In Brunei, censorship is confined to AS10094, which serves approximately 70% of the country's Internet users. The censor injects RST packets bearing a distinctive fingerprint — the censored query's IP ID field — in response to HTTP requests containing censored Host headers, and censors on all ports without residual censorship. A SYN followed immediately by a PSH+ACK with a censored payload is sufficient to trigger blocking without a completed TCP handshake.

Censoring middleboxes' TCP non-compliance — specifically, their willingness to censor bidirectionally without completing the three-way handshake — enables external vantage points outside a censoring country to trigger and measure censorship without any local endpoint participation. The approach requires only a confirmed censored domain per AS, evidence of bidirectional censorship, and minimal residual censorship.

§2 evaluation

Geneva — originally designed to evolve censorship-evasion packet sequences — was repurposed by inverting its fitness function to discover censorship-triggering packet sequences instead. Training against non-responsive IP addresses allows Geneva to attribute all responses to middleboxes, enabling fully automated discovery of triggering strategies without any endpoint cooperation.

§2 evaluation

The endpoint-free methodology fails when bidirectional censorship is absent or when residual censorship is pervasive: experiments in Burundi, Equatorial Guinea, Myanmar, and Kyrgyzstan could not confirm bidirectional censorship, rendering automated triggering-and-measurement inapplicable. Residual censorship causes false positives by making innocuous domains appear blocked following a censored query.

§3 evaluation

Tajikistan routes virtually all national egress and ingress traffic through a single state-run AS (AS51346, Tojiktelecom) under a 2016 national decree, creating a centralized chokepoint. The censor injects RST+ACK packets with a unique 22-byte all-zero payload, censors on all ports, and requires two PSH+ACK packets containing the censored content before injecting — possibly modeling typical multi-resource HTTP browsing behavior.

§3 detection

The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.

2025-tai-irblock §2.1, §3.2 dpirst-injectionpacket-injectionmiddlebox-interference

Internet-wide IPv4 scanning found 386,187 IP addresses yielding amplification factors ≥ 100× via TCP middlebox reflection, with 82.9% of responses from the top 1 million IPs confirmed as originating from on-path middleboxes rather than endpoints. Nation-state censorship infrastructure dominates: China's GFW alone accounts for approximately 154 million responding IP addresses sharing a 3× RST+ACK (54 bytes each) fingerprint.

2021-bock-weaponizing §5.3, §5.5, Table 4 middlebox-interferencerst-injectionpacket-injectionmeasurement-platform

Nation-state censors produce characteristic TCP response fingerprints: China's GFW sends 3× RST+ACK (54 bytes each) from ~170 million IPs; Iran's infrastructure sends 402–405-byte FIN+PSH+ACK plus 54-byte RST+PSH+ACK from 8.6 million IPs (75.7% of responsive Iranian addresses); Saudi Arabia sends a 97-byte PSH+ACK plus 2× 1,354-byte PSH+ACKs at 18.9× amplification from 400,000+ IPs. Most nation-state censors produce less than 4× amplification due to compact block pages.

2021-bock-weaponizing §5.5, Table 4 rst-injectionpacket-injectionmiddlebox-interference

The server-side variant of the blind VPN inference attack—where an in/on-path adversary exploits predictable NAT assignment and tunnel routing semantics to inject spoofed packets indistinguishable from legitimate encrypted traffic—has remained unacknowledged and unmitigated across all tested platforms since its concurrent disclosure in 2019. Unlike the client-side variant, which received partial fixes from Google (CVE-2019-9461, CVE-2024-49734) and Apple (iOS 17.2.1), no vendor has proposed a viable remediation or claimed ownership of the server-side attack surface.

2026-tolley-architectural §2.1, §3.1, §3.4 traffic-shaperst-injectionmiddlebox-interference

An internet-wide scan of 500k IP addresses from an in-country VPS vantage point found TCP establishment-interception injections on 43,479 addresses (8.7% of scanned), with over 70% concentrated in two Akamai ASes (AS16625 and AS20940). The injection pattern — triggered by the first packet sent to these addresses — is consistent with targeted blocking of domain-fronting proxies hosted on Akamai CDN.

2025-alaraj-iran-refraction §4.1.2 packet-injectionrst-injectionip-blocking

Iran's censorship of refraction-networking proxies (Conjure via Psiphon) is not monolithic: different ISPs independently deploy different techniques and timelines. Over 800 million logged Conjure connections from July 2023–February 2025 across 10+ Iranian ASes show TCI (AS58224, ~33% of traffic) uses packet injection, while MCCI/Hamrah-e Avval (AS197207, ~22%) applies IP-based blocking, and some ASes (Parsonline AS16322, Shatel AS31549) show no proxy blocking at all.

2025-alaraj-iran-refraction §4 rst-injectionip-blockingpacket-injectiondpi