CensorSpoofer decouples the upstream channel (URLs hidden via steganography in IM/Email) from the downstream channel (web content injected into spoofed UDP/VoIP flows), so the proxy's real IP is never revealed to any user. This asymmetric architecture provides perfect insider-attack resistance: even if all users are compromised, they can only learn cover dummy-host IPs, not the spoofer's address.

A censor can compare the predicted AS path from the claimed dummy host to the client against the actual observed ingress entry point of the spoofed downstream traffic; inconsistency reveals the dummy host as a cover. For clients in China Telecom (ASN 4134) and China Unicom (ASN 4837), 100% of 225 candidate dummy hosts passed AS-path consistency filtering; for clients in ASN 4538 only 18.2% (41/225) passed, sharply narrowing the usable pool for smaller ASes.

§5.2.3, Table 2 detection

Port-scanning 10,000 randomly selected non-China IPs found 1,213 (12.1%) acceptable as VoIP dummy hosts (SIP, RTP, RTCP ports not in 'closed' or 'host seems down' states). Of 100 sampled dummy hosts tracked over time, over 90% remained usable for more than 2 hours and over 80% for more than 6 hours; the total usable pool was stable across a 7-day measurement window (Feb. 9–16, 2012).

§7.2.2 evaluation

The MIT ANA Spoofer project shows that over 400 ASes (22%) and 88.7 million IP addresses (15.7%) permit outbound IP address spoofing, constraining where CensorSpoofer proxy nodes can be deployed. ASes applying ingress/egress filtering make IP-spoofing-based downstream channels infeasible from those locations.

§4.2 deployment

Using G.711 or G.722-64 codecs (64 Kbps downstream), CensorSpoofer clients in China downloaded Wikipedia's HTML file in approximately 6 seconds and the full 160 KB page in approximately 27 seconds; Tor and a proxy-based system (NetShade) were measurably faster. The iLBC codec limits downstream throughput to 15.6 Kbps, and all codecs impose equivalent dummy-traffic cost on the dummy host (G.711 consumes 87.2 Kbps at the dummy host).

§7.2.1, Table 1 evaluation

InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.

2025-interseclab-internet-coup §3–§5 (InterSecLab report) dpiactive-probingml-classifiersni-blockingip-blockingtraffic-shapefully-encrypted-detect

Justice for Myanmar documents that Geedge Networks supplied Myanmar's military junta with GFW-derived surveillance and censorship infrastructure under Belt and Road frameworks following the February 2021 coup. The deployed system (Tiangou Secure Gateway / TSG) incorporates the same DPI, active-probing, and ML-classifier capabilities as the domestic Chinese GFW, giving Myanmar one of the most technically capable censorship systems in Southeast Asia.

2025-jfm-silk-road-surveillance §3, §5 dpisni-blockingip-blockingtraffic-shapeml-classifieractive-probing

Snowflake's sustained operation in heavily censored regions demonstrates that WebRTC must remain accessible to users, which in turn requires that TURN servers remain unblocked to support NAT traversal for peer-to-peer WebRTC connections. This transitive unblockability makes TURN service providers viable rendezvous channels for the Bridge Distribution Problem.

2025-vilalonga-extended §3.2 Bridge Distribution Problem ip-blockingactive-probing

TURN servers used by major applications such as Facebook Messenger for media relay are hypothesized to be less likely blocked in censored regions due to collateral damage to legitimate WebRTC traffic. Providers like Cloudflare, Metered Video, and ExpressTURN supply geographically distributed TURN infrastructure that can be used without any special configuration by a censorship evasion system.

2025-vilalonga-extended §1 Introduction & Background dpiactive-probingip-blocking

Traffic splitting across N TURN proxies (1 ≤ N ≤ M) is hypothesized to resist active probing because each TURN server responds to probing requests identically to a regular TURN server, providing no distinguishing signal. Additionally, proxy ephemerality combined with splitting allows on-the-fly migration to new proxies when existing ones are blocked, maintaining connectivity even under partial blocking.

2025-vilalonga-extended §3.3 Censorship Evasion active-probingip-blockingdpi

The paper defines Unauthenticated Push (UP) channels as a distinct archetype from signaling/rendezvous channels, characterized by three properties: strictly unidirectional delivery, no client authentication or account association required, and higher bandwidth (kilobytes to megabytes) to support software updates rather than just minimal proxy-address exchanges. This design deliberately shifts operational-security burden onto senders to approach receiver anonymity.

2025-vines-extended §1–§3 ip-blockingactive-probing