Syria's Blue Coat proxies blocked any URL containing the string "proxy," generating 3,954,795 censored requests (53.61% of all policy-censored traffic in Dfull). The collateral damage was severe: Google Toolbar's /tbproxy/af/query API calls and Facebook social plugins (/plugins/like.php at 43.04% and /extern/login_status.php at 38.99% of facebook.com censored traffic) together account for over 80% of censored facebook.com requests, all denied with 0 allowed counterparts.

Four circumvention tool names were explicitly blocked as URL substrings with zero allowed requests passing through: hotspotshield (126,127 blocked), ultrareach (50,769), ultrasurf (31,483), and the generic keyword israel (48,119). All matching requests — including update checks and background pings — were denied at 0% pass-through rate.

§5.4, Table 9 detection

Skype.com (503,932 censored, 0 allowed) and live.com IM services were blocked with 100% denial rates at all times. During the August 3, 2011 protest events Skype accounted for up to 29.24% of all censored traffic; 9% of Skype requests were software update attempts, which were also denied, confirming content-agnostic domain-level blocking rather than content-selective filtering.

§5.1, §5.5, Tables 5 & 7 detection

Syrian censors used a custom Blue Coat URL-category to policy_redirect specific Facebook pages (Syrian.Revolution: 1,461 censored) while allowing 17.70M facebook.com requests overall — only 1.62M (8.4%) were censored. The URL-pattern matching was imprecise: www.facebook.com/Syrian.Revolution?ref=ts was blocked but the identical page with additional AJAX query parameters (__a=11&ajaxpipe=1) was not categorized as 'Blocked Site,' leaving some access through.

§6, Tables 12–13 detection

Port 9001 (Tor) ranked third among all blocked ports in Syria, behind only ports 80 and 443. Proxy SG-48 was responsible for a disproportionate share of Tor censorship — blocking Tor traffic for multiple consecutive days — while other proxies in the same deployment did not, indicating per-proxy policy specialization or traffic steering of suspected circumvention flows to dedicated blocking infrastructure.

§4 (Ports), §5.2 detection

During the June 2025 shutdown, Iranian authorities blocked international One-Time Password (OTP) SMS delivery, preventing new sign-ins to foreign secure-messaging platforms and VPN services. This forced users toward government-approved domestic platforms that lack security and privacy protections. The blockade of OTPs effectively weaponized account-recovery flows as a secondary shutdown layer, disproportionately affecting users who needed to activate new circumvention tools during the crisis.

2025-iran-shutdown-measurement §Human Rights Implications port-blockingdpikeyword-filtering

Input blocking in Chinese LLM services (DeepSeek, Qwen, Kimi, Doubao) is overwhelmingly consistent: all four services persistently block the exact same queries across all 5 measurement samples in both Simplified and Traditional Chinese. Output blocking is far less consistent, with only 29 out of 349 output-blocked queries blocked across all 5 samples. Baidu-Chat is exceptional: it performs almost no input blocking but instead relies heavily on post-search and output blocking (78.6% of blocks are output-phase).

2026-ablove-characterizing §VI-B keyword-filteringdpi

TLS connections to blocked services (instagram.com, telegram.org) were terminated by TCP RST immediately after the client's ClientHello, before any certificate exchange, confirming SNI-based DPI that reads the plaintext SNI extension and aborts the handshake. HTTP filtering additionally matched Host headers and URL keywords case-sensitively, with injected HTTP 403 pages or TCP RST responses, and case-change evasions were sometimes effective.

2025-aryapour-stealth-blackout §4.2, §4.3 sni-blockingdpirst-injectionkeyword-filtering

Iran's HTTP censor exhibits several parsing inconsistencies exploitable for evasion: (1) it is case-sensitive and ignores lowercase method variant "gET"; (2) it does not censor the Host header for HTTP version strings "HTTP", "1.1", and "example" (suggests a version regex of HTTP/.*); (3) when the Host header is absent, the path is not censored for versions "HTTP" and "HTTP/1"; (4) the body is never analyzed regardless of version. All HTTP and DNS censorship occurs at the same last-hop border node, suggesting centralized architecture.

2025-lange-i-ra-nconsistencies §3.2, Table 1 dpikeyword-filteringrst-injection

All six Chinese browsers (Baidu Searchbox, UC Browser, QQ Browser, OPPO, Redmi/Mi, VIVO) transmit the full URL of every page visited—including HTTPS pages—along with page titles and search terms out-of-band to vendor servers, entirely bypassing VPN tunnel protection. In five of six cases this data is transmitted with no cryptography or weak cryptography (purely symmetric AES with hardcoded keys, or textbook RSA with a 128-bit modulus factorable in under 3 seconds), making it readable by any on-path actor between the VPN egress and the vendor's servers.

2025-rodriguez-revisiting §4.1 dpikeyword-filtering

All six browsers grant dangerous Android permissions (READ_PHONE_STATE, INTERNET, ACCESS_NETWORK_STATE) to third-party SDKs; built-in phone browsers grant significantly more such permissions than app-store browsers. Baidu Mobile Tongji Analytics SDK—present in all six via Baidu as default search engine—collects IMEI, UUID, CUID, GAID, device MAC, and Bluetooth MAC, creating a persistent cross-app device fingerprint that identifies users across VPN sessions and survives IP changes.

2025-rodriguez-revisiting §4.3 dpikeyword-filtering