Code lesson: Russia has increased control over users' IP addresses
Roskomnadzor fined 85 telecom operators for not providing data on subscribers' IP addresses, the agency told Izvestia. This information is needed to prevent DDoS attacks, they noted. But it also allows users to identify a working VPN and block it promptly, experts say. According to the law, the agency should be informed about the change of IP addresses during the day, and in special cases - within an hour. According to experts, the fulfillment of these requirements entails an increase in the costs of signallers.
What data are signallers required to provide to Roskomnadzor?
Operators who do not provide information about subscribers' IP addresses to the authorities have begun to face sanctions. As of May 21, Roskomnadzor had brought 85 telecom companies to justice, the supervisory authority told Izvestia. The service clarified that companies are required to provide information about IP addresses after receiving the appropriate notification. In March 2026, such notices were sent to 1,359 telecom operators.
—Informing operators is carried out as part of the implementation of Roskomnadzor's powers to monitor compliance with the requirements of the Law on Communications, which obliges operators to provide information about IP addresses to counter threats to the security of the Russian segment of the Internet and to counter computer attacks, including DDoS attacks," Roskomnadzor said.
In a situation where Russian companies and government organizations are regularly subjected to cyber attacks, monitoring of IP addresses is simply necessary, said Denis Kuskov, CEO of TelecomDaily. Knowing about their changes, experts can identify and localize the source of malicious traffic. This information is also important for countering spam, the expert added.
Rostelecom told Izvestia that they were aware of the mailing list and had carried out the necessary improvements on their network. The editors also sent requests to other major operators.
The procedure for providing such information is specified by the order of Roskomnadzor, issued in 2025. Companies must transmit IP addresses, data on the places where they are used with reference to the municipality, and the identifiers of the technical means of countering threats (TSPS) through which the traffic passes. Information about all changes should be transmitted within one day (and if there is a request from Roskomnadzor to certain specific addresses, within an hour).
In the latter case, operators must also transmit data about users to whom IP addresses are allocated for the simultaneous use of IPv4 and IPv6 protocols (they allow the use of extended 32-bit and 128-bit IP addresses), explained Yaroslav Shitsle, Head of It& Ip Dispute Resolution at Rustam Kurmaev & Partners. For such a category of connections, companies are required to transmit a structured record containing the IPv6 address, IPv4 address, type of operation (start/end/extension of the session), timestamp, TTL of the session, and TSPU numbers, he listed.
This data is necessary for effective traffic filtering and responding to DDoS attacks, in which attackers systematically use network address substitution, said Oleg Yablokov, an NTI expert on wireless communications. In addition, they allow you to determine whether a user has a VPN or not, a source close to one of the operators added.
IPv6 addressing is mainly supported by paid VPNs, Leonid Konik, a partner at ComNews Research, told Izvestia.
— The lock bypass program, which uses a dual stack configuration, makes it possible to connect over both IPv4 and IPv6. This ensures uninterrupted communication over both protocols," he explained.
According to Yaroslav Shitsle, failure to comply with the requirements of the order may fall under several types of administrative offenses at once, depending on the nature of the violation and the circumstances of the case. He specified that the fine for the first failure to provide information can reach 500 thousand rubles. For repeated violations, the sanctions are increased to 1 million.
— Additionally, Article 14.1 of Part 3 of the Administrative Code of the Russian Federation may apply — conducting business in violation of the license terms. Violation entails a warning or a fine for legal entities in the amount of up to 40 thousand rubles," the lawyer added.
What additional burden is placed on companies
The special equipment needed to promptly inform about changes in IP addresses is very expensive, Leonid Konik noted. Signalmen confirm the increase in costs associated with meeting the requirements of the supervisory authority. To fulfill them, it is necessary to hire additional staff, a source close to one of the telecom companies told Izvestia: in this case, we are talking about about 20 employees. A source close to another telecom company is also talking about the expansion of the staff. According to him, such a burden is becoming especially financially sensitive for small operators.
Meeting the requirements for transmitting IP address change data and the associated costs may affect tariffs, Leonid Konik believes. For subscribers with dynamic addressing, which is the vast majority of home and mobile users, changing IP addresses is a regular and regular event, Oleg Yablokov added.
— The address changes with each reconnection to the network, when the subscriber moves between cellular base stations, as well as during the planned management of the address space by the provider itself. According to industry research, from 25% to almost 60% of IP addresses regularly change key parameters, and this makes them unstable identifiers at the moment. A large federal operator can have hundreds of thousands of such events per day," he explained.
From a technical point of view, the requirements are feasible, but the operational and financial burden, especially for small and medium-sized providers, is significant, the expert added. For signalmen with millions of dynamic sessions, this actually means the need to implement fully automated online interaction systems. The involvement of specialized integrators and the purchase of server equipment for small regional providers is becoming a critical item of unplanned expenses, Oleg Yablokov pointed out.
— With tens of millions of users and regular dynamic changes in their external network addresses (even after turning off the Wi-Fi router overnight), operators will have to allocate a considerable staff of employees who will endlessly report to Roskomnadzor about changes in IP addresses. Many now probably lack information systems capable of tracking such changes in real time. This means that additional investments are needed in the development and implementation of such solutions," Leonid Konik believes.
Roskomnadzor requires providers to provide information not only about the subject of the federation, but also about a specific municipal district or city district where certain IP addresses are used. However, unlike geographically linked phone numbers, the IP addresses of telecom operators do not have such a link. According to him, the same network address can be used today, for example, in Novosibirsk, and the next day in Petrozavodsk. The expert believes that collecting such a large-scale and rapidly changing array of data can lead to additional costs for operators, as well as create a new potential vulnerability point. In the event of a leak of such a database, the consequences may be sensitive, he concluded.
Переведено сервисом «Яндекс Переводчик»