How blocking access to pages that distribute prohibited content works (now the RKN also checks search engines)

Before proceeding to the description of the system that is responsible for filtering access by telecom operators, we note that now Roskomnadzor will also control the work of search engines.

At the beginning of the year, a control procedure and a list of measures were approved to ensure that search engine operators comply with the requirements to stop issuing information about Internet resources, access to which is restricted on the territory of the Russian Federation.

The corresponding Roskomnadzor order, No. 229 dated November 7, 2017, is registered with the Ministry of Justice of Russia.

The Order was adopted as part of the implementation of the provisions of Article 15.8 of Federal Law No. 149-FZ dated July 27, 2006 “On Information, Information Technologies and Information Protection”, which defines obligations for owners of VPN services, "anonymizers" and operators of search engines to restrict access to information, the distribution of which is prohibited in Russia.

Control measures are carried out at the location of the control body without interaction with search engine operators.

An information system is understood as the FSIS of information resources of information and telecommunication networks, access to which is limited.

Based on the results of the event, an act is drawn up, which indicates, in particular, information about the software used to establish these facts, as well as information confirming that a specific page (pages) of the site at the time of control was in the information system for more than a day.

The act is sent to the search engine operator through the information system. In case of disagreement with the act, the operator has the right to submit objections to Roskomnadzor within three working days, which considers objections also within three working days. Based on the results of consideration of the operator's objections, the head of the control body or his deputy decides to initiate a case on an administrative offense.

How is the access filtering system for telecom operators now arranged?

There are a number of laws in Russia that oblige telecom operators to filter access to pages that distribute prohibited content:

  • Federal Law 126 "On Communications", an amendment to Art. 46 - on the obligation of the operator to restrict access to information (FSEM).
  • "Unified Register" - Decree of the Government of the Russian Federation of October 26, 2012 N 1101 “On the unified automated information system "Unified register of domain names, page indexes of sites in the information and telecommunications network Internet, and network addresses that allow identifying sites in the information and telecommunications network Internet containing information, the dissemination of which is prohibited in the Russian Federation"”.
  • Federal Law 436 “On the protection of children…”, categorization of available information.
  • Federal Law No. 3 "On the Police", Article 13, paragraph 12 - on the elimination of causes and conditions that contribute to the implementation of threats to the safety of citizens and public safety.
  • Federal Law No. 187 “On Amendments to Certain Legislative Acts of the Russian Federation on the Protection of Intellectual Rights in Information and Telecommunication Networks” (“anti-piracy law”).
  • Implementation of decisions of the courts and orders of the prosecutor's office.
  • Federal Law No. 139-FZ of July 28, 2012 “On Amendments to the Federal Law “On the Protection of Children from Information Harmful to Their Health and Development” and Certain Legislative Acts of the Russian Federation”.
  • Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Information Protection".

Blocking requests from Roskomnadzor carry an updated list of requirements for the provider. Each entry in such a request contains:

  • the type of registry under which the restriction is made;
  • the moment of time from which there is a need to restrict access;
  • type of response urgency (normal urgency - within XNUMX hours, high urgency - immediate response);
  • type of registry entry blocking (by URL or by domain name);
  • hash code of the registry entry (changes with any change in the contents of the entry);
  • details of the decision on the need to restrict access;
  • one or more indexes of pages of sites, access to which should be limited (optional);
  • one or more domain names (optional);
  • one or more network addresses (optional);
  • one or more ip subnets (optional).

To effectively communicate information to operators, the Information System for Interaction between Roskomnadzor and Telecom Operators was created. It is located along with regulations, instructions and memos for operators on a specialized portal:

vigruzki.rkn.gov.ru

For its part, to check telecom operators, Roskomnadzor began to issue the AS "Auditor" client. Below is a little about the functionality of the agent.

Algorithm for checking the availability of each URL by the Agent. When checking, the Agent must:

  • determine the IP addresses to which the network name of the checked site (domain) is resolved or use IP addresses provided in the download;
  • for each IP address received from DNS servers, make an HTTP request for the URL to be checked. In case of receiving an HTTP redirect from the checked site, the Agent must check the URL to which the redirect is being made. At least 5 consecutive HTTP redirects are supported;
  • if it is impossible to make an HTTP request (no TCP connection is established), the Agent must conclude that the entire IP address is blocked;
  • in case of a successful HTTP request, the Agent must check the received response of the checked site by the HTTP response code, by HTTP headers, and by HTTP content (the first received data, up to 10 kb in size). If the response received matches the stub page templates created in the CC, it should be concluded that the checked URL is blocked;
  • when checking the URL, the Agent must check the establishment of an encrypted connection and mark the resource;
  • if the data received by the Agent does not match the templates of stub pages or trusted redirect pages informing about the blocking of the resource, the Agent must conclude that there is no blocking of the URL on the carrier's DTN. In this case, information about the data (HTTP response) received by the Agent is recorded in a report (check log file). The system administrator has the ability to generate a template for a new stub page from this entry in order to prevent subsequent false conclusions about the lack of blocking.
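The decision logic of the steps above, as an added example (not code from the original article or from AS "Auditor"). The stub-template shape, the verdict names and the `fetch` callback are assumptions; the sample network is constructed so the block runs offline, and the encrypted-connection marking step is left out.

```python
import re
from collections import namedtuple

MAX_REDIRECTS = 5        # page: at least 5 consecutive redirects are followed
BODY_LIMIT = 10 * 1024   # page: only the first 10 kb of content is compared
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed minimal models; the stub-template shape is hypothetical.
Response = namedtuple("Response", "status headers body")
StubTemplate = namedtuple("StubTemplate", "status location_re body_re")

def matches(t, r):
    """True if response r fits stub template t (an empty pattern matches anything)."""
    return (r.status == t.status
            and re.search(t.location_re, r.headers.get("Location", "")) is not None
            and re.search(t.body_re.encode(), r.body[:BODY_LIMIT]) is not None)

def check_url(url, ips, fetch, templates, log):
    """Return {ip: verdict}. fetch(ip, url) gives a Response, or None if TCP fails."""
    verdicts = {}
    for ip in ips:
        hop_ip, hop_url, verdict = ip, url, "redirect_limit"
        for _ in range(MAX_REDIRECTS + 1):
            resp = fetch(hop_ip, hop_url)
            if resp is None:       # no TCP connection: on the first hop, the IP is blocked
                verdict = "ip_blocked" if hop_ip == ip else "redirect_unreachable"
            elif any(matches(t, resp) for t in templates):
                verdict = "url_blocked"            # known stub page or blocking redirect
            elif resp.status in REDIRECTS and "Location" in resp.headers:
                hop_ip, hop_url = None, resp.headers["Location"]  # transport resolves new host
                continue
            else:
                verdict = "not_blocked"            # unknown answer: keep it for template review
                log.append((ip, hop_url, resp.status, resp.body[:BODY_LIMIT]))
            break
        verdicts[ip] = verdict
    return verdicts

# Constructed sample network: TEST-NET addresses and example domains only.
NET = {
    ("192.0.2.10", "http://site.example/p"): Response(302, {"Location": "http://stub.isp.example/"}, b""),
    ("192.0.2.11", "http://site.example/p"): Response(301, {"Location": "http://site.example/q"}, b""),
    (None, "http://site.example/q"): Response(200, {}, b"<h1>real page</h1>"),
}

def fake_fetch(ip, url):
    return NET.get((ip, url))      # 192.0.2.12 has no entry: simulates a dropped connection

TEMPLATES = [StubTemplate(302, r"^http://stub\.isp\.example/", "")]
```

The entries appended to `log` correspond to the check log from which, per the last step, an administrator can build a new stub-page template.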

List of what the Agent must provide

  • communication with the CC for a complete list of URLs and blocking modes that need to be tested;
  • communication with the control center to obtain data on the test modes. Supported modes: full one-time check, full periodic check with a specified interval, selective one-time with a user-defined list of URLs, periodic check with a given interval of a list of URLs (of a certain type of EP records);
  • continuing to perform the specified verification procedures against the existing URL list, if it is impossible to obtain a list of URLs from the CC, and storing the obtained results of the checks with subsequent transmission to the CC;
  • full execution of the specified verification procedures according to the available URL lists, if it is impossible to obtain information about the verification modes from the CC, and store the obtained verification results with subsequent transmission to the CC;
  • verification of blocking results in accordance with the established regime;
  • sending a report on the performed check to the CC (check log file);
  • the ability to check the operability of the SPD of the telecom operator, i.e. checking the availability of a list of known sites;
  • the ability to check blocking results using a proxy server;
  • the possibility of remote software updates;
  • the ability to perform diagnostic procedures on the STN (response time, packet path, speed of downloading files from an external resource, determining IP addresses for domain names, the speed of receiving information in the reverse link in wired access networks, packet loss ratio, average packet transmission delay);
  • check performance of at least 10 URLs per second, provided that the bandwidth of the communication channel is sufficient;
  • the ability of the agent to repeatedly access the resource (up to 20 times), with a variable frequency from 1 time per second to 1 time per minute;
  • the ability to create a random order of list entries transmitted for testing and setting a priority for a specific page of the site on the Internet.

In general, the structure looks like this:

Software and hardware-software solutions for Internet traffic filtering (DPI solutions) allow operators to block user traffic to sites from the RKN list. Whether the sites are actually blocked is checked by the AS Auditor client, which automatically checks the availability of each site on the list from the RKN.

An example monitoring protocol is available here.

Last year, Roskomnadzor began testing blocking solutions that an operator can use to implement this scheme. Here is a quote from the results of such testing:

“The specialized software solutions UBIC, EcoFilter, SKAT DPI, Tiksen-Blocking, SkyDNS Zapret ISP and Carbon Reductor DPI received positive conclusions from Roskomnadzor.

Also, a conclusion from Roskomnadzor was received, confirming the possibility of using ZapretService software by telecom operators as a means of restricting access to prohibited resources on the Internet. The test results showed that when it is installed according to the manufacturer's recommended “in-break” connection scheme and the telecom operator's network is correctly configured, the number of detected violations according to the Unified Register of Prohibited Information does not exceed 0.02%.

Thus, telecom operators are given the opportunity to choose the most suitable solution for them to restrict access to prohibited resources, including from the list of software products that have received a positive opinion from Roskomnadzor.

However, during testing of the Ideco Selecta ISP software product, due to the lengthy deployment and configuration procedure, some operators were unable to start testing on time. For more than half of the telecom operators participating in the testing, the period of test operation of Ideco Selecta ISP did not exceed a week. Given the small amount of statistical data received and the small number of test participants, Roskomnadzor in an official opinion pointed out the impossibility of obtaining unambiguous conclusions about the effectiveness of the Ideco Selecta ISP product as a means of restricting access to prohibited resources on the Internet.

I will add that up to 27 telecom operators with a different number of subscribers from different federal districts of the Russian Federation took part in testing each software product.

The official conclusions on the test results can be found here. There is practically zero technical information in these conclusions. You can read about the Ideco Selecta ISP product to know how not to do it.

This year, testing will continue. At the moment, judging by the news from Roskomnadzor, one product has already been taken for testing and 2 more are expected in the near future.

What if the blocking happened by mistake?

In conclusion, I would like to recall that Roskomnadzor is “not mistaken”, which is confirmed by the Constitutional Court.

The resolution, which actually removes responsibility from Roskomnadzor for the erroneous blocking of sites, was adopted as part of the consideration of a complaint to the Constitutional Court by the director of the Association of Internet Publishers Vladimir Kharitonov. It said that in December 2012, Roskomnadzor mistakenly blocked his online library digital-books.ru. As Mr. Kharitonov explained, his resource was located on the same IP address as the rastamantales(.)ru portal (now rastamantales(.)com), which was the initial object of blocking. Vladimir Kharitonov tried to challenge the decision of Roskomnadzor in court, but in June 2013 the Tagansky District Court recognized the blocking as legal, and in September 2013 the Moscow City Court upheld this decision.

From there:

Roskomnadzor told Kommersant that they were satisfied with the decision of the Constitutional Court. “The Constitutional Court confirmed that Roskomnadzor is complying with the law. If the operator does not have the technical ability to restrict access to a separate page of the site, and not to its network address, then this is the responsibility of the operator,” a spokesman for the agency told Kommersant.

This question is also relevant for cloud providers and hosting companies, as similar incidents have happened to them as well. In June 2016, the Amazon S3 cloud service was blocked in Russia, although only the page of the 888poker poker room located on its platform was entered into the register at the request of the Federal Tax Service. The blocking of the entire resource was due precisely to the fact that Amazon S3 uses the secure https protocol, which does not allow blocking individual pages. Only after Amazon itself removed the page, which had claims from the Russian authorities, the resource was removed from the register.

Source: habr.com