Version 2 (modified by phw, 8 years ago)

Added information about how web sites are blocked.

China (#4744, #4185)

Summary of the current situation

Most of the time, the directory authorities as well as the public relays are blocked. In addition, the Great Firewall of China blocks most bridges. It does this by looking for new Tor connections: when the firewall finds one, it scans the connection's destination by trying to establish a Tor connection with it, and if that succeeds, the destination is blocked. An analysis can be found at: and at .

First witnessed

The follow-up scanning strategy to block Tor bridges became known in October 2011 (#4185). According to other reports, this type of follow-up scanning might even date back to 2010: .

Last witnessed

The block is still ongoing despite blocking outages occurring every now and then.

Types of Tor censorship

  • Deep packet inspection: #4744
  • IP blocking:
    • All 8 directory authorities seem to be blocked on the IP layer. They respond neither to TCP, nor to ICMP requests.
  • IP:port blocking:
    • Public relays as well as bridges are usually blocked by IP:port, presumably to limit collateral damage. The block is done by dropping the SYN/ACK segment that the bridge sends to the Tor client.
  • Spoofed RST segments:
    • Spoofed RST segments to terminate TCP connections to bridges have been observed. However, the IP:port blocking seems to be more common.
  • Active probing:
    • After DPI boxes detect the Tor cipher list, seemingly random machines connect to the suspected bridge and try to start a Tor connection. If this probing succeeds, the bridge is blocked. There is reason to believe that the IP addresses of these machines are spoofed.
  • Web site block:
    • All web sites containing the string "" in the Host field are blocked when accessed over HTTP. The connection is terminated by spoofed RST segments.
      $ telnet 80
      Connected to
      Escape character is '^]'.
      GET / HTTP/1.1
      Connection closed by foreign host.
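The blocking types listed above leave different traces at the client, so a measurement run can be sorted into them mechanically. The following is an added example, not code from the Tor project: the `Probe` record, the label strings and the use of an uncensored control host are assumptions, and the sample data is constructed. A client-side trace cannot prove that an RST was spoofed, so that case is only labelled as a reset.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    ip: str
    port: int
    icmp_reply: bool            # echo reply seen from the test vantage point
    synack: bool                # SYN/ACK seen for our SYN
    rst_after: Optional[int]    # payload bytes sent before an RST arrived, None if no RST
    control_ok: bool            # same ip:port answered from an uncensored control host


def classify(probes):
    """Map (ip, port) -> label using the blocking types listed on this page."""
    by_ip = defaultdict(list)
    for p in probes:
        by_ip[p.ip].append(p)

    labels = {}
    for ip, group in by_ip.items():
        # Any sign of life from the IP rules out a blanket IP-layer block.
        ip_alive = any(p.icmp_reply or p.synack for p in group)
        for p in group:
            key = (p.ip, p.port)
            if not p.control_ok:
                labels[key] = "inconclusive (down at control too)"
            elif p.synack and p.rst_after is not None:
                labels[key] = "reset after handshake"
            elif p.synack:
                labels[key] = "reachable"
            elif ip_alive:
                labels[key] = "IP:port blocking"   # SYN/ACK dropped for this port only
            else:
                labels[key] = "IP blocking"        # neither TCP nor ICMP answered
    return labels


# Constructed sample data (documentation addresses, not real measurements).
SAMPLE = [
    Probe("192.0.2.10", 443, False, False, None, True),     # silent on TCP and ICMP
    Probe("198.51.100.7", 443, True, False, None, True),    # one port silent, host pings
    Probe("198.51.100.7", 22, True, True, None, True),
    Probe("203.0.113.5", 80, True, True, 16, True),         # RST after the 16-byte GET line
    Probe("203.0.113.9", 9001, False, False, None, False),  # offline everywhere
]

if __name__ == "__main__":
    for key, label in classify(SAMPLE).items():
        print(key, label)
```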

Types of non-Tor censorship

Ways to bypass censorship

Type of firewall

  • The Great Firewall Of China
  • Manufacturer: China. There are probably no off-the-shelf products.

Reproducing the blocking

  • Follow-up scanning can be triggered with the tool tcis: . The tool sends a Tor TLS client hello to a given machine; the DPI boxes detect it and start follow-up scanning.
  • Open SOCKS proxies in China can be used to send the "bait".