The bulk-transfer mode requires both the censored client and the cooperating proxy to accept incoming TCP connections, rendering it unusable for clients behind NAT without port-forwarding capability. Rendezvous mode is unaffected because it only requires the client to send a single outbound request. The authors note that many real-world residential users are behind NAT, limiting practical deployment of the bidirectional channel.

OSS operators—not the censor—are the primary abuse-detection risk for high-bandwidth use. PDFmyURL's published policy blocks clients making more than 100 requests in 2 hours that cumulatively consume more than 1000 seconds of server CPU and more than 10% of CPU resources. The authors were blocked by PDFmyURL and Twitter during high-bandwidth tests, suggesting that covert use must stay well below these thresholds.

§6.2 evaluation

Online scanning services span security scanners, ad networks (Google AdSense), web diagnostics, and link shorteners—categories economically important enough that blocking them wholesale causes severe collateral damage. The paper identifies five broad OSS categories with dozens of providers, and notes that translation services, photo printers, RSS aggregators, and image hosts are additional unexplored candidates, making exhaustive enumeration by a censor infeasible.

§2, §3, §9 defense

OSS throughput varies from 250 B/s (vURL/HTTP-302) to 265 KB/s (PDFmyURL/JavaScript-onload). High-rate OSSes—Dr.Web at 20 KB/s, GoMo at 22–175 KB/s, PDFmyURL at 160–265 KB/s—support bulk bidirectional transfer; low-rate OSSes (AdSense 500 B/s, vURL 250 B/s) are suited only for rendezvous. Concurrent streams scale linearly (2× aggregate throughput) for all tested OSSes except AdSense, which rate-limits per source IP.

§5.2, Table 5 evaluation

In the standard redirect design the cooperating proxy's IP address or domain name appears in plaintext HTTP redirect responses, because the censored client cannot present a valid TLS certificate to the OSS and must use plain HTTP. A censor inspecting OSS-bound traffic can extract the proxy address from the Location header or URL query parameters. The no-redirect variant (client and server each initiate single scans of each other) eliminates this leakage at the cost of higher latency and server-side OSS enumeration.

§7 detection