Evasion strategies are strongly censor-specific: TCB Teardown strategies that achieve 80–96% against the GFW fail completely (0%) against Kazakhstan's HTTPS MITM; India's Airtel is defeated uniquely by a 'Stutter Request' (duplicating the PSH/ACK and replacing IP length to 64) at 100% success, which scores only 3% against the GFW. Geneva converged on distinct species for each censor within 4–8 hours of live training.

Geneva, a genetic algorithm using four packet-manipulation primitives (drop, tamper, duplicate, fragment), independently re-derived 30 of 36 (83.3%) previously published evasion strategies in controlled lab experiments and discovered successful strategies in 23 of 27 live training sessions against China's GFW, yielding 4 unique species, 8 subspecies (5 novel), and 21 fundamentally different variants. Each training session ran for 4–8 hours against a real censor.

§5, Abstract defense

Geneva experiments revealed that the GFW determines TCP three-way handshake completion using only the presence of the ACK flag — without validating sequence numbers. Upon receiving a RST or RST/ACK before the handshake completes, the GFW enters a resynchronization state approximately 50% of the time rather than tearing down its TCB; strategies that exploit this pre-handshake window achieve 92–95% success rates (Strategies 3 and 4).

§5.2 Species 2: TCB Teardown detection

The GFW does not verify TCP checksums or validate RST flag combinations: Strategy 5 using the entirely invalid flag set FRAPUN with TTL 10 achieved 96% success. Separately, increasing the TCP data offset (dataofs) field to 10 in an insertion duplicate causes the GFW to reinterpret the beginning of the HTTP payload as TCP header bytes, preventing keyword detection and achieving 98% success (Strategy 2) — while the destination server discards the malformed packet.

§5.2 Species 1 and Species 2 detection

Geneva's Segmentation species — fragmenting HTTP requests at the TCP layer without IP fragmentation, segment overlapping, or insertion packets — achieved 94–98% success against the GFW, 100% against India's Airtel ISP, and 100% against Kazakhstan's HTTPS MITM, making it the only strategy class effective across all three tested censors. These strategies require neither raw sockets nor root privilege.

§5.2 Species 3: Segmentation defense

Russian TSPU devices directly block ECH by dropping ClientHello messages that contain both an ECH extension and the outer SNI hostname "cloudflare-ech.com" — the static outer SNI Cloudflare advertises in all its ECH configurations. Blocking affects both TLS and QUIC. ECH connections to servers with Cloudflare ECH support but outside Cloudflare's official IP ranges are NOT blocked. TCP segmentation alone or TLS record fragmentation alone did NOT bypass TSPU ECH blocking, but combining both techniques did circumvent it. TSPU has also added TCP reassembly capabilities that defeat previously effective fragmentation-only bypasses.

2025-niere-encrypted §5, Figure 5 dpirst-injectionmiddlebox-interference

The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.

2025-tai-irblock §2.1, §3.2 dpirst-injectionpacket-injectionmiddlebox-interference

China's Great Firewall showed anomalous inconsistency: 13 test vectors produced mixed outcomes—TCP RST injection on some executions and a clean server response on others—with circumvention rates between 10% and 35% across 100 executions per vector. The authors attribute this to heterogeneous GFW infrastructure components applying different HTTP parsing logic, a departure from the GFW's usual consistency.

2024-m-ller-turning §5.2 dpirst-injectionkeyword-filteringmiddlebox-interference

Server-side censorship evasion strategies require zero client-side changes: clients bypass censorship without installing software or even being aware of the evasion, and this approach has been adopted in production tools including Psiphon's packetman. The packet manipulations exploit weaknesses in how censors track or tear down TCP connections, occurring entirely at the server during the three-way handshake.

2023-tran-crowdsourcing §1 Introduction dpirst-injectionmiddlebox-interference

The paper identifies three distinct GFW resynchronization-state triggers with protocol-specific behavior: (1) a server payload on any non-SYN+ACK packet causes resync on the next SYN+ACK or client ACK-flagged packet for all protocols; (2) a server RST causes resync on the next client packet for all protocols except HTTPS; (3) a SYN+ACK with a corrupted acknowledgment number triggers resync only for FTP. Strategy 1's 50% per-attempt success rate for HTTP is confirmed to result from the 50% probability of the GFW entering the resynchronization state on an injected RST, consistent with Wang et al. [36].

2020-bock-come §5.1 dpirst-injectionmiddlebox-interference

The paper presents 11 purely server-side censorship evasion strategies requiring zero client-side software, successfully bypassing censorship in China, India, Iran, and Kazakhstan across DNS-over-TCP, FTP, HTTP, HTTPS, and SMTP. All strategies manipulate only TCP handshake packets (primarily the SYN+ACK) and were verified against 17 versions of 6 client operating systems (Windows XP–Server 2018, MacOS, iOS, Android, Ubuntu, CentOS) with unmodified clients.

2020-bock-come §1, §5, Table 2 dpirst-injectionmiddlebox-interference