Introduction: The Point of No Return
You are reading part 2 of the “Networking 2025” course.
By December 2025, the architecture of the Runet has become inseparable from TSPU (Technical Means of Counteracting Threats). We have passed the point of no return: traffic filtering is no longer an “external filter”; it is built into the very logic of packet transmission at the backbone level. The modern TSPU system is a distributed network of neural network analyzers capable of classifying millions of connections in real time and simulating technical failures where direct restriction is impractical.
Chapter 1. DPI Evolution: The Shift to Granular Packet Analysis
The history of filtering systems in Russia is divided into “before” and “after” 2018. The failed attempt to restrict Telegram via IP address registries served as a lesson that forced the regulator to completely overhaul its technology stack.
1.1 Lessons of 2018: Why IP Restrictions Died
In 2018, the regulator tried to stop services by blacklisting millions of cloud provider IP addresses. The result was massive collateral damage: the collapse of banking systems, retail, and smart homes.
The regulator’s main conclusions:
- Economic Unacceptability: “Clumsy” methods cause more damage to the digital economy than the filtering effect is worth.
- Uselessness Against Distributed Networks: Dynamic IP shifting makes the registry-based approach meaningless.
1.2 The Birth of TSPU: Centralization and “Stealth Mode”
The “Sovereign Internet” law passed in 2019 shifted control from IP addresses to the physical level of the backbones. TSPU complexes—“black boxes” based on Deep Packet Inspection (DPI)—were installed at the communication nodes of all major operators.
Key features of the 2025 architecture:
- Centralization: The telecom operator no longer manages the filtering. All commands come directly from the CMU SSOP (the Center for Monitoring and Control of the Public Communications Network).
- Payload Inspection: TSPU analyzes not only headers but also the content of the packet.
- Drop Tactics: The system is capable of restricting specific protocols without breaking the session itself or interfering with adjacent legitimate services on the same IP.
Chapter 2. Traffic Management Mechanisms: Timeouts and Session Limits
By 2025, TSPU moved from primitive filtering to a data accumulation strategy. Now, the system doesn’t make a decision instantly; it “waits” until a session gathers a critical mass of attributes for classification.
2.1 The “13 KB” Phenomenon: Classifier Saturation Point
One of the main technical features of 2024–2025 was the dropping of HTTPS sessions exactly after the transmission of 13–16 kilobytes of data. This is deliberate, stateful behavior on the part of the DPI.
Why exactly 13–16 KB? For modern TSPU ML models, this volume is the “Saturation Point.” This range covers the connection establishment, certificate exchange, and the first encrypted Application Data packets. This is enough to classify the traffic type with high probability. Once the statistics are gathered, the system activates the restriction.
2.2 Comparative Analysis of Connectivity by Autonomous Systems (AS)
TSPU policy in 2025 is extremely heterogeneous and depends on the target IP address ownership:
| Hosting / CDN | Nature of Filtering (2025) |
|---|---|
| Cloudflare (AS13335) | Total ECH drop and a hard 13 KB limit. |
| Hetzner (AS24940) | Regional throttling. Frequent drops at the TLS stage in some regions. |
| DigitalOcean (AS14061) | Port filtering. Restriction of standard ports via ML signature. |
| OVH (AS16276) | UDP Trigger. IP restriction for 10 minutes upon detection of atypical UDP traffic. |
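One way to check measurement data for the cutoff described in section 2.1, broken down by AS as in the table above. This is an added example, not part of the original course; the record format, sample values and thresholds (`min_stalls`, `threshold`) are constructed assumptions.

```python
from collections import defaultdict

WINDOW = (13 * 1024, 16 * 1024)  # the 13-16 KB range from section 2.1

# Constructed sample: (ASN, bytes received before the transfer ended, completed?)
SAMPLE = [
    ("AS13335", 14_212, False), ("AS13335", 15_980, False),
    ("AS13335", 13_704, False), ("AS13335", 482_113, True),
    ("AS24940", 2_150, False), ("AS24940", 301_774, True),
    ("AS24940", 97_338, False), ("AS24940", 512_000, True),
]

def stall_profile(records, window=WINDOW, min_stalls=3, threshold=0.8):
    """Per ASN: share of incomplete transfers that ended inside the window."""
    stalls = defaultdict(list)
    for asn, received, completed in records:
        if not completed:
            stalls[asn].append(received)
    report = {}
    for asn, sizes in stalls.items():
        in_window = sum(window[0] <= s <= window[1] for s in sizes)
        share = in_window / len(sizes)
        report[asn] = {
            "stalls": len(sizes),
            "in_window": in_window,
            "share": round(share, 2),
            # Ordinary loss spreads stall offsets out; a stateful cutoff
            # piles them up inside one narrow byte range.
            "clustered": len(sizes) >= min_stalls and share >= threshold,
        }
    return report

if __name__ == "__main__":
    for asn, row in stall_profile(SAMPLE).items():
        print(asn, row)
```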
2.3 Russian Hostings: “Ban-on-Sight” Strategy and BGP-Flowspec
Inside the Russian segment, systems apply immediate traffic restriction policies. Here, the system is integrated directly with the BGP routing of backbone providers.
The Mechanics of a “Black Hole”:
- Detection: TSPU identifies an initialization packet of an illegitimate connection.
- Signaling: CMU SSOP instantly initiates a “null route” announcement via BGP Flowspec.
- Result: Traffic to the IP is dropped at the nearest major backbone node.
Temporary Blackholes: An innovation of 2025 is dynamic 15-minute restrictions. Upon detecting atypical traffic, the IP address is restricted for a short period. If activity resumes after the restrictions are lifted, the period increases progressively.
Chapter 3. Active Verification Mechanisms (Active Probing) in Modern Networks
By mid-2025, the Russian TSPU system fully adopted the most effective tactic—Active Probing. While the system was previously a passive observer, it has now become an active participant in the network dialogue, capable of performing automatic server response checks.
3.1 TSPU Active Probes: Real-time Re-verification Mechanics
When a TSPU algorithm detects a connection to a foreign host that defies instant classification, the system initiates a series of probe requests from its nodes.
How an active probe works:
- Anomaly Detection: A user initiates a connection. TSPU sees an atypical session fingerprint or packet length distribution.
- Probe Trigger: Parallel to the user’s session (or immediately after its drop), TSPU sends its own packets to the target server IP.
- Response Analysis: The probe might simulate a regular client request. The goal is to provoke the server into a response that reveals its true nature.
According to research, the delay between the user’s request and the arrival of an active probe from the system in 2025 is only 200–500 ms, making this process practically invisible.
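Seen from the server side, the sequence above leaves a recognizable trace: a connection from an unfamiliar source shortly after a legitimate client. The following added example (not part of the original course) flags such followers in an accept log; the log format, the `known_clients` allowlist and all addresses are constructed assumptions.

```python
import re

LINE = re.compile(r"^(\d+\.\d+) accept src=(\S+) dport=(\d+)$")
PROBE_DELAY = (0.200, 0.500)  # seconds; the 200-500 ms figure quoted above

# Constructed accept log (epoch seconds); addresses are documentation ranges.
SAMPLE_LOG = """\
1000.000 accept src=198.51.100.7 dport=443
1000.310 accept src=203.0.113.50 dport=443
1004.200 accept src=198.51.100.7 dport=443
1004.950 accept src=203.0.113.51 dport=443
1010.000 accept src=198.51.100.9 dport=443
1010.420 accept src=198.51.100.7 dport=443
"""

def find_probe_candidates(log_text, known_clients, delay=PROBE_DELAY):
    """Return (client, follower, gap_s) for unknown sources that hit the
    same port inside the delay window after a known client connected."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((float(m.group(1)), m.group(2), int(m.group(3))))
    events.sort()
    hits = []
    for i, (t0, client, port) in enumerate(events):
        if client not in known_clients:
            continue
        for t1, src, p in events[i + 1:]:
            gap = t1 - t0
            if gap > delay[1]:
                break  # events are sorted, nothing later can match
            if gap >= delay[0] and p == port and src not in known_clients:
                hits.append((client, src, round(gap, 3)))
    return hits

if __name__ == "__main__":
    known = {"198.51.100.7", "198.51.100.9"}
    for hit in find_probe_candidates(SAMPLE_LOG, known):
        print(hit)
```

A timing match is only a candidate: ordinary scanners and unrelated clients can land in the same window, so repeated matches across many sessions carry more weight than a single one.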
Chapter 4. Transition to Behavioral ML-Analysis (Machine Learning)
By late 2025, the “one signature — one restriction” paradigm finally gave way to multi-factor analysis. Massive investments in TSPU modernization allowed for the deployment of ML clusters capable of processing terabits of traffic per second, identifying hidden patterns without the need for content decryption.
4.1 Analysis of Entropy and Statistical Profiles
One of the fundamental characteristics of any tunneled traffic is the high entropy (degree of randomness) of the data. The difference that TSPU ML models learned to see in 2025 lies in the statistical profile of the session.
Classification Features:
- Session Structure: Regular web surfing is an alternation of short requests and bursts of responses. A persistent tunnel is characterized by a long session with monotonically high entropy.
- Bidirectional Symmetry: ML models analyze the ratio of incoming and outgoing traffic. Specialized communication channels often have a more symmetrical ratio than classic HTTP traffic.
4.2 Timing Attacks and Temporal Fingerprinting
By late 2025, TSPU began actively using Temporal Fingerprinting. Intervals between packets (inter-packet arrival times) reveal the nature of the application.
Temporal Analysis Methods:
- Interactivity Detection: Sessions used for console work have a specific packet rhythm corresponding to human typing.
- Heartbeat Signals: Many protocols send packets to maintain the connection (Keep-alive) at strictly defined intervals. ML models find this cyclicality in the general data stream.
4.3 Packet Size Distribution
A key analysis factor in 2025 is the payload size distribution. TSPU builds packet length histograms for every connection in real time.
If all packets in a session have sizes characteristic of specific protocols, or display abnormal uniformity (due to fixed padding), the ML model flags this as an anomaly. Modern analysis methods make it possible to distinguish natural network noise from software attempts to mask traffic structure.
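The features from sections 4.1–4.3 can be computed from packet metadata alone. This added example (not part of the original course, and not a description of TSPU's actual models) profiles two constructed sessions whose payloads are both random bytes standing in for ciphertext; the packet tuple format and all sample values are assumptions.

```python
import math
import random
from collections import Counter
from statistics import mean, pstdev

def session_features(packets):
    """packets: list of (time_s, 'up' or 'down', payload bytes), 3 or more."""
    if len(packets) < 3:
        raise ValueError("need at least 3 packets to profile a session")
    payload = b"".join(p for _, _, p in packets)
    n = len(payload) or 1
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(payload).values())
    up = sum(len(p) for _, d, p in packets if d == "up")
    down = sum(len(p) for _, d, p in packets if d == "down")
    times = sorted(t for t, _, _ in packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    sizes = Counter(len(p) for _, _, p in packets)
    return {
        "entropy": entropy,                                 # bits/byte, max 8
        "symmetry": min(up, down) / (max(up, down) or 1),   # 1.0 = balanced
        "gap_cv": pstdev(gaps) / (mean(gaps) or 1),         # ~0 = fixed rhythm
        "top_size_share": sizes.most_common(1)[0][1] / len(packets),
    }

def fake_ciphertext(rng, n):
    # Stand-in for encrypted payload: both sessions below are "encrypted".
    return bytes(rng.getrandbits(8) for _ in range(n))

def constructed_sessions(seed=2025):
    """Constructed data: a fixed-size, fixed-rhythm tunnel vs. page loads."""
    rng = random.Random(seed)
    tunnel = [(i * 0.5, "up" if i % 2 == 0 else "down",
               fake_ciphertext(rng, 1200)) for i in range(40)]
    web = []
    for k, start in enumerate([0.0, 2.3, 2.9, 9.1, 15.4, 16.0]):
        web.append((start, "up", fake_ciphertext(rng, 400 + 30 * k)))
        for j, size in enumerate([1400, 1400, 1400, 700 + 100 * k]):
            web.append((start + 0.05 + 0.01 * j, "down",
                        fake_ciphertext(rng, size)))
    return tunnel, web

if __name__ == "__main__":
    for name, s in zip(("tunnel", "web"), constructed_sessions()):
        print(name, {k: round(v, 3) for k, v in session_features(s).items()})
```

Both sessions score close to 8 bits per byte, so entropy does not separate them; the symmetry, gap regularity and size uniformity values do.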
Chapter Conclusion
In the era of ML filtering, encrypting data is not enough. Any statistical deviation in timing or packet size becomes a trigger for activating restrictions.
Chapter 5. Geography and the Architecture of “Filtering Islands”
By late 2025, an architecture of “filtering islands” has formed, where the technical capabilities of network access depend on the user’s geographical location and provider.
5.1 Regional Proving Grounds
Analysis of 2025 monitoring data shows that new filtering methods are tested on specific regions before a federal launch.
- North Caucasus: A region with strict policies, often used for testing significant UDP traffic restrictions.
- Volga Region: A proving ground for ML analyzers, training on dense urban traffic.
- Siberia and Far East: The “13 KB” anomaly is frequent here due to cross-border channel specifics and harsh TSPU settings for foreign AS.
- Moscow and Saint Petersburg: These cities have extensive “white lists” for business infrastructure, though mobile networks are filtered as strictly as in the regions.
5.2 Policy Fragmentation by Provider: Mobile vs. Fixed
Mobile Networks: Mobile operators moved to a model where unidentified encrypted traffic may be preemptively slowed down. This is where resource-intensive behavioral analysis models are tested.
Fixed Internet: Classical SNI and IP filtering, supplemented by the “13 KB limit,” are more common here. Providers are forced to leave more exceptions for corporate software.
Chapter 6. Evolution of Application Solutions
The technological dominance of TSPU in 2025 has forced the development of network solutions that mimic the legitimate behavior of browsers or microservices. The main task of such systems is to create a load on the DPI that is economically disadvantageous for the system to process.
Conclusion: Results of Predictive Traffic Analysis Systems Deployment
By the end of 2025, the Russian traffic filtering system completed its transformation from a static “black list” model to a dynamic, predictive ecosystem.
Key Conclusions of 2025:
- Behavioral Analysis instead of Signatures: ML and active probing now play the leading role. The system looks for “atypical traffic behavior.”
- Network Fragmentation: Resource availability can vary between regions depending on local TSPU node settings.
- Technical Costs: Aggressive filtering sometimes leads to false positives, affecting banking APIs and corporate services.
- Network Quality Degradation: Constant packet inspection has led to increased latency (RTT) on several routes, a technological price for deep analysis systems.
In 2026, the boundary between specialized network traffic and normal web service operation is expected to blur further.