Another development in the long-running conflict between Ukraine and Russia occurred in May of this year when Ukrainian President Petro Poroshenko enacted a ban on Russia’s four most prominent internet companies in the name of national security. The ban included the two most widely used social media websites, VKontakte (often referred to as the “Russian Facebook”) and Odnoklassniki (“Classmates” in Russian), as well as email service provider Mail.ru and Russian search engine Yandex.
And now it appears that this ban has spilled out into the global routing table. On 27 July 2017, Ukrainian ISP UARNet (AS3255) began announcing several new BGP routes that were hijacks of the IP address space of these Russian internet companies. On this day, AS3255 briefly announced more-specific hijacks of each of these four Russian internet companies, including 22.214.171.124/24 (Mail.ru), 126.96.36.199/23 (Yandex), 188.8.131.52/24 (VKontakte) and 184.108.40.206/24 (Odnoklassniki). While most of these routes were short-lived, AS3255’s announcement of 220.127.116.11/21 (Odnoklassniki), a more-specific of 18.104.22.168/20 announced by AS47764 (Mail.ru), has continued and is still in circulation at the time of this writing (pictured below).
This development is reminiscent of an incident involving Iran in January, which we reported here. In that case, an Iranian company leaked BGP routes intended to blackhole traffic to pornographic websites, frustrating internet users around the world. For Ukraine, it is likely that UARNet was simply attempting to implement the ban handed down from the Poroshenko government in their BGP tables and the routes leaked out – and continue to leak for 22.214.171.124/21.
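A more-specific announcement like the one described above wins on longest-prefix match even while the legitimate covering route is still present, so it is worth flagging separately from a plain origin change. The following is an added example, not code from the original article or from Dyn: the ASNs 3255 and 47764 come from the text, while the prefixes, AS64500 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed baseline: prefix -> expected origin AS. Prefixes are taken from
# reserved test ranges and only stand in for real address space.
BASELINE = {
    "198.18.16.0/20": 47764,  # covering route from the legitimate origin
    "198.19.0.0/23": 64500,   # unrelated entry (documentation ASN)
}

# Constructed feed of observed announcements: (prefix, origin AS).
OBSERVED = [
    ("198.18.16.0/20", 47764),  # matches the baseline exactly
    ("198.18.16.0/21", 3255),   # more-specific from a different origin
    ("198.18.24.0/21", 47764),  # more-specific from the expected origin
    ("198.19.0.0/23", 3255),    # same prefix, different origin
    ("203.0.113.0/24", 3255),   # outside the monitored space
]


def classify(prefix, origin, baseline=BASELINE):
    """Compare one announcement against the longest covering baseline route."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for base_prefix, expected in baseline.items():
        base = ipaddress.ip_network(base_prefix, strict=True)
        # subnet_of() raises TypeError across IP versions, so check first.
        if base.version == net.version and net.subnet_of(base):
            covering.append((base, expected))
    if not covering:
        return "uncovered"
    base, expected = max(covering, key=lambda item: item[0].prefixlen)
    if origin == expected:
        return "ok"
    if net.prefixlen > base.prefixlen:
        # Preferred over the covering route by longest-prefix match.
        return "more-specific-origin-mismatch"
    return "origin-mismatch"


def scan(observed=OBSERVED, baseline=BASELINE):
    """Return only the announcements that need an operator's attention."""
    results = [(p, asn, classify(p, asn, baseline)) for p, asn in observed]
    return [r for r in results if r[2] not in ("ok", "uncovered")]


if __name__ == "__main__":
    for prefix, asn, verdict in scan():
        print(f"{prefix} origin AS{asn}: {verdict}")
```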
Additionally, we observed a significant drop in Ukrainian peering for some of these Russian internet companies early on May 20th – very likely another outcome of President Poroshenko’s ban. (Although last fall, Mail.Ru announced it would stop delivering traffic to Ukrainian internet exchange points citing cost.) Regardless of the underlying reason, below is a visualization depicting the performance impact of switching from peering to transit for one of our measurement servers in Ukraine.
As we have reported in the past, the internet in Ukraine continues to be shaped by events on the ground. In January, gunmen seized the branch office of Ukrainian ISP Vega in Donetsk in eastern Ukraine (or the Donetsk People’s Republic, depending on who you ask).
This event was observable on the internet as the BGP routes for Vega service in Donetsk went dark at 09:26:42 UTC (12:26:42 local) on 23 January 2017 for 30 prefixes originated by AS6703 (Vega) including the following:
More recently in Crimea, ISPs have reportedly stopped using connectivity across the land bridge to mainland Ukraine. Despite the construction of a submarine cable to mainland Russia across the Kerch Strait in 2014, ISPs on the disputed peninsula continued to make use of connectivity across the land bridge to mainland Ukraine. However, according to recent reports, the Ukrainian security services shut off this fiber optic cable, pushing everything through Russian providers Rostelecom and its Crimean agent Miranda-Media, as depicted below in our measurements to Crimean ISP CRELCOM.
These days, nearly every major geopolitical development has an internet component to it, whether it be a shutdown or an activation. The internet doesn’t exist inside a vacuum and, whether it be in Cuba, Syria, or Ukraine, it is ultimately shaped by the events around it. However, in instances like that of UARNet above (or Iran or China), when a leak occurs, what was intended to be a domestic measure can be sent abroad in unexpected ways. The internet truly is the global commons.
About the Author
Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a special interest in submarine cables.