Analysis of 5.1 billion Wallbleed responses revealed that the leaked memory contains fragments of live network traffic processed by the injection device: IP/TCP/UDP/HTTP headers and payloads (including plaintext traffic not related to DNS), x86_64 Linux stack frames with ASLR-consistent pointer patterns, and what appear to be glibc stack canaries. The 166 million UPnP/SSDP snippets in leaked memory suggest the GFW device shares a memory pool with traffic from private RFC 1918 addresses, hinting at internal management-plane traffic co-located with the censorship infrastructure. A side channel — the fixed cyclic ordering of false IP addresses across injection processes — distinguishes individual GFW injector processes from each other.

Wallbleed was a buffer over-read in the GFW's DNS injection subsystem that caused middleboxes to append up to 125 bytes of their own process memory to forged DNS responses. The bug persisted for at least two years (confirmed from October 2021); the GFW issued an incorrect partial patch in November 2023 (Wallbleed v2 remained exploitable) and fully patched it in March 2024. Over 5.1 billion Wallbleed responses were collected during continuous measurement, and an IPv4-wide scan found 242 million IP addresses across 381 autonomous systems receiving Wallbleed-injected responses — including some traffic whose source and destination were both outside China, due to routing through China's network border.

§1–§3, §7 deployment

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

TCP segmentation (splitting a DNS message into 20-byte TCP fragments) successfully circumvented DNS censorship in China for nearly all resolvers that support TCP. In Iran, TCP segmentation was only partially effective due to the censor's ability to reassemble TCP fragments when system load permits—some runs succeeded completely, others failed entirely across all resolvers. The "Last Response" mode (wait 3 seconds for the final UDP reply) was highly effective against China's on-path GFW injector for all resolvers except the fully IP-blocked Cloudflare 1.1.1.1 resolver.

2026-lange-towards §4.1, §6.2.1, §6.2.2 dns-poisoningdpi

TCP segmentation — splitting DNS-over-TCP messages into 20-byte fragments — successfully circumvented DNS censorship for 40 of 41 tested resolvers in China. In Iran, TCP segmentation is inconsistently effective: it succeeds in some scan runs and fails entirely in others, suggesting the Iranian censor can reassemble TCP fragments when processing capacity permits.

2026-niere-dpyproxy-dns §6.2.1, §6.2.2 dpidns-poisoning

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 dpisni-blockingdns-poisoningmeasurement-platform

TTL-based path analysis showed that all censorship actions (DNS poisoning, HTTP injection, TLS resets) in the June 2025 shutdown occurred at the same network hop across all tested ISPs, indicating a single centralized national border gateway—likely TCI AS gateways—rather than per-ISP enforcement. Global BGP announcements were kept intact throughout, making the shutdown invisible to routing monitors while domestic connectivity collapsed.

2025-aryapour-stealth-blackout §4.5 dpidns-poisoningrst-injection