
Why Russia’s state censor is full of baloney when it blames ‘DDoS attacks’ for widespread disruptions to social network access

Source: Meduza

Access to a whole host of popular online services, including the messengers WhatsApp and Telegram, suddenly crashed in Russia on Wednesday, August 21. The federal government’s media regulator, Roskomnadzor, immediately commented on the outage, claiming that the cause was a massive distributed denial-of-service attack, but Internet experts aren’t impressed with the agency’s explanation. This is at least the third major disruption to Russians’ Telegram access since the start of the month, following similar outages reported on August 12 and 19. Then as now, experts argue that the state authorities are likely testing their capacity to block Telegram. Meduza spoke to a member of the Internet freedom project Roskomsvoboda (on the condition of anonymity) to find out what could be behind Russians’ increasingly wobbly Internet access.

The two best explanations for Russia’s recurring, widespread social media outages 

  1. State officials are blocking specific IP addresses, targeting a range that belongs to content delivery networks: Online platforms like Slack, Telegram, and WhatsApp that rely on cloud-computing services from companies like Cloudflare, Amazon Web Services, and Microsoft Azure can become unavailable if their IP addresses are blocked. (When the Russian government tried to block Telegram between 2018 and 2020, the censor’s attempts sometimes knocked out access to popular cloud services and caused significant collateral damage.)
  2. Like in Iran, Russian state officials are blocking encrypted, “unidentified traffic”: The state censor is likely experimenting with tools to filter out the traffic it can’t identify, but using particular “blocking patterns” to cut off such traffic also knocks out access to domestic services and apps that never fully complied with the “sovereign Internet” law adopted in 2019 requiring all major companies to move their infrastructures to servers inside Russia.

In other words, the federal censor probably either blocked the IP addresses used by many major online services in Russia or blocked a certain traffic pattern that much of the RuNet uses.

Meduza’s source at Roskomsvoboda says it’s no surprise that the Russian authorities would try again to block Telegram. The federal censor is already blocking Signal and throttling YouTube for distributing content beyond the authorities’ control. In the current Internet service outages, Telegram — not WhatsApp — seems to be the likeliest target, given that access to Telegram crashed at exactly midnight, Moscow time, on August 19. “This suggests that drills might be happening on how to block Telegram,” Meduza’s source speculates. 

Some observers have suggested that targeting Telegram is unexpected in light of the network’s past decisions to limit access to bots and channels associated with the anti-Kremlin opposition while pro-government material flourishes on the network. But Meduza’s Roskomsvoboda source says most cases in which Telegram blocks content involve “automatic filtration,” where enough complaints filed with the network trigger a suspension that is later lifted (such as anti-Israeli posts that contributed to pogroms in Dagestan last October and protest information that circulated in Ufa this January).

“Is it possible that Telegram acts maliciously, that FSB agents call [founder Pavel] Durov and ask him, ‘Hey, could you block this group for us for the next three days?’ No, it looks more like Telegram’s [automated] support just works like it does,” said Meduza’s Roskomsvoboda source, adding that he doesn’t believe rumors that Durov cooperates with Russia’s Federal Security Service.

Why the Russian authorities’ claim that a DDoS attack caused Wednesday’s disruptions is outlandish and doesn’t explain what actually happened

Meduza’s source at Roskomsvoboda says the only way a DDoS attack can cause widespread Internet outages in Russia is “if someone knows where the control panel for the state’s TSPU [Technical Means of Counteracting Threats] equipment is located.” (Russian telecom operators are required by law to install TSPU hardware, which is how the federal censor monitors, filters, and blocks Internet traffic.) “You could launch an attack on the TSPU, but then either everything would stop working, or the TSPU itself would go down. But in this case, there wouldn’t be selective blocks, where Telegram and WhatsApp are down, but Viber is not. That doesn’t happen,” Meduza’s source explained.

Cover photo: Michele Ursi / Shutterstock.com
