Someone on Reddit highlighted that the block seems to key off the SSL SNI header, regardless of which IP you try to connect to. There must be some Deep Packet Inspection going on here, then?
We started seeing more sophisticated DPI capabilities after the Feb '14 internet regulations[0] that required ISPs to block by URL and content strings.
IMO blocking so many sites so broadly is a sign that their DPI is failing, because their preference seems to be to block as narrowly as possible because of negative economic effects.
Snort is now owned by Cisco (the company formerly known as Sourcefire). It makes money via hardware integrated with Snort. I think a single 3U box pushes 60Gbps, though that number is highly dependent on the tuning for stream5 and other preprocessors. You don't need to reconstruct the entire stream, just enough to know what the connection is doing. Normally it's only a few packets per stream.
Stream fragmentation has its own entire configuration in snort as it is a known attack method to bypass detection.
Last I remember, that top-end box was 2x 12- or 16-core Xeon CPUs with 256GB RAM.
https://www.reddit.com/r/europe/comments/56h0s3/they_just_bl...
Is the blocking able to handle stuff like fragrouter where the TCP stream is broken down into 1-byte payload packets?
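An added example (not from any commenter, and not Snort's code) tying together the SNI-keyed blocking, the stream5 reassembly point and the 1-byte segment question: a minimal ClientHello is built, split into one-byte TCP segments delivered out of order, and the SNI is only recoverable once the segments are reassembled. The ClientHello builder, the hostname and the segment list are constructed test input, and the reassembler deliberately ignores overlaps and retransmissions, which a real preprocessor must handle.

```python
import struct

def build_client_hello(hostname: bytes) -> bytes:
    """Constructed TLS 1.2 ClientHello with one server_name extension (test input, not a capture)."""
    sni_entry = b"\x00" + struct.pack(">H", len(hostname)) + hostname
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext = struct.pack(">HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32            # version, random
            + b"\x00"                               # empty session id
            + b"\x00\x02\x00\x2f"                   # one cipher suite
            + b"\x01\x00"                           # null compression
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI hostname of a complete ClientHello record, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        if len(record) < 5 + struct.unpack(">H", record[3:5])[0]:
            return None                             # record still incomplete
        p = 9 + 2 + 32                              # past headers, version, random
        p += 1 + record[p]                          # session id
        p += 2 + struct.unpack(">H", record[p:p + 2])[0]   # cipher suites
        p += 1 + record[p]                          # compression methods
        ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", record[p:p + 4])
            if etype == 0:                          # server_name
                name_len = struct.unpack(">H", record[p + 7:p + 9])[0]
                return record[p + 9:p + 9 + name_len].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def reassemble(segments):
    """Order (seq, payload) TCP segments and join them: the Stream preprocessor's
    job in miniature, without overlap or retransmission handling."""
    return b"".join(data for _, data in sorted(segments))

def demo():
    hello = build_client_hello(b"example.com")
    # One-byte payload segments, delivered in reverse order (constructed).
    segs = [(i, hello[i:i + 1]) for i in range(len(hello))][::-1]
    seen_per_packet = any(extract_sni(d) for _, d in segs)   # packet-at-a-time view
    return extract_sni(reassemble(segs)), seen_per_packet
```

`demo()` returns `("example.com", False)`: per-packet inspection never sees the hostname, the reassembled stream does, which is why the inspector's reassembly budget, not the segment size alone, decides whether such traffic is classified.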