GFW blocking was keyed on both IP address and port number, not IP address alone. Bridges with port 22 (SSH) open had that port remain reachable even as other ports on the same IP were blocked, confirming per-(IP, port) tuple granularity in the GFW blocklist.

All bridges in a given Tor Browser release batch were blocked simultaneously within a 20-minute window, and every blocking event occurred during China Standard Time business hours (between 10:40 and 17:00 CST). The combination of unpredictable multi-day delay followed by abrupt simultaneous batch blocking suggests a semi-manual process: human analysts discover bridges after an irregular delay, then an automated system applies blocks.

§4 Results, Table 3 evaluation

China's firewall never blocked a bridge before its public Tor Browser release, despite bridges being discoverable earlier via bug-tracker tickets and source code commits. The four bridges distributed only in Orbot (not Tor Browser) remained unblocked throughout the experiment, indicating the GFW monitors end-user software releases rather than upstream repositories or alternative distribution channels.

§4 Results detection

The Great Firewall of China blocked newly published obfs4 Tor Browser default bridges after delays of 7, 2, 18, 11, and 36 days following the first public software release, and up to 57 days after bridges were first discoverable via bug-tracker ticket filing. Iran showed no blocking of the same default bridges across the entire five-month measurement period.

§4 Results, Table 2 evaluation

Some obfs4 bridges exhibited a roughly 24-hour periodic semi-blocking pattern from China, where bridges cycled between reachable and blocked states with a ~24-hour period. This diurnal pattern differed between the two China probe sites and between bridges, and one blocking failure coincided with a documented nationwide GFW outage that also briefly restored access to Google services.

§4 Results, Figure 3 evaluation

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

China Telecom Group reportedly issued directives to Guangdong Telecom in April 2026 requiring comprehensive rectification of cross-border leased-line (IEPL/专线) businesses used for circumvention, with Guangzhou leading enforcement and other Guangdong cities expected to follow sequentially. The targeting is infrastructure-class-specific (IEPL lines as a category) rather than generalized protocol blocking.

2026-ermao-april-airport-outage §广东方向专项整治传闻的影响 ip-blockingport-blocking

IP and port blocking dropped from 30% of countries historically to only 9% during the study period (six countries), with the decline attributed to difficulty maintaining ephemeral blocklists, CDN collateral damage, and IPv6 expansion. Iran is a significant exception: it has implemented port allowlisting — permitting only ports 80, 443, and 53 — on multiple occasions, blocking all other ports entirely.

2023-master-worldwide §4.3, Table 2 ip-blockingport-blocking

Camoufler's blocking-resistance relies on collateral-damage economics: IM platforms had ~2.5 billion active users as of January 2019 (projected >3 billion by 2022) and are embedded in essential business and commercial operations (airline e-tickets, professional collaboration tools). Blocking all IM to disrupt Camoufler would require the censor to harm its own economy; the threat model requires only that the censor permits at least one IM platform, in which case Camoufler remains operational.

2021-sharma-camoufler §3.1, §7 ip-blockingport-blocking

Protozoa uses the economic and social indispensability of popular WebRTC conferencing services as a censorship deterrent: blocking all WebRTC traffic imposes prohibitive collateral damage on legitimate commerce and communication. This 'parasitism' strategy means the circumvention tool inherits the blocking immunity of the carrier without requiring any protocol mimicry at the network level. Protozoa requires only one reachable WebRTC service to function, and Table 3 confirms at least five services remained unblocked in China during testing.

2020-barradas-poking §3, §7.2 ip-blockingport-blocking

Of 229 Thai Internet users surveyed, 63% (n=144) had attempted to circumvent censorship, and of those, roughly 90% (n=132) reported success using VPNs (32.64%), proxies (32.64%), or Tor (23.61%). Failures were isolated to proxies (n=2), VPNs (n=2), and alternative searches (n=3), indicating that existing circumvention tools were technically adequate but that availability and comprehensibility—not raw capability—were the binding constraints on user success.

2017-gebhart-internet §5.2.1, Table 2 ip-blockingport-blocking