Censor has a new method of blocking

Fragmenting large server responses across multiple independent TCP connections each below the ≈15–20 KB threshold circumvents the freeze, but at severe cost: downloading a 50 MB file requires approximately 2,560 separate TCP connections, which is operationally suspicious and significantly degrades throughput.

Notes defense dpi ru

The freezing threshold is packet-count-based rather than strictly byte-based: the censor typically freezes after 25 packets have been sent in either direction (incoming or outgoing), which averages approximately 16 KB of payload. The limit applies to both TCP and UDP flows, and varies slightly by ISP.

upd5 detection dpitraffic-shape ru

The Russian DPI maintains two whitelists that exempt flows from the freeze: (1) a SNI-based whitelist covering select domains (visible in the TLS ClientHello), and (2) a CIDR-based whitelist of IP subnets for trusted destination servers. The SNI whitelist can be exploited by VLESS+Reality clients using an allowed SNI value as the apparent destination; the CIDR whitelist requires routing through an IP from a whitelisted prefix, making circumvention 'extremely difficult' without an intermediate node in a whitelisted subnet.

upd3, upd4 detection sni-blockingip-blockingdpi ru

Russia's mobile operators (MTS, Beeline, MegaFon, Yota) deployed a TCP connection-freezing technique in mid-2025 that silently halts packet delivery after approximately 15–20 KB of server-to-client data within a single TCP connection, without sending RST packets, causing clients to stall until timeout. The trigger requires: (1) TLS 1.3 or TLS 1.2 over TCP, (2) destination IP located in a foreign datacenter ASN (e.g., Hetzner, DigitalOcean), and (3) cumulative in-connection payload exceeding the threshold.

Problem description detection dpitls-fingerprintip-blocking ru

Only SSH/SFTP and sometimes RDP are observed to pass through the Russian mobile network freeze without data-size limitations; raw TCP transfers without TLS and all common TLS-based proxy protocols (VLESS, Reality, Trojan, Shadowsocks) are subject to the 15–20 KB per-connection cap. This suggests the censor's DPI whitelist is protocol-specific and SSH's wire format is recognized as exempt.

upd2 detection dpitls-fingerprint ru