Slitheen replaces only 'leaf' HTTP resources (images, video) in overt-site responses with covert content, reusing all TCP/IP headers verbatim and forwarding packets immediately on arrival. This forces every observable feature—packet size, direction, inter-arrival timing—to be identical to a genuine access of the overt page, eliminating the censor's ability to apply latency analysis, website fingerprinting, or protocol fingerprinting to distinguish decoy sessions from normal traffic.

Schuchard et al. demonstrated that latency differences caused by a decoy routing proxy communicating with a distant covert destination are sufficient not only to detect the use of decoy routing but also to fingerprint which specific censored webpage the client accessed. All prior decoy routing systems (Telex, Cirripede, Curveball, TapDance, Rebound) remained vulnerable to this attack at time of publication.

§4.1 detection

Measurement of the Alexa top 10,000 TLS sites showed that the fraction of traffic replaceable by a Slitheen relay varies from 0% (Facebook, due to large TLS records preventing leaf replacement) to 100% (Wikipedia, Yahoo). For representative sites: Reddit achieved 70% ±10% of leaf bytes replaced (19% ±3% of total page bytes), Gmail 87.7% ±0.2% of leaf bytes (23% ±9% total), and Quora 99% ±5% of leaf bytes (20% ±10% total), as reported in Table 2.

§6.1, Table 2 evaluation

Table 1 shows Slitheen is the first decoy routing system to simultaneously defend against latency analysis, website fingerprinting, and protocol fingerprinting attacks, while also resisting TCP replay and Crazy Ivan active attacks. This security is achieved at the cost of requiring symmetric flows and inline blocking—requirements previously considered prohibitive—which the authors argue are increasingly met by commercial DPI traffic-shaping appliances (e.g., Sandvine) already deployed by ISPs.

§4.5, Table 1 evaluation

TapDance's non-blocking asymmetric design leaves the overt connection open but abandoned, enabling an active censor to inject a TCP ACK carrying a stale sequence number; the overt server responds with its true TCP state, exposing the discrepancy and confirming decoy routing. The attack requires no clean-path routing capability: the injected packet is forwarded through the tainted path by the non-blocking TapDance station itself.

§2.2, §4.3 detection

Censorship classifiers and traffic analysis attacks consistently exploit the initial seconds of a proxy connection, where packet-size, inter-arrival-time, and burst features are maximally discriminative. Cited work demonstrates that website fingerprinting classifiers trained solely on the first few seconds of Tor traffic achieve high accuracy, and real-world GFW detection of fully-encrypted protocols also targets early-connection bytes.

2025-pereira-extended §1 traffic-shapewebsite-fingerprintml-classifierdpifully-encrypted-detect

Relying on third-party email providers to verify users was demonstrated by Ling et al. to leave Tor's BridgeDB vulnerable to censors capable of creating multiple accounts, enabling bridge enumeration via sock-puppet attacks at scale. Active and passive detection techniques — including traffic flow analysis, DPI, website fingerprinting, and active probing — have been demonstrated in prior work to reveal Tor bridges, making Tor inaccessible for the majority of users in some regions.

2023-tulloch-lox §2.2.1 active-probingdpitraffic-shapewebsite-fingerprintip-blocking

SiegeBreaker explicitly acknowledges two unresolved attack vectors: (1) latency-based traffic analysis attacks (forced-asymmetry / RAD-style), which the system does not mitigate, and (2) website fingerprinting attacks against the proxied traffic, for which no defense is implemented. Additionally, the email-based control channel is vulnerable to a censor who can delay or block emails to the controller's address, disrupting rule installation before the client's SYN packet arrives.

2020-sharma-siegebreaker §3, §4.1, §4.3 traffic-shapewebsite-fingerprintdpi

A three-stage detection pipeline exploiting the "dual-role" behavioral fingerprint of single-IP circumvention relays achieved 23.2% recall (96/414 ground-truth relays) with a 0.18% false-positive rate against 97,651 benign TLS servers, for an overall accuracy of 99.5%. The ground-truth set covered OpenVPN, WireGuard, and SOCKS relays identified in a 17 TB single-day backbone trace (WIDE Project, April 9, 2025).

2026-almutairi-server §3.4, Table 1 traffic-shapedpiflow-correlation

The paper identifies a fundamental architectural vulnerability in single-IP circumvention designs: a relay must generate new observable flows (via DNS or TLS SNI) to reach end services after receiving client connections, creating a detectable server-and-client behavioral contrast. A relay accessing user-facing domains (news, social media) scores high on a Relay Suspicion Score (w=0.9) versus infrastructure domains (w=0.1). The paper argues this host-level signal is censorship-invariant and cannot be concealed by link obfuscation.

2026-almutairi-server §2.4, §4 traffic-shapedpisni-blocking

Simulations extending the ENEM19 game-theory framework show that ephemeral proxy schemes (modeled on Snowflake/Lantern) effectively neutralize both the "optimal" and "aggressive" censors from the original framework. In overprovisioned settings (proxies arriving at 250/step vs. 200 clients/step), even the null censor scenario outperforms either censor in equal-arrival settings. Over 90% of waiting users receive a proxy within 1 time step. The critical variable is not censor sophistication but proxy arrival rate relative to client demand—high proxy churn combined with high arrival rate defeats both enumeration strategies tested.

2026-fares-game §4, Fig 1, Fig 2, Table 1 dpitraffic-shape