[liberationtech] 31.170.160.0/22 filtered on ATT? (was Re: Website censorship in the US)

Andy Isaacson adi at hexapodia.org
Wed Dec 18 12:24:06 PST 2013


CCing NANOG, since this might be of interest there.  Please keep the
discussion focused on technical routing issues rather than politics
or conspiracy theories.

On Wed, Dec 18, 2013 at 11:16:28AM -0500, Tom Ritter wrote:
> I just had the guy next to me with an AT&T phone try to access it and
> indeed he was unable.

Folks, please be clear what IP you're seeing as the destination, and
what IP you're coming from.  AFAICS nobody's even posted the *hostname*
in this thread.

The host dee.su resolves to 31.170.163.154 in AS47583 which appears to
be routed to Atlanta and is almost certainly physically located there;
from here in SF I get transit via Charter to Immedion (AS15085).  The
end of my traceroute looks like

 Host            Loss%   Snt   Last   Avg  Best  Wrst StDev

14. 96.34.78.93   0.0%     2   67.5  68.8  67.5  70.2   1.7
15. 75.131.187.34 0.0%     2   95.9  84.7  73.5  95.9  15.8
16. 67.23.161.143 0.0%     2   85.4  81.6  77.7  85.4   5.5
17. 67.23.161.129 0.0%     2   78.8  79.2  78.8  79.5   0.0
18. 208.69.231.10 0.0%     2   81.2  80.1  78.9  81.2   1.4

By contrast route-server.ip.att.net cannot traceroute to 31.170.161.101,
even though it has a valid BGP route:

31.170.160.0/22 *[BGP/170] 6d 10:15:09, localpref 100, from 12.123.33.249
                   AS path: 7018 1299 20115 15085 15085 15085 47583 I
                 > to 12.0.1.1 via em0.0

but traceroute loses after the first hop:

rviews at route-server.ip.att.net> traceroute 31.170.163.154
traceroute to 31.170.163.154 (31.170.163.154), 30 hops max, 40 byte packets
 1  gateway.cbbtier3.att.net (12.0.1.202)  2.201 ms  1.483 ms  3.829 ms
 2  * * *

OTOH traceroute to the last-hop router goes through just fine (though
this is not ironclad since 31.170.160.0/22 obviously can get service from
elsewhere):

rviews at route-server.ip.att.net> traceroute 208.69.231.10    
traceroute to 208.69.231.10 (208.69.231.10), 30 hops max, 40 byte packets
 1  gateway.cbbtier3.att.net (12.0.1.202)  3.180 ms  4.803 ms  2.946 ms
 2  n54ny401me3-cbbtier3 (12.89.5.13)  3.583 ms  2.701 ms  2.761 ms
 3  cr1.n54ny.ip.att.net (12.122.131.170)  4.567 ms  5.156 ms  7.189 ms
...
12  IMMEDION-LL.edge5.Atlanta2.Level3.net (4.71.254.78)  23.512 ms  23.458 ms  23.828 ms
13  67.23.161.143 (67.23.161.143)  29.701 ms  29.711 ms  29.667 ms
14  67.23.161.143 (67.23.161.143)  29.648 ms !H^C


So, this doesn't appear to be a simple routing fuckup (although it could
still be a more baroque fuckup), but rather, seems more likely to be an
administrative action on ATT's part.  It appears that 12.0.1.202 or
12.89.5.13 (and by extension, ATT's core router network) has a different
blacklist or BGP table than the publicly visible BGP table on
route-server.

The stated reason for this block is quite likely to be "malware" or
similar.

-andy
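
Added example, not part of the original message: a small Python sketch of the comparison made above, checking that the BGP prefix covers the destination and then comparing where the two traceroutes stop answering. The inputs are excerpted from the output quoted in the message; the function names and result labels are hypothetical, and the result is a heuristic, since a hop that simply does not answer traceroute probes looks the same as a drop.

```python
import ipaddress
import re

# Constructed inputs: BGP prefix and traceroute output excerpted from the message.
BGP_PREFIX = "31.170.160.0/22"
TRACE_TO_TARGET = """\
traceroute to 31.170.163.154 (31.170.163.154), 30 hops max, 40 byte packets
 1  gateway.cbbtier3.att.net (12.0.1.202)  2.201 ms  1.483 ms  3.829 ms
 2  * * *
"""
TRACE_TO_NEIGHBOR = """\
traceroute to 208.69.231.10 (208.69.231.10), 30 hops max, 40 byte packets
 1  gateway.cbbtier3.att.net (12.0.1.202)  3.180 ms  4.803 ms  2.946 ms
 2  n54ny401me3-cbbtier3 (12.89.5.13)  3.583 ms  2.701 ms  2.761 ms
13  67.23.161.143 (67.23.161.143)  29.701 ms  29.711 ms  29.667 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d+(?:\.\d+){3})\)")

def parse_trace(text):
    """Return (destination, [(hop_number, responder_ip_or_None), ...])."""
    lines = text.strip().splitlines()
    dest = ADDR_RE.search(lines[0]).group(1)
    hops = []
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if m:
            addr = ADDR_RE.search(m.group(2))
            hops.append((int(m.group(1)), addr.group(1) if addr else None))
    return dest, hops

def last_responder(hops):  # last hop that answered, else (0, None)
    answered = [h for h in hops if h[1]]
    return answered[-1] if answered else (0, None)

def classify(prefix, trace_target, trace_neighbor):
    """Compare control plane (BGP) with data plane (two traceroutes)."""
    dest, hops = parse_trace(trace_target)
    _, neighbor_hops = parse_trace(trace_neighbor)
    if ipaddress.ip_address(dest) not in ipaddress.ip_network(prefix):
        return ("no-covering-route", None)
    stall_hop, stall_ip = last_responder(hops)
    if stall_ip == dest:
        return ("reachable", dest)
    # Same first hop but the neighbor trace gets further: drop is destination-specific.
    if hops[:1] == neighbor_hops[:1] and last_responder(neighbor_hops)[0] > stall_hop:
        return ("dropped-after", stall_ip)
    return ("inconclusive", stall_ip)
```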


