LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

The Nuclear Network Option: Isolating Russia

UkraineAccording to Rolling Stone (paywall’d now), Ukraine has asked ICANN to disconnect Russia from the Internet.  This is not something ICANN is capable of doing.

The reporting by RS was not entirely clear, and it’s worth pointing out that Ukrainian leaders are literally in a life-or-death struggle so these are not suggestions that have gone through a careful and thoughtful review process during a symposium.  These ideas were voiced in desperation while bombs rain down, so some allowance for technical misunderstandings is understandable.

However, the core idea was to remove the .ru root domain, which will not isolate Russia from the Internet.  As discussed on LowEndTalk, removing .ru would simply mean that no one could get to .ru-hosted domains.  More likely, it means that no one outside Russia could get to them, as the Russians could hijack DNS requests inside their own country and provide their own .ru hosting.

Russians would still be able to get to whatever they can get to now, and while there undoubtedly would be some .ru businesses that would suffer, this is hardly a “nuclear option” regarding Russia and the Internet.

Isolating Russia from the Internet is possible – anything is possible given enough resources and will.  But it is is not practical.

To really do this, you’d have to stop peering all the Russian AS networks, or at least throttle them, which has never been tried and would require a ton of work.  There is not just one “Russian traffic on/off” switch but rather thousands or tens of thousands of Russian AS blocks that would have to be de-peered.  It would be whack-a-mole for a while because I’m sure some Russian AS blocks are outside of RIPE and they could play lots of games to squat on unused blocks and who knows what else.  We’re assuming that the many routers that would process this radical increase in filtering are up to the task.

Even if you had a perfect list and could implement it perfectly, it would be impossible to prevent some leakage through obliging friends (Belarus, perhaps China, etc.), especially given that you’re dealing with a very computer-savvy and capable nation (Russia).

You could got down to the physical layer and start unhooking and cutting cables, but there are many diverse methods of transit these days (satellites, etc.)  It’s not even clear that all the nations required to do this would participate, or how things would work – for example, what if the only path to a third world country passed through Russia?  Again, given unlimited time and resources these things could be changed but it’s not practical.

And of course, there is the larger question of whether this is good strategy or not.  First, even if you could do it, so what?  You’re not gaining new economic pressure.  If we were talking about America instead, for example, if this was a practical threat, then network isolation would be potent leverage given how much the American economy depends on the Internet.  The Russian economy does not to even remotely the same extent.  Russia would certainly maintain an internal network and would become a more extreme form of China from a network perspective, so the actual pain felt by the Putin regime would be minor.

Also, from a policy perspective you have to consider if you would be eliminating needed outside voices and the ability to bring information to the outside world.  Putin might love being isolated from the Internet because you would essentially be creating an echo chamber for Russian propaganda.  North Korea is not network-isolated but self-isolates, and I don’t think anyone argues it has benefitted its people or caused their leadership to reform their aggressive policies.

Again, in the heat of battle, many ideas are put on the table and this, like many other options, are worth talking through, but ultimately this crisis cannot be solved at the network layer.

raindog308

8 Comments

  1. ValdikSS:

    Please note that .ua domains of Russian companies, such as mail.ua and yandex.ua, does not resolve already.
    It seems that the domain information of these domains has been removed from the .ua zone authority servers, however whois still returns status: ok for the domains.

    $ dig ns mail.ua @in1.ns.ua.
    ;; QUESTION SECTION:
    ;mail.ua. IN NS

    ;; AUTHORITY SECTION:
    ua. 3535 IN SOA in1.ns.ua. domain-master.cctld.ua. 2022030124 3636 3600 3024000 3535

    March 2, 2022 @ 3:07 am | Reply
    • ValdikSS:

      Turns out jwhois has incorrect whois server, these domains are now on clientHold.

      March 2, 2022 @ 3:29 am | Reply
  2. ValdikSS:

    >More likely, it means that no one outside Russia could get to them, as the Russians could hijack DNS requests inside their own country and provide their own .ru hosting.

    Yes, that what was probably going to happen, using regular means though, not through hijacking.
    In Russia, there’s a mirror of .ru zone, additional authoritive NS, and a government-controlled DNS resolvers which could be used.

    March 2, 2022 @ 3:19 am | Reply
  3. sleepy joe:

    what s joke. can you disconnect usa as he bomed syria? got balls?

    March 3, 2022 @ 4:45 am | Reply
    • umggc:

      great idea. they bombed yugoslavia too

      March 8, 2022 @ 7:22 am | Reply
  4. ffffff:

    fuck ukraine

    March 7, 2022 @ 1:44 pm | Reply
  5. miu:

    Thank God, they have more sense in ICANN than the LEB staff, because they immediately rejected this demented proposal of Ukrainian idiots (who have a great deal of credit for this war).

    April 17, 2022 @ 10:31 am | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *