Decrease in Server Visibility Detected in Russia
Quick take - A monitoring script developed in August to track public IP address changes has detected a significant decrease in server visibility in Russia, particularly related to the CPE WAN Management Protocol, suggesting potential increased filtering of network traffic by ISPs, notably Rostelecom, and possibly reflecting broader governmental initiatives towards a “sovereign internet.”
Fast Facts
- A monitoring script was developed in August to track public IP address changes using Shodan data, alerting users to significant fluctuations.
- Alerts were triggered by a notable decrease in accessible servers in Russia, particularly affecting TCP port 7547, associated with the CWMP protocol.
- Analysis indicated a significant reduction in server visibility across various services, especially within Rostelecom’s IP address ranges.
- Experts suggest the decrease is due to increased filtering of network traffic by Russian ISPs rather than a removal of servers.
- This trend may reflect broader governmental initiatives, including efforts to establish a “sovereign internet” in Russia, impacting internet accessibility and regulation.
Monitoring Script Tracks Public IP Address Changes
In early August, a monitoring script was developed to track changes in the number of public IP addresses with various services enabled. The script utilizes data from the Shodan search engine and is designed to alert users to significant fluctuations.
Significant Fluctuations Detected
Fluctuations that trigger an alert include an increase of more than 10% in HTTPS servers within a week and a decrease of more than 20% in email servers over a month. Recently, the script began issuing alerts about a notable decrease in the number of accessible servers detected in Russia, prompting further investigation. The alerts persisted over several days and weeks, revealing a significant reduction in server visibility across various types of services within the country.
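The windowed threshold check described above can be sketched as follows. This is an added example, not the monitoring script's own code: the rule layout, function names and the host counts are constructed for illustration, and a real run would use per-service counts collected from Shodan.

```python
from datetime import date, timedelta

# Thresholds quoted in the article; rule names and layout are assumptions.
RULES = [
    {"name": "rise>10%/7d", "window_days": 7, "pct": 10, "direction": "up"},
    {"name": "drop>20%/30d", "window_days": 30, "pct": 20, "direction": "down"},
]

def baseline(series, day, window_days):
    """Newest sample taken at or before (day - window), or None if absent."""
    cutoff = day - timedelta(days=window_days)
    older = [d for d in series if d <= cutoff]
    return series[max(older)] if older else None

def check(series, rules=RULES):
    """series maps date -> host count; returns (date, rule, pct_change) alerts."""
    alerts = []
    for day in sorted(series):
        for rule in rules:
            base = baseline(series, day, rule["window_days"])
            if not base:  # no history yet, or zero baseline: % change undefined
                continue
            delta = series[day] - base
            sign = 1 if rule["direction"] == "up" else -1
            # Integer comparison avoids float noise exactly at the threshold.
            if sign * delta * 100 > rule["pct"] * base:
                alerts.append((day, rule["name"], round(delta / base * 100, 1)))
    return alerts

def sample_series():
    """Constructed data: 30 flat days, then a steady 3,000-host daily decline."""
    start = date(2024, 1, 1)
    return {start + timedelta(days=i): 100_000 - 3_000 * max(0, i - 29)
            for i in range(40)}

if __name__ == "__main__":
    for day, rule, change in check(sample_series()):
        print(f"{day} {rule}: {change:+.1f}%")
```

Because each day is compared against the sample from a full window earlier, a sustained decline keeps alerting on consecutive days, which matches the persistent alerts the article describes.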
Focus on TCP Port 7547
A particular focus was placed on a substantial drop in activity on TCP port 7547, which is associated with the CPE WAN Management Protocol (CWMP), also known as TR-069. CWMP is primarily used by Internet Service Providers (ISPs) for the remote management and provisioning of routers and other devices. Although CWMP has historically been scrutinized for vulnerabilities, it is generally viewed as secure.
The data suggests that Russian ISPs may have either ceased the use of CWMP or significantly restricted access to port 7547. The most pronounced changes were noted in the IP address ranges belonging to Rostelecom, a major ISP in Russia.
Implications of Decreased Server Visibility
Experts believe that the decrease in server visibility is likely attributable to increased filtering of network traffic rather than a sudden removal of servers from the network. This trend may also be reflective of broader governmental initiatives, particularly ongoing efforts by Russian authorities to establish a “sovereign internet.” This could have implications for internet accessibility and regulation within the country.