It's actually worse.<div><br></div><div>If a user on your corporate network tries to visit a site that the Chinese Govt thinks is "bad (tm)", your entire corporate Internet link has all connections on it reset, and it takes anything up to a few minutes for you to get *any* connectivity back.</div>
<div><br></div><div>It's a bloody nightmare. I imagine it's even more fun if you're trying to run an ISP there...</div><div><br><div class="gmail_quote">On 15 May 2013 23:55, Phillip Grasso <span dir="ltr"><<a href="mailto:phillip.grasso@gmail.com" target="_blank">phillip.grasso@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">knock knock, <div>who's there.</div><div><br></div><div>it's &lt;censored&gt;</div></div><div class="HOEnZb">
<div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 15, 2013 at 11:45 PM, Robert Hudson <span dir="ltr"><<a href="mailto:hudrob@gmail.com" target="_blank">hudrob@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Unless you've actually operated behind the Great Firewall of China, don't even joke...<div><div>
<br><br><div class="gmail_quote">On 15 May 2013 22:49, Joshua D'Alton <span dir="ltr"><<a href="mailto:joshua@railgun.com.au" target="_blank">joshua@railgun.com.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Great firewall of china here we come.</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>
<div>On Wed, May 15, 2013 at 10:33 PM, Danny O'Brien <span dir="ltr"><<a href="mailto:danny@spesh.com" target="_blank">danny@spesh.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">A quick final update to this mystery from last month.<div><br></div><div>
The office of the Communications Minister confirmed last night that this IP was blackholed (by AAPT and perhaps others) after the Australian Securities and Investment Commission sent a notice under Section 313 for "an IP address that was linked to a fraud website". </div>
<div><br></div><div>"Melbourne Free University’s website was hosted at the same IP address as the fraud website, and was unintentionally blocked. Once ASIC were made aware of what had happened, they lifted the original blocking request."</div>
<div><br></div><div>(See <a href="http://delimiter.com.au/2013/05/15/interpol-filter-scope-creep-asic-ordering-unilateral-website-blocks/" target="_blank">http://delimiter.com.au/2013/05/15/interpol-filter-scope-creep-asic-ordering-unilateral-website-blocks/</a> for more details)</div>
<div><br></div><div>I'll try and keep this note as operational as I can: ISPs should be aware that more than one government regulator is now claiming to have the legal ability to demand Australian ISPs block upstream IPs. There's no defined limit under 313 on who might place these requests.</div>
<div><br></div><div>ISPs obeying these notices also appear to believe that they cannot report on these blocks (even when the regulator in question puts out its own press releases declaring their intentions: <a href="http://www.asic.gov.au/asic/asic.nsf/byheadline/13-061MR+ASIC+warns+consumers+about+Global+Capital+Wealth?openDocument" target="_blank">http://www.asic.gov.au/asic/asic.nsf/byheadline/13-061MR+ASIC+warns+consumers+about+Global+Capital+Wealth?openDocument</a> ).<br>
</div><div><br></div><div>I don't currently see any judicial oversight of this system, transparency, or possibility of redress either for ISPs or for their customers. The only reason ASIC were "made aware" that they were blocking innocent Australians was because MFU reached out to numerous groups to find out what was going on, and were refused details by both ISPs and government. The only reason Conroy's office made a statement now, it appears, is because Renai Lemay and others essentially forced the issue.</div>
<div><br></div><div>And unlike the recent vigorous discussions over the ACMA blacklist, where ISPs and Australians were given the opportunity to discuss the pros and cons, there has been no public debate. No-one, including it seems many ISPs, was aware that IP blocking through BGP blackholes was a government power.<br>
</div><div><div><br></div><div>I'd like to thank everyone who helped get to the bottom of this -- especially those in the networking community that told us that ASIC might be the cause.</div><div><br>
</div><div>If you'd like to talk with me at the Electronic Frontier Foundation or the folks at the Electronic Frontiers Australia about pushing back against these expansions of government power over ISPs, do get in touch on my work address, which is <a href="mailto:danny@eff.org" target="_blank">danny@eff.org</a>.<br>
</div><div><br></div><div>From historic experience, accepting these orders without protest is going to encourage more parts of government to seek their own censorship powers, and unless you join others in pushing back, I fear network operators are going to find themselves complicit in doing the very opposite of what they promise their users, which is still providing great connectivity with the rest of the Net.<br>
</div><div><br></div><div>Thanks again for your time,</div><div><br></div><div>d.</div><div>International Director, EFF.</div></div><div><div class="gmail_extra"><br><div class="gmail_quote">
On Thu, Apr 11, 2013 at 7:53 AM, Danny O'Brien <span dir="ltr"><<a href="mailto:danny@spesh.com" target="_blank">danny@spesh.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hi AusNOG,<br><br>Apologies for the interruption -- I work for the Electronic Frontier Foundation in the US, and usually lurk on the NANOG lists, asking the occasional curious question about once a decade (Including "Where did Egypt just go?" <a href="http://seclists.org/nanog/2011/Jan/1416" target="_blank">http://seclists.org/nanog/2011/Jan/1416</a> and "What happens when Ripe.net doesn't pay their domain fees?" <a href="http://seclists.org/nanog/1998/Apr/50" target="_blank">http://seclists.org/nanog/1998/Apr/50</a> ).<br>
<br>My question to this even more distinguished audience is a little narrower: <br><br>We got a message from Melbourne Free University yesterday, whose site hosted at 198.136.54.104 in the US was unavailable from Optus and Telstra consumer users.<br>
<br>It looks to me that this specific IP is being patchily blackholed, mostly from Australian addresses. My working assumption is that this is due to DDOS mitigation. <br><br>The reason why Melbourne Free University got in touch with us, though, was that when they contacted their own broadband service provider, Exetel, to complain, their support eventually told them that upstream, AAPT, was blocking it due to an Australian government request, and could say no more about it. (The ticket is below.)<br>
<br>MFU is understandably a bit disturbed by such a statement from their ISP, as are we. I *am* at this stage assuming miscommunication rather than government action. I've reached out to AAPT and Exetel, and been banging on BGP looking glasses and traceroutes all day, and not getting much response, so I thought I'd broaden out the query and ask you all:<br>
<br>1) Is anyone here blackholing 198.136.54.104 or the /20 (though I've seen people being able to reach .103 and .105 fine, but lose 104) for DDOS or other operational reasons?<br><br>2) Hypothetically, can anyone suggest a Federal court order or government process that would lead to such a blackhole for *non*-operational reasons?<br>
<br>Thank you for your attention -- I hope your curiosity is as piqued as mine was.<br><br>d.<br><br>> Please note that we regret to inform that the IP address has been blocked<br>> by Australian authority for undisclosed reasons.<br>
><br>> As per our supplier, due to the legal department our supplier is unable to<br>> share any information regarding the blocking of the IP address. Therefore<br>> we are not able to provide the details regarding who has blocked the IP or<br>
> why because the supplier won't provide these info.<br>><br>> Also note that our supplier is unable to have this IP unblocked.<br>><br>> Level 1 - Network Support Engineer<br>> Exetel Pty Ltd<br>
<br><br> Here is the route taken by an Exetel consumer subscriber using the AAPT network attempting to access the site.<br> <br> > $ traceroute <a href="http://www.melbournefreeuniversity.org" target="_blank">www.melbournefreeuniversity.org</a><br>
> traceroute to <a href="http://melbournefreeuniversity.org" target="_blank">melbournefreeuniversity.org</a> (198.136.54.104), 64 hops max, 40<br> > byte packets<br> > 1 XXXXXXXXXXXXX (192.168.1.254) 1 ms 1 ms 1 ms<br>
> 2 <a href="http://XXX.XXX.96.58.static.exetel.com.au" target="_blank">XXX.XXX.96.58.static.exetel.com.au</a> (58.96.XXX.XXX) 18 ms 19 ms 18 ms<br> > 3 <a href="http://33.2.96.58.static.exetel.com.au" target="_blank">33.2.96.58.static.exetel.com.au</a> (58.96.2.33) 19 ms 18 ms 19 ms<br>
> 4 <a href="http://pe-5017370-mburninte01.gw.aapt.com.au" target="_blank">pe-5017370-mburninte01.gw.aapt.com.au</a> (203.174.186.73) 24 ms 20 ms<br> > 20 ms<br> > 5 <a href="http://te3-3.mburndist01.aapt.net.au" target="_blank">te3-3.mburndist01.aapt.net.au</a> (203.131.61.30) [MPLS: Label 190 Exp 1]<br>
> 35 ms 35 ms 31 ms<br> > 6 <a href="http://te0-3-4-0.mburncore01.aapt.net.au" target="_blank">te0-3-4-0.mburncore01.aapt.net.au</a> (202.10.12.15) [MPLS: Label 17412 Exp<br> > 7 <a href="http://bu2.sclarcore01.aapt.net.au" target="_blank">bu2.sclarcore01.aapt.net.au</a> (202.10.10.74) [MPLS: Label 16702 Exp 1]<br>
> More labels 49 ms More labels 32 ms More labels 31 ms<br> > 8 <a href="http://te2-2.sclardist01.aapt.net.au" target="_blank">te2-2.sclardist01.aapt.net.au</a> (202.10.12.2) [MPLS: Label 895 Exp 1] 31<br>
> ms 32 ms 33 ms<br>
> 9 * <a href="http://po6.sclarbrdr01.aapt.net.au" target="_blank">po6.sclarbrdr01.aapt.net.au</a> (202.10.14.3) 30 ms *<br> > 10 * * *<br> > 11 * * *<br> <br> Here is the route taken by a Telstra subscriber in Brisbane.<br>
<br> > $ traceroute to <a href="http://www.melbournefreeuniversity.org" target="_blank">www.melbournefreeuniversity.org</a> <<a href="http://www.melbournefreeuniversity.org" target="_blank">http://www.melbournefreeuniversity.org</a>> (198.136.54.104), 30 hops max, 60 byte packets<br>
> 1 10.205.XX.XX (10.205.XX.XX) 8.936 ms 8.989 ms 8.977 ms<br> > 2 58.160.XX.XX (58.160.XX.XX) 9.349 ms 9.425 ms 9.482 ms<br> > 3 58.160.XX.XX (58.160.XX.XX) 9.705 ms 9.765 ms 9.753 ms<br>
> 4 172.18.241.105 (172.18.241.105) 12.691 ms 12.817 ms 12.705 ms<br> > 5 <a href="http://bundle-ether10-woo10.brisbane.telstra.net" target="_blank">bundle-ether10-woo10.brisbane.telstra.net</a> (110.142.226.13) 15.426 ms 15.482 ms 14.644 ms<br>
> 6 <a href="http://bundle-ether3.woo-core1.brisbane.telstra.net" target="_blank">bundle-ether3.woo-core1.brisbane.telstra.net</a> (203.50.11.52) 17.872 ms 12.953 ms 13.940 ms<br> > 7 <a href="http://bundle-ether11.chw-core2.sydney.telstra.net" target="_blank">bundle-ether11.chw-core2.sydney.telstra.net</a> (203.50.11.70) 25.653 ms 26.135 ms 26.054 ms<br>
> 8 <a href="http://bundle-ether1.pad-gw1.sydney.telstra.net" target="_blank">bundle-ether1.pad-gw1.sydney.telstra.net</a> (203.50.6.25) 27.017 ms 27.078 ms 27.072 ms<br> > 9 <a href="http://gigabitethernet0-2.pad-service2.sydney.telstra.net" target="_blank">gigabitethernet0-2.pad-service2.sydney.telstra.net</a> (203.50.6.70) 24.064 ms 24.129 ms 24.111 ms<br>
> 10 * *<br> > 11 *<br> > 12 *<br> > 13 *<br><br><br></div>
</blockquote></div><br></div></div></div>
<br></div></div>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>