
Can’t get there from here - dominicgs
http://www.mckeay.net/2014/01/24/cant-get-there-from-here/
======
bdb
This is a route leak, plain and simple. Don't forget to apply Occam's Razor.
All of those sites which are "coincidentally" misbehaving are located in the
same /24.

This is what is actually happening. Virgin Media peers with Cogent. Virgin
prefers routes from peers over transit. Cogent is turrible at provisioning and
filtering, and is a large international transit provider.

Let's look at the route from Cogent's perspective:

      BGP routing table entry for 199.58.210.0/24, version 2031309347
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        54098 11557 4436 40015 54876
          38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
            Origin incomplete, metric 0, localpref 130, valid, internal, best
            Community: 174:3092 174:10031 174:20999 174:21001 174:22013

If Cogent was competent at filtering, they'd never learn a route transiting
4436 via a customer port in the first place, but most likely someone at
Lionlink (54098) is leaking from one of their transit providers (Sidera,
11557) to another (Cogent, 174).

Also, traffic passing through Switzerland is a red herring -- the poster is
using a geoip database to look up where a Cogent router is. GeoIP databases
are typically populated by user activity, e.g., mobile devices phoning home to
get wifi-based location, credit card txns, etc. None of this traffic comes
from a ptp interface address on a core router. GeoIP databases tend to have a
resolution of about a /24, whereas infrastructure netblocks tend to be chopped
up into /30s or /31s for ptp links and /32s for loopbacks, so two adjacent
/32s could physically be located in wildly different parts of the world. More
than likely, that IP address was previously assigned to a customer. The more
accurate source of information would be the router's hostname, which clearly
indicates that it is in London. The handoff between Virgin and Cogent almost
certainly happens at Telehouse in the Docklands.

If someone were, in fact, trying to intercept your traffic, they could almost
certainly do so without you noticing (at least at layer 3.)
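Turning the comment's reading of the Cogent entry into a repeatable check, as an added example that is not code from the thread or from any of the networks named: it parses the quoted looking-glass entry and flags the route on the two grounds the comment gives, a path learned on a customer port that runs through transit-class ASNs, and a /24 that is a more-specific of the hosting provider's covering /21 (199.58.208.0/21, cited later in the thread). The customer/transit labelling of the ASNs is an assumption, as is the simplified best-path comparison.

```python
import ipaddress
import re

# Constructed sample: the Cogent looking-glass entry quoted in the comment above.
BGP_ENTRY = """\
BGP routing table entry for 199.58.210.0/24, version 2031309347
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  54098 11557 4436 40015 54876
    38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
      Origin incomplete, metric 0, localpref 130, valid, internal, best
"""

# Assumed relationships, as the comment reads them from Cogent's (AS174) side:
# 54098 sits on a customer port; 11557 and 4436 are transit-class networks that
# should never appear behind a customer. Hypothetical labelling for this demo.
CUSTOMERS = {54098}
TRANSIT_ASNS = {11557, 4436}


def parse_entry(text):
    """Return (prefix, as_path, localpref) from a Cisco-style 'show ip bgp' entry."""
    prefix = re.search(r"entry for (\S+),", text).group(1)
    path_line = next(l for l in text.splitlines() if re.fullmatch(r"\s+(\d+\s*)+", l))
    localpref = int(re.search(r"localpref (\d+)", text).group(1))
    return prefix, [int(a) for a in path_line.split()], localpref


def is_route_leak(as_path, customers, transit_asns):
    """Valley check: a path learned from a customer must not run through a transit
    provider; if it does, the customer is re-announcing one upstream's routes to another."""
    return as_path[0] in customers and any(a in transit_asns for a in as_path[1:])


def is_more_specific(prefix, covering):
    """A leaked /24 inside a legitimately announced /21 wins longest-prefix match
    before BGP path preference is even consulted."""
    net, cover = ipaddress.ip_network(prefix), ipaddress.ip_network(covering)
    return net != cover and net.subnet_of(cover)


def prefers(candidate, other):
    """Simplified best-path: higher localpref wins, then the shorter AS path.
    Models why a peer-learned route (Virgin's stated policy) beats a transit route."""
    c_lp, c_path = candidate
    o_lp, o_path = other
    return (c_lp, -len(c_path)) > (o_lp, -len(o_path))
```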

~~~
TeMPOraL
> _If someone were, in fact, trying to intercept your traffic, they could
> almost certainly do so without you noticing (at least at layer 3.)_

Then again, doing it like here would give them plausible deniability ("what?
we? tracking? no, someone misconfigured a router."). Or maybe, given how those
sites visibly disappear, it is an example of Zersetzung[0]?

Welcome to post-Snowden world. We just cut ourselves with Ockham's razor and
now are bleeding paranoid.

[0] -
[http://en.wikipedia.org/wiki/Stasi#Zersetzung](http://en.wikipedia.org/wiki/Stasi#Zersetzung)

------
drakaal
Would be interesting to know if you can get to
[https://conference.hitb.org/check-status/](https://conference.hitb.org/check-status/)

Partly because it is HTTPS and partly because hack only appears in a url on
the page.

This might answer if it is the result of the site, or the site content. Like
for some reason LionLink is filtering based on the content on the page.

~~~
rlongstaff
I'm on Virgin Media in the UK and it starts loading the page in Firefox (the
title changes to the title of the page) but never actually completes, so I get
a blank page.

------
msantos
Both websites hitb.org (199.58.210.36) and thc.org (199.58.210.16) have A
records that are part of Rokabear's CIDR 199.58.208.0/21, and some IPs in that
block are responding as expected, i.e. 199.58.208.36 and 199.58.215.36.

However, not a single IP in the range 199.58.210.0/24 responds to ICMP or TCP
probes. My only guess is that this is more likely a faulty or misconfigured router.

        # Dirty TCP check
        nmap -v -Pn -p 80 199.58.210.0/24

        # Dirty ICMP check (1 means failure, 0 means success)
        for i in {1..254}; do
          echo -n "199.58.210.$i "
          ping -c2 "199.58.210.$i" >/dev/null 2>&1
          echo " $?"
        done

------
dreen
Can't access any of those sites either, they just time out. Virgin Media UK.
Trace for THC:
[http://pastebin.com/raw.php?i=qmv3cYse](http://pastebin.com/raw.php?i=qmv3cYse)

------
fendale
Quite a while ago now, there was a period where you couldn't get to
Stackoverflow on Virgin media. There were some quite long threads in Virgins
forums about it, and apparently not all virgin customers were affected! It did
eventually resolve itself, but it was very frustrating!

[http://community.virginmedia.com/t5/Up-to-120Mb-Setup-Equipm...](http://community.virginmedia.com/t5/Up-to-120Mb-Setup-Equipment/stackoverflow-com/td-p/1722156/page/16)

------
skywhopper
Interesting. Are any groups attempting to track odd routings like this? Seems
like it would make for a good research project that would garner plenty of
publicity.

~~~
thatthatis
When such a group crops up it will inevitably also have its website blocked

------
morgante
Thus we see the inevitable result of a culture which encourages internet
filters: full on censorship of divergent, but legal, views.

~~~
ikawe
This doesn't strike me as an effective demographic to "full on censor" in this
way. Generally speaking, people interested in hacker conferences know how to
proxy around a net nanny.

Could this be a botched poor man's wiretap? I.e. traffic sent to a black-listed
domain gets transparently routed to an adversarial middle host, which is
intended to eventually forward it on to the original destination, but in
this case someone misconfigured the wiretap, causing traffic to get lost.
(/tinfoil hat)

I'd like to see the tracert for other hosts near the same destination.

------
NoodleIncident
Well that would be pretty serious.

He should run that 45 min internet scan through his home network and diff with
his work network, get a list of all the sites that have this behavior.
Alternatively he could write a script to ping his bookmarks or browser
history, that would probably take less time.

------
spacefight
We know that routing sometimes takes strange hops - it doesn't always mean
malicious intent. He says he also can't access the site of the hosting
provider - so my take is that it might be just a fucked up route somewhere.
Happens all the time.

------
ericnelson
The IP that you're trying to reach belongs to a US hosting company, so routing
to the US should not be a surprise.

