Roskomnadzor expands blocking of block bypass

For the first time, the updated list of blocking VPN services by Roskomnadzor included the Shadowsocks protocol, created in China to bypass blocking. The agency intends to block it using technical threat countermeasures (TCTM) on cross-border connections. The protocol is most often used by citizens for private VPNs and white hat hackers in the field of cybersecurity. Moreover, it disguises its traffic as other resources, and blocking can disrupt the operation of a significant number of legal services.

Kommersant has read the letter from the Ministry of Transport to 381 organizations in the transport industry dated November 10. It follows from it that Roskomnadzor can block VPN services through centralized management of the public network (using TSPU, which are installed on the networks of telecom operators according to the law “On Sovereign RuNet”), and to ensure the operation of information systems that can use VPN for secure connections and remote access, you must provide information about the services and protocols used by November 15. The Telegram channel “ZaTelecom” was the first to draw attention to the document. Roskomnadzor declined to comment. The Ministry of Transport did not answer Kommersant.

As follows from the document, it is planned to block 49 types of services and protocols. Among them, in particular, Shadowsocks (an open-source data encryption protocol created in China to bypass the blocking systems of local Internet providers). It is supposed to be blocked at cross-border communication centers. Also on the list is ItHelper, a Russian developer called “Soft Program”, a service for speeding up the operation of devices with built-in VPN. A subscription to it is sold at M.Video-Eldorado. M.Video-Eldorado and Soft Program did not provide comments.

To avoid problems with blocking of corporate networks using VPN, Roskomnadzor requests information from various industries about what services they use, “so-called white lists are created,” explains Kommersant’s interlocutor in the market. Massive problems with the operation of VPN services in the Russian Federation began at the end of May and beginning of June 2022. Then Roskomnadzor began experimenting with blocking specific protocols (see Kommersant, June 2, 2022). In August, users also reported problems with VPN services running using the OpenVPN and WireGuard and Terona protocols (see Kommersant on August 7). The department did not comment on this.

At first, Roskomnadzor blocked VPNs by IP addresses, but they can change, and the register has to be regularly updated, Kommersant’s interlocutor says. Therefore, the department is now blocking the protocols themselves, on the basis of which various VPN services are developed.

“OpenVPN and WireGuard are quite common protocols, they are often used to build secure company connections. They differ from Shadowsocks in that they do not mask traffic during a connection (obfuscation technology – masking VPN traffic as traffic from popular sites or applications, making it difficult to detect and blocking), since they were not originally created to bypass censorship and blocking,” explains Kommersant’s source. Therefore, he clarifies, they, unlike Shadowsocks, are easier to block using TSPU means.

According to Kommersant’s interlocutor, Shadowsocks are most often used by private individuals to bypass blocking. It is also used in cybersecurity by pentesters (white hat hackers who check company networks for security), he explains. But there are also broader risks. “Blocking Shadowsocks through traffic analysis will be very difficult due to obsfuscation – there is a high risk of affecting other, completely legal services,” another Kommersant source clarifies. That is why, he believes, Roskomnadzor is only testing this type of blocking.

According to the head of the Association of Small Telecom Operators (which unites 100 providers), Dmitry Galushko, mass blocking of VPNs that use the obfuscation function “inevitably risks the unavailability of a number of legal services, and can also create a load on operator networks.” In addition, adds DBA and Partners lawyer Ekaterina Abashina, blockings through TSPU “are not publicly recorded and notifications are not provided for owners of online services.”

Yulia Tishina