Conficker-like traffic to TCP port 445 constitutes more than 40% of packets observed at the UCSD /8 Network Telescope and Windows XP/NT hosts consistently emit exactly 2-packet SYN flows; γC stayed within the narrow band 1.98–2.02 throughout an entire month (January 2012) with no large-scale outages. A second signal from default Windows 3-SYN flows (approximately 156 million flows/month from ~14K hosts/hour) provides a non-malware-specific validation stream with inter-packet times consistently between 3.09 and 3.37 seconds.

In the August 2012 Bell-Dery BGP route leak, TTL analysis at per-prefix granularity revealed that two IP addresses within AS577 maintained constant TTLs and unaffected packet rates throughout the disruption, while 37 of 38 other active /16 prefixes experienced significant volume drops and TTL changes indicating rerouting through longer paths. This demonstrates that BGP route leaks can affect subnets within a single AS asymmetrically, and that TTL inspection can identify unaffected sub-AS paths.

§IV-B evaluation

During the February 2012 Dodo-Telstra BGP route leak, AS1221 (Telstra) exhibited a 20-minute congestion phase in which γC and γ3 both dropped while η rose from approximately 3 to 5 seconds, followed by a complete outage during which zero darknet sources were observed from the AS. The congestion phase produced measurable packet loss before the full blackout, providing an early-warning window of roughly 20 minutes.

§IV-A evaluation

IBR-derived metrics γ (average SYN retransmits per flow) and η (inter-packet time between retransmits) can distinguish packet-loss-induced outages from packet-filtering censorship: during Libya's 2011 packet-filtering phase γC remained near pre-censorship values despite reduced source counts, whereas BGP route leaks caused measurable γ decreases and η increases. This difference exists because filtering reduces the host population but preserves per-flow OS retransmit behavior, while congestion causes routers to drop individual packets mid-flow.

§IV-C, §IV-D evaluation

Libya's 2011 Internet shutdown combined two distinct censor techniques across separate episodes: BGP-level route withdrawal and later packet filtering. During the packet-filtering episode, γC remained near its pre-censorship baseline (~2.0 packets/flow) even as the number of reachable Conficker sources dropped, confirming that the mechanism was per-subnet allowlisting rather than link saturation.

§IV-C detection

The largest single source of censored domains in the GNL is MESA lab's SNI monitoring dataset (E21-SNI-Top200w.txt) containing 57,362 censored domains, and E21-SNI-Top120W-20221020.txt with 36,467 domains—totaling over 93K domains from network tap data alone for a single country (E21 = Ethiopia per InterSecLab attribution). A separate Xinjiang dataset (XJ-CUCC-SNI-Top200w.txt) contains 13,604 domains. These datasets "do not seem to come from popular domain lists, and instead appear to be gathered from network taps," confirming that Geedge builds censorship target lists directly from passive traffic observation.

2026-sheffey-geedge §4.2, Table 3 dpisni-blockingmeasurement-platform

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 dpisni-blockingdns-poisoningmeasurement-platform

CensorAlert aggregates censorship signals from heterogeneous open sources — including OONI, Cloudflare Radar, NetBlocks, GitHub Issues of circumvention tools (Hysteria, Xray), Net4People BBS, NTC Party forum, Mastodon, X, Telegram channels, and arXiv — normalizing each item into a common schema preserving timestamp, source, raw data, and provenance with a link to the original content.

2026-zohaib-extended §2 (Data Sources) measurement-platform

Systematic measurement platforms (OONI, Censored Planet, Cloudflare Radar, NetBlocks) have inherent blind spots due to geographic coverage and protocol-specific test constraints; critical censorship discoveries — including GFW fully-encrypted protocol blocking and regional Chinese censorship — were first surfaced by user reports on forums and GitHub issue pages of circumvention tools, not by automated measurement infrastructure.

2026-zohaib-extended §1 measurement-platformfully-encrypted-detect

CensorAlert generates text embeddings (OpenAI text-embedding-3-small) from each item's summary, title, and tags to cluster semantically similar reports within configurable time windows; near-duplicates such as reposts, copied headlines, and translations are collapsed into a single canonical post that preserves all original source URLs and metadata.

2026-zohaib-extended §2 (AI-based Scoring) measurement-platform

CensorAlert's LLM agent scores each ingested item 0–5 on five independent dimensions — credibility, novelty, impact, timeliness, and verifiability — then computes a normalized significance score (0–10) from these components; items are processed every two hours using OpenAI GPT-5 Thinking (hosted on Azure) constrained to return structured JSON output.

2026-zohaib-extended §2 (AI-based Scoring) measurement-platform