antisocial security

Owen DeLong owen at delong.com
Thu Feb 2 04:54:17 UTC 2012


It's not uncommon (although I would agree it is ill advised) practice for some
web sites that think they cater only to an audience in a particular geography
to block access outside of that geography. I ran across this when my credit
union would not let me connect to their web server from S. Korea.

However, I took it up with the credit union rather than NANOG. Is there a
reason you bring this up here instead of with the SSA?

Owen

On Feb 1, 2012, at 7:53 PM, Randy Bush wrote:

> from a stateside host
> 
> psg.com:/usr/home/randy> dig ssa.gov. ns
> 
> ; <<>> DiG 9.4.3-P2 <<>> ssa.gov. ns
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37734
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
> 
> ;; QUESTION SECTION:
> ;ssa.gov.                       IN      NS
> 
> ;; ANSWER SECTION:
> ssa.gov.                24370   IN      NS      dns1.ssa.gov.
> ssa.gov.                24370   IN      NS      dns6.ssa.gov.
> ssa.gov.                24370   IN      NS      dns5.ssa.gov.
> ssa.gov.                24370   IN      NS      dns2.ssa.gov.
> 
> ;; ADDITIONAL SECTION:
> dns1.ssa.gov.           34072   IN      A       199.173.231.82
> dns2.ssa.gov.           34073   IN      A       199.173.231.83
> dns5.ssa.gov.           34073   IN      A       137.200.4.30
> dns6.ssa.gov.           34074   IN      A       137.200.4.31
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Feb  2 03:45:15 2012
> ;; MSG SIZE  rcvd: 165
> 
> psg.com:/usr/home/randy> dig +short @199.173.231.82 www.ssa.gov. any
> www.socialsecurity.gov.
> CNAME 7 3 60 20120224201936 20120125195419 21905 ssa.gov. XSnBe3L3rTcD2FO778x43NOJaVf2OeMoSN8hBOSJFqfUfXAyH9qE5X1Q +tuRgigLs4qE7Fr40GI7SANxkltYdICJbEfvYikKMDW/hi8wp8mKHYQP SmXRGZz3ZizUaLb1DNTTWePIJDCrwEkZ5oVSEqoaV5xjDnWQ0twwILve I3Q=
> psg.com:/usr/home/randy> dig +short @199.173.231.83 www.ssa.gov. any
> www.socialsecurity.gov.
> CNAME 7 3 60 20120224201936 20120125195419 21905 ssa.gov. XSnBe3L3rTcD2FO778x43NOJaVf2OeMoSN8hBOSJFqfUfXAyH9qE5X1Q +tuRgigLs4qE7Fr40GI7SANxkltYdICJbEfvYikKMDW/hi8wp8mKHYQP SmXRGZz3ZizUaLb1DNTTWePIJDCrwEkZ5oVSEqoaV5xjDnWQ0twwILve I3Q=
> psg.com:/usr/home/randy> dig +short @137.200.4.30 www.ssa.gov. any
> www.socialsecurity.gov.
> CNAME 7 3 60 20120224201936 20120125195419 21905 ssa.gov. XSnBe3L3rTcD2FO778x43NOJaVf2OeMoSN8hBOSJFqfUfXAyH9qE5X1Q +tuRgigLs4qE7Fr40GI7SANxkltYdICJbEfvYikKMDW/hi8wp8mKHYQP SmXRGZz3ZizUaLb1DNTTWePIJDCrwEkZ5oVSEqoaV5xjDnWQ0twwILve I3Q=
> psg.com:/usr/home/randy> dig +short @137.200.4.31 www.ssa.gov. any
> www.socialsecurity.gov.
> CNAME 7 3 60 20120224201936 20120125195419 21905 ssa.gov. XSnBe3L3rTcD2FO778x43NOJaVf2OeMoSN8hBOSJFqfUfXAyH9qE5X1Q +tuRgigLs4qE7Fr40GI7SANxkltYdICJbEfvYikKMDW/hi8wp8mKHYQP SmXRGZz3ZizUaLb1DNTTWePIJDCrwEkZ5oVSEqoaV5xjDnWQ0twwILve I3Q=
> 
> psg.com:/usr/home/randy> traceroute 199.173.231.82
> traceroute to 199.173.231.82 (199.173.231.82), 64 hops max, 40 byte packets
> 1  r0.sea.rg.net (147.28.0.4)  0.314 ms  1.224 ms  0.202 ms
> 2  r1.sea.rg.net (147.28.0.5)  0.340 ms  0.306 ms  0.349 ms
> 3  sl-gw20-sea-3-2-1.sprintlink.net (144.232.9.61)  0.355 ms  0.305 ms  0.228 ms
> 4  144.232.3.126 (144.232.3.126)  0.352 ms  0.379 ms  0.353 ms
> 5  0.xe-11-3-0.BR2.SEA7.ALTER.NET (204.255.168.217)  14.365 ms  1.081 ms  1.075 ms
> 6  0.ge-2-3-0.XT2.SEA7.ALTER.NET (152.63.104.21)  1.097 ms  1.127 ms  1.082 ms
> 7  0.ge-1-2-0.XT2.DCA6.ALTER.NET (152.63.40.46)  73.575 ms  73.635 ms  73.528 ms
> 8  GigabitEthernet7-0-0.GW8.DCA6.ALTER.NET (152.63.40.81)  75.535 ms  75.595 ms  75.545 ms
> 9  ssa-gw.customer.alter.net (152.179.9.34)  76.652 ms  76.522 ms  76.671 ms
> 10  * *^C
> psg.com:/usr/home/randy> traceroute 137.200.4.30
> traceroute to 137.200.4.30 (137.200.4.30), 64 hops max, 40 byte packets
> 1  r0.sea.rg.net (147.28.0.4)  0.378 ms  0.253 ms  0.332 ms
> 2  r1.sea.rg.net (147.28.0.5)  0.340 ms  0.394 ms  0.339 ms
> 3  sl-gw20-sea-3-2-1.sprintlink.net (144.232.9.61)  0.348 ms  0.263 ms  0.214 ms
> 4  144.232.3.126 (144.232.3.126)  66.830 ms  0.345 ms  0.323 ms
> 5  0.xe-11-3-0.BR2.SEA7.ALTER.NET (204.255.168.217)  0.977 ms  1.006 ms  1.100 ms
> 6  0.ge-2-3-0.XT2.SEA7.ALTER.NET (152.63.104.21)  26.587 ms  1.173 ms  1.086 ms
> 7  0.ge-7-0-0.XL2.RDU1.ALTER.NET (152.63.33.38)  86.052 ms  86.084 ms  86.024 ms
> 8  POS7-0.GW5.RDU1.ALTER.NET (152.63.35.177)  83.282 ms  83.371 ms  83.145 ms
> 9  157.130.212.98 (157.130.212.98)  85.254 ms  84.998 ms  85.170 ms
> 10  137.200.1.123 (137.200.1.123)  92.646 ms  92.727 ms  92.762 ms
> 11  *^C
> 
> so they have a firewall, but i can get there.
> 
> but from tokyo
> 
> rair.psg.com:/Users/randy> dig +short @199.173.231.82 www.ssa.gov. any
> ;; connection timed out; no servers could be reached
> rair.psg.com:/Users/randy> dig +short @199.173.231.83 www.ssa.gov. any
> ;; connection timed out; no servers could be reached
> rair.psg.com:/Users/randy> dig +short @137.200.4.30 www.ssa.gov. any
> ;; connection timed out; no servers could be reached
> rair.psg.com:/Users/randy> dig +short @137.200.4.31 www.ssa.gov. any
> ;; connection timed out; no servers could be reached
> 
> 
> rair.psg.com:/Users/randy> traceroute 199.173.231.82
> traceroute to 199.173.231.82 (199.173.231.82), 64 hops max, 52 byte packets
> 1  192.168.0.1 (192.168.0.1)  5.528 ms  2.325 ms  2.504 ms
> 2  tokyo10-f01.flets.2iij.net (210.149.34.66)  6.912 ms  9.912 ms  11.519 ms
> 3  tokyo10-ntteast1.flets.2iij.net (210.149.34.113)  5.684 ms  5.820 ms  5.621 ms
> 4  tky001lip21.iij.net (210.149.34.101)  8.553 ms  6.054 ms  6.600 ms
> 5  tky001bb10.iij.net (58.138.100.217)  5.350 ms  5.412 ms  5.058 ms
> 6  tky001bf00.iij.net (58.138.80.1)  11.748 ms
>    tky001bf01.iij.net (58.138.80.5)  5.268 ms  7.389 ms
> 7  sjc002bf01.iij.net (216.98.96.62)  104.972 ms
>    sjc002bf02.iij.net (206.132.169.109)  106.686 ms
>    sjc002bf01.iij.net (216.98.96.62)  105.618 ms
> 8  sjc002bb10.iij.net (206.132.169.2)  126.691 ms
>    sjc002bb10.iij.net (206.132.169.6)  134.246 ms
>    sjc002bb10.iij.net (206.132.169.10)  108.460 ms
> 9  gigabitethernet1-1.gw2.sjc7.alter.net (152.179.48.1)  110.772 ms  109.116 ms  114.488 ms
> 10  0.so-0-0-1.xl4.sjc7.alter.net (152.63.51.50)  102.308 ms  106.149 ms  109.410 ms
> 11  0.so-7-3-0.xt2.dca6.alter.net (152.63.0.245)  187.469 ms  183.993 ms  194.484 ms
> 12  gigabitethernet7-0-0.gw8.dca6.alter.net (152.63.40.81)  259.830 ms  234.873 ms  186.634 ms
> 13  * * *
> ^C
> rair.psg.com:/Users/randy> traceroute 137.200.4.30
> traceroute to 137.200.4.30 (137.200.4.30), 64 hops max, 52 byte packets
> 1  192.168.0.1 (192.168.0.1)  10.197 ms  1.979 ms  4.218 ms
> 2  tokyo10-f01.flets.2iij.net (210.149.34.66)  9.268 ms  6.284 ms  6.184 ms
> 3  tokyo10-ntteast1.flets.2iij.net (210.149.34.113)  5.913 ms  10.127 ms  6.532 ms
> 4  tky001lip21.iij.net (210.149.34.101)  7.983 ms  6.036 ms  6.199 ms
> 5  tky001bb10.iij.net (58.138.100.217)  5.774 ms  21.691 ms  7.265 ms
> 6  tky001bf01.iij.net (58.138.80.5)  9.906 ms
>    tky008bf00.iij.net (58.138.80.9)  8.371 ms
>    tky001bf01.iij.net (58.138.80.5)  5.930 ms
> 7  sjc002bf00.iij.net (216.98.96.186)  117.184 ms  113.652 ms
>    sjc002bf01.iij.net (216.98.96.62)  104.728 ms
> 8  sjc002bb10.iij.net (206.132.169.10)  114.864 ms
>    sjc002bb10.iij.net (206.132.169.6)  111.701 ms
>    sjc002bb10.iij.net (206.132.169.10)  142.274 ms
> 9  gigabitethernet1-1.gw2.sjc7.alter.net (152.179.48.1)  123.611 ms  115.159 ms  112.298 ms
> 10  0.so-0-0-1.xl4.sjc7.alter.net (152.63.51.50)  111.010 ms  104.429 ms  108.738 ms
> 11  0.so-1-2-0.xl2.rdu1.alter.net (152.63.27.38)  349.150 ms  209.448 ms  207.871 ms
> 12  pos7-0.gw5.rdu1.alter.net (152.63.35.177)  222.413 ms  208.135 ms  269.150 ms
> 13  * *^C
> 
> and, i noticed the problem because i can not get to the web site at
> http://www.ssa.gov/ from tokyo.
> 
> randy
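
An added example, not part of the original thread: a small parser for traceroute transcripts like the ones quoted above, which compares a working vantage point with a blocked one and reports the last hop the blocked side heard from and the hop that follows it on the working path. The function names are hypothetical, and the sample input is excerpted from the quoted traces to 199.173.231.82 with earlier hops omitted.

```python
import re

HOP = re.compile(r"^(\d+)\s+\S")                     # line that starts a new hop
ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(a.b.c.d)" of a replying router

# Excerpts from the quoted traces to 199.173.231.82 (earlier hops omitted).
STATESIDE = """\
traceroute to 199.173.231.82 (199.173.231.82), 64 hops max, 40 byte packets
 8  GigabitEthernet7-0-0.GW8.DCA6.ALTER.NET (152.63.40.81)  75.535 ms  75.595 ms  75.545 ms
 9  ssa-gw.customer.alter.net (152.179.9.34)  76.652 ms  76.522 ms  76.671 ms
10  * *^C
"""
TOKYO = """\
traceroute to 199.173.231.82 (199.173.231.82), 64 hops max, 52 byte packets
 8  sjc002bb10.iij.net (206.132.169.2)  126.691 ms
    sjc002bb10.iij.net (206.132.169.6)  134.246 ms
    sjc002bb10.iij.net (206.132.169.10)  108.460 ms
11  0.so-7-3-0.xt2.dca6.alter.net (152.63.0.245)  187.469 ms  183.993 ms  194.484 ms
12  gigabitethernet7-0-0.gw8.dca6.alter.net (152.63.40.81)  259.830 ms  234.873 ms  186.634 ms
13  * * *
"""

def responding_hops(transcript):
    """Return [(hop_number, [ips])] for every hop that answered at least once."""
    hops, current = {}, None
    for raw in transcript.splitlines():
        line = raw.lstrip("> ")              # tolerate mail quoting and indentation
        if line.startswith("traceroute to"):
            continue                         # header also carries "(ip)"; skip it
        m = HOP.match(line)
        if m:
            current = int(m.group(1))        # otherwise a continuation of the same hop
        for ip in ADDR.findall(line):
            if current is not None and ip not in hops.setdefault(current, []):
                hops[current].append(ip)
    return sorted(hops.items())

def stall_point(working, blocked):
    """Locate where the blocked trace goes silent relative to the working one."""
    ok, bad = responding_hops(working), responding_hops(blocked)
    if not bad:
        return None                          # nothing answered at all
    hop_no, ips = bad[-1]
    nxt = None
    for i, (_, seen) in enumerate(ok[:-1]):
        if set(seen) & set(ips):
            nxt = ok[i + 1][1][0]            # first device only the working side hears
    return {"last_seen": ips[0], "blocked_hop": hop_no, "next_in_working": nxt}
```

The hop reported as `next_in_working` is where probes from the blocked vantage point, or the replies to them, stop getting through; traceroute alone cannot tell which direction is being dropped.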




