How Internet holdings in Russia were attacked

“Yandex” and a number of other Internet holding companies were subjected to a powerful network attack, RBC has found.

The attack used a technique that exploits a vulnerability in Roskomnadzor's website-blocking system.

How were the online holdings attacked?

A few days ago, attackers carried out a DNS attack (spoofing of records in the Domain Name System) against a number of major Russian resources; one of the main victims was “Yandex”. RBC was told this by a source in one of the industry associations, a technical specialist at a large telecom operator, and an Internet holding.

“This [was] the exploitation of existing gaps in how the block list is applied. Any company and any site can suffer from such actions, not only “Yandex”,” a representative of the “Yandex” press service told RBC, confirming the incident.

The DNS attack exploits a vulnerability in Russia's existing website-blocking system, which is overseen by Roskomnadzor. In such an attack, someone who owns a domain name included in the register of banned sites can associate it with the IP address of any other site and thereby get that site blocked.

In the recent attack, a number of small operators blocked access to certain “Yandex” IP addresses, while large companies that use deep packet inspection (DPI) systems to block content were forced to pass all traffic to “Yandex” services through them, which greatly reduced the speed of access for users, a source at an operator explained and a source at “Yandex” confirmed. DPI performs in-depth analysis of all packet traffic passing through the system, which makes it possible to identify a particular web application or website and, if necessary, to prohibit access to it.

According to one of RBC's sources, “Yandex” technical specialists repelled the attack for several days. “The blocking of sites was avoided, but the attack did not go unnoticed: active users of the company's services noticed a decrease in the speed of access to them,” said a source in the company.

A technical specialist at a large telecom operator claims that the attack was also aimed at some media outlets, RBC in particular. Kirill Titov, digital director of RBC's B2C division, confirmed that the company recorded this attack on 11 March: “There was a problem with the network availability of RBC sites, and the speed of access to the company's sites decreased for part of the audience. The criminals, as in 2017, took advantage of a vulnerability that allows the IP address of any other legitimate resource to be assigned to a domain from the registry of banned sites, and thus tried to block it. Blocking was avoided, as major ISPs now use more intelligent content-blocking systems, DPI in particular; however, we believe that the passage of packets from the user to the site through these systems affects the speed of access to it.”

How dangerous is a DNS attack?

The vulnerability in Roskomnadzor's site-blocking system became known in June 2017: attackers used it to periodically block access to the sites of major Russian banks over several days. Since then, no such attacks had been reported.

Market participants say that over the past two years Roskomnadzor has not eliminated the vulnerability in the system for blocking restricted resources in Russia. “On the contrary, there is now practically an underground market for domains from the register of banned sites, which can be bought specifically for DNS attacks; the spoofing of IP addresses for those domains is performed manually and not automated by the attackers,” said one of RBC's sources.

This information was confirmed by Qrator Labs CEO Alexander Lyamin. “Domain names included in Roskomnadzor's registry of banned sites have recently become easy to buy on the darknet (a closed segment of the Internet. — RBC), in particular for carrying out DNS attacks. They cost practically nothing, are useless for any other purpose and are practically inexhaustible. Accordingly, very few resources are needed to carry out this attack,” said Lyamin.

Yaroslav Kargali, deputy head of the incident response center at the cybersecurity company Group-IB, noted that since 2017 demand for purchasing blocked domains has been quite high, including deliberately for political purposes. In addition, according to him, users have posted lists of free domains that are in the register of banned sites.

A representative of the “Yandex” press service says that Roskomnadzor has already developed several tools to protect companies, including “Yandex”, from accidentally ending up in such a situation: the agency has proposed the use of “white lists”, lists of sites that must not be blocked under any circumstances. “This is the right approach, but it is not enough. It is necessary to make the use of “white lists” mandatory for all operators when applying the list of resources to block,” said the “Yandex” representative.
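The “white list” safeguard described above, sketched as an added example (not code from Roskomnadzor, “Yandex” or any operator): a blocklist builder that turns registry domains into IP block rules but refuses any address inside a protected network and records an alert instead. All function names, domains and addresses are constructed placeholders, and the DNS answers are embedded rather than looked up.

```python
import ipaddress

# Constructed sample data: documentation address ranges and .example names.
# PROTECTED_NETWORKS plays the role of the operator's "white list".
PROTECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
REGISTRY_DOMAINS = ["banned-a.example", "banned-b.example", "banned-c.example"]
# What the operator's resolver returned for each registry domain (constructed).
# banned-b.example has had a record pointed at a protected service.
RESOLVED = {
    "banned-a.example": ["203.0.113.10"],
    "banned-b.example": ["198.51.100.7", "203.0.113.99"],
    "banned-c.example": ["not-an-ip"],
}


def build_block_rules(domains, resolved, protected):
    """Return (ips_to_block, alerts).

    An address that falls inside a protected network is never blocked;
    the registry domain that produced it is reported for review instead.
    Unparseable answers are reported too, never passed to the filter.
    """
    to_block, alerts = set(), []
    for domain in domains:
        for raw in resolved.get(domain, []):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                alerts.append((domain, raw, "invalid address"))
                continue
            hit = next((net for net in protected if ip in net), None)
            if hit is not None:
                alerts.append((domain, str(ip), f"protected {hit}"))
                continue
            to_block.add(str(ip))
    return sorted(to_block), alerts


if __name__ == "__main__":
    rules, alerts = build_block_rules(REGISTRY_DOMAINS, RESOLVED, PROTECTED_NETWORKS)
    print("block:", rules)
    for alert in alerts:
        print("alert:", alert)
```

The alerts are the useful signal for the operator: a registry domain that suddenly resolves into a protected network is a sign that its records have been repointed.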

In addition, DPI systems at large communications providers helped avoid the blocking of sites during the latest attack; however, according to experts, installing such systems across the entire channel and analyzing absolutely all traffic is expensive and also slows users' access to sites.

“It is theoretically possible to pass all traffic through DPI equipment, but the cost is astronomical, and abnormal loads can still cause various delays. I would say that right now no one can afford to analyze absolutely all passing traffic. All major operators currently use DPI to analyze only the part of the traffic that they consider potentially dangerous. In addition, a possible future network attack would already be aimed at DPI,” says Philip Kulin, CEO of the provider Diphost. According to him, installing DPI for even partial traffic analysis will cost large telecom operators billions of rubles, and analyzing absolutely all traffic will cost even more.

Does the attack have a political subtext?

The “Yandex” representative did not say who could be behind the attack. Two of RBC's sources at operators point out that this attack coincided with a rally against the isolation of the Runet, which was held in Moscow on March 10.

Two RBC sources say that operators and representatives of Internet companies recently discussed the attack at a closed meeting in the Federation Council devoted to the draft law on the sovereign Runet, the stated purpose of which is to ensure stable operation of the Russian segment of the Internet in the event of disconnection from the infrastructure of the global network.

According to two sources who took part in the meeting, market players tried to convey to the authors of the bill that the proposal to transfer powers to manage the Runet to Roskomnadzor in the event of any critical situation is questionable. As an example, they cited the fact that for several years the agency has been unable to fix the vulnerability in the website-blocking system or to solve the problem of the network attacks that arise from it.

In addition, the meeting participants criticized the operation of DPI systems, noting that passing large volumes of traffic through them significantly slows access to sites, as was demonstrated by “Yandex” services during the recent network attacks, two participants of the meeting told RBC. However, the installation of such traffic-filtering systems on the networks of all operators is also provided for in the text of the bill on the sovereign Runet.

Roskomnadzor did not respond to RBC's request; representatives of MTS and “VympelCom” declined to comment. A representative of “MegaFon” said that the company “did not record any attacks or problems for subscribers for these reasons”.