TSPU devices perform in-line packet manipulation — they can inject RST packets, drop traffic, and throttle connections — rather than routing traffic to an out-of-band sniffer that votes to block. The inline placement means TSPU can act on the first-packet payload and impose latency on all matching flows, not only on those selected by sampling. Blocking decisions are therefore applied with high recall at the ISP edge, and circumvention tools that rely on short observation windows (e.g. only obfuscating the first N bytes) are vulnerable to continued inline inspection of subsequent traffic.

Russia's TSPU ("Средства противодействия угрозам") system is deployed inline at individual ISP edges rather than at centralized internet exchange points, producing substantial per-ISP heterogeneity: some providers apply layer-7 SNI/Host filtering while others rely primarily on IP-prefix blocklists, and QUIC/HTTP3 is blocked at several major providers. Rollout timing and enforcement depth vary measurably across autonomous systems, meaning a single "Russia passes/fails" test fixture systematically underestimates blocking coverage.

§4–§5 deployment

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

The report maps specific Belt and Road Initiative Digital Silk Road projects through which Chinese technology vendors have transferred censorship and surveillance infrastructure to Iran, including fiber backbone investments, data-center co-location agreements, and equipment supply chains. Specific vendors named include Huawei and ZTE as network infrastructure providers, with the report noting that equipment exports include filtering-capable hardware that Iran's ISPs have deployed at network choke points.

2026-article19-tightening-the-net §4, §5 dpisni-blockingthrottling

TLS connections to blocked services (instagram.com, telegram.org) were terminated by TCP RST immediately after the client's ClientHello, before any certificate exchange, confirming SNI-based DPI that reads the plaintext SNI extension and aborts the handshake. HTTP filtering additionally matched Host headers and URL keywords case-sensitively, with injected HTTP 403 pages or TCP RST responses, and case-change evasions were sometimes effective.

2025-aryapour-stealth-blackout §4.2, §4.3 sni-blockingdpirst-injectionkeyword-filtering

Censoring middleboxes predominantly use RST injection rather than in-path packet dropping because injecting forged RST/RST+ACK packets does not require the middlebox to sit in the data path — off-path copies of packets suffice. The GFW specifically injects both RST and RST+ACK packets simultaneously after an offending PSH, a known idiosyncratic signature, while Iran's censor uses post-handshake RST injection (⟨SYN;ACK→RST⟩) and packet drops at the same stage.

2023-raman-global §2.1, §4.1 rst-injectiondpisni-blocking

The GFW enforces SNI-based blocking on every TCP port (not just 443), triggering TCP RST injection and a penalty box for known-censored hostnames (e.g., facebook.com, zh.wikipedia.org) in the TLS ClientHello. The SNI blocklist is separate from the HTTP keyword blocklist — keyword-derived subdomains in the SNI did not trigger censorship. No evidence was found for indiscriminate HTTPS decryption or certificate substitution.

2021-rambert-chinese §4.6 sni-blockingrst-injectiondpi

In HTTP tests, more than 50% of filter responses that indicated censorship contained an injected HTML blockpage; the remainder used TCP RST injection or connection timeout. In HTTPS measurements, canonical template matching had a failure rate of only 1.9%, and 95% of Hyperquack measurements completed within 3.5 hours across ~45,000 vantage points.

2020-raman-measuring §III-A, §IV dpirst-injectionsni-blockingmeasurement-platform