Tor's built-in country-exclusion feature provides only the illusion of control: among circuits configured to exclude the US, only 12% could be identified as definitively avoiding US territory. The remaining 88% of 'trusted' circuits fail to deliver a proof of avoidance, meaning standard Tor policy and provable security diverge sharply.

DeTor circuits have significantly lower end-to-end RTTs than standard Tor circuits because high-RTT paths cannot satisfy avoidance proofs, effectively self-selecting for shorter routes. Bandwidth distributions are similar to standard Tor. However, intentional packet-delay defenses proposed for Tor (to defeat timing attacks) would increase effective δ and reduce DeTor proof coverage, creating a tension between delay-based anonymity defenses and RTT-based geographic avoidance.

§6.2.3, §6.2.1 (δ discussion) evaluation

Never-once avoidance succeeds for 75% of source-destination pairs that do not already terminate in the US (a highly routing-central country) at δ=0.5, and for nearly all pairs avoiding less central countries. Russia is the hardest case at ~35% success (δ=0.5) due to proximity to the dense European node cluster. The median successful source-destination pair has over 1,000 valid DeTor circuits when avoiding the US and 500 when avoiding China.

§6.2.1, §6.2.4 evaluation

Never-twice avoidance — ensuring no country appears on both the entry leg (source→entry) and exit leg (exit→destination) of a Tor circuit — succeeds for 98.6% of source-destination pairs not in the same country, using only client-side RTT measurements. This directly defeats traffic-correlation deanonymization attacks that require an adversary on both legs of the circuit simultaneously.

§4.2, §6.3.1 defense

DeTor proves geographic avoidance using speed-of-light RTT constraints rather than Internet topology maps. If the measured end-to-end RTT satisfies (1+δ)·Re2e < Rmin, where Rmin is the theoretical minimum RTT that would include any point in the forbidden region, then packets provably could not have traversed that region — even against adversaries who forge traceroute and BGP responses.

§3.1, §4.1 defense

CloudTransport's passive-rendezvous design ensures clients never establish direct connections to bridges; consequently, even a censor in complete control of a bridge cannot enumerate client IP addresses without computationally intensive flow-correlation analysis. Blacklisting the IP address of a CloudTransport bridge has zero effect on CloudTransport connections, and when a bridge migrates to a new IP address this change is completely transparent to clients.

2014-brubaker-cloudtransport §4.3 ip-blockingactive-probingflow-correlation

Encrypting traffic at the application layer still discloses communicating parties to every ISP along the path; overlay anonymization is subject to blacklisting of exit nodes and traffic analysis. The paper argues that effective privacy requires building anonymity into the network routing layer itself, with the necessary tradeoff being hardware cost and routing inefficiency for privacy-requiring circuits.

2011-liu-tor §1, §8 flow-correlationip-blocking

Tor-like anonymizing overlays are easily censored because they rely on centralized, publicly visible relay lists; governments can blacklist Tor nodes or monitor all Tor exit traffic so that traffic analysis can reveal the source. Traffic to or from Tor 'essentially advertises itself as probably worth tracking.'

2011-liu-tor §1–§2 ip-blockingflow-correlationactive-probing

Tor bridges that always accept incoming connections enable a three-phase 'bridge aliveness attack': an adversary collects bridge descriptors at scale, correlates bridge uptime timestamps with pseudonymous post timestamps to narrow the candidate set (winnowing), then confirms identity via circuit-clogging and timing attacks. Because bridge descriptors remain valid indefinitely and the BridgeDB rate-limits only to one descriptor set per /24 prefix per week, an adversary with botnet or open-proxy access can hoard enough bridges for the winnowing phase to succeed.

2011-smits-bridgespa §1, §1.1 active-probingip-blockingflow-correlation

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

A three-stage detection pipeline exploiting the "dual-role" behavioral fingerprint of single-IP circumvention relays achieved 23.2% recall (96/414 ground-truth relays) with a 0.18% false-positive rate against 97,651 benign TLS servers, for an overall accuracy of 99.5%. The ground-truth set covered OpenVPN, WireGuard, and SOCKS relays identified in a 17 TB single-day backbone trace (WIDE Project, April 9, 2025).

2026-almutairi-server §3.4, Table 1 traffic-shapedpiflow-correlation