{"endpoints":{"distribution":"/v1/atlas/dpi-distribution","per_vendor":"/v1/atlas/dpi-fingerprints/{vendor_slug}"},"fingerprints":[{"blocking_method_in":["tcp-reset","tcp-timeout","ip-blocked"],"category":"state-deployed-dpi","confidence_floor":0.55,"country_prior":["RU"],"public_source":"arXiv:2203.04534 (Xue et al. IMC 2022)","signal_type_in":["block","blocking","http-blocking-tcp-reset","http-blocking-timeout","interference"],"upstream_claim_regex":"(twitter|x\\.com|facebook|instagram|signal|tor|openvpn|cloudflare|wikipedia|youtube)","vendor":"Russia TSPU","vendor_slug":"russia-tspu","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.4,"regex_hit":0.2,"signal_type_hit":0.2},"what_it_is":"Roskomnadzor-mandated DPI midbox deployed at every Russian ISP since 2021 under Law 90-FZ. Default behavior is TCP RST injection on packets matching a centrally-maintained registry of blocked SNIs + IPs. Characterised in IMC 2022 Xue et al. as decentralised but uniformly configured."},{"blocking_method_in":["tcp-reset","dns-poisoned","ip-blocked","tcp-timeout"],"category":"state-deployed-dpi","confidence_floor":0.55,"country_prior":["CN"],"public_source":"Ensafi et al. IMC 2015; Wang et al. CCS 2015","signal_type_in":["block","blocking","http-blocking-tcp-reset","dns-blocking","tor-blocking","interference"],"upstream_claim_regex":"(google|facebook|twitter|x\\.com|wikipedia|telegram|whatsapp|signal|tor|github\\.com|youtube)","vendor":"China GFW","vendor_slug":"china-gfw","weights":{"blocking_method_hit":0.25,"country_prior_hit":0.35,"regex_hit":0.2,"signal_type_hit":0.2},"what_it_is":"Great Firewall — the originating large-scale state DPI. Combines DNS poisoning at recursive resolvers, SYN-ACK then RST injection on TCP, SNI / Server Name Indication keyword matching, active probing of suspected obfuscated proxies, and BGP-level null-routing for blacklisted IP ranges."},{"blocking_method_in":["tcp-reset","http-blockpage","dns-poisoned","ip-blocked"],"category":"state-deployed-dpi","confidence_floor":0.5,"country_prior":["IR"],"public_source":"Aryan et al. FOCI 2013; Citizen Lab Iran reports","signal_type_in":["block","blocking","http-blocking-blockpage","http-blocking-tcp-reset","dns-blocking","interference"],"upstream_claim_regex":"(peyvandha|10\\.10\\.34\\.34|iran\\.ir|filter|forbidden|haraam)","vendor":"Iran ARIA DPI","vendor_slug":"iran-aria-dpi","weights":{"blocking_method_hit":0.15,"country_prior_hit":0.3,"regex_hit":0.35,"signal_type_hit":0.2},"what_it_is":"Iran's state DPI system, sometimes referenced as ARIA in Citizen Lab work. Distinctive blockpage redirects to 10.10.34.34 (the famous Iranian DPI sinkhole IP) or peyvandha.ir. Heavy SNI-based TLS blocking + DNS injection."},{"blocking_method_in":["http-blockpage","tcp-reset","http-403"],"category":"commercial-dpi-appliance","confidence_floor":0.55,"country_prior":["MM","PK","ID","BD","AE","SA","BH","KH","VN","TH","TR","IQ"],"public_source":"Citizen Lab Planet Netsweeper 2018; OONI blockpage corpus","signal_type_in":["block","blocking","http-blocking-blockpage","http-blocking-tcp-reset"],"upstream_claim_regex":"(fortigate|fortinet|fortiguard|web filter violation|webfilter)","vendor":"FortiGate (Fortinet)","vendor_slug":"fortigate","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.2,"regex_hit":0.45,"signal_type_hit":0.15},"what_it_is":"Fortinet FortiGate next-gen firewall family. Widely sold as a turnkey corporate / ISP filter. Distinctive blockpage HTML titled 'Web Filter Violation' or 'FortiGuard'."},{"blocking_method_in":["http-blockpage","http-403","tcp-reset"],"category":"commercial-dpi-appliance","confidence_floor":0.55,"country_prior":["MM","PK","ID","BD","TH","VN","PH","KH","LA"],"public_source":"Citizen Lab Myanmar 2021; Sangfor product docs","signal_type_in":["block","blocking","http-blocking-blockpage","http-blocking-tcp-reset"],"upstream_claim_regex":"(sangfor|x-application-context: SF-IAM|sf-iam|sf-ngaf)","vendor":"Sangfor","vendor_slug":"sangfor","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.2,"regex_hit":0.5,"signal_type_hit":0.1},"what_it_is":"Sangfor IAM / NGAF — Shenzhen-based DPI vendor heavily deployed across Southeast Asia. Citizen Lab tied Sangfor gear to the Myanmar military regime's 2021 censorship build-out. Distinctive `Server: SF-IAM` HTTP header on block responses."},{"blocking_method_in":["http-blockpage","dns-poisoned","http-redirect","http-403"],"category":"commercial-dpi-appliance","confidence_floor":0.55,"country_prior":["BH","KW","QA","AE","YE","IN","PK","OM"],"public_source":"Citizen Lab 'Planet Netsweeper' 2018","signal_type_in":["block","blocking","http-blocking-blockpage","dns-blocking"],"upstream_claim_regex":"(netsweeper|deny\\.netsweeper|webadmin)","vendor":"Netsweeper","vendor_slug":"netsweeper","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.25,"regex_hit":0.4,"signal_type_hit":0.15},"what_it_is":"Netsweeper Inc. (Canada) — URL categorisation + filter appliance sold to ISPs as a turnkey block-list enforcer. Citizen Lab's 'Planet Netsweeper' (2018) documented deployments across Bahrain, Kuwait, Qatar, UAE, Yemen. Distinctive 'deny.netsweeper' URL redirect pattern."},{"blocking_method_in":["http-blockpage","tcp-reset","http-403"],"category":"commercial-dpi-appliance","confidence_floor":0.55,"country_prior":["SY","BH","QA","AE","SA","KW","EG","MM","VE"],"public_source":"Citizen Lab 'Behind Blue Coat' 2011; 2013 follow-up","signal_type_in":["block","blocking","http-blocking-blockpage","http-blocking-tcp-reset"],"upstream_claim_regex":"(blue ?coat|bluecoat|proxysg|symantec[- ]proxy|proxy notification)","vendor":"Blue Coat / Symantec ProxySG","vendor_slug":"blue-coat","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.25,"regex_hit":0.45,"signal_type_hit":0.1},"what_it_is":"Blue Coat (now Symantec / Broadcom) ProxySG — flagship carrier-grade DPI proxy historically associated with Gulf-state filtering. Citizen Lab 'Behind Blue Coat' 2011 first identified the gear in Syria, then UAE / SA / Bahrain / Qatar. Blockpage typically titled 'Proxy Notification'."},{"blocking_method_in":["http-blockpage","http-redirect","http-403"],"category":"commercial-dpi-appliance","confidence_floor":0.55,"country_prior":["SA","AE","KW","TN","OM","BH"],"public_source":"Citizen Lab Saudi reports 2004-2017","signal_type_in":["block","blocking","http-blocking-blockpage"],"upstream_claim_regex":"(smartfilter|secure computing|mcafee web|isu\\.net\\.sa|saudia online)","vendor":"Smartfilter (Secure Computing / McAfee)","vendor_slug":"smartfilter","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.25,"regex_hit":0.45,"signal_type_hit":0.1},"what_it_is":"Smartfilter (Secure Computing -> McAfee -> Forcepoint) — URL filter long deployed by the Saudi ISU (Internet Services Unit) and other Gulf state regulators. Distinct ISU branded blockpage redirect at *.isu.net.sa."},{"blocking_method_in":["http-blockpage","tcp-reset","http-403"],"category":"commercial-dpi-appliance","confidence_floor":0.6,"country_prior":["IN","PK","EG","TR","SA","AE","MY","TH","ID","SG"],"public_source":"Cisco WSA documentation; OONI blockpage corpus","signal_type_in":["block","blocking","http-blocking-blockpage","http-blocking-tcp-reset"],"upstream_claim_regex":"(cisco|ironport|wsa[- ]notification|access denied by web security)","vendor":"Cisco Web Security (Ironport)","vendor_slug":"cisco-web-security","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.2,"regex_hit":0.5,"signal_type_hit":0.1},"what_it_is":"Cisco Web Security Appliance (WSA, formerly Ironport S-series). Carrier and enterprise-grade DPI with both blockpage and TLS interception. Distinctive 'Cisco WSA Notification' blockpage or 'Access denied by web security' string."},{"blocking_method_in":["http-blockpage","tcp-reset","http-403"],"category":"commercial-dpi-appliance","confidence_floor":0.6,"country_prior":["AE","SA","TR","EG","PK","TH","IN","MY","SG"],"public_source":"Palo Alto product docs; Citizen Lab MENA reports","signal_type_in":["block","blocking","http-blocking-blockpage","http-blocking-tcp-reset"],"upstream_claim_regex":"(palo alto|pan-os|panw|url filtering[- ]block)","vendor":"Palo Alto Networks","vendor_slug":"palo-alto","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.2,"regex_hit":0.5,"signal_type_hit":0.1},"what_it_is":"Palo Alto Networks PA-series next-gen firewall. Carrier-deployed in enterprise and some ISP environments. Distinctive 'URL Filtering Block' page or 'PAN-OS' in HTTP responses."},{"blocking_method_in":["tcp-reset","dns-poisoned","ip-blocked"],"category":"state-deployed-dpi","confidence_floor":0.55,"country_prior":["BY"],"public_source":"OONI 2020 Belarus election report; ISOC NetLoss","signal_type_in":["block","blocking","http-blocking-tcp-reset","dns-blocking","interference"],"upstream_claim_regex":"(beltelecom|belarus|charter97|nexta|tut\\.by|naviny)","vendor":"Belarus DPI (Beltelecom)","vendor_slug":"belarus-beltelecom-dpi","weights":{"blocking_method_hit":0.15,"country_prior_hit":0.4,"regex_hit":0.25,"signal_type_hit":0.2},"what_it_is":"Belarus state DPI infrastructure operated through Beltelecom (the dominant state telecom). During the 2020 election unrest, the country effectively cut external internet via DPI + BGP withdrawal. Persistent SNI + DNS blocking of opposition outlets remains."},{"blocking_method_in":["tcp-reset","http-blockpage","dns-poisoned"],"category":"state-deployed-dpi","confidence_floor":0.55,"country_prior":["TR"],"public_source":"OONI Turkey reports 2017-present","signal_type_in":["block","blocking","http-blocking-tcp-reset","http-blocking-blockpage","dns-blocking","interference"],"upstream_claim_regex":"(btk|telekom\\.gov\\.tr|bilgi teknolojileri|wikipedia|twitter|x\\.com)","vendor":"Turkey BTK DPI","vendor_slug":"turkey-btk-dpi","weights":{"blocking_method_hit":0.15,"country_prior_hit":0.35,"regex_hit":0.3,"signal_type_hit":0.2},"what_it_is":"Turkey's BTK (Information and Communication Technologies Authority) operates URL + SNI blocking via court orders. Wikipedia was famously blocked 2017-2019. Common pattern is DNS injection at TTNet + Türk Telekom resolvers, plus SNI-based RST."},{"blocking_method_in":["tcp-reset","http-blockpage","dns-poisoned","ip-blocked"],"category":"state-deployed-dpi","confidence_floor":0.55,"country_prior":["MM"],"public_source":"Citizen Lab Myanmar 2021; Justice for Myanmar reports","signal_type_in":["block","blocking","http-blocking-tcp-reset","http-blocking-blockpage","outage"],"upstream_claim_regex":"(facebook|twitter|whatsapp|signal|tor|vpn|wikipedia|news)","vendor":"Myanmar Military Junta DPI","vendor_slug":"myanmar-junta-dpi","weights":{"blocking_method_hit":0.2,"country_prior_hit":0.4,"regex_hit":0.2,"signal_type_hit":0.2},"what_it_is":"Post-coup DPI build-out using Sangfor + locally-deployed filtering gear under the Tatmadaw. Citizen Lab tied specific Sangfor IAM hardware to junta-controlled MPT and Mytel infrastructure in 2021-2022."},{"blocking_method_in":["tcp-reset","http-blockpage","dns-poisoned"],"category":"state-deployed-dpi","confidence_floor":0.55,"country_prior":["PK"],"public_source":"Sandvine procurement records; Citizen Lab PK reports","signal_type_in":["block","blocking","http-blocking-tcp-reset","http-blocking-blockpage","dns-blocking"],"upstream_claim_regex":"(pta|pakistan|sandvine|youtube|tiktok|wikipedia)","vendor":"Pakistan PTA Web Monitoring System","vendor_slug":"pakistan-pta-wms","weights":{"blocking_method_hit":0.15,"country_prior_hit":0.35,"regex_hit":0.3,"signal_type_hit":0.2},"what_it_is":"Pakistan Telecommunication Authority's Web Monitoring System — originally Sandvine PacketLogic, later supplemented by domestic gear. Blocked YouTube 2012-2016, Wikipedia briefly, TikTok periodically. SNI + URL filter."}],"generated_at":"2026-05-21T19:12:20.987906+00:00","honest_caveats":["Heuristic matching, not ML — false positives possible.","Public fingerprints lag vendor product updates (e.g., FortiGate redesigned its blockpage HTML in 2023; pre-2023 evidence may still match).","State DPI configurations rotate (Iranian/Chinese governments update keyword + SNI lists daily); matches age out.","An evidence row matching a vendor does NOT mean that vendor performed the block — only that the observed signal is consistent with that vendor's known behaviour pattern.","Multi-vendor environments are common: a country may run Sangfor at ISP-A and FortiGate at ISP-B — we match at evidence-row granularity, not country granularity.","Some vendors share blockpage templates with white-label clones; Sangfor + a few Sangfor OEMs are difficult to disambiguate.","We do NOT identify the operator (government vs ISP vs corporate filter); the vendor match is the device family only."],"match_stats":{"by_vendor":{"belarus-beltelecom-dpi":937,"blue-coat":30,"china-gfw":6378,"fortigate":519,"iran-aria-dpi":1870,"myanmar-junta-dpi":1709,"netsweeper":59,"pakistan-pta-wms":1449,"russia-tspu":5197,"turkey-btk-dpi":1399},"match_rate":0.22645334692648114,"n_matched":19547,"n_total_evidence":86318},"methodology":"Each fingerprint is a hand-curated rule with up to four components: country_prior (where the vendor is publicly documented as deployed), signal_type_in (which evidence row signal_type values are consistent with this vendor), blocking_method_in (which blocking_method tags are consistent), and upstream_claim_regex (a regex over the upstream_claim text). A row matches a vendor when the weighted sum of fired components >= confidence_floor. We emit at most one match per row, choosing the highest computed confidence; ties go to the rule with the most specific signal (regex > blocking_method > country_prior).","n_fingerprints":14,"schema":"voidly-dpi-fingerprints/v1","vendor_categories":["commercial-dpi-appliance","state-deployed-dpi"],"version":"v1.0","_voidly_pay":{"claim_did":"https://voidly.ai/pay/claim","for_builders":"https://voidly.ai/pay/for-builders","marketplace":"https://api.voidly.ai/v1/pay/marketplace","live_demo":"https://huggingface.co/spaces/emperor-mew/voidly-pay","universal_proxy":{"url":"https://api.voidly.ai/v1/pay/proxy","example":"https://api.voidly.ai/v1/pay/proxy?u=<https-url>&to=did:voidly:<your-did>&price=0.01","page":"https://voidly.ai/pay/proxy","note":"Paywall any public HTTPS URL with one query param. No SDK install required."},"install":{"typescript":"npm install @voidly/pay","python":"pip install voidly-pay","langchain":"pip install voidly-pay-langchain","vercel_ai":"npm install @voidly/pay-vercel-ai","mcp":"npx @voidly/pay-mcp","cli":"npm install -g @voidly/pay-cli"},"note":"Voidly Pay is the open agent-to-agent payment rail. Claim a DID + 10 starter credits in 60s, or paywall any URL via the universal proxy with one query param."}}