In recent months, the number of Russian servers that could be tracked from the outside using Shodan, Censys, and similar search engines that display both websites and devices and services available through open ports has decreased on the Web. This was noticed by Jan Kopriva, a well-known European security expert, who shared his observations on the Internet Storm Center platform.
Kopriva notes that for outside observers, "a significant part of the Russian Internet is now disappearing." Since "it is unlikely that a large number of servers of various types were suddenly removed from the Internet," he believes that the reason is most likely new network traffic filtering technologies that Russia has begun to use.
My theory was that this [decrease in the number of server types that the Shodan service showed in Russia to Kopriva since August] could have been caused by the introduction of new features in the Internet filtering technology that Russia uses to censor Internet traffic and block access to various external services, which began to interfere with Shodan's work. And although I still think this could be the case, judging by the data now, when the number of Russian servers has remained more or less stable for about 6 weeks, it seems that the reason for the decrease was at least partially different.
The decrease was recorded for almost all types of services and ports (that is, the number of available HTTP/S servers, SSH servers, DNS servers, etc. decreased significantly), and, apparently, there is some general filtering affecting Shodan, there was one port on which the decrease was much more significant than on any other. This port was TCP /7547.
The port that Kopriva is talking about is associated with the CWMP management protocol based on HTTP, which allows Internet providers to remotely manage and configure routers and other devices that provide customers with direct access to the Internet. It is used by many Internet providers around the world and is considered secure, although it has sometimes been used for cyberattacks.
Nevertheless, it seems that Russian Internet providers have either suddenly decided to stop using it, or — which is much more likely — decided to severely restrict access to the corresponding port. This is most noticeable in the IP address ranges that are part of AS12389, owned by the national Russian Internet provider Rostelecom.
Earlier it became known that Roskomnadzor will conduct exercises to "turn off the international Internet" in some regions of Russia in December this year. According to the agency, the exercises will not affect ordinary users of the Russian Internet.
Read materials on the topic:
Government agencies may be allowed to respond to letters only from Russian email addresses
The State Duma proposed to impose fines for repeated personal data leaks
The State Duma called for disconnecting important accounts from Google services
