I went to a Russian website and all I got was this lousy teapot


Russian cyberwarfare attacks on Ukraine constantly make headlines. Although you don’t hear so much about Internet-based attacks to Russia, this cyberwar is not a one-sided affair. Important Russian military sites have been the target of distributed denial of service (DDoS) attacks, as have major Russian banks. Defenders of Russia’s internet infrastructure have taken steps to fend off these attacks, and one of those steps has resulted in some rather strange error messages. First, a little background.

What is a DDoS attack?

Denial of service is a simple concept and works both in real life and online. A schoolboy might prank the local deli by calling over and over again with bizarre requests. A smart salami slicer could block the caller’s number or simply ignore calls from that number. And a smart kid could continue the prank by asking friends to call, so the phone never stops ringing. This clever kid just invented the distributed denial of service attack.

In Internet terms, a denial of service attack is not much different. The attacker hammers a server with requests, usually using message types that require some processing by the server. The server’s logical response is to block the attacker’s IP address. One way to circumvent this defense is to install bot-like malware on thousands of unsuspecting computers. When the bot army is ready, the bot-herder releases these infected computers onto the target server, bombarding it with requests for data from a myriad of sources. This type of attack is much harder to block.

DDoS Arts Defense

The poor beleaguered deli owner might get some relief by setting the phone to ring only for known customers, even if that would put a damper on new business. New customers are not a problem for Russian internet users. They simply configure the servers to reject requests from outside Russia’s sphere of influence. This technique is sometimes called geofencing, not to be confused with geofencing parental control software that alerts parents when children wander.

Geofencing works. DDoS attacks against the prominent mil.ru website collide with it and simply fail. It is true that by using a VPN, attackers could give the impression of being in Russia, but this is not practical. First, Russia constantly tries to block technologies that evade censorship, such as the TOR network and VPNs. And most VPN companies do not dare to maintain servers in Russia. Second, attackers cannot install and configure a VPN client on all PCs infected by their bots.

Does the bear have a sense of humor?

Assuming Russia maintains its geofencing defenses, you can see them for yourself by trying to visit mil.ru. You will receive a warning that “This page is not working” with error code 418.

If you’ve spent a lot of time surfing the web, you’ve probably encountered quite a few errors. The 404 Not Found error is probably the most common, enough that it has spawned endless memes. 403 Forbidden is less common, but quite abundant. But who has heard of the 418 error?

Recommended by our editors

This error turns out to be a joke, an April Fool’s Day prank from 1998. Its full name is “Error 418 – I’m a teapot”. The error is part of the fictitious Hypertext Coffee Maker Control Protocol, and is supposed to be returned when an internet-connected teapot receives an HTCPCP request to brew coffee. The protocol specifies that “the resulting entity body ‘may be short and robust’. According to Mozilla Web Documentation“Some websites use this response for requests they don’t want to process.”

Who decided to use the 418 error instead of the more logical (and less fun) 403 Forbidden? We’ll probably never know, but I imagine a technician somewhere laughing over a good glass of чай с желе (tea with jelly). Anonymity is for the best – it is not entirely clear that the upper echelons of the Russian administration would approve. For now, it’s just a little bit of humor in a totally non-humorous situation.

Security Watch newsletter for our top privacy and security stories delivered right to your inbox.","first_published_at":"2021-09-30T21:22:09.000000Z","published_at":"2021-09-30T21:22:09.000000Z","last_published_at":"2021-09-30T21:22:03.000000Z","created_at":null,"updated_at":"2021-09-30T21:22:09.000000Z"})" x-show="showEmailSignUp()" class="rounded bg-gray-lightest text-center md:px-32 md:py-8 p-4 mt-8 container-xs">
Do you like what you read ?

Sign up for Security Watch newsletter for our top privacy and security stories delivered straight to your inbox.

This newsletter may contain advertisements, offers or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of use and Privacy Policy. You can unsubscribe from newsletters at any time.


Comments are closed.