01
DNS poisoning
Network layer (L3/DNS)
signal_type: dns-poisoning
The simplest, oldest, most-bypassed technique: when the user resolves a blocked domain, the ISP returns a fake IP (often a blockpage server or 0.0.0.0).
How it works
When a device queries an ISP DNS resolver for a blocked domain, the resolver returns a manipulated answer: the address of a censorship notice page, a black-hole IP, or no answer at all. This is trivially circumvented with DoH/DoT, but it is still the default in many countries because it works on every device with zero configuration and requires no DPI.
Detection signal
We compare DNS answers from inside-country probe nodes against a clean control resolver. Disagreement on the A/AAAA record for known-controversial domains = dns-poisoning. CensoredPlanet Satellite contributes the largest share of this signal.
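The comparison described above, as an added example (not this project's own code): it classifies a probe's answers against the control resolver's answers for each domain. The sample data, function names and the rule that any shared address counts as agreement are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample observations (not real measurements): domain -> A/AAAA answers.
CONTROL = {
    "news.example": {"203.0.113.10", "203.0.113.11"},
    "forum.example": {"198.51.100.7"},
    "wiki.example": {"2001:db8::5"},
    "cdn.example": {"203.0.113.50", "203.0.113.51"},
}
PROBE = {
    "news.example": {"0.0.0.0"},        # black-hole answer
    "forum.example": {"192.0.2.99"},    # different address, e.g. a blockpage server
    "wiki.example": set(),              # no answer at all
    "cdn.example": {"203.0.113.51"},    # subset of the control answers
}

def is_blackhole(addr):
    """True for addresses that can never reach the real site (0.0.0.0, ::, loopback)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback

def classify(control, probe):
    """Return 'consistent', 'no-answer', 'blackhole' or 'mismatch' for one domain."""
    if not probe:
        return "no-answer" if control else "consistent"
    if any(is_blackhole(a) for a in probe):
        return "blackhole"
    # Parse before comparing so differently written IPv6 addresses still match.
    shared = {ipaddress.ip_address(a) for a in control} & \
             {ipaddress.ip_address(a) for a in probe}
    # Assumption: one shared address is agreement (tolerates round-robin answers).
    return "consistent" if shared else "mismatch"

def dns_poisoning_signals(control_map, probe_map):
    """Map each domain whose probe answer disagrees with control to its verdict."""
    signals = {}
    for domain, control in control_map.items():
        verdict = classify(control, probe_map.get(domain, set()))
        if verdict != "consistent":
            signals[domain] = verdict
    return signals
```
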
02
SNI blocking
Transport layer (L4/TLS)
signal_type: sni-blocking
The Server Name Indication (SNI) header is sent in the TLS ClientHello in plaintext. Censors inspect it and drop the connection mid-handshake when it matches a blocked hostname.
How it works
In a normal HTTPS connection, the client tells the server which hostname it wants via SNI before the encrypted tunnel is established. Censoring middleboxes read this field and inject a TCP RST or drop the packet if the SNI matches a blocklist. Encrypted Client Hello (ECH) defeats this, but adoption is still low.
Detection signal
Failed TLS handshake (no cert delivered) for blocked hostname BUT successful TLS to control hostname on same IP. We also fingerprint the cert when one IS delivered — multiple probes seeing the same anomalous fingerprint is strong evidence.
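The decision rule above, as an added example (not this project's own code): each probe makes a target and a control handshake to the same IP, and an unexpected certificate only counts once several probes report the same fingerprint. The record layout, the shortened fingerprints and the quorum of 2 are assumptions.

```python
from collections import defaultdict

# Constructed probe results (not real measurements). Fingerprints are shortened
# placeholders. Row layout: (probe, ip, sni, role, handshake_ok, cert_fp)
RESULTS = [
    ("p1", "203.0.113.10", "blocked.example", "target", False, None),
    ("p1", "203.0.113.10", "control.example", "control", True, "c0ffee"),
    ("p2", "203.0.113.20", "shop.example", "target", True, "bad1"),
    ("p2", "203.0.113.20", "control.example", "control", True, "c0ffee"),
    ("p3", "203.0.113.20", "shop.example", "target", True, "bad1"),
    ("p3", "203.0.113.20", "control.example", "control", True, "c0ffee"),
    ("p4", "203.0.113.30", "down.example", "target", False, None),
    ("p4", "203.0.113.30", "control.example", "control", False, None),
]
EXPECTED_FP = {"blocked.example": "a1", "shop.example": "600d", "down.example": "b2"}

def sni_verdicts(results, expected_fp, quorum=2):
    """Return {hostname: 'sni-blocking' | 'anomalous-cert' | 'inconclusive'}."""
    pairs = defaultdict(dict)                  # (probe, ip) -> {role: row}
    for probe, ip, sni, role, ok, fp in results:
        pairs[(probe, ip)][role] = (sni, ok, fp)
    verdicts = {}
    odd_fp = defaultdict(set)                  # (sni, fingerprint) -> probes that saw it
    for (probe, _ip), pair in pairs.items():
        if "target" not in pair or "control" not in pair:
            continue                           # an unpaired measurement proves nothing
        sni, ok, fp = pair["target"]
        control_ok = pair["control"][1]
        if not ok and control_ok:
            verdicts[sni] = "sni-blocking"     # same IP works for the control SNI
        elif not ok:
            verdicts.setdefault(sni, "inconclusive")   # the IP itself is unreachable
        elif sni in expected_fp and fp != expected_fp[sni]:
            odd_fp[(sni, fp)].add(probe)
    for (sni, _fp), probes in odd_fp.items():
        if len(probes) >= quorum:              # several probes agree on the odd cert
            verdicts.setdefault(sni, "anomalous-cert")
    return verdicts
```
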
03
TCP RESET injection
Transport layer (L4/TLS)
signal_type: tcp-reset
An active middlebox monitors traffic. When it detects a banned pattern, it injects forged TCP RST packets that terminate the connection at both ends.
How it works
The Great Firewall pioneered this in the early 2000s. A passive tap mirrors all traffic to an inspection engine. When a forbidden keyword, hostname, or TLS fingerprint matches, the engine fires off TCP RST packets to both endpoints with spoofed source addresses. The client and server both see what looks like a normal connection termination.
Detection signal
Connections that succeed initially then die at suspicious wall-clock times (during ClientHello, mid-stream after a specific byte sequence). Statistical: RST counts to certain destinations 1000× higher than control.
04
HTTP filtering / blockpage injection
Application layer (L7/HTTP)
signal_type: http-blocking
When a domain isn't fully HTTPS, the censor can inject a blockpage HTML response instead of forwarding the request — or return a 4xx/5xx status code.
How it works
For plain HTTP traffic (or sites still serving some content over HTTP), middleboxes can rewrite the response inline. The user sees a government "this site is restricted under article X" notice instead of the real content. The blockpage HTML can often be fingerprinted across ISPs in the same country: same wording, same logo.
Detection signal
HTTP response with status 200 or 451 containing blockpage signatures (logos, specific text). Compared against control fetches that succeed normally.
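Blockpage fingerprinting across ISPs, as an added example (not this project's own code): responses are reduced to their visible text, hashed, and grouped, and a fingerprint counts only when it differs from the control fetch and several ISPs return it. The sample pages, names and the two-ISP minimum are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample fetches of one URL (not real measurements).
CONTROL_HTML = "<html><body><h1>Daily News</h1><p>Top stories</p></body></html>"
NOTICE = "<h1>Access Restricted</h1><p>This site is restricted under article X.</p>"
FETCHES = [  # (isp, status, html)
    ("isp-a", 200, "<html><body>" + NOTICE + "</body></html>"),
    ("isp-b", 451, "<html>\n<body><div id='r-8841'>\n" + NOTICE + "</div></body></html>"),
    ("isp-c", 200, CONTROL_HTML),
    ("isp-d", 200, "<html><body><p>Please log in to the hotel Wi-Fi</p></body></html>"),
]

def fingerprint(html):
    """Hash the visible text only, so markup differences do not split a cluster."""
    text = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)               # drop remaining tags
    text = re.sub(r"\s+", " ", text).strip().lower()   # normalise whitespace and case
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def blockpage_clusters(fetches, control_html, min_isps=2):
    """Return {fingerprint: sorted ISPs} for non-control pages seen on >= min_isps ISPs."""
    control_fp = fingerprint(control_html)
    seen = defaultdict(set)
    for isp, status, html in fetches:
        fp = fingerprint(html)
        if status in (200, 451) and fp != control_fp:
            seen[fp].add(isp)
    return {fp: sorted(isps) for fp, isps in seen.items() if len(isps) >= min_isps}
```
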
05
ASN-level outage / kill switch
Infrastructure (routing)
signal_type: outage
The nuclear option: an ISP or government withdraws BGP routes for entire AS numbers, taking large chunks of users offline. Often happens during elections, protests, or unrest.
How it works
An ISP stops announcing its IP prefixes to the global BGP table. Every router in the world stops knowing how to reach those addresses. Users in that ASN see "no internet" — not "Twitter is slow", just nothing.
Detection signal
CAIDA IODA aggregates ~6 independent signals (BGP, active probing, DNS query rates, dark-net traffic) into a single "is this ASN online" score. We ingest IODA every 6h and create an incident when the score drops below the threshold.
06
Middlebox detection
Infrastructure (routing)
signal_type: middlebox-detection
Even when a connection succeeds, the path may be running through a deep-packet-inspection middlebox that fingerprints traffic for later action.
How it works
OONI ships specially crafted invalid HTTP requests (`http_invalid_request_line` test) that no real server would respond to. A reply to these, usually from a transparent proxy or inline DPI box, proves a middlebox is present on the path.
Detection signal
OONI http_invalid_request_line + http_header_field_manipulation. Reply where there should be none = middlebox.
07
Tor blocking
Application layer (L7/HTTP)
signal_type: tor-blocking
Tor directory authorities and known relay IPs are commonly blocked. Bridges (unlisted entry points) are the standard countermeasure — and themselves get hunted.
How it works
The Tor network publishes its directory authorities. Censors fetch the list daily and add all relay IPs to blocklists. Pluggable transports (obfs4, snowflake, meek) disguise Tor traffic as something else.
Detection signal
OONI tor test connects to known Tor directory authorities + a sample of relays. Failure to reach = blocked.