Default Tor connections to a private bridge inside China were detected by the Great Firewall via active probing: an initial connection succeeded, followed by a probe from a Chinese IP address approximately 15 minutes later that performed a TLS handshake and then blacklisted the (IP, port) combination. Subsequent connection attempts resulted in a successful SYN followed by spoofed TCP RSTs terminating both the client and bridge connections.

Manually-generated FTE regexes achieve a 100% misclassification rate against all six tested DPI systems — appid, l7-filter, YAF, bro, nProbe, and the proprietary enterprise-grade DPI-X — for HTTP, SSH, and SMB target protocols. Each regex took less than 30 minutes to specify and debug against known classifiers.

§4.2, Figure 4 defense

FTE proxy overhead compared to socks-over-ssh: the intersection-ssh format incurred 0% average latency increase and only 16% bandwidth overhead (1,164 KB vs. 1,348 KB per Alexa Top 50 site). The worst-case auto-http format incurred 29% latency increase (5.5 s vs. 7.1 s) and 181% bandwidth overhead (3,279 KB), primarily due to ciphertext expansion and FTE/SOCKS negotiation on persistent empty TCP connections.

§5, Figure 5–6 evaluation

An FTE-tunneled Tor circuit using intersection, manual, and auto HTTP formats successfully traversed the Great Firewall of China from a VPS inside China to a server in the United States on port 80. A persistent tunnel polling a censored URL every five minutes remained active for one month until VPS account termination, with no blocking observed.

§6 deployment

Regex-based DPI is fundamentally vulnerable to format-transforming encryption: because every tested system (including the proprietary enterprise-grade DPI-X, rated for 1.5 Gbps at $8,000) classifies protocols solely by membership in a regular language, any ciphertext can be guaranteed to match any chosen regex. The paper argues this forces DPI to adopt machine learning, active probing, or non-regular semantic checks — but notes that making such checks fast, scalable, and low-false-positive at line rate for arbitrary target protocols remains an open problem.

§3, §7 detection

Re-testing in 2025 on a Pixel 10 Pro XL running Android 16 with October 2025 security updates confirmed that blind in/on-path VPN inference attacks remain fully viable despite CVE-2019-9461, CVE-2019-14899, and CVE-2024-49734 having been formally closed. All three core attack primitives—VPN-assigned internal IP discovery, active connection inference, and TCP reset injection via sequence/acknowledgment window scanning—succeeded across OpenVPN, WireGuard, and NordLynx.

2026-tolley-architectural §5.1–5.3 traffic-shaperst-injectionactive-probing

Six widely deployed VPN and circumvention tools—OpenVPN, WireGuard/NordLynx, NordWhisper, Orbot (Tor on Android), Lantern, and Psiphon—all failed to block internal IP inference, connection-state detection, and TCP reset injection under identical adversarial conditions on fully patched Android 16. Application-layer obfuscation in Lantern and Psiphon did not prevent TCP-layer disruption; Orbot's VPN-style encapsulation of Tor traffic was bypassed via the same tunnel-level side channels.

2026-tolley-architectural §5.2, §5.4–5.5 traffic-shaperst-injectionactive-probing

The paper proposes an Internet Freedom vulnerability registry with five design principles: persistent cross-vendor tracking under shared identifiers (e.g., IF-ARCH-2025-001) as long as a risk remains reproducible; human-centered impact ratings anchored to harm potential for journalists and dissidents rather than CVSS-style exploitability scores; timestamped re-verification hooks with linked PCAPs and minimal reproduction scripts; a structured media interface to counter vendor narrative capture; and open public APIs for integration into risk dashboards so that users of tools like Orbot or Lantern can directly query their configuration's exposure to known metadata-based attacks.

2026-tolley-architectural §6.1–6.5 traffic-shaperst-injectionactive-probing

By 2018 the GFW shifted from blocking Tor bridges by (IP, port) tuples to blocking the entire IP address. A blocked bridge remains inaccessible for exactly 12 hours; the block renews to 12 hours if any additional Tor connection attempt is made during that window, after which the GFW re-scans and removes the IP from the blacklist if Tor is no longer running.

2018-dunna-analyzing §4.2 dpiactive-probingip-blockingrst-injection

TapDance's non-blocking asymmetric design leaves the overt connection open but abandoned, enabling an active censor to inject a TCP ACK carrying a stale sequence number; the overt server responds with its true TCP state, exposing the discrepancy and confirming decoy routing. The attack requires no clean-path routing capability: the injected packet is forwarded through the tainted path by the non-blocking TapDance station itself.

2016-bocovich-slitheen §2.2, §4.3 active-probingrst-injection

Because TapDance does not block client-to-server packets, a censor can inject a TCP packet with a stale acknowledgment number directly to the true decoy server; the server will reply with its actual TCP sequence state, which will differ from the sequence numbers the TapDance station has been using — confirming the flow is proxied. This active packet-injection attack is qualitatively easier to execute against TapDance than against Telex or Cirripede, which used inline blocking to prevent such probes from reaching the server. Table 1 in the paper confirms that TapDance, unlike Telex, lacks replay/preplay attack resistance and has no traffic-analysis defense.

2014-wustrow-tapdance §5.2, Table 1 active-probingpacket-injectionrst-injection