In this article, Doug Madory uncovers the little-known “Russification” of Ukrainian IP addresses — a phenomenon that complicates the task of internet measurement and impacts Ukrainians connecting to the internet using IP addresses suddenly considered Russian.
Last summer we teamed up with the New York Times to analyze the re-routing of internet service to Kherson, a region in southern Ukraine that was, at the time, under Russian occupation. In my accompanying blog post, I described how that development mirrored what took place following Russia’s annexation of Crimea in 2014.
Along with the Russian-held parts of eastern Ukraine, these regions have experienced a type of Russification, an assimilation where the Ukrainian residents of these regions have been forced to adopt all things Russian: language, currency, telephone numbers, and, of course, internet service.
Using a novel utility made available by RIPE NCC, we have identified dozens of changes to registrations, revealing another target of this Russification effort: the geolocation of Ukrainian IP addresses.
Russifying occupied Donbas
Internet service in the Russian-held parts of eastern Ukraine has primarily been going through Russian transit providers for many years, but there appears to have been a concerted effort in the past year to make internet resources in Russian-occupied Donetsk and Luhansk appear to the world as if they were, in fact, Russian.
Using RIPE NCC’s historical query functionality, we can see for ourselves how, in recent months, the registrations of IP ranges located in these contested parts of Ukraine had their geolocation fields changed from Ukraine to Russia.
Take, for example, the IP address range 188.8.131.52/18. This prefix has been continuously announced out of Donetsk, Ukraine, for many years and has the following versions of RIPE registrations:
$ whois --list-versions 184.108.40.206 - 220.127.116.11
% Version history for INETNUM object "18.104.22.168 - 22.214.171.124"
% You can use "--show-version rev#" to get an exact version of the object.

rev#  Date                  Op.
1     2010-11-18T10:59:18Z  ADD/UPD
2     2014-07-11T13:12:56Z  ADD/UPD
3     2014-07-16T16:53:24Z  ADD/UPD
4     2014-07-16T17:24:45Z  ADD/UPD
5     2015-03-04T16:47:14Z  ADD/UPD
6     2015-05-05T01:39:50Z  ADD/UPD
7     2016-04-12T09:42:35Z  ADD/UPD
8     2016-04-14T10:43:56Z  ADD/UPD
9     2016-06-02T10:21:40Z  ADD/UPD
10    2022-07-21T12:58:43Z  ADD/UPD
This registration was most recently modified last July, five months after Russia invaded Ukraine. With the command below, we can do a “diff” on versions 9 and 10 to see exactly what was changed last summer:
$ whois --diff-versions 9:10 126.96.36.199 - 188.8.131.52
% Difference between version 9 and 10 of object "184.108.40.206 - 220.127.116.11"
@@ -2,3 +2,3 @@
 netname: ISP-EAST-NET
-country: UA
+country: RU
 org: ORG-EL88-RIPE
@@ -10,3 +10,3 @@
 created: 2010-11-18T10:59:18Z
-last-modified: 2016-04-14T10:43:56Z
+last-modified: 2022-07-21T12:58:43Z
 source: RIPE
The highlighted portion reveals that this registration had its country field changed from UA (Ukraine) to RU (Russia) last July, but it wasn’t the only one. In fact, dozens of registrations for IP address ranges originated by networks in Donetsk and Luhansk changed their countries from Ukraine to Russia in the past year.
For another example, take 18.104.22.168/20, which is originated by Online Technologies LTD (AS45025) in the Donetsk region. A change, highlighted below, on July 18th last year updated the country field from Ukraine to Russia.
$ whois --diff-versions 3:4 22.214.171.124 - 126.96.36.199
% Difference between version 3 and 4 of object "188.8.131.52 - 184.108.40.206"
@@ -3,3 +3,3 @@
 descr: Online Technologies LTD
-country: UA
+country: RU
 geoloc: 48.045955739960114 37.96531677246094
@@ -10,3 +10,3 @@
 created: 2012-01-05T13:39:09Z
-last-modified: 2018-12-10T12:06:53Z
+last-modified: 2022-07-18T12:09:23Z
 source: RIPE
In case there was any doubt about where this network is purportedly located, this registration entry helpfully contains lat/long coordinates which point to an address in Makiivka, just to the east of the city of Donetsk and the site of a deadly missile strike on New Year’s Eve.
Similar changes have been taking place in Russian-held Luhansk (also spelled Lugansk). 220.127.116.11/20 is originated by AS197129 in the Russian-held part of the region and also changed its country field from Ukraine to Russia on July 18, 2022.
$ whois --diff-versions 11:12 18.104.22.168 - 22.214.171.124
% Difference between version 11 and 12 of object "126.96.36.199 - 188.8.131.52"
@@ -2,3 +2,3 @@
 netname: VRLINE-NET
-country: UA
+country: RU
 org: ORG-KOPI1-RIPE
@@ -10,3 +10,3 @@
 created: 2010-06-18T06:52:49Z
-last-modified: 2016-04-14T10:29:32Z
+last-modified: 2022-07-18T09:13:53Z
 source: RIPE
Not all country changes occurred in July last year. The prefixes originated by Luganet (AS39728) changed their country codes from Ukraine to Russia in September, just before their controversial referendum for independence. The registration diff for AS39728’s 184.108.40.206/22 is shown below:
$ whois --diff-versions 3:4 220.127.116.11 - 18.104.22.168
% Difference between version 3 and 4 of object "22.214.171.124 - 126.96.36.199"
@@ -2,3 +2,3 @@
 netname: RU-OMEGA-20181128
-country: UA
+country: RU
 geoloc: 48.5335 -39.2783
@@ -9,3 +9,3 @@
 created: 2018-11-28T10:49:57Z
-last-modified: 2019-11-25T13:11:22Z
+last-modified: 2022-09-07T13:45:55Z
 source: RIPE
And finally consider 188.8.131.52/24, originated by Optima-East (AS48882) in Krasnodon in the Luhansk region along the Russian border. Its registration record changed from Ukraine to Russia on November 2, 2022.
$ whois --diff-versions 12:13 184.108.40.206 - 220.127.116.11
% Difference between version 12 and 13 of object "18.104.22.168 - 22.214.171.124"
@@ -2,3 +2,3 @@
 netname: NET-IPCOM
-country: UA
+country: RU
 org: ORG-JCI3-RIPE
@@ -10,3 +10,3 @@
 created: 2009-02-17T13:32:28Z
-last-modified: 2016-04-14T10:42:15Z
+last-modified: 2022-11-02T07:40:20Z
 source: RIPE
Russification of Crimea
It is important to note that the Russification of Ukrainian RIPE registrations didn’t start in the past year. In fact, the RIPE NCC historical query allows us to also identify registration changes taking place in Crimea following the Russian annexation in March 2014.
The country field of 126.96.36.199/24, originated by CrimeaCom (AS28761), was changed on December 12, 2014, from Ukraine to Russia.
$ whois --diff-versions 8:9 188.8.131.52 - 184.108.40.206
% Difference between version 8 and 9 of object "220.127.116.11 - 18.104.22.168"
@@ -1,5 +1,5 @@
 inetnum: 22.214.171.124 - 126.96.36.199
-netname: SINET-NET
-descr: CrimeaCom LLC
-country: UA
+netname: CrimeaCom-Network
+descr: CrimeaCom South LLC
+country: RU
 org: ORG-CL205-RIPE
In fact, one Crimean provider wasted no time in changing the country field of its IP addresses. Based in Sevastopol, Lancom’s IP registrations were changed from Ukraine to Russia on March 18th, 2014, the exact same day Russia signed the Treaty of Accession of the Republic of Crimea to Russia.
$ whois --diff-versions 1:2 188.8.131.52 - 184.108.40.206
% Difference between version 1 and 2 of object "220.127.116.11 - 18.104.22.168"
@@ -3,3 +3,3 @@
 descr: Lancom Ltd.
-country: ua
+country: ru
 org: ORG-LL42-RIPE
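The comparisons above can be automated when tracking many prefixes. The following Python sketch is an added example, not code from the original article or from RIPE NCC: it parses the text printed by whois --diff-versions and reports whether the registered country changed, comparing codes case-insensitively because the Lancom record uses lowercase ua/ru. The function names and the 192.0.2.0/24 sample are constructed for illustration.

```python
import re
HEADER = re.compile(r'% Difference between version (\d+) and (\d+) of object "([^"]+)"')
ATTR = re.compile(r"^([+-])([a-z0-9-]+):\s*(.*?)\s*$")

def parse_diff(text):
    """Parse `whois --diff-versions` output into removed/added values per attribute."""
    out = {"object": None, "versions": None, "removed": {}, "added": {}}
    for line in text.splitlines():
        head = HEADER.search(line)
        if head:
            out["versions"] = (int(head.group(1)), int(head.group(2)))
            out["object"] = head.group(3)
            continue
        attr = ATTR.match(line)  # context lines start with a space and are skipped
        if attr:
            side = "removed" if attr.group(1) == "-" else "added"
            out[side].setdefault(attr.group(2), []).append(attr.group(3))
    return out

def country_flip(parsed):
    """Return (old, new) upper-cased code lists if the country changed, else None."""
    # Upper-casing first means a case-only edit (ua -> UA) is not reported as a flip.
    old = sorted({c.upper() for c in parsed["removed"].get("country", [])})
    new = sorted({c.upper() for c in parsed["added"].get("country", [])})
    return (old, new) if old != new else None

# Output quoted on this page for the Donetsk range (version 9 -> 10).
DIFF_DONETSK = '''% Difference between version 9 and 10 of object "184.108.40.206 - 220.127.116.11"
@@ -2,3 +2,3 @@
 netname: ISP-EAST-NET
-country: UA
+country: RU
 org: ORG-EL88-RIPE
@@ -10,3 +10,3 @@
 created: 2010-11-18T10:59:18Z
-last-modified: 2016-04-14T10:43:56Z
+last-modified: 2022-07-21T12:58:43Z
 source: RIPE
'''

# Constructed sample on a documentation range: only the letter case changes.
DIFF_CASE_ONLY = '''% Difference between version 1 and 2 of object "192.0.2.0 - 192.0.2.255"
@@ -3,1 +3,1 @@
-country: ua
+country: UA
'''
if __name__ == "__main__":
    for diff in (DIFF_DONETSK, DIFF_CASE_ONLY):
        p = parse_diff(diff)
        print(p["object"], p["versions"], country_flip(p), p["added"].get("last-modified"))
```

The last-modified value in the added side dates the change, which is how the July, September and November 2022 edits above were placed in time.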
So what’s the upshot of all of this?
Registrations give internet resource owners the ability to communicate to the internet their intentions of how (or, more appropriately in this case, where) the resource (i.e., an IP address range) will be used.
There is no requirement that the resource is actually used in the location listed in its registration — there are plenty of misgeolocations out there that demonstrate that. But there are some practical implications of changing all of these IP address ranges to being registered in Russia.
Geolocation service providers take most geolocation information found in registration data at face value. With very few exceptions, changing the registered country of an IP address will cause these services to change the geolocation they report to their customers. Below is the reported geolocation for the first IP range mentioned at the top of the blog post:
Take Crimea, for example, which has been under Russian control since 2014. Today you can find Crimean providers announcing IP ranges registered as Ukrainian and others announcing ranges registered as Russian. Pick your favorite geolocation service provider, and you will see an impossible mix of country-level geo for things in a region that can only be in a single country. One is left to maintain personal lists of prefixes and ASNs belonging to networks that are known to operate in these regions.
Aside from complicating the task of internet measurement, perhaps the biggest practical impact is on the Ukrainians who have to connect to the internet using IP addresses that are suddenly considered to be Russian. These users may encounter problems accessing services that have been blocked to Russian IP addresses, requiring them to use a VPN or other means to sidestep geoblocking.
While these changes are perhaps intended to be symbolic, they can have subtle and unintended consequences on connectivity. The Russian government wants the world to believe these internet service providers are operating on Russian soil. Changing the registrations of these IP ranges to reflect that worldview is part of a wider effort of the Russification of captured Ukrainian territories.