional VPN or proxy server. This low operational cost enables a large volunteer pool (orders of magnitude more participants than server-hosted bridge networks), which is the structural property that makes IP enumeration hard for censors.
-
Registration-dependent Refraction Networking schemes such as Conjure create multiple single points of failure: censors can block registration channels independently of phantom connections. Domain fronting, a primary registration channel, has been progressively banned by major CDNs — Microsoft Azure in 2021 and Fastly in early 2024 — reducing its viability as a covert registration mechanism.
-
Cloud-hosted services represent an open measurement problem for ZMap because IPs are shared, ephemeral, and behind CDN layers, making traditional IP-to-service attribution unreliable. The paper identifies reconciling scan-based observation with cloud infrastructure as a key challenge for the next decade.
-
IPv6 measurement remains an open problem for ZMap because the address space is too large for exhaustive single-packet enumeration, unlike IPv4. This asymmetry means IPv6-addressed infrastructure is structurally harder to enumerate via blocklisting.
-
ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes on a gigabit connection; with a 10 GigE connection and PF_RING, the same scan completes in 5 minutes. This makes Internet-wide enumeration of proxy infrastructure operationally trivial for any well-resourced actor.
-
For Tier 2 apps (IP geo-blocking only), using a VPN with a foreign endpoint was sufficient to restore access. For Tier 1 apps (SIM + IP geo-blocking), the authors confirmed that (1) removing the Indian SIM card and accessing via WiFi, or (2) intercepting HTTP traffic with a MITM proxy to suppress or rewrite the carrier_region=IN parameter, fully bypassed server-side censorship. The authors note that Indian users primarily rely on mobile Internet, making SIM removal impractical as a user-facing solution.
-
Across four major Indian ISPs (Reliance Jio, Airtel, Vodafone-Idea, and ACT) cumulatively serving more than 95% of Indian clients, the authors found zero network-level interference with 220 banned Chinese apps. DNS resolved to legitimate addresses, TCP and TLS handshakes completed successfully with actual app servers, and responses were served directly by app publishers — not by ISP middleboxes.
-
After India imposed a permanent ban in January 2021, seven of the eight previously SIM-only-blocked apps escalated to dual-factor filtering: they continued extracting carrier_region=IN from the SIM card while simultaneously adding IP geo-blocking. Accessing these apps now requires both a VPN (for source IP masking) and SIM removal or carrier_region parameter suppression; MICO Chat remained the sole app using only SIM-based blocking.
-
Seven of the 220 banned apps (Tier 1, including TikTok, Likee, Kwai, UC Browser, FaceU, Hago, and V-Fly) used the Android TelephonyManager.getSimCountryIso() API to read the primary SIM's country code and embed a carrier_region=IN parameter in HTTP requests, enabling server-side identification and blocking of Indian users regardless of source IP or VPN state. A dual-SIM phone with an Indian SIM in the secondary slot only (primary empty or non-Indian) bypassed the check.
-
India's app-filtering architecture is three-tiered: 136/220 apps (Tier 3) are inaccessible only via official app stores and trivially accessible after sideloading; 23 apps (Tier 2) additionally enforce IP geo-blocking; and 7 apps (Tier 1) combine IP geo-blocking with SIM-based locale detection. One outlier, ChessRush, restricted content at CDN edge servers serving Indian users, requiring both a foreign source IP and a foreign CDN edge server (via foreign DNS resolver) to bypass.
-
GFWeb tested 1.02 billion domains against the GFW over 20 months and discovered 943,000 pay-level domains blocked by HTTP filters and 55,000 by HTTPS filters — the largest GFW blocklist dataset ever published. The HTTP-to-HTTPS ratio (17:1) confirms that the GFW's HTTPS keyword-based and SNI-based blocking covers far fewer domains than its HTTP host-header blocking, likely because HTTPS blocks carry higher collateral-damage risk.
-
NetShuffle targets edge networks — small autonomous systems and entities that obtain IP address blocks from upstream providers — as a new class of support base for circumvention infrastructure. This class has received scant attention from prior work, which has focused on cloud providers and volunteer desktop machines. Edge networks represent a large pool of diverse IP space that is harder to block via ASN blackholing compared to a small number of major cloud providers.
-
NetShuffle decouples regular proxy services (e.g., HTTPS proxies, Tor bridges) from their network addresses via continuous in-network change using programmable switches at edge networks. Because the network location of a proxy is in constant flux, blocking by IP or address enumeration becomes structurally ineffective: the proxy service itself is unchanged but its visible address rotates continuously.
-
NetShuffle was prototyped in testbed environments and operated on a live campus network for more than one month. The evaluation shows that the in-network address shuffling provided by programmable switches is transparent to both services and clients and incurs negligible performance overhead, validating the drop-in appliance deployment model.
-
SpotProxy's active fleet-management algorithm continuously searches for cheaper Spot and regular VM instances and migrates the proxy fleet to lower-cost options. The paper demonstrates that this approach yields significant cost savings compared to operating a fixed fleet of on-demand instances, while simultaneously improving anti-blocking properties through higher IP churn.
-
SpotProxy exploits cloud Spot VMs — instances backed by excess capacity that can be reclaimed at any moment and re-spawned at new IP addresses — to create a high-churn proxy fleet. The observation is that Spot VM preemption, which is an operational liability for normal workloads, is a circumvention asset: it continuously refreshes proxy IP addresses, making censor enumeration and blocklisting structurally ineffective.
-
SpotProxy adapts both WireGuard and Snowflake to work with its active proxy migration mechanism, demonstrating that the approach is protocol-agnostic. The active migration mechanism allows clients to move between proxies seamlessly without performance degradation or connection disruption when a proxy is replaced — a requirement for any high-churn proxy infrastructure.
-
EU sanctions enforcement was deeply non-uniform across member states and over time: 77% of blocking autonomous systems enacted enforcement within 3 months of the initial sanctions, but adoption timelines, block-list coverage, and over/under-compliance patterns varied substantially by country and ISP. Austria blocked certain domains months after Germany despite advance specification; domains removed from the German list were eventually de-blocked with significant lag; the newly registered sputnikglobe.com was not widely blocked as of the study's writing.
-
IP-level access control was the most complete and effective sanctions enforcement mechanism—applied at or near the content destination—but was also the least commonly deployed approach. The paper attributes its rarity to the over-blocking risk when multiple services share a single IP address; one observed instance involved DDoS-mitigation providers performing IP-based enforcement that did not appear in DNS measurements.
-
The authors propose a 'shim' pluggable transport that splits client traffic across N PT connections using unmodified existing PT bridges as proxies and a gateway bridge that correlates streams back into a Tor circuit via the Turbo Tunnel reliability pattern. This architecture enables all existing and future PTs to benefit from traffic splitting without modifying each PT's client or server code individually.
-
Amazon SQS routes client traffic through a single fixed HTTPS endpoint (https://sqs.us-east-1.amazonaws.com), making it infeasible for a censor to distinguish circumvention-bound SQS traffic from legitimate AWS service traffic; blocking this signaling channel would require blocking all Amazon SQS, imposing significant collateral damage on businesses and developers.
-
The automated probe list generation system discovered 45.79 potentially blocked domains per 1,000 domains crawled, compared to 4.11 for FilteredWeb — over 10× higher efficacy. It uncovered 1,490 potentially blocked domains in crawls of just 71,960 URLs, versus 1,255 blocked domains found by Hounsel et al. in crawls of 1,000,000 URLs, with 1,473 of the 1,490 domains not overlapping with prior work.
-
GFW verification tests confirmed over 90% of OONI-detected DNS anomalies as true blocks: 429/457 domains in Beijing and 422/461 in Shanghai. In total, 527 unique domains were confirmed censored via DNS, HTTP, and HTTPS filters; an additional 718 domains were suspected to be blocked because of IP-address-level blocking of their hosting servers rather than domain-level entries.
-
VPS-based vantage points in Singapore and India detected censorship patterns similar to 'free' locations, failing to observe blocking known to be enforced by local ISPs following government directives. This occurred because ISP-level censorship is implemented per-carrier rather than centrally, and the VPS provider's ISP did not enforce those blocks — confirmed by re-testing from a residential IP that did observe the expected blocks.
-
Separating the Broker role (a server that holds and manages bridge information) from both the rendezvous channel and the censorship evasion system enables modular protocol design: the rendezvous carrier can be swapped independently of the proxy system. The authors identify broker authentication and multi-broker load distribution as open problems not addressed in the current prototype.
-
Google Cloud Pub/Sub is blocked entirely in China, limiting the system's applicability in the highest-censorship environment. Azure Pub/Sub is a structurally weaker candidate for rendezvous channels because each created resource receives a unique per-resource domain, enabling censors to block it with minimal collateral damage compared to blocking a shared Google or AWS endpoint.
-
The paper surveys the rendezvous channel design space and identifies at least six prior carrier approaches: domain fronting via CDNs, AMP cache proxying, Amazon SQS queues, push notification services, email tunneling (Mailet, SWEET), and cryptocurrency covert channels (MoneyMorph). Pub/Sub adds bidirectional real-time messaging with broad IoT/enterprise adoption as a new carrier class not previously evaluated for circumvention rendezvous.
-
The paper documents that bridge distribution across major circumvention tools (Tor Browser's Moat, Snowflake) relies entirely on domain fronting (meek) for automated, user-friendly bootstrapping. This concentration means a censor that defeats domain fronting — or that pressures CDN providers to stop offering it — removes essentially all automated bridge-discovery pathways simultaneously, leaving only manual out-of-band methods (email/Telegram accounts) that require many user interactions.
-
Raceboat formalizes a decomposition of application-protocol-tunneling channels into three reusable components (Transport, User Model, Encoding) and a channel manager that supports mixing unidirectional channels. By composing seven different channels from these modular components (including email, AWS S3, and Redis variants), the paper demonstrates that the current ad-hoc one-protocol-one-implementation model wastes significant re-implementation effort: the same transport or encoding logic is duplicated across Snowflake, meek, CloudTransport, and others.
-
The paper argues that a greater diversity of signaling channels reduces the censor's leverage: when many independent services (cloud storage, email, push notifications, domain fronting) can each bootstrap a circumvention connection, a censor must block all of them to prevent access, and the collateral damage of blocking each may deter action. Skyhook specifically targets cloud storage as an additional independent pathway alongside existing channels like meek, Raven (email), and PushRSS.
-
Combining a CNN flow classifier with host-based temporal accumulation eliminates all false positive classifications after observing at most 38 flows per host while maintaining perfect recall for all obfs4 and obfs⋆ bridges. The scheme requires only 14 bits of state per (IP, port) pair; tracking 4×10⁹ destination services requires no more than 50 GiB of storage, feasible on commodity hardware.
-
Russia's TSPU ("Средства противодействия угрозам", "means of countering threats") system is deployed inline at individual ISP edges rather than at centralized internet exchange points, producing substantial per-ISP heterogeneity: some providers apply layer-7 SNI/Host filtering while others rely primarily on IP-prefix blocklists, and QUIC/HTTP3 is blocked at several major providers. Rollout timing and enforcement depth vary measurably across autonomous systems, meaning a single "Russia passes/fails" test fixture systematically underestimates blocking coverage.
-
DeResistor-generated evasion strategies achieve an overall success rate of up to 98.61% against GFW (across vantage points in Qingdao, Shanghai, and Beijing) for the best strategy, and 100% in both India (Bangalore) and Kazakhstan (Oral) for the top-performing strategy, while standalone Geneva strategies tested in the same environment achieve comparable or slightly lower rates on some censors but are blocked at the IP level before training completes.
-
GFW employs layered blocking for high-value targets: DNS poisoning for domains like google.com and wikipedia.org combined with null-routing of their hosting IPs, meaning packet-manipulation tools that operate at the TCP/HTTP layer (e.g., Geneva, DeResistor) cannot generate or test evasion strategies because no response is received to the initial SYN — the blocking occurs below the layer those tools target.
-
17 of 35 interview participants used game accelerators or GFW ladders interchangeably to connect to international gaming platforms; several popular VPNs bundle game acceleration, and open-source accelerators (e.g., Steam++, rebranded as Watt Toolkit) provide partial GFW-evasion covering GitHub, Google Authenticator, Pixiv, Discord, and Twitch. The paper recommends that CRSes market themselves as gaming accelerators to provide plausible deniability, while capping active accounts or rebranding periodically to avoid attracting censor attention as popularity grows.
-
The GFW engages in a continuous IP-blocking race against VPN services: participants reported that when one VPN goes down, others fail simultaneously, and banned services recover 'after a while,' suggesting coordinated blocking waves followed by IP rotation. Major foreign providers (ExpressVPN, NordVPN) now have no mainland China server nodes, rendering them ineffective for Chinese users.
-
Starting October 1, 2023, the GFW began injecting HTTP 301 and 302 responses to connections destined for 1.1.1.1:80, redirecting clients to China's National Anti-Fraud Center (182.43.124.6, AS58519 China Telecom Cloud). Over 6,169 HTTP requests from a Tencent Cloud Beijing vantage point (AS45090), the GFW injected 301 responses at a 9.06% rate and 302 responses at a 28.5% rate.
-
From September 5–20, 2023, the GFW blocked 1.1.1.1:443 via TCP RST injection; starting October 1, 2023, the mechanism shifted to HTTP packet injection on port 80, while port 443 behavior became inconsistent across ASes — from one AS45090 vantage point, HTTPS connections to 1.1.1.1 still succeeded while other observers confirmed RST injection.
-
CensorWatch found that 2,370 of 3,745 websites covered by a 2018 temporary court injunction (which was withdrawn in early 2019) remained blocked by at least one Indian ISP, indicating ISPs do not routinely update blocklists to implement unblocking orders. Additionally, three ASes (Hathway AS17488, YOU Broadband AS18207, RailTel AS24186) continued to block avaaz.org despite an explicit government unblocking order issued on 18 January 2019.
-
IP and port blocking dropped from 30% of countries historically to only 9% during the study period (six countries), with the decline attributed to difficulty maintaining ephemeral blocklists, CDN collateral damage, and IPv6 expansion. Iran is a significant exception: it has implemented port allowlisting — permitting only ports 80, 443, and 53 — on multiple occasions, blocking all other ports entirely.
-
Residual censorship — where a censor detects an objectionable connection via one method and then blocks all traffic between the same 3-tuple (client IP + server IP + port) or 4-tuple (client IP + port + server IP + port) for a short duration — was documented in China, Iran, and Kazakhstan. This means a single detected circumvention attempt can trigger temporary IP-level blocking of the entire endpoint regardless of protocol.
-
The largest measurement study of Turkmenistan censorship to date tested 15.5 million domains and found more than 122,000 domains censored using separate blocklists for DNS, HTTP, and HTTPS. Reverse-engineering the blocking rules revealed approximately 6,000 over-blocking rules that cause incidental filtering of more than 5.4 million additional domains — a 44x collateral damage ratio relative to intentionally blocked domains.
-
The authors' blockpage-based methodology cannot detect transit censorship implemented via TCP RST injection or packet drops, because distinguishing these from transient network errors requires identifying their location on the routing path. As a result, the 8-country, 6-AS finding is explicitly characterized as a lower bound on the true extent of Russian transit censorship.
-
Previous work reported that Myanmar ISPs selectively applied DNS blocking versus TCP/IP blocking, but analysis of the underlying data revealed they applied both concurrently. The apparent difference arose because some OONI volunteers bypassed DNS tampering by using public DNS resolvers (Cloudflare, Google Public DNS) and subsequently experienced IP-level blocking instead, making measurements appear selective when they were not.
-
Post-handshake tampering signatures (⟨SYN;ACK→RST⟩ and ⟨SYN;ACK→RST+ACK⟩) constitute 34.4% of tampered connections from Iranian networks, but over 70% from Sri Lankan networks and over 81% from Turkmenistan networks, suggesting that censors in the latter two countries disproportionately block at the IP/TCP-handshake level before any application-layer content is visible — consistent with IP-list-based blocking rather than SNI-based DPI.
-
CERTainty demonstrates that state-level DNS censorship in China, Iran, and Russia operates through resolver-level injection: queries sent to in-country resolvers return IPs whose TLS certificates do not correspond to the queried domain, revealing blockpage or sinkhole destinations. This pattern is distinguishable from CDN or geographic DNS behavior precisely because blockpage servers cannot present a valid certificate for the censored hostname.
-
Following the invasion, Psiphon user counts and VPN usage in Russia increased many-fold and correlated with specific censorship events, while multiple access paths to Tor (direct connections, bridges, pluggable transports) were progressively blocked. Despite this surge, circumvention tools reached only a small fraction of all Russian Internet users, indicating that aggressive multi-vector blocking and lack of user awareness left most people unable to access censored resources.
-
Of the Tranco top-10K domains, 286 (3.26%) returned geoblocking signatures for all Russian vantage points in May 2022, with CDN-mediated blocking dominant: 87 domains via Cloudflare and 57 via Akamai. DNS-level geoblocking alone affected 68 domains, and 29 domains implemented both DNS and TCP geoblocking simultaneously, rendering public-resolver circumvention of DNS blocks ineffective for those targets.
-
OONI data shows anomaly rates in Russia's top five ASes (including Rostelecom AS12389, Vimpelcom AS8402) rose from roughly 7–11% in January and early February 2022 to 12–21% in mid-March 2022, with social-media and news domains such as Facebook, Twitter, Instagram, and BBC going from available to near-completely blocked after the invasion.
-
136 Russian government domains (25.09% of 542 accessible ones) blocked access to all tested countries outside Russia, and a further 112 (20.66%) were accessible only from Russian and Kazakhstani vantage points. Geoblocking was implemented via heterogeneous, uncoordinated mechanisms—DNS timeouts, TCP timeouts, HTTP 403 Forbidden responses, and explicit blockpages—across different domains, indicating an ad hoc emergency response with no central policy.
-
Documented Internet shutdown events grew from 75 in 2016 to 213 in 2019 across 33 countries, with individual shutdowns lasting from hours to 472 days (Chad). These shutdowns completely sever IP connectivity, rendering all existing circumvention tools (Tor, VPNs, Shadowsocks, etc.) non-functional since they require at least partial Internet access to operate.
-
Relying on third-party email providers to verify users was demonstrated by Ling et al. to leave Tor's BridgeDB vulnerable to censors capable of creating multiple accounts, enabling bridge enumeration via sock-puppet attacks at scale. Active and passive detection techniques — including traffic flow analysis, DPI, website fingerprinting, and active probing — have been demonstrated in prior work to reveal Tor bridges, making Tor inaccessible for the majority of users in some regions.
-
The Lox check-blockage protocol response size and time grow linearly with the number of blocked bridges — 6 kB / 11 ms at 5% blocked, 63 kB / 64 ms at 50%, and 126 kB / 122.5 ms at 100% — creating a bandwidth bottleneck a strategic and patient censor can exploit by triggering mass bridge blockages during a critical event (election, coup) to deny successful blockage migrations at the moment users most need them.
-
Lox's trust level scheme (L=0 through L=4, requiring 30, 14, 28, 56, and 84 days respectively per level before upgrading, per Table 2) with blockage inheritance — invited users inherit their inviter's blockage count d — prevents a censor from resetting their reputation through self-invitation after causing blocking events, while users with d ≥ 4 become ineligible to migrate, capping the damage a persistent infiltrator can do.
-
After blocking all *.google.com subdomains on September 22, 2022, China's censor lifted the block specifically for FCM endpoints on October 1 while leaving other Google services (Docs, Groups, Sites) blocked through at least February 2023. This selective whitelist exception — made after only days of blocking — indicates the censor judged the collateral damage to apps relying on FCM to be unacceptable.
-
The COVID-19 Wuhan lockdown caused geolocating Twitter users in China to increase 1.4-fold immediately, remaining 10% above pre-crisis baseline long-term; approximately 320,000 new Chinese users joined Twitter due to the crisis, and the available VPN application's ranking on the Chinese iPhone App Store jumped significantly around 23 January 2020 and maintained that elevated rank.
-
In countries with no Great Firewall-equivalent censorship (Germany, Italy) and in less-censored authoritarian states (Iran — Persian Wikipedia; Russia — Russian Wikipedia) that experienced comparable COVID-19 outbreaks, no analogous spillover to politically sensitive content was observed; Wikipedia engagement in those countries increased generally but did not show disproportionate access to historically censored topics, confirming the gateway effect is specific to high-censorship environments.
-
Once mainland China users circumvented the Great Firewall during COVID-19, they disproportionately followed politically sensitive accounts: international news agencies at 1.31x the expected rate, Chinese citizen journalists at 1.42x, and political activists at 1.23x — all relative to Hong Kong users as a control — while state media accounts saw only a 1.06x increase and entertainment accounts a 0.85x decrease, confirming a selective gateway to censored political content.
-
Circumvention activity varied strongly by geographic proximity to the crisis: Hubei province, the epicenter, saw Twitter volume double relative to pre-lockdown baseline and sustain that doubling 30 days after the crisis, while mobility decreases from Baidu location data correlated with Twitter user increases across provinces — but two weeks after lockdown, the elevated Twitter usage could no longer be explained by mobility restrictions or New Year seasonality, indicating crisis-induced circumvention becomes self-sustaining.
-
Chinese-language Wikipedia views grew from 12.8 million per day in December 2019 to 13.9 million during the Wuhan lockdown (24 January–13 March) and peaked at 14.7 million per day from mid-February through April 2020; the crisis disproportionately increased views of pages selectively blocked by the Great Firewall prior to 2015, of historical Chinese leaders since Mao, and of current officials — categories expected only under a gateway effect — and these elevated levels persisted through May 2020.
-
DNEye detected DoTH (DoT and DoH) blocking across the largest number of ASes in China, with interference against Cloudflare, Quad9, AdGuard, and CleanBrowsing resolvers emerging in early March 2021. Blocking patterns varied per-AS rather than following a centralized GFW DNS-level policy, indicating individual ISP implementation. Saudi Arabia, by contrast, showed coordinated SNI-based blocking of the same DoH resolvers across different ASes, indicating centralized policy.
-
29 of 80 VPN providers — including paid services — configure clients to resolve DNS through third-party public resolvers (Google Public DNS, Cloudflare, OpenDNS, Quad9) rather than provider-operated infrastructure. Three self-hosted solutions (Algo, Streisand, Outline) hardcode public DNS with no easy override, causing connection failures in regions where those services are blocked.
-
27 of 80 tested VPN providers had servers within a single AS (AS 9009, M247 Ltd), and VPNalyzer identified 14 providers sharing 4 specific IP blocks within that AS; 2 additional providers shared an IP block in AS 60068 (Datacamp). Such infrastructure concentration enables censors to block multiple VPN products simultaneously with a single IP-range or AS-level rule.
-
34 of 41 obfuscated OpenVPN configurations and 18 of 20 UDP configurations were co-located with vanilla TCP OpenVPN servers within the same /29 subnet; probing the /29 subnet of a suspected obfuscated or UDP endpoint revealed nearby vanilla TCP servers, enabling confirmation by 'guilt by association' even when the obfuscated endpoint itself resisted direct fingerprinting. Some providers additionally share infrastructure across different VPN brands, further compounding exposure.
-
Dominant failure modes differ systematically by country: China (AS45090) shows connect timeouts in 75% of DoT failures (IP-level blocking); Kazakhstan (AS48716) shows post-TLS-handshake timeouts in 72% of DoT failures (likely ACK or segment discard after handshake); Iran (AS197207) shows TLS handshake timeouts in 80% of DoT failures. Packet capture analysis confirmed that timeouts during and after the TLS handshake correspond to unacknowledged TCP segments, not connection resets.
-
In AS197207 (Iran, MCI), approximately 50% of DoT endpoints failed consistently — the only case across all tested ASN/protocol combinations where failure exceeded 20%. In Kazakhstan (AS48716) and China (AS45090), more than 80% of DoT and DoH endpoints were always reachable.
-
In AS197207 (Iran), Google's DoT endpoint 8.8.4.4:853 is blocked 100% of the time while 8.8.8.8:853 is always accessible, regardless of SNI value. TLSv1.3 handshake analysis (hiding server certificates) confirmed no SNI correlation, establishing that Google's DoT blocking depends solely on the destination IP endpoint.
-
A low-bandwidth attacker can sustain indefinite availability attacks by periodically re-triggering residual censorship: China's 3-tuple HTTP system requires only 4 spoofed packets every 3 minutes. For 4-tuple systems requiring full source-port coverage (65,535 ports), Kazakhstan needs 1,093 packets/sec (~634 kbps HTTP) and Iran needs 729 packets/sec (~422 kbps HTTP)—achievable with commodity hardware. For Iran, the attack achieved 100% success against all 17 geographically disparate victim vantage points tested.
-
Switching source IP via VPN, Tor, or HTTP proxy is the primary victim-side mitigation because residual censorship is tuple-keyed; however, if the proxy entry node's path also crosses the censor, the attacker can redirect the attack at the proxy itself. On the censor side, null-routing middleboxes could eliminate the vulnerability by validating TCP sequence/acknowledgment numbers before dropping traffic, or by replacing null routing with an explicit block-page response.
-
Residual censorship—where a censor continues blocking all traffic on a 3- or 4-tuple after an initial censorship event—is active in China (HTTP: 90s 3-tuple RST injection; ESNI: 120–180s 3+4-tuple null routing), Iran (HTTP+SNI: 180s 4-tuple null routing, occasionally up to 5 minutes; protocol filter: 60s), and Kazakhstan (HTTP+SNI: 120s 4-tuple null routing). A December 2020 Quack scan found 3-tuple stateful disruption in 33 countries and null-routing censorship in 18, suggesting much broader applicability.
-
All tested censors (China, Iran, Kazakhstan) can be triggered statelessly—without completing a TCP 3-way handshake—using a SYN with decremented sequence number followed by a PSH+ACK containing the forbidden payload. This stateless triggering enables fully off-path, source-spoofed attacks: an adversary with packet-spoofing capability can residually censor a victim pair they have no on-path access to.
-
Iran and Kazakhstan reset the residual censorship timer whenever the censor observes any matching packet from the victim, so TCP retransmissions from the victim's own stack inadvertently extend the blocking window far beyond the nominal 120–180s. China's HTTP residual censorship has only ~50% per-request reliability from some vantage points due to heterogeneous GFW middlebox load-balancing, but reliability plateaus near 100% after 7 repeated censorship triggers sent ahead of time.
-
In China (AS45090), HTTP/3 over QUIC has a lower overall failure rate (27.1%) than HTTPS over TCP (37.3%), but hosts that time out during the TCP handshake (TCP-hs-to, indicating IP blocking) always also fail over QUIC — while hosts blocked via TLS-hs-to or conn-reset (SNI-based methods) nearly always succeed over QUIC.
-
In India (AS55836), TCP and QUIC failure rates closely track each other (15.0% vs 12.0%), with every TCP-hs-to and route-err failure matched by a corresponding QUIC failure, confirming IP-based blocking affects both protocols equally. In contrast, India AS14061 (VPS) shows 16.3% TCP failure entirely from route-err but only 0.1% QUIC failure, suggesting the VPS vantage point sits outside the censored path.
-
Across all four studied countries (China, Iran, India, Kazakhstan), HTTP/3 over QUIC had consistently lower failure rates than HTTPS over TCP: 27.1% vs 37.3% in China, 16.2% vs 34.4% in Iran, and 12.0% vs 15.0% in India (AS55836). The only QUIC-specific interference method observed was black-holing during the QUIC handshake (QUIC-hs-to); no RST injection or SNI-based QUIC filtering was detected.
-
CacheBrowser and CDNReaper require clients to contact foreign CDN front-end IPs directly, but this only works for DNS-based CDNs; anycast CDNs use the same IP globally, so bypassing local DNS still routes the client to a local front-end. Only approximately 11% of Alexa top-1k websites use DNS-based CDNs across the five tested countries, and for potentially blocked sites (Citizen Lab lists), CacheBrowser can access only ~18% of 2,769 blocked URLs in Brazil.
-
Domain fronting is undermined when CDN front-ends are located within the censor's jurisdiction because the censor can coerce the CDN provider to disable domain fronting on those front-ends. Russia coerced Google, Amazon, and Microsoft to halt Telegram's use of domain fronting; the paper's measurements confirm that CDN front-ends for popular services (YouTube, Facebook, Instagram) are hosted within all five tested countries.
-
IP blocking in Myanmar was non-deterministic within individual ASes: Frontiir (AS58952) blocked Facebook's IP 157.240.15.36 but not 31.13.82.36, indicating ISPs used incomplete address lists. Different websites were blocked on different networks, and DNS interference was inconsistent even within a single ISP's resolvers, confirming that censorship was decentralized rather than implemented via a national choke point.
-
Post-coup, Myanmar ISPs shifted from primarily DNS-based blocking (dominant in 2020) to IP-based blocking. Blocking Fastly's IP 151.101.1.195 triggered collateral unavailability of more than 10,000 co-hosted websites; blocking a Google-hosted IP (172.217.194.121) rendered snapchat.com, getoutline.org, and others unreachable on at least 4 ASes during Feb. 24–27, 2021.
-
On Feb. 5, 2021, Campana Mythic (AS136168) announced Twitter's 104.244.42.0/24 prefix—apparently intending to blackhole Twitter traffic locally as part of the national Twitter block—but the route leaked to operators in Singapore and Vietnam, causing collateral disruption for Twitter users outside Myanmar. This accidental BGP leak corroborates evidence that Myanmar ISPs were independently implementing IP-level censorship without a centralized national kill switch.
-
Camoufler's blocking-resistance relies on collateral-damage economics: IM platforms had ~2.5 billion active users as of January 2019 (projected >3 billion by 2022) and are embedded in essential business and commercial operations (airline e-tickets, professional collaboration tools). Blocking all IM to disrupt Camoufler would require the censor to harm its own economy; the threat model requires only that the censor permits at least one IM platform, in which case Camoufler remains operational.
-
Spain's blocking infrastructure, initially mandated for copyright and gambling enforcement, was repurposed to block 24 unique Catalan referendum URLs during October 2017, including the IPFS gateway and two GitHub Pages domains. GitHub Pages was blocked only via DNS manipulation (pointing to 127.0.0.1) rather than HTTP blocking, specifically to avoid collateral blocking of all of GitHub.
-
Domain shadowing makes all three traffic indicators — connecting URL, SNI, and Host header — appear to belong to an allowed shadow domain while fetching content from a blocked back-end domain via CDN. Unlike domain fronting, it exploits a legitimate CDN feature (arbitrary back-end binding) rather than an SNI/Host mismatch quirk, so CDNs cannot disable it by enforcing header consistency without breaking legitimate use cases such as third-party service outsourcing via CNAME. The technique was demonstrated by successfully accessing www.facebook.com from a heavily censored country.
-
Saudi Arabia's blocking decisions closely track diplomatic ruptures: Qatari news sites were blocked in 2017 amid the Gulf crisis, Iranian news sites in 2018 following severed diplomatic relations, and Turkish outlets Anadolu and TRT Arabic in April 2020 amid Ankara–Riyadh tensions — the Turkish blocks were partly triggered by a citizen Twitter campaign calling for the block.
-
Saudi Arabia progressively unblocked VoIP and messaging applications after 2017: all 18 tested apps were blocked during 2013–2017, 67% were accessible in 2018, 93% in 2019, and all except WeChat in 2020, following CITC's 2017 announcement lifting the ban on compliant applications.
-
Protozoa successfully bypassed censorship in China, Russia, and India using whereby.com as a carrier. Despite several WebRTC services being blocked in China (appr.tc, discordapp.com, hangouts.google.com, messenger.com), at least seven alternatives remained reachable (aws.amazon.com/chime, coderpad.io, gotomeeting.com, slack.com, whereby.com, and others), ensuring carrier availability. Covert sessions over the alternative services coderpad.io and appr.tc achieved AUCs of 0.58 and 0.60, respectively, and average throughput of 1388–1420 Kbps.
-
Protozoa uses the economic and social indispensability of popular WebRTC conferencing services as a censorship deterrent: blocking all WebRTC traffic imposes prohibitive collateral damage on legitimate commerce and communication. This 'parasitism' strategy means the circumvention tool inherits the blocking immunity of the carrier without requiring any protocol mimicry at the network level. Protozoa requires only one reachable WebRTC service to function, and Table 3 confirms at least five services remained unblocked in China during testing.
-
Testing the Alexa top-20,000 websites from within Iran, 3,595 IP addresses (17.9%) triggered the protocol filter at least 8 out of 10 times, and 3,499 (17.4%) were affected all 10 times. IP address provider is not correlated with filtering; instead, specific IP prefixes are targeted—for Cloudflare, only two prefixes (104.18.0.0/16 and 104.31.82.0/24) were fully affected while all others were unaffected.
-
MoneyMorph's threat model exploits the economic cost of blocking entire cryptocurrency networks: the censor is left with a binary choice — ban the full blockchain (incurring economic harm to the censored region) or allow all transactions including covert bootstrapping traffic. This assumption is grounded in the censor's observed tolerance of Bitcoin despite known circumvention use.
-
The majority of censored websites are blocked in only one or two countries, with political and news content showing the strongest geographic specificity. Figure 3 shows that of domains blocked in China, Iran, and Turkey, only 29 are blocked in both China and Turkey, while 27,852 are China-only and 1,564 are Iran-only, demonstrating that cross-region client-to-client proxying is broadly applicable.
-
MassBrowser proxies operate on NATed IP addresses shared with other users and services, meaning blocking them imposes collateral damage on unrelated parties. The proxy IP pool scales linearly with user count via client-to-client proxying, and IPs rotate as volunteers move between networks, making enumeration-and-block strategies progressively more costly for censors.
-
In a traffic sample from a major non-anonymous circumvention tool (3.56 TB total, Feb 21, 2008), 48% of all proxied traffic belonged to websites that were not censored in Iran. Integrating CacheBrowsing to fetch CDN-hosted censored content directly further saves 41% of Buddy bandwidth for Alexa top-1000 websites.
-
ICLab's commercial VPN vantage points reside in data-center ('content') ASes for 41% of monitored networks, which may experience less aggressive censorship than residential ISPs, making VPN-based measurements a systematic lower bound on blocking rates faced by ordinary users. In countries where both VPN and volunteer-operated device (VOD) vantages coexist, identical block pages were observed from both AS types, indicating similar overt blocking policies, but covert IP-based or RST-injection blocking may still differ by AS class.
-
Kazakhstan's 2019 HTTPS interception affected 7.0% of 6,736 measured TLS hosts when probed from North America and 24% when probed from inside the country; all affected paths traversed AS9198 (Kazakhtelecom), with 95% of injections occurring at two specific IP addresses (92.47.151.210 or 92.47.150.198), indicating a highly centralized interception infrastructure.
-
Of 44,797 CDN-served domains on the April 2019 Roskomnadzor blocklist, 99.6% (44,615) were hosted on Cloudflare—attributable to Cloudflare's free tier with minimal vetting enabling rapid mirror-domain creation by blocked operators; the blocklist also contained 1,769 responsive circumvention-related domains, confirming that circumvention infrastructure is an active and documented blocklist target.
-
Seven years of Roskomnadzor blocklist history (Nov 2012–April 2019) show the list grew to 132,798 unique domains and 324,695 unique IPs, with a dramatic spike in 2018 when Russia blocked Telegram by adding subnets covering approximately 16 million IP addresses—producing major collateral damage to co-hosted Google and Amazon services and illustrating that subnet-level blocking is the blunt instrument of last resort for CDN-hosted targets.
-
Data center VPSes predominantly experienced TCP connection timeouts and resets—with the highest-blocking VPS censoring 96.8% of tested domains—while residential ISPs were substantially more likely to inject explicit blockpages citing Roskomnadzor's registry, confirming that blocking mechanism varies significantly by network tier even when blocking rates are similar.
-
Despite Russia's decentralized ISP ecosystem, 9 of 14 residential probes observed more than 90% of 98,098 tested blocklist domains blocked, and all 14 probes observed at least 49% blocked—demonstrating that coordinated nationwide censorship without centralized choke-points is achievable through legal mandates and commodity equipment alone.
-
During a major censorship event in April 2019, new censor techniques blocked many Psiphon transports while TapDance remained accessible, causing a 4× increase in the fraction of TapDance-enabled clients' traffic and daily users peaking above 25,000—with no measurable degradation in connection success rate or per-session throughput under the increased load.
-
The paper identifies 47 Cloudflare IP addresses that are already blocked by the GFW despite being shared by at least 85 websites, contradicting the prior assumption that censors avoid blocking shared CDN IPs due to collateral damage. This suggests censors will accept significant collateral damage to block CDN-hosted content when the set of co-hosted non-forbidden pages is deemed manageable.
-
Of the Alexa top 1 million websites censored in China, 84.5% are blocked by IP address, meaning that even if both DNS hijacking and SNI filtering are fully circumvented, the vast majority of blocked sites remain inaccessible. Only 66 currently censored sites can be unblocked by ESNI alone (combined with an encrypted DNS channel), while 101,049 ESNI-supported sites remain blocked by IP.
-
In China's Great Firewall, SNI filtering is almost never the sole blocking mechanism: only 70 of the 21,446 SNI-filtered sites are exclusively censored via SNI. The GFW uses SNI filtering as a 'third gatekeeper' — applied after DNS hijacking and IP blocking — and maintains separate blacklists for SNI filtering and DNS hijacking, evidenced by 2,764 sites under DNS injection but not SNI filtering.
-
The GFW's robustness depends principally on suppressed citizen demand for uncensored information, not solely on access barriers. Calibration shows censorship remains stable even if the unencouraged access rate were substantially expanded, because low demand and moderate social transmission prevent information from reaching population-wide tipping points. However, censorship is fragile to demand stimulation: scaling the encouragement intervention to all students would, per the model, inform the entire student population.
-
When given a free 18-month subscription to a premium VPN (retail value US$25/month), only 55% of treated Chinese university students activated the tool, and less than 5% of active users regularly browsed blocked foreign news websites. By contrast, 86% activated a placebo free Youku (Netflix-equivalent) account within a week, isolating low demand—not friction—as the barrier.
-
Acquisition of politically sensitive information produced broad, durable attitude change: access-plus-encouragement moved the median student from the 47th to the 56th percentile across all measured outcome dimensions. Students became more pessimistic about Chinese economic growth (elicited incentive-compatibly), more skeptical of government performance, more likely to plan exit via foreign graduate school, and more likely to report having withdrawn stock-market investments.
-
Peer-to-peer knowledge spillovers were statistically significant but small: a student who actively browsed foreign news and learned of a sensitive event made her dormitory roommate 12.7 percentage points more likely to answer a quiz on that event correctly. Model calibration showed this transmission rate is insufficient to propagate knowledge to the broader student population given the low share of initially informed students.
-
Modest financial incentives (US$2.50 per quiz requiring a visit to the NYT Chinese edition) produced a persistent increase in foreign-news browsing: after the 4-month encouragement ended, Group-AE students spent 3.4 min/week more on top foreign news sites than access-only peers (6.7 min/week among active users). By the experiment's end, 23% of newly exposed students paid US$4.50/month to continue uncensored access out of pocket.
-
For IPv4, Conjure derives both the phantom host IP and TCP port from the client's registration seed, making exhaustive scanning infeasible: a censor enumerating from a /10 of potential client source IPs (4 million addresses) against a /16 of phantom IPs (65K addresses) across all 65K ports would require approximately 50 years at 10 Gbps with ZMap. Phantom hosts are additionally firewalled to respond only to the registering client IP, defeating single-vantage-point ZMap scans.
-
IPv6 phantom addresses drawn from an ISP's /32 prefix provide 2^96 potential addresses, making exhaustive enumeration and pre-image attacks computationally infeasible. Analysis of 4013 observed IPv6 addresses in a deployed /32 found approximately 75 bits of entropy (out of a maximum 96), with enough overlap with legitimate address distributions that blocking high-entropy addresses would produce significant collateral damage to real IPv6 services.
-
A proxy assignment algorithm derived from the Gale-Shapley college admissions game, using multi-feature utility functions across five client metrics (proxy utilization capped at T, new-proxy request rate, blocked-proxy usage, known-blocked count, client distance) achieves superior connected-client ratios and lower wait times compared to state-of-the-art rBridge in all tested ecosystem configurations (Static, Slow, Alive, Popular), without requiring knowledge of individual client types at assignment time.
-
The Chinese GFW enumerated all Tor bridges within approximately one month by deploying censoring agents that impersonated regular users, demonstrating that CAPTCHA- and email-based proxy distribution mechanisms are ineffective against resourceful state-level censors who can create large numbers of accounts and use human-based CAPTCHA-solving platforms.
-
Omnipresent censors who distribute censoring agents across diverse geographic locations obtain significantly more proxies than circumscribed censors confined to a single subnet, because location diversity improves their utility scores in proximity-weighted proxy assignment systems.
-
A game-theoretic optimal censorship strategy — in which coordinated agents maximize a joint utility combining proxy discovery and blocking impact (equation 3, parameterized by ω) — is significantly stronger than both aggressive (immediate block) and conservative (timed-delay) heuristic strategies evaluated in prior work including rBridge; changing ω (surveillance vs. blocking preference) further modulates the damage a censor can inflict on any given distribution profile.
-
In a static proxy pool (λ=0, no new proxies added), the fraction of connected censored clients decreases monotonically to near zero regardless of censorship strategy, even at low censoring-agent fractions (ρ=0.05) and against a non-strategic aggressive censor with a strict-balanced distributor profile.
-
By 2018 the GFW had shifted from blocking Tor bridges by (IP, port) tuples to blocking the entire IP address. A blocked bridge remains inaccessible for exactly 12 hours; the block renews to 12 hours if any additional Tor connection attempt is made during that window, after which the GFW re-scans and removes the IP from the blacklist if Tor is no longer running.
-
obfs4 successfully established Tor circuits on the authors' own unpublished bridge relays but failed to connect to any public obfs4 bridge, consistent with the GFW having scraped and blacklisted public bridge addresses. This demonstrates that address confidentiality is a prerequisite for obfs4's effectiveness, independent of its obfuscation properties.
-
Despite I2P's decentralized design, a censor can block more than 95% of peer IP addresses known to a stable I2P client by operating only 10 routers in the network. The censor learns this by passively monitoring the distributed netDb through injected floodfill and non-floodfill nodes, exploiting the fact that I2P's peer-discovery mechanism exposes the near-complete address space to any sufficiently resourced participant.
-
A blocking rate of more than 70% of I2P peer IP addresses is sufficient to cause significant latency in web browsing activities, while blocking more than 90% of peer IP addresses can make the I2P network unusable. The cost to reach the 95% blocking threshold is operating only 10 censor-controlled routers.
-
Of approximately 32K active I2P peers observed daily during a three-month measurement (February–April 2018), roughly 6,000 peers came from 30 countries with poor Press Freedom scores (index > 50); China led with more than 2,000 peers, followed by Singapore (~700) and Turkey (~600). This suggests I2P is being used as a Tor/VPN alternative in heavily censored regions, despite China configuring I2P peers to hidden mode by default.
-
A simpler but effective complement to IP-list blocking is to block access to I2P's small set of hardcoded reseed servers: first-time users cannot fetch RouterInfos of other peers and are entirely prevented from joining the network. Reseed servers are functionally equivalent to Tor directory authorities as a single point of failure for bootstrapping.
-
New Twitter users who joined because of the Instagram block were initially apolitical (80% Chinese-language preference vs. 39% for existing Chinese Twitter users; ~80% of first follows were entertainment/sports accounts) but within two days their rate of political discussion about Hong Kong converged with that of established users. This confirms the gateway effect operates without pre-existing political motivation and without a Streisand-style backlash.
-
Blocked Chinese-language Wikipedia pages received approximately 160,000 more views on September 29, 2014 (the day Instagram was blocked) than in the preceding week, covering politically sensitive topics — Tiananmen Square, mainland leaders, and the PRC blocked-sites list — that long-term VPN users would not be browsing for the first time. By November 1, Chinese-language Twitter accounts had accumulated 33,750 more followers than pre-block trend projections.
-
When governments suddenly block previously uncensored, habitual-use platforms, affected users acquire VPN/proxy tools to restore access — and those tools then incidentally unlock all long-blocked content. The authors call this the 'gateway effect': sudden censorship backfires not through political backlash but through habit-driven evasion that permanently expands information access. The effect is strongest for indispensable, hard-to-substitute services.
-
China's September 29, 2014 Instagram block caused VPN Express to jump from rank 1,229 to rank 6 among all iPhone app downloads in China in a single day, and four of the top ten free productivity apps that day were VPNs (VPN Express, GreenVPN, VPNArtifact, VPN in Touch). The prior day, no VPN appeared in the top 10.
-
On the day Instagram was blocked, geo-located Twitter users from mainland China increased ~30% and new account creation jumped more than 600%. A full 53% of previously active Instagram users (estimated 8–16 million people) continued accessing Instagram via evasion tools after the block, compared with roughly 0.026% of all Chinese Internet users who used Twitter before the block — demonstrating the Firewall's baseline efficacy and the magnitude of the gateway-driven surge.
-
China actively censors websites far outside the popular-traffic tier: many discovered censored domains appear in the tail of the Alexa Top 1,000,000, and some are absent from Alexa entirely. This demonstrates the GFW pursues content-classified hosts regardless of traffic rank, not only high-visibility platforms.
-
Across 85,421 Cloudflare-hosted domains crawled from five vantage points, 524 websites employed country-based blocking (Cloudflare error 1009). Ukraine (VPN) received 313 geo-blocks while Scotland (same VPN provider) received only 175, suggesting that IP/ASN reputation or exit-node characteristics cause significant variation in observed blocking rates even when controlling for the access method.
-
Because a disproportionate number of Tor exit nodes are located in the EU, GDPR-motivated blanket blocking of EU IP ranges creates collateral access restrictions for Tor users globally. This illustrates that privacy-protective legislation and censorship-circumvention infrastructure can have directly competing effects when server-side enforcement is implemented via coarse geographic IP filtering.
-
After GDPR took effect on May 25, 2018, 74 websites that had previously served all three EU vantage points (London, Sofia, Frankfurt) began blocking them; 40 returned explicit 'Blocked due to GDPR' blockpages with HTTP 403, 7 used HTTP 451 Unavailable For Legal Reasons, and all 47 sites with explicit blockpages were local news outlets.
-
Ukraine and Scotland both used the same VPN provider yet Ukraine received 1,874 CAPTCHA challenges vs. 309 for Scotland, and 1,519 browser verification challenges vs. 1,091 — a roughly 6× and 1.4× difference respectively. Only Ukraine was flagged as a VPN or Tor node by OctoNet's HTTP filter, indicating that IP/ASN reputation drives security-motivated blocking independently of the transport protocol used.
-
The trial explicitly obtained no evidence about TapDance's resistance to adversarial censor countermeasures: its scale and duration were judged small enough that censors likely did not observe it, leaving theoretical censorship-resistance claims unvalidated against active blocking responses.
-
TapDance was deployed on four ISP uplinks (two 40 Gbps, two 10 Gbps) using commodity 1U servers running a Rust/PF_RING zero-copy implementation; CPU load remained below 25% while handling a peak of ~14,000 new TLS connections per second across 34 cores, with cumulative mirrored traffic peaking at 55 Gbps across all stations.
-
Approximately 10% of respondents (n=23) held uncertain or incorrect beliefs about which actor was responsible for a given block, systematically conflating government censorship with geoblocking, paywalls, and platform-side restrictions. This misidentification cascaded into inappropriate tool selection and inaccurate risk assessment: users who could not distinguish state blocking from licensing restrictions could neither choose the right circumvention tool nor accurately gauge the legal jeopardy of accessing the content. Respondents specifically requested a pre-visit blocking-actor classification tool.
-
Nearly 70% (n=160) of respondents reported self-censoring online for fear of the law. Frequency of exposure to blocked content was a statistically significant, ordered predictor of self-censorship (Goodman-Kruskal's gamma = 0.421, 95% CI [0.247, 0.595], p < 0.05), with self-censorship increasing monotonically as exposure to blocked content increased. Notably, self-censorship rates did not differ significantly between respondents inside and outside Thailand, suggesting the chilling effect extends beyond the reach of domestic ISP-level blocking.
-
Of 229 Thai Internet users surveyed, 63% (n=144) had attempted to circumvent censorship, and of those, roughly 90% (n=132) reported success using VPNs (32.64%), proxies (32.64%), or Tor (23.61%). Failures were isolated to proxies (n=2), VPNs (n=2), and alternative searches (n=3), indicating that existing circumvention tools were technically adequate but that availability and comprehensibility—not raw capability—were the binding constraints on user success.
-
Users in Thailand relied on incident-driven tool selection—running a fresh Google search for a proxy or VPN each time they hit a block—which the paper identifies as a systematic vulnerability: the Thai Royal Police exploited this pattern after the 2014 coup by linking a phishing application to a government block page, harvesting email addresses and gaining application-level access to Facebook profile information. The paper further notes that orchestrated stricter censorship could drive users to a government-operated malicious tool.
-
Social media—primarily Facebook—was the dominant venue for direct, experienced threats: 9 of 15 respondents who had content blocked reported being censored on Facebook, and respondents observed that government censorship was shifting away from website blocking toward social media surveillance precisely because social media platforms are 'hard to block.' Respondents lacked any effective technical defenses against peer reporting, group-administrator censorship, and intermediary liability; they relied instead on social management strategies such as abbreviating references to royalty, running 'trial posts,' and self-censoring likes and shares.
-
Only 4 Indian ASes are needed to intercept >90% of AS-level paths from all Indian ASes to censored sites; 10 ASes cover ~95% of paths. Fewer than 5,000 edge routers spread across those ASes would suffice for nationwide IP filtering, with ~70% of those routers belonging to just two private ISPs (Bharti Airtel AS9498 and Tata Comm. AS4755).
-
If India deployed centralized filtering at its key ASes, approximately 121,931 foreign-origin paths (1.15% of all Internet paths to censored sites worldwide) that transit Indian ASes would experience collateral blocking, affecting non-Indian users in Finland, Hong Kong, Singapore, Malaysia, the US, and elsewhere who have no connection to Indian censorship law.
-
India's federated censorship model — each ISP independently enforces government blacklists — produces dramatically inconsistent filtering: Airtel censored only 1 of 50 pornographic sites probed, while MTNL censored 45 of 50; Reliance Jio censored 0 sites across all 540 test URLs. A well-informed user can escape censorship through a judicious choice of ISP.
-
A CAPTCHA-gated registration scheme with sequences of reCAPTCHAs at random intervals and short solve windows limits automated censor deployment. With 5 minutes spent per registration, a human adversary working non-stop for 24 hours can create at most 288 censors; combined with a 12-hour registration reset cycle, this bounds the adversary's censor accumulation rate.
-
For complete blockage (>99%) over 10 hours, the adversary requires a swarming ratio of 12.8, translating to 128,000 censors against a single server with 10,000 CoAs. Scaling to a 10-server, 10-interface deployment forces the adversary to operate 106,700 humans in parallel; with a 5-minute CAPTCHA registration and a 12-hour reset cycle, achieving complete blockage within 10 hours requires 1,067 non-stop human operators in the first two hours.
-
A credit-based accounting method dynamically assigns users to larger groups as their trust score accumulates (credit increases by G−1 per unblocked interval), requiring a user's credit to be twice the group's risk before joining. This reduces the total number of CoAs needed while making it costly for censor agents to infiltrate large groups, since they must wait through many clean intervals before the group reaches exploitable size.
-
A proof-of-concept Linux prototype using UMIP (open-source MIPv6) with three routers and five commodity machines (2.4 GHz Intel Core 2 Duo, 4 GB RAM) demonstrated correct CoA rotation every 10 seconds. Signaling overhead was reduced to one-third of standard MIPv6 by eliminating return routability messages; per-packet transmission overhead was 24 bytes (IPsec ESP), identical to the baseline secure-channel cost, yielding zero net overhead attributable to the MTD mechanism.
-
The MI-MTD framework uses Mobile IPv6 Care-of Addresses (CoAs) rotated among randomized user groups every shuffling interval. With 1,000,000 users, 5,000 censors, and 10,000 CoAs (swarming ratio φ=0.5), per-interval access probability is 60.88%; over one minute with 10-second shuffling intervals, blocking probability drops to approximately 0.358%, meaning users retain ~99.6% chance of access.
-
Ad server domains are structurally immune to censor blocking due to collateral-damage risk: Google DoubleClick is embedded in 1,843,854 publisher sites and PubMatic in 215,046, making IP-blocking of these domains prohibitively costly for any censor. Measurements of Alexa top-10K confirm the top 20 ad servers handle more than 75.6% of all ad requests.
-
Relay-based circumvention severely degrades ad relevance: across Alexa top-500 uncensored sites, the overlap between ad sets fetched via Tor and the direct-path ground truth averaged only 28%, with near-zero overlap for sites serving geo-targeted ads. For blocked sites, only ~16% of ads shown via Tor were in the user's language.
-
ADVENTION's split-path design — fetching publisher content via relay and ad requests via the direct path — raises average ad-set overlap from 28% (Tor) to 70%; combining ADVENTION with Intelligent Relay Selection (language-matched relay) further increases average overlap to ~80%. For blocked sites, ADVENTION with IRS raised ad relevance from ~16% to 100%.
-
In the heavily censored environment (E3), all successful connections used meek domain-fronting bridges (meek-amazon: 11 participants, meek-google: 9, meek-azure: 3); not a single participant successfully connected using flashproxy, fte, fte-ipv6, obfs4, or scramblesuit, despite all being available as built-in options.
-
The authors recommend 'smart automation' for bridge selection: the client first connects via a hard-to-censor bridge, then contacts a central Tor server over that Tor connection to identify the best available bridge for the user's location and network conditions, then reconnects using that bridge — eliminating the manual trial-and-error that caused 79% of attempts to fail. This is contrasted with 'naive automation' (sequential blind retry) which avoids UI friction but wastes time on non-working bridges.
-
Participants spent 64–78% of their total connection time on the progress/waiting screen (not in the configuration UI), and the simulated censorship environment was the dominant predictor of connection time (Kruskal–Wallis χ² = 80.5, df = 2, p < 10⁻¹⁵). In E3, each failed bridge attempt added several minutes of timeout before the user could retry, compounding the overall latency.
-
79% of total user attempts (363 of 458) to connect to Tor in simulated censored environments failed. In the most heavily censored condition (E3, requiring a meek or custom bridge), only 50% (10/20) of participants using the original interface connected, and even with the redesigned interface only 68% (13/19) succeeded within 40 minutes.
-
A redesigned Tor Launcher interface significantly increased success rates (Pearson χ² = 2.808, p < 0.047) and reduced median connection time in E3 from 40:08 to 20:25 (Mann–Whitney Z = −1.84, p < 0.0328, r = 0.172); configuration time also dropped significantly (Z = −3.28, p < 0.0005, r = 0.307). Changes included eliminating yes/no bridge and proxy question screens, adding auto-detection for proxies, consolidating options, and surfacing meek bridges as a fallback recommendation.
-
Never-once avoidance succeeds for 75% of source-destination pairs that do not already terminate in the US (a highly routing-central country) at δ=0.5, and for nearly all pairs avoiding less central countries. Russia is the hardest case at ~35% success (δ=0.5) due to proximity to the dense European node cluster. The median successful source-destination pair has over 1,000 valid DeTor circuits when avoiding the US and 500 when avoiding China.
-
Tor's built-in country-exclusion feature provides only the illusion of control: among circuits configured to exclude the US, only 12% could be identified as definitively avoiding US territory. The remaining 88% of 'trusted' circuits fail to deliver a proof of avoidance, meaning standard Tor policy and provable security diverge sharply.
-
China's Internet censorship ecosystem is bilateral: the GFW handles technical blocking while separate government agencies (MIIT, TCA, MPS, MSS) handle non-technical regulation, and 'these two components do not operate synchronously.' Google Scholar is considered a legal service by Chinese regulators but is incidentally blocked as collateral damage because it falls under the google.com domain, blocked since 2010.
-
Bridges that carry clients are highly stable: their median lifetime is 116 days (~4 months) and 84% never change IP address, with 90% having at most one IP change. This means current censor policies that remove bridge IP blocks every 25 hours are far more conservative than necessary — an adversary could sustain blocks for months without significant collateral damage.
-
Default bridges — whose IP addresses are hardcoded in the Tor Browser Bundle — carry 91.4% of all bridge clients globally in April 2016, and 86.1% in Iran and 69.2% in Syria. Because these addresses are trivially obtainable from the Tor Browser Bundle configuration files, a censor can block the vast majority of bridge users in a country at any time.
-
Four OR ports (443, 8443, 444, 9001) account for 82% of all active public bridge fingerprints as of April 2016, down from 95% in March 2013 but still concentrated. Scanning just three of these ports (443, 8443, 9001) is sufficient to deanonymize 71% of all active public bridges. Additionally, CollecTor's published per-bridge usage statistics allow a censor to rank bridges by client count per country and identify the highest-impact OR ports to scan next.
-
Because Bangladesh's ban targeted specific named applications rather than underlying protocols, users successfully substituted functionally equivalent but unlisted apps: 'Banning Facebook, Viber, and Whatsapp for security purposes was not sufficient. For example, I used IMO to operate those apps. So, ultimately, nothing happened.' Authorities responded by expanding the blocklist to cover substitute apps, producing a reactive cat-and-mouse dynamic over the 26-day ban.
-
The Bangladesh Telecommunication Regulatory Commission (BTRC) directed ISPs to block Facebook, Viber, WhatsApp, and Facebook Messenger on November 18, 2015; the ban expanded over 26 days to include Twitter, Skype, IMO, and Instagram, with a coincidental 1-hour complete internet blackout at the outset. Blocking was enforced at the ISP level via written BTRC directives, targeting specific named platforms rather than underlying protocols or ports.
-
At least one participant was unable to use VPN during Bangladesh's ban because her Windows Phone (Lumia) did not carry VPN client apps in its app store, leaving her 'totally unable to communicate' for the ban's duration despite awareness of the workaround. Device platform and app-store access restrictions created a hard circumvention barrier independent of user intent or technical knowledge.
-
During Bangladesh's 2015 internet ban, police conducted roadside stops and physically inspected mobile phones for VPN software, confiscating devices found with VPN installed and asserting VPN use was illegal — despite no official government directive prohibiting VPN. This extra-legal enforcement, carried out by low-ranking constables, created a chilling deterrent effect on circumvention adoption beyond the technical challenge of blocking.
-
Prior to Bangladesh's 2015 internet ban, only 1 of 21 study participants had prior knowledge of VPN or IP-masking software; during the 26-day ban, VPN knowledge spread virally through social networks until it was described as 'fairly commonplace,' with adoption driven almost entirely by peer-to-peer instruction rather than technical documentation. Users required only procedural knowledge — installation steps and connection — not understanding of VPN mechanics.
-
Aggregate measurements across nearly 180 countries over 17 days found that 60% of reflectors experienced some degree of connectivity disruption; the bias of detected blocks toward Citizen Lab Block List sites held for both inbound and outbound filtering, and temporal variability corroborated documented censorship events around political timelines.
-
Validation against the Citizen Lab Block List (CLBL) showed that for 99% of reflectors, more than 56.7% of detected inbound-blocked sites were CLBL-listed (vs. 56.7% CLBL composition of the input dataset); 95% of reflectors showed the same directional bias for outbound filtering, confirming the method detects real censorship rather than measurement noise.
-
CloudFlare platform policy creates outsized blocking: 80% of CloudFlare-hosted websites discriminate against at least 60% of studied Tor exits, while Amazon- and Akamai-hosted sites show high policy diversity. Social networking and shopping sites are the most aggressive discriminators — 50% block over 60% of studied exits — while search engines are least aggressive, with 83% blocking fewer than 20% of exits.
-
Conservative exit policies (Reduced-Reduced, which additionally blocks SSH, Telnet, and IRC ports beyond the default) have no statistically significant correlation with IP blacklisting rates or abuse complaint volume. Web traffic accounts for 98.88% of all connections on Reduced-Reduced exits, confirming that ports 80/443 are the primary abuse vector and that port restriction does not meaningfully reduce exposure.
-
7% of 84 commercial IP blacklists proactively blacklist Tor exit relay IPs as a matter of policy: the Snort IP and Paid Aggregator blacklists listed newly deployed relay IPs within 3 hours of their first appearance in the Tor consensus and maintained the listing for the entire relay lifetime. In total, 88% of all Tor exits appear on at least one commercial blacklist, compared to 9% of VPNGate and 69% of HMA VPN endpoints.
-
Real Tor users browsing the Alexa Top 1M websites via deployed exit relays experience failed HTTP requests at rates of 15.8–33.4% and failed HTTPS handshakes at rates of 35.0–49.6%, representing severe service degradation compared to non-Tor browsing (Table 8).
-
20.03% of Alexa Top 500 website front-page loads showed discrimination against Tor exit users. Exercising search functionality on compatible sites raised discrimination by 3.89% (to 21.33%), while exercising login functionality raised it by 7.48% (to 24.56%), demonstrating that headless front-page-only crawlers significantly underestimate the true blocking rate Tor users face.
-
The Republic of Cyprus National Betting Authority (NBA) blocklist grew from 95 URL entries in February 2013 to 2,563 entries in April 2017 — approximately 27 times its initial size — with entries specifying full URL paths rather than just domain names, requiring DPI-capable infrastructure for correct enforcement.
-
The northern Cyprus ISP Multimax (AS197792) employed IP-based blocking rather than DNS hijacking, and its blocked-site list — including Wikipedia, Tor Project, Wikileaks, and Psiphon — matched Turkish ISP blocklists rather than the RoC NBA gambling blocklist, demonstrating that geopolitically distinct ISP operators on the same island implement categorically different censorship regimes.
-
China's Great Firewall adds sites to its blacklist within hours of their becoming newsworthy and drops them again just as quickly; conversely, Pakistan's pornography crackdown used a rarely-updated blocklist, causing 50% of consumption to shift to unlisted sites. An outdated probe list will therefore underestimate GFW effectiveness and overestimate effectiveness in countries with static lists.
-
Analysis of 758,191 URLs across 22 probe lists found near-zero URL-level Jaccard similarity between nearly all list pairs (most < 0.01), including between country blacklists; even at hostname level, blacklists share little with each other or with researcher-curated lists like ONI's 12,107-URL list, indicating that any single probe list systematically misses large portions of what is actually censored.
-
Topic correlation analysis across 2,904 list-topic pairs (585 significant after Bonferroni correction at α = 0.05) shows social media is disproportionately represented in country blacklists relative to the broader web; video-sharing sites are also frequently blocked, likely to suppress political organization, copyright infringement, or competition with local businesses.
-
Syria's 2015 blocklist contained a disproportionately large share of software-related sites because censors applied indiscriminate TLD-based blocking of all .il (Israeli) domain names regardless of content, demonstrating that non-topic-based criteria (country-code TLD, ASN) can sweep in entirely unrelated infrastructure and are detectable only through anomaly spot-checks rather than content analysis.
-
Time-series analysis across five ISPs over six months reveals a near-universal stasis in January–February where blocklist changes were negligible for all ISPs, followed by significant fluctuations (e.g., a +20–35% swing in TCP unreachability between February and March for PTCL, Wateen, Qubee, and WiTribe). A ubiquitous drop in TCP-unreachability outcomes occurred December–January, suggesting a seasonal or policy-driven relaxation followed by re-tightening.
-
GhostPost's client-server coordination channel transfers only metadata and small text payloads, making it neither bandwidth-intensive nor latency-sensitive. The paper explicitly concludes that 'practically any means of communication, including low-performance covert channels, are adequate' for the coordination channel, enabling operation over DNS tunnels, steganographic channels, or other constrained transports when the central server's HTTPS endpoint is blocked.
-
Salmon simulations show that a censor with agents comprising 1% of 10,000 users can block at most 4A servers (one block per agent per full group) against a system with 1,000–2,000 servers; server groups with a hard cap of M=10 users that fill entirely with legitimate users before any agent joins become permanently invincible to server discovery. The censor's optimal strategy is to ensure each agent is always alone in its group at the time of joining, which requires knowing the user arrival rate — information Salmon withholds by not publishing user statistics.
-
Without recommendation-tree grouping logic, a censor starting agents at trust level 6 who each recommend 1–2 additional agents (requiring 4–5 months of waiting) can cut off over 95% of users even at agent percentages in the 15–30% range, as shown in Figure 6. With recommendation-tree grouping enforced, the same attack at equivalent agent fractions produces dramatically lower service disruption because agents cluster among themselves rather than spreading across innocent user groups.
-
Salmon's trust-level mechanism (7 discrete levels; promotion from level n to n+1 requires 2^(n+1) days; banning triggered when suspicion exceeds T=1/3) reduces the fraction of users cut off by an attacking censor by more than 3× relative to rBridge under the same agent-percentage conditions. Simulations with 10,000 users (1–10% censor agents) and 1,000–2,000 servers show that trust levels keep high-seniority innocent users isolated from newer users where agents concentrate.
-
A single harvesting script running for 9 days on one free Amazon EC2 instance verified 3,101 working VPN Gate servers by testing 44,039 IP addresses, demonstrating that VPN Gate's collective defense mechanism — which relies on detecting automated scanning patterns — can be fully bypassed by routing successive queries through previously verified VPN servers. This result implies that a censor could, with no collateral damage, essentially completely shut down VPN Gate by blocking all verified servers.
-
All bridges in a given Tor Browser release batch were blocked simultaneously within a 20-minute window, and every blocking event occurred during China Standard Time business hours (between 10:40 and 17:00 CST). The combination of unpredictable multi-day delay followed by abrupt simultaneous batch blocking suggests a semi-manual process: human analysts discover bridges after an irregular delay, then an automated system applies blocks.
-
China's firewall never blocked a bridge before its public Tor Browser release, despite bridges being discoverable earlier via bug-tracker tickets and source code commits. The four bridges distributed only in Orbot (not Tor Browser) remained unblocked throughout the experiment, indicating the GFW monitors end-user software releases rather than upstream repositories or alternative distribution channels.
-
The Great Firewall of China blocked newly published obfs4 Tor Browser default bridges after delays of 7, 2, 18, 11, and 36 days following the first public software release, and up to 57 days after bridges were first discoverable via bug-tracker ticket filing. Iran showed no blocking of the same default bridges across the entire five-month measurement period.
-
Some obfs4 bridges exhibited a roughly 24-hour periodic semi-blocking pattern from China, where bridges cycled between reachable and blocked states with a ~24-hour period. This diurnal pattern differed between the two China probe sites and between bridges, and one blocking failure coincided with a documented nationwide GFW outage that also briefly restored access to Google services.
-
GFW blocking was keyed on both IP address and port number, not IP address alone. Bridges with port 22 (SSH) open had that port remain reachable even as other ports on the same IP were blocked, confirming per-(IP, port) tuple granularity in the GFW blocklist.
-
A single undergraduate ported Castle to two closed-source commercial RTS games (each with >8.5 million copies sold, from different studios) in under 6 hours per game using a ~500-LOC Python/AutoHotkey codebase; 17 of the Top 20 best-selling RTS games share the unit-command structure Castle requires, and 11 have community-decoded replay formats, enabling rapid adaptation to new titles.
-
Mailet resists proxy enumeration because clients communicate exclusively through widely-used email hosting providers over standard POP3/SMTP/IMAP ports; no direct client-to-Mailet-server connection ever exists, so even if a censor learns a Mailet server's IP address, blocking it requires blocking all email to major providers — collateral damage that is politically infeasible.
-
CovertCast's broadcast model decouples server workload from client count: one server can serve unlimited simultaneous clients without per-connection overhead, unlike hide-within systems such as FreeWave where server costs grow linearly with users. This architecture also defeats Sybil-based DoS attacks, because flooding the server with fake client requests does not increase server load — the server never processes individual client connections.
-
Because CovertCast clients connect to live-streaming service infrastructure (e.g., YouTube servers) rather than to CovertCast servers directly, IP-address blacklisting of CovertCast infrastructure does not allow censors to identify or disrupt client connections. Discovering the CovertCast server's IP address is therefore irrelevant to the censor's blocking goal.
-
Naive interference measurement systematically misclassifies CDN geographic routing as blocking (and vice versa): when China or Russia resolves twitter.com to a non-US IP, a naive detector must decide whether that is a CDN point of presence or interference. Joint iterative analysis of DomainSimilarity and IPTrust scores is required to separate authentic CDN footprints from block-page redirections.
-
The top 10 CDNs collectively host nearly 20% of the Alexa top 10,000 domains (1,967 domains); CloudFlare alone accounts for ~10% of those sites (726 domains) and operates across 75 ASes with 107,008 IP addresses. CDN-hosted domains receive disproportionate interference relative to their 20% share, suggesting censors target popular shared-infrastructure sites as a high-leverage blocking strategy.
-
Real-world CDN HTTPS deployments leak the identity of visited websites through three distinct channels — TLS certificate contents (A2, B1, B2 deployments), the plaintext SNI field (B1), and dedicated IP address mappings (B2) — enabling censors to block CDNBrowsing connections via standard DPI or IP filtering without collateral damage to non-forbidden CDN content. Each leakage channel requires inspecting only a single packet from an HTTPS connection, making the attack low-cost and deployable on off-the-shelf censorship boxes.
-
Winter and Lindskog [157] (2012) documented that the GFW used TLS SNI inspection in combination with IP/port filtering and TCP disruption to block Tor, as recorded in the survey's Table 1. This is one of the earliest published accounts of the GFW applying SNI-based blocking specifically to a circumvention protocol, demonstrating that the GFW correlated multiple detection signals rather than relying on any single technique.
-
Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.
-
Applying a regional binomial hypothesis test (p=0.7, significance 0.05) to Encore measurements independently confirmed censorship of youtube.com in Pakistan, Iran, and China, and of twitter.com and facebook.com in China and Iran, validating passive cross-origin measurement against prior independent reports of filtering.
-
In 8,573 controlled testbed measurements across image, stylesheet, and script task types, Encore produced zero false negatives and a ~5% false positive rate in India (attributed to unreliable network connectivity rather than filtering), establishing that cross-origin browser probes reliably detect DNS, IP, and HTTP filtering under stable network conditions but require aggregation to control noise.
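The regional test and the need for aggregation described in the two findings above, as an added Python example (not code from Encore or its authors). It assumes p=0.7 is the probability that a cross-origin load succeeds when nothing is filtered, that the test is one-sided on the lower tail, and that a verdict needs at least one control region with 10 or more loads; the measurement counts are constructed.

```python
from math import comb

P_UNFILTERED = 0.7       # assumed meaning of p: load success rate without filtering
ALPHA = 0.05             # significance level quoted in the finding
MIN_CONTROL_TRIALS = 10  # assumed: loads a region needs before it can act as a control


def binom_cdf(k, n, p):
    """Exact P[X <= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def rejects_null(successes, trials, p=P_UNFILTERED, alpha=ALPHA):
    """One-sided test: is the success count too low to be explained by noise?"""
    if not 0 <= successes <= trials:
        raise ValueError("successes must lie between 0 and trials")
    if trials == 0:
        return False  # no data, no verdict
    return binom_cdf(successes, trials, p) <= alpha


def regional_verdicts(counts):
    """counts: {region: (successes, trials)} for one measured resource.

    Regions that reject the null are reported as filtered only when some
    other region with enough loads does not reject. Without such a control,
    a site-wide outage would be indistinguishable from filtering.
    """
    rejecting = {r for r, (s, n) in counts.items() if rejects_null(s, n)}
    controls = {
        r for r, (s, n) in counts.items()
        if n >= MIN_CONTROL_TRIALS and r not in rejecting
    }
    return rejecting if controls else set()


# Constructed counts (successes, trials) for one resource per scenario.
FILTERED_SITE = {
    "region-A": (12, 40),  # most loads fail
    "region-B": (36, 40),  # healthy
    "region-C": (27, 40),  # noisy network, slightly under 70%
    "region-D": (1, 3),    # too few loads to say anything
}
OUTAGE = {
    "region-A": (2, 40),
    "region-B": (3, 40),
    "region-C": (1, 40),
    "region-D": (0, 2),
}

if __name__ == "__main__":
    print("filtered in:", sorted(regional_verdicts(FILTERED_SITE)))
    print("outage case:", sorted(regional_verdicts(OUTAGE)))
    # Three straight failures are the minimum that can reject at alpha=0.05.
    print("0/2 rejects:", rejects_null(0, 2), " 0/3 rejects:", rejects_null(0, 3))
```

A single failed load, or one success in three, never rejects the null here, which is why individual browser probes have to be pooled per region before any verdict is drawn.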
-
The GFW blocks Tor primarily by dropping SYN/ACK segments entering China from blacklisted IP/port pairs, not by dropping SYN segments leaving China. Of 142,802 CN→Tor-Relay measurements, 81.52% were Server-to-client-dropped versus only 0.55% Client-to-server-dropped. Blocking Tor directory authorities also showed substantial Client-to-server drops (19.61%), suggesting authorities may be treated differently.
-
GFW filtering failures — cases where blocked Tor traffic passed through — showed no conspicuous geographic patterns across China. The maximum observed Pearson correlation coefficient between neighboring clients' failure counts was 0.26 (near-zero), and failure cases were geographically distributed in proportion to Internet penetration, not clustered by province or ISP region.
-
GFW failures are both persistent and intermittent: four client/server pairs showed all 22 hourly measurements over a full day returning No-packets-dropped (entirely unblocked), while many others showed only sporadic failures. Temporal analysis showed failures cluster in bursts of hours, with probability of a second failure decaying sharply beyond ~5 hours after the first.
-
Routing is the dominant structural factor in GFW failures. CERNET (the Chinese Educational and Research Network) accounted for 503 of 135 destination IPs' failures — by far the most of any network — and packets transiting CERNET→CERNET links reached Tor destinations at an r=0.9896 ratio, near 1.0. Within CHINANET and CNC Group backbones, the Tor-to-non-Tor traversal ratio dropped to 0.403 and 0.272 respectively (Table 4), indicating heavy intra-ISP filtering.
-
Of GFW-blocked websites in the Alexa top 1000, 82% are already hosted on CDN infrastructure; for news websites specifically, the figure rises to 85%. This was measured by scraping GreatFire.org blocked-site data and verifying CDN hosting for each domain.
-
Akamai's China-based edge servers self-censor, returning HTTP 403 for GFW-forbidden content, while Akamai's mapping system (located outside China) returns valid edge server IPs to Chinese users even for forbidden domains, and non-Chinese Akamai edge servers serve all content freely. This partial self-censorship structure is driven by the requirement to operate CDN infrastructure inside China.
-
The GFW universally uses DNS poisoning rather than IP blocking to censor CDN-hosted content. Across all tested CDN providers (Akamai, CloudFlare, CloudFront, EdgeCast, Fastly, SoftLayer), no CDN edge server IPs were IP-filtered, because a single provider like Akamai hosts content on 170,000 shared edge servers—blocking any IP would collaterally block hundreds of thousands of unrelated publishers.
-
The Great Cannon (GC) operates as a distinct in-path system — not an extension of the GFW — capable of both injecting and suppressing traffic, enabling full man-in-the-middle capability against targeted IP addresses. Unlike the on-path GFW, the GC only examines the first data packet of each connection (avoiding TCP bytestream reassembly), targets specific destination IP addresses rather than all border traffic, and maintains a per-source-IP flow cache of approximately 16,000 entries to ignore already-processed connections.
-
The GC acted probabilistically, responding to only approximately 1.75% of eligible requests (526 out of 30,000 from three measurement IP addresses) and completely ignoring one of four measurement source IPs. Flow-cache exhaustion tests confirmed the probabilistic decision is made per-flow at cache insertion time: once the ~16,000-entry cache was filled, injections resumed on previously-ignored source ports, ruling out connection-tuple hashing as the selection mechanism.
-
Routing traffic from a user on ISP-B through a peer relay on ISP-A (which applied only HTTP-level filtering and permitted HTTPS) produced the smallest page load times in most cross-ISP comparison runs, beating both HTTPS/domain-fronting and Tor. The performance gain is attributed to lower end-to-end latency on the intra-country cross-ISP path relative to international relay routes.
-
Direct circumvention via HTTPS/domain-fronting from Pakistan achieved an average throughput of ≈1.5 Mbps, whereas static proxies located in the US, Europe, and Asia yielded less than 0.9 Mbps in most cases. Page load times for the YouTube homepage (≈360 KB) were significantly lower under the direct method, and a TCP slow-start model predicts throughput could reach ≈2 Mbps if the flow completed within slow start.
-
Across two major Pakistani ISPs, blocking mechanisms varied substantially for the same URL: ISP-A applied HTTP-level blocking with redirection to a block page, while ISP-B deployed multi-stage blocking combining DNS-level resolution to localhost and independent HTTP/HTTPS request dropping. A single ISP also used different filtering techniques for different URL categories (e.g., YouTube vs. HTTPS-accessible sites).
-
In experiments using 200 back-to-back fetches of the YouTube homepage (≈360 KB), HTTPS produced lower page load times than Tor in most cases because Tor circuits do not optimize for performance and often select longer paths. Tor's page load times varied widely as circuits changed approximately every 10 minutes, producing a heavy tail in the latency distribution.
-
Twitter's country-withheld content mechanism relies on a browser-set location cookie, not IP geolocation; the authors confirmed that viewing a known-withheld Turkish tweet via a Turkish proxy server did not trigger the withholding display, but manually changing the Twitter app's location setting to 'Turkey' did — meaning any Turkish user who sets their location to a different country can bypass the entire withholding mechanism without Tor or a VPN.
-
Turkey's filtering of Twitter relied overwhelmingly on DNS manipulation over IP blocking: as of April 24, 2014, only 167 IP addresses were blocked versus 40,566 domain names. Users who received valid DNS answers could browse Twitter without further interference, making foreign DNS servers (Google 8.8.8.8, OpenDNS) an effective circumvention mechanism — reportedly graffitied across Turkey in protest of the ban.
-
When Turkish users shifted to foreign DNS providers as a circumvention mechanism, Türk Telekom escalated by rerouting traffic destined for Google Public DNS (8.8.8.8 and 8.8.4.4) to a local DNS server serving false answers (Event E, March 28), causing a rapid drop in Tor and YouTube availability across all Atlas probes regardless of DNS configuration. At least 6 distinct shifts in filtering strategy were documented within a two-week period.
-
Probing ~150,000 open DNS resolvers inside China over two weeks found that more than 99.85% provided polluted answers for blocked domains. The small fraction of clean resolvers achieved this by forwarding queries to Google Public DNS or OpenDNS via uncensored tunnels, or by locally dropping responses containing known GFW 'Bad IP' addresses (174 identified IPs).
-
CloudTransport's passive-rendezvous design ensures clients never establish direct connections to bridges; consequently, even a censor in complete control of a bridge cannot enumerate client IP addresses without computationally intensive flow-correlation analysis. Blacklisting the IP address of a CloudTransport bridge has zero effect on CloudTransport connections, and when a bridge migrates to a new IP address this change is completely transparent to clients.
-
Skype.com (503,932 censored, 0 allowed) and live.com IM services were blocked with 100% denial rates at all times. During the August 3, 2011 protest events Skype accounted for up to 29.24% of all censored traffic; 9% of Skype requests were software update attempts, which were also denied, confirming content-agnostic domain-level blocking rather than content-selective filtering.
-
Approximately 10% of China's IP addresses respond to IPID probes, and 13% of those exhibit globally incrementing IPIDs, meaning roughly 1% of China's total IP address space can serve as passive measurement vantage points with no cooperation from host owners. In contrast, Tor bridge blocking from Chinese clients was observed in 58.91% of server-to-client cases versus 0% for non-China Asia-Pacific clients.
-
The GFW blocks Tor primarily via stateless SYN/ACK dropping based on the server's source IP address and port (server-to-client direction, 73.04% of CN,Tor-dir cases). Two specific Tor directory authorities account for 98.8% of client-to-server (null-routed) blocks and 72.7% of error cases, indicating selective deeper blocking of specific IP addresses beyond the common return-path filter.
-
Over 5 days of measurement, 73.04% of connections from Chinese clients to Tor directory servers were blocked server-to-client (stateless SYN/ACK dropping), 16.73% were blocked client-to-server (null routing), and only 0.63% were unblocked. Of all censored Tor directory server connections measured across all regions, 98% originated from Chinese clients.
-
Using TCP IPID side channels combined with SYN backlog state inference, the authors detect intentional packet drops between two arbitrary Internet hosts without controlling either host. The only requirements are a client with a globally incrementing IPID (~1% of IP space) and a server with an open port; an ARMA model handles autocorrelated noise.
-
Client-to-server packet drops (RSTs from client to server are dropped in transit) indicate the simplest null-routing mechanism: the server's destination IP is null-routed at the censor. The method distinguishes this from server-to-client drops (stateless return-path filtering) and from RST/ICMP injection—cases where the packet is not dropped but a forged termination packet is inserted—which both appear as the 'no-packets-dropped' outcome in the IPID time series.
-
By deploying covert channels inside legitimate high-traffic web services (e.g., OpenSearch sites), Facade raises the censor's cost of blocking to unacceptable collateral damage: blocking Facade requires blocking the legitimate web service, which harms local businesses and normal users. Facade explicitly assumes censors are unwilling to block major platforms such as AWS or popular search services.
-
Pakistan's censorship used layered, evolving mechanisms: DNS redirection by local ISP resolvers appeared in all post-block traces, supplemented by HTTP 3XX redirection to a local provider's error page in Sep 2012 and shifting to RST injection by Aug 2013 (where ≈95% of YouTube HTTP requests received no response, vs. ≈2% pre-block). Porn blocking similarly combined DNS redirection with IP blocking (41% blacklist overlap) in Sep 2012 and RST injection in Aug 2013.
-
Before censorship, porn traffic averaged 8.4–11.5% of HTTP bandwidth across residential and SOHO users respectively. Post-censorship, this fraction fell to ≈3.5–4.0% for residential and ≈2.0–3.7% for SOHO users. Even after accounting for traffic shifted to unblocked alternate porn domains and the contemporaneous SSL/VPN increase, porn traffic did not return to pre-block levels, suggesting censorship achieved partial demand suppression despite being bypassable via alternate DNS resolvers.
-
For decentralized videoconferencing systems (e.g., Skype) where peers communicate directly, publicly distributing the Facet server's conferencing ID allows a censor to pinpoint the server's IP address via active probing. Centralized systems (e.g., Google Hangout, FaceTime) hide the proxy IP behind the provider's relay server, making active probing unable to identify the Facet server.
-
After VPN Gate blocked the GFW's original probe IP (210.72.128.200, operated by China Science and Technology Network / CSTNET), the GFW authority immediately pivoted to Amazon EC2 and commercial hosting (Gorilla Servers) to enumerate relay lists, using a Python-urllib user agent at fixed polling intervals. Following this adaptation, approximately 80% of all VPN Gate servers became unreachable from China.
-
The GFW authority discovered VPN Gate and deployed an automated IP-blocking tool within four days of launch: the List Server was blocked on March 11, 2013 (day 3), and automated scanning of the full server list began by March 12 (day 4). This automated tool polled and blocked all listed IP addresses several times per day.
-
Innocent IP mixing — inserting IP addresses of critical Internet infrastructure (DNS roots, Windows Update servers, popular mail servers) into the relay list distributed to users — forces the censor to manually verify each address before blocking. In March 2013, the GFW blocked every IP VPN Gate mixed in within 30 minutes, demonstrating it was trusting the list without verification; after the technique was noticed (March 20), the GFW switched to verifying IPs first, substantially slowing its blocking cadence.
-
After deploying innocent IP mixing and collaborative spy detection, VPN Gate raised server reachability from China from a low of ~30% to 78.5% by June 19, 2013, sustaining 60–70% reachability through end of August. On August 29, 2013, VPN Gate served 9,000 daily unique IP addresses from China versus Tor's estimated 3,000.
-
If a communication protocol is regularly used for business and commerce, blocking it may be too politically and economically costly for a censor. The paper posits that censorship resistance achieved as a side-effect of widespread general adoption is harder to defeat than a niche protocol designed solely to circumvent censorship.
-
GNS uses a proof-of-work-gated network flood for key revocation, requiring an adversary to block flood traffic on every path between the revocation origin and all peers to suppress it. This is substantially more robust than X.509 certificate revocation lists, which an adversary can render ineffective by simply blocking access to CRL servers — a weakness severe enough that browser vendors must bundle revocation lists inside software updates.
-
Blockchain-based naming systems such as Namecoin are insufficient under a strong adversary model where a nation-state can muster more computational resources than all other participants combined, allowing it to produce alternative valid chain histories. This vulnerability is most acute during system bootstrapping and in censored regions where the user base is small, precisely the conditions under which a censorship-resistant naming layer is most needed.
-
All three prior end-to-middle (E2M) schemes — Telex, Cirripede, and Decoy Routing — require an inline flow-blocking component at the participating ISP, which adds latency, introduces a single point of failure, and may violate carrier SLAs. In private discussions with ISPs, the authors found that despite willingness to assist Internet freedom technically and financially, none were willing to deploy existing E2M technologies due to these operational impacts. TapDance removes the inline blocking requirement entirely, requiring only a passive tap and packet-injection capability.
-
IBR-derived metrics γ (average SYN retransmits per flow) and η (inter-packet time between retransmits) can distinguish packet-loss-induced outages from packet-filtering censorship: during Libya's 2011 packet-filtering phase γC remained near pre-censorship values despite reduced source counts, whereas BGP route leaks caused measurable γ decreases and η increases. This difference exists because filtering reduces the host population but preserves per-flow OS retransmit behavior, while congestion causes routers to drop individual packets mid-flow.
-
Libya's 2011 Internet shutdown combined two distinct censor techniques across separate episodes: BGP-level route withdrawal and later packet filtering. During the packet-filtering episode, γC remained near its pre-censorship baseline (~2.0 packets/flow) even as the number of reachable Conficker sources dropped, confirming that the mechanism was per-subnet allowlisting rather than link saturation.
-
In every ISP where URL filtering was empirically confirmed, the 'proxy anonymizer' category was actively blocked. Netsweeper blocked 6/6 submitted proxy domains in YemenNet (AS 12486), 5/6 in Du UAE (AS 15802), and 6/6 in Ooredoo Qatar (AS 42298); McAfee SmartFilter blocked 5/5 anonymizer-category submissions in Etisalat UAE (AS 5384). Blue Coat filtering in the UAE and Qatar could not be confirmed; Etisalat appears to use SmartFilter for URL filtering atop a Blue Coat proxy appliance for traffic management.
-
Online scanning services span security scanners, ad networks (Google AdSense), web diagnostics, and link shorteners—categories economically important enough that blocking them wholesale causes severe collateral damage. The paper identifies five broad OSS categories with dozens of providers, and notes that translation services, photo printers, RSS aggregators, and image hosts are additional unexplored candidates, making exhaustive enumeration by a censor infeasible.
-
OSS throughput varies from 250 B/s (vURL/HTTP-302) to 265 KB/s (PDFmyURL/JavaScript-onload). High-rate OSSes—Dr.Web at 20 KB/s, GoMo at 22–175 KB/s, PDFmyURL at 160–265 KB/s—support bulk bidirectional transfer; low-rate OSSes (AdSense 500 B/s, vURL 250 B/s) are suited only for rendezvous. Concurrent streams scale linearly (2× aggregate throughput) for all tested OSSes except AdSense, which rate-limits per source IP.
-
In the standard redirect design the cooperating proxy's IP address or domain name appears in plaintext HTTP redirect responses, because the censored client cannot present a valid TLS certificate to the OSS and must use plain HTTP. A censor inspecting OSS-bound traffic can extract the proxy address from the Location header or URL query parameters. The no-redirect variant (client and server each initiate single scans of each other) eliminates this leakage at the cost of higher latency and server-side OSS enumeration.
-
Because FreeWave is VoIP-provider-agnostic, blocking it requires censors to block all VoIP services simultaneously — a politically and economically costly action given that approximately one-third of U.S. businesses used VoIP by 2011 and penetration was forecast to reach 79% by 2013. The authors argue this collateral-damage cost makes wholesale VoIP blocking infeasible for most censors.
-
FreeWave routes client VoIP connections through oblivious intermediary nodes (e.g., Skype supernodes) rather than directly to the FreeWave server, so even if a censor discovers the server's VoIP ID or IP address it cannot block clients via IP filtering. This 'server obfuscation' is absent from SkypeMorph and StegoTorus; the authors note that Chinese censors enumerated all Tor bridges—on which SkypeMorph depends—in under a month, rendering those transports instantly blockable.
-
Over 72 days, the authors observed 814,667,299 blog posts (average 11,314,823/day; peak 13,083,878/day). To blacklist all potential MIAB drop points, a censor would need to block 33,361,754 FQDNs (5% of all web servers per Netcraft) or 1,803,345 second-level domains (1.4% of global domain registrations); even a fully-maintained static blacklist retains an 11–12% daily miss ratio as new blogs appear.
-
Existing censorship-resistant systems share a fundamental vulnerability: they require the user to know a finite set of entry points (bridge addresses, rendezvous points, or ISP-level collaborators) that a censor can enumerate by impersonating a legitimate user. China has blocked the majority of Tor bridges since 2010 and Iran blocked all encrypted traffic in 2012, demonstrating this attack is operationally deployed at scale.
-
MIAB reduces the bootstrap requirement to only the operator's public key — no pre-shared rendezvous point is needed — by using blog pings as a real-time broadcast discovery channel. Since every blog post on the Internet is a potential drop point, the censor cannot enumerate entry points by posing as a legitimate user, unlike Collage (requires an up-to-date task database) or Telex (requires ISP collaboration).
-
All 307 blocked websites in Pakistan's test dataset were accessible via CoralCDN (by appending .nyud.net to the hostname) and via Google, Bing, and Internet Archive search-engine caches at the time of the study (2013), representing simple but underutilized bypass vectors. The paper flags these as 'surprisingly unexplored' circumvention options.
-
A controlled survey of 67 technically literate users in Pakistan found that ~45% primarily use public VPN services (Hotspot Shield, Spotflux), 24% use web proxies, and 11% use HTTP proxies such as Ultrasurf to bypass censorship. The survey population skews technical, so real-world adoption of low-friction tools among average users is likely higher.
-
GoAgent, the most widely used circumvention tool among the 1,175 surveyed users, routes traffic through Google App Engine IP addresses also used by Gmail and Google Apps for Businesses. The GFW resorts to DNS poisoning of appspot.com domains rather than IP-blocking these shared addresses because a blanket IP block would disrupt commercially critical Google services — and GoAgent bypasses the poisoned DNS by connecting directly to the unblocked IPs, making surgical separation of circumvention traffic from business traffic infeasible.
-
Among 1,175 Chinese circumvention users surveyed in late 2012, purpose-built anti-censorship platforms showed severe attrition: Freegate had 44.3% former users but only 15.3% current users, while GoAgent and paid VPNs (piggybacking on commercially indispensable infrastructure) were the top two most-used tools in the past month. The median respondent had used four different types of circumvention tools, indicating frequent switching driven by blocking events.
-
China's 2012 real-name registration law for consumer-facing online services (including VPNs) is designed to enable censors to segment circumvention-related consumer VPN traffic from business VPN traffic — permitting selective blocking of consumer VPNs while leaving corporate VPNs operational. The GFW had already demonstrated protocol-level VPN blocking capability; registration provides the identifying information needed to apply that capability selectively rather than as a blunt instrument.
-
Key distribution is the primary bootstrapping weakness of steganography-based censorship-resistance systems: a censor can simply block stego-key distribution. Identity-based steganographic tagging (IBST) eliminates this attack surface by requiring only a single master public key, which can be bundled with the client software — no key distribution inside the censored area is necessary.
-
China's GFW was able to enumerate all Tor bridges distributed via IP address or Gmail account in under a month, demonstrating that standard small-subset distribution strategies are insufficient against a state-level adversary controlling large numbers of accounts and Sybils.
-
As of March 2013, Tor is documented as blocked in China, Iran, Syria, Ethiopia, the UAE, and Kazakhstan. Blocking techniques range from simple IP address blacklisting to a sophisticated hybrid consisting of deep packet inspection (DPI) and active probing.
-
When using a foreign encrypted email provider (AlienMail), the censor observes only an encrypted connection to the foreign mail server (e.g., Gmail's servers in the U.S.); it cannot see the recipient address or the SWEET server's IP, making spam-filtering-style blocking of the SWEET endpoint entirely infeasible. This anonymity is provided by the mail provider's own TLS, requiring no additional obfuscation from the client.
-
Iran has deployed a 'dual-stack' addressing pattern in which the same server receives both a globally routable public IP and an RFC1918 private address, enabling failover between global and domestic routing. DNS records document this for entities ranging from ISPs (acc4.pishgaman.net: 81.12.49.108 / 10.8.218.4) to government organizations (Vice Presidency for Management Development: 10.30.5.163 / 10.30.5.148) and private companies.
-
Iran's nationwide censorship redirect page is hosted at private IP 10.10.34.34, operated by Data Communication Affairs (a subdivision of TCI's Information Technology Company, AS12880). Traceroute data confirms the final public hop before this private host is 195.146.33.29, registered to Data Communication Affairs, and 24 of 27 tested Iranian networks (89%) can reach it.
-
A scan of the full 10.0.0.0/8 block from within Iran identified 45,928 active hosts, including 20,060 on Telnet (port 23), 9,960 on HTTP (port 80), 8,029 on SSH (port 22), and 2,510 on DNS (port 53). Identified participants include TCI, government ministries (Agriculture, Education, Science), universities, and ADSL providers, establishing the private network as a purposefully designed national intranet in place since at least 2010.
-
Because Ultrasurf is a single-hop proxy where client ingress and remote web-server egress share the same IP address, any web server contacted through the network can log and report the proxy IP. The paper notes an attacker running a popular web server for a short time would passively harvest the full set of Ultrasurf server addresses for subsequent IP-list blocking.
-
Flash proxies successfully relayed Tor traffic from within China in December 2011, but the test relied on a simple HTTP-based rendezvous blockable by IP address; the authors identify rendezvous — getting just a few bytes (the client's IP address) out of the censored region — as the bottleneck that determines whether the entire proxy system remains operational.
-
Because browser-based proxies can only initiate outbound connections, flash proxies connect to censored clients rather than the reverse, requiring the facilitator to maintain a registry of client IP addresses; a censor can impersonate a legitimate flash proxy to query the facilitator and enumerate the IP addresses of circumvention users.
-
Flash proxies provide mean throughput of 79.7 KB/s when uninterrupted — comparable to direct Tor (69.5 KB/s) — but throughput drops to 56.6 KB/s (20–40% lower) when proxies alternate on 8-second duty cycles, with most variance attributable to Tor circuit reconstruction overhead rather than transport switching.
-
DEFIANCE's Address-Change Signaling (ACS) requires each client to contact a sequence of IP addresses with precise timing (per-user wait and window parameters) and a one-time passphrase derived from NET provisioning. Connections arriving out of order, outside the timing window, or lacking the correct passphrase receive only innocuous content, so a censor probing a suspected address block finds only normal commodity servers.
-
A balls-and-bins analysis shows that an adversary conducting N full rounds of a rate-limited rendezvous protocol discovers only 63% of a pool of N entry points; full coverage requires N ln N rounds (the coupon collector's bound). Concretely, with three 8-hour shifts of 100 humans performing 60-minute CAPTCHA+proof-of-work challenges, an adversary discovers ~2,400 entry points per day, exhausting a static pool of 10,000 addresses in roughly 19 days.
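The balls-and-bins arithmetic in this finding, worked as an added Python example (not from the paper). It assumes each completed challenge returns one entry point drawn uniformly at random, with replacement, from a static pool; under that assumption the 19-day figure corresponds to about 99% expected coverage, and the last function shows how much of the pool is exposed when the operator rotates it on a fixed schedule.

```python
import math
import random


def adversary_rate(shifts, humans, shift_hours, challenge_minutes):
    """Challenges solved per day by a staffed enumeration effort."""
    return shifts * humans * (shift_hours * 60 // challenge_minutes)


def expected_fraction(pool_size, draws):
    """Expected share of the pool seen after `draws` uniform draws."""
    return 1.0 - (1.0 - 1.0 / pool_size) ** draws


def draws_for_fraction(pool_size, fraction):
    """Smallest number of draws whose expected coverage reaches `fraction`."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - fraction) / math.log(1.0 - 1.0 / pool_size))


def expected_draws_full(pool_size):
    """Coupon collector expectation N * H_N, roughly N ln N + 0.577 N."""
    return pool_size * sum(1.0 / i for i in range(1, pool_size + 1))


def simulate_fraction(pool_size, draws, trials=20, seed=1):
    """Monte Carlo check of expected_fraction with a fixed seed."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        seen = {rng.randrange(pool_size) for _ in range(draws)}
        total += len(seen) / pool_size
    return total / trials


def coverage_at_rotation(pool_size, per_day, rotation_days):
    """Share of the pool the adversary is expected to know just before the
    operator replaces every address (full rotation every `rotation_days`)."""
    return expected_fraction(pool_size, per_day * rotation_days)


POOL = 10_000                              # static pool size from the finding
PER_DAY = adversary_rate(3, 100, 8, 60)    # three 8-hour shifts of 100 people

if __name__ == "__main__":
    print("entry points per day:", PER_DAY)
    print("coverage after N draws: %.3f" % expected_fraction(POOL, POOL))
    print("simulated, N draws:     %.3f" % simulate_fraction(POOL, POOL))
    print("days to 99%% coverage:   %.1f"
          % (draws_for_fraction(POOL, 0.99) / PER_DAY))
    print("days to every address:  %.1f" % (expected_draws_full(POOL) / PER_DAY))
    for days in (1, 2, 7):
        print("rotate every %d d -> %.0f%% known"
              % (days, 100 * coverage_at_rotation(POOL, PER_DAY, days)))
```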
-
NET payloads are wrapped in three nested layers — (1) steganographic encoding plus transport encryption with a factory digital signature, (2) proof-of-life (CAPTCHA), and (3) proof-of-work (computational puzzle) — so that even an adversary who harvests many payloads cannot decode them faster than gateway addresses can be rotated. The payload format is explicitly extensible to add harder challenges as adversaries improve.
-
The mod_freedom Apache module hooks into the HTTP 404 ErrorDocument handler and steganographically embeds encrypted NET payloads in image responses to valid RP requests, while returning normal content to all other clients. Using Identity-Based Encryption (IBE, Boneh-Franklin) keyed on the server's hostname eliminates any need for out-of-band public-key distribution and allows deployment on thousands of volunteer webservers without mutual trust.
-
Large-scale email and HTTPS enumeration of Tor bridges using 500+ PlanetLab nodes and 2,000 Yahoo accounts discovered 2,365 distinct bridges over approximately one month. The bridge HTTPS server rate-limits distribution to 3 bridges per 24-bit IP prefix per day, and the email server to 1 reply per account per day; these controls are circumvented by sourcing requests from hundreds of distinct prefixes. Bridge distribution follows a weighted coupon collector model proportional to bridge bandwidth, not uniform probability.
-
A single malicious Tor middle router advertising 10 MB/s bandwidth discovered 2,369 distinct bridges in 14 days. The catch probability is determined solely by the aggregated bandwidth M = k·b of malicious middle routers regardless of how that bandwidth is distributed across nodes: three routers at 10 MB/s each achieve strictly greater catch probability than 512 nodes at 50 KB/s each. This means a well-resourced single node is equivalent to or surpasses hundreds of low-bandwidth Sybil nodes.
-
SkypeMorph decouples bridge reachability from IP address: clients identify a bridge solely by its Skype ID, so a bridge can change IP address and port at any time without redistributing contact information through BridgeDB. This makes IP-list blocking of known bridges ineffective; a censor that discovers a bridge's current IP cannot prevent the bridge from migrating to a new one while remaining reachable to existing clients.
-
After a Tor client inside China connected to a US-based bridge, that bridge subsequently received a series of Tor connection-initiation messages from different Chinese hosts — consistent with GFW active probing triggered by the initial client connection. The probe burst was followed by loss of the original client connection, demonstrating a two-phase detect-then-block pattern: passive identification of suspicious traffic triggers active re-probing to confirm the protocol before blocking.
-
Under the Cirripede 'random ASes' deployment scenario — where 0.4%–1.0% of ASes deploy decoy routers — routing-capable wardens need only disconnect themselves from 0.85%–3.04% of the Internet to obtain clean (decoy-free) paths to all remaining destinations. Even at 10% Internet-wide deployment, wardens are cut off from only 7%–9% of non-participating ASes on average.
-
56% of logins tied to legitimate users discussing the Russian election originated from Russia, compared to only 1% of logins for the 25,860 spam accounts, with Japan accounting for 14% of spam logins. 39% of IP addresses used by the attackers appeared in the CBL blacklist for email spam and malware distribution, compared to 21% of IPs tied to legitimate users, confirming that the attack infrastructure was shared with conventional spam/malware operations.
-
The attack demonstrates that spam-as-a-service markets built for commercial spam (fake reviews, URL advertising) were directly repurposed for political censorship without modification, using the same compromised-host pools (39% blacklisted IPs) and bulk account infrastructure. This convergence means technical defenses against commercial spam infrastructure simultaneously constrain politically-motivated censorship operations by actors who lack direct Internet-access control.
-
Content-oblivious replication delegates ongoing availability maintenance to 'manifest guarantors' — nodes holding content manifests — who periodically sample chunk replication factors and restore missing replicas without knowing the plaintext they protect, freeing the original publisher from any post-publication obligation. Two honest manifest holders (one content, one key) are sufficient to maintain replication with overwhelming probability even under adversarial conditions and high churn.
-
Simulation over erasure code parameters uniformly sampled from m∈[1,5] and n∈[5,500] shows that a 50-of-500 code is the best trade-off between overhead and robustness: it requires nearly 10× storage overhead to support 2^60 variable-size chunks and allows the network to tolerate more than 70% node failure before data is lost. Replication combined with erasure coding yields better durability than either strategy alone.
-
One-way indexing separates a published file into encrypted content blocks (indexed by hash1(block)), a content manifest (indexed by hash2(keyword)), and a key manifest (indexed by hash3(keyword)), so a storer holding all content chunks cannot recover the plaintext or keywords without inverting a cryptographic one-way function. Using distinct hash functions for each manifest type also minimizes the probability that a single node stores both manifests, preventing correlation.
-
A censor can compare the predicted AS path from the claimed dummy host to the client against the actual observed ingress entry point of the spoofed downstream traffic; inconsistency reveals the dummy host as a cover. For clients in China Telecom (ASN 4134) and China Unicom (ASN 4837), 100% of 225 candidate dummy hosts passed AS-path consistency filtering; for clients in ASN 4538 only 18.2% (41/225) passed, sharply narrowing the usable pool for smaller ASes.
-
CensorSpoofer decouples the upstream channel (URLs hidden via steganography in IM/Email) from the downstream channel (web content injected into spoofed UDP/VoIP flows), so the proxy's real IP is never revealed to any user. This asymmetric architecture provides perfect insider-attack resistance: even if all users are compromised, they can only learn cover dummy-host IPs, not the spoofer's address.
-
Port-scanning 10,000 randomly selected non-China IPs found 1,213 (12.1%) acceptable as VoIP dummy hosts (SIP, RTP, RTCP ports not in 'closed' or 'host seems down' states). Of 100 sampled dummy hosts tracked over time, over 90% remained usable for more than 2 hours and over 80% for more than 6 hours; the total usable pool was stable across a 7-day measurement window (Feb. 9–16, 2012).
-
The MIT ANA Spoofer project shows that over 400 ASes (22%) and 88.7 million IP addresses (15.7%) permit outbound IP address spoofing, constraining where CensorSpoofer proxy nodes can be deployed. ASes applying ingress/egress filtering make IP-spoofing-based downstream channels infeasible from those locations.
-
A blocked Tor bridge becomes reachable again after approximately 12 hours if Chinese scanners are unable to reach it continuously. In the authors' experiment, one bridge (port 23941) whitelisted to their Chinese VPS via iptables was unblocked within 12 hours despite remaining actively used, while an unrestricted bridge (port 27418) stayed blocked indefinitely.
-
Of 2819 public Tor relays in the February 2012 consensus, only 47 (1.6%) were reachable via TCP from within China. After three days, only 1 of those 47 remained reachable. The GFC blocks relays by IP:port tuple rather than by IP to minimize collateral damage to co-hosted services.
-
If a large site such as Google or Wikipedia scrambled all served content using a publicly known de-scrambling algorithm, the censor would face a strict all-or-nothing blocking decision: it could not selectively filter banned scrambled content without blocking the entire site, since scrambled legitimate and banned content are computationally indistinguishable prior to running S⁻¹. This property scales the political cost of blocking proportionally to the size of the co-scrambling platform.
-
Transmitting the de-scrambling algorithm S⁻¹ as in-page JavaScript alongside AJAX-fetched scrambled content eliminates the need for special client software installation or trusted public-key distribution, removing the primary bootstrapping vulnerability that cryptographic censorship-resistance schemes (including Tor) share — a vulnerability exploited when Iran blocked Tor by filtering its Diffie-Hellman parameter bit sequence.
-
If clients probe the top 1,000 Alexa-ranked sites to discover a deflecting router, a censor would have to block more than 95% of those 1,000 sites to prevent any client from joining Cirripede. Clients aware of failed probes can continue cycling through additional popular sites, further raising the blocking cost.
-
Simulations on the CAIDA AS-level topology (January 2011 snapshot) show that deploying Cirripede deflecting routers at just 1 tier-1 AS enables 97% of Internet clients to use the system, and 2 participating tier-1 ASes achieve 100% client reachability. When clients probe only the Alexa top-30 most popular sites as overt destinations, 2 tier-1 ISPs still yield 100% reachability.
-
Cloud-based onion routing confronts censors with a collateral-damage dilemma: blocking a cloud provider's IP prefixes requires blocking all co-hosted services (Amazon EC2 hosted over 1 million instances sharing common IP prefixes in 2010), while allowing the traffic means circumvention succeeds. Rotating IP addresses—by retiring and spinning up new VM instances or via DHCP/gratuitous ARPs—reduces the window a blocked address remains in service, forcing censors into a perpetual cat-and-mouse game across all major cloud providers simultaneously.
-
COR does not solve the bootstrapping problem: a user's first connections to the COR bootstrapping network are vulnerable to the same IP-enumeration and blocking attacks as public Tor directory connections. To mitigate directory-partitioning attacks, directory retrieval is always performed through an existing COR circuit, and directories return only a random subset of available nodes rather than the full list—but this subset-delivery design is itself exploitable by a malicious directory that can fingerprint users via uniquely-assigned relay subsets.
-
Decoy routing places the circumvention service at transit routers rather than fixed-IP edge proxies, so the client addresses packets to any reachable decoy destination and the router hijacks the flow on the client's behalf. A single well-placed router may lie on paths to millions of destinations, making circumvention proxies appear ubiquitously deployed from an adversary's perspective. Blocking such a router requires disrupting ordinary traffic for large fractions of the Internet, qualitatively raising the cost of IP-address-based censorship.
-
An adversary aware of a decoy router's location can force decoy-routed flows to be unprocessable by fragmenting all packets below the size of a complete TCP header in the first fragment, preventing flow assignment and forcing the router into expensive reassembly. Alternatively, the adversary can use small-fragment attacks to grow the router's state table, analogous to NAT resource exhaustion. The paper identifies fragmentation-based denial as a harder-to-mitigate attack class than sentinel replay.
-
The BBC has distributed international audio and video through Akamai CDN since 2003 using URLs that do not include bbc.co.uk, making URL and IP-based blocking harder than targeting *.bbc.co.uk directly. However, individual Akamai edge machines have been blocked in China, causing thousands of co-hosted websites to become collaterally unavailable, illustrating the concentration risk when many services share CDN IP space.
-
During the December 2010 Nobel Peace Prize ceremony blocking in China, of two Psiphon nodes brought online for the BBC English News site, one was blocked almost immediately while the other remained available throughout the weekend, serving 387 logins on the ceremony day with no direct promotional channel available. A non-BBC-branded live-stream page promoted via a bit.ly URL released one hour before the ceremony received 4,236 clicks, with approximately 50% from China, accounting for about one-third of total stream viewers.
-
During the June 2009 blocking of BBC Persian in Iran, the BBC observed a more-than-fourfold increase in traffic to its BBC Persian TV Internet live stream, with geographic IP lookups confirming the majority of streaming originated from inside Iran. The BBC deployed Psiphon web-proxy nodes — chosen over alternatives because they required no executable installation on the user's PC and could be hosted by a trusted third party — promoted via email newsletters, Twitter, Facebook, and on-air announcements.
-
BBC Chinese's multi-channel Psiphon promotion — radio broadcasts three times daily with additional trails, daily email newsletters, and ad hoc tweets — allowed its service to reach page-view parity with BBC Persian's established Psiphon deployment within eight weeks of launch in September 2010. Separately, a third-party BBC Persian iPhone app using full-text RSS feeds received over 50% of its downloads from inside China, demonstrating that syndicated full-text content distributed across multiple third-party sites and apps is difficult for censors to enumerate and block.
-
Encrypting traffic at the application layer still discloses communicating parties to every ISP along the path; overlay anonymization is subject to blacklisting of exit nodes and traffic analysis. The paper argues that effective privacy requires building anonymity into the network routing layer itself, with the necessary tradeoff being hardware cost and routing inefficiency for privacy-requiring circuits.
-
Tor-like anonymizing overlays are easily censored because they rely on centralized, publicly visible relay lists; governments can blacklist Tor nodes or monitor all Tor exit traffic so that traffic analysis can reveal the source. Traffic to or from Tor 'essentially advertises itself as probably worth tracking.'
-
Channel blocking risk in Proximax is modeled as an independent Poisson process with rate λj; when a proxy is advertised on multiple channels simultaneously the risk parameters add (Λi = γ + Σλj), so each additional dissemination channel shortens expected proxy lifetime 1/Λi. The analytic result is that redundant multi-channel broadcasting is strictly suboptimal once cumulative risk exceeds the marginal usage gain.
-
A sophisticated censor can infiltrate a proxy distribution system, accumulate large numbers of proxy addresses and channel identities, and delay mass-blocking for weeks or months to maximize information before acting. The paper argues this is self-limiting: delayed blocking extends proxy lifetimes (benefiting system yield), and the infiltrating account's subtree reputation score degrades sharply the moment it begins blocking proxies, triggering exclusion from future proxy assignments.
-
Proximax uses fast-flux DNS — multiple IP addresses registered to one personalized domain with short TTLs and round-robin rotation — to resist channel-level DNS blocking. When a channel's domain is blocked, the system issues a fresh individualized hostname, forcing the censor to repeat discovery rather than permanently suppressing the channel with a single DNS entry removal.
-
Open proxy distribution registrations are vulnerable to adversary flooding with fictitious accounts that inflate yield scores via dummy connections. Proximax uses invitation-only registration with RICO-style subtree reputation scoring — a compromised sub-node taints the entire inviting user's subtree — and sub-linearly credits usage from closely clustered source IP prefixes to limit bot-driven inflation.
-
Proximax frames proxy distribution as a yield-maximization problem: the expected yield of a proxy is its attracted usage Ui divided by its total blocking risk Λi. A dissemination channel should only be assigned a proxy if the channel's own yield ratio u/λ exceeds the proxy's current yield ratio; otherwise the added risk outweighs the additional traffic and the channel must not be used at all.
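The risk-addition and yield-ratio rules from the Proximax entries above, worked through on constructed numbers. This is an added example, not code from the Proximax paper; the channel names, the value of γ, and the usage and risk figures are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Channel:
    name: str
    usage: float  # u_j: usage the channel attracts (user-hours/day, constructed unit)
    risk: float   # lambda_j > 0: Poisson blocking rate the channel adds (per day)


def total_risk(gamma, channels):
    """Lambda_i = gamma + sum(lambda_j): independent Poisson rates add."""
    return gamma + sum(c.risk for c in channels)


def expected_lifetime(gamma, channels):
    """Mean time until the proxy is blocked, 1 / Lambda_i."""
    return 1.0 / total_risk(gamma, channels)


def proxy_yield(gamma, channels):
    """Yield U_i / Lambda_i of a proxy advertised on `channels` (gamma > 0)."""
    return sum(c.usage for c in channels) / total_risk(gamma, channels)


def assign_channels(gamma, candidates):
    """Add channels in descending u/lambda order while the channel's own
    ratio still exceeds the proxy's current yield; stop at the first that
    does not, because it would lower U_i / Lambda_i."""
    chosen = []
    for ch in sorted(candidates, key=lambda c: c.usage / c.risk, reverse=True):
        if ch.usage / ch.risk <= proxy_yield(gamma, chosen):
            break
        chosen.append(ch)
    return chosen


def best_yield_by_enumeration(gamma, candidates):
    """Brute-force check: highest yield over every non-empty channel subset."""
    best = 0.0
    for size in range(1, len(candidates) + 1):
        for subset in combinations(candidates, size):
            best = max(best, proxy_yield(gamma, subset))
    return best


# Constructed sample data (not measurements from the paper).
GAMMA = 0.05  # baseline blocking rate of the proxy itself, per day
CANDIDATES = [
    Channel("private-email", usage=40.0, risk=0.02),    # ratio 2000
    Channel("social-feed", usage=300.0, risk=0.5),      # ratio 600
    Channel("public-forum", usage=500.0, risk=5.0),     # ratio 100
    Channel("mass-broadcast", usage=600.0, risk=20.0),  # ratio 30
]

if __name__ == "__main__":
    chosen = assign_channels(GAMMA, CANDIDATES)
    print("selected:", [c.name for c in chosen])
    print("yield, selected channels:", round(proxy_yield(GAMMA, chosen), 2))
    print("yield, all four channels:", round(proxy_yield(GAMMA, CANDIDATES), 2))
    print("lifetime (days), selected:", round(expected_lifetime(GAMMA, chosen), 3))
    print("lifetime (days), all four:", round(expected_lifetime(GAMMA, CANDIDATES), 3))
```

Broadcasting on all four channels attracts more raw usage but cuts the expected proxy lifetime so sharply that yield falls by roughly a factor of ten compared with the two selected channels.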
-
China has only 3 points of control covering approximately 240 million IP addresses (roughly 80 million IPs per point of control), the lowest ratio among large-population countries. This enabled China to cut off nearly all Internet access for the Xinjiang region for ten months beginning July 2009.
-
Eastern Asia averages 4.80 points of control and a complexity score of 1.54 across 510 million IP addresses, while Eastern Europe averages 19.10 PoC and a complexity score of 11.35 across 74 million IPs — nearly twice the complexity of any other region. Russia specifically has 2,346 autonomous systems and a complexity score of 19.39, versus China's 177 ASes and score of 0.11.
-
By 2009, the top 150 autonomous systems carried approximately 50% of all Internet traffic globally, up from roughly 30% in 2007. Akamai alone claimed approximately 20% of all web traffic, and the proposed Level 3 / Global Crossing merger would have covered over half the world's IP addresses.
-
Each round of copyright enforcement drove deeper architectural decentralization: centralized servers (BBSs/FTP) → central directory (Napster) → supernodes (KaZaA/Grokster) → pure protocol (BitTorrent). Even after Grokster was shut down its software continued to work, because no fixed corporate entity remained as the control point.
-
When RIAA filed suit against more than 30,000 individual filesharers, users migrated toward anonymous channels, small-world networks of vetted peers, ephemeral pointers, and user-generated IP blacklists for spoofed-peer detection. The University of Washington demonstrated IP-to-person attribution is unreliable — a networked laser printer received a DMCA takedown notice.
-
Over a 14-day evaluation in April 2011, CensMon tested 4,950 unique URLs from 2,500 domains across 174 agents in 33 countries, detecting 951 unique URLs from 193 domains as filtered. Manual verification of all 193 flagged domains found only 3 false positives, demonstrating high precision for an automated distributed monitor.
-
Among all filtered URLs detected, HTTP filtering accounted for 48.5%, IP address blocking for 33.3%, and DNS manipulation for 18.2%. Of the domains blocked at the HTTP layer in China, 71% were blocked due to URL keyword filtering rather than HTML response content filtering.
-
CensMon detected zero instances of partial web-page content filtering across 4,950 tested URLs during April 2011, indicating that censors at that time uniformly applied coarse-grained techniques — full URL block, IP blacklist, or DNS hijack — rather than inline content modification at the sub-page level.
-
Some politically active bloggers in the studied country deliberately continued publishing on officially court-blocked platforms, reasoning that official blockage created a legal defense against persecution: 'if they say you wrote this on your blog, I will say all of these blogs are blocked according to this court decision—they don't exist and they are officially inaccessible to citizens.' This co-option of censor infrastructure as a shield was treated as a serious protective strategy.
-
Blocking in the studied country was erratic and inconsistent: some geographic areas accessed the Internet through channels outside the main government-controlled pipeline and experienced no blocking, while other areas experienced sudden unexplained block-and-unblock cycles (e.g., a video sharing site and a microblogging site were blocked for 2-3 days in 2010 and then unblocked without explanation). Users frequently could not distinguish between deliberate blocking and ordinary technical outages, and this ambiguity itself amplified self-censorship among users who had not been directly targeted.
-
Users lacking technical circumvention skills bypassed blocking via social relays: technically savvy friends or contacts in unblocked regions copied blocked content into email or reposted it on social network profiles, allowing censored information to reach users who had no direct access to proxies or anonymizers. This informal bypass required no circumvention software on the recipient's end.
-
Tor bridges that always accept incoming connections enable a three-phase 'bridge aliveness attack': an adversary collects bridge descriptors at scale, correlates bridge uptime timestamps with pseudonymous post timestamps to narrow the candidate set (winnowing), then confirms identity via circuit-clogging and timing attacks. Because bridge descriptors remain valid indefinitely and the BridgeDB rate-limits only to one descriptor set per /24 prefix per week, an adversary with botnet or open-proxy access can hoard enough bridges for the winnowing phase to succeed.
-
National-level filtering is not homogeneous: the administrative burden of maintaining up-to-date filtering rules at national scale leads states to delegate implementation to regional authorities or individual ISPs, producing measurable filtering differences between geographic regions and providers within the same country.
-
At the time of writing, the Tor network had no publicly announced exit nodes located on the Chinese mainland, making direct Tor-based measurement of GFW filtering unavailable. The paper generalizes this: heavily filtered countries show systematically low availability of relay services, precisely where measurement need is highest.
-
Telex embeds steganographic tags in TLS ClientHello nonces using elliptic-curve Diffie-Hellman, placing proxy stations at ISP level on paths between the censor's network and popular uncensored destinations. Because the cover destinations are ordinary popular HTTPS websites, the censor cannot block Telex without simultaneously blocking a large class of legitimate TLS traffic — converting the censor's own reluctance to over-block into an unblockability guarantee.
-
A PlanetLab node in Beijing successfully loaded all 100 Alexa top-100 websites through a prototype Telex station at the University of Michigan; without Telex, 17 of the 100 sites were blocked (including facebook.com, youtube.com, blogspot.com, and twitter.com from the top 10), using forged RST packets, false DNS results, and destination IP blackholes. The median latency overhead for routing through Telex was approximately 60% for the 83 unblocked sites.
-
China's AS-level topology is shallow and concentrated: CHINANET and CNCGROUP together account for 63.9% of 133 unique foreign peerings, 87% of internal ASes are within one hop of a border AS, and just 24 border/backbone ASes serve as effective choke points for all international traffic. The TTL of GFW RST packets is now crafted to prevent IDS localization by TTL inspection, requiring TTL-incrementing probe packets to identify filtering device positions.
-
Rateless erasure coding with ε=0.01 adds only a 0.5% storage and traffic overhead. Consistent hashing of message identifiers to task-database entries ensures that when 50% of tasks are replaced, sender and receiver still share at least one task if three or more tasks are mapped per identifier. At a 10× send rate, message recovery succeeds even if 90% of published vectors are blocked.
-
Collage leverages platform-scale user-generated content—Flickr's 3.6 billion images with 6 million new per day and Twitter's ~500K tweets/day as of 2009—as a covert channel substrate. Because the censor cannot block all UGC platforms simultaneously without removing massive amounts of legitimate content, the system achieves availability and user deniability that fixed-infrastructure proxies (e.g., Tor relays) cannot: accessing Flickr or Twitter does not implicate the user as a circumvention tool operator.
-
A dynamic binary-tree partitioning algorithm solves the proxy distribution problem with at most k(1 + ⌈log₂(n/k)⌉) total proxy keys: partition n users into k groups in round 1, then halve each compromised group on each compromise event. Each of k adversaries can trigger at most ⌈log₂(n/k)⌉ compromises, bounding total proxy expenditure tightly.
-
The static proxy distribution problem — giving k²-adversarial users keys from m proxies so that all n−k legitimate users retain at least one uncompromised proxy — requires at most O(k² log n) keys and cannot be solved with fewer than Ω(k log(n/k)) keys. This establishes the information-theoretic cost of one-shot proxy distribution against k colluding informants among n users.
-
By reusing keys already held by trusted (non-suspicious) users for ℓ−1 of ℓ subgroups when bisecting the suspicious cohort — issuing only one fresh key per round — the total proxy count drops from O(k log n) to O(k² log n / log log n) in expectation. The information-theoretic lower bound is Ω(k log(n/k) / log(k + log n)), so this bound is tight in n up to a factor of k.
-
In invitation-based proxy networks (modeled on Psiphon's trust-tree), a single adversary can invite fake accounts as children in the trust tree, multiplying the effective adversary count k and invalidating sublogarithmic key budgets. For k=1 adversary on a trust tree of depth O(log n), an O(log n)-key algorithm exists by keeping the 'suspicious group' always rooted at a subtree boundary; for k>1 this remains an open problem.
-
In the Clouds P2P protocol, a blocking attack against a specific topic requires adversaries to occupy at least 50% of the 200-peer region closest to the resource provider to be effective; below that threshold, query messages routed through multiple paths bypass the censorship. This 50% threshold holds regardless of the number of clouds κ created per peer.
-
Because Skype relies on a central login server, it is technically possible for a censor to block Skype, but the paper observes that blocking widely-deployed services like Skype or Google inflicts real economic harm, making it a credible deterrent. Additionally, Skype's proprietary, closed-source protocol and P2P architecture make it harder to characterize and selectively filter than open protocols.
-
SkyF2F's friend-to-friend service model, where a server publishes its appid only to trusted contacts rather than publicly, provides significant resistance to both sybil attacks (malicious censor-controlled servers) and DoS exhaustion attacks. A censor posing as a client can establish many tunnels to exhaust a public server's resources; restricting service to a trusted friend list eliminates most of this attack surface.
-
SkyF2F tunnels censored traffic through Skype's encrypted overlay network, forcing the censor into an all-or-nothing dilemma: blocking SkyF2F requires blocking Skype entirely, which causes actual economic damage to businesses and users who depend on it. Because Skype users are identified by pseudonym and all messages are routed to overlay addresses rather than Internet addresses, IP-based blocking, DNS filtering, port blocking, and keyword filtering are all rendered ineffective.
-
Using Tor exit nodes to query the bridge authority, the authors enumerated 247 bridge descriptors over two weeks (out of 1,716 active bridges during that period). An adversary running a relay advertising just 10 MBps of bandwidth would discover 63% of bridges that relay at least 40 circuits and 87% of bridges running at least 80 circuits, because all Tor clients proactively build circuits every 10 minutes.
-
The architectural coupling of 'surfing' and 'serving' in Tor's bridge design—where enabling the bridge service is required to use Tor as a client—means a bridge always accepts connections whenever its operator is online, allowing a remote non-global adversary to probe a bridge's availability at negligible cost (less than 2 bps per bridge per status check via SYN/RST). Of the 247 enumerated bridges, only an average of 29.6 (just over 10%) were accessible at any given moment, providing a highly discriminating availability signal for intersection attacks.
-
Centralized proxy-discovery services are reliably disabled by censors: both Anonymizer and SafeWeb were blocked in China by targeting their central discovery sites, and Wikipedia identified and blocked all 700+ Tor anonymizing relay servers to prevent anonymous edits. Any single publicly-known host that handles proxy distribution becomes the censor's primary and sufficient target.
-
99.88% of 1,607 tested Chinese recursive DNS servers returned tampered responses for censored domains. Tampered responses drew from a pool of only 8 IP addresses, compared to 441–454 distinct IPs returned by U.S. control servers for the same query set — with 366 censored domains sharing exactly those 8 IPs.
-
A hybrid two-stage blocking system (IP-redirect first stage, URL-proxy second stage) can be exploited as an oracle to enumerate blocked IP addresses by sending TCP packets with a TTL sufficient to reach the first-stage redirector but insufficient to reach the destination. Non-redirected IPs return ICMP TTL-expired from an intermediate router, while redirected IPs return a SYN/ACK from the web proxy impersonating the destination. A live scan of a /24 subnet confirmed 17 redirected IP addresses, yielding 91 associated hostnames across 9 of those IPs.
-
Using a simple dialup connection, the CleanFeed oracle scan enumerated IP addresses at up to 98 addresses/second. At this rate, the ~8.3 million Russian IP addresses (the IWF reported 25% of known illegal sites were hosted in Russia) could be scanned in under 24 hours, and the full routable IPv4 space (32% of 2^32 addresses) in approximately 160 days. A suitable filtered dialup account was available for free, with phone costs under £15.
-
The CleanFeed first stage populates its IP blocklist by automatically resolving hostnames from the IWF database via DNS. Content providers can serve false DNS results pointing to high-traffic third-party IP addresses (e.g., Google cache servers at 66.102.9.104), causing the first stage to redirect legitimate traffic through the proxy. Automated IP-update processes cannot reliably distinguish a genuine IP migration from a spoofed DNS result, and this can cause legitimate sites to be blocked collaterally.
-
The hybrid two-stage design's architectural vulnerability is that circumventing either stage independently defeats the system: end-users can tunnel via Tor or JAP to bypass both stages entirely, while content providers can serve different content to IWF crawlers versus real users, exploiting the fact that only 33% of IWF hotline reports were substantiated as potentially illegal. The system's precision is entirely contingent on content-provider cooperation, which cannot be assumed.
-
Tor's public relay list (a few thousand IP addresses as of 2006) can be trivially enumerated and blocked by a censor. The paper proposes 'bridge relays' drawn from Tor's existing user base of hundreds of thousands of people, creating a pool of frequently-changing IP addresses that is too large and dynamic for a censor to enumerate completely. Bridge relays rate-limit relayed connections to ~10 KB/s and publish descriptors only to a private bridge directory authority rather than the public consensus.
-
The paper proposes dividing public bridge addresses into 8 pools (n=3 bits from HMAC(identity-key, authority-secret)) each assigned a distinct distribution strategy: time-windowed release, IP-subnet-partitioned assignment, time+location combined, mailing-list rotation, email/CAPTCHA delivery, and social-trust delegation. Deploying all strategies concurrently forces the attacker to allocate resources across every channel simultaneously, making all strategies more robust than any single strategy deployed alone.
-
If bridges run on predictable ports and any TCP connection to a bridge port reveals it as a Tor bridge, a censor can scan the entire address space of residential ISP ranges to enumerate and block all bridges. The paper proposes 'scanning resistance': bridges require a nonced hash of a pre-shared password before revealing Tor behavior, and respond to unauthenticated connections by impersonating an ordinary HTTPS server (e.g., default Apache page or a random legitimate website).
-
The paper presents a systematic taxonomy of blocking criteria across ISO/OSI layers: circumstance-based (addresses including sender/receiver/kind/physical location; timing including send time, receive time, duration, frequency; data-transfer properties; services including protocols, names, addresses) and content-based (file type/MIME, statistical detection of encrypted or compressed data, pattern matching for keywords or phrases, and website fingerprinting via request-count/byte-volume signatures).
-
The paper proposes using CAPTCHAs (hard AI problems) to gate forwarder-list access, forcing the blocker to expend human resources solving every puzzle while each blockee solves only one. However, a 'stealing cycles from humans' attack allows a censor to relay CAPTCHAs to unwitting third parties (e.g., visitors to an attacker-operated website) who solve them on the censor's behalf.
-
NAT and firewalls make volunteer forwarders (JAPR) unreachable for inbound connections by default, removing the incentive for volunteers to reconfigure their systems for no personal benefit. The design response is to reverse the connection direction — JAPR initiates contact with JAPB — shifting the NAT/firewall configuration burden to the motivated blockee who gains direct benefit from solving it.
-
The paper evaluates all major circumvention techniques available in 2003 and concludes that only application-layer proxies (HTTP, SOCKS, JAP, peek-a-booty) and IP tunneling can defeat all three blocking layers (IP filtering, DNS tampering, filtering proxies) simultaneously. Encryption alone cannot circumvent IP or DNS blocking; HTTPS hides URL paths but not the destination host; DNS-over-HTTPS/DNSSEC can detect but not defeat DNS tampering without a third-party resolver.
-
IP-level blocking causes severe over-blocking because more than 87% of all domains deploy name-based virtual hosting on shared IP addresses (per Edelman's 2003 survey of .com/.net/.org). A single blocked IP can deny access to thousands of unrelated sites; when xs4all.nl was blocked in 1996/1997, between 3,000 and 6,000 separate websites were collaterally blocked.
-
Publius cryptographically binds the URL to both the document content and the key shares via name_i = wrap(H(M · share_i)). Any unauthorized modification to the stored encrypted file, a share, or the URL itself causes the tamper check to fail, preventing silent content substitution by a malicious server.
-
Publius's delete mechanism requires the publisher to supply H(server_domain · PW) per server rather than a bare password, preventing any single malicious server from learning the global password and deleting the document from all hosting servers. However, the paper acknowledges that an adversary who identifies the publisher can apply coercive ('rubber-hose') methods to obtain the URL and password directly from the author, bypassing all cryptographic protections.
-
Publius encrypts content under a symmetric key K, then splits K into n shares using Shamir secret sharing such that any k shares reconstruct K. Each server stores the encrypted document plus one share, so an adversary must corrupt or destroy n−k+1 servers to censor the document, and increasing n or decreasing k raises the bar proportionally.
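An added sketch of the Publius share-splitting and URL-binding entries above, showing the tamper check and the n−k+1 destruction threshold together. It is not the Publius authors' code: SHA-256 for H, an XOR of the two digest halves for wrap, the toy hash keystream used as the cipher, the field prime, and the parameters n=10, k=3 are all assumptions made for the example.

```python
import hashlib
import secrets
from itertools import combinations

P = 2**521 - 1  # Mersenne prime used as the Shamir field (assumption)


def split_key(key: bytes, k: int, n: int):
    """Shamir split: random degree-(k-1) polynomial f with f(0) = key."""
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_key(shares, key_len=32) -> bytes:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(66, "big")[-key_len:]


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream standing in for a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def name_for(document: bytes, share) -> str:
    """name_i = wrap(H(M . share_i)); wrap is assumed to XOR the digest halves."""
    x, y = share
    digest = hashlib.sha256(document + x.to_bytes(2, "big") + y.to_bytes(66, "big")).digest()
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:])).hex()


def publish(document: bytes, k: int, n: int):
    """Encrypt under a fresh K, give each server the ciphertext plus one share."""
    key = secrets.token_bytes(32)
    ciphertext = xor_stream(key, document)
    shares = split_key(key, k, n)
    servers = {i: {"ciphertext": ciphertext, "share": s} for i, s in enumerate(shares)}
    url = [name_for(document, s) for s in shares]  # the URL carries every name_i
    return servers, url


def retrieve(servers, url, k):
    """Try k-subsets of surviving servers until one passes the tamper check."""
    for combo in combinations(sorted(servers), k):
        key = recover_key([servers[i]["share"] for i in combo])
        document = xor_stream(key, servers[combo[0]]["ciphertext"])
        # A changed ciphertext, share or name breaks at least one comparison.
        if all(name_for(document, servers[i]["share"]) == url[i] for i in combo):
            return document
    return None  # fewer than k intact servers remain


if __name__ == "__main__":
    doc = b"constructed sample document"
    servers, url = publish(doc, k=3, n=10)
    three_left = {i: servers[i] for i in (2, 5, 9)}  # 7 of 10 destroyed
    two_left = {i: servers[i] for i in (2, 9)}       # 8 of 10 destroyed (n-k+1)
    print(retrieve(three_left, url, 3) == doc, retrieve(two_left, url, 3))
```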
-
Using Byzantine-fault-tolerant protocols (specifically Rampart), seven replicas suffice to resist a conspiracy of any two malicious administrators or the accidental destruction of four systems with guaranteed complete recovery. Signing all files with a system key further ensures that a full recovery is possible as long as a single valid copy and an uncompromised public key survive.
-
Effective censorship of a distributed service requires simultaneous enforcement across every jurisdiction hosting nodes. With no head office to coerce, a legal attack requires coordination across multiple independent legal systems — making successful suppression 'very expensive indeed — hopefully beyond even the resources of governments.' Local bans (e.g., country-level) do not affect nodes in other jurisdictions.
-
The Eternity Service's core design stores a file on 100 servers worldwide but retains records of only 10 for auditing, destroying the remaining 90 records. Even if a user is legally compelled to disclose all 10 known server locations and those copies are seized, 90 copies survive at unknown locations and can be retrieved via anonymous broadcast once the user leaves the jurisdiction.