[AusNOG] Confirmation of govt blackholing. Was: Re: Understanding lack of Aus connectivity to melbournefreeuniversity.org.

Danny O'Brien danny at spesh.com
Wed May 15 22:33:28 EST 2013


A quick final update to this mystery from last month.

The office of the Communications Minister confirmed last night that this IP
was blackholed (by AAPT and perhaps others) after the Australian Securities
and Investment Commission sent a notice under Section 313 for "an IP
address that was linked to a fraud website".

"Melbourne Free University’s website was hosted at the same IP address as
the fraud website, and was unintentionally blocked. Once ASIC were made
aware of what had happened, they lifted the original blocking request."

(See
http://delimiter.com.au/2013/05/15/interpol-filter-scope-creep-asic-ordering-unilateral-website-blocks/
for more details)

I'll try and keep this note as operational as I can: ISPs should be aware
that more than one government regulator is now claiming to have the legal
ability to demand Australian ISPs block upstream IPs. There's no defined
limit under 313 on who might place these requests.

ISPs obeying these notices also appear to believe that they cannot report
on these blocks (even when the regulator in question puts out its own press
releases declaring their intentions:
http://www.asic.gov.au/asic/asic.nsf/byheadline/13-061MR+ASIC+warns+consumers+about+Global+Capital+Wealth?openDocument ).

I don't currently see any judicial oversight of this system, transparency,
or possibility of redress either for ISPs or for their customers. The only
reason ASIC were "made aware" that they were blocking innocent Australians
was because MFU reached out to numerous groups to find out what was going
on, and were refused details by both ISPs and government. The only reason
Conroy's office made a statement now, it appears, is because Renai Lemay
and others essentially forced the issue.

And unlike the recent vigorous discussions over the ACMA blacklist, where
ISPs and Australians were given the opportunity to discuss the pros and
cons, there has been no public debate. No-one, including it seems many
ISPs, was aware that IP blocking through BGP blackholes was a government
power.

I'd like to thank everyone who helped get to the bottom of this --
especially those in the networking community that told us that ASIC might
be the cause.

If you'd like to talk with me at the Electronic Frontier Foundation or the
folks at the Electronic Frontiers Australia about pushing back against
these expansions of government power over ISPs, do get in touch on my work
address, which is danny at eff.org.

From historic experience, accepting these orders without protest is going
to encourage more parts of government to seek their own censorship powers,
and unless you join others in pushing back, I fear network operators are
going to find themselves complicit in doing the very opposite of what they
promise their users, which is still providing great connectivity with the
rest of the Net.

Thanks again for your time,

d.
International Director, EFF.

On Thu, Apr 11, 2013 at 7:53 AM, Danny O'Brien <danny at spesh.com> wrote:

> Hi AusNOG,
>
> Apologies for the interruption -- I work for the Electronic Frontier
> Foundation in the US, and usually lurk on the NANOG lists, asking the
> occasional curious question about once a decade (Including "Where did Egypt
> just go?" http://seclists.org/nanog/2011/Jan/1416 and "What happens when
> Ripe.net doesn't pay their domain fees?"
> http://seclists.org/nanog/1998/Apr/50 ).
>
> My question to this even more distinguished audience is a little narrower:
>
> We got a message from Melbourne Free University yesterday, whose site
> hosted at 198.136.54.104 in the US was unavailable from Optus and Telstra
> consumer users.
>
> It looks to me that this specific IP is being patchily blackholed, mostly
> from Australian addresses. My working assumption is that this is due to
> DDOS mitigation.
>
> The reason why Melbourne Free University got in touch with us, though, was
> that when they contacted their own broadband service provider, Exetel, to
> complain, their support eventually told them that upstream, AAPT, was
> blocking it due to an Australian government request, and could say no more
> about it. (The ticket is below.)
>
> MFU is understandably a bit disturbed by such a statement from their ISP,
> as are we. I *am* at this stage assuming miscommunication rather than
> government action. I've reached out to AAPT and Exetel, and been banging on
> BGP looking glasses and traceroutes all day, and not getting much response,
> so I thought I'd broaden out the query and ask you all:
>
> 1) Is anyone here blackholing 198.136.54.104 or the /20 (though I've seen
> people being able to reach .103 and .105 fine, but lose 104) for DDOS or
> other operational reasons?
>
> 2) Hypothetically, can anyone suggest a Federal court order or government
> process that would lead to such a blackhole for *non*-operational reasons?
>
> Thank you for your attention -- I hope your curiosity is as piqued as
> mine was.
>
> d.
>
> >     Please note that we regret to inform that the IP address has been blocked
> >     by Australian authority for undisclosed reasons.
> >
> >     As per our supplier, due to the legal department our supplier is unable to
> >     share any information regarding the blocking of the IP address. Therefore
> >     we are not able to provide the details regarding who has blocked the IP or
> >     why because the supplier won't provide these info.
> >
> >     Also note that our supplier is unable to have this IP unblocked.
> >
> >     Level 1 - Network Support Engineer
> >     Exetel Pty Ltd
>
>
>  Here is the route taken by an Exetel consumer subscriber using the AAPT
> network attempting to access the site.
>
>       > $ traceroute www.melbournefreeuniversity.org
>       > traceroute to melbournefreeuniversity.org (198.136.54.104), 64 hops max, 40 byte packets
>       >  1  XXXXXXXXXXXXX (192.168.1.254)  1 ms  1 ms  1 ms
>       >  2  XXX.XXX.96.58.static.exetel.com.au (58.96.XXX.XXX)  18 ms  19 ms  18 ms
>       >  3  33.2.96.58.static.exetel.com.au (58.96.2.33)  19 ms  18 ms  19 ms
>       >  4  pe-5017370-mburninte01.gw.aapt.com.au (203.174.186.73)  24 ms  20 ms  20 ms
>       >  5  te3-3.mburndist01.aapt.net.au (203.131.61.30) [MPLS: Label 190 Exp 1]  35 ms  35 ms  31 ms
>       >  6  te0-3-4-0.mburncore01.aapt.net.au (202.10.12.15) [MPLS: Label 17412 Exp
>       >  7  bu2.sclarcore01.aapt.net.au (202.10.10.74) [MPLS: Label 16702 Exp 1] More labels  49 ms More labels  32 ms More labels  31 ms
>       >  8  te2-2.sclardist01.aapt.net.au (202.10.12.2) [MPLS: Label 895 Exp 1]  31 ms  32 ms  33 ms
>       >  9  * po6.sclarbrdr01.aapt.net.au (202.10.14.3)  30 ms *
>       > 10  * * *
>       > 11  * * *
>
>   Here is the route taken by a Telstra subscriber in Brisbane.
>
>       >  $ traceroute to www.melbournefreeuniversity.org (198.136.54.104), 30 hops max, 60 byte packets
>       >  1  10.205.XX.XX (10.205.XX.XX)  8.936 ms  8.989 ms  8.977 ms
>       >  2  58.160.XX.XX (58.160.XX.XX)  9.349 ms  9.425 ms  9.482 ms
>       >  3  58.160.XX.XX (58.160.XX.XX)  9.705 ms  9.765 ms  9.753 ms
>       >  4  172.18.241.105 (172.18.241.105)  12.691 ms  12.817 ms  12.705 ms
>       >  5  bundle-ether10-woo10.brisbane.telstra.net (110.142.226.13)  15.426 ms  15.482 ms  14.644 ms
>       >  6  bundle-ether3.woo-core1.brisbane.telstra.net (203.50.11.52)  17.872 ms  12.953 ms  13.940 ms
>       >  7  bundle-ether11.chw-core2.sydney.telstra.net (203.50.11.70)  25.653 ms  26.135 ms  26.054 ms
>       >  8  bundle-ether1.pad-gw1.sydney.telstra.net (203.50.6.25)  27.017 ms  27.078 ms  27.072 ms
>       >  9  gigabitethernet0-2.pad-service2.sydney.telstra.net (203.50.6.70)  24.064 ms  24.129 ms  24.111 ms
>       > 10  * *
>       > 11   *
>       > 12   *
>       > 13   *
>
>
>
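
The diagnostic reasoning in the quoted message (the path dies at a provider's border from more than one network, while .103 and .105 answer and .104 does not) can be checked mechanically. This is an added example, not part of the original e-mail; the sample trace, hostnames, RFC 5737 addresses and both function names are constructed for illustration, and `classify` generalizes the neighbour comparison to any number of vantage points.

```python
import re

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Constructed sample (RFC 5737 addresses, hypothetical hostnames), including a
# mail-wrapped MPLS line like the ones in the quoted traces.
SAMPLE_TRACE = """\
traceroute to www.example.org (203.0.113.104), 64 hops max, 40 byte packets
 1  cpe.example.net (192.0.2.1)  1 ms  1 ms  1 ms
 2  agg.example.net (192.0.2.2)  18 ms  19 ms  18 ms
 3  core.example.net (192.0.2.3) [MPLS: Label
190 Exp 1]  35 ms  35 ms  31 ms
 4  * border.example.net (192.0.2.4)  30 ms *
 5  * * *
 6  * * *
"""

def last_responding_hop(trace):
    """Return (hop, ip, trailing_silent_hops) for one traceroute output."""
    prev, last, silent = 0, (None, None), 0
    for line in trace.splitlines():
        m = HOP.match(line)
        # Skip the header and wrapped continuations: a real hop line is
        # numbered exactly one more than the previous hop.
        if not m or int(m.group(1)) != prev + 1:
            continue
        prev = int(m.group(1))
        addr = ADDR.search(m.group(2))
        if addr:
            last, silent = (prev, addr.group(1)), 0
        else:
            silent += 1
    return (*last, silent)

def classify(target, neighbours, results):
    """results maps vantage -> {ip: reachable}; returns vantage -> verdict."""
    seen_elsewhere = any(r.get(target) for r in results.values())
    verdicts = {}
    for vantage, r in results.items():
        if r.get(target):
            verdicts[vantage] = "reachable"
        elif any(r.get(n) for n in neighbours):
            verdicts[vantage] = ("single-address drop on this path"
                                 if seen_elsewhere else "target down or dropped everywhere")
        else:
            verdicts[vantage] = "prefix unreachable from here"
    return verdicts
```

A "single-address drop" verdict from one provider's customers, with the last responding hop on that provider's border, is the pattern the quoted traces show; it does not by itself say whether the cause is DDoS mitigation or a blocking request.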