backbones filtering unsanctioned sites

https://torrentfreak.com/internet-backbone-provider-cogent-blocks-pirate-bay-and-other-pirate-sites-170209/

/kc

Strange indeed.. but they forgot to ban it on IPv6 - maybe they're trying to push IPv6 adoption!

Banning any Cloudflare hosted sites by IP is particularly ineffective because it doesn't really matter which cloudflare IP you connect to as long as you present the right SNI name and HTTP Host header.. basically just add www.thepiratebay.org to your hosts file and point it at any other cloudflare IP.. like they banned 104.31.18.30 so change it to 104.31.18.31 and ban evaded.

Rob
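To make Rob's point concrete, here is an added example (not code from the thread or from anyone quoted in it) that separates the three values an IP-based block conflates: the address the TCP socket connects to, the TLS SNI name, and the HTTP Host header. The hostname and the two IPs are the ones quoted above; the `fetch_via` call needs network access, while `build_request`, `parse_status` and `hosts_override` are pure helpers. Whether a given Cloudflare edge IP will actually serve the hostname is an assumption taken from Rob's message, not something the example checks.

```python
"""Added example: connect to one Cloudflare edge IP while presenting a
different hostname as SNI and Host. Hostname/IPs are those quoted in the
thread; that any neighbouring edge IP serves the same site is Rob's claim,
assumed here."""
import socket
import ssl

HOSTNAME = "www.thepiratebay.org"   # hostname from the thread
BANNED_IP = "104.31.18.30"           # /32 the thread says Cogent blackholed
ALTERNATE_IP = "104.31.18.31"        # neighbouring edge IP suggested in the thread


def build_request(hostname: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 GET whose Host header is independent of the socket address."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hostname}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(status_line: bytes) -> int:
    """b'HTTP/1.1 200 OK\\r\\n' -> 200"""
    parts = status_line.decode("ascii", "replace").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def hosts_override(ip: str, hostname: str) -> str:
    """The hosts-file line Rob describes: pins the hostname to another edge IP,
    so an unmodified browser ends up doing what fetch_via does explicitly."""
    return f"{ip}\t{hostname}"


def fetch_via(connect_ip: str, hostname: str, path: str = "/", timeout: float = 10.0) -> int:
    """Dial connect_ip:443, but present `hostname` as SNI and as Host.

    Certificate verification stays on: the edge returns a certificate valid for
    `hostname`, and Python checks it against server_hostname, not the IP dialled.
    Returns the HTTP status code. Requires network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:  # SNI = hostname
            tls.sendall(build_request(hostname, path))               # Host = hostname
            status_line = b""
            while not status_line.endswith(b"\r\n"):
                chunk = tls.recv(1)
                if not chunk:
                    raise ConnectionError("connection closed before status line")
                status_line += chunk
    return parse_status(status_line)


if __name__ == "__main__":
    print(hosts_override(ALTERNATE_IP, HOSTNAME))
    try:
        print(HOSTNAME, "via", ALTERNATE_IP, "->", fetch_via(ALTERNATE_IP, HOSTNAME))
    except OSError as exc:
        print("network error:", exc)
```

The same decoupling is why a /32 blackhole hits every hostname sharing that edge IP (the collateral damage raised later in the thread) while leaving the targeted hostname reachable from any other edge IP.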

Internet Backbone Provider Cogent Blocks Pirate Bay and other "Pirate" Sites * TorrentFreak
blocks-pirate-bay-and-other-pirate-sites-170209/

/kc

  >Strange indeed.. but they forgot to ban it on IPv6 - maybe they're trying
  >to push IPv6 adoption!

ha, you are hilarious.

  >Banning any Cloudflare hosted sites by IP is particularly ineffective
  >because it doesn't really matter which cloudflare IP you connect to as long
  >as you present the right SNI name and HTTP Host header.. basically just add
  >www.thepiratebay.org to your hosts file and point it at any other
  >cloudflare IP.. like they banned 104.31.18.30 so change it to 104.31.18.31
  >and ban evaded.

isn't any 'copyright driven' censorship move really just a half-a$$ed move
anyway? it's all about knocking out 90% of the users? ALL of these
restrictions can be avoided if you can encap around, or
fix-your-local-resolver, or ... which 90% of the people just won't do...

Funny. Someone else got back:

"Abuse cannot not provide you a list of websites that may be encountering reduced visibility via Cogent"

I almost wish I had a Cogent circuit just to bring this up with an account rep. Almost.

I'd very much so view this as a contractual violation on Cogent's part.

Cogent keeps contacting me every year wanting to sell me service. This will be a good one to bring up when they call me next time.

Have we determined that this is intentional vs. some screw up?

This looks pretty intentional to me. From
http://www.cogentco.com/en/network/looking-glass:

BGP routing table entry for 104.31.18.30/32, version 611495773
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Local
    10.255.255.255 (metric 10177050) from 154.54.66.21 (154.54.66.21)
      Origin IGP, metric 0, localpref 150, valid, internal, best
      Community: 174:990 174:20912 174:21001
      Originator: 66.28.1.228, Cluster list: 154.54.66.21, 66.28.1.9

BGP routing table entry for 104.31.19.30/32, version 611495772
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Local
    10.255.255.255 (metric 10177050) from 154.54.66.21 (154.54.66.21)
      Origin IGP, metric 0, localpref 150, valid, internal, best
      Community: 174:990 174:20912 174:21001
      Originator: 66.28.1.228, Cluster list: 154.54.66.21, 66.28.1.9

Call it a "hunch" but I doubt 10.255.255.255 is a valid next-hop router.
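An added example (not from the thread or from Cogent) that turns the "hunch" above into a check: it parses looking-glass output of the form quoted, flags any entry whose next-hop cannot be a real router and that is a more-specific of another prefix in the table, and does the longest-prefix match a router would do so you can see which entry actually attracts traffic for a given address. The first entry in the sample is the one quoted above; the second, a covering /20 with AS path 13335 and next-hop 38.20.56.9, is constructed for illustration (Cogent's real /20 entry is not shown in the thread). `BLACKHOLE_SERVER` is the originator address the thread identifies as Cogent's blackhole route-server.

```python
"""Added example: detect blackhole /32s in Cisco-style looking-glass output.
The /32 entry is the one quoted in the thread; the /20 entry is constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

BLACKHOLE_SERVER = ipaddress.ip_address("66.28.1.228")  # per the thread

SAMPLE_LG_OUTPUT = """\
BGP routing table entry for 104.31.18.30/32, version 611495773
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Local
    10.255.255.255 (metric 10177050) from 154.54.66.21 (154.54.66.21)
      Origin IGP, metric 0, localpref 150, valid, internal, best
      Community: 174:990 174:20912 174:21001
      Originator: 66.28.1.228, Cluster list: 154.54.66.21, 66.28.1.9

BGP routing table entry for 104.31.16.0/20, version 600000001
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  13335
    38.20.56.9 (metric 1000) from 154.54.66.21 (154.54.66.21)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Community: 174:21001
"""  # second entry constructed for illustration


@dataclass
class BgpEntry:
    prefix: ipaddress.IPv4Network
    as_path: list[int]                      # [] for "Local" (locally originated)
    next_hop: ipaddress.IPv4Address
    localpref: Optional[int] = None
    communities: list[str] = field(default_factory=list)
    originator: Optional[ipaddress.IPv4Address] = None


ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+),", re.M)
ASPATH_RE = re.compile(r"^Paths:.*\n[ \t]+(Local|[\d ]+)$", re.M)
NEXTHOP_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+) \(metric \d+\) from", re.M)
LOCALPREF_RE = re.compile(r"localpref (\d+)")
COMMUNITY_RE = re.compile(r"^\s+Community: (.+)$", re.M)
ORIGINATOR_RE = re.compile(r"^\s+Originator: (\S+),", re.M)


def parse_looking_glass(text: str) -> list[BgpEntry]:
    """Split the output into entries and pull out the fields we care about."""
    entries: list[BgpEntry] = []
    for block in re.split(r"\n(?=BGP routing table entry)", text.strip()):
        m, nh = ENTRY_RE.search(block), NEXTHOP_RE.search(block)
        if not m or not nh:
            continue  # not a complete entry; skip rather than guess
        path_m = ASPATH_RE.search(block)
        path = [] if not path_m or path_m.group(1) == "Local" \
            else [int(a) for a in path_m.group(1).split()]
        lp, comm, orig = (LOCALPREF_RE.search(block), COMMUNITY_RE.search(block),
                          ORIGINATOR_RE.search(block))
        entries.append(BgpEntry(
            prefix=ipaddress.ip_network(m.group(1)),
            as_path=path,
            next_hop=ipaddress.ip_address(nh.group(1)),
            localpref=int(lp.group(1)) if lp else None,
            communities=comm.group(1).split() if comm else [],
            originator=ipaddress.ip_address(orig.group(1)) if orig else None,
        ))
    return entries


def is_unroutable_next_hop(addr: ipaddress.IPv4Address) -> bool:
    """RFC 1918, loopback, reserved or 0.0.0.0 can never be a transit router."""
    return addr.is_private or addr.is_loopback or addr.is_reserved or addr.is_unspecified


def blackholed(entries: list[BgpEntry]) -> list[BgpEntry]:
    """Entries with a bogus next-hop that are more specific than another entry:
    the covering prefix keeps attracting traffic, the more-specific drops it."""
    hits = []
    for e in entries:
        covered = any(o is not e and e.prefix != o.prefix and e.prefix.subnet_of(o.prefix)
                      for o in entries)
        if is_unroutable_next_hop(e.next_hop) and (covered or e.prefix.prefixlen == 32):
            hits.append(e)
    return hits


def lookup(entries: list[BgpEntry], ip: str) -> Optional[BgpEntry]:
    """Longest-prefix match, as the forwarding plane does it."""
    addr = ipaddress.ip_address(ip)
    return max((e for e in entries if addr in e.prefix),
               key=lambda e: e.prefix.prefixlen, default=None)


if __name__ == "__main__":
    table = parse_looking_glass(SAMPLE_LG_OUTPUT)
    for e in blackholed(table):
        print(f"blackhole: {e.prefix} -> {e.next_hop} originator={e.originator} "
              f"from_blackhole_server={e.originator == BLACKHOLE_SERVER}")
    for ip in ("104.31.18.30", "104.31.18.31"):
        print(ip, "->", lookup(table, ip).prefix, lookup(table, ip).next_hop)
```

Run against the sample, the /32 is flagged (next-hop 10.255.255.255, originator 66.28.1.228) while the neighbouring address 104.31.18.31 falls through to the covering /20. That is also the check to run before telling a customer it is "an outage": a more-specific with an RFC 1918 next-hop from the blackhole route-server is configuration, not a fat-fingered interface.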

Never attribute to malice that which is adequately explained by stupidity?

  >"Abuse cannot not provide you a list of websites that may be encountering
  >reduced visibility via Cogent"

They could, if they kept a list of forward lookups they had done to get IPs
that ended up in their blacklists. But just having the IPs it's impossible to
get the whole list of possible hostnames that point at it (reverse records are
singular, and often missing).

Nonetheless, it'd be nice to know how a single IP got onto the list - and what
Cogent's doing about situations where multiple other hostnames map onto the
same ip.

I have clients that are Cogent customers, I'd just like to get informed before
I bring the hammer down.

/kc

Cogent also have a blackhole route-server that they will provide to you to
announce /32's for blackholing.

The address for this is 66.28.1.228 which is the originator for the
104.31.19.30/32 and 104.31.18.30/32 routes.

  >Have we determined that this is intentional vs. some screw up?

if you look at the cogent LG it's pretty clear that they announce
reachability for the /20 that includes the tpb /32.. and that the /32 is
particularly routed elsewhere, and that the 'elsewhere' is coming from a
bgp speaker whose DNS says something along the lines of: "blackhole"...

so... err, either someone fat-fingered OR intentionally entered a /32 into
the config management system :frowning:

And because they're continuing to announce the /20, we run into their
blackhole unless we manually filter that /20. This is going to become
unworkable in short order once a bigger chunk of the internet starts doing
this.

/kc

  >And because they're continuing to announce the /20, we run into their
  >blackhole unless we manually filter that /20. This is going to become
  >unworkable in short order once a bigger chunk of the internet starts doing
  >this.

I bet an answer from cogent here is: "you can always TE around 174"

that's hard for end-users, but the direct customer can certainly do this...
and yea, sucks :frowning:

  >"Abuse cannot not provide you a list of websites that may be
  >encountering reduced visibility via Cogent"

  >They could, if they kept a list of forward lookups they had done to get IPs

i think you mean passive-dns .. which is a thing, and exists.
(mumble (passive total|farsight|deteque|....) mumble)

  >that ended up in their blacklists. But just having the IPs it's impossible
  >to get the whole list of possible hostnames that point at it (reverse records
  >are singular, and often missing).

  >Nonetheless, it'd be nice to know how a single IP got onto the list - and
  >what Cogent's doing about situations where multiple other hostnames map onto
  >the same ip.

it's totally possible that the list here is really just a court-order
addition, right? I can't imagine that there is a cogent employee just evilly
twiddling pens and adding random ips to blacklists...

  >I have clients that are Cogent customers, I'd just like to get informed
  >before I bring the hammer down.

it's worth noting that fairly much every service provider has a provision
like cogent's 'force majeure' clause which includes: '...any law, order,
regulation...'

so it seems safe to assume that there's some court order cogent reacted to
:frowning: we should fight that problem upstream.

If it's not just cogent then we have an even larger issue -- that
there's asymmetric application of rulings. So we should just assume
that if we can't get to something via cogent then all backbones
within the same jurisdiction(*) should or will also have the same sites/ips
blocked soon? And that it wasn't a fat finger/typo/someone forgot to
remove a block? So we're all just waiting for Level 3 to block TPB
too, and we still haven't seen a legal ruling/order anywhere?

* for various values of 'jurisdiction', in a world where all network
operators seeing a technical issue can immediately use their law degrees
to guess at which jurisdiction where, when and for how long, installed the
ban. (AFAICT the ban on TPB @cogent is worldwide.)

/kc

  >it's totally possible that the list here is really just a court-order
  >addition, right? I can't imagine that there is a cogent employee just evilly
  >twiddling pens and adding random ips to blacklists...

  [...]

my experience (admittedly dated a bit) is that the people making the
request really don't know :frowning: they target who they think will fix their
problem... sorta.

good luck fellow travelers!

Since 104.31.19.30 is an anycast IP, is it possible that this isn't
related to PirateBay but more related to Cogent having a dispute with
Cloudflare?

It is counterintuitive for a transit provider to refuse
business/traffic, but then again, Cogent has been involved in
counterintuitive disputes in the past.

I note that this has been going on since last night (at least).

It hasn't been resolved, nor has Cogent issued a statement about it (or
has it ?)

Yup, they do indeed. And for fun, I black-listed one of our IPs, and sure enough, the next-hop shows up as 10.255.255.255, and the communities are the same aside from what appear to be regional things.

Cogent confirmed on the phone that they are the ones who put the blackhole
in place. This is after they closed our ticket twice without response.

Purposely didn't mention a website in the ticket yet they asked on the
phone if it was regarding thepiratebay so they are very aware of this...

So... I doubt CloudFlare allocates one ip per domain served... which means
Cogent customers will be unable to access other CloudFlare proxied sites,
served by this same IP, for a particular geographic zone?

Cogent's best friend to the rescue: http://bgp.he.net/ip/104.31.18.30#_dns

Looks like mostly proxy/torrent sites on that IP address.