Rostelecom (AS12389) performed network-layer redirection of blacklisted traffic rather than DPI-based filtering: 40 of 343 Russian probes returned SSL certificates attributed to Russian ISPs (State Institute of Information Technologies, Rostelecom, Electron Telecom Network). The interference affected all protocols and ports holistically across Rostelecom's downstream peers, consistent with BGP-level false advertisements or forwarding rules rather than application-layer classification.

Monitoring Twitter, YouTube, Tor, and Google Public DNS across 10 Atlas probes spanning 9 ASNs cost 19,200 credits per day (under 1 probe-day equivalent), and Atlas's external queuing allowed measurement scheduling to begin within hours of reported blocks. The platform documented 6 distinct shifts in Turkey's filtering strategy and identified private-sector cooperation in Russia that would have been missed by platforms limited to DNS and HTTP measurements.

§3.2, Table 3 evaluation

LiveJournal cooperated with Russian authorities (Roskomnadzor) to segregate censored content by altering DNS A records for blacklisted blogs to a special host (208.93.0.190) that came online between February 10–17, 2014. Only 5 of 1,462 LiveJournal subdomains in Alexa's Top 1 million resolved to this address, all of which had been publicly declared in violation of Russian media law.

§4.2 detection

Turkey's filtering of Twitter relied overwhelmingly on DNS manipulation over IP blocking: as of April 24, 2014, only 167 IP addresses were blocked versus 40,566 domain names. Users who received valid DNS answers could browse Twitter without further interference, making foreign DNS servers (Google 8.8.8.8, OpenDNS) an effective circumvention mechanism — reportedly graffitied across Turkey in protest of the ban.

§4.1 detection

When Turkish users shifted to foreign DNS providers as a circumvention mechanism, Türk Telekom escalated by rerouting traffic destined for Google Public DNS (8.8.8.8 and 8.8.4.4) to a local DNS server serving false answers (Event E, March 28), causing a rapid drop in Tor and YouTube availability across all Atlas probes regardless of DNS configuration. At least 6 distinct shifts in filtering strategy were documented within a two-week period.

§4.1 detection

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

The RKS Global report documents a two-tier Russian censorship architecture: TSPU network-layer blocking (documented by Xue et al. 2024) at the ISP level, now supplemented by mandated app-layer VPN detection in the 30 most popular Russian Android apps. This layered approach means a circumvention tool that successfully bypasses TSPU at the network layer can still be detected and reported by the app layer, closing the gap that network-only circumvention leaves open.

2026-rks-russian-apps-vpn-detection §2, §7 tls-fingerprintml-classifiermiddlebox-interference

The server-side variant of the blind VPN inference attack—where an in/on-path adversary exploits predictable NAT assignment and tunnel routing semantics to inject spoofed packets indistinguishable from legitimate encrypted traffic—has remained unacknowledged and unmitigated across all tested platforms since its concurrent disclosure in 2019. Unlike the client-side variant, which received partial fixes from Google (CVE-2019-9461, CVE-2024-49734) and Apple (iOS 17.2.1), no vendor has proposed a viable remediation or claimed ownership of the server-side attack surface.

2026-tolley-architectural §2.1, §3.1, §3.4 traffic-shaperst-injectionmiddlebox-interference

Russian TSPU devices directly block ECH by dropping ClientHello messages that contain both an ECH extension and the outer SNI hostname "cloudflare-ech.com" — the static outer SNI Cloudflare advertises in all its ECH configurations. Blocking affects both TLS and QUIC. ECH connections to servers with Cloudflare ECH support but outside Cloudflare's official IP ranges are NOT blocked. TCP segmentation alone or TLS record fragmentation alone did NOT bypass TSPU ECH blocking, but combining both techniques did circumvent it. TSPU has also added TCP reassembly capabilities that defeat previously effective fragmentation-only bypasses.

2025-niere-encrypted §5, Figure 5 dpirst-injectionmiddlebox-interference

The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.

2025-tai-irblock §2.1, §3.2 dpirst-injectionpacket-injectionmiddlebox-interference

The Henan Firewall is stateless in two exploitable ways: (1) it requires the TCP header to be exactly 20 bytes—enabling any TCP option (e.g., TCP Timestamps, which Windows disables by default) to bypass it entirely; (2) it does not perform TCP reassembly, so splitting a TLS ClientHello across two TCP segments such that the SNI extension straddles the boundary bypasses the censor. Both bypasses require only client-side changes and have already been implemented in Xray, GoodbyeDPI, and Shadowrocket. TLS record fragmentation (splitting the ClientHello across multiple TLS records within one TCP segment) also defeats both the Henan Firewall and the GFW, since neither performs TLS reassembly.

2025-wu-regional-censorship §4.3 / §6 sni-blockingdpimiddlebox-interference