A Russian ISP confirms Roskomnadzor’s Twitter-blocking blooper

By | March 11, 2021

Last night, a confidential source at a Russian ISP contacted Ars with confirmation of the titanic mistake Roskomnadzor—Russia’s Federal Service for Supervision of Communications, Information Technology, and Mass Media—made when attempting to punitively throttle Twitter’s link-shortening service t.co.

Our source tells us that Roskomnadzor distributes to all Russian ISPs a hardware package that must be connected just behind that ISP’s BGP core router. At their small ISP, Roskomnadzor’s package includes an EcoFilter 4080 deep package inspection system, a pair of Russian-made 10Gbps aggregation switches, and two Huawei servers. According to our source, this hardware is “massive overkill” for its necessary function and their experienced traffic level—possibly because “at some point in time, government planned to capture all the traffic there is.”

Currently, the Roskomnadzor package does basic filtration for the list of banned resources—and, as of this week, has begun on-the-fly modifications of DNS requests as well. The DNS mangling also caused problems when first enabled—according to our source, YouTube DNS requests were broken for most of a day. Roskomnadzor eventually plans to require all Russian ISPs to replace the real root DNS servers with its own, but that project has met with resistance and difficulties.

The throttling Roskomnadzor applied yesterday could better be described as a tarpit—as seen in screenshots above, it caused downloads from all affected domains to crawl along at only a few kilobytes per second. This renders affected domains effectively unusable, but it could also be considered an attack against the servers on those domains. Maintaining TCP/IP connections consumes memory and CPU resources on connected servers, which are often in shorter supply than raw bandwidth, and it seems likely that Roskomnadzor hoped for a negative impact on Twitter itself, as well as its own citizens.

As reported yesterday and confirmed by our source above, however, the tarpit attack did not only affect Twitter’s t.co domain as intended—it affected all domains that included the substring t.co, for example microsoft.com and Russian state-operated news site rt.com. As you can see in the screenshots, a sample document that normally downloaded from Microsoft in a quarter of a second required well over ten minutes to download from behind the Roskomnadzor filtering apparatus.

According to our source, the mistaken block string was finally corrected with proper match limiting at around 4 am Eastern time today—Twitter’s t.co is still affected as intended, but Microsoft, Russia Today, and other “collateral damage” sites can once again be browsed at full speed.

Listing image by Roskomnadzor