
Auditor: the system for monitoring website blocking in Russia

Product
Developers: Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor, RKN), MFI Soft
System launch date: 2015
Last release date: 2017
Industries: Government and social institutions


"Auditor" monitors whether providers block prohibited resources on the Internet. Operators that fail to meet their blocking obligations face fines, which from March 24, 2017 increase from 30-40 thousand rubles to 50-100 thousand.

2018

How a provider in Russia was put out of action by blocking one million IP addresses

Failure in the Transtelecom network

On the evening of March 14, 2018, Transtelecom users had problems with Internet access. The company's press service reported that, because of a short-term failure, the provider's users in some cities experienced a decline in quality of service, but the problems were quickly corrected[1].

The cause of the failure, however, appears to be quite interesting. Based on information exchanged by Internet service provider staff in the professional Telegram chat Nag_public, Philip Kulin, CEO of the hosting provider Deep forest, concluded that this was a new kind of attack through the Register of prohibited websites.

Connection with the Register of prohibited websites

The Register of prohibited websites is maintained by Roskomnadzor. For each resource entered in it, the IP address, the domain and the address of the specific page with illegal information are specified by default.

Providers must block access to all resources in this Register. The provider can choose which type of blocking to use: by IP address or by URL. Blocking by URL is preferable, as it avoids blocking third-party websites. To implement this type of blocking, the provider needs a DPI system. In addition, websites that use encryption can be blocked only by IP address or by domain.

Since 2015, Roskomnadzor has also been installing equipment of the Auditor system, which automatically checks whether Internet service providers comply with website blocking requirements. When violations are identified, Roskomnadzor draws up administrative reports imposing fines. This approach forced many providers to determine the IP addresses of blocked websites on their own.

How a provider is attacked through the Register of prohibited websites

According to Philip Kulin, attackers decided to seize this opportunity and begin an "attack" through the Register of prohibited websites. To do so, they gained access to the domains of two resources previously blocked for drug distribution, tlpp.biz and piek.biz.

Next, 296 third-level subdomains were created under these two domains. Then, in the DNS system (which is responsible for mapping domains to IP addresses), several thousand IP addresses were added to each of these subdomains. Note that a domain owner can assign any IP address to the domain in DNS, including one the owner does not use.

In this way, the attackers assigned more than 1 million IP addresses to the domains, Kulin calculated. This is what caused the technical problems on Transtelecom's network, as the provider's equipment automatically resolved all these addresses.

2017

Roskomnadzor's white list of websites

On June 7 it became known that Roskomnadzor had created a "white list" of websites that included state resources and social networks. The list contained the mask *.google.*, which allows blocking of any domain to be bypassed.

Vladimir Zdolnikov, author of the Telegram channel "IT criminal cases of SORM a rossiyushka", posted a copy of a letter allegedly sent by regional offices of Roskomnadzor to Internet service providers. Enclosed with the letter [2] is a file ([1], an Excel document saved on the CNews file server) with a list of 2 thousand domains that Roskomnadzor recommends not blocking.

Which foreign websites the Russian authorities value

This "white list" of sorts included the most popular Russian and foreign Internet resources: "Yandex", Google, Facebook, VKontakte, Odnoklassniki, Lenta.ru, Twitter, Instagram, YouTube. The list also included gstatic.com (used by Google to operate its CDN servers), Github (a repository of software source code) and the domains of the Internet's root servers (which keep the DNS system running; DNS is responsible for mapping domains to IP addresses).

A large part of the list consists of the addresses of websites of federal and regional authorities: the President of Russia, the Government, the Ministry of Internal Affairs, the FSB, the Ministry of Defence, the Ministry of Telecom and Mass Communications, Roskomnadzor, a large number of resources of regional authorities, and so on.

The white list also contained regulation.gov.ru (a resource for public discussion of draft regulations), ROI (a resource for public petitions) and the Roskomnadzor resource that hosts the "black list" of prohibited websites.

On June 13 Roskomnadzor sent providers a document cancelling the "white lists". The agency's press secretary, Vadim Ampelonsky, explained that this concerned the cancellation by regional divisions of their own recommendations "not to perform DNS resolving" after the hotline with Vladimir Putin.

In September 2017 Roskomnadzor withdrew the "white" lists of websites that operators were not to block under any circumstances, Izvestia reports. According to Evgeny Zaytsev, head of Roskomnadzor's department of control and supervision in the field of electronic communications, the agency found a technical method to avoid their blocking.

As Oleg Ivanov, deputy head of the agency, explained, Roskomnadzor now monitors DNS attacks in which administrators of blocked websites can substitute IP addresses and get them included in the register of prohibited resources. According to Ivanov, operators will be promptly notified of such blocking.

At the same time, Ivanov did not rule out that "white lists" will be needed in the future. According to him, there are currently no criteria for including or not including a website in the list.

Vulnerabilities of the blocking system

Because operators are required to install the "Auditor" hardware and software system, which automatically checks access to prohibited websites from the provider's network, attacks on law-abiding resources have become frequent. Since the Auditor device developed by MFI Soft still lacks human flexibility, it handles IP addresses differently, which gives attackers the chance to attack any resource.

Between 11 a.m. and 11:15 a.m. Moscow time on June 7, 2017, attackers mapped the name ww21.leonbet.me in the domain name system to several IP addresses belonging to ivi. After the DNS update, ivi's IP addresses began to be blocked by telecom operators, which made ivi resources partially unavailable to users in the Russian Federation. Access problems affected all users served by at least one of the big three operators.

As a result, a number of telecom operators using the "Auditor" blocking control system restricted access to the provider's Internet resources without legal grounds for doing so. Selectel also fell victim to the Auditor vulnerability. Earlier, the official site of the Russian President, the Telegram messenger, several popular social networks and news resources had already faced a similar problem.

Kirill Malevanov, technical director of Selectel: "Owing to the substitution of IP addresses in the DNS records of one of the websites included in the register of prohibited resources, the Selectel website and control panel were partially unavailable. We currently know of two telecom operators that restricted end-user traffic to our IP addresses. One of the operators is a large backbone operator. Our specialists continue monitoring to assess the actual scale of the problem. At the same time, we are extremely concerned that a well-known "hole" in the system has still not been closed, which regularly leads to emergencies in Runet."

On the evening of Wednesday, June 7, 2017, Roskomnadzor issued a statement acknowledging the problem of non-prohibited resources being blocked. According to the agency, it arises because some providers independently determine the IP addresses of prohibited websites from their domains ("resolve DNS"), and as a result resources that Roskomnadzor did not include in the Register of prohibited websites are blocked.

In this connection, the head of Roskomnadzor, Alexander Zharov, signed technical recommendations to Internet service providers on implementing blocking. Providers that have DPI systems should block the specific addresses of pages with prohibited information. In the absence of a DPI system, the provider should redirect user traffic to a special server that filters by IP address. If the prohibited website uses the secure https protocol, it should be blocked by domain name.

The problem of blocking law-abiding websites whose IP address was "tied" to a blocked domain concerns only telecom operators that perform "rough" blocking by IP address. Such operators account for 50-55% in Russia. Large telecommunication companies with a serious technology base are able to block illegal websites using DPI. This technology allows blocking by URL or by domain name (15-20%). Another 30% of operators are connected to owners of DPI and receive traffic that is already filtered of prohibited content.
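
A guard that an operator resolving blocked domains itself could run before feeding addresses into an IP blocklist, covering both the subdomain flood described for 2018 and the ww21.leonbet.me substitution above. This is an added example, not code from Roskomnadzor, MFI Soft or any operator; the thresholds, the protected network and all hostnames and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values and a constructed protected network (RFC 5737 range).
PROTECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
MAX_IPS_PER_NAME = 16
MAX_NAMES_PER_DOMAIN = 20

def registered_domain(name):
    """Naive grouping by the last two labels (no public-suffix handling)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def vet_resolutions(resolved):
    """resolved maps hostname -> list of IP strings from the operator's resolver.
    Returns (ips_to_block, alerts); anything suspicious is held for review."""
    by_domain = defaultdict(list)
    for name in resolved:
        by_domain[registered_domain(name)].append(name)
    accept, alerts = set(), []
    for domain in sorted(by_domain):
        names = sorted(by_domain[domain])
        if len(names) > MAX_NAMES_PER_DOMAIN:
            alerts.append((domain, "subdomain flood: %d names" % len(names)))
            continue
        for name in names:
            ips = [ipaddress.ip_address(i) for i in resolved[name]]
            if len(ips) > MAX_IPS_PER_NAME:
                alerts.append((name, "too many addresses: %d" % len(ips)))
            elif any(ip in net for ip in ips for net in PROTECTED_NETS):
                alerts.append((name, "resolves into protected network"))
            else:
                accept.update(str(ip) for ip in ips)
    return accept, alerts

def sample_resolutions():
    """Constructed input: one normal name and three abuse patterns."""
    data = {
        "shop.blocked-a.example": ["203.0.113.10", "203.0.113.11"],
        "ww21.blocked-b.example": ["198.51.100.7"],
        "big.blocked-d.example": ["192.0.2.%d" % i for i in range(40)],
    }
    for i in range(296):
        data["s%d.blocked-c.example" % i] = ["192.0.2.200"]
    return data

if __name__ == "__main__":
    ips, alerts = vet_resolutions(sample_resolutions())
    print(sorted(ips))
    for subject, reason in alerts:
        print(subject, "->", reason)
```

Held names are not blocked by IP at all until reviewed, which matches the later recommendation to block by domain or URL rather than by self-resolved addresses.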

As a solution, the head of the regulator proposes amending the legislation to define a mandatory procedure and method of blocking.

On June 27, 2017 Roskomnadzor published new rules for restricting access to prohibited websites. Providers should no longer determine IP addresses themselves, so as not to accidentally block websites that are not in the register of prohibited resources. Instead, providers will have to either filter traffic (on dedicated DPI equipment) and block the domain (but not the IP address), or use the IP addresses provided by Roskomnadzor. If a provider has no DPI equipment, it is recommended to restrict DNS queries, so that the user's computer does "not learn" the address at which the prohibited website is located and cannot connect to it. Operators can also agree on joint blocking: when one provider receives traffic from another that has already blocked the website, the traffic does not need to be filtered again.

Why a website blocked at Roskomnadzor's request "took down" Telegram

Sergey Nikulin, the CEO of RDP.RU, on the reasons for the blocking of many popular Internet resources that Russian users faced at the beginning of June 2017.

Telecom operators prepare a document against the Auditor system

In March it became known that the non-profit association "Oblteleset" is going to prepare a document that will help protect operators from unjustified fines caused by incorrect data from the "Auditor" system [3]. The universal document with justification is expected to be sent to Roskomnadzor whenever the regulator issues a provider an unjustified fine.

"Within a day of the inclusion in the register of a network address that identifies a website on the Internet containing information whose dissemination in the Russian Federation is prohibited, a telecom operator providing Internet access services is obliged to restrict access to that website," noted Oblteleset representative Pavel Polyakov. According to the publication, this refers to the network address, not the domain name or the page pointer.

"Therefore, it is the network address that should first of all be provided to the telecom operator for blocking resources containing information prohibited for distribution," representatives of Oblteleset comment.

Accordingly, in the association's view, requirements to perform blocking on the basis of page pointers and domain names are illegal.

"The council decided to create a single system that would give all operators in the association the chance to resist this action, the unjustified issuing of fines by Roskomnadzor," said Natalya Sukonkina, chair of the board of Oblteleset.

The association tried to resolve the issue directly with the Department of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications for the Northwestern Federal District, but the regulator reported that a claim against the Auditor system needs to be filed with an arbitration court. Oblteleset decided "for each fine issued by Roskomnadzor, to sign a petition stating disagreement with the punishment, and to attach the rebuttal that was taken as a basis".

2016: 95% of Russia's telecom operators under Auditor

Roskomnadzor reported at the beginning of 2017 that 3684 telecom operators (95%) are under the control of the automated system Auditor, which was implemented on December 1, 2016. As the regulator notes, the per-operator share of prohibited resources not blocked by telecom operators decreased over this time from 0.49% to 0.07%. The percentage of unblocked resources entered in the Unified register for promoting extremism also decreased, from 0.14% to 0.09%. In 2016, 478 administrative offense proceedings were initiated, in which 409 court rulings upholding Roskomnadzor's claims were issued.

2015: Creation of a website-blocking monitoring system for 100 million rubles

On September 24, 2015 the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) announced plans to launch a system for monitoring website blocking in Russia. The project will be named "Auditor".

According to TASS, citing the head of Roskomnadzor Alexander Zharov, a tender to select the developer of the Auditor program will take place on September 29, 2015; the program is intended to monitor in real time telecom operators' compliance with requirements to block prohibited content on the Internet.

"The essence of the probe, or program, is that it acts like a normal user, but faster than an ordinary user: it sends a large number of requests across the whole list of prohibited resources and, by the number of responses, is able to tell the Roskomnadzor inspector whether a website is blocked," Zharov explained.

At first, 700 probes will be installed on the lines of the main telecom operators. Their number will then grow. As of September 24, 2015, the list of websites banned in the Russian Federation includes about 12 thousand resources.

Roskomnadzor is going to spend about 100 million rubles on creating the system for monitoring website blocking. Four companies will take part in the tender for its development, and the winner will be determined primarily by criteria such as the cost of project implementation and the "optimality of the solution", the head of Roskomnadzor reported. He did not name a timeframe for implementing Auditor or the names of the bidding contractors.[4]
