DDoS or Russian Firewall?

Author: -

By Ameet Naik, Technical Marketing Manager, ThousandEyes

Last month Russia announced plans to build an isolation switch for the internet. Today we learned that the proposed law passed a key second reading in parliament and is on its way to becoming the law of the land by November 1, 2019.

What does this mean for companies doing business in Russia?

This law – which sets to ensure the independence of Russian internet (Runet) by disconnecting from the global internet – creates a framework whereby ISPs will be required to funnel all internet traffic in and out of the country through well-known choke points (internet exchanges).

This would make it easier for the authorities to expand internet censorship, and isolate the nation from the global internet under times of conflict. However, this would also force internet traffic through suboptimal paths, and through performance-limiting filtering gateways. This would most likely degrade the user experience for Russian users browsing sites and apps outside the country, and provide an advantage to services hosted within the country, as we’ve seen happen in China.

Yandex is the Russian version of Google — a large technology conglomerate with a popular search engine at its core. Over the past few weeks, Yandex has been the target of many high-profile DDoS attacks that were designed to cripple the internet filtering infrastructure already in place. Over the past week, we have noticed interesting packet loss events affecting Yandex.ru. The first one happened on April 2 at approximately 10pm PT.

Figure one: Packet loss at Yandex’s peering point at an Internet exchange in Amsterdam affecting reachability from Sweden and France.

This packet loss continued intermittently over the next several hours and then stabilised. The next day, on April 3 at about 5pm PT, we noticed another packet loss event. This event was very short-lived but much more severe than the previous event.

Figure two: Packet loss at Yandex’s peering point in Frankfurt, Germany affecting reachability from Poland, Israel and Korea.

Figure three: Packet loss from multiple vantage points around the globe attempting to reach yandex.ru.

These incidents have the signature of one of two things. They were either a massive DDoS attack targeted at yandex.ru from around the globe, or they were a test of a new filtering infrastructure designed to create well-defined choke points into Yandex’s network, in preparation for the new regulations.

What’s also interesting here is that Russian technology companies have investments in internet exchange points outside of Russia. What will happen to these investments after the new regulations come into effect is unclear.

Figure four: Russian ISPs aren’t just in Russia.

What is clear is that Russia seems firmly committed to the path of internet sovereignty. This is likely to create a challenging operating environment for global technology companies in the near term.