Tested across 11 vantage points in 9 Chinese cities against 77 Alexa-ranked websites (50 trials each, April–May 2017), most prior TCB evasion strategies are largely broken: TCB creation with SYN achieves only 6.9% success (88.9% Failure 2), TCB teardown with FIN achieves only 11.1% success (87.9% Failure 2), while in-order data overlapping with TTL-based insertion still achieves 90.6% success and only 3.7% Failure 2. Without any evasion strategy the baseline success rate is 2.8%.

The GFW evolved to create a TCB not only on SYN packets but also on SYN/ACK packets, and enters a 're-synchronization state' upon seeing multiple SYN packets, multiple SYN/ACK packets, or a SYN/ACK with an incorrect acknowledgment number. Once in this state, it re-synchronizes its TCB using the next client-to-server data packet or server SYN/ACK, invalidating prior TCB-creation evasion strategies that assumed the GFW used only the first SYN sequence number.

§4 detection

INTANG, a measurement-driven tool that caches the best-performing TCP evasion strategy per server IP, achieves an average success rate of 98.3% (range 93.7%–100%) from vantage points inside China. Four combined new strategies — Improved TCB Teardown, Improved In-order Data Overlapping, TCB Creation + Resync/Desync, and TCB Teardown + TCB Reversal — each independently achieve average success rates of 94.5%–96.2% inside China and 84.6%–92.7% outside China, with Failure 2 rates below 1.1%.

§7, Table 4 defense

Packets carrying an unsolicited TCP MD5 option header (RFC 2385) are silently ignored by modern Linux servers (kernel ≥ 2.6) that have not negotiated MD5 authentication, yet are accepted and processed by the GFW as normal packets that update its TCB. Crucially, none of the observed middleboxes dropped packets with MD5 options, making the MD5 header the most universally applicable insertion packet type — usable with any TCP flag (SYN, RST, or data) and immune to middlebox filtering.

§5.3, Table 3 defense

Client-side middleboxes at every tested vantage point interfere with IP-layer evasion tactics: Aliyun (6/11 nodes) discards all IP fragments, while the Tianjin China Unicom node drops packets with wrong TCP checksums or no TCP flag. IP-layer discrepancies that survive routers (e.g., IP total-length > actual length) are still dropped by some middleboxes, making IP-layer manipulations unreliable across Chinese ISPs. TCP-layer manipulations are significantly more consistent across paths.

§3, Table 2 evaluation

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

TTL-based path analysis showed that all censorship actions (DNS poisoning, HTTP injection, TLS resets) in the June 2025 shutdown occurred at the same network hop across all tested ISPs, indicating a single centralized national border gateway—likely TCI AS gateways—rather than per-ISP enforcement. Global BGP announcements were kept intact throughout, making the shutdown invisible to routing monitors while domestic connectivity collapsed.

2025-aryapour-stealth-blackout §4.5 dpidns-poisoningrst-injection

TLS connections to blocked services (instagram.com, telegram.org) were terminated by TCP RST immediately after the client's ClientHello, before any certificate exchange, confirming SNI-based DPI that reads the plaintext SNI extension and aborts the handshake. HTTP filtering additionally matched Host headers and URL keywords case-sensitively, with injected HTTP 403 pages or TCP RST responses, and case-change evasions were sometimes effective.

2025-aryapour-stealth-blackout §4.2, §4.3 sni-blockingdpirst-injectionkeyword-filtering

The August 20, 2025 unconditional RST event revealed an asymmetry in the GFW's triggering mechanism: for traffic originating inside China, both the client SYN and the server SYN+ACK each independently triggered three injected RST+ACK packets (six total per connection). For traffic to China from outside, only the Chinese server's SYN+ACK triggered RSTs — the foreign client's SYN alone was insufficient. This asymmetry implies the responsible device observed the SYN+ACK from the Chinese server as the trigger condition, not a port-match rule on the SYN.

2025-gfw-port443-rst §2.1, §2.2 rst-injectionport-blockingdpi

Iran's HTTP censor exhibits several parsing inconsistencies exploitable for evasion: (1) it is case-sensitive and ignores lowercase method variant "gET"; (2) it does not censor the Host header for HTTP version strings "HTTP", "1.1", and "example" (suggests a version regex of HTTP/.*); (3) when the Host header is absent, the path is not censored for versions "HTTP" and "HTTP/1"; (4) the body is never analyzed regardless of version. All HTTP and DNS censorship occurs at the same last-hop border node, suggesting centralized architecture.

2025-lange-i-ra-nconsistencies §3.2, Table 1 dpikeyword-filteringrst-injection

In China, multiple URLs show 100% failure rates across 3–7 ASNs with near-zero confirmed blockpage rates (e.g., hkleaks.ru, blockdx.co, libgen.space each at 100% failure, avg_confirmed ≈ 0), indicating that China increasingly uses non-blockpage mechanisms — connection drops, TCP anomalies — that evade blockpage-based detection while achieving complete access denial.

2025-lipphardt-1-800-censorship §4.4, Table 4 dpirst-injection