Censorship Networks — Tor Blocking Guide
Nation-state and ISP censorship against Tor typically targets guard node IP lists, TLS fingerprinting, or DNS interference — not individual onion hostnames. This article documents how analysts classify blocking scenarios and map them to pluggable transport choices when studying DrugHub endpoint reachability.
Blocking models
Guard enumeration. Censors download public Tor consensus and block listed guard IPs. Symptom: bootstrap stalls near 10–15%. Mitigation: unlisted bridge relays via obfs4 or snowflake.
Protocol DPI. Deep packet inspection recognizes Tor TLS handshakes. Symptom: bootstrap completes intermittently or fails on restrictive uplinks. Mitigation: pluggable transports that reshape traffic — see Pluggable Transports.
DNS interference. Rare for onion access (no DNS lookup for .onion) but can affect Tor Browser update channels or bridge distribution pages. Use offline bridge lines when torproject.org is unreachable.
Protocol fingerprinting
Vanilla Tor exhibits distinctive byte patterns during circuit setup. Research networks document obfs4 as the first-line countermeasure: traffic appears pseudorandom. When bridge IPs are actively enumerated and blocked, snowflake volunteers provide ephemeral WebRTC proxies that resist static blocklists at the cost of higher latency.
Corporate networks
Enterprise proxies often allow HTTPS only to major cloud CDNs. meek-azure tunnels Tor through Azure-fronted domains. It is frequently the slowest option but the only one that works when outbound traffic is restricted to allow-listed SaaS endpoints. Test from the same network class before publishing reachability conclusions.
Selection matrix
Residential ISP guard block
obfs4 bridge → snowflake if burned → retry alternate mirror cluster.
Mobile carrier filtering
Carriers differ; document both obfs4 and snowflake results per carrier where possible.
Corporate HTTPS-only
meek-azure first; expect multi-second latency overhead.
No apparent block
Vanilla Tor may suffice; still verify hostnames via PGP.