Users in Thailand relied on incident-driven tool selection—running a fresh Google search for a proxy or VPN each time they hit a block—which the paper identifies as a systematic vulnerability: the Thai Royal Police exploited this pattern after the 2014 coup by linking a phishing application to a government block page, harvesting email addresses and gaining application-level access to Facebook profile information. The paper further notes that orchestrated stricter censorship could drive users to a government-operated malicious tool.

Approximately 10% of respondents (n=23) held uncertain or incorrect beliefs about which actor was responsible for a given block, systematically conflating government censorship with geoblocking, paywalls, and platform-side restrictions. This misidentification cascaded into inappropriate tool selection and inaccurate risk assessment: users who could not distinguish state blocking from licensing restrictions could neither choose the right circumvention tool nor accurately gauge the legal jeopardy of accessing the content. Respondents specifically requested a pre-visit blocking-actor classification tool.

§5.2.3, §5.4.1, §6.2.1 evaluation

Nearly 70% (n=160) of respondents reported self-censoring online for fear of the law. Frequency of exposure to blocked content was a statistically significant, ordered predictor of self-censorship (Goodman-Kruskal's gamma = 0.421, 95% CI [0.247, 0.595], p < 0.05), with self-censorship increasing monotonically as exposure to blocked content increased. Notably, self-censorship rates did not differ significantly between respondents inside and outside Thailand, suggesting the chilling effect extends beyond the reach of domestic ISP-level blocking.

§5.5.1 evaluation

Of 229 Thai Internet users surveyed, 63% (n=144) had attempted to circumvent censorship, and of those, roughly 90% (n=132) reported success using VPNs (32.64%), proxies (32.64%), or Tor (23.61%). Failures were isolated to proxies (n=2), VPNs (n=2), and alternative searches (n=3), indicating that existing circumvention tools were technically adequate but that availability and comprehensibility—not raw capability—were the binding constraints on user success.

§5.2.1, Table 2 evaluation

Social media—primarily Facebook—was the dominant venue for direct, experienced threats: 9 of 15 respondents who had content blocked reported being censored on Facebook, and respondents observed that government censorship was shifting away from website blocking toward social media surveillance precisely because social media platforms are 'hard to block.' Respondents lacked any effective technical defenses against peer reporting, group-administrator censorship, and intermediary liability; they relied instead on social management strategies such as abbreviating references to royalty, running 'trial posts,' and self-censoring likes and shares.

§5.2.4, §5.3.1, §6.1.1 evaluation

An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.

2025-alaraj-iran-refraction §4.1.2 packet-injectionrst-injectionip-blocking

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

136 Russian government domains (25.09% of 542 accessible ones) blocked access to all tested countries outside Russia, and a further 112 (20.66%) were accessible only from Russian and Kazakhstani vantage points. Geoblocking was implemented via heterogeneous, uncoordinated mechanisms—DNS timeouts, TCP timeouts, HTTP 403 Forbidden responses, and explicit blockpages—across different domains, indicating an ad hoc emergency response with no central policy.

2023-ramesh-network §4.2 ip-blockingdns-poisoningpacket-injection

Data center VPSes predominantly experienced TCP connection timeouts and resets—with the highest-blocking VPS censoring 96.8% of tested domains—while residential ISPs were substantially more likely to inject explicit blockpages citing Roskomnadzor's registry, confirming that blocking mechanism varies significantly by network tier even when blocking rates are similar.

2020-ramesh-decentralized §VI-B rst-injectionip-blockingpacket-injectionkeyword-filtering

Time-series analysis across five ISPs over six months reveals a near-universal stasis in January–February where blocklist changes were negligible for all ISPs, followed by significant fluctuations (e.g., a +20–35% swing in TCP unreachability between February and March for PTCL, Wateen, Qubee, and WiTribe). A ubiquitous drop in TCP-unreachability outcomes occurred December–January, suggesting a seasonal or policy-driven relaxation followed by re-tightening.

2016-aceto-analyzing §V-A dns-poisoningpacket-injectionip-blocking

The Great Cannon (GC) operates as a distinct in-path system — not an extension of the GFW — capable of both injecting and suppressing traffic, enabling full man-in-the-middle capability against targeted IP addresses. Unlike the on-path GFW, the GC only examines the first data packet of each connection (avoiding TCP bytestream reassembly), targets specific destination IP addresses rather than all border traffic, and maintains a per-source-IP flow cache of approximately 16,000 entries to ignore already-processed connections.

2015-marczak-analysis §3, §3.1 packet-injectiondpiip-blocking