throttling   Throttling / bandwidth shaping

During the June 2025 Iran shutdown, circumvention tool performance diverged sharply by transport design. Psiphon's multi-protocol architecture sustained 1.5 million concurrent users—roughly one-third of its normal Iranian base. Lantern's "proxyless" protocol (domain-fronting via CDN, ~40% of Lantern's Iranian traffic) showed moderate success. Tor usage collapsed during the blackout but bridge connections surged and rebounded quickly after lifting. BeePass (serving 500k+ daily users at shutdown onset) used live A/B testing of port/obfuscation-prefix combinations to probe the censors' blocking parameters in real time. The Ceno Browser's P2P network grew from 600 active peers on June 13 to ~8,000 by July 11, indicating that decentralized fallback paths stayed up even during peak blocking.

2025-iran-shutdown-measurement §Tool Performance evaluation

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 policy

Article 19 documents that Iran combines technical filtering with formal coercion of major foreign platforms (including Telegram, Instagram, and WhatsApp) to comply with content removal orders under threat of full blocking. The report notes that Iran's 2022 Women Life Freedom protests accelerated platform blocking when foreign operators refused compliance, demonstrating that the censorship system operates in two modes: coerce-and-allow for compliant platforms, block for non-compliant ones. Domain fronting via these platforms is therefore subject to sudden revocation if political conditions change.

2026-article19-tightening-the-net §6 policy

The report maps specific Belt and Road Initiative Digital Silk Road projects through which Chinese technology vendors have transferred censorship and surveillance infrastructure to Iran, including fiber backbone investments, data-center co-location agreements, and equipment supply chains. Specific vendors named include Huawei and ZTE as network infrastructure providers, with the report noting that equipment exports include filtering-capable hardware that Iran's ISPs have deployed at network choke points.

2026-article19-tightening-the-net §4, §5 deployment

The April 2026 enforcement cycle created a resource-scarcity feedback loop: upstream providers cut lines with no obligation to refund resellers, newly acquired replacement resources can themselves be reported and cut within days, and stable-resource availability windows are described as "越来越短" (increasingly short) while costs rise concurrently. The overall effect is systemic capacity contraction forecast to continue through at least May 2026.

2026-ermao-april-airport-outage §这轮波动到底发生了什么 / §四月后的趋势判断 deployment

An infrastructure-level adversary must balance watermark detectability against connection stability: the paper's threat model requires a minimum shaping rate rmin to prevent Tor circuit stalls, timeouts, or circuit replacement, and notes that repeated poor-throughput events can cause the circuit to be abandoned before sufficient watermark evidence is accumulated. This detectability–stability trade-off constrains the practical attack to macroscopic (30-second) modulation periods rather than fine-grained packet-level timing manipulation.

2026-fan-activeflowmark-assessing-tor §III.A, §VII.A detection

The report documents that Myanmar's military has used its TSG-based infrastructure to execute targeted throttling and selective shutdowns of specific services and platforms, not only blanket internet shutdowns. This includes selective disruption of VPNs and circumvention tools during periods of civil unrest, demonstrating that Myanmar's censors have operationalized the granular per-service traffic control capabilities documented in the Geedge/MESA leak.

2025-jfm-silk-road-surveillance §5 deployment

Psiphon's multi-protocol design maintained access for approximately 1.5 million users during the June 2025 Iran shutdown — roughly one-third of its normal user base — while traffic throttling rendered many single-protocol circumvention tools functionally useless for anything beyond basic text communication.

2025-miaan-stealth-blackout Executive Summary — Resilient Response evaluation

Between 21–25 June 2025, Iranian fixed-line networks partially restored access via TCP-based protocols (SSH, WebSockets) while mobile networks and UDP-based protocols remained heavily restricted, indicating deliberate asymmetric enforcement to restore domestic data-center operation without re-enabling VPN circumvention.

2025-piotrowska-nym-iran-blackout What is working now? (As of 25 June 2025) evaluation

Active mid-connection bandwidth throttling (e.g., 100 Mbps → 50 Mbps) cleanly separates BBR from Hysteria and TCP-Brutal: BBR converges to the new rate within a few probing cycles, while Hysteria and Brutal interpret reduced bandwidth as increased packet loss and raise their sending rate further. This active probing technique resolves the BBR ambiguity that passive measurement alone cannot.

2025-wang-custom §4.4 detection

TSPU devices perform in-line packet manipulation — they can inject RST packets, drop traffic, and throttle connections — rather than routing traffic to an out-of-band sniffer that votes to block. The inline placement means TSPU can act on the first-packet payload and impose latency on all matching flows, not only on those selected by sampling. Blocking decisions are therefore applied with high recall at the ISP edge, and circumvention tools that rely on short observation windows (e.g. only obfuscating the first N bytes) are vulnerable to continued inline inspection of subsequent traffic.

2024-xue-tspu-russia §3–§4 detection

Across all years of the KIO dataset (2016–2021), a large majority of events involved full-network shutdowns and their count grew significantly from 2016 to 2019 with no significant decline observed through 2021. Censors are also increasingly employing app-specific bans and throttling alongside full shutdowns, with all three restriction categories non-mutually exclusive and rising over the period.

2023-bischof-destination §3.2, Figure 2 policy

An adversary introducing audio perturbations every 2.5 seconds (sufficient to corrupt each 20-byte chunk at 64 bps) degrades PESQ call quality to 1.6, below the 2.0 'unusable' threshold, making the attack self-defeating. However, targeting only acknowledgment windows (every ~12.5 s under Dolphin's default batch-of-5 configuration) achieves PESQ 3.6 — acceptable to human callers — while fully disrupting Dolphin data transfer.

2023-sharma-dolphin §6.2 defense

The Lox check-blockage protocol response size and time grow linearly with the number of blocked bridges — 6 kB / 11 ms at 5% blocked, 63 kB / 64 ms at 50%, and 126 kB / 122.5 ms at 100% — creating a bandwidth bottleneck a strategic and patient censor can exploit by triggering mass bridge blockages during a critical event (election, coup) to deny successful blockage migrations at the moment users most need them.

2023-tulloch-lox Figure 1, §5.2 detection

Protozoa's covert channel throughput degrades gracefully under bandwidth constraints but remains usable for common applications: average throughput is 975 Kbps at 1500 Kbps cap, 460 Kbps at 750 Kbps, and 91 Kbps at 250 Kbps. Under 2% and 5% packet loss the channel sustains 1130 Kbps and 360 Kbps, respectively, while 10% loss (near WebRTC tear-down threshold) still yields 160 Kbps without breaking the connection. Traffic analysis resistance is preserved across all these conditions, with AUC peaking at 0.65.

2020-barradas-poking §6.3, Figures 9–10 evaluation

In Iran in 2013, censors dropped or throttled certain TCP connections after 60 seconds, severely disrupting circumvention protocols like obfs4 that fuse session state with a single long-lived TCP connection, while short-lived HTTP connections were largely unaffected. obfs4 has no session concept independent of the underlying TCP connection; when that connection is terminated, all end-to-end state is lost and a new session must restart from scratch.

2020-fifield-turbo §1 detection

Hop-by-hop bottleneck localization showed that in more than 71% of measured paths the first lossy hop is located deep inside China (beyond the border), with only 34.45% of bottleneck hops coinciding with the GFW hop as detected by RST injection probing — suggesting Chinese ISP infrastructure underprovisioning rather than GFW intervention as the primary cause.

2020-zhu-characterizing §5, Figure 13 evaluation

The bottleneck exhibits strong and consistent diurnal patterns: 80–95% of receiver–sender pairs show a standard deviation of less than 3 hours in daily slowdown duration, and the patterns persist unchanged across weekends and national holidays (May 1–2 and October 1 national day). Packet loss is strictly asymmetric — occurring only for traffic entering China (inbound data and outbound ACK packets), not for traffic leaving China.

2020-zhu-characterizing §4.2 Observation 2, Observation 3, Figure 10 evaluation

The Great Bottleneck of China affects 79% of measured receiver–sender pairs, with more than 70% of those pairs suffering throughput below 1 Mbps for more than 5 hours every day. M-Lab NDT data independently corroborates this: in 64% of 75,464 tests from China, download speed was below 500 kbps.

2020-zhu-characterizing §3, §4.2 Observation 1, Figure 5 evaluation

Hong Kong is the sole geographic exception: it experiences no measurable slowdowns when accessing the foreign Internet, and Chinese mainland receivers accessing Hong Kong as a sender averaged only ~3 hours of slowdown per day — compared to 5–17 hours for US, European, and most Asian senders — making it an effective high-performance relay between mainland China and the rest of the world.

2020-zhu-characterizing §3, §4.2 Observation 1, Figure 7 evaluation

A/B testing across HTTP, HTTPS, VPN, and Shadowsocks traffic found no measurable difference in packet loss rates, ruling out censorship-targeted protocol throttling as the cause. Even at probe rates as low as one packet per 10 seconds, loss rates were similar across all protocol variants, indicating no per-connection or per-protocol speed throttling by the GFW.

2020-zhu-characterizing §4.2 Observation 4, Experiment 3 detection

The GFW's robustness depends principally on suppressed citizen demand for uncensored information, not solely on access barriers. Calibration shows censorship remains stable even if the unencouraged access rate were substantially expanded, because low demand and moderate social transmission prevent information from reaching population-wide tipping points. However, censorship is fragile to demand stimulation: scaling the encouragement intervention to all students would, per the model, inform the entire student population.

2019-chen-impact §V policy

Across eight combinations of traffic features (packet length, bi-gram packet length, inter-packet time, bi-gram inter-packet time) and two similarity metrics (EMD, KS), adversarial classification accuracy against DeltaShaper streams ranges from 72–90% in unperturbed conditions. Bi-gram inter-packet times with EMD achieves 88% accuracy, matching packet-length/EMD, but requires roughly 10x the computation (~64s vs ~6s). Bandwidth throttling to 300 Kbps degrades classifier accuracy from 88% to 75%, but also drops Skype frame rate from 30 to 5 FPS, creating collateral damage that limits censor deployment of throttling as a detection aid.

2017-barradas-deltashaper §6.4, §6.5, Table 3 detection

Tor usage in Turkey spiked sharply during the initial days of the July 2016 coup—when ISPs were actively throttling Twitter—but declined steadily in subsequent months back toward pre-coup baselines, consistent with post-coup suppression being driven by chilling effects rather than sustained network-level blocking.

2017-tanash-decline §4.1, Figures 2–3 evaluation

Comparing 5.6M pre-coup tweets (2015 Turkish general election) to 8.5M post-coup tweets (July–November 2016), the authors found 72% fewer government-censored tweets post-coup (142,492 vs. 513,719), with an estimated 43% of that decline attributable to reduced overall Twitter usage in Turkey and the remainder to user self-censorship.

2017-tanash-decline §4.1 evaluation

Anderson's analysis of Iran's network connectivity from January 2010 to 2013 uncovered two extended throttling periods with 77% and 69% decreases in download throughput respectively, plus eight to nine shorter periods; these often coincided with holidays, protest events, international political turmoils, and important anniversaries.

2016-khattak-sok §2.4.2 detection

Under degraded network conditions, CovertCast page load times increased by 2–3× at 800 Kbps (below YouTube's minimum 720p bitrate of 1.5 Mbps), with 20 of over 4,000 images dropped at 800 Kbps; at 10% packet loss, 35 images were missed due to YouTube temporarily accelerating video playback; at 20% packet loss, 720p video could not be loaded at all.

2016-mcpherson-covertcast §6.4, Fig. 6, Fig. 7 evaluation

The survey identifies 'soft censorship' — including throttling, packet-loss injection, and quality-of-experience degradation — as detected by only 2 of 13 surveyed platforms (rTurtle and UBICA) as of 2015. The paper explicitly flags this as a measurement gap, noting that soft censorship symptoms are indistinguishable from ordinary network congestion without ground-truth probes placed outside the censor's network.

2015-aceto-internet §3 / Table 2 detection

Throughput variance across Iranian ISPs collapsed nearly simultaneously during suspected throttling events, consistent with a centrally-coordinated administrative order rather than independent ISP-level decisions. Former ISP staff accounts cited in the paper indicate throttling orders were delivered by phone or fax, with smaller regional providers potentially delaying compliance—implying a brief window before universal enforcement.

2013-anderson-dimming §5.2, Fig. 8–9 evaluation

Throughput drops correlated directly with political mobilizations: the 2012-02-14 anniversary of political detentions registered a -102.9% weekly-minimum change relative to the two-month mean, and the October 2012 currency protests showed a -86.2% weekly minimum. Round-trip time did not increase proportionally during these drops, distinguishing them from ordinary congestion.

2013-anderson-dimming §5.1, Fig. 6 evaluation

Using M-Lab NDT measurements from Iran, the paper identifies two extended throttling periods: November 30, 2011 – August 15, 2012 (77% decrease in median download throughput) and October 4 – November 22, 2012 (69% decrease), plus 8–9 shorter-term disruptions. Weekly variance analysis yields even steeper figures of -98% and -82% for the two major events.

2013-anderson-dimming §5, §5.1 evaluation

During the November 2011 throttling event, every Iranian ASN under consideration experienced more than a 74% drop in throughput within the first two months; only one prefix (ITC's commercial hosting block 80.191.96.0/19) showed an increase. Academic networks (Sharif University AS12660, University of Tehran AS29068) recovered faster than consumer ISPs, suggesting selective prioritization or exemption for institutional traffic.

2013-anderson-dimming §5.2, Fig. 12 evaluation

Iran's censors preferred throttling over outright shutdown because it is less conspicuous and draws less controversy. The paper notes that NDT-style bulk-transfer tests cannot detect targeted, DPI-based throttling of specific protocols (VPN, Tor, streaming), since those present different traffic signatures than generic TCP bulk transfers. Iran's filtering infrastructure (TCI/ITC, AS12880) runs deep packet inspection as an auxiliary layer on top of ISP-level controls.

2013-anderson-dimming Abstract, §4.2, §6.1 detection

SSH transfers utilized only 15% of available bandwidth versus 85–89% for HTTP/HTTPS. When SSH was obfuscated by XORing payloads with a constant key (hiding the plaintext handshake), throughput dropped to near-zero during all trials. Applying the same obfuscation to HTTP transfers produced the same near-zero result, supporting the hypothesis that Iran whitelists known-approved protocols rather than blacklisting specific ones, which would preemptively block any unrecognized or randomized transport including Tor's obfsproxy.

2013-aryan-internet §4.4 detection

Graduated censorship — limiting the suppression rate to remain within the typical weekly variance band — evades the weekly-interval detector entirely. The paper acknowledges that detecting slow-ramp blocking requires extending the observation window beyond seven days.

2011-danezis-anomaly-based §6 detection

Iran and Libya each have a single point of control (1 AS), making complete national internet shutdown achievable with a single administrative action. Egypt's 2011 shutdown left one AS (Noor Group, 4.9% of connected IPs) operational for four days, apparently due to its role serving the Egyptian stock exchange and other core financial institutions.

2011-roberts-mapping §VI, Figure 7 deployment

The U.S. 'five strikes' program had major ISPs reduce bandwidth of accused subscribers; challenging required a $35 fee with only one permitted defense category ('unauthorized use of account'). Users responded by routing traffic through VPNs and anonymizing networks such as I2P to bypass ISP-level monitoring entirely.

2011-seltzer-infrastructures §1.4.2 policy