Over 2.5 months (Nov 2024–Jan 15, 2025), IRBlock scanned all 11M Iranian IPv4 addresses daily, finding 6.8M IPs subject to DNS poisoning and HTTP blockpage injection, and 5.4M IPs subject to UDP-based traffic disruption. Testing over 700M FQDNs (500M apex domains) revealed 6M banned FQDNs from 3.3M censored apex domains. Of 537 active ASes in Iran, 485 (90.3%) exhibited blocking for at least 25% of assigned IPs. DNS and HTTP censorship overlapped at >99% of censored IPs; UDP blocking was a strict subset of DNS-censored IPs, affecting ~5M addresses.

Censorship enforcement varies dramatically across Iranian ASes. AS58224 (TCI, 3.6M IPs) blocks 89-98% of IPs across DNS injectors and 87.6% for UDP. AS197207 (MCCI, 2.3M IPs) and AS44244 (IranCell, 1.3M IPs) show near-zero censorship (0.15-0.76% across injectors). AS31549 (RASANA, 577k IPs) blocks 97-99% for DNS/HTTP but 64% for UDP. Some IPs— including those belonging to the Iranian President's website and Ministry of Foreign Affairs—are deliberately exempted from bidirectional censorship. Two exempted MFA IPs (109.201.19.184 and 109.201.27.67) appear linked to APT15 (Playful Taurus) C&C infrastructure.

§5.1, §5.2, Table 1 evaluation

IRBlock discovered that 1.7M of 3.3M blocked apex domains (52%) were attributed to blanket suffix-level blocking rules rather than individual domain listings. Examples include regex patterns targeting all Israeli domains (.il TLD), adult content (.porn), and country-coded suffixes (.com.mx, .my.id). Of 87K Tranco-ranked apex domains analyzed, 37% fell into adult content, with entertainment and gambling following. Approximately 1.27M apex domains were jointly censored by both DNS and HTTP filters, while the two filters maintained operationally independent blocklists for a significant fraction of domains.

§5.3 detection

The GFI's HTTP and HTTPS filters are now stateful (requiring initial SYN packet with matching sequence numbers) and have been activated on all TCP ports—not only standard ports 80 and 443 as reported by prior studies. This is a significant departure from previous work that found stateless HTTP/HTTPS blocking limited to standard ports. The HTTP filter injects a 403 Forbidden blockpage (not RST packets as used by the GFW), while HTTPS injects a single RST+ACK packet. The GFI also exhibits TCP non-compliance (not requiring a full three-way handshake to trigger filtering), enabling outside-in measurement without in-country servers.

§2.1, §3.2 detection

The GFI operates three distinct DNS/HTTP injectors with different fake IP addresses (10.10.34.34, 10.10.34.35, 10.10.34.36) and partially overlapping blocklists—mirroring the GFW's triplet-censor architecture. Injector 10.10.34.35 exhibits TTL reflection (injected response TTL = probe TTL − hop count), identical to the GFW. No IP exclusively receives injections from 10.10.34.34 (a smaller, selective component); the two primary injectors 10.10.34.35 and 10.10.34.36 handle the majority of censorship. Different injectors maintain distinct domain blocklists, meaning which domains a user sees as censored depends on routing through their AS.

§5.4, Table 2 detection

Wallbleed was a buffer over-read in the GFW's DNS injection subsystem that caused middleboxes to append up to 125 bytes of their own process memory to forged DNS responses. The bug persisted for at least two years (confirmed from October 2021); the GFW issued an incorrect partial patch in November 2023 (Wallbleed v2 remained exploitable) and fully patched it in March 2024. Over 5.1 billion Wallbleed responses were collected during continuous measurement, and an IPv4-wide scan found 242 million IP addresses across 381 autonomous systems receiving Wallbleed-injected responses — including some traffic whose source and destination were both outside China, due to routing through China's network border.

2025-fan-wallbleed §1–§3, §7 dns-poisoningpacket-injection

Iran's DNS censor now injects two distinct block-page IPs: 10.10.34.36 (≈87% of 47,633 censored domains) and 10.10.34.34 (≈13%). Both originate from the same network node at Iran's border. Prior research (Aryan et al. 2013) described only 10.10.34.34. The IP injected correlates strongly with the HTTP censorship method applied: domains with 10.10.34.34 in DNS receive TCP RST via HTTP (86.8% of RST cases), while domains with 10.10.34.36 in DNS receive HTTP block pages (84.6% of block-page cases).

2025-lange-i-ra-nconsistencies §3.1, Table 2 dns-poisoningrst-injectionpacket-injection

Neither China nor Iran directly block ECH ClientHello messages; instead both effectively prevent ECH by censoring encrypted DNS resolvers. China blocks Cloudflare's DoH/DoT resolver (mozilla.cloudflare-dns.com) via SNI-based blocking in TLS and QUIC, causing residual censorship of up to 360 and 180 seconds respectively. Iran blocks both Cloudflare and NextDNS DoH hostnames via DNS block-page injection, TLS TCP RST, and HTTP block pages. Iran cannot analyze QUIC, so DoQ is uncensored and enables ECH in Iran. China's NextDNS IP blackholing affected only one of two resolved IPs, leaving an uncensored path.

2025-niere-encrypted §5, Table 1, Figure 5 dns-poisoningsni-blockingrst-injectionhttp3-quic-block

The GFW DNS injector vulnerability enabled reflective amplification attacks with a baseline factor of 4.04× (46-byte payload → 186-byte response). Combined with routing loops — approximately 1,000 destination IP addresses in China were found to loop packets across the GFW more than 30 times, with 159 persisting after two days and a maximum of 119 loop iterations per query — the effective amplification factor reached 481.17×, sufficient to generate 100 Gbps of attack traffic from just over 200 Mbps of source traffic.

2024-sakamoto-bleeding §5.2 Reflective Amplification Attack dns-poisoningpacket-injection

The GFW's DNS packet injector (Injector 3, identified by TTL mirroring and zero IP ID) contained an out-of-bounds read vulnerability: due to missing label-length and null-terminator validation, malformed DNS requests caused the injector to copy adjacent stack memory into forged responses. Over three days in October 2023, researchers collected over 1 TB of data containing over 13 billion leaks, ~87.43% with non-duplicate content, including live Internet traffic transiting China's backbone and stack frames of the GFW's packet-handling processes.

2024-sakamoto-bleeding §3 Vulnerability dns-poisoningpacket-injectiondpi

136 Russian government domains (25.09% of 542 accessible ones) blocked access to all tested countries outside Russia, and a further 112 (20.66%) were accessible only from Russian and Kazakhstani vantage points. Geoblocking was implemented via heterogeneous, uncoordinated mechanisms—DNS timeouts, TCP timeouts, HTTP 403 Forbidden responses, and explicit blockpages—across different domains, indicating an ad hoc emergency response with no central policy.

2023-ramesh-network §4.2 ip-blockingdns-poisoningpacket-injection