China's AS-level topology is shallow and concentrated: CHINANET and CNCGROUP together account for 63.9% of 133 unique foreign peerings, 87% of internal ASes are within one hop of a border AS, and just 24 border/backbone ASes serve as effective choke points for all international traffic. The TTL of GFW RST packets is now crafted to prevent IDS localization by TTL inspection, requiring TTL-incrementing probe packets to identify filtering device positions.

The study located 495 router interfaces with attached IDS filtering devices across China, with CHINANET holding 79.4% and CNCGROUP 17.4%. The two ISPs use fundamentally different placement strategies: CHINANET distributes filtering across provincial networks (80% of its 21 served provinces operate their own filtering devices, Guangdong alone hosting 84 of 374 CHINANET interfaces), while 90% of CNCGROUP's 82 filtering interfaces concentrate in its backbone.

§4.4, Table 2, Table 3 evaluation

CNCGROUP's filtering interface count has grown to three times its 2007 level, now accounting for 17.4% of all 495 filtering interfaces found, while CHINANET's count has remained stable since 2007. This divergence indicates CNCGROUP is actively expanding its censorship infrastructure while CHINANET's filtering capacity has matured.

§4.4 evaluation

The GFW is fully stateful as of 2010: probing all 11,824 Chinese IP prefixes with single TCP packets containing the keyword 'falun' produced no RST responses, confirming that a complete TCP handshake must precede any filtering trigger. Earlier measurements (2006, 2007) reported contradictory results; this study finds statefulness is now universal across all probed prefixes.

§4.1 detection

14 of 495 filtering interfaces (2.9%) are located in non-border internal ASes, all but two belonging to CHINANET provincial subsidiaries. The paper notes that CHINANET's provincial filtering architecture creates infrastructure capable of inspecting inter-provincial domestic traffic, even though there is no current evidence it is being used for that purpose.

§4.4, Table 2 detection

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

OONI data shows anomaly rates in Russia's top five ASes (including Rostelecom AS12389, Vimpelcom AS8402) rose from roughly 7–11% in January and early February 2022 to 12–21% in mid-March 2022, with social-media and news domains such as Facebook, Twitter, Instagram, and BBC going from available to near-completely blocked after the invasion.

2023-ramesh-network §4.1 dpirst-injectionip-blockingdns-poisoning

By 2018 the GFW shifted from blocking Tor bridges by (IP, port) tuples to blocking the entire IP address. A blocked bridge remains inaccessible for exactly 12 hours; the block renews to 12 hours if any additional Tor connection attempt is made during that window, after which the GFW re-scans and removes the IP from the blacklist if Tor is no longer running.

2018-dunna-analyzing §4.2 dpiactive-probingip-blockingrst-injection

Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.

2015-aceto-internet Table 1 bgp-hijackdns-poisoningport-blockingip-blockingrst-injectiontls-fingerprintkeyword-filteringdpi

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling