Anyone else having trouble reaching thepiratebay.se? AS39138
Phil Bedard
bedard.phil at gmail.com
Thu Nov 27 20:30:46 UTC 2014
It looks like they use different upstream providers for each prefix,
probably hosted in different locations.
The 194.71.107.0/24 prefix on my network was withdrawn by Ataro, and is
now reachable via this path:
194.71.107.0/24 *[BGP/170] 00:04:34
AS path: 3356 3320 3320 24961 24961 24961 24961
39138 22351 131279 51040 I, validation-state: unverified
The 4 minutes isn't really a good thing.
This is the other prefix, via RETN who we also peer with.
194.14.56.0/24 *[BGP/170] 1d 07:15:42, MED 0
AS path: 9002 197595 51040 I
AS 24961 is myLoc.de who could be their hosting provider and may have had
issues with Atrato, who is now Hibernia. Who knows it looks like normal
BGP/Internet issues to me, if you are looking for some kind of conspiracy
nothing is going on.
Phil
From: Javier J <javier at advancedmachines.us>
Date: Thursday, November 27, 2014 at 2:16 PM
To: Phil B <bedard.phil at gmail.com>
Cc: Courtney Smith <courtneysmith at comcast.net>, "nanog at nanog.org"
<nanog at nanog.org>
Subject: Re: Anyone else having trouble reaching thepiratebay.se? AS39138
It was working for me a few hours ago, and now dead at hop 3 on FIOS again.
If they have 2 prefixes being advertised from AS51040
http://bgp.he.net/AS51040#_prefixes Why can I traceroute to 1 but not the
other?
[root at tor-proxy network-scripts]# mtr --report -c 5 194.14.56.1
HOST: tor-proxy.home Loss% Snt Last Avg Best Wrst
StDev
1. pfsense.home 0.0% 5 0.5 1.0 0.4 2.7
1.0
2. L100.NWRKNJ-VFTTP-134.verizo 0.0% 5 1.3 6.0 1.3 20.6
8.3
3. G0-5-3-4.NWRKNJ-LCR-22.veriz 0.0% 5 3.2 4.6 3.2 6.7
1.4
4. ae0-0.NWRK-BB-RTR2.verizon-g 0.0% 5 5.9 8.4 4.9 20.7
6.8
5. ??? 100.0 5 0.0 0.0 0.0 0.0
0.0
6. 0.ae2.BR3.NYC4.ALTER.NET 0.0% 5 6.8 6.7 6.6 6.9
0.1
7. 204.255.169.234 0.0% 5 5.4 5.7 5.2 7.1
0.8
8. ae-2.r23.nycmny01.us.bb.gin. 0.0% 5 6.2 7.1 5.9 11.0
2.2
9. ae-6.r21.frnkge03.de.bb.gin. 60.0% 5 94.5 92.6 90.7 94.5
2.7
10. ae-1.r02.frnkge03.de.bb.gin. 0.0% 5 95.2 94.3 93.1 95.6
1.1
11. 213.198.77.214 0.0% 5 92.7 93.4 92.7 94.1
0.5
12. et030-4.RT.TC1.STO.SE.retn.n 0.0% 5 109.2 109.4 109.0 110.9
0.8
13. GW-ObeNetwork.retn.net 0.0% 5 116.0 190.0 111.1 341.8
100.4
14. moria-cr-3.piratpartiet.se 20.0% 5 110.1 111.6 109.9 116.1
2.9
[root at tor-proxy network-scripts]# mtr --report -c 5 194.71.107.27
HOST: tor-proxy.home Loss% Snt Last Avg Best Wrst
StDev
1. pfsense.home 0.0% 5 0.6 0.4 0.3 0.6
0.1
2. L100.NWRKNJ-VFTTP-134.verizo 0.0% 5 1.4 7.1 1.4 29.1
12.3
3. ??? 100.0 5 0.0 0.0 0.0 0.0
0.0
The site works 100 % fine over vpn or proxy. So I don't think this is
related to any DDOS attack.
On Thu, Nov 27, 2014 at 2:06 PM, Phil Bedard <bedard.phil at gmail.com> wrote:
In the post you quoted it says:
"In my last post I pointed out the do not announce to peers
community AS5580 was sending to Cogent, Level3 and who knows who else. So
any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path
from them."
Verizon, ATT, and the rest of those networks are Tier-1 networks meaning
if 5580 was tagging the route with do-not-advertise to their transit
providers (Level3 & Cogent) the other Tier-1s wouldn't have another route
to it. Looking at routing updates there were a lot of them yesterday for
that prefix, for whatever reason. The lack of reachability was completely
due to Atrato, had nothing to do with the ISPs in the US.
It was reachable for me yesterday on our network, but we peer directly
with Atrato.
It's possible they did it to stop a DDoS, some other kind of attack, or
any number of reasons.
Phil
On 11/27/14, 2:47 PM, "Javier J" <javier at advancedmachines.us> wrote:
>Looks like its working now (on FIOS anyway)
>
>Curious to know why the major networks stopped seeing it yesterday as
>well.
>
>On Thu, Nov 27, 2014 at 12:45 AM, Courtney Smith
><courtneysmith at comcast.net>
>wrote:
>
>>
>> > No problem here in Los Angeles either, but seeing a lone route through
>> Atrato only.
>> >
>> > flags destination gateway lpref med aspath origin
>> > *> 194.71.107.0/24 <> 100 0 3491 5580 39138 22351
>>2.207
>> 51040 i
>> > * 194.71.107.0/24 <> 100 0 174 5580 39138 22351
>> 2.207 51040 i
>> >
>> >
>> > On 11/27/2014 午前 11:24, Tony Wicks wrote:
>> >>
>> >> No problem here in New Zealand
>> >>
>> >> tonyw at vrhost1-w> show route 194.71.107.0/24
>> >>
>> >> icore1-w.inet.0: 519451 destinations, 525214 routes (519437 active,
>>14
>> >> holddown, 0 hidden)
>> >> + = Active Route, - = Last Active, * = Both
>> >>
>> >> 194.71.107.0/24 *[BGP/170] 10:25:44, MED 0, localpref 90
>> >> AS path: 4826 5580 39138 22351 131279 51040 I,
>> >> validation-state: unverified
>> >> > to 175.45.102.9 via ae1.526
>> >>
>>
>> Hopefully the body cones thru this time. The issue isn't city or
>>country
>> based. In my last post I pointed out the do not announce to peers
>> community AS5580 was sending to Cogent, Level3 and who knows who else.
>> So
>> any ASN that is not a customer of Cogent or Level3 wont learn the 5580
>>path
>> from them.
>>
>> When I checked a few hours ago, Comcast, Centurylink, AT&T, TATA, and
>> possibly Sprint were not seeing the /24 based on their public looking
>> glasses or route servers. Have not had time to run bgplay to see if
>> routeviews data shows how they previously saw the /24 in past 30 days.
>> Finding the ASN(s) they used to see from would shed light on why they
>> stopped seeing. Checking bgplay and contacting AS51040 to reach out to
>> their upstreams is my suggestion.
More information about the NANOG
mailing list