Anyone else having trouble reaching thepiratebay.se? AS39138

Phil Bedard bedard.phil at gmail.com
Thu Nov 27 20:30:46 UTC 2014


It looks like they use different upstream providers for each prefix, 
probably hosted in different locations.  

The 194.71.107.0/24 prefix on my network was withdrawn by Ataro, and is 
now reachable via this path:  

194.71.107.0/24    *[BGP/170] 00:04:34
                      AS path: 3356 3320 3320 24961 24961 24961 24961 
39138 22351 131279 51040 I, validation-state: unverified

The 4 minutes isn't really a good thing.  

This is the other prefix, via RETN who we also peer with.  

194.14.56.0/24     *[BGP/170] 1d 07:15:42, MED 0
                      AS path: 9002 197595 51040 I

AS 24961 is myLoc.de who could be their hosting provider and may have had 
issues with Atrato, who is now Hibernia.   Who knows it looks like normal 
BGP/Internet issues to me, if you are looking for some kind of conspiracy 
nothing is going on.  


Phil 

From:  Javier J <javier at advancedmachines.us>
Date:  Thursday, November 27, 2014 at 2:16 PM
To:  Phil B <bedard.phil at gmail.com>
Cc:  Courtney Smith <courtneysmith at comcast.net>, "nanog at nanog.org" 
<nanog at nanog.org>
Subject:  Re: Anyone else having trouble reaching thepiratebay.se? AS39138

It was working for me a few hours ago, and now dead at hop 3 on FIOS again.

If they have 2 prefixes being advertised from AS51040  
http://bgp.he.net/AS51040#_prefixes  Why can I traceroute to 1 but not the 
other?

[root at tor-proxy network-scripts]# mtr --report -c 5 194.14.56.1
HOST: tor-proxy.home              Loss%   Snt   Last   Avg  Best  Wrst 
StDev
  1. pfsense.home                  0.0%     5    0.5   1.0   0.4   2.7   
1.0
  2. L100.NWRKNJ-VFTTP-134.verizo  0.0%     5    1.3   6.0   1.3  20.6   
8.3
  3. G0-5-3-4.NWRKNJ-LCR-22.veriz  0.0%     5    3.2   4.6   3.2   6.7   
1.4
  4. ae0-0.NWRK-BB-RTR2.verizon-g  0.0%     5    5.9   8.4   4.9  20.7   
6.8
  5. ???                          100.0     5    0.0   0.0   0.0   0.0   
0.0
  6. 0.ae2.BR3.NYC4.ALTER.NET      0.0%     5    6.8   6.7   6.6   6.9   
0.1
  7. 204.255.169.234               0.0%     5    5.4   5.7   5.2   7.1   
0.8
  8. ae-2.r23.nycmny01.us.bb.gin.  0.0%     5    6.2   7.1   5.9  11.0   
2.2
  9. ae-6.r21.frnkge03.de.bb.gin. 60.0%     5   94.5  92.6  90.7  94.5   
2.7
 10. ae-1.r02.frnkge03.de.bb.gin.  0.0%     5   95.2  94.3  93.1  95.6   
1.1
 11. 213.198.77.214                0.0%     5   92.7  93.4  92.7  94.1   
0.5
 12. et030-4.RT.TC1.STO.SE.retn.n  0.0%     5  109.2 109.4 109.0 110.9   
0.8
 13. GW-ObeNetwork.retn.net        0.0%     5  116.0 190.0 111.1 341.8 
100.4
 14. moria-cr-3.piratpartiet.se   20.0%     5  110.1 111.6 109.9 116.1   
2.9


[root at tor-proxy network-scripts]# mtr --report -c 5 194.71.107.27
HOST: tor-proxy.home              Loss%   Snt   Last   Avg  Best  Wrst 
StDev
  1. pfsense.home                  0.0%     5    0.6   0.4   0.3   0.6   
0.1
  2. L100.NWRKNJ-VFTTP-134.verizo  0.0%     5    1.4   7.1   1.4  29.1  
12.3
  3. ???                          100.0     5    0.0   0.0   0.0   0.0   
0.0


The site works 100 % fine over vpn or proxy. So I don't think this is 
related to any DDOS attack.




On Thu, Nov 27, 2014 at 2:06 PM, Phil Bedard <bedard.phil at gmail.com> wrote:
In the post you quoted it says:

"In my last post I pointed out the do not announce to peers
community AS5580 was sending to Cogent, Level3 and who knows who else. So
any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path
from them."

Verizon, ATT, and the rest of those networks are Tier-1 networks meaning
if 5580 was tagging the route with do-not-advertise to their transit
providers (Level3 & Cogent) the other Tier-1s wouldn't have another route
to it.  Looking at routing updates there were a lot of them yesterday for
that prefix, for whatever reason.  The lack of reachability was completely
due to Atrato, had nothing to do with the ISPs in the US.

It was reachable for me yesterday on our network, but we peer directly
with Atrato.

It's possible they did it to stop a DDoS, some other kind of attack, or
any number of reasons.

Phil






On 11/27/14, 2:47 PM, "Javier J" <javier at advancedmachines.us> wrote:

>Looks like its working now (on FIOS anyway)
>
>Curious to know why the major networks stopped seeing it yesterday as
>well.
>
>On Thu, Nov 27, 2014 at 12:45 AM, Courtney Smith
><courtneysmith at comcast.net>
>wrote:
>
>>
>> > No problem here in Los Angeles either, but seeing a lone route through
>> Atrato only.
>> >
>> > flags destination          gateway          lpref   med aspath origin
>> > *>    194.71.107.0/24      <>     100     0 3491 5580 39138 22351
>>2.207
>> 51040 i
>> > *     194.71.107.0/24      <>       100     0 174 5580 39138 22351
>> 2.207 51040 i
>> >
>> >
>> > On 11/27/2014 午前 11:24, Tony Wicks wrote:
>> >>
>> >> No problem here in New Zealand
>> >>
>> >> tonyw at vrhost1-w> show route 194.71.107.0/24
>> >>
>> >> icore1-w.inet.0: 519451 destinations, 525214 routes (519437 active,
>>14
>> >> holddown, 0 hidden)
>> >> + = Active Route, - = Last Active, * = Both
>> >>
>> >> 194.71.107.0/24    *[BGP/170] 10:25:44, MED 0, localpref 90
>> >>                        AS path: 4826 5580 39138 22351 131279 51040 I,
>> >> validation-state: unverified
>> >>                      > to 175.45.102.9 via ae1.526
>> >>
>>
>> Hopefully the body cones thru this time.  The issue isn't city or
>>country
>> based.  In my last post I pointed out the do not announce to peers
>> community AS5580 was sending to Cogent, Level3 and who knows who else.
>> So
>> any ASN that is not a customer of Cogent or Level3 wont learn the 5580
>>path
>> from them.
>>
>> When I checked a few hours ago, Comcast, Centurylink, AT&T, TATA, and
>> possibly Sprint were not seeing the /24 based on their public looking
>> glasses or route servers.  Have not had time to run bgplay  to see if
>> routeviews data shows how they previously saw the /24 in past 30 days.
>> Finding the ASN(s) they used to see from would shed light on why they
>> stopped seeing.   Checking bgplay and contacting AS51040 to reach out to
>> their upstreams is my suggestion.





More information about the NANOG mailing list