TECHNIQUES
packet-injection Packet injection (general)
Any in-path injection beyond DNS/RST: HTTP redirects, blockpages, etc.
10 papers on file
- 2026-niere-dpyproxy-dns Towards Automated DNS Censorship Circumvention
- 2025-aryapour-stealth-blackout Iran's Stealth Internet Blackout: A New Model of Censorship
- 2024-mixon-baca-snitch Attacking Connection Tracking Frameworks as used by Virtual Private Networks
- 2023-raman-global Global, Passive Detection of Connection Tampering
- 2021-bock-your Your Censor is My Censor: Weaponizing Censorship Infrastructure for Availability Attacks
- 2017-jermyn-autosonda Autosonda: Discovering Rules and Triggers of Censorship Devices
- 2017-wang-your Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship
- 2015-marczak-analysis An Analysis of China's "Great Cannon"
- 2009-weaver-detecting Detecting Forged TCP Reset Packets
- 1998-ptacek-insertion Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
98 findings tagged here
-
An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.
-
Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.
-
Wallbleed was a buffer over-read in the GFW's DNS injection subsystem that caused middleboxes to append up to 125 bytes of their own process memory to forged DNS responses. The bug persisted for at least two years (confirmed from October 2021); the GFW issued an incorrect partial patch in November 2023 (Wallbleed v2 remained exploitable) and fully patched it in March 2024. Over 5.1 billion Wallbleed responses were collected during continuous measurement, and an IPv4-wide scan found 242 million IP addresses across 381 autonomous systems receiving Wallbleed-injected responses — including some traffic whose source and destination were both outside China, due to routing through China's network border.
-
Iran's DNS censor now injects two distinct block-page IPs: 10.10.34.36 (≈87% of 47,633 censored domains) and 10.10.34.34 (≈13%). Both originate from the same network node at Iran's border. Prior research (Aryan et al. 2013) described only 10.10.34.34. The IP injected correlates strongly with the HTTP censorship method applied: domains with 10.10.34.34 in DNS receive TCP RST via HTTP (86.8% of RST cases), while domains with 10.10.34.36 in DNS receive HTTP block pages (84.6% of block-page cases).
-
Over 2.5 months (Nov 2024–Jan 15, 2025), IRBlock scanned all 11M Iranian IPv4 addresses daily, finding 6.8M IPs subject to DNS poisoning and HTTP blockpage injection, and 5.4M IPs subject to UDP-based traffic disruption. Testing over 700M FQDNs (500M apex domains) revealed 6M banned FQDNs from 3.3M censored apex domains. Of 537 active ASes in Iran, 485 (90.3%) exhibited blocking for at least 25% of assigned IPs. DNS and HTTP censorship overlapped at >99% of censored IPs; UDP blocking was a strict subset of DNS-censored IPs, affecting ~5M addresses.
-
The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.
-
The GFI operates three distinct DNS/HTTP injectors with different fake IP addresses (10.10.34.34, 10.10.34.35, 10.10.34.36) and partially overlapping blocklists—mirroring the GFW's triplet-censor architecture. Injector 10.10.34.35 exhibits TTL reflection (injected response TTL = probe TTL − hop count), identical to the GFW. No IP exclusively receives injections from 10.10.34.34 (a smaller, selective component); the two primary injectors 10.10.34.35 and 10.10.34.36 handle the majority of censorship. Different injectors maintain distinct domain blocklists, meaning which domains a user sees as censored depends on routing through their AS.
-
Since August 2023, Henan Province has operated its own TLS SNI-based and HTTP Host-based censorship middleboxes that inspect and block traffic exiting the province—a second filtering layer on top of the national GFW. The Henan Firewall is fingerprinted by a unique TCP RST+ACK injection carrying a fixed 10-byte payload (0x01 02 03 04 05 06 07 08 09 00), IP ID 0x0001, and an observed TTL of 58. Unlike the GFW, it injects resets only toward the client, performs no residual censorship, and requires no TCP handshake to trigger. Longitudinal testing (Nov 2023–Mar 2025, Tranco top 1M daily + 227M CZDS domains weekly) found the Henan Firewall blocked a cumulative 4.2 million domains—more than five times the GFW's cumulative blocklist—and at peak blocked ten times more domains than the GFW.
-
HTTP Request Smuggling—a web-security vulnerability that exploits CL/TE header parsing ambiguities between a front-end (censor) and back-end (web server)—can be systematically repurposed as a censorship circumvention technique. By hiding a censored Host in the body of a benign outer request, the censor parses only the uncensored outer request while the destination server processes both, successfully bypassing HTTP censorship in China (19 vectors), Iran (254 vectors), and Russia (all 2,015 vectors) from the evaluated vantage points.
-
Iran's censor contains an implementation bug: when the Content-Length header carries an invalid (non-integer) value and a Transfer-Encoding header is also present, the censor gracefully skips the invalid CL value and attempts to parse subsequent traffic, but fails to correctly interpret the TE header—causing it to pass the smuggled (censored) request. This bug enabled 254 of 2,015 evaluated test vectors to bypass Iranian censorship, all using the CL*/TE or CL/TE* vector types.
-
The "port shadow" exploit abuses five shared, limited resources in Linux conntrack/Netfilter (and analogous frameworks in BSD, Windows) to let an off-path attacker intercept or redirect encrypted VPN traffic, de-anonymize a VPN peer's source IP, or portscan a peer hidden behind a VPN server — all without compromising the VPN's cryptographic layer. Four concrete attacks are demonstrated; formal model checking with bounded model checking verified six process-isolation mitigations that prevent the shared-resource collision.
-
Iran's censor injects an HTTP block page consistently but contains an implementation bug: it fails to parse the TE header when a CL header with an invalid (non-integer) value is present, causing it to pass subsequent traffic. 254 of the evaluated test vectors circumvented Iran's censor; the 'Wrapping' CL*/TE strategy (e.g., 'Content-Length: <len>\u00FF\x0aX: X') was especially effective, exploiting this graceful-degradation fault.
-
The Russian censor at the tested Moscow vantage point (ASN 50867, China Unicom-equivalent private ISP) inspects only the first HTTP packet of the first TCP segment in a TCP stream and never blocks a second HTTP request, whether coalesced in the same TCP packet or sent in a subsequent one. All 2,015 web-server-accepted test vectors evaded Russian censorship, including standard-compliant whitespace-injection vectors (e.g., 'Content-Length\x20: <len>\x20').
-
The GFW DNS injector vulnerability enabled reflective amplification attacks with a baseline factor of 4.04× (46-byte payload → 186-byte response). Combined with routing loops — approximately 1,000 destination IP addresses in China were found to loop packets across the GFW more than 30 times, with 159 persisting after two days and a maximum of 119 loop iterations per query — the effective amplification factor reached 481.17×, sufficient to generate 100 Gbps of attack traffic from just over 200 Mbps of source traffic.
-
The GFW's DNS packet injector (Injector 3, identified by TTL mirroring and zero IP ID) contained an out-of-bounds read vulnerability: due to missing label-length and null-terminator validation, malformed DNS requests caused the injector to copy adjacent stack memory into forged responses. Over three days in October 2023, researchers collected over 1 TB of data containing over 13 billion leaks, ~87.43% with non-duplicate content, including live Internet traffic transiting China's backbone and stack frames of the GFW's packet-handling processes.
-
Starting October 1, 2023, the GFW began injecting HTTP 301 and 302 responses to connections destined for 1.1.1.1:80, redirecting clients to China's National Anti-Fraud Center (182.43.124.6, AS58519 China Telecom Cloud). Over 6,169 HTTP requests from a Tencent Cloud Beijing vantage point (AS45090), the GFW injected 301 responses at a 9.06% rate and 302 responses at a 28.5% rate.
-
From September 5–20, 2023, the GFW blocked 1.1.1.1:443 via TCP RST injection; starting October 1, 2023, the mechanism shifted to HTTP packet injection on port 80, while port 443 behavior became inconsistent across ASes — from one AS45090 vantage point, HTTPS connections to 1.1.1.1 still succeeded while other observers confirmed RST injection.
-
Injected GFW packets for 1.1.1.1:80 carry a consistent IP TTL of 251 (matching the real Cloudflare server), IP IDs of 0x99b3 (301 responses) and 0x4c57 (302 responses), and TCP flag patterns of PSH+ACK (301) versus PSH+ACK+FIN (302), providing stable per-injection-type fingerprints observable in packet captures.
-
The GFW's HTTP injection for 1.1.1.1:80 does not suppress the real Cloudflare response: the legitimate 301 from the actual server arrives after the injected packet, confirming the GFW operates as a race-condition injector rather than a transparent drop-and-replace proxy.
-
In Brunei, censorship is confined to AS10094, which serves approximately 70% of the country's Internet users. The censor injects RST packets bearing a distinctive fingerprint — the censored query's IP ID field — in response to HTTP requests containing censored Host headers, and censors on all ports without residual censorship. A SYN followed immediately by a PSH+ACK with a censored payload is sufficient to trigger blocking without a completed TCP handshake.
-
Geneva — originally designed to evolve censorship-evasion packet sequences — was repurposed by inverting its fitness function to discover censorship-triggering packet sequences instead. Training against non-responsive IP addresses allows Geneva to attribute all responses to middleboxes, enabling fully automated discovery of triggering strategies without any endpoint cooperation.
-
Tajikistan routes virtually all national egress and ingress traffic through a single state-run AS (AS51346, Tojiktelecom) under a 2016 national decree, creating a centralized chokepoint. The censor injects RST+ACK packets with a unique 22-byte all-zero payload, censors on all ports, and requires two PSH+ACK packets containing the censored content before injecting — possibly modeling typical multi-resource HTTP browsing behavior.
-
AS201776 (Miranda-Media Ltd) is responsible for the largest volume of Russian transit censorship by destination IP count, affecting approximately 16,000 IP addresses in Ukraine from US and Sydney vantage points. AS3216 (PJSC Vimpelcom) has the widest geographic reach—delivering blockpages for traffic destined to 8 countries—but impacts no more than 1,000 IP addresses per country from any single vantage point.
-
Scanning the IP address spaces of 18 countries surrounding Russia, the authors identify Russian transit censorship affecting at least 8 countries (Afghanistan, Azerbaijan, Kyrgyzstan, Kazakhstan, Lithuania, South Korea, Tajikistan, and Ukraine), attributable to at least 6 Russian ASes. Only 2 of these 8 countries (Kyrgyzstan and Kazakhstan) had been reported in prior work, and the collateral damage is characterized as a lower bound due to the study's blockpage-only methodology.
-
The study's three vantage points (US university, AWS Sydney, AWS Tokyo) produce substantially different transit censorship observations: the US vantage point detects blockpages in all 8 affected countries, while Sydney and Tokyo detect transit censorship only in Kazakhstan and Ukraine. This variance is attributed to routing path differences across vantage points, confirming that transit censorship coverage is highly path-dependent.
-
AS60299 (Mezhdugorodnyaya Mezhdunarodnaya Telefonnaya Stanciya Ltd) and AS201776 (Miranda-Media Ltd) deploy commercial DPI technology manufactured by Russian company VAS Experts to perform transit censorship. Ukraine is subject to transit censorship by the most Russian ASes (at least 5: AS3216, AS25227, AS35816, AS47203, AS201776), likely due to post-2022 re-routing of Ukrainian Internet traffic through Russian telecommunications infrastructure.
-
Manual analysis of 700+ unique packet groupings from possibly tampered connections yielded 19 high-confidence tampering signatures — up from 6 in prior work — covering 86.9% of all possibly tampered connections. Post-SYN signatures account for 43.2% of possibly tampered connections (99.5% matching a known signature), post-ACK for 16.1% (98.7%), and post-first-data-packet (PSH+ACK) for 5.3% (97.9%), with 19 signatures described as flag-sequence patterns of the form ⟨X→Y⟩ in Table 1.
-
136 Russian government domains (25.09% of 542 accessible ones) blocked access to all tested countries outside Russia, and a further 112 (20.66%) were accessible only from Russian and Kazakhstani vantage points. Geoblocking was implemented via heterogeneous, uncoordinated mechanisms—DNS timeouts, TCP timeouts, HTTP 403 Forbidden responses, and explicit blockpages—across different domains, indicating an ad hoc emergency response with no central policy.
-
Chinese DNS censorship operates symmetrically — injecting forged responses for both inbound and outbound DNS packets regardless of whether any real service exists at the destination IP. This means any DNS response received for a probe sent to a closed-port IP inside China is unambiguously a censorship injection, not a legitimate resolver reply.
-
Internet-wide IPv4 scanning found 386,187 IP addresses yielding amplification factors ≥ 100× via TCP middlebox reflection, with 82.9% of responses from the top 1 million IPs confirmed as originating from on-path middleboxes rather than endpoints. Nation-state censorship infrastructure dominates: China's GFW alone accounts for approximately 154 million responding IP addresses sharing a 3× RST+ACK (54 bytes each) fingerprint.
-
Censoring middleboxes respond to non-compliant TCP sequences because they must handle asymmetric routing and cannot rely on observing both sides of a connection. The hSYN; PSH+ACKi sequence elicited responses from 69.6% of 184 tested censoring middleboxes with a maximum amplification of 7,455×, while a lone PSH+ACK with no prior handshake elicited responses from 33.2% of middleboxes.
-
Nation-state censors produce characteristic TCP response fingerprints: China's GFW sends 3× RST+ACK (54 bytes each) from ~170 million IPs; Iran's infrastructure sends 402–405-byte FIN+PSH+ACK plus 54-byte RST+PSH+ACK from 8.6 million IPs (75.7% of responsive Iranian addresses); Saudi Arabia sends a 97-byte PSH+ACK plus 2× 1,354-byte PSH+ACKs at 18.9× amplification from 400,000+ IPs. Most nation-state censors produce less than 4× amplification due to compact block pages.
-
Routing loops within censoring infrastructure create effectively infinite TCP amplification: 53,041 of the top 1 million responding IP addresses showed routing loop behavior spanning 2,763 /24 prefixes. Two Russian ISP censorship systems with infinite routing loops continuously sent amplified traffic for approximately 6 days after a single 2-packet trigger sequence, and 6 GFW IP addresses in China sent data indefinitely.
-
GFWatch discovered 1,781 unique forged IPv4 addresses used in GFW DNS poisoning, yet injection is non-random: only 600 (33.6%) account for 99% of all censored responses, with the remainder in a long tail responsible for just 1%. The forged IPv4 pool is dominated by addresses belonging to Facebook (783 IPs, 44%), WZ Communications (277, 15.6%), Twitter (200, 11.2%), and Dropbox (180, 10.1%); all forged IPv6 responses use the bogus Teredo prefix 2001::/32.
-
Analyzing over 3 million OONI network measurements (2016–2020) from 17 ASes covering 98.45% of broadband and 90.94% of mobile subscribers in Spain, the study detected 16 unique blockpages, 2 DPI vendors (Fortinet/Fortigate in Telefonica; Allot in Vodafone), and 78 blocked websites across copyright, political, civil-rights, and referendum categories.
-
The GFW's DNS injection infrastructure comprises three distinct packet injectors, fingerprinted by combinations of IP-DF bit, IP-TTL behavior, DNS-AA flag, and DNS-TTL: Injector 1 (IP DF=0, incrementing IP TTL, DNS AA=1, DNS TTL=60) filters 88 domains including most Google properties; Injector 2 (IP DF=1, randomized IP TTL, DNS AA=0) handles ~24,729 domains; Injector 3 (IP DF=0, IP ID=0, fixed IP TTL, DNS AA=0) covers ~22,948 domains as a subset of Injector 2's domains. Over a 9-month study (Sept 2019–May 2020) sending 2.8 billion queries, 119.6 million forged responses were observed.
-
Injector 3 mirrors the probe packet's IP TTL in its injected reply rather than using a fixed TTL. This defeats TTL-limited localization probes: the injected reply only reaches the prober when the probe's initial TTL equals 2n−1 (where n is the hop distance to the injector); at lower TTLs the mirrored TTL is too small for the reply to return. All three injectors appear co-located (inter-probe delays within 0.2 ms of each other), confirmed from 7 vantage points across 5 continents, and the behavior is consistent across 62% of all 36K tested Chinese IP prefixes.
-
ICLab's semi-automated block page discovery — combining HTML tag-frequency vector clustering with locality-sensitive hashing (LSH) of page text — identified 48 previously unknown block page signatures from 13 countries: 15 via structural clustering across 5 countries and 33 via textual similarity clustering across 8 countries. The system seeds from 308 manually verified regular expressions and uses a URL-to-country ratio sort (largest ratio discovered: 286) to prioritize candidates for manual review, eliminating reliance on brittle hand-maintained regex lists alone.
-
Between January 2017 and September 2018, ICLab conducted 53,906,532 measurements of 45,565 URLs across 62 countries and 234 ASes, detecting blocking of 3,602 unique URLs in 60 countries via DNS manipulation, TCP packet injection, and block page delivery. Iran blocked 20–30% of Alexa top-500 URLs — more than any other monitored country — while Saudi Arabia consistently blocked roughly 10%. The global trend in detected censorship shows a steady decrease, which the authors attribute to rising adoption of TLS and circumvention tools.
-
ICLab's longitudinal monitoring detected censorship shifts coinciding with political events weeks before press coverage: Turkey's filtering rate rose from roughly 3% to 5% in late April 2017 — with blocked content shifting from pornography to news and political sites — ahead of a June 2017 constitutional referendum. India's censorship dropped from roughly 2% to 0.8% following a net neutrality announcement in late 2017, then partially recovered to roughly 1.5% after mid-2018 regulations clarified that illegal-content filtering would continue. Within the same country, different blocking techniques were applied to different content categories simultaneously (e.g., Turkey used DNS manipulation for illegal/streaming URLs but block pages for pornography and news).
-
Of 19,493,925 TCP packet injection events ICLab detected, only 0.7% (143,225) could be definitively attributed to censorship after multi-heuristic filtering; a further 58% (15,589,882) were RST-or-ICMP-unreachable events classified only as 'probable censorship' because ordinary network failure could not be excluded. Block pages appeared in just 3.4% of definitively-censored injections, meaning the vast majority of censor-side TCP disruption is covert. DNS manipulation detection achieved a false positive rate of approximately 10⁻⁴ using a threshold of θ=11 autonomous systems, cross-checked against block page observations.
-
FilterMap identified 90 blockpage clusters from 90 vendors and actors across 103 countries using 374 million measurements from ~45,000 vantage points against 18,736 sensitive domains; 87 of these signatures were previously unknown. Commercial filters were detected in 36 out of 48 countries rated 'Not Free' or 'Partly Free' by Freedom House, with Fortinet alone present in at least 60 countries.
-
The Great Firewall of China does not inject blockpages — it resets connections via TCP RST injection — making it invisible to blockpage-based detection systems. In contrast, the Iran firewall accounted for 97.1% of disruptions observed in Iranian vantage points, and the Bahrain and Saudi Arabia firewalls caused 71.2% and 80.2% of disruptions respectively, all using application-layer blockpage injection.
-
Data center VPSes predominantly experienced TCP connection timeouts and resets—with the highest-blocking VPS censoring 96.8% of tested domains—while residential ISPs were substantially more likely to inject explicit blockpages citing Roskomnadzor's registry, confirming that blocking mechanism varies significantly by network tier even when blocking rates are similar.
-
A proposed HTTP censorship detection algorithm combining status-code comparison, response-length Z-score, HTML TF-vector cosine similarity, and redirect-hostname matching achieves F1 scores of 0.83 (censored) and 0.77 (uncensored), outperforming OONI (0.80 / 0.70), length-difference methods (0.70 / 0.66), and HTML-similarity methods (0.52 / 0.34) on a manually annotated set of 3,000 responses across six Indian ISPs.
-
All detected HTTP censorship events in BSNL and MTNL are attributable to infrastructure shared with or operated by Airtel and ACT, demonstrating that upstream ISP filtering creates collateral censorship visible to downstream networks. Isolated cross-ISP leakage was also observed: Vodafone's censorship notice appeared in 2 Jio tests, and Airtel's appeared in 2 Vodafone tests.
-
Oman and Qatar deploy layered blocking: after a TCP handshake to geti2p.net completes normally, a TCP RST is injected immediately after the TLS ClientHello (SNI-based blocking), while HTTP connections to the mirror site receive injected packets redirecting to explicit national block pages. Kuwait applied only the HTTP mirror block, and only at one of six tested ASes (AS47589, Kuwait Telecommunication Company), with all other Kuwaiti networks leaving I2P fully accessible—illustrating significant ISP-level variation within a single country.
-
Over one month, 54K measurements from 1.7K ASes in 164 countries detected I2P blocking in exactly five countries: China (DNS poisoning of homepage and 3 of 10 reseed servers), Iran (TCP RST injection with HTTP 403 on mirror site), Oman and Qatar (SNI-based blocking of HTTPS homepage plus TCP injection with block-page redirect on HTTP mirror), and Kuwait (TCP injection on mirror site at AS47589 only). All other tested countries left I2P fully reachable.
-
By comparing echo-server (bidirectional) versus discard-server (inbound-only) results across 11 censoring countries, Quack finds that only 4 countries (China, Egypt, Jordan, Turkey) also block inbound traffic; the remaining 7 apply DPI exclusively to outbound data. Direction-sensitive blocking is a confirmed capability of deployed middleboxes.
-
Censors in Russia, Iran, and India implement all three measured censorship techniques simultaneously: block pages, RST injection, and TTL anomalies. Iran and Cyprus censoring ASes censor content across many URL categories (including General News, Internet Services, Pornography, Gambling), while most other censoring ASes restrict only a few category types.
-
Combining boolean network tomography with BGP path churn from the ICLab platform identifies 108 censoring ASes located in 49 countries across 4.9M measurements, reducing the candidate set of potential censoring ASes by 97% on average. 97.9% of constructed SAT CNFs return exactly one solution enabling exact AS-level censor identification, with less than 0.7% returning no solution.
-
Approximately 10% of respondents (n=23) held uncertain or incorrect beliefs about which actor was responsible for a given block, systematically conflating government censorship with geoblocking, paywalls, and platform-side restrictions. This misidentification cascaded into inappropriate tool selection and inaccurate risk assessment: users who could not distinguish state blocking from licensing restrictions could neither choose the right circumvention tool nor accurately gauge the legal jeopardy of accessing the content. Respondents specifically requested a pre-visit blocking-actor classification tool.
-
Users in Thailand relied on incident-driven tool selection—running a fresh Google search for a proxy or VPN each time they hit a block—which the paper identifies as a systematic vulnerability: the Thai Royal Police exploited this pattern after the 2014 coup by linking a phishing application to a government block page, harvesting email addresses and gaining application-level access to Facebook profile information. The paper further notes that orchestrated stricter censorship could drive users to a government-operated malicious tool.
-
Time-series analysis across five ISPs over six months reveals a near-universal stasis in January–February where blocklist changes were negligible for all ISPs, followed by significant fluctuations (e.g., a +20–35% swing in TCP unreachability between February and March for PTCL, Wateen, Qubee, and WiTribe). A ubiquitous drop in TCP-unreachability outcomes occurred December–January, suggesting a seasonal or policy-driven relaxation followed by re-tightening.
-
DNS tampering in Pakistan takes at least two distinct sub-forms: WiTribe and Nayatel redirect blocked domains to explicit block-page IPs (DNS resolution returns a routable address that serves a block page), while PTCL returns both failing IPs and explicit block pages, indicating that PTCL applies DNS tampering without user notification in some cases (NXDOMAIN-like) and with a block page in others. Qubee passes DNS entirely and applies content-level HTTP tampering at roughly 80% of measurements for blocked URLs.
-
Across five Pakistani ISPs measured over six months (Oct 2013–Mar 2014), censorship splits cleanly by ISP: WiTribe, PTCL, and Nayatel block via DNS tampering, while Wateen and Qubee block via HTTP content tampering. The two techniques do not overlap within a single ISP, demonstrating that Pakistan's censorship infrastructure is ISP-heterogeneous rather than centrally normalized.
-
A university closed survey of 64 Pakistani users found that 51% evade censorship using VPNs (Hotspot Shield being the most prominent), 25% use web proxies, 17% use Tor/onion routing, and approximately 7.2% use CDNs, mirror sites, search-engine caches, or web-based DNS lookup services.
-
A censor can mount a zero-collateral-damage flooding attack by injecting fake CRS-protocol-conformant traffic into open channels, inflating the apparent CTP and evicting real circumvention traffic to throttled or sacrificial protocols. If injection is costless the censor can drive real circumvention throughput to zero while keeping all channels nominally open; the attack is equally effective against both throttling and dumping CTP control strategies.
-
For the same blocked resource (YouTube) in Pakistan, UBICA found at least three distinct ISP-level techniques in parallel: Micronet Broadband and Witribe Pakistan use DNS injection redirecting to explicit blockpages; Pakistan Telecom Company Ltd. returns DNS responses yielding only 11.7% plausible IPs; while Transworld Associates and National Wi-Max/IMS apply HTTP tampering with no DNS interference, confirmed by passing TCP reachability tests but failing content-size ratio checks.
-
In South Korea, adult websites (e.g., hardsextube.com) were censored exclusively via HTTP content substitution — a JavaScript redirect to the official blockpage http://warning.or.kr — with 98% of content-size-ratio samples falling below the 0.3 detection threshold, while no DNS tampering or TCP-level blocking was observed. All other tested countries had fewer than 16% of samples below the threshold.
-
UBICA's crowdsourced measurement campaign across 31 countries deployed 200+ probes (47 GUI clients, 188 headless clients, 16 BISmark routers) and tested more than 16,000 targets (~15,000 hostnames) over 4 months. Its content-size ratio algorithm detects blockpage substitution by comparing average resource size per country against a global baseline, using a threshold of 0.3 (midpoint between the two observed distribution modes minus a 0.2 guard interval) without requiring a pre-existing uncensored ground truth.
-
Iran's censorship infrastructure shifted from fully decentralized (Jaccard similarity ~0 across ISPs in 2007) to highly centralized by June 2011, when the Jaccard similarity between the national gateway AS 12880 and two other ISPs reached 0.94 and 0.95. Almost all 2011 blocking was accompanied by a blockpage containing an iframe redirecting to internal IP 10.10.34.34, providing direct evidence of a single choke-point filtering infrastructure.
-
Across MENA countries (UAE, Tunisia, Oman, Iran, Qatar, Yemen, Saudi Arabia, Burma), over 80% of blockpage-delivering tests delivered the blockpage without DNS redirection, indicating transparent web proxies performing deep HTTP inspection rather than the cheaper DNS-intercept approach dominant in China. McAfee SmartFilter was identified in Qatar, Saudi Arabia, and UAE; Netsweepr in Qatar, UAE, and Yemen.
-
Yemen's national ISP (YemenNet) uses explicit blockpages for social and Internet-tools content while applying stealthy techniques — TCP RST injection and unrequited HTTP GETs — specifically for political and conflict content that is constitutionally protected. Censorship also ceases intermittently when the ISP exhausts filtering product licenses.
-
Analysis of GreatFire.org's server logs (16.6M requests, 13K unique source IPs, March 18–19 2015) showed 67% of DDoS attack traffic originated from Taiwan and Hong Kong, while mainland China accounted for only 18 requests — confirming the GC weaponizes foreign browsers by intercepting traffic at China's network border, not domestic ones. The dominant attack vector (38% of requests) was pos.baidu.com (Baidu's ad network), meaning any user globally visiting a non-Baidu site that loads Baidu ad scripts became an unwitting DDoS participant without visiting any Chinese site directly.
-
The Great Cannon (GC) operates as a distinct in-path system — not an extension of the GFW — capable of both injecting and suppressing traffic, enabling full man-in-the-middle capability against targeted IP addresses. Unlike the on-path GFW, the GC only examines the first data packet of each connection (avoiding TCP bytestream reassembly), targets specific destination IP addresses rather than all border traffic, and maintains a per-source-IP flow cache of approximately 16,000 entries to ignore already-processed connections.
-
The GC acted probabilistically, responding to only approximately 1.75% of eligible requests (526 out of 30,000 from three measurement IP addresses) and completely ignoring one of four measurement source IPs. Flow-cache exhaustion tests confirmed the probabilistic decision is made per-flow at cache insertion time: once the ~16,000-entry cache was filled, injections resumed on previously-ignored source ports, ruling out connection-tuple hashing as the selection mechanism.
-
TLS/HTTPS defeats GC-style content injection: the GC can only replace unencrypted HTTP responses and cannot inject content into TLS-encrypted streams (as an in-path system it could still drop them, but it cannot substitute its own payload). GitHub's universal TLS enforcement prevented the GC from selectively targeting GreatFire.org's repositories despite sustained attack. China had previously attempted to block GitHub entirely but reversed the block within two days due to domestic programmer backlash, leaving TLS as the effective barrier.
-
Packets injected by both the GFW and the GC share a distinctive implementation side-channel: the IP TTL field progressively increments on successive packets injected into the same connection, paired with an incrementing TCP window size. Using this compound fingerprint, the authors identified GC activity in 8 months of Lawrence Berkeley National Laboratory enterprise border traces with only a single false-positive source IP, and used per-hop TTL probing to localize both the GFW and GC to the same network link on China Telecom (hop 12–13, 144.232.12.211→202.97.33.37) and China Unicom (hop 17–18, 219.158.101.61→219.158.101.49).
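An added example, not code from the Great Cannon paper: a small Python detector that applies the compound TTL/window fingerprint described above to a sequence of packet headers. It groups packets by sending 4-tuple and reports any sender whose successive packets show the IP TTL climbing by exactly one while the TCP window also grows. A genuine endpoint keeps its TTL constant within a flow, so such a run has no benign explanation. The minimum run length of three packets, the dataclass, and the packet sample (RFC 5737 documentation addresses, constructed for this example) are assumptions, not values from the paper.

```python
"""Flag senders whose IP TTL and TCP window climb together across a flow.

Added example (not from the paper). The sample packets below are constructed;
the addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HdrSample:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int       # IP TTL as observed at the monitor
    window: int    # TCP advertised window


def injection_runs(packets, min_run=3):
    """Return {(src, dst, sport, dport): longest_run} for every sender whose
    packets contain a run of at least min_run consecutive packets in which
    the TTL rose by exactly 1 and the window strictly increased each step.

    min_run=3 is an assumption for this example: two increments in a row.
    """
    by_sender = defaultdict(list)
    for p in packets:                     # preserve capture order per sender
        by_sender[(p.src, p.dst, p.sport, p.dport)].append(p)

    flagged = {}
    for key, pkts in by_sender.items():
        best = run = 1
        for prev, cur in zip(pkts, pkts[1:]):
            if cur.ttl == prev.ttl + 1 and cur.window > prev.window:
                run += 1
                best = max(best, run)
            else:
                run = 1                   # any break resets the run
        if best >= min_run:
            flagged[key] = best
    return flagged


def suspect_sources(packets, min_run=3):
    """Set of source IPs that carry the injector fingerprint."""
    return {key[0] for key in injection_runs(packets, min_run)}


# Constructed sample: one genuine server flow (TTL pinned at 52) and one flow in
# which an injector impersonates 203.0.113.5 with TTL and window in lock-step.
SAMPLE = [
    HdrSample("198.51.100.10", "192.0.2.7", 80, 40001, 52, 29200),
    HdrSample("198.51.100.10", "192.0.2.7", 80, 40001, 52, 29200),
    HdrSample("198.51.100.10", "192.0.2.7", 80, 40001, 52, 31000),
    HdrSample("203.0.113.5", "192.0.2.7", 80, 40002, 47, 16384),
    HdrSample("203.0.113.5", "192.0.2.7", 80, 40002, 48, 17408),
    HdrSample("203.0.113.5", "192.0.2.7", 80, 40002, 49, 18432),
    HdrSample("192.0.2.7", "203.0.113.5", 40002, 80, 64, 65535),
]

if __name__ == "__main__":
    for key, run in injection_runs(SAMPLE).items():
        print(f"{key[0]}:{key[2]} -> {key[1]}:{key[3]} run={run}")
```

The window check matters: TTL alone can drift by one when a route flaps, but a route change does not also walk the advertised window upward in step, which is why the paper pairs the two fields.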
-
The GFW does not distinguish DNS query traffic directionality, injecting forged replies for both inbound and outbound queries on monitored links. This causes collateral censorship of DNS resolvers outside China when they contact authoritative nameservers located in or whose paths transit China, even for non-Chinese clients.
-
The GFW deploys DNS injection nodes only at China's border, within 2–3 hops of international transit points, across 16 border ASes. Internal probing found only 0.04% of 42,849 domestic routing paths exhibited DNS pollution, versus ~80% of externally-facing /24 subnets.
-
A single GFW node employs approximately 360 distinct processes, load-balanced by source and destination IP address, which collectively inject censored DNS responses at an average rate of ~2,800 packets per second, ranging from 1,100 to 4,000 pps over a day.
-
When a client's RST toward the server is dropped in transit (a client-to-server drop), the simplest explanation is null-routing: the server's destination IP is null-routed at the censor. The method distinguishes this from server-to-client drops (stateless return-path filtering) and from RST or ICMP injection, where nothing is dropped but a forged termination packet is inserted; both injection cases appear as the 'no-packets-dropped' outcome in the IPID time series.
-
Page length comparison at a 30.19% size-difference threshold achieves a 95.03% true positive rate and 1.371% false positive rate for block page detection, outperforming DOM similarity (95.35% TP, 3.732% FP) on false positive rate and cosine similarity (97.94% TP, 1.938% FP, 74.23% precision) on precision. These metrics were evaluated via ten-fold cross-validation on the ONI dataset of ~500,000 entries from 49 countries spanning 2007–2012.
-
Applying automated block-page detection to the ONI dataset (49 countries, 2007–2012) reveals that Burma's (AS 18399) censorship mechanism shifted from DNS redirection to a transparent proxy returning a custom block page in mid-2009, then block pages largely disappeared after Burma's late-2011 political liberalization. Saudi Arabia (AS 25019) shows a similar transition with WireFilter replacing an unidentified prior tool in 2011, with two concurrent block-page templates suggesting multiple simultaneous filtering devices.
-
Pakistan's censorship used layered, evolving mechanisms: DNS redirection by local ISP resolvers appeared in all post-block traces, supplemented by HTTP 3XX redirection to a local provider's error page in Sep 2012 and shifting to RST injection by Aug 2013 (where ≈95% of YouTube HTTP requests received no response, vs. ≈2% pre-block). Porn blocking similarly combined DNS redirection with IP blocking (41% blacklist overlap) in Sep 2012 and RST injection in Aug 2013.
-
Because TapDance does not block client-to-server packets, a censor can inject a TCP packet with a stale acknowledgment number directly to the true decoy server; the server will reply with its actual TCP sequence state, which will differ from the sequence numbers the TapDance station has been using — confirming the flow is proxied. This active packet-injection attack is qualitatively easier to execute against TapDance than against Telex or Cirripede, which used inline blocking to prevent such probes from reaching the server. Table 1 in the paper confirms that TapDance, unlike Telex, lacks replay/preplay attack resistance and has no traffic-analysis defense.
-
Injecting a single replayed ACK packet every 100 ms into a SkypeMorph session is sufficient to permanently stall data transfer: the server continuously resets its sequence counter back to the replayed position and never advances, while legitimate VoIP call traffic is completely unaffected. The attack requires the censor to induce only a small amount of server-to-client packet loss to prevent the legitimate ACK counter from overtaking the injected value, as shown in Figure 5b.
-
By targeting SkypeMorph's deterministic ACK-flagging schedule (one ACK every ~100 ms) and capping overall packet loss at 5–20%, a censor can drop up to 47% of ACK packets, reducing SkypeMorph throughput from its normal ~200 KB/s to 5–10 KB/s (a 90–95% reduction) while VoIP call quality remains within acceptable MOS thresholds. The attack exploits the reliability mismatch between the loss-tolerant UDP cover channel and the TCP-like retransmission layer SkypeMorph builds over it.
-
Every website blocked at the DNS level in Pakistan was also blocked by a secondary HTTP-layer mechanism, ruling out the use of alternative DNS resolution (web-based lookup tools or user-generated content hosting DNS records) as a standalone bypass. Multi-IP shared-service sites such as YouTube and Wikipedia were blocked only at the HTTP level, where a Host-header match triggered censorship regardless of the destination URL.
-
In April 2013 Pakistan transitioned from fragmented ISP-level HTTP 302 redirect blocking to centralized IXP-level fake HTTP 200 response injection (attributed to the Canadian firm Netsweeper), resulting in a uniform warning page across all test networks except one still transitioning ISP. Post-transition, 58.30% of the 307 test sites were blocked by DNS and 1.62% by fake HTTP 200 injection; IP and URL-keyword filtering remained at zero.
-
Iran's nationwide censorship redirect page is hosted at private IP 10.10.34.34, operated by Data Communication Affairs (a subdivision of TCI's Information Technology Company, AS12880). Traceroute data confirms the final public hop before this private host is 195.146.33.29, registered to Data Communication Affairs, and 24 of 27 tested Iranian networks (89%) can reach it.
-
Without DNSSEC, Hold-On can be defeated by a sophisticated censor that crafts injected packets with TTL and timing matching the expected legitimate reply, injecting just before its predicted arrival. When combined with DNSSEC, Hold-On is robust even against this attack because the censor cannot forge a valid DNSSEC signature; injection can still cause a denial-of-service by forcing a 'Bogus' result, but Hold-On prevents that by waiting for the legitimate validating reply.
-
On-path censors commonly operate on traffic mirrors rather than inline (in-path), making their systems failure-tolerant and easier to deploy. This architectural choice means on-path injectors cannot suppress the legitimate DNS reply—both the forged and authentic replies reach the resolver—creating a detectable anomaly. The same structural weakness applies to TCP RST injection and other on-path packet injection attacks.
-
In approximately 100,000 DNS queries over 9 days from within a censored network, injected packets were reliably distinguishable: legitimate IP TTLs were stable at either 44 or 42, while injected TTL values ranged across [0–255], and injected packets arrived well before legitimate replies because the injector co-resided within the same ISP while the recursive resolver was in another country. With a TTL threshold of ±1 and an RTT threshold of 0.5× expected RTT, the Hold-On prototype achieved 0% false positive rate and 0% false negative rate.
-
OONI observes that many interception devices deployed in the wild advertise their vendor and model information, making passive device identification feasible from probe-level observations alone. The framework is designed to locate interception devices and then apply probing techniques to fingerprint the specific vendor and product in use.
-
OONI's traffic manipulation test suite uses bidirectional traceroute comparison: asymmetry between inbound and outbound paths for specific source/destination port pairs is treated as an indicator that traffic is being diverted to an interception device. Additional per-flow indicators include timing differences in packets directed at specific ports and layer-7 header field manipulation detectable at the receiving endpoint.
-
DNS injection collateral damage arises from three structural properties of DNS: iterative resolution (full queries sent to root and TLD authorities), anycast routing (two resolvers may reach different physical servers via different paths), and dynamic routing through censored transit ASes. A single domain lookup may generate many queries at multiple levels, any of which can be intercepted by a censored transit AS even when both the originating resolver and the authoritative server are outside the censored network.
-
TraceQuery probing identified 3,120 router IPs performing DNS injection belonging to exactly 39 Chinese ASes. AS4134 (Chinanet) alone accounts for 1,952 router IPs (62.6% of injecting routers); the top 5 ASes account for over 77% of all identified injecting routers.
-
Across 11 countries, censorship execution falls into at least six distinct categories: DNS redirect to localhost (Malaysia, Russia, Turkey), DNS redirect with warning page (South Korea), connection timeout with no notification (Bangladesh, India), spoofed TCP RST injection (China), spoofed HTTP 403 with warning page (Bahrain, Iran), HTTP 302 redirect (South Korea, Thailand), and spoofed HTTP 200 iframe response (Saudi Arabia). Four countries censor at DNS and eight at routers, with South Korea employing both layers simultaneously.
-
Thailand uses an out-of-band device to inject spoofed HTTP 302 redirect responses, so the destination server still receives and responds to the original request — unlike inline censors in Bangladesh and India where the request is dropped before reaching the server. Saudi Arabia similarly uses an out-of-band device to inject a spoofed HTTP 200 response containing an iframe warning page loaded from a separate IP address, allowing the warning page content to be updated without modifying the censoring module.
-
The Great Firewall of China deploys at least four distinct, simultaneously-operating RST injectors with separate fingerprints (IPID 64, IPID -26, SEQ 1460, RAE). The RAE injector—which sets RST+ACK+ECN-nonce-sum flags—is the most common, with 4,162 distinct source IPs observed at UCB alone. Of 298 ICSI hosts disrupted by Chinese injectors, 102 showed fingerprints of two or more injectors acting independently on the same connection.
-
Injectors sending multiple RSTs with increasing sequence numbers to overcome the RST_SEQ_DATA race condition produce a detection signature (RST_SEQ_CHANGE) that cannot arise from a standards-compliant TCP endpoint: the second RST must have a sequence number exceeding both the preceding RST and any ACK yet observed from the receiver. This creates an inherent design tension — a robust injector that uses sequence-incremented multi-packet RSTs to ensure delivery is precisely the kind most detectable by passive monitoring.
-
Out-of-band RST injectors fundamentally face race conditions because they cannot modify in-flight packets: a data packet may pass the injector's observation point before the forged RST is generated, producing detectable out-of-sequence RSTs (RST_SEQ_DATA) or post-RST data packets (DATA_SEQ_RST). A passive detector exploiting these two race conditions, plus a third signature (RST_SEQ_CHANGE) from multi-packet injectors, reliably identifies injected RSTs across four network datasets totaling 30.2M TCP flows.
-
Individual RST injectors exhibit stable, idiosyncratic header-field fingerprints enabling device-level identification across geographically separated sites. Sandvine devices produce back-to-back RST pairs where the second packet's sequence number is exactly 12,503 higher than the first (a known implementation bug confirmed by Sandvine's CTO) with IPID increments of 4 then 1; 90% of 193 alerting Comcast IP addresses across all four datasets matched this fingerprint. The GFW SEQ 1460 injector always increments sequence numbers by 1,460 regardless of actual MTU or window size.
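An added example, not code from the forged-RST paper, that implements the three race-condition signatures from the preceding findings (RST_SEQ_DATA, DATA_SEQ_RST, RST_SEQ_CHANGE) and the two back-to-back RST fingerprints quoted above (Sandvine's +12,503 and the GFW SEQ 1460 injector's +1,460) as a passive per-flow analyzer. The three constructed flows are illustrative, not traces from the paper's datasets; the simplifications are marked in comments (DATA_SEQ_RST fires on any data following a RST from the same sender, and the Sandvine IPID increments are not checked).

```python
"""Passive detector for out-of-band RST injection (added example).

Signatures, each impossible for a standards-compliant TCP endpoint:
  RST_SEQ_DATA   - a RST whose seq lies behind data its supposed sender already sent
  DATA_SEQ_RST   - data from a sender that has already "sent" a RST
  RST_SEQ_CHANGE - a later RST whose seq exceeds both the previous RST and every
                   ACK the RST's receiver has emitted
Fingerprints on consecutive RSTs from one sender: seq delta 12503 (Sandvine) and
seq delta 1460 (GFW "SEQ 1460"). The flows below are constructed.
"""
from dataclasses import dataclass, field

SANDVINE_SEQ_DELTA = 12503    # second RST seq = first + 12,503
GFW_SEQ1460_DELTA = 1460      # GFW injector steps seq by 1,460 regardless of MTU


@dataclass(frozen=True)
class Seg:
    direction: str            # "c2s" or "s2c"
    flags: str                # subset of "SAPRF"
    seq: int
    ack: int = 0
    payload_len: int = 0


@dataclass
class _Side:
    max_data_end: int = -1    # highest seq+len of data this side has sent
    max_ack: int = -1         # highest ack number this side has sent
    rsts: list = field(default_factory=list)


def _peer(direction):
    return "s2c" if direction == "c2s" else "c2s"


def analyze_flow(segments):
    """Walk one flow in capture order; return [(segment_index, signature), ...]."""
    side = {"c2s": _Side(), "s2c": _Side()}
    alerts = []
    for i, s in enumerate(segments):
        me, peer = side[s.direction], side[_peer(s.direction)]
        if "A" in s.flags:
            me.max_ack = max(me.max_ack, s.ack)
        if "R" in s.flags:
            # Race 1: real data passed the injector before the RST was built,
            # so the forged RST's seq is behind data already on the wire.
            if s.seq < me.max_data_end:
                alerts.append((i, "RST_SEQ_DATA"))
            if me.rsts:
                prev = me.rsts[-1]
                # A robust injector bumps seq on its second RST to win the race;
                # a real endpoint never re-RSTs above what its peer has ACKed.
                if s.seq > prev.seq and s.seq > peer.max_ack:
                    alerts.append((i, "RST_SEQ_CHANGE"))
                delta = s.seq - prev.seq
                if delta == SANDVINE_SEQ_DELTA:      # IPID pattern not checked here
                    alerts.append((i, "FP_SANDVINE_12503"))
                elif delta == GFW_SEQ1460_DELTA:
                    alerts.append((i, "FP_GFW_SEQ1460"))
            me.rsts.append(s)
        elif s.payload_len > 0:
            # Race 2 (simplified): the genuine endpoint keeps sending after the
            # RST it supposedly issued, because it never issued one.
            if me.rsts:
                alerts.append((i, "DATA_SEQ_RST"))
            me.max_data_end = max(me.max_data_end, s.seq + s.payload_len)
    return alerts


def is_injected(segments):
    return bool(analyze_flow(segments))


# Constructed flows. BENIGN: the server itself refuses with a single RST.
BENIGN = [
    Seg("c2s", "S", 1000),
    Seg("s2c", "SA", 5000, 1001),
    Seg("c2s", "A", 1001, 5001),
    Seg("c2s", "PA", 1001, 5001, 100),
    Seg("s2c", "RA", 5001, 1101),
]
# GFW_LIKE: the server's 1460-byte reply beat the injector; two forged RSTs
# follow, seq stepped by 1460, and genuine data keeps arriving afterwards.
GFW_LIKE = [
    Seg("c2s", "S", 1000),
    Seg("s2c", "SA", 5000, 1001),
    Seg("c2s", "A", 1001, 5001),
    Seg("c2s", "PA", 1001, 5001, 200),      # request carrying a blacklisted term
    Seg("s2c", "PA", 5001, 1201, 1460),     # genuine server data
    Seg("s2c", "RA", 5001, 1201),           # forged RST #1
    Seg("s2c", "RA", 6461, 1201),           # forged RST #2, seq += 1460
    Seg("s2c", "PA", 6461, 1201, 500),      # genuine data after the "RST"
]
# SANDVINE_LIKE: back-to-back RST pair with the +12,503 seq quirk.
SANDVINE_LIKE = BENIGN[:4] + [
    Seg("s2c", "RA", 5001, 1101),
    Seg("s2c", "RA", 5001 + SANDVINE_SEQ_DELTA, 1101),
]

if __name__ == "__main__":
    for name, flow in (("benign", BENIGN), ("gfw", GFW_LIKE), ("sandvine", SANDVINE_LIKE)):
        print(name, analyze_flow(flow))
```

The design tension from the findings is visible in the GFW flow: the second RST exists only to beat the race, and it is exactly that packet which trips RST_SEQ_CHANGE and the +1,460 fingerprint.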
-
Because the GFW injects forged DNS responses rather than dropping the original query packet, the legitimate response from the upstream DNS server may still arrive after the injected forgery. The authors propose two circumvention strategies: querying on a non-standard port to bypass the port-53-only injection filter, or issuing standard-port queries and selectively discarding responses matching the known bad-IP pool to recover the authentic answer.
-
TTL manipulation experiments demonstrated that the GFW injects forged DNS responses at the router level, not at the DNS server: responses to censored domain queries exhibited inconsistent IP ident fields and wildly varying TTL values — consistent with a stateless in-path router — while control (non-censored) responses to the same server showed monotonically increasing ident and stable TTL. The injection was observed exclusively on port 53; identical queries sent to port 80 received no injected responses.
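An added example, not code from the Hold-On or GFW DNS papers, that combines the two client-side defenses described in this section: the Hold-On filter (discard replies whose IP TTL deviates by more than ±1 from the learned value or that arrive earlier than 0.5× the expected RTT, then keep waiting for the legitimate reply) and the bad-IP-pool filter (discard replies whose answer is in the known pool of forged addresses). The profile learner (mode of control TTLs, median of control RTTs), the reply dataclass, the deadline, and the sample replies are assumptions constructed for this example; the pool addresses are RFC 5737 documentation addresses, not the GFW's real forged-answer pool.

```python
"""Hold-On style DNS reply filtering plus a bad-IP pool (added example).

Replies arriving at a stub resolver are classified in arrival order; the first
one that survives every check is accepted, and rejected ones are merely logged
while the client keeps waiting (the "hold on" behaviour). All sample data below
is constructed.
"""
from dataclasses import dataclass
from statistics import median, mode


@dataclass(frozen=True)
class Reply:
    t: float        # seconds since the query left the client
    ttl: int        # IP TTL as received
    answer: str     # A record carried by the reply


def learn_profile(control_replies):
    """Expected (ttl, rtt) from replies to uncensored control queries:
    mode of TTLs and median of arrival times (assumed estimators)."""
    return mode([r.ttl for r in control_replies]), median([r.t for r in control_replies])


def classify(reply, expected_ttl, expected_rtt, bad_pool,
             ttl_slack=1, rtt_factor=0.5):
    """Thresholds from the Hold-On evaluation: TTL within +/-1, arrival no
    earlier than 0.5x the expected RTT. The pool check is the second strategy
    from the GFW DNS finding."""
    if abs(reply.ttl - expected_ttl) > ttl_slack:
        return "ttl-mismatch"
    if reply.t < rtt_factor * expected_rtt:
        return "too-early"
    if reply.answer in bad_pool:
        return "bad-ip-pool"
    return "accept"


def hold_on(replies, expected_ttl, expected_rtt, bad_pool, deadline=1.0):
    """Return (accepted_reply_or_None, [(answer, verdict), ...]).
    None means every reply before the deadline was rejected, i.e. the injector
    achieved a denial of service rather than a poisoned answer."""
    decisions = []
    for r in sorted(replies, key=lambda r: r.t):
        if r.t > deadline:
            break
        verdict = classify(r, expected_ttl, expected_rtt, bad_pool)
        decisions.append((r.answer, verdict))
        if verdict == "accept":
            return r, decisions
    return None, decisions


# Constructed control replies for an uncensored name (TTL mostly 44, ~200 ms).
CONTROL = [
    Reply(0.21, 44, "198.51.100.7"),
    Reply(0.19, 44, "198.51.100.7"),
    Reply(0.20, 42, "198.51.100.7"),
    Reply(0.22, 44, "198.51.100.7"),
]
BAD_POOL = {"192.0.2.99", "192.0.2.100"}     # constructed forged-answer pool

# Constructed replies to a censored name: a naive injection (early, wrong TTL),
# a sophisticated injection (TTL and timing match, but answer is in the pool),
# then the legitimate reply.
CENSORED = [
    Reply(0.03, 61, "192.0.2.99"),
    Reply(0.205, 44, "192.0.2.99"),
    Reply(0.21, 44, "198.51.100.7"),
]

if __name__ == "__main__":
    ttl, rtt = learn_profile(CONTROL)
    accepted, log = hold_on(CENSORED, ttl, rtt, BAD_POOL)
    print(accepted, log)
```

Without the pool, the second reply would be accepted: it is exactly the "sophisticated censor" case from the Hold-On finding, which only DNSSEC validation (or, as here, out-of-band knowledge of the forged addresses) can reject.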
-
Brightview's countermeasure requiring a minimum probe TTL of 24 (to prevent low-TTL scans from stopping at the proxy) was bypassed by sending probes with TTL=128 and examining the TTL of returned SYN/ACK packets. The UK web proxy consistently returned TTL=49 (64−15 hops), while Russian destination servers returned TTL=45–49 or TTL=113–238 depending on initial OS TTL settings. The two populations were cleanly distinguishable, defeating the fix with no change to scan logic beyond raising the probe TTL.