When access to the messaging app Telegram was interrupted in Russia on June 3, for the second time in less than a week, some worried that the app had been blocked by state authorities. Telegram has for many months been under pressure from Roskomnadzor, the state censor, to comply with a law requiring online services to register with the government and turn over user data.
But for once, Roskomnadzor was not the culprit. Instead, Telegram was the victim of a guerrilla campaign launched by dymoff.space, a domain that is blocked in Russia. Thanks to a flaw in Roskomnadzor’s registry of blocked websites, dymoff.space was able to alter its DNS settings and pass off other websites’ IP addresses as its own.
So when Internet service providers (ISPs) added dymoff.space’s IP addresses to their block list, they unknowingly blocked Telegram and several other websites in Russia.
Roskomnadzor was aware of this loophole before the attack and had instructed providers to take websites’ IP addresses directly from its registry of blocked sites, rather than from websites themselves. Recently, however, ISPs have reverted to manually checking blocked websites’ IP addresses, resulting in multiple major websites — and even a program run by Roskomnadzor itself — being blocked.
These attacks call to mind rogue efforts to undermine the state censor in the wake of its decision to block Alexey Navalny’s blog in 2014. RuNet Echo’s Andrey Tselikov summarized the efforts at the time:
Because Roskomnadzor requires ISPs to constantly check if a resource is trying to circumvent a ban by changing its IP address, blocked resources can introduce code that redirects some of these IP queries to a different website. Eventually, goes the theory, ISPs will pick up on this redirect and block the secondary website as well. So if a blocked site is savvy enough to redirect to a government site, say Kremlin.ru, ISPs will ultimately block Kremlin.ru, a block that obviously can’t stay in place for long.
When Roskomnadzor established its registry in 2012, it recorded the domain names and IP addresses of every blacklisted website and handed this list to ISPs, so that they could block the sites on the list. Since 2015, Roskomnadzor has used an “Inspector” that automatically checks access to blacklisted websites to make sure they are actually being blocked, threatening providers with administrative fines if websites fall through the cracks.
In response, several providers have begun double checking IP addresses manually to avoid punishment. According to Filipp Kulin, the general director of the host diphost.ru, this manual check caused providers to add erroneous IP addresses to their block lists.
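The collateral-blocking mechanism described above, as an added example that is not from the article: a small Python model of an ISP's block-list builder, contrasting live re-resolution of blocked domains (the manual check that let one domain drag other sites into the blocklist) with a registry-only build that reports divergent DNS answers instead of blocking them. Every domain, address, registry entry and allowlist prefix below is constructed for the illustration.

```python
# Added example (not from the article): two ways an ISP can turn a registry of
# blocked domains into an IP block list, and why live re-resolution is unsafe.
# All domains, IPs and registry entries are constructed (documentation ranges).
import ipaddress

# Constructed registry snapshot: blocked domain -> IP(s) recorded when it was listed.
REGISTRY = {
    "blocked-site.example": {"203.0.113.10"},
    "other-blocked.example": {"203.0.113.20"},
}

# Constructed DNS answers as a provider's manual check would see them:
# blocked-site.example has changed its A records to point at unrelated services.
LIVE_DNS = {
    "blocked-site.example": {"203.0.113.10", "198.51.100.5", "192.0.2.77"},
    "other-blocked.example": {"203.0.113.20"},
}

# Constructed allowlist of prefixes the provider must never block (for example a
# messenger, state sites, or the censor's own monitoring probe).
PROTECTED = [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("192.0.2.0/24")]

def resolve(domain):
    """Stand-in for a real DNS lookup; returns the constructed answer set."""
    return LIVE_DNS.get(domain, set())

def is_protected(ip):
    return any(ipaddress.ip_address(ip) in net for net in PROTECTED)

def naive_blocklist(registry):
    """Unsafe approach: re-resolve each blocked domain and block whatever it returns."""
    ips = set()
    for domain in registry:
        ips |= resolve(domain)          # collateral IPs land in the block list
    return ips

def safe_blocklist(registry):
    """Registry-only approach: block only recorded IPs; report (never block) anything else."""
    ips, alerts = set(), []
    for domain, recorded in registry.items():
        for ip in recorded:
            if is_protected(ip):        # even a recorded IP gets a sanity check
                alerts.append((domain, ip, True))
            else:
                ips.add(ip)
        for ip in resolve(domain) - recorded:
            alerts.append((domain, ip, is_protected(ip)))   # divergence -> review queue
    return ips, alerts
```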
A string of attacks
In this most recent attack, dymoff.space included in its DNS settings the IP addresses of Russia’s state-run Channel One website, the social media websites Odnoklassniki and VKontakte, NTV.ru, Booking.com, Facebook, Russian Railways, Mail.ru, and a number of other websites. Access to most of these websites was not entirely interrupted, because each of them uses a large number of IP addresses.
However, users were completely unable to access one website that dymoff.space included in its troll: nag.ru, a website that provides analytical information about Russian ISPs.
Leonid Volkov of opposition leader Alexei Navalny’s Anti-Corruption Foundation summed up the event in a lengthy post on his personal Telegram channel:
What happened was exactly what could have been expected: the owner of one of the resources that had been blocked exploited an obvious mistake in the blocking system and made it such that providers, fulfilling Roskomnadzor’s decision to ban his resource, simultaneously blocked many other sites, from “Channel One” to Telegram, from nag.ru to “SKB Kontur” (dude, hands off Nag.Ru and “SKB Kontur!”).
People had been telling Roskomnadzor over and over for many years that there was this hole, this problem in their system, but Roskomnadzor couldn’t see it…they’re terribly smart over there.
Dymoff.space is not the only blocked website to fight back recently. On Thursday, Dmitry Khomak, the founder of Lurkmore, a “satirical Wikipedia,” tweeted an image of a letter from Roskomnadzor to ISPs requesting that IP addresses belonging to VKontakte and Yandex be removed from provider blacklists. Their IP addresses, it seems, were also added by domains that had been recently blocked by Roskomnadzor.
A certain I.P. Rak (really, there is such a person at RKN) forbids Russian providers from blocking the IP addresses of VKontakte and Yandex. pic.twitter.com/7RGoNSAOF9
— David Homak (@aalien) June 1, 2017
This is hysterical: this I.P. cancer (really, such a thing exists in Roskomnadzor), forbids providers in Russia from blocking the IP addresses of Vkontakte and Yandex.
Similarly, in mid-May, the owner of the domain ncsmedia.ru quietly added the IP address of Roskomnadzor’s Inspector to its DNS records. In response, Roskomnadzor sent the following letter to providers asking that the Inspector’s IP addresses be removed from their blacklists.