Experts are well aware that the blocking mechanism has a serious vulnerability, which allows arbitrary IP addresses to be added to the blocking registry. To carry out the attack, one points the DNS records of any blocked domain at the target IP addresses one wants "blocked". This is easy to do because many blocked domains are released for new registration. Qrator Labs CEO Alexander Lyamin says that on the darknet, domains from the registry even form a dedicated product category, specifically for conducting such DNS attacks. These domains are quite cheap.
Over the past five years, this vulnerability has been exploited repeatedly; a particularly large wave of attacks took place in 2017, and the topic was discussed on Habr at the time.
Despite the rather trivial nature of the attack, Roskomnadzor has still not closed the vulnerability. Another victim of false blocking was Yandex, RBC has learned.
A spokesman for Yandex confirmed the incident and said that any company could suffer from such actions: “This [was] the exploitation of the existing flaws in the mechanism for applying the block list”.
Yandex engineers repelled the attack for several days, RBC writes: "Blocking of the sites was avoided, but the attack did not go unnoticed: active users of the company's services noticed a decrease in the speed of access to them," said a source at the company.
Roskomnadzor adds a site to the registry, and a registry entry consists of three elements: a domain, a URL and an IP address. Each provider then decides for itself how to block access to the site; there is no regulation on this. For example, a provider can block a resource by the IP address found in its DNS record.
This is what happened now: a number of small operators blocked access to some of Yandex's IP addresses, while large operators that use DPI systems to block content were forced to pass all traffic to Yandex services through them, which significantly reduced the speed of access to those resources for users.
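The mechanism described above, as an added illustration that is not part of the original article: a provider that derives its IP blocklist from the current DNS answers of listed domains can be steered into blocking an unrelated address, whereas a policy that blocks only the IP recorded in the registry entry and flags any resolution drift for review is not. The registry entry and DNS answers below are constructed, not real data.

```python
# Added example (not from the article): simulation of DNS-driven blocking versus
# registry-only blocking with drift detection. All data below is constructed.
import ipaddress

# Constructed registry entry with the three elements the article names.
REGISTRY = [
    {"domain": "blocked-example.test",
     "url": "http://blocked-example.test/",
     "ip": "203.0.113.10"},
]

# Constructed DNS answers: the listed domain has been re-registered and now
# also resolves to an address belonging to an unrelated, legitimate service.
DNS = {
    "blocked-example.test": ["203.0.113.10", "198.51.100.7", "not-an-ip"],
}


def _valid_ips(candidates):
    """Yield only syntactically valid IP addresses, ignoring garbage answers."""
    for ip in candidates:
        try:
            ipaddress.ip_address(ip)
            yield ip
        except ValueError:
            continue


def naive_blocklist(registry, dns):
    """Block every address a listed domain currently resolves to.
    This is the behaviour that lets a re-registered domain drag
    arbitrary IP addresses into the provider's block set."""
    blocked = set()
    for entry in registry:
        blocked.update(_valid_ips(dns.get(entry["domain"], [])))
    return blocked


def registry_only_blocklist(registry, dns):
    """Block only the IP recorded in the registry entry itself, and report
    any DNS answer that differs from it for human review instead of acting
    on it automatically. Returns (blocked_ips, drift_events)."""
    blocked = set()
    drift = []
    for entry in registry:
        blocked.add(entry["ip"])
        for ip in _valid_ips(dns.get(entry["domain"], [])):
            if ip != entry["ip"]:
                drift.append((entry["domain"], ip))
    return blocked, drift
```

The drift list is what an operator would want surfaced: a listed domain suddenly resolving to an address that was never in the registry is the signature of the attack the article describes.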
In addition to Yandex, the sites of several major media outlets, including RBC, suffered: "There were problems with the network accessibility of RBC's sites; the speed of access to the company's sites decreased for a portion of the audience. The attackers, as in 2017, took advantage of the vulnerability that allows the IP address of any other respectable resource to be assigned to a domain from the registry of prohibited sites, and thus tried to block it. Blocking was avoided, as large providers now use more intelligent content-blocking systems, in particular DPI, but we believe that passing packets from users to the site through these systems affects the speed of access to it," explained Kirill Titov, Digital Director of RBC's B2C direction.