Of 2,134 tested sites, 229 (10.7%) were invalid for inbound blocking detection due to ingress filtering or network-origin discrimination; 431 additional sites were invalid for outbound blocking detection, of which 75% were Cloudflare-hosted and 7% Fastly-hosted because anycast topology prevents RST packets from returning to the originating anycast node.

Aggregate measurements across nearly 180 countries over 17 days found that 60% of reflectors experienced some degree of connectivity disruption; the bias of detected blocks toward Citizen Lab Block List sites held for both inbound and outbound filtering, and temporal variability corroborated documented censorship events around political timelines.

§VI-B evaluation

Validation against the Citizen Lab Block List (CLBL) showed that for 99% of reflectors, more than 56.7% of detected inbound-blocked sites were CLBL-listed (vs. 56.7% CLBL composition of the input dataset); 95% of reflectors showed the same directional bias for outbound filtering, confirming the method detects real censorship rather than measurement noise.

§VI-A, Figure 5 evaluation

Augur's Internet-wide ZMap scan found 22.7 million hosts (of 140 million reachable) using shared monotonically-increasing IP ID counters across 234 countries (median 1,667 reflectors per country); filtering to ethical infrastructure via CAIDA Ark reduced this to 53,130 reflectors in 179 countries (median 15 per country), representing 4,214 ASes.

§V-B, Table I evaluation

Using sequential hypothesis testing (SHT) with false positive and false negative rates both set to 10^-5, more than 90% of reflectors required 40 or fewer experiment trials to reach a blocking decision; over 17 days the system collected 207.6 million runs across 47 trials spanning 2,134 sites and 2,050 reflectors.

§IV-C, §V-D, Figure 4 evaluation

Censoring middleboxes' TCP non-compliance — specifically, their willingness to censor bidirectionally without completing the three-way handshake — enables external vantage points outside a censoring country to trigger and measure censorship without any local endpoint participation. The approach requires only a confirmed censored domain per AS, evidence of bidirectional censorship, and minimal residual censorship.

2023-nourin-detecting §2 middlebox-interferencerst-injectionmeasurement-platform

Geneva — originally designed to evolve censorship-evasion packet sequences — was repurposed by inverting its fitness function to discover censorship-triggering packet sequences instead. Training against non-responsive IP addresses allows Geneva to attribute all responses to middleboxes, enabling fully automated discovery of triggering strategies without any endpoint cooperation.

2023-nourin-detecting §2 measurement-platformpacket-injectionmiddlebox-interference

Internet-wide IPv4 scanning found 386,187 IP addresses yielding amplification factors ≥ 100× via TCP middlebox reflection, with 82.9% of responses from the top 1 million IPs confirmed as originating from on-path middleboxes rather than endpoints. Nation-state censorship infrastructure dominates: China's GFW alone accounts for approximately 154 million responding IP addresses sharing a 3× RST+ACK (54 bytes each) fingerprint.

2021-bock-weaponizing §5.3, §5.5, Table 4 middlebox-interferencerst-injectionpacket-injectionmeasurement-platform

The authors developed 'Aladdin,' a 10-step OONI-based measurement experiment that isolates SNI-based blocking (step 1), Host-header blocking (step 2), DNS injection (step 3), system-resolver vs. DoH discrepancy (steps 4–5), TLS interception (steps 6–8), and TLSv1.3-specific SNI dependency (step 10); this methodology exposed Vodafone's Allot TLS interception that OONI's Web Connectivity test had recorded only as a generic certificate error.

2021-ververis-understanding §3.8 measurement-platformsni-blockingmiddlebox-interferencedns-poisoning

The paper enumerates at least eight distinct non-censorship motivations for server-side geo-blocking — economic sanctions, third-party liability (SESTA), copyright, GDPR compliance, security/fraud concerns, hosting costs, revenue optimization, and misconfiguration — each of which can produce the same observable signals (403 blockpages, DNS failures, TCP resets) as government censorship. Naive measurement methods that treat all location-based unavailability as censorship will produce systematic false positives.

2018-tschantz-bestiary §2, Table 1 measurement-platformmiddlebox-interference

Within a single country mandate, different ISPs implement censorship with different filtering tools and mechanisms: Thailand's AS 9737 and AS 17552 use structurally distinct block-page templates (vector 17 is ~1,000 bytes using div layout; vector 8 is ~6,000 bytes using table layout). Both ISPs actively obfuscate their filtering product by reporting generic 'Server: Apache/2.2.9 (Debian)' or 'Server: Apache' HTTP headers instead of the actual product identifier.

2014-jones-automated §6 dpimiddlebox-interferencemeasurement-platform