Ask HN: Wikileaks is available from Tor. Who's blocking it?

[alex_marchant]

EDIT: Doesn't look like US ISP's (TimeWarner & Comcast) are blocking. Problems seem to arise at Swedish IPs (seems consistent with DDoS). Anyone have any idea why Tor and some VPN still get through?

It looks like the DDoS isn't the main culprit here. I assume that if the site is available from Tor, then someone must be blocking the site.

Can ISP's block Wikileaks? What is their justification if so?

[beedogs]

I can get to it fine from a VPS in Chicago but it's unreachable from anywhere else.

    ~/> telnet wikileaks.ch 80
    Trying 88.80.2.31...
    Connected to wikileaks.ch.
    Escape character is '^]'.
    .
    HTTP/1.1 503 Not allowed.
    Server: Varnish
    Content-Type: text/html; charset=utf-8
    Content-Length: 526
    Accept-Ranges: bytes
    Date: Mon, 13 Aug 2012 13:28:18 GMT
    Connection: close

        <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
            "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
        <html>
            <head>
                <title>WikiLeaks</title>
            </head>
            <body>
                <h1>We are sorry, but the request could not be completed.</h1>
                <h2>Please try again in few minutes.</h2>
                <!-- status: 405 Not allowed. -->
            </body>
        </html>


        Connection closed by foreign host.

[A1kmm]

It seems to be inaccessible for much of the Internet, but perhaps there is a Tor exit node that is hosted close to Wikileak's ISP.

wikileaks.ch seems to have two IPs: 88.80.2.31 and 88.80.16.63, both of which are inaccessable from my NZ ISP.

Using route-views it appears to be routeable:

  $ telnet route-views.routeviews.org
  Trying 2001:468:d01:33::80df:3367...
  Connected to route-views.routeviews.org.
  ...
  route-views>show bgp ipv4 unicast 88.80.2.31
  BGP routing table entry for 88.80.0.0/19, version 3495795015
  Paths: (35 available, best #12, table Default-IP-Routing-Table)
  Not advertised to any peer
  101 101 11164 3549 42708 50683 50989 33837
    209.124.176.223 from 209.124.176.223 (209.124.176.223)
      Origin IGP, localpref 100, valid, external
      Community: 101:20100 101:20120 101:22100 3549:4819 3549:31752 11164:1110 11164:7880 42708:400
      Extended Community: RT:101:22100
  3277 3267 50683 50989 33837
    194.85.102.33 from 194.85.102.33 (194.85.4.4)
      Origin IGP, localpref 100, valid, external
      Community: 3277:3267 3277:65100 3277:65320 3277:65326 3277:65330
  3333 50683 50989 33837
    193.0.0.56 from 193.0.0.56 (193.0.0.56)
      Origin IGP, localpref 100, valid, external
  ...
  16150 50989 33837
    217.75.96.60 from 217.75.96.60 (217.75.96.60)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 16150:63392 16150:65213
  ...

When I ping either address, I get destination host unreachable from 213.248.89.150. Assuming that it isn't being spoofed by an intermediate router (and it seems unlikely any ISP would really want to do that), that is from AS1299, TeliaSonera, which is not the final hop but a backbone provider several hops away from any direct route. It could be that they were asked to block traffic to that IP to help with the DDoS.

[guns]

That's interesting. I can't reach wikileaks.ch from my home connection, or from one linode instance, but it is available through a second linode instance (in Dallas):

https://www.refheap.com/paste/4309

These are the servers that are failing to relay packets, all of which respond to ping:

    po-10.sto1.se.portlane.net (80.67.4.128)
    te-4-4-gblx.sto1.se.portlane.net (209.130.172.178)
    149.11.24.18 (149.11.24.18)

Notice these are all Swedish IPs.

The admins of these servers may be working with Wikileaks to stop the deluge of packets from the IP blocks with the most attackers, or they are simply dropping the packets to conserve resources.

[alex_marchant]

Ya i'm getting the same thing at te-4-4-gblx.sto1.se.portlane.net (209.130.172.178) every time.

[alex_marchant]

So maybe it is the DDoS. And the VPN and Tor networks are routing differently, ie reaching a server under less strain? Is that a possible explanation?

[slackito]

I'm getting the same from 149.11.24.18 (home Internet connection, Spain) and te-4-4-gblx.sto1.se.portlane.net (from a US-based VPS).

[Udo]

Can you give a little more context?

Wikileaks.org loads just fine using my standard ISP here in Germany. I once worked for a project that scraped WL periodically for content, so I can tell you from experience that Wikileaks uptime is not exactly stellar - that's why they have a million mirror sites.

[Skalman]

Wikileaks has been having DDoS issues for quite a few days now[1], and wikileaks.org (88.80.2.33) is not available with my ISP in Sweden.

[1] http://www.technolog.msnbc.msn.com/technology/technolog/wiki...

[alex_marchant]

Why would it be available so consistently in the Tor browser though?

[Skalman]

I have no clue. It does seem like it's blocked selectively as guns seems to have it working from linode.

Edit: It also seems to work from an Amazon instance that I have access to.

Edit 2: It seems like it works from my university (Lund in Sweden).

[alex_marchant]

I'm in the US. If it doesn't load in any browser, and http://www.downforeveryoneorjustme.com/ says its down, but then loads instantly in Tor... I assume something is preventing me from seeing it.

[jamesjguthrie]

Inaccessible in the UK for me on the Virgin Media ISP.

[jamesjguthrie]

Though I can access it just fine from my T-Mobile phone.