“Does the whole structure cause an ‘iciness, a sickening of the heart, a dreariness of thought’?”
  “Mr. Bigelow, it’s worth every penny! My God, it’s beautiful!”

Monitoring of Roskomnadzor's Register of Prohibited Sites

A furore Roskomnadzoris libera nos, Domine

I monitor the Roskomnadzor dump (the part of the blacklist that is distributed to Russian internet providers) in real time and count the IP-address entries, including subnets, if any. The resulting graphs show the totally blacklisted IP addresses (as per Roskomnadzor's demand). This type of block, IP blacklisting (as opposed to URL blacklisting), is what Roskomnadzor uses to block the Telegram and Zello apps in Russia.
... Roskomnadzor does not comment on rumors ...

Roskomnadzor added 329 IPs of WhatsApp, 180 IPs of Akamai and some IPs of Russian hosters to the blocklist on 17 May 2018 at 14:14 MSK. The "mistake" was corrected on 17 May 2018 at 15:19 MSK.

The situation was similar to the one that occurred on the night of April 27th. I'd also like to highlight that making the blocking system dependent on an untrusted external data source is probably Roskomnadzor's favorite trouble.

Roskomnadzor denies everything:

Caedite eos. Novit enim Dominus qui sunt eius

28 Apr 2018, 13:27 MSK: 3 subnets were removed from the dump: 2.192.0.0/11 (Amazon), 54.160.0.0/12 (Amazon), 91.121.0.0/16 (OVH). They contain slightly over 3 million addresses.

As part of the enforcement of the court decision on Telegram, the Russian Federal Service for Supervision of Communications (Roskomnadzor) unblocks three subnets belonging to foreign hosting providers, in order to avoid access issues related to law-abiding resources. The Telegram IP addresses within these subnets, however, have been detected and remain blocked.

So I took a look at how many addresses had been detected and remain blocked: it's 18 of 3 million. They kept 3 million IPs blocked to restrict just 18 of them. Here they are: 52.213.9.239, 54.165.90.185, 54.174.213.153, 52.204.174.82, 52.207.227.151, 52.221.241.122, 91.121.67.146, 91.121.117.21, 52.213.9.239, 52.192.131.204, 52.199.159.6, 52.221.190.123, 52.221.241.122, 52.201.243.124, 52.204.174.82, 54.165.90.185, 54.169.62.158, 54.174.213.153. Currently, a total of over 14 million IPs remain blocked.


08 May 2018, 14:36 MSK: 6 subnets were removed from the dump: 35.208.0.0/12 (Google Cloud), 35.224.0.0/12 (Google Cloud), 35.184.0.0/13 (Google Cloud), 139.59.0.0/16 (Digital Ocean), 23.251.128.0/19 (Google Cloud). They contain slightly over 3.7 million addresses.

As part of the enforcement of the court decision on Telegram, the Russian Federal Service for Supervision of Communications (Roskomnadzor) unblocks six subnets belonging to Google (more than 3.7 million addresses). The Telegram IP addresses within these subnets, however, have been detected and remain blocked.

So I took a look at how many addresses had been detected and remain blocked. It's 354 of 3.7 million: there are 14 addresses from the DigitalOcean subnet and 340 from Google. They kept 3.7 million IPs blocked to restrict just 354 of them. Currently, a total of over 10 million IPs remain blocked.

Nota bene: the latest introduction of Google IP subnets to the blocklist happened on the 27th of April. The latest DigitalOcean subnets were introduced on the 2nd of May. So Roskomnadzor got no new data, and no visible work was done to make the detection itself more precise than before. It's obvious to me that those large subnets were blocked as "hostages".
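The counting and the before/after comparison described above, as an added example that is not the code behind these graphs. The two dumps are constructed miniatures that reuse two subnets and five addresses quoted above, plus one documentation address.

```python
import ipaddress

# Constructed miniature dumps (not real dump contents).
BEFORE = ["54.160.0.0/12", "91.121.0.0/16", "54.165.90.185", "54.169.62.158",
          "54.174.213.153", "91.121.67.146", "91.121.117.21", "203.0.113.7"]
AFTER = [e for e in BEFORE if "/" not in e]   # both subnets dropped

def parse_dump(entries):
    """Turn dump entries (single IPv4 addresses or CIDR subnets) into networks."""
    nets = set()
    for entry in entries:
        entry = entry.strip()
        if entry:
            # strict=False tolerates entries with host bits set, e.g. 10.1.2.3/16
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets

def covered_addresses(nets):
    """Count unique addresses; overlapping and adjacent entries are merged first."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def leftovers(before, after):
    """Map each subnet dropped between two dumps to the narrower entries
    that the newer dump still lists inside it."""
    result = {}
    for gone in sorted(before - after):
        if gone.prefixlen == gone.max_prefixlen:
            continue  # a removed single address cannot contain anything
        result[gone] = sorted(n for n in after if n.subnet_of(gone))
    return result

def still_blocked_share(gone, kept):
    """Fraction of a dropped subnet that stays blocked through narrower entries."""
    return covered_addresses(kept) / gone.num_addresses

if __name__ == "__main__":
    before, after = parse_dump(BEFORE), parse_dump(AFTER)
    print("blocked before:", covered_addresses(before))
    print("blocked after: ", covered_addresses(after))
    for gone, kept in leftovers(before, after).items():
        print(f"{gone}: {len(kept)} of {gone.num_addresses} still listed "
              f"({still_blocked_share(gone, kept):.6%})")
```

Merging before counting matters because a dump that lists both a subnet and single addresses inside it would otherwise count those addresses twice.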


... not sent to ISPs for filtering

Roskomnadzor added some IPs of Yandex, VKontakte and MSK-IX to the blocklist at midnight of the 27th of April. The "mistake" was corrected at 02:00.

The short-lived presence of some social network IP addresses in the registry is caused by implementation details. Those IP addresses were not sent to ISPs for filtering.

I have to disappoint Roskomnadzor: there is no telepathy. We know those IP addresses from the dump that was sent to ISPs for filtering. The implementation detail is that the system works in automatic mode and is based on an external data source. So a malicious actor can, in some cases, "poison" the system by pushing fake data through a data source he controls. I pointed that out in early April 2018 (in Russian). I'd also like to highlight that making the blocking system dependent on an untrusted external data source is probably Roskomnadzor's favorite trouble.
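A defensive gate against the failure mode described above, as an added example that is not code from this page or from the blocking system itself: addresses arriving from an external source are vetted before they become block entries. The protected networks, the two caps and all sample data are hypothetical or constructed.

```python
import ipaddress

# Hypothetical policy: networks that must never be blocked automatically, and caps.
PROTECTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
MAX_PER_RESOURCE = 16   # one listed resource should not yield hundreds of addresses
MAX_NEW_PER_RUN = 64    # above this growth the whole batch waits for a human

def is_special(ip):
    """Addresses that never make sense as block targets on the public Internet."""
    return (ip.is_private or ip.is_loopback or ip.is_multicast or
            ip.is_reserved or ip.is_link_local or ip.is_unspecified)

def vet(candidates, already_blocked):
    """candidates: {resource: [address strings]} from the untrusted source.
    Returns (accepted addresses, {address or resource: reason}, hold_for_review)."""
    accepted, rejected = set(), {}
    for resource, addresses in candidates.items():
        if len(addresses) > MAX_PER_RESOURCE:
            rejected[resource] = "too many addresses for one resource"
            continue
        for text in addresses:
            try:
                ip = ipaddress.IPv4Address(text)
            except ipaddress.AddressValueError:
                rejected[text] = "not an IPv4 address"
                continue
            if any(ip in net for net in PROTECTED):
                rejected[text] = "inside a protected network"
            elif is_special(ip):
                rejected[text] = "special-purpose address"
            else:
                accepted.add(ip)
    hold = len(accepted - already_blocked) > MAX_NEW_PER_RUN
    return accepted, rejected, hold

# Constructed input: one plausible answer set and three suspicious ones.
CANDIDATES = {
    "a.example": ["91.121.67.146", "54.165.90.185"],
    "b.example": ["198.51.100.10"],
    "c.example": ["127.0.0.1", "10.1.2.3", "not-an-ip"],
    "d.example": [str(ipaddress.IPv4Address("91.121.0.0") + i) for i in range(300)],
}

if __name__ == "__main__":
    ok, bad, hold = vet(CANDIDATES, set())
    print(sorted(map(str, ok)), bad, "hold" if hold else "apply")
```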


Roskomnadzor partly blocks some Google websites
8 May 2018: all bans on Google websites were removed from the dump. The maximum number was 53.
15 May 2018: two IPs of Google websites were banned again.
18 May 2018: all bans on Google websites were removed from the dump again.

I try to reverse-engineer Google's load balancing based on client subnets to get the IP addresses used by the frontends that serve Russian traffic for a pre-defined list of Google websites. I compare those scraped IP addresses with the IP addresses in the blacklist dump and add the matches to the list of websites.

There are at least ... IP addresses in the dump out of ... IP serving following websites: ... (get IPs)

Roskomnadzor denies everything

«Telegram went down by 77%»
The number of Telegram impressions went down by 76,5% as of the 23rd of April compared to the 16th, according to the «Medialogiya» company. The 16th was the day when blocking actually started.
The published statistics are incorrectly collected (in the best case) or consciously manipulated to get nice numbers (in the worst one). There is no reason to discuss Medialogiya publishing such data or Roskomnadzor citing the data a few hours after the publication. Let's just look at the numbers, let's be objective.
Combot.click — the largest Telegram-marketing company in Russian segment

You can also read a quite conservative analysis written by Meduza (in Russian).

I'd like to add that Combot is probably the absolute leader in collecting statistics on Telegram groups and channels, at least within the Russian market segment. I'd prefer to avoid commenting on that statement by Roskomnadzor.


«... it's the responsibility that's not OK»
This information does not match reality. It's just like «someone called me and told me — so that's the truth». I can say for sure that 99.9% of the cases show no, technically speaking, FUBAR incidents with anything besides Telegram itself.

My colleague Leonid Evdokimov counted the number of domains in the .RU, .РФ and .SU zones whose "A" DNS resource records point to blocked networks. Thanks to Alexey from the awesome beget for the domain statistics!

We understand that there are TLDs besides those three, and that there are abandoned domains, parked domains and mirrors. But we still consider it correct to estimate the shape and volume of the Runet tragedy using those zones. Here are the underestimated numbers of affected domains according to the blacklist dump dated 2018-04-20 11:13:00 +0000:

  • RU: 31440
  • РФ: 1856
  • SU: 560
  • Total: 33856
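The comparison described above (addresses obtained by scraping or resolving, checked against the dump) together with the per-zone count, as an added example that is not the code used for these measurements. The dump, the names and their A records are constructed, and the index by prefix length is one possible lookup method.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not real dump or zone contents).
DUMP = ["54.160.0.0/12", "91.121.0.0/16", "203.0.113.7"]
A_RECORDS = {
    "shop.example.ru": ["91.121.10.20"],
    "blog.example.ru": ["198.51.100.5"],
    "forum.example.su": ["54.170.1.1", "198.51.100.6"],
    "xn--e1afmkfd.xn--p1ai": ["203.0.113.7"],     # IDN name in the .РФ zone
}

def build_index(entries):
    """Index IPv4 dump entries as {prefix length: set of network addresses (int)}."""
    index = {}
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        index.setdefault(net.prefixlen, set()).add(int(net.network_address))
    return index

def blocking_entry(ip, index):
    """Return the broadest dump entry that covers ip, or None if none does."""
    value = int(ipaddress.IPv4Address(ip))
    for prefixlen in sorted(index):               # largest subnets first
        mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
        if value & mask in index[prefixlen]:
            return ipaddress.ip_network((value & mask, prefixlen))
    return None

def affected_by_tld(a_records, index):
    """Count names with at least one A record inside a dump entry, per TLD.
    Also returns {name: {address: covering entry}} for the affected names."""
    counts, hits = Counter(), {}
    for name, addresses in a_records.items():
        found = {ip: blocking_entry(ip, index) for ip in addresses}
        found = {ip: net for ip, net in found.items() if net is not None}
        if not found:
            continue
        hits[name] = found
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld.startswith("xn--"):                # show IDN zones in Unicode form
            tld = tld.encode("ascii").decode("idna")
        counts[tld] += 1
    return counts, hits

if __name__ == "__main__":
    counts, hits = affected_by_tld(A_RECORDS, build_index(DUMP))
    print(dict(counts), "total:", sum(counts.values()))
```

One set lookup per prefix length present in the dump replaces a scan over every entry, which keeps a survey of a whole zone fast.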

2018.04.24: ROCIT reports that it received 2250 complaints about carpet IP blocking within 15 hours of hotline operation (in Russian).

Up-to-date list of domain names, pointing to blocked subnets.


I continuously resolve all domains from the dump (the part of the blacklist that is distributed to Russian internet providers). The full survey takes about 5-6 minutes. The graph shows the total number of unique IPv4 addresses received as a result of resolving. In other words, these are the actual IPv4 addresses from the real world (as opposed to the frozen addresses in the blacklist) for domains from the dump. These measurements would indicate routing table overflow and possible Internet service disruption.
Here I want to say "hi" to Roskomnadzor. As of April 24 2018 the Registry of Prohibited sites lists 5136 domains open for registration.
It took my greetings a year to reach Roskomnadzor. Roskomnadzor started updating domain-related information in the register on the 23rd of April, 2018. As of May 10 2018 the Registry of Prohibited sites lists 2254 domains open for registration.