Users from Russia complain about the inaccessibility of the Telegram messenger
Yesterday, some users in the Russian-speaking segment of the Internet found Telegram inaccessible, Kommersant writes. A little later, reports appeared online about other sites that had also somehow become blocked, although these resources had never been included in Roskomnadzor's "blacklist". Once experts began looking into the problem, it turned out that the cause was a vulnerability in the site-blocking system used by Roskomnadzor.
An entry in the agency's registry consists of three elements: a domain, a URL, and an IP address. Roskomnadzor only adds a site to the list of prohibited sites; it is the providers that must then block access to such resources. But because there are no regulations on how to restrict access to sites, providers choose the blocking method themselves, mainly by the IP from the registry or by the current IP from DNS.
Information security specialists have repeatedly told Roskomnadzor that such a system is imperfect and prone to problems. However, the blocking method was left unchanged, which led to the current problems.
List of IPs added to the DNS of the domain dymoff.space
The owner of the domain dymoff.space, which is blocked in the Russian Federation, entered the IP addresses of many third-party resources into its DNS records, among them the IP addresses of Telegram servers. As a result, resources at these IPs became inaccessible to some Russian users, as if they too had been blocked. The IP addresses entered by the owner of the blocked domain belong not only to Telegram, but also to other services and sites:
- 1tv.ru
- badoo.com
- pikabu.ru
- ok.ru
- nic.ru
- rzd.ru
- atlas ripe
- ocsp.comodoca.ru (CA OCSP Responder)
- rtcomm.nag.ru
- mail.ru
- rbc.ru
- booking.com
- skbkontur.ru
- vasexperts.ru
- ntv.ru
- vk.com
- office 365
- facebook.com
- reg.ru
- sipnet.ru
- rfc-revizor.ru
Cybersecurity experts now warn that the incident could be repeated. Some of the domains previously blocked by Roskomnadzor are freely available and can be registered (though most were registered once the DNS manipulation became known). If the A records are then modified accordingly in a zone controlled by the owner of a blocked domain, this can cause Runet users problems accessing many more resources. It has been suggested that blocked domains will soon even be sold because, as it turned out, this is quite a powerful tool that makes it possible to close access to almost any resource.
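As an added illustration (not code from the article or from any provider), the sketch below shows a provider-side guard for the "current IP from DNS" blocking method: DNS answers for a blocked domain are checked against an allowlist of protected networks and a cap on the A-record count before they become block rules. The networks, the cap and the function name are assumptions, and all addresses are constructed from documentation ranges.

```python
import ipaddress

# Assumed operator allowlist: networks that DNS-derived rules may never block.
# Documentation ranges stand in for real critical services (constructed data).
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Addresses that make no sense as a public site's A record.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MAX_A_RECORDS = 8  # assumed cap; a larger answer set is held for manual review


def vet_resolved_ips(registry_ips, resolved_ips, max_records=MAX_A_RECORDS):
    """Return (to_block, rejected) for one blocked domain.

    registry_ips - addresses listed for the domain in the registry entry
    resolved_ips - addresses the domain's A records return right now,
                   i.e. data fully controlled by the domain owner
    """
    registry = {ipaddress.ip_address(ip) for ip in registry_ips}
    to_block, rejected = set(registry), {}
    flood = len(set(resolved_ips)) > max_records
    for raw in resolved_ips:
        ip = ipaddress.ip_address(raw)
        if ip in registry:
            continue  # already covered by the registry entry itself
        if any(ip in net for net in PROTECTED_NETS):
            rejected[raw] = "protected network"
        elif any(ip in net for net in NON_ROUTABLE):
            rejected[raw] = "non-routable address"
        elif flood:
            rejected[raw] = "A-record count over cap"
        else:
            to_block.add(ip)
    ordered = sorted(to_block, key=lambda a: (a.version, int(a)))
    return [str(ip) for ip in ordered], rejected


if __name__ == "__main__":
    # Constructed answers: one registry IP, one new host, three injected ones.
    answers = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.50", "10.0.0.1"]
    block, skipped = vet_resolved_ips(["192.0.2.10"], answers)
    print("block:", block)
    for ip, why in skipped.items():
        print("skip :", ip, "-", why)
```

Rejected addresses are returned with a reason so they can be logged and reviewed instead of being silently dropped.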
“This is an excellent illustration of how an unsuccessful design of the blocking system can be exploited [...],” said Alexander Lyamin, CEO of Qrator, which deals with protection from DDoS attacks.

According to the statistics of the service “Every failure”, from 13:00 to 22:00 on June 4 some users could not reach sites such as Yandex, VKontakte, Wikipedia, “Classmates” and other resources.