Tor DPI fingerprinting by the GFC is applied exclusively to egress traffic (from inside China to the outside world). Simulated Tor connections between domestic Chinese nodes and between external nodes connecting inward to a Chinese VPS attracted zero active scans across multiple experimental runs, indicating the detection infrastructure is positioned on the border for outbound flows only.

A blocked Tor bridge becomes reachable again after approximately 12 hours if Chinese scanners are unable to reach it continuously. In the authors' experiment, one bridge (port 23941) whitelisted to their Chinese VPS via iptables was unblocked within 12 hours despite remaining actively used, while an unrestricted bridge (port 27418) stayed blocked indefinitely.

§4.2 detection

Of 2819 public Tor relays in the February 2012 consensus, only 47 (1.6%) were reachable via TCP from within China. After three days, only 1 of those 47 remained reachable. The GFC blocks relays by IP:port tuple rather than by IP to minimize collateral damage to co-hosted services.

§4.1, §4.3 detection

Over 3295 active-probing scans observed across 17 days, 51% (1680) originated from a single IP address (202.108.181.70), while 98% of the remaining 1615 addresses were unique. All scanner IPs belong to three Chinese ASes: AS4837 (65.7%), AS4134 (30.5%), and AS17622 (3.8%). TTL analysis of 85 connections shows the scanner IPs are likely spoofed by the GFC—post-scan ping TTLs differed by +1 from during-scan TTLs.

§4.5 detection

The GFC identifies Tor connections via a unique TLS ClientHello cipher list sent by the Tor client. Once DPI boxes detect this fingerprint on outbound traffic, active scanning is initiated within minutes: scanners connect to the suspected bridge, attempt to build a Tor circuit, and if successful the IP:port tuple is blocked. This two-stage pipeline (fingerprint → confirm → block) allows dynamic bridge blocking without pre-enumeration.

§2, §4.1 detection

The DTLS ClientHello extensions field is the most prominent feature for fingerprinting Snowflake's Pion WebRTC stack. A passive DPI tool (dfind) validated against the MacMillan et al. dataset of 6,500 DTLS handshakes reliably identifies Pion-based implementations via unique extension byte patterns. Chrome randomized its extension list order starting with version 129.0.6668.58 (September 2024), yielding 6! = 720 unique permutations and hardening it against deterministic matching. Firefox adopted DTLS 1.3 by default from version 127 (May 2024), which changes the extension structure entirely and renders DTLS 1.2 mimicry obsolete for Firefox traffic.

2025-midtlien-fingerprint-resistant §3, §4.1 tls-fingerprintdpi

Beyond business-filing cross-references, the paper introduces a method of linking VPN provider families by showing they share VPN server cryptographic credentials (Shadowsocks passwords, server TLS fingerprints) across distinct app identities. This extends prior ownership-attribution methods that relied solely on corporate registry data and code similarity, adding shared live infrastructure as a linkage signal that is harder for operators to obscure.

2025-mixon-baca-hidden §3 (Methodology), §4 tls-fingerprintdpi

MinecruftPT encodes circumvention traffic steganographically inside the Minecraft Java Edition network protocol, making a censored connection appear to a network observer as an ordinary online Minecraft game session. The cover channel is a high-volume, varied-packet-size TCP protocol with a large and active user population, making statistical fingerprinting harder than for lower-volume cover protocols.

2025-tusing-minecraft-tunnels §1, §3 dpitraffic-shapetls-fingerprint

Testing from a VPS in Iran showed that standard DTLS handshakes are blocked at that vantage point, but Oscur0 avoids this blocking by transmitting only Application Data packets (with Connection ID extension per RFC 9146) after the initial one-shot setup packet, never completing a visible DTLS handshake. A proof-of-concept was implemented in approximately 600 lines of Go using the pion/dtls library.

2024-chen-extended §3 Design / Implementation dpitls-fingerprint

TLS-Attacker's Workflow Traces and Modifiable Variables mechanisms allow testers to specify arbitrary protocol flows and apply field-level modifications — including adding, removing, or overwriting individual TLS message fields — without breaking the internal TLS state machine. This makes it the standard instrument for probing how DPI systems and active-probing detectors respond to non-standard or mutated TLS handshakes.

2024-niere-tls-attacker §1 Introduction tls-fingerprintactive-probingdpi

Obfuscated proxy traffic (including Shadowsocks, VMess, VLESS, Trojan, obfs4, and REALITY) can be reliably fingerprinted by detecting encapsulated TLS handshakes — the inner TLS ClientHello that appears inside an outer encrypted tunnel. This fingerprint is protocol-agnostic: any proxy that wraps TLS-bearing application traffic will produce it. The authors deployed a similarity-based classifier within a mid-size ISP serving over one million users and demonstrated detection with minimal collateral damage.

2024-xue-fingerprinting Abstract, §5, §7 dpitls-fingerprintml-classifier