antisocial security

from a stateside host

psg.com:/usr/home/randy> dig ssa.gov. ns

; <<>> DiG 9.4.3-P2 <<>> ssa.gov. ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37734
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;ssa.gov. IN NS

;; ANSWER SECTION:
ssa.gov. 24370 IN NS dns1.ssa.gov.
ssa.gov. 24370 IN NS dns6.ssa.gov.
ssa.gov. 24370 IN NS dns5.ssa.gov.
ssa.gov. 24370 IN NS dns2.ssa.gov.

;; ADDITIONAL SECTION:
dns1.ssa.gov. 34072 IN A 199.173.231.82
dns2.ssa.gov. 34073 IN A 199.173.231.83
dns5.ssa.gov. 34073 IN A 137.200.4.30
dns6.ssa.gov. 34074 IN A 137.200.4.31

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Feb 2 03:45:15 2012
;; MSG SIZE rcvd: 165

psg.com:/usr/home/randy> dig +short @199.173.231.82 www.ssa.gov. any
www.socialsecurity.gov.
CNAME 7 3 60 20120224201936 20120125195419 21905 ssa.gov. XSnBe3L3rTcD2FO778x43NOJaVf2OeMoSN8hBOSJFqfUfXAyH9qE5X1Q +tuRgigLs4qE7Fr40GI7SANxkltYdICJbEfvYikKMDW/hi8wp8mKHYQP SmXRGZz3ZizUaLb1DNTTWePIJDCrwEkZ5oVSEqoaV5xjDnWQ0twwILve I3Q=
psg.com:/usr/home/randy> dig +short @199.173.231.83 www.ssa.gov. any
www.socialsecurity.gov.
CNAME 7 3 60 20120224201936 20120125195419 21905 ssa.gov. XSnBe3L3rTcD2FO778x43NOJaVf2OeMoSN8hBOSJFqfUfXAyH9qE5X1Q +tuRgigLs4qE7Fr40GI7SANxkltYdICJbEfvYikKMDW/hi8wp8mKHYQP SmXRGZz3ZizUaLb1DNTTWePIJDCrwEkZ5oVSEqoaV5xjDnWQ0twwILve I3Q=
psg.com:/usr/home/randy> dig +short @137.200.4.30 www.ssa.gov. any
www.socialsecurity.gov.
CNAME 7 3 60 20120224201936 20120125195419 21905 ssa.gov. XSnBe3L3rTcD2FO778x43NOJaVf2OeMoSN8hBOSJFqfUfXAyH9qE5X1Q +tuRgigLs4qE7Fr40GI7SANxkltYdICJbEfvYikKMDW/hi8wp8mKHYQP SmXRGZz3ZizUaLb1DNTTWePIJDCrwEkZ5oVSEqoaV5xjDnWQ0twwILve I3Q=
psg.com:/usr/home/randy> dig +short @137.200.4.31 www.ssa.gov. any
www.socialsecurity.gov.
CNAME 7 3 60 20120224201936 20120125195419 21905 ssa.gov. XSnBe3L3rTcD2FO778x43NOJaVf2OeMoSN8hBOSJFqfUfXAyH9qE5X1Q +tuRgigLs4qE7Fr40GI7SANxkltYdICJbEfvYikKMDW/hi8wp8mKHYQP SmXRGZz3ZizUaLb1DNTTWePIJDCrwEkZ5oVSEqoaV5xjDnWQ0twwILve I3Q=

psg.com:/usr/home/randy> traceroute 199.173.231.82
traceroute to 199.173.231.82 (199.173.231.82), 64 hops max, 40 byte packets
1 r0.sea.rg.net (147.28.0.4) 0.314 ms 1.224 ms 0.202 ms
2 r1.sea.rg.net (147.28.0.5) 0.340 ms 0.306 ms 0.349 ms
3 sl-gw20-sea-3-2-1.sprintlink.net (144.232.9.61) 0.355 ms 0.305 ms 0.228 ms
4 144.232.3.126 (144.232.3.126) 0.352 ms 0.379 ms 0.353 ms
5 0.xe-11-3-0.BR2.SEA7.ALTER.NET (204.255.168.217) 14.365 ms 1.081 ms 1.075 ms
6 0.ge-2-3-0.XT2.SEA7.ALTER.NET (152.63.104.21) 1.097 ms 1.127 ms 1.082 ms
7 0.ge-1-2-0.XT2.DCA6.ALTER.NET (152.63.40.46) 73.575 ms 73.635 ms 73.528 ms
8 GigabitEthernet7-0-0.GW8.DCA6.ALTER.NET (152.63.40.81) 75.535 ms 75.595 ms 75.545 ms
9 ssa-gw.customer.alter.net (152.179.9.34) 76.652 ms 76.522 ms 76.671 ms
10 * *^C
psg.com:/usr/home/randy> traceroute 137.200.4.30
traceroute to 137.200.4.30 (137.200.4.30), 64 hops max, 40 byte packets
1 r0.sea.rg.net (147.28.0.4) 0.378 ms 0.253 ms 0.332 ms
2 r1.sea.rg.net (147.28.0.5) 0.340 ms 0.394 ms 0.339 ms
3 sl-gw20-sea-3-2-1.sprintlink.net (144.232.9.61) 0.348 ms 0.263 ms 0.214 ms
4 144.232.3.126 (144.232.3.126) 66.830 ms 0.345 ms 0.323 ms
5 0.xe-11-3-0.BR2.SEA7.ALTER.NET (204.255.168.217) 0.977 ms 1.006 ms 1.100 ms
6 0.ge-2-3-0.XT2.SEA7.ALTER.NET (152.63.104.21) 26.587 ms 1.173 ms 1.086 ms
7 0.ge-7-0-0.XL2.RDU1.ALTER.NET (152.63.33.38) 86.052 ms 86.084 ms 86.024 ms
8 POS7-0.GW5.RDU1.ALTER.NET (152.63.35.177) 83.282 ms 83.371 ms 83.145 ms
9 157.130.212.98 (157.130.212.98) 85.254 ms 84.998 ms 85.170 ms
10 137.200.1.123 (137.200.1.123) 92.646 ms 92.727 ms 92.762 ms
11 *^C

so they have a firewall, but i can get there.

but from tokyo

rair.psg.com:/Users/randy> dig +short @199.173.231.82 www.ssa.gov. any
;; connection timed out; no servers could be reached
rair.psg.com:/Users/randy> dig +short @199.173.231.83 www.ssa.gov. any
;; connection timed out; no servers could be reached
rair.psg.com:/Users/randy> dig +short @137.200.4.30 www.ssa.gov. any
;; connection timed out; no servers could be reached
rair.psg.com:/Users/randy> dig +short @137.200.4.31 www.ssa.gov. any
;; connection timed out; no servers could be reached

rair.psg.com:/Users/randy> traceroute 199.173.231.82
traceroute to 199.173.231.82 (199.173.231.82), 64 hops max, 52 byte packets
1 192.168.0.1 (192.168.0.1) 5.528 ms 2.325 ms 2.504 ms
2 tokyo10-f01.flets.2iij.net (210.149.34.66) 6.912 ms 9.912 ms 11.519 ms
3 tokyo10-ntteast1.flets.2iij.net (210.149.34.113) 5.684 ms 5.820 ms 5.621 ms
4 tky001lip21.iij.net (210.149.34.101) 8.553 ms 6.054 ms 6.600 ms
5 tky001bb10.iij.net (58.138.100.217) 5.350 ms 5.412 ms 5.058 ms
6 tky001bf00.iij.net (58.138.80.1) 11.748 ms
    tky001bf01.iij.net (58.138.80.5) 5.268 ms 7.389 ms
7 sjc002bf01.iij.net (216.98.96.62) 104.972 ms
    sjc002bf02.iij.net (206.132.169.109) 106.686 ms
    sjc002bf01.iij.net (216.98.96.62) 105.618 ms
8 sjc002bb10.iij.net (206.132.169.2) 126.691 ms
    sjc002bb10.iij.net (206.132.169.6) 134.246 ms
    sjc002bb10.iij.net (206.132.169.10) 108.460 ms
9 gigabitethernet1-1.gw2.sjc7.alter.net (152.179.48.1) 110.772 ms 109.116 ms 114.488 ms
10 0.so-0-0-1.xl4.sjc7.alter.net (152.63.51.50) 102.308 ms 106.149 ms 109.410 ms
11 0.so-7-3-0.xt2.dca6.alter.net (152.63.0.245) 187.469 ms 183.993 ms 194.484 ms
12 gigabitethernet7-0-0.gw8.dca6.alter.net (152.63.40.81) 259.830 ms 234.873 ms 186.634 ms
13 * * *
^C
rair.psg.com:/Users/randy> traceroute 137.200.4.30
traceroute to 137.200.4.30 (137.200.4.30), 64 hops max, 52 byte packets
1 192.168.0.1 (192.168.0.1) 10.197 ms 1.979 ms 4.218 ms
2 tokyo10-f01.flets.2iij.net (210.149.34.66) 9.268 ms 6.284 ms 6.184 ms
3 tokyo10-ntteast1.flets.2iij.net (210.149.34.113) 5.913 ms 10.127 ms 6.532 ms
4 tky001lip21.iij.net (210.149.34.101) 7.983 ms 6.036 ms 6.199 ms
5 tky001bb10.iij.net (58.138.100.217) 5.774 ms 21.691 ms 7.265 ms
6 tky001bf01.iij.net (58.138.80.5) 9.906 ms
    tky008bf00.iij.net (58.138.80.9) 8.371 ms
    tky001bf01.iij.net (58.138.80.5) 5.930 ms
7 sjc002bf00.iij.net (216.98.96.186) 117.184 ms 113.652 ms
    sjc002bf01.iij.net (216.98.96.62) 104.728 ms
8 sjc002bb10.iij.net (206.132.169.10) 114.864 ms
    sjc002bb10.iij.net (206.132.169.6) 111.701 ms
    sjc002bb10.iij.net (206.132.169.10) 142.274 ms
9 gigabitethernet1-1.gw2.sjc7.alter.net (152.179.48.1) 123.611 ms 115.159 ms 112.298 ms
10 0.so-0-0-1.xl4.sjc7.alter.net (152.63.51.50) 111.010 ms 104.429 ms 108.738 ms
11 0.so-1-2-0.xl2.rdu1.alter.net (152.63.27.38) 349.150 ms 209.448 ms 207.871 ms
12 pos7-0.gw5.rdu1.alter.net (152.63.35.177) 222.413 ms 208.135 ms 269.150 ms
13 * *^C

and, i noticed the problem because i can not get to the web site at
http://www.ssa.gov/ from tokyo.

randy
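An added example, not part of any post in this thread: it compares the tail of the two traceroutes to 199.173.231.82 quoted above and reports the first device that answers the Seattle source but not the Tokyo one. The function names (`hops`, `last_hop`, `first_silent_for`) are made up for this illustration.

```shell
#!/bin/sh
# Added example: compare where two traceroutes to the same target stop answering.

# Print "hop ip host" for every hop line that carries a reply (skips "* * *").
hops() {
  awk '$1 ~ /^[0-9]+$/ && $3 ~ /^\(.*\)$/ {
         ip = $3; gsub(/[()]/, "", ip); print $1, ip, tolower($2) }'
}

# Last hop that answered at all.
last_hop() { hops | tail -n 1; }

# Given a working trace ($1) and a failing trace ($2), print the hop of the
# working trace that follows the failing trace's last responder, i.e. the
# first device that answers one source but not the other.
first_silent_for() {
  last_ip=$(printf '%s\n' "$2" | last_hop | awk '{print $2}')
  printf '%s\n' "$1" | hops |
    awk -v ip="$last_ip" 'found { print; exit } $2 == ip { found = 1 }'
}

# Tail of the two traces to 199.173.231.82 quoted in the thread above.
SEATTLE='
 7 0.ge-1-2-0.XT2.DCA6.ALTER.NET (152.63.40.46) 73.575 ms 73.635 ms 73.528 ms
 8 GigabitEthernet7-0-0.GW8.DCA6.ALTER.NET (152.63.40.81) 75.535 ms 75.595 ms 75.545 ms
 9 ssa-gw.customer.alter.net (152.179.9.34) 76.652 ms 76.522 ms 76.671 ms
10 * *^C'
TOKYO='
11 0.so-7-3-0.xt2.dca6.alter.net (152.63.0.245) 187.469 ms 183.993 ms 194.484 ms
12 gigabitethernet7-0-0.gw8.dca6.alter.net (152.63.40.81) 259.830 ms 234.873 ms 186.634 ms
13 * * *
^C'

printf 'seattle last reply:   %s\n' "$(printf '%s\n' "$SEATTLE" | last_hop)"
printf 'tokyo last reply:     %s\n' "$(printf '%s\n' "$TOKYO" | last_hop)"
printf 'answers seattle only: %s\n' "$(first_silent_for "$SEATTLE" "$TOKYO")"
```

Both paths converge on the same alter.net router (152.63.40.81), and the difference begins at the next hop. A silent hop only shows that probes or their replies are being dropped there, not why.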

It's not an uncommon (although I would agree it is ill-advised) practice for some
web sites that think they cater only to an audience in a particular geography
to block access outside of that geography. I ran across this when my credit
union would not let me connect to their web server from S. Korea.

However, I took it up with the credit union rather than NANOG. Is there a
reason you bring this up here instead of with the SSA?

Owen

> and, i noticed the problem because i can not get to the web site at
> http://www.ssa.gov/ from tokyo.

Lots of .gov web sites are not available outside (at least what
somebody thinks is outside) the US.

  jaap

> Lots of .gov web sites are not available outside (at least what
> somebody thinks is outside) the US.

it turns out to be local to my net segment ip space, we think. it is
reachable from other networks in japan and even at least two other
segments in iij.

still debugging

randy

Just tested:
Lebanon, Greece, Saudi Arabia, Netherlands, Germany - all is fine

> and, i noticed the problem because i can not get to the web site at
> http://www.ssa.gov/ from tokyo.
>
> Lots of .gov web sites are not available outside (at least what
> somebody thinks is outside) the US.
>
> jaap
> Just tested:
> Lebanon, Greece, Saudi Arabia, Netherlands, Germany - all is fine

As is Australia. I suspect it is just a "normal" snafu.

most likely this is a case of someone on the same /24 (or larger
supernet) where randy's machine lives at home 'hacked' (or port
scanned, or was used in a synflood or .... you get the point) one of
several US .gov assets :( 'eventually' that supernet should be removed
from filters.

-chris
weeee!