Internet censorship affects over four billion people, and deployed circumvention systems share a common weakness: their endpoints are fixed and discoverable, so a patient censor can enumerate and block them. Moving-target circumvention systems instead rotate endpoints across commercial cloud address space faster than censors can react, but the field lacks a theory of when rotation works, leaving rotation intervals and pool sizes to intuition. We give the first formal account of moving-target censorship resistance by modeling the censor-defender interaction as a continuous-time timing game over a combinatorial address-domain space, generalizing FlipIt to a collateral-bounded adversary. We prove a sustainability frontier separating configurations a censor can defeat from those it cannot, and show that under the Great Firewall's 2024 shift to blocking QUIC and TLS by domain, raw rotation speed is not the binding constraint. Instead, availability is governed by the domain burn rate, $β=λ_{\mathrm{disc}}/λ_{\mathrm{intro}}$, the ratio between how quickly the censor blocks defender domains and how quickly the defender introduces fresh ones. We derive a closed-form availability law, prove that address rotation alone cannot sustain high availability when $β>1$ regardless of endpoint rotation speed, and characterize the frontier $β^\star$. We validate the analysis with an open, model-level censor-defender simulator requiring no privileged access or cloud deployment. The simulator reproduces the predicted phase transition at $β^\star$ under adversary profiles representative of the GFW, Russia's TSPU, and Iran, and shows robustness to state-dependent discovery and bursty, provider-correlated burns. The result replaces the heuristic of ``rotate faster'' with a precise operating condition: keeping the domain economy ahead of the censor.

翻译：互联网审查影响着超过四十亿人，而现有规避系统存在一个共同弱点：其端点固定且可被探测，因此有耐心的审查者能够逐一枚举并封锁这些端点。移动目标规避系统则转而以超过审查者反应速度的频率在商业云地址空间中轮换端点，但该领域缺乏关于轮换何时有效的理论，导致轮换间隔和池大小仅凭直觉确定。我们首次通过将审查者-防御者交互建模为组合地址域空间上的连续时间博弈（将FlipIt推广至具有附带限制的对手），给出了移动目标审查抵抗的形式化理论。我们证明了一个可持续性前沿面，该前沿面将审查者能够击败的配置与无法击败的配置区分开来，并表明在长城防火墙2024年转向按域名封锁QUIC和TLS的策略下，原始轮换速度并非约束瓶颈。相反，可用性受域名燃烧率$\beta=\lambda_{\mathrm{disc}}/\lambda_{\mathrm{intro}}$支配，即审查者封锁防御者域名的速度与防御者引入新域名速度之比。我们推导出一个封闭形式的可用性定律，证明当$\beta>1$时，无论端点轮换速度如何，仅靠地址轮换无法维持高可用性，并刻画了前沿点$\beta^\star$。我们通过一个无需特权访问或云部署的开源模型级审查者-防御者模拟器验证了该分析。该模拟器在代表GFW、俄罗斯TSPU和伊朗的对手配置文件下复现了$\beta^\star$处的预测相变，并表明其对状态依赖的发现过程以及突发性、供应商相关的燃烧具有鲁棒性。这一成果将"轮换更快"的启发式规则替换为精确的操作条件：保持域名经济领先于审查者。