
How we fulfilled Roskomnadzor's requirement to the benefit of the business

The other day we received a letter from Roskomnadzor. It said that they had finally got round to our company as well.

"In order to assess the possible need for technical means of control, I ask you to report, by March 20, 2015, the number of filtering nodes that restrict access from your access networks for individuals and legal entities to Internet sites containing information whose distribution is prohibited in the Russian Federation."
Excerpt from the official letter from Roskomnadzor.

So, the gist of the message is to let the RKN count all our traffic filtering points and make sure they are controlled by the "great switch", that is, Law 139-FZ. If someone does not know what this is about, there is a brief summary of the blocking topic under the spoiler.
Spoiler
In short, the law implies the following:
  • Any provider must monitor the source of the "blacklist" URLs and block traffic to all addresses listed there. How exactly is stated very vaguely, so everyone does it their own way.
  • Checks for "updates" must happen at least 3 times a day. Manually or automatically, it does not matter; the main thing is the required frequency.
  • To monitor compliance with the law, monitoring devices are installed on the provider's equipment. We have not got ours yet, so the details are still unknown.
  • Non-compliance with the law is punishable by a fine.

If you want to absorb more letters, here is the text of the law in its original form: graph.document.kremlin.ru/page.aspx?1;1621853

On the technical side, the law requires the telecom operator (and IT-GRAD, being a cloud provider, is to some extent also a telecom operator) to implement, on its own, the blocking of all kinds of content prohibited for distribution in the territory of the Russian Federation. Of course, a simple "yes, sir, we'll do everything!" is not enough for Roskomnadzor: they also install separate devices to check that the operator actually does it.

A couple of years ago, right after Law 139-FZ was adopted, such a requirement was a real headache for any Internet service provider, because many did not even have a proper DPI system to which blocking functionality could simply be added. At that time we happened to be studying DDoS protection and DPI filtering services for users of our cloud, so we knew the main players in the protection and blocking market. I will not bore you with the long and painful history of choosing a specific solution, and will simply give a comparison table of the capabilities of the filtering systems popular on the market. Price was not the least of the factors either, but we omit that parameter here.
Capability                                                          | Skydns | Carbon | Perimeter-F | SCAT
--------------------------------------------------------------------|--------|--------|-------------|-----
Download the registry from the RKN site (EDS-signed)                |   +    |   +    |      +      |  +
Add lists with regional blocks                                      |   +    |   +    |      -      |  +
Deployment scheme on the provider's equipment                       |   +    |   +    |      +      |  +
Additional per-client filtering services, billing integration,      |   +    |   +    |      -      |  +
  whitelisting                                                      |        |        |             |
Monitoring scheme                                                   |   -    |   +    |      -      |  +

But blocking under the law was only of secondary interest to us. So we were looking not just for "big scissors" but for some kind of multifunctional device. Its fragile silicon shoulders had to carry the heavy burden of DDoS filtering and channel rate control. After comparing specifications and testing in the field, we selected the SCAT product from VAS Experts. By the way, the box (more precisely, the hardware-software complex) turned out to be quite interesting.

What and how to block

The technical aspects of blocking have been discussed on Habr more than once, and they all revolve around DPI blocking and IP blocking. I hope schors does not mind if I borrow his picture:

Sites can be blocked according to the state lists in different ways (there was a useful article here with an overview of the possible methods), and the chosen device pleased us with its support for the blocking options shown in the picture.

Of course, the easiest option would be to block all traffic to an unwanted IP: take the URL from the registry, resolve the name to an IP address and redirect everything for that address to the page with the "letter of happiness".

But we decided to be more humane, especially since the DPI box had already arrived at the warehouse. So at both exchange points there is a filtering server with DPI, which automatically loads the up-to-date lists from the RKN and inspects every passing packet for a forbidden address. On a hit, the client is forwarded to a page explaining what was blocked and why.

Here, by the way, there is a nuance with HTTPS. An encrypted packet cannot simply be "opened" to look at its contents, so this traffic has to be blocked by the IP:port pair, regardless of the real URL. A crude method, but there is no better solution yet. Fortunately, the registry still mostly contains HTTP addresses.
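To make the two matching modes concrete, here is an added illustration in Python of the decision logic just described: a plaintext HTTP request is matched against the registry by host and path, so other pages on the same server stay reachable, while a TLS connection, whose URL the filter cannot see, is blocked by destination IP:port. This is example code written for this page, not the SCAT product's code; the registry entries, addresses, the block-page URL and the "directory rule ends with a slash" convention are all constructed assumptions.

```python
"""Toy model of the two blocking modes: URL match for plaintext HTTP,
IP:port match for HTTPS. Added illustration, not the SCAT product's code;
registry entries, addresses and the block page are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed registry entries in the rough shape of the RKN list:
# (URL, IP addresses the name resolved to when the entry was published).
REGISTRY: List[Tuple[str, List[str]]] = [
    ("http://blocked.example/forbidden/page.html", ["198.51.100.10"]),
    ("http://blocked.example/forbidden/",          ["198.51.100.10"]),
    ("https://secret.example/",                    ["203.0.113.7"]),
]

# Placeholder address of the explanation page users are forwarded to.
BLOCK_PAGE = "http://block.example.net/why"


@dataclass
class Packet:
    """The fields a DPI box extracts from one client packet."""
    dst_ip: str
    dst_port: int
    http_host: Optional[str] = None   # present only for plaintext HTTP
    http_path: Optional[str] = None
    is_tls: bool = False


@dataclass
class Filter:
    # (host, path) -> registry URL, for plaintext HTTP entries
    url_rules: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # (ip, port) pairs for entries whose URL cannot be inspected (HTTPS)
    ip_port_rules: Set[Tuple[str, int]] = field(default_factory=set)

    @classmethod
    def from_registry(cls, entries: List[Tuple[str, List[str]]]) -> "Filter":
        f = cls()
        for url, ips in entries:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            path = parts.path or "/"
            if parts.scheme == "http":
                f.url_rules[(host, path)] = url
            else:
                # Ciphertext hides the URL, so fall back to the coarse IP:port match.
                port = parts.port or 443
                for ip in ips:
                    f.ip_port_rules.add((ip, port))
        return f

    @staticmethod
    def _path_matches(rule_path: str, path: str) -> bool:
        # Assumed convention: a rule ending in "/" covers the whole directory,
        # any other rule must match the path exactly.
        if rule_path.endswith("/"):
            return path.startswith(rule_path)
        return path == rule_path

    def decide(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return ("pass", None), ("redirect", BLOCK_PAGE) or ("drop", reason)."""
        if (pkt.dst_ip, pkt.dst_port) in self.ip_port_rules:
            return ("drop", "%s:%d is listed for an HTTPS entry" % (pkt.dst_ip, pkt.dst_port))
        if not pkt.is_tls and pkt.http_host is not None:
            host = pkt.http_host.lower()
            path = pkt.http_path or "/"
            for (rule_host, rule_path) in self.url_rules:
                if host == rule_host and self._path_matches(rule_path, path):
                    return ("redirect", BLOCK_PAGE)
        return ("pass", None)


if __name__ == "__main__":
    flt = Filter.from_registry(REGISTRY)
    samples = [
        Packet("198.51.100.10", 80, "blocked.example", "/forbidden/page.html"),
        Packet("198.51.100.10", 80, "blocked.example", "/index.html"),  # same host, allowed page
        Packet("203.0.113.7", 443, is_tls=True),                          # HTTPS: blocked by IP:port
        Packet("203.0.113.7", 80, "secret.example", "/"),                 # same IP, port not listed
    ]
    for p in samples:
        print(p.dst_ip, p.dst_port, p.http_path, "->", flt.decide(p))
```

The second and fourth sample packets are the point of the exercise: with URL matching, an allowed page on a listed host still loads, and an HTTPS entry only ever blocks the listed IP:port pair, so any other site sharing that address and port is caught too, which is exactly the crudeness the paragraph above admits.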

But what is the benefit?

Recall that the goal was not just blocking sites, but also a DDoS protection feature useful to customers.

For a DDoS attack, the attacker prepares a large network of remotely controlled computers (a botnet) and does not need to hide the IP address of any of them. The bots can simply imitate the actions of legitimate site users, but because of the sheer number of participants even such actions put a heavy load on the site and lead to denial of service.

Usually the most resource-intensive requests are chosen, to minimize the number of computers involved in the attack, since their IP addresses will be exposed after the action.

To protect against DDoS attacks, various behavioral strategies are commonly used that detect deviations from a user's normal behavior. The DPI we installed instead uses an approach as simple and effective as a bayonet: a captcha page on which a person must prove they are not a robot, which determines whether the user of the system is a human or a computer.

Taking all this into account, we connected SCAT in the recommended bypass mode, as in the picture.

A separate web cluster in our own cloud was used to check the "humanity" of suspicious users.

Protection works as follows:
  1. When the threshold value (a number of requests per second that is comfortable for the site) is exceeded, protection is activated.
  2. Only users from the whitelist are allowed to work with the site. All others are redirected to the "humanity" check page. This page is hosted on a separate server on the Internet capable of withstanding a botnet of any size.
  3. Users who pass the check are added to the whitelist, after which nothing limits them.
  4. "Bots" that fail the check (or the unlucky) get no further than the check page and create no load on the attacked site.
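The four steps above fit in a few dozen lines, so here is an added Python simulation of that flow (written for this page, not the vendor's code): a sliding-window request rate arms the protection, non-whitelisted clients are sent to the check page, and a client that passes the check is whitelisted and no longer limited. The threshold, the client addresses, the check-page URL and the hysteresis rule used to disarm the protection once the rate drops are constructed assumptions; the page itself does not say when the protection switches off.

```python
"""Simulation of the threshold / whitelist / challenge flow. Added illustration,
not the vendor's code; addresses, threshold and the disarm rule are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Set

CHECK_PAGE = "https://check.example.net/"   # placeholder "humanity" check server


@dataclass
class Gate:
    threshold_rps: float                 # step 1: a rate comfortable for the site
    window_s: float = 1.0                # sliding window used to measure the rate
    whitelist: Set[str] = field(default_factory=set)
    active: bool = False
    _times: Deque[float] = field(default_factory=deque)

    def _rate(self, now: float) -> float:
        """Requests per second over the trailing window, including this request."""
        self._times.append(now)
        while self._times and now - self._times[0] > self.window_s:
            self._times.popleft()
        return len(self._times) / self.window_s

    def handle(self, client_ip: str, now: float) -> str:
        """Return "origin" (passed to the site) or "challenge" (redirected to CHECK_PAGE)."""
        rate = self._rate(now)
        if rate > self.threshold_rps:
            self.active = True                       # step 1: threshold exceeded
        elif rate < self.threshold_rps / 2:
            self.active = False                      # assumed hysteresis for disarming
        if not self.active or client_ip in self.whitelist:
            return "origin"                          # steps 2-3: whitelisted users are unrestricted
        return "challenge"                           # steps 2 and 4: everyone else meets the check page

    def passed_check(self, client_ip: str) -> None:
        """Step 3: the check server reports that this client solved the captcha."""
        self.whitelist.add(client_ip)


def simulate(threshold_rps: float = 5.0) -> Dict[str, object]:
    """Run a quiet phase, then a constructed 20-host botnet burst, and record the verdicts."""
    gate = Gate(threshold_rps=threshold_rps)
    human = "192.0.2.50"                                  # constructed legitimate client
    bots = ["10.0.0.%d" % i for i in range(1, 21)]        # constructed botnet
    result: Dict[str, object] = {}

    # Quiet phase: one request per second from the human, well under the threshold.
    result["quiet_requests_to_origin"] = sum(
        gate.handle(human, float(i)) == "origin" for i in range(3))

    # Attack phase: 20 bots each send one request within 0.2 s.
    t = 3.0
    verdicts = []
    for ip in bots:
        verdicts.append(gate.handle(ip, t))
        t += 0.01
    result["bots_passed_before_trigger"] = verdicts.count("origin")
    result["bots_challenged"] = verdicts.count("challenge")

    # The human is caught by the same rule until the check is passed.
    result["human_during_attack"] = gate.handle(human, t)
    gate.passed_check(human)
    result["human_after_check"] = gate.handle(human, t + 0.01)
    result["whitelisted"] = sorted(gate.whitelist)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "=", value)
```

Two things the simulation makes visible that the list does not: the first few bot requests reach the site before the rate crosses the threshold, so the threshold has to be set with that in mind, and a legitimate user who was not already whitelisted is challenged exactly like a bot during the attack, which is why the check page must be hosted somewhere that can absorb the full botnet load.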

What came of it

The result was a rare case of killing two birds with one stone, since the DDoS protection option is, as expected, popular with our customers.

As a wise saying goes, "if you cannot defeat an enemy, make him your friend." If we, as an operator, cannot avoid installing a "great switch", we would at least like to do it with minimal cost and headache. Besides, Russian software makers offer quite workable DPI solutions for reasonable money. Import substitution in action: there is even a choice.

Source: https://habr.com/ru/post/254853/
