In South Korea, adult websites (e.g., hardsextube.com) were censored exclusively via HTTP content substitution — a JavaScript redirect to the official blockpage http://warning.or.kr — with 98% of content-size-ratio samples falling below the 0.3 detection threshold, while no DNS tampering or TCP-level blocking was observed. All other tested countries had fewer than 16% of samples below the threshold.

In Italy, gambling and betting sites were censored primarily via DNS hijacking toward explicit blockpages with ISP-level plausible-DNS-resolution rates as low as 4.5% (NGI), 31.2% (Wind), and 46.1% (Telecom Italia), while the academic GARR network showed no censorship. File-sharing sites (thepiratebay.sx) faced a more aggressive multi-layer response: 2 of 4 ISPs showed less than 50% TCP reachability (versus near 100% for betting sites), and control DNS resolvers were also affected, indicating coordinated infrastructure-wide blocking rather than ISP-level DNS hijacking alone.

§3.3 evaluation

For the same blocked resource (YouTube) in Pakistan, UBICA found at least three distinct ISP-level techniques in parallel: Micronet Broadband and Witribe Pakistan use DNS injection redirecting to explicit blockpages; Pakistan Telecom Company Ltd. returns DNS responses yielding only 11.7% plausible IPs; while Transworld Associates and National Wi-Max/IMS apply HTTP tampering with no DNS interference, confirmed by passing TCP reachability tests but failing content-size ratio checks.

§3.1 evaluation

Pakistan Telecom Company Ltd. implemented DNS injection by returning 127.0.0.1 (localhost) for blocked domains, so TCP connections and HTTP requests appeared to succeed ("Content available" near 100%) while no legitimate content was served. Only 11.7% of DNS resolutions yielded a plausible IP address, yet the symptom is a silent local service response rather than an explicit blockpage, misleading users and confusing automated detection tools that rely on TCP reachability.

§3.1 evaluation

UBICA's crowdsourced measurement campaign across 31 countries deployed 200+ probes (47 GUI clients, 188 headless clients, 16 BISmark routers) and tested more than 16,000 targets (~15,000 hostnames) over 4 months. Its content-size ratio algorithm detects blockpage substitution by comparing average resource size per country against a global baseline, using a threshold of 0.3 (midpoint between the two observed distribution modes minus a 0.2 guard interval) without requiring a pre-existing uncensored ground truth.

§2, §3 evaluation

An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.

2025-alaraj-iran-refraction §4.1.2 packet-injectionrst-injectionip-blocking

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

Wallbleed was a buffer over-read in the GFW's DNS injection subsystem that caused middleboxes to append up to 125 bytes of their own process memory to forged DNS responses. The bug persisted for at least two years (confirmed from October 2021); the GFW issued an incorrect partial patch in November 2023 (Wallbleed v2 remained exploitable) and fully patched it in March 2024. Over 5.1 billion Wallbleed responses were collected during continuous measurement, and an IPv4-wide scan found 242 million IP addresses across 381 autonomous systems receiving Wallbleed-injected responses — including some traffic whose source and destination were both outside China, due to routing through China's network border.

2025-fan-wallbleed §1–§3, §7 dns-poisoningpacket-injection

Iran's DNS censor now injects two distinct block-page IPs: 10.10.34.36 (≈87% of 47,633 censored domains) and 10.10.34.34 (≈13%). Both originate from the same network node at Iran's border. Prior research (Aryan et al. 2013) described only 10.10.34.34. The IP injected correlates strongly with the HTTP censorship method applied: domains with 10.10.34.34 in DNS receive TCP RST via HTTP (86.8% of RST cases), while domains with 10.10.34.36 in DNS receive HTTP block pages (84.6% of block-page cases).

2025-lange-i-ra-nconsistencies §3.1, Table 2 dns-poisoningrst-injectionpacket-injection

Over 2.5 months (Nov 2024–Jan 15, 2025), IRBlock scanned all 11M Iranian IPv4 addresses daily, finding 6.8M IPs subject to DNS poisoning and HTTP blockpage injection, and 5.4M IPs subject to UDP-based traffic disruption. Testing over 700M FQDNs (500M apex domains) revealed 6M banned FQDNs from 3.3M censored apex domains. Of 537 active ASes in Iran, 485 (90.3%) exhibited blocking for at least 25% of assigned IPs. DNS and HTTP censorship overlapped at >99% of censored IPs; UDP blocking was a strict subset of DNS-censored IPs, affecting ~5M addresses.

2025-tai-irblock §5.1, §1 dns-poisoningpacket-injectionhttp3-quic-block

The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.

2025-tai-irblock §2.1, §3.2 dpirst-injectionpacket-injectionmiddlebox-interference