Providers of the Russian Federation, for the most part, use the systems of deep traffic analysis (DPI, Deep Packet Inspection) to block sites included in the register of banned. There is no single standard for DPI, there is a large number of implementations from different DPI providers that differ in the type of connection and type of work.

There are two common types of DPI connection: passive and active.
Passive DPI
Passive DPI-DPI connected to the provider network in parallel (not in the section) either through a passive optical splitter or using the mirroring of user traffic. This connection does not slow down the speed of the network provider in the case of insufficient DPI performance, which is why it is used by large providers. DPI with this type of connection can technically only detect an attempt to query for prohibited content, but not to suppress it. To circumvent this restriction and block access to the denied site, DPI sends a specially crafted HTTP packet to the user requesting the blocked URL, redirecting to the stub page of the provider, as if the requested resource itself had been sent by the user (the IP address of the sender and the TCP sequence are forged). Because the DPI is physically located closer to the user than the requested site, the forged response reaches the user's device faster than the real response from the site.
v1d0q 17 august 2017, 17:40