Independent encyclopedia — Tor connectivity, endpoints, and verification (not an operator site)

Censorship Networks — Tor Blocking Guide

Nation-state and ISP censorship against Tor typically targets guard node IP lists, TLS fingerprinting, or DNS interference — not individual onion hostnames. This article documents how analysts classify blocking scenarios and map them to pluggable transport choices when studying DrugHub endpoint reachability.

Blocking models

Guard enumeration. Censors download the public Tor consensus and block the listed guard IPs. Symptom: bootstrap stalls near 10–15%. Mitigation: unlisted bridge relays via obfs4 or snowflake.

Protocol DPI. Deep packet inspection recognizes Tor TLS handshakes. Symptom: bootstrap completes intermittently or fails on restrictive uplinks. Mitigation: pluggable transports that reshape traffic — see Pluggable Transports.

DNS interference. Rare for onion access (no DNS lookup for .onion) but can affect Tor Browser update channels or bridge distribution pages. Use offline bridge lines when torproject.org is unreachable.

Protocol fingerprinting

Vanilla Tor exhibits distinctive byte patterns during circuit setup. Research networks document obfs4 as the first-line countermeasure: traffic appears pseudorandom. When bridge IPs are actively enumerated and blocked, snowflake volunteers provide ephemeral WebRTC proxies that resist static blocklists at the cost of higher latency.

Corporate networks

Enterprise proxies often allow HTTPS only to major cloud CDNs. meek-azure tunnels Tor through Azure-fronted domains. It is frequently the slowest option but the only one that works when outbound traffic is restricted to allow-listed SaaS endpoints. Test from the same network class before publishing reachability conclusions.

Selection matrix

Residential ISP guard block. obfs4 bridge → snowflake if burned → retry alternate mirror cluster.

Mobile carrier filtering. Carriers differ; document both obfs4 and snowflake results per carrier where possible.

Corporate HTTPS-only. meek-azure first; expect multi-second latency overhead.

No apparent block. Vanilla Tor may suffice; still verify hostnames via PGP.
