When access to the messaging app Telegram was interrupted in Russia on June 3, for the second time in less than a week, some worried that the app had been blocked by state authorities. For many months, Telegram has been under pressure from Roskomnadzor, the state censor, to comply with a law requiring online services to turn over user data and register with the government.
But for once, Roskomnadzor was not the culprit. Instead, Telegram was the victim of a guerrilla campaign launched by dymoff.space, a domain that is blocked in Russia. Thanks to a flaw in Roskomnadzor’s registry of blocked websites, dymoff.space was able to alter its technical settings and pass off other websites’ IP addresses as its own.
So when Internet service providers (ISPs) added dymoff.space’s IP addresses to their block list, they unknowingly blocked Telegram and several other websites in Russia.
Roskomnadzor was aware of this loophole before the attack and had instructed providers to take websites’ IP addresses directly from its registry of blocked sites, rather than from websites themselves. Recently, however, ISPs have reverted to manually checking blocked websites’ IP addresses, resulting in multiple major websites — and even a program run by Roskomnadzor itself — being blocked.
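The difference between the two ways of building a block list described above, shown as an added example (not code from the article, Roskomnadzor or any ISP). It assumes the "technical settings" are the blocked domain's DNS records; every domain name, address and the `PROTECTED` never-block list is constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation-range addresses, not real hosts).
REGISTRY = {"blocked.example": {"203.0.113.10"}}  # IPs pinned in the registry entry
LIVE_DNS = {  # answers published by the blocked domain's owner
    "blocked.example": {"203.0.113.10", "198.51.100.7", "192.0.2.53"},
}
PROTECTED = {  # hypothetical never-block list kept by the operator
    "messenger.example": ipaddress.ip_network("198.51.100.0/24"),
    "registry-sync.example": ipaddress.ip_network("192.0.2.53/32"),
}

def collateral(ip):
    """Return the protected service whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in PROTECTED.items():
        if addr in net:
            return name
    return None

def build_from_dns(domains, resolver):
    """Weak: blocks whatever addresses the blocked domain's owner publishes."""
    return {ip for d in domains for ip in resolver.get(d, set())}

def build_from_registry(domains, registry, resolver):
    """Hardened: block only registry-pinned IPs and report DNS drift for review."""
    block, alerts = set(), []
    for d in domains:
        pinned = registry.get(d, set())
        for ip in sorted(pinned):
            owner = collateral(ip)
            if owner:
                alerts.append((d, ip, f"registry IP belongs to {owner}"))
            else:
                block.add(ip)
        # Addresses seen only in live DNS are never blocked automatically.
        for ip in sorted(resolver.get(d, set()) - pinned):
            owner = collateral(ip)
            alerts.append((d, ip, f"points at {owner}" if owner else "not in registry"))
    return block, alerts

if __name__ == "__main__":
    weak = build_from_dns(["blocked.example"], LIVE_DNS)
    print("DNS-derived list hits:", sorted(filter(None, map(collateral, weak))))
    print("Registry-derived:", build_from_registry(["blocked.example"], REGISTRY, LIVE_DNS))
```

The alerts list is the useful operational signal: a blocked domain that suddenly resolves into another service's address range is worth reviewing by hand rather than acting on.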
These attacks call to mind rogue efforts to undermine the state censor in the wake of its decision to block Alexey Navalny’s blog in 2014. RuNet Echo’s Andrey Tselikov summarized the efforts at the time:
Because Roskomnadzor requires ISPs to constantly check if a resource is trying to circumvent a ban by changing its IP address, blocked resources can introduce code that redirects some of these IP queries to a different website. Eventually, goes the theory, ISPs will pick up on this redirect and block the secondary website as well. So if a blocked site is savvy enough to redirect to a government site, say Kremlin.ru, ISPs will ultimately block Kremlin.ru, a block that obviously can’t stay in place for long.