According to an FBK IT consultant, Roskomnadzor uses the IP addresses of hacked devices.
Why does Roskomnadzor fight proxy servers
A proxy server lets a user appear to be somewhere else: the destination sees the proxy's IP address rather than the user's own. This is how Telegram users in Russia keep using the messenger: the request goes to a proxy in another country and from there to Telegram's servers. The TgVPN bot built into Telegram, for example, works this way, with servers in Amsterdam, Frankfurt, Luxembourg, New York, San Francisco and Singapore.
Initially, Roskomnadzor did not fight proxy servers. The agency tried to block access to Telegram by blocking millions of IP addresses. As a result, the addresses of third-party companies ended up in the registry of prohibited resources, and in Russia there were problems accessing Google, Viber, many media outlets and other sites. The agency soon began unblocking addresses and changed tactics.
In January 2019, Roskomnadzor resumed blocking the proxy servers used to reach Telegram. Back in April 2018, the agency had warned proxy server and VPN owners about the coming blocks. Its actions were complicated by two factors: first, proxy servers are not prohibited by law, so there is no legal ground for blocking them; second, it is almost impossible to tell which addresses Telegram uses and which belong to some other company. The first problem was partially solved by Roskomnadzor's demand that proxy owners connect to the registry and cut off access to prohibited resources: those who refuse can be blocked. To solve the second problem, the agency ordered the development of an automatic monitoring system for VPN and proxy servers.
The new method allows Roskomnadzor to point-block Telegram addresses.
Vladislav Zdolnikov, an FBK IT consultant and the author of the Telegram channel “IT criminal cases of SORM Russian”, discovered a new system for tracking and blocking Telegram proxy servers. According to him, the agency identifies the messenger's proxy IP addresses through hacked devices, without the owners of those devices knowing. In an interview, he explained in more detail how the new Roskomnadzor method works.
- Roskomnadzor looks for proxy servers in lists that are openly published on the Runet; a Google search for them turns up several collections for bypassing blocks in Russia. Similar lists can also be bought from the owners of VPN services.
- Roskomnadzor sends requests through public proxy servers to Telegram IP addresses. In effect, the agency checks by trial which proxy servers the messenger uses and which are unrelated to it;
- Zdolnikov published a document listing the addresses of several public proxy servers that the agency uses. Some of them do operate from Russia, from different devices, for example in Krasnodar;
- Zdolnikov says he ran these addresses through Shodan, which reports what device is listening at a given address. In some cases the requests come from MikroTik routers (he cited two examples). Zdolnikov noted that such routers are used for DDoS attacks or for setting up proxy servers without the owners' knowledge, and suggested that Roskomnadzor acts the same way;
- Zdolnikov checked Roskomnadzor's method on his own proxy server, which had previously been blocked. He found that before each of its IP addresses was blocked, it received requests from the customer subnets of various Russian ISPs; some of these came from “hacked” proxy servers.
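The check Zdolnikov describes, reduced to code, as an added example that is not from the article or from Zdolnikov: a proxy operator's own connection log is scanned for sources whose connections carry almost no traffic and whose addresses sit on a public proxy list or inside ISP customer subnets. The log format, the addresses, the subnets and the "public proxy list" below are all constructed for the example; a real operator would substitute their proxy's log and a real list.

```python
"""
Added example, not code from the article or from Zdolnikov: flag sources in a
proxy server's connection log whose behaviour matches the probing the article
describes. Log format, addresses, subnets and the proxy list are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical log line: "<timestamp> <source ip> <bytes in> <bytes out> <seconds>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+(?:\.\d+)?)$")

# Constructed sample log. The 203.0.113.x clients behave like real users;
# the others connect briefly and move almost no data.
SAMPLE_LOG = """\
2019-01-14T10:00:01 203.0.113.5 1200 84000 120.0
2019-01-14T10:00:03 198.51.100.7 0 0 0.4
2019-01-14T10:00:05 198.51.100.7 0 0 0.3
2019-01-14T10:00:08 192.0.2.44 0 0 0.5
2019-01-14T10:00:09 203.0.113.9 900 52000 95.0
2019-01-14T10:00:12 192.0.2.44 64 0 0.2
2019-01-14T10:00:15 198.51.100.8 0 0 0.3
"""

# Constructed stand-in for a public proxy list of the kind the article mentions.
PUBLIC_PROXY_LIST = {"198.51.100.7", "192.0.2.44"}

# Constructed stand-in for ISP customer ranges.
USER_SUBNETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Conn:
    ts: str
    src: str
    bytes_in: int
    bytes_out: int
    seconds: float


def parse_log(text):
    """Parse the hypothetical log format; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            conns.append(Conn(m.group(1), m.group(2), int(m.group(3)),
                              int(m.group(4)), float(m.group(5))))
    return conns


def is_probe(c, max_seconds=2.0, max_bytes=128):
    """A probe-like connection is short and moves almost no data either way."""
    return c.seconds <= max_seconds and c.bytes_in + c.bytes_out <= max_bytes


def summarize(conns, public_list=PUBLIC_PROXY_LIST, user_subnets=USER_SUBNETS):
    """Per-source summary: connection count, probe-like count, list and subnet membership."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    report = {}
    for src, cs in by_src.items():
        addr = ipaddress.ip_address(src)
        report[src] = {
            "connections": len(cs),
            "probe_like": sum(1 for c in cs if is_probe(c)),
            "on_public_proxy_list": src in public_list,
            "in_user_subnet": any(addr in net for net in user_subnets),
        }
    return report


def suspected_probe_sources(report):
    """Sources where every connection looks like a probe and the address is
    either on a public proxy list or inside a customer subnet."""
    return sorted(
        src for src, r in report.items()
        if r["probe_like"] == r["connections"]
        and r["probe_like"] > 0
        and (r["on_public_proxy_list"] or r["in_user_subnet"])
    )


if __name__ == "__main__":
    rep = summarize(parse_log(SAMPLE_LOG))
    for src in suspected_probe_sources(rep):
        print(src, rep[src])
```

The thresholds in `is_probe` are arbitrary and will also catch ordinary failed connections, so the output is a shortlist to investigate, not proof of probing. The article's strongest signal, that the requests arrived shortly before each address was blocked, needs the block timestamps as well, which this example does not have.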
What harm the new Roskomnadzor method can do
According to Zdolnikov, Roskomnadzor uses public proxy servers without their owners' knowledge, which can make those devices slower and worse at passing traffic.
I am sure that none of the people on whose devices these proxies are running even know about it. Well, except that their internet has slowed down because the proxy server consumes bandwidth and CPU.
Vladislav Zdolnikov, author of the Telegram channel “IT criminal cases SORM Russian”
In his opinion, Roskomnadzor acts hypocritically by using the very proxy servers it blocks: “The state body uses the hacked devices of unsuspecting owners for its own purposes, including the purpose of blocking other resources.”
Roskomnadzor's actions theoretically fall under Article 272 of the Criminal Code of the Russian Federation (Unlawful access to computer information). It contains a provision on unauthorized access to legally protected information committed out of mercenary interest, which is punishable by a fine of up to 300,000 rubles.