A proposed HTTP censorship detection algorithm combining status-code comparison, response-length Z-score, HTML TF-vector cosine similarity, and redirect-hostname matching achieves F1 scores of 0.83 (censored) and 0.77 (uncensored), outperforming OONI (0.80 / 0.70), length-difference methods (0.70 / 0.66), and HTML-similarity methods (0.52 / 0.34) on a manually annotated set of 3,000 responses across six Indian ISPs.

All detected HTTP censorship events in BSNL and MTNL are attributable to infrastructure shared with or operated by Airtel and ACT, demonstrating that upstream ISP filtering creates collateral censorship visible to downstream networks. Isolated cross-ISP leakage was also observed: Vodafone's censorship notice appeared in 2 Jio tests, and Airtel's appeared in 2 Vodafone tests.

§5.1.3 evaluation

Indian ISPs use heterogeneous and overlapping censorship mechanisms with no single technique common across all providers: DNS tampering (ACT, Airtel, BSNL, MTNL), HTTP header filtering (all six ISPs), and SNI inspection (Jio only). Individual ISPs such as ACT simultaneously apply DNS-only blocking to 233 sites, HTTP-only to 1,873 sites, and both to 1,615 sites.

§5.1, Table 2 evaluation

Across six ISPs covering 98.82% of Indian internet subscribers, only 1,115 out of 4,033 tested blocked websites (27.64%) are blocked by all six ISPs simultaneously. ACT blocks 3,721 websites while Airtel blocks only 1,892, and 215 websites are blocked by exactly one ISP with no apparent legal basis.

§5.2, Table 3 evaluation

Jio, India's largest ISP serving 49.7% of internet users, employs SNI inspection to block 2,951 out of 3,340 websites it censors — the first documented use of SNI-based blocking in India. No other of the six tested ISPs uses this technique.

§5.1.4 evaluation

Internet-wide IPv4 scanning found 386,187 IP addresses yielding amplification factors ≥ 100× via TCP middlebox reflection, with 82.9% of responses from the top 1 million IPs confirmed as originating from on-path middleboxes rather than endpoints. Nation-state censorship infrastructure dominates: China's GFW alone accounts for approximately 154 million responding IP addresses sharing a 3× RST+ACK (54 bytes each) fingerprint.

2021-bock-weaponizing §5.3, §5.5, Table 4 middlebox-interferencerst-injectionpacket-injectionmeasurement-platform

Between January 2017 and September 2018, ICLab conducted 53,906,532 measurements of 45,565 URLs across 62 countries and 234 ASes, detecting blocking of 3,602 unique URLs in 60 countries via DNS manipulation, TCP packet injection, and block page delivery. Iran blocked 20–30% of Alexa top-500 URLs — more than any other monitored country — while Saudi Arabia consistently blocked roughly 10%. The global trend in detected censorship shows a steady decrease, which the authors attribute to rising adoption of TLS and circumvention tools.

2020-niaki-iclab §V dns-poisoningpacket-injectionrst-injectionmeasurement-platform

Data center VPSes predominantly experienced TCP connection timeouts and resets—with the highest-blocking VPS censoring 96.8% of tested domains—while residential ISPs were substantially more likely to inject explicit blockpages citing Roskomnadzor's registry, confirming that blocking mechanism varies significantly by network tier even when blocking rates are similar.

2020-ramesh-decentralized §VI-B rst-injectionip-blockingpacket-injectionkeyword-filtering

Combining boolean network tomography with BGP path churn from the ICLab platform identifies 108 censoring ASes located in 49 countries across 4.9M measurements, reducing the candidate set of potential censoring ASes by 97% on average. 97.9% of constructed SAT CNFs return exactly one solution enabling exact AS-level censor identification, with less than 0.7% returning no solution.

2017-cho-churn Abstract, §4 measurement-platformrst-injectionpacket-injection

OONI's experiment-control methodology explicitly favors false positives over false negatives: it is preferable to generate more censorship candidate events for further investigation than to miss genuine interference. Mismatch between experiment and control data is not always a definitive signal of manipulation but is treated as sufficient cause for flagging, and data collection and analysis are treated as distinct phases.

2012-filast-ooni §4 Methodology measurement-platformdpikeyword-filteringdns-poisoningrst-injection

An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.

2025-alaraj-iran-refraction §4.1.2 packet-injectionrst-injectionip-blocking