The Great Firewall of China deploys at least four distinct, simultaneously-operating RST injectors with separate fingerprints (IPID 64, IPID -26, SEQ 1460, RAE). The RAE injector—which sets RST+ACK+ECN-nonce-sum flags—is the most common, with 4,162 distinct source IPs observed at UCB alone. Of 298 ICSI hosts disrupted by Chinese injectors, 102 showed fingerprints of two or more injectors acting independently on the same connection.

Injectors sending multiple RSTs with increasing sequence numbers to overcome the RST_SEQ_DATA race condition produce a detection signature (RST_SEQ_CHANGE) that cannot arise from a standards-compliant TCP endpoint: the second RST must have a sequence number exceeding both the preceding RST and any ACK yet observed from the receiver. This creates an inherent design tension — a robust injector that uses sequence-incremented multi-packet RSTs to ensure delivery is precisely the kind most detectable by passive monitoring.

§5 detection

Out-of-band RST injectors fundamentally face race conditions because they cannot modify in-flight packets: a data packet may pass the injector's observation point before the forged RST is generated, producing detectable out-of-sequence RSTs (RST_SEQ_DATA) or post-RST data packets (DATA_SEQ_RST). A passive detector exploiting these two race conditions, plus a third signature (RST_SEQ_CHANGE) from multi-packet injectors, reliably identifies injected RSTs across four network datasets totaling 30.2M TCP flows.

§5 detection

Individual RST injectors exhibit stable, idiosyncratic header-field fingerprints enabling device-level identification across geographically separated sites. Sandvine devices produce back-to-back RST pairs where the second packet's sequence number is exactly 12,503 higher than the first (a known implementation bug confirmed by Sandvine's CTO) with IPID increments of 4 then 1; 90% of 193 alerting Comcast IP addresses across all four datasets matched this fingerprint. The GFW SEQ 1460 injector always increments sequence numbers by 1,460 regardless of actual MTU or window size.

§7.1, Table 1 detection

The proposed countermeasure of ignoring RST packets with anomalous TTLs (to defeat GFW injection, per Clayton et al. 2006) is impractical: 28% of normal responder-terminated TCP flows have RST TTLs differing from prior data packets, with changes clustering around 64, 96, 128, and 192. Of 200 randomly sampled flows with differing TTLs, only 2 triggered the injection detector, confirming the high false-positive rate of single-field TTL heuristics.

Appendix C defense

An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.

2025-alaraj-iran-refraction §4.1.2 packet-injectionrst-injectionip-blocking

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

Iran's DNS censor now injects two distinct block-page IPs: 10.10.34.36 (≈87% of 47,633 censored domains) and 10.10.34.34 (≈13%). Both originate from the same network node at Iran's border. Prior research (Aryan et al. 2013) described only 10.10.34.34. The IP injected correlates strongly with the HTTP censorship method applied: domains with 10.10.34.34 in DNS receive TCP RST via HTTP (86.8% of RST cases), while domains with 10.10.34.36 in DNS receive HTTP block pages (84.6% of block-page cases).

2025-lange-i-ra-nconsistencies §3.1, Table 2 dns-poisoningrst-injectionpacket-injection

The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.

2025-tai-irblock §2.1, §3.2 dpirst-injectionpacket-injectionmiddlebox-interference

In Brunei, censorship is confined to AS10094, which serves approximately 70% of the country's Internet users. The censor injects RST packets bearing a distinctive fingerprint — the censored query's IP ID field — in response to HTTP requests containing censored Host headers, and censors on all ports without residual censorship. A SYN followed immediately by a PSH+ACK with a censored payload is sufficient to trigger blocking without a completed TCP handshake.

2023-nourin-detecting §3 rst-injectionpacket-injectionmiddlebox-interference

Tajikistan routes virtually all national egress and ingress traffic through a single state-run AS (AS51346, Tojiktelecom) under a 2016 national decree, creating a centralized chokepoint. The censor injects RST+ACK packets with a unique 22-byte all-zero payload, censors on all ports, and requires two PSH+ACK packets containing the censored content before injecting — possibly modeling typical multi-resource HTTP browsing behavior.

2023-nourin-detecting §3 rst-injectionpacket-injectionmiddlebox-interference