<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
@ Danny - One of AAPT's technical punters, Robert Tozer, hangs
around the list...<br>
<br>
@ Robert - Can you provide any further information ?<br>
<br>
<br>
T.<br>
<br>
<div class="moz-cite-prefix">On 11/04/13 3:53 PM, Danny O'Brien
wrote:<br>
</div>
<blockquote
cite="mid:CAAkY2sfuX50iJp27cZ8J-UnckO13zrbMmRFnaYbU7OWr3FX93A@mail.gmail.com"
type="cite">
<div dir="ltr">Hi AusNOG,<br>
<br>
Apologies for the interruption -- I work for the Electronic
Frontier Foundation in the US, and usually lurk on the NANOG
lists, asking the occasional curious question about once a
decade (Including "Where did Egypt just go?" <a
moz-do-not-send="true"
href="http://seclists.org/nanog/2011/Jan/1416">http://seclists.org/nanog/2011/Jan/1416</a>
and "What happens when Ripe.net doesn't pay their domain fees?"
<a moz-do-not-send="true"
href="http://seclists.org/nanog/1998/Apr/50">http://seclists.org/nanog/1998/Apr/50</a>
).<br>
<br>
My question to this even more distinguished audience is a little
narrower: <br>
<br>
We got a message from Melbourne Free University yesterday, whose
site hosted at 198.136.54.104 in the US was unavailable from
Optus and Telstra consumer users.<br>
<br>
It looks to me that this specific IP is being patchily
blackholed, mostly from Australian addresses. My working
assumption is that this is due to DDOS mitigation. <br>
<br>
The reason why Melbourne Free University got in touch with us,
though, was that when they contacted their own broadband service
provider., Exetel, to complain, their support eventually told
them that upstream, AAPT, was blocking it due to an Australian
government request, and could say no more about it. (The ticket
is below.)<br>
<br>
MFU is understandably a bit disturbed by such a statement from
their ISP, as are we. I *am* at this stage assuming
miscommunication rather than government action. I've reached out
to AAPT and Exetel, and been banging on BGP looking glasses and
traceroutes all day, and not getting much response, so I thought
I'd broaden out the query and ask you all:<br>
<br>
1) Is anyone here blackholing 198.136.54.104 or the /20 (though
I've seen people being able to reach .103 and .105 fine, but
lose 104) for DDOS or other operational reasons?<br>
<br>
2) Hypothetically, can anyone suggest a Federal court order or
government process that would lead to such a blackhole for
*non*-operational reasons?<br>
<br>
Thank you for your attention -- I hope your curiousity is as
piqued as mine was.<br>
<br>
d.<br>
<br>
> Please note that we regret to inform that the IP
address has been blocked<br>
> by Australian authority for undisclosed reasons.<br>
><br>
> As per our supplier, due to the legal department our
supplier is unable to<br>
> share any information regarding the blocking of the IP
address. Therefore<br>
> we are not able to provide the details regarding who
has blocked the IP or<br>
> why because the supplier wont provide these info.<br>
><br>
> Also note that our supplier is unable to have this IP
unblocked.<br>
><br>
> Level 1 - Network Support Engineer<br>
> Exetel Pty Ltd<br>
<br>
<br>
Here is the route taken by an Exetel consumer subscriber using
the AAPT network attempting to access the site.<br>
<br>
> $ traceroute <a moz-do-not-send="true"
href="http://www.melbournefreeuniversity.org">www.melbournefreeuniversity.org</a><br>
> traceroute to <a moz-do-not-send="true"
href="http://melbournefreeuniversity.org">melbournefreeuniversity.org</a>
(198.136.54.104), 64 hops max, 40<br>
> byte packets<br>
> 1 XXXXXXXXXXXXX (192.168.1.254) 1 ms 1 ms 1 ms<br>
> 2 <a moz-do-not-send="true"
href="http://XXX.XXX.96.58.static.exetel.com.au">XXX.XXX.96.58.static.exetel.com.au</a>
(58.96.XXX.XXX) 18 ms 19 ms 18 ms<br>
> 3 <a moz-do-not-send="true"
href="http://33.2.96.58.static.exetel.com.au">33.2.96.58.static.exetel.com.au</a>
(58.96.2.33) 19 ms 18 ms 19 ms<br>
> 4 <a moz-do-not-send="true"
href="http://pe-5017370-mburninte01.gw.aapt.com.au">pe-5017370-mburninte01.gw.aapt.com.au</a>
(203.174.186.73) 24 ms 20 ms<br>
> 20 ms<br>
> 5 <a moz-do-not-send="true"
href="http://te3-3.mburndist01.aapt.net.au">te3-3.mburndist01.aapt.net.au</a>
(203.131.61.30) [MPLS: Label 190 Exp 1]<br>
> 35 ms 35 ms 31 ms<br>
> 6 <a moz-do-not-send="true"
href="http://te0-3-4-0.mburncore01.aapt.net.au">te0-3-4-0.mburncore01.aapt.net.au</a>
(202.10.12.15) [MPLS: Label 17412 Exp<br>
> 7 <a moz-do-not-send="true"
href="http://bu2.sclarcore01.aapt.net.au">bu2.sclarcore01.aapt.net.au</a>
(202.10.10.74) [MPLS: Label 16702 Exp 1]<br>
> More labels 49 ms More labels 32 ms More labels 31
ms<br>
> 8 <a moz-do-not-send="true"
href="http://te2-2.sclardist01.aapt.net.au">te2-2.sclardist01.aapt.net.au</a>
(202.10.12.2) [MPLS: Label 895 Exp 1] 31<br>
> ms 32 ms 33 ms<br>
> 9 * <a moz-do-not-send="true"
href="http://po6.sclarbrdr01.aapt.net.au">po6.sclarbrdr01.aapt.net.au</a>
(202.10.14.3) 30 ms *<br>
> 10 * * *<br>
> 11 * * *<br>
<br>
Here is the route taken by a Telstra subscriber in Brisbane.<br>
<br>
> $ traceroute to <a moz-do-not-send="true"
href="http://www.melbournefreeuniversity.org">www.melbournefreeuniversity.org</a>
<<a moz-do-not-send="true"
href="http://www.melbournefreeuniversity.org">http://www.melbournefreeuniversity.org</a>>
(198.136.54.104), 30 hops max, 60 byte packets<br>
> 1 10.205.XX.XX (10.205.XX.XX) 8.936 ms 8.989 ms
8.977 ms<br>
> 2 58.160.XX.XX (58.160.XX.XX) 9.349 ms 9.425 ms
9.482 ms<br>
> 3 58.160.XX.XX (58.160.XX.XX) 9.705 ms 9.765 ms
9.753 ms<br>
> 4 172.18.241.105 (172.18.241.105) 12.691 ms
12.817 ms 12.705 ms<br>
> 5 <a moz-do-not-send="true"
href="http://bundle-ether10-woo10.brisbane.telstra.net">bundle-ether10-woo10.brisbane.telstra.net</a>
(110.142.226.13) 15.426 ms 15.482 ms 14.644 ms<br>
> 6 <a moz-do-not-send="true"
href="http://bundle-ether3.woo-core1.brisbane.telstra.net">bundle-ether3.woo-core1.brisbane.telstra.net</a>
(203.50.11.52) 17.872 ms 12.953 ms 13.940 ms<br>
> 7 <a moz-do-not-send="true"
href="http://bundle-ether11.chw-core2.sydney.telstra.net">bundle-ether11.chw-core2.sydney.telstra.net</a>
(203.50.11.70) 25.653 ms 26.135 ms 26.054 ms<br>
> 8 <a moz-do-not-send="true"
href="http://bundle-ether1.pad-gw1.sydney.telstra.net">bundle-ether1.pad-gw1.sydney.telstra.net</a>
(203.50.6.25) 27.017 ms 27.078 ms 27.072 ms<br>
> 9 <a moz-do-not-send="true"
href="http://gigabitethernet0-2.pad-service2.sydney.telstra.net">gigabitethernet0-2.pad-service2.sydney.telstra.net</a>
(203.50.6.70) 24.064 ms 24.129 ms 24.111 ms<br>
> 10 * *<br>
> 11 *<br>
> 12 *<br>
> 13 *<br>
<br>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br>
</body>
</html>