Geneva experiments revealed that the GFW determines TCP three-way handshake completion using only the presence of the ACK flag — without validating sequence numbers. Upon receiving a RST or RST/ACK before the handshake completes, the GFW enters a resynchronization state approximately 50% of the time rather than tearing down its TCB; strategies that exploit this pre-handshake window achieve 92–95% success rates (Strategies 3 and 4).

Evasion strategies are strongly censor-specific: TCB Teardown strategies that achieve 80–96% against the GFW fail completely (0%) against Kazakhstan's HTTPS MITM; India's Airtel is defeated uniquely by a 'Stutter Request' (duplicating the PSH/ACK and replacing IP length to 64) at 100% success, which scores only 3% against the GFW. Geneva converged on distinct species for each censor within 4–8 hours of live training.

Table 1, §5.1–5.4 evaluation

Geneva, a genetic algorithm using four packet-manipulation primitives (drop, tamper, duplicate, fragment), independently re-derived 30 of 36 (83.3%) previously published evasion strategies in controlled lab experiments and discovered successful strategies in 23 of 27 live training sessions against China's GFW, yielding 4 unique species, 8 subspecies (5 novel), and 21 fundamentally different variants. Each training session ran for 4–8 hours against a real censor.

§5, Abstract defense

The GFW does not verify TCP checksums or validate RST flag combinations: Strategy 5 using the entirely invalid flag set FRAPUN with TTL 10 achieved 96% success. Separately, increasing the TCP data offset (dataofs) field to 10 in an insertion duplicate causes the GFW to reinterpret the beginning of the HTTP payload as TCP header bytes, preventing keyword detection and achieving 98% success (Strategy 2) — while the destination server discards the malformed packet.

§5.2 Species 1 and Species 2 detection

Geneva's Segmentation species — fragmenting HTTP requests at the TCP layer without IP fragmentation, segment overlapping, or insertion packets — achieved 94–98% success against the GFW, 100% against India's Airtel ISP, and 100% against Kazakhstan's HTTPS MITM, making it the only strategy class effective across all three tested censors. These strategies require neither raw sockets nor root privilege.

§5.2 Species 3: Segmentation defense

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi

TTL-based path analysis showed that all censorship actions (DNS poisoning, HTTP injection, TLS resets) in the June 2025 shutdown occurred at the same network hop across all tested ISPs, indicating a single centralized national border gateway—likely TCI AS gateways—rather than per-ISP enforcement. Global BGP announcements were kept intact throughout, making the shutdown invisible to routing monitors while domestic connectivity collapsed.

2025-aryapour-stealth-blackout §4.5 dpidns-poisoningrst-injection

TLS connections to blocked services (instagram.com, telegram.org) were terminated by TCP RST immediately after the client's ClientHello, before any certificate exchange, confirming SNI-based DPI that reads the plaintext SNI extension and aborts the handshake. HTTP filtering additionally matched Host headers and URL keywords case-sensitively, with injected HTTP 403 pages or TCP RST responses, and case-change evasions were sometimes effective.

2025-aryapour-stealth-blackout §4.2, §4.3 sni-blockingdpirst-injectionkeyword-filtering

The August 20, 2025 unconditional RST event revealed an asymmetry in the GFW's triggering mechanism: for traffic originating inside China, both the client SYN and the server SYN+ACK each independently triggered three injected RST+ACK packets (six total per connection). For traffic to China from outside, only the Chinese server's SYN+ACK triggered RSTs — the foreign client's SYN alone was insufficient. This asymmetry implies the responsible device observed the SYN+ACK from the Chinese server as the trigger condition, not a port-match rule on the SYN.

2025-gfw-port443-rst §2.1, §2.2 rst-injectionport-blockingdpi

Iran's HTTP censor exhibits several parsing inconsistencies exploitable for evasion: (1) it is case-sensitive and ignores lowercase method variant "gET"; (2) it does not censor the Host header for HTTP version strings "HTTP", "1.1", and "example" (suggests a version regex of HTTP/.*); (3) when the Host header is absent, the path is not censored for versions "HTTP" and "HTTP/1"; (4) the body is never analyzed regardless of version. All HTTP and DNS censorship occurs at the same last-hop border node, suggesting centralized architecture.

2025-lange-i-ra-nconsistencies §3.2, Table 1 dpikeyword-filteringrst-injection

In China, multiple URLs show 100% failure rates across 3–7 ASNs with near-zero confirmed blockpage rates (e.g., hkleaks.ru, blockdx.co, libgen.space each at 100% failure, avg_confirmed ≈ 0), indicating that China increasingly uses non-blockpage mechanisms — connection drops, TCP anomalies — that evade blockpage-based detection while achieving complete access denial.

2025-lipphardt-1-800-censorship §4.4, Table 4 dpirst-injection