The GFW blocks Tor primarily by dropping SYN/ACK segments entering China from blacklisted IP/port pairs, not by dropping SYN segments leaving China. Of 142,802 CN→Tor-Relay measurements, 81.52% were Server-to-client-dropped versus only 0.55% Client-to-server-dropped. Blocking Tor directory authorities also showed substantial Client-to-server drops (19.61%), suggesting authorities may be treated differently.

GFW filtering failures — cases where blocked Tor traffic passed through — showed no conspicuous geographic patterns across China. The maximum observed Pearson correlation coefficient between neighboring clients' failure counts was 0.26 (near-zero), and failure cases were geographically distributed in proportion to Internet penetration, not clustered by province or ISP region.

§4.2, Figure 6, Figure 8 evaluation

GFW failures are both persistent and intermittent: four client/server pairs showed all 22 hourly measurements over a full day returning No-packets-dropped (entirely unblocked), while many others showed only sporadic failures. Temporal analysis showed failures cluster in bursts of hours, with probability of a second failure decaying sharply beyond ~5 hours after the first.

§4.1, §4.2, Figure 7 evaluation

Routing is the dominant structural factor in GFW failures. CERNET (the Chinese Educational and Research Network) accounted for 503 of 135 destination IPs' failures — by far the most of any network — and packets transiting CERNET→CERNET links reached Tor destinations at an r=0.9896 ratio, near 1.0. Within CHINANET and CNC Group backbones, the Tor-to-non-Tor traversal ratio dropped to 0.403 and 0.272 respectively (Table 4), indicating heavy intra-ISP filtering.

§5.2, §5.3, Table 3, Table 4 evaluation

The hybrid idle scan technique converts approximately 1% of the total IPv4 address space into passive measurement vantage points without requiring control of either the censored client or the destination server, enabling full bipartite connectivity measurements across 161 geographically stratified Chinese clients and 176 servers over 27 days. After data pruning for quality, 36% of raw measurements were usable; ARMA modeling was sufficient (over Hidden Markov Models) because only level-shift detection was needed.

§2.3, §3.2.1, §4 evaluation

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

IP and port blocking dropped from 30% of countries historically to only 9% during the study period (six countries), with the decline attributed to difficulty maintaining ephemeral blocklists, CDN collateral damage, and IPv6 expansion. Iran is a significant exception: it has implemented port allowlisting — permitting only ports 80, 443, and 53 — on multiple occasions, blocking all other ports entirely.

2023-master-worldwide §4.3, Table 2 ip-blockingport-blocking

Camoufler's blocking-resistance relies on collateral-damage economics: IM platforms had ~2.5 billion active users as of January 2019 (projected >3 billion by 2022) and are embedded in essential business and commercial operations (airline e-tickets, professional collaboration tools). Blocking all IM to disrupt Camoufler would require the censor to harm its own economy; the threat model requires only that the censor permits at least one IM platform, in which case Camoufler remains operational.

2021-sharma-camoufler §3.1, §7 ip-blockingport-blocking

Protozoa uses the economic and social indispensability of popular WebRTC conferencing services as a censorship deterrent: blocking all WebRTC traffic imposes prohibitive collateral damage on legitimate commerce and communication. This 'parasitism' strategy means the circumvention tool inherits the blocking immunity of the carrier without requiring any protocol mimicry at the network level. Protozoa requires only one reachable WebRTC service to function, and Table 3 confirms at least five services remained unblocked in China during testing.

2020-barradas-poking §3, §7.2 ip-blockingport-blocking

Of 229 Thai Internet users surveyed, 63% (n=144) had attempted to circumvent censorship, and of those, roughly 90% (n=132) reported success using VPNs (32.64%), proxies (32.64%), or Tor (23.61%). Failures were isolated to proxies (n=2), VPNs (n=2), and alternative searches (n=3), indicating that existing circumvention tools were technically adequate but that availability and comprehensibility—not raw capability—were the binding constraints on user success.

2017-gebhart-internet §5.2.1, Table 2 ip-blockingport-blocking

GFW blocking was keyed on both IP address and port number, not IP address alone. Bridges with port 22 (SSH) open had that port remain reachable even as other ports on the same IP were blocked, confirming per-(IP, port) tuple granularity in the GFW blocklist.

2016-fifield-censors §4 Results ip-blockingport-blocking