<div dir="ltr">A quick final update to this mystery from last month.<div><br></div><div>The office of the Communications Minister confirmed last night that this IP was blackholed (by AAPT and perhaps others) after the Australian Securities and Investment Commission sent a notice under Section 313 for "an IP address that was linked to a fraud website". </div>
<div><br></div><div>"Melbourne Free University’s website was hosted at the same IP address as the fraud website, and was unintentionally blocked. Once ASIC were made aware of what had happened, they lifted the original blocking request."</div>
<div><br></div><div style>(See <a href="http://delimiter.com.au/2013/05/15/interpol-filter-scope-creep-asic-ordering-unilateral-website-blocks/">http://delimiter.com.au/2013/05/15/interpol-filter-scope-creep-asic-ordering-unilateral-website-blocks/</a> for more details)</div>
<div><br></div><div style>I'll try and keep this note as operational as I can: ISPs should be aware that more than one government regulator is now claiming to have the legal ability to demand Australian ISPs block upstream IPs. There's no defined limit under 313 on who might place these requests.</div>
<div style><br></div><div style>ISPs obeying these notices also appear to believe that they cannot report on these blocks (even when the regulator in question puts out its own press releases declaring their intentions: <a href="http://www.asic.gov.au/asic/asic.nsf/byheadline/13-061MR+ASIC+warns+consumers+about+Global+Capital+Wealth?openDocument">http://www.asic.gov.au/asic/asic.nsf/byheadline/13-061MR+ASIC+warns+consumers+about+Global+Capital+Wealth?openDocument</a> ).<br>
</div><div style><br></div><div style>I don't currently see any judicial oversight of this system, transparency, or possibility of redress either for ISPs or for their customers. The only reason ASIC were "made aware" that they were blocking innocent Australians was because MFU reached out to numerous groups to find out what was going on, and were refused details by both ISPs and government. The only reason Conroy's office made a statement now, it appears, is because Renai Lemay and others essentially forced the issue.</div>
<div style><br></div><div style>And unlike the recent vigorous discussions over the ACMA blacklist, where ISPs and Australians were given the opportunity to discuss the pros and cons, there has been no public debate. No-one, including it seems many ISPs, was aware that IP blocking through BGP blackholes was a government power.<br>
</div><div style><div><br></div><div style>I'd like to thank everyone who helped get to the bottom of this -- especially those in the networking community that told us that ASIC might be the cause.</div><div style><br>
</div><div style>If you'd like to talk with me at the Electronic Frontier Foundation or the folks at the Electronic Frontiers Australia about pushing back against these expansions of government power over ISPs, do get in touch on my work address, which is <a href="mailto:danny@eff.org">danny@eff.org</a>.<br>
</div><div style><br></div><div style>From historic experience, accepting these orders without protest is going to encourage more parts of government to seek their own censorship powers, and unless you join others in pushing back, I fear network operators are going to find themselves complicit in doing the very opposite of what they promise their users, which is still providing great connectivity with the rest of the Net.<br>
</div><div style><br></div><div style>Thanks again for your time,</div><div style><br></div><div style>d.</div><div style>International Director, EFF.</div></div><div><div class="gmail_extra"><br><div class="gmail_quote">
On Thu, Apr 11, 2013 at 7:53 AM, Danny O'Brien <span dir="ltr">&lt;<a href="mailto:danny@spesh.com" target="_blank">danny@spesh.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hi AusNOG,<br><br>Apologies for the interruption -- I work for the Electronic Frontier Foundation in the US, and usually lurk on the NANOG lists, asking the occasional curious question about once a decade (Including "Where did Egypt just go?" <a href="http://seclists.org/nanog/2011/Jan/1416" target="_blank">http://seclists.org/nanog/2011/Jan/1416</a> and "What happens when Ripe.net doesn't pay their domain fees?" <a href="http://seclists.org/nanog/1998/Apr/50" target="_blank">http://seclists.org/nanog/1998/Apr/50</a> ).<br>
<br>My question to this even more distinguished audience is a little narrower: <br><br>We got a message from Melbourne Free University yesterday, whose site hosted at 198.136.54.104 in the US was unavailable from Optus and Telstra consumer users.<br>
<br>It looks to me that this specific IP is being patchily blackholed, mostly from Australian addresses. My working assumption is that this is due to DDOS mitigation. <br><br>The reason why Melbourne Free University got in touch with us, though, was that when they contacted their own broadband service provider, Exetel, to complain, their support eventually told them that upstream, AAPT, was blocking it due to an Australian government request, and could say no more about it. (The ticket is below.)<br>
<br>MFU is understandably a bit disturbed by such a statement from their ISP, as are we. I *am* at this stage assuming miscommunication rather than government action. I've reached out to AAPT and Exetel, and been banging on BGP looking glasses and traceroutes all day, and not getting much response, so I thought I'd broaden out the query and ask you all:<br>
<br>1) Is anyone here blackholing 198.136.54.104 or the /20 (though I've seen people being able to reach .103 and .105 fine, but lose 104) for DDOS or other operational reasons?<br><br>2) Hypothetically, can anyone suggest a Federal court order or government process that would lead to such a blackhole for *non*-operational reasons?<br>
<br>Thank you for your attention -- I hope your curiosity is as piqued as mine was.<br><br>d.<br><br>> Please note that we regret to inform that the IP address has been blocked<br>> by Australian authority for undisclosed reasons.<br>
><br>> As per our supplier, due to the legal department our supplier is unable to<br>> share any information regarding the blocking of the IP address. Therefore<br>> we are not able to provide the details regarding who has blocked the IP or<br>
> why because the supplier won't provide this info.<br>><br>> Also note that our supplier is unable to have this IP unblocked.<br>><br>> Level 1 - Network Support Engineer<br>> Exetel Pty Ltd<br>
<br><br> Here is the route taken by an Exetel consumer subscriber using the AAPT network attempting to access the site.<br> <br> > $ traceroute <a href="http://www.melbournefreeuniversity.org" target="_blank">www.melbournefreeuniversity.org</a><br>
> traceroute to <a href="http://melbournefreeuniversity.org" target="_blank">melbournefreeuniversity.org</a> (198.136.54.104), 64 hops max, 40<br> > byte packets<br> > 1 XXXXXXXXXXXXX (192.168.1.254) 1 ms 1 ms 1 ms<br>
> 2 <a href="http://XXX.XXX.96.58.static.exetel.com.au" target="_blank">XXX.XXX.96.58.static.exetel.com.au</a> (58.96.XXX.XXX) 18 ms 19 ms 18 ms<br> > 3 <a href="http://33.2.96.58.static.exetel.com.au" target="_blank">33.2.96.58.static.exetel.com.au</a> (58.96.2.33) 19 ms 18 ms 19 ms<br>
> 4 <a href="http://pe-5017370-mburninte01.gw.aapt.com.au" target="_blank">pe-5017370-mburninte01.gw.aapt.com.au</a> (203.174.186.73) 24 ms 20 ms<br> > 20 ms<br> > 5 <a href="http://te3-3.mburndist01.aapt.net.au" target="_blank">te3-3.mburndist01.aapt.net.au</a> (203.131.61.30) [MPLS: Label 190 Exp 1]<br>
> 35 ms 35 ms 31 ms<br> > 6 <a href="http://te0-3-4-0.mburncore01.aapt.net.au" target="_blank">te0-3-4-0.mburncore01.aapt.net.au</a> (202.10.12.15) [MPLS: Label 17412 Exp<br> > 7 <a href="http://bu2.sclarcore01.aapt.net.au" target="_blank">bu2.sclarcore01.aapt.net.au</a> (202.10.10.74) [MPLS: Label 16702 Exp 1]<br>
> More labels 49 ms More labels 32 ms More labels 31 ms<br> > 8 <a href="http://te2-2.sclardist01.aapt.net.au" target="_blank">te2-2.sclardist01.aapt.net.au</a> (202.10.12.2) [MPLS: Label 895 Exp 1] 31<br>
> ms 32 ms 33 ms<br>
> 9 * <a href="http://po6.sclarbrdr01.aapt.net.au" target="_blank">po6.sclarbrdr01.aapt.net.au</a> (202.10.14.3) 30 ms *<br> > 10 * * *<br> > 11 * * *<br> <br> Here is the route taken by a Telstra subscriber in Brisbane.<br>
<br> > $ traceroute to <a href="http://www.melbournefreeuniversity.org" target="_blank">www.melbournefreeuniversity.org</a> &lt;<a href="http://www.melbournefreeuniversity.org" target="_blank">http://www.melbournefreeuniversity.org</a>&gt; (198.136.54.104), 30 hops max, 60 byte packets<br>
> 1 10.205.XX.XX (10.205.XX.XX) 8.936 ms 8.989 ms 8.977 ms<br> > 2 58.160.XX.XX (58.160.XX.XX) 9.349 ms 9.425 ms 9.482 ms<br> > 3 58.160.XX.XX (58.160.XX.XX) 9.705 ms 9.765 ms 9.753 ms<br>
> 4 172.18.241.105 (172.18.241.105) 12.691 ms 12.817 ms 12.705 ms<br> > 5 <a href="http://bundle-ether10-woo10.brisbane.telstra.net" target="_blank">bundle-ether10-woo10.brisbane.telstra.net</a> (110.142.226.13) 15.426 ms 15.482 ms 14.644 ms<br>
> 6 <a href="http://bundle-ether3.woo-core1.brisbane.telstra.net" target="_blank">bundle-ether3.woo-core1.brisbane.telstra.net</a> (203.50.11.52) 17.872 ms 12.953 ms 13.940 ms<br> > 7 <a href="http://bundle-ether11.chw-core2.sydney.telstra.net" target="_blank">bundle-ether11.chw-core2.sydney.telstra.net</a> (203.50.11.70) 25.653 ms 26.135 ms 26.054 ms<br>
> 8 <a href="http://bundle-ether1.pad-gw1.sydney.telstra.net" target="_blank">bundle-ether1.pad-gw1.sydney.telstra.net</a> (203.50.6.25) 27.017 ms 27.078 ms 27.072 ms<br> > 9 <a href="http://gigabitethernet0-2.pad-service2.sydney.telstra.net" target="_blank">gigabitethernet0-2.pad-service2.sydney.telstra.net</a> (203.50.6.70) 24.064 ms 24.129 ms 24.111 ms<br>
> 10 * *<br> > 11 *<br> > 12 *<br> > 13 *<br><br><br></div>
</blockquote></div><br></div></div></div>