Verizon AS701 blocking Tor consensus server tor26 (86.59.21.38)
Hi tor-relays mailing list, I have noticed that the Tor consensus server tor26 (https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90...) is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless. I can confirm this on FiOS, but I don't use Verizon Wireless (my smartphone uses Sprint) so I can't test it there. A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn apartment shows this is filtered on Verizon's backbone: neel@xb2:~ % traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 1.128 ms 0.780 ms 0.613 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.001 ms 3.632 ms 0.900 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 2.291 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 3.172 ms 4.046 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * ^C neel@xb2:~ % In a normal traceroute, you will see ALTER.NET at hop 5. Also, the subnet 86.59.21.0/24 is not filtered on UUNET. A traceroute to 86.59.21.1 works: neel@xb2:~ % traceroute 86.59.21.1 traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 0.863 ms 0.757 ms 0.579 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.010 ms 1.545 ms 1.034 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 3.616 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 5.696 ms 10.062 ms 4 * * * 5 0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127) 3.492 ms 3.506 ms 2.996 ms 6 204.255.168.118 (204.255.168.118) 8.462 ms 7.479 ms 7.252 ms 7 144.232.4.84 (144.232.4.84) 5.041 ms 4.688 ms sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165) 71.865 ms 8 sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181) 72.214 ms 73.579 ms 72.339 ms 9 213.206.129.142 (213.206.129.142) 81.390 ms sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139) 85.854 ms 93.238 ms 10 217.149.47.46 (217.149.47.46) 79.004 ms 85.669 ms 79.392 ms 11 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 86.507 ms 78.374 ms 77.740 ms 12 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 79.642 ms 77.926 ms 81.515 ms 13 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 105.400 ms 105.089 ms 109.751 ms 14 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 122.716 ms 110.820 ms 114.354 ms 15 86.59.21.1 (86.59.21.1) 106.389 ms * 105.379 ms neel@xb2:~ % I got in contact with Peter Palfrader and he says he couldn't help, and also with Verizon FiOS support and they said the filtering 'isn't on Verizon's network' (read: isn't on Verizon's internal FiOS network but still on Verizon's AS701 which I have to go to to get anywhere on the Internet here). I know that this IP could have been blackholed, and you may think that if Verizon is blocking it, then isn't Level 3 or Cogent? Well, Cogent doesn't block tor26: traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets 1 gi0-1-1-19.5.agr21.jfk02.atlas.cogentco.com (66.28.3.113) 0.727 ms 0.727 ms 2 be2605.ccr41.jfk02.atlas.cogentco.com (154.54.1.153) 2.177 ms be2606.ccr42.jfk02.atlas.cogentco.com (154.54.2.29) 0.734 ms 3 be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 68.557 ms be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186) 70.829 ms 4 be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 74.570 ms be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94) 76.767 ms 5 be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241) 74.515 ms 74.612 ms 6 149.6.129.250 (149.6.129.250) 80.758 ms 74.625 ms 7 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 75.421 ms 75.425 ms 8 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 74.516 ms 74.558 ms 9 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 97.605 ms 95.470 ms 10 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 100.314 ms 97.947 ms 11 86.59.118.145 (86.59.118.145) 96.918 ms 98.620 ms 12 tor.noreply.org (86.59.21.38) 97.853 ms 98.110 ms (Source: http://www.cogentco.com/en/network/looking-glass) It could be possible that other Tier 1 networks formerly blocked tor26, and also unblocked, but Verizon was sloppy not to do so. It's also possible that Verizon could be doing it because the FCC repealed Net Neturality, and wants to discourage use of Tor to mine FiOS/VZW customers' browsing habits. But despite a NN repeal I can still access Tor on FiOS, and also run a relay (I do both) because other consensus relays are still unblocked. But if Verizon didn't unblock tor26, could it actually mean that Verizon wants to discourage Tor (and VPN/proxy) use to try to mine information of their customers (and sell ads/information) and direct users to VZ-owned AOL and Yahoo? Well, I hope they were just sloppy and don't mean to wage war on Tor. While I'm not saying you should avoid using anything Verizon at all costs (I certainly wouldn't want to go to the local cable company), I just want to point out a blocked consensus server. Thank You, Neel Chauhan === https://www.neelc.org/
On Tue, May 15, 2018 at 08:12:50PM -0400, Neel Chauhan wrote:
Hi tor-relays mailing list,
I have noticed that the Tor consensus server tor26 (https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90...) is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless. I can confirm this on FiOS, but I don't use Verizon Wireless (my smartphone uses Sprint) so I can't test it there.
A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn apartment shows this is filtered on Verizon's backbone:
Interesting, thanks for noticing this and investigating.
From an Optimum Online connection I can reach tor26:
$ traceroute -n 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets [...] 9 * * * 10 4.69.203.210 87.969 ms 93.582 ms 90.246 ms 11 4.68.110.66 91.896 ms 89.551 ms 87.997 ms 12 130.244.38.232 89.958 ms 94.470 ms 95.286 ms 13 130.244.71.47 132.933 ms 131.108 ms 131.941 ms 14 212.152.189.65 132.910 ms 128.954 ms 149.351 ms 15 86.59.118.145 110.832 ms 111.453 ms 112.767 ms 16 86.59.21.38 116.790 ms 117.539 ms 117.448 ms
In a normal traceroute, you will see ALTER.NET at hop 5. Also, the subnet 86.59.21.0/24 is not filtered on UUNET. A traceroute to 86.59.21.1 works:
I also receive a response from the IP address immediate below tor26's: $ traceroute -n 86.59.21.37 traceroute to 86.59.21.37 (86.59.21.37), 30 hops max, 60 byte packets [...] 9 * * * 10 4.69.203.210 88.174 ms 92.438 ms 92.715 ms 11 4.68.110.66 90.381 ms 89.487 ms 89.491 ms 12 130.244.38.232 92.294 ms 91.150 ms 93.985 ms 13 130.244.71.47 131.010 ms 131.173 ms 131.000 ms 14 212.152.189.65 131.932 ms 130.328 ms 136.155 ms 15 86.59.118.145 261.323 ms 261.824 ms 261.783 ms 16 86.59.21.37 122.162 ms 121.369 ms 118.289 ms
I got in contact with Peter Palfrader and he says he couldn't help, and also with Verizon FiOS support and they said the filtering 'isn't on Verizon's network' (read: isn't on Verizon's internal FiOS network but still on Verizon's AS701 which I have to go to to get anywhere on the Internet here).
Unfortunately, no surprises there. Peter won't have any control over this, and FiOS won't take the blame for this.
But if Verizon didn't unblock tor26, could it actually mean that Verizon wants to discourage Tor (and VPN/proxy) use to try to mine information of their customers (and sell ads/information) and direct users to VZ-owned AOL and Yahoo? Well, I hope they were just sloppy and don't mean to wage war on Tor.
Yeah, either they don't understand how Tor works, or they blocked tor26's IP address for another reason (not because it's a directory authority).
While I'm not saying you should avoid using anything Verizon at all costs (I certainly wouldn't want to go to the local cable company), I just want to point out a blocked consensus server.
It's absolutely something we should keep an eye on, especially in the US as ISPs begin testing the FCC's (reinstated) laissez faire policy. Thanks.
Here is a traceroute from *Verizon Wireless*: $ traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 52 byte packets 1 * * * 2 9.sub-66-174-32.myvzw.com (66.174.32.9) 329.758 ms 57.492 ms 24.798 ms 3 130.sub-69-83-185.myvzw.com (69.83.185.130) 39.733 ms 39.718 ms 37.786 ms 4 50.sub-69-83-184.myvzw.com (69.83.184.50) 39.368 ms 40.511 ms 40.054 ms 5 154.sub-69-83-185.myvzw.com (69.83.185.154) 44.532 ms 34.662 ms 40.481 ms 6 128.sub-69-83-176.myvzw.com (69.83.176.128) 30.812 ms 39.507 ms 37.513 ms 7 240.sub-69-83-163.myvzw.com (69.83.163.240) 44.676 ms 40.649 ms 38.747 ms 8 240.sub-69-83-163.myvzw.com (69.83.163.240) 42.064 ms 38.522 ms 39.267 ms 9 217.sub-66-174-32.myvzw.com (66.174.32.217) 35.631 ms 39.501 ms 40.307 ms 10 * * * I can't get past 66.174.32.217 which is: AS6167 66.174.0.0/16 Cellco Partnership DBA Verizon Wireless --Sina On Tue, May 15, 2018 at 6:01 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
On Tue, May 15, 2018 at 08:12:50PM -0400, Neel Chauhan wrote:
Hi tor-relays mailing list,
I have noticed that the Tor consensus server tor26 (
https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90... )
is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless. I can confirm this on FiOS, but I don't use Verizon Wireless (my smartphone uses Sprint) so I can't test it there.
A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn apartment shows this is filtered on Verizon's backbone:
Interesting, thanks for noticing this and investigating.
From an Optimum Online connection I can reach tor26:
$ traceroute -n 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets [...] 9 * * * 10 4.69.203.210 87.969 ms 93.582 ms 90.246 ms 11 4.68.110.66 91.896 ms 89.551 ms 87.997 ms 12 130.244.38.232 89.958 ms 94.470 ms 95.286 ms 13 130.244.71.47 132.933 ms 131.108 ms 131.941 ms 14 212.152.189.65 132.910 ms 128.954 ms 149.351 ms 15 86.59.118.145 110.832 ms 111.453 ms 112.767 ms 16 86.59.21.38 116.790 ms 117.539 ms 117.448 ms
In a normal traceroute, you will see ALTER.NET at hop 5. Also, the subnet 86.59.21.0/24 is not filtered on UUNET. A traceroute to 86.59.21.1 works:
I also receive a response from the IP address immediate below tor26's:
$ traceroute -n 86.59.21.37 traceroute to 86.59.21.37 (86.59.21.37), 30 hops max, 60 byte packets [...] 9 * * * 10 4.69.203.210 88.174 ms 92.438 ms 92.715 ms 11 4.68.110.66 90.381 ms 89.487 ms 89.491 ms 12 130.244.38.232 92.294 ms 91.150 ms 93.985 ms 13 130.244.71.47 131.010 ms 131.173 ms 131.000 ms 14 212.152.189.65 131.932 ms 130.328 ms 136.155 ms 15 86.59.118.145 261.323 ms 261.824 ms 261.783 ms 16 86.59.21.37 122.162 ms 121.369 ms 118.289 ms
I got in contact with Peter Palfrader and he says he couldn't help, and also with Verizon FiOS support and they said the filtering 'isn't on Verizon's network' (read: isn't on Verizon's internal FiOS network but still on Verizon's AS701 which I have to go to to get anywhere on the Internet here).
Unfortunately, no surprises there. Peter won't have any control over this, and FiOS won't take the blame for this.
But if Verizon didn't unblock tor26, could it actually mean that Verizon wants to discourage Tor (and VPN/proxy) use to try to mine information of their customers (and sell ads/information) and direct users to VZ-owned AOL and Yahoo? Well, I hope they were just sloppy and don't mean to wage war on Tor.
Yeah, either they don't understand how Tor works, or they blocked tor26's IP address for another reason (not because it's a directory authority).
While I'm not saying you should avoid using anything Verizon at all
costs (I
certainly wouldn't want to go to the local cable company), I just want to point out a blocked consensus server.
It's absolutely something we should keep an eye on, especially in the US as ISPs begin testing the FCC's (reinstated) laissez faire policy.
Thanks. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Tue, May 15, 2018 at 08:12:50PM -0400, Neel Chauhan wrote:
Hi tor-relays mailing list,
I have noticed that the Tor consensus server tor26 (https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90...) is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless. I can confirm this on FiOS, but I don't use Verizon Wireless (my smartphone uses Sprint) so I can't test it there.
A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn apartment shows this is filtered on Verizon's backbone:
neel@xb2:~ % traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 1.128 ms 0.780 ms 0.613 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.001 ms 3.632 ms 0.900 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 2.291 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 3.172 ms 4.046 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * ^C neel@xb2:~ %
In a normal traceroute, you will see ALTER.NET at hop 5. Also, the subnet 86.59.21.0/24 is not filtered on UUNET. A traceroute to 86.59.21.1 works:
neel@xb2:~ % traceroute 86.59.21.1 traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 0.863 ms 0.757 ms 0.579 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.010 ms 1.545 ms 1.034 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 3.616 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 5.696 ms 10.062 ms 4 * * * 5 0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127) 3.492 ms 3.506 ms 2.996 ms 6 204.255.168.118 (204.255.168.118) 8.462 ms 7.479 ms 7.252 ms 7 144.232.4.84 (144.232.4.84) 5.041 ms 4.688 ms sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165) 71.865 ms 8 sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181) 72.214 ms 73.579 ms 72.339 ms 9 213.206.129.142 (213.206.129.142) 81.390 ms sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139) 85.854 ms 93.238 ms 10 217.149.47.46 (217.149.47.46) 79.004 ms 85.669 ms 79.392 ms 11 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 86.507 ms 78.374 ms 77.740 ms 12 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 79.642 ms 77.926 ms 81.515 ms 13 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 105.400 ms 105.089 ms 109.751 ms 14 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 122.716 ms 110.820 ms 114.354 ms 15 86.59.21.1 (86.59.21.1) 106.389 ms * 105.379 ms neel@xb2:~ %
I got in contact with Peter Palfrader and he says he couldn't help, and also with Verizon FiOS support and they said the filtering 'isn't on Verizon's network' (read: isn't on Verizon's internal FiOS network but still on Verizon's AS701 which I have to go to to get anywhere on the Internet here).
I know that this IP could have been blackholed, and you may think that if Verizon is blocking it, then isn't Level 3 or Cogent? Well, Cogent doesn't block tor26:
traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets 1 gi0-1-1-19.5.agr21.jfk02.atlas.cogentco.com (66.28.3.113) 0.727 ms 0.727 ms 2 be2605.ccr41.jfk02.atlas.cogentco.com (154.54.1.153) 2.177 ms be2606.ccr42.jfk02.atlas.cogentco.com (154.54.2.29) 0.734 ms 3 be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 68.557 ms be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186) 70.829 ms 4 be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 74.570 ms be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94) 76.767 ms 5 be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241) 74.515 ms 74.612 ms 6 149.6.129.250 (149.6.129.250) 80.758 ms 74.625 ms 7 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 75.421 ms 75.425 ms 8 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 74.516 ms 74.558 ms 9 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 97.605 ms 95.470 ms 10 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 100.314 ms 97.947 ms 11 86.59.118.145 (86.59.118.145) 96.918 ms 98.620 ms 12 tor.noreply.org (86.59.21.38) 97.853 ms 98.110 ms
(Source: http://www.cogentco.com/en/network/looking-glass)
It could be possible that other Tier 1 networks formerly blocked tor26, and also unblocked, but Verizon was sloppy not to do so.
It's also possible that Verizon could be doing it because the FCC repealed Net Neturality, and wants to discourage use of Tor to mine FiOS/VZW customers' browsing habits. But despite a NN repeal I can still access Tor on FiOS, and also run a relay (I do both) because other consensus relays are still unblocked.
But if Verizon didn't unblock tor26, could it actually mean that Verizon wants to discourage Tor (and VPN/proxy) use to try to mine information of their customers (and sell ads/information) and direct users to VZ-owned AOL and Yahoo? Well, I hope they were just sloppy and don't mean to wage war on Tor.
While I'm not saying you should avoid using anything Verizon at all costs (I certainly wouldn't want to go to the local cable company), I just want to point out a blocked consensus server.
I'm seeing the same thing from the greater Baltimore, MD area: traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 172.16.3.1 (172.16.3.1) 0.172 ms 0.162 ms 0.115 ms 2 lo0-100.BLTMMD-VFTTP-323.verizon-gni.net (100.16.216.1) 23.228 ms 7.782 ms 2.901 ms 3 B3323.BLTMMD-LCR-22.verizon-gni.net (100.41.222.240) 2.982 ms B3323.BLTMMD-LCR-21.verizon-gni.net (100.41.222.238) 1.702 ms B3323.BLTMMD-LCR-22.verizon-gni.net (100.41.222.240) 7.756 ms 4 * * * 100.41.222.240 is AS19262. Thanks, -- Shawn Webb Cofounder and Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
My relay exhibits the same results on AS701, MCI Communications Services, Inc. d/b/a Verizon Business https://metrics.torproject.org/rs.html#details/924B24AFA7F075D059E8EEB284CC4... matthew@freedom:~$ traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets 1 lo0-100.RCMDVA-VFTTP-307.verizon-gni.net (96.253.78.1) 4.340 ms 4.297 ms 4.273 ms 2 B3307.RCMDVA-LCR-22.verizon-gni.net (130.81.24.74) 3.854 ms 4.156 ms 8.609 ms 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * * On Tue, May 15, 2018 at 9:18 PM Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
On Tue, May 15, 2018 at 08:12:50PM -0400, Neel Chauhan wrote:
Hi tor-relays mailing list,
I have noticed that the Tor consensus server tor26 ( https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90... ) is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless. I can confirm this on FiOS, but I don't use Verizon Wireless (my smartphone uses Sprint) so I can't test it there.
A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn apartment shows this is filtered on Verizon's backbone:
neel@xb2:~ % traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 1.128 ms 0.780 ms 0.613 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.001 ms 3.632 ms 0.900 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 2.291 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 3.172 ms 4.046 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * ^C neel@xb2:~ %
In a normal traceroute, you will see ALTER.NET at hop 5. Also, the subnet 86.59.21.0/24 is not filtered on UUNET. A traceroute to 86.59.21.1 works:
neel@xb2:~ % traceroute 86.59.21.1 traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 0.863 ms 0.757 ms 0.579 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.010 ms 1.545 ms 1.034 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 3.616 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 5.696 ms 10.062 ms 4 * * * 5 0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127) 3.492 ms 3.506 ms 2.996 ms 6 204.255.168.118 (204.255.168.118) 8.462 ms 7.479 ms 7.252 ms 7 144.232.4.84 (144.232.4.84) 5.041 ms 4.688 ms sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165) 71.865 ms 8 sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181) 72.214 ms 73.579 ms 72.339 ms 9 213.206.129.142 (213.206.129.142) 81.390 ms sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139) 85.854 ms 93.238 ms 10 217.149.47.46 (217.149.47.46) 79.004 ms 85.669 ms 79.392 ms 11 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 86.507 ms 78.374 ms 77.740 ms 12 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 79.642 ms 77.926 ms 81.515 ms 13 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 105.400 ms 105.089 ms 109.751 ms 14 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 122.716 ms 110.820 ms 114.354 ms 15 86.59.21.1 (86.59.21.1) 106.389 ms * 105.379 ms neel@xb2:~ %
I got in contact with Peter Palfrader and he says he couldn't help, and also with Verizon FiOS support and they said the filtering 'isn't on Verizon's network' (read: isn't on Verizon's internal FiOS network but still on Verizon's AS701 which I have to go to to get anywhere on the Internet here).
I know that this IP could have been blackholed, and you may think that if Verizon is blocking it, then isn't Level 3 or Cogent? Well, Cogent doesn't block tor26:
traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets 1 gi0-1-1-19.5.agr21.jfk02.atlas.cogentco.com (66.28.3.113) 0.727 ms 0.727 ms 2 be2605.ccr41.jfk02.atlas.cogentco.com (154.54.1.153) 2.177 ms be2606.ccr42.jfk02.atlas.cogentco.com (154.54.2.29) 0.734 ms 3 be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 68.557 ms be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186) 70.829 ms 4 be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 74.570 ms be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94) 76.767 ms 5 be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241) 74.515 ms 74.612 ms 6 149.6.129.250 (149.6.129.250) 80.758 ms 74.625 ms 7 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 75.421 ms 75.425 ms 8 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 74.516 ms 74.558 ms 9 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 97.605 ms 95.470 ms 10 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 100.314 ms 97.947 ms 11 86.59.118.145 (86.59.118.145) 96.918 ms 98.620 ms 12 tor.noreply.org (86.59.21.38) 97.853 ms 98.110 ms
(Source: http://www.cogentco.com/en/network/looking-glass)
It could be possible that other Tier 1 networks formerly blocked tor26, and also unblocked, but Verizon was sloppy not to do so.
It's also possible that Verizon could be doing it because the FCC repealed Net Neturality, and wants to discourage use of Tor to mine FiOS/VZW customers' browsing habits. But despite a NN repeal I can still access Tor on FiOS, and also run a relay (I do both) because other consensus relays are still unblocked.
But if Verizon didn't unblock tor26, could it actually mean that Verizon wants to discourage Tor (and VPN/proxy) use to try to mine information of their customers (and sell ads/information) and direct users to VZ-owned AOL and Yahoo? Well, I hope they were just sloppy and don't mean to wage war on Tor.
While I'm not saying you should avoid using anything Verizon at all costs (I certainly wouldn't want to go to the local cable company), I just want to point out a blocked consensus server.
I'm seeing the same thing from the greater Baltimore, MD area:
traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 172.16.3.1 (172.16.3.1) 0.172 ms 0.162 ms 0.115 ms 2 lo0-100.BLTMMD-VFTTP-323.verizon-gni.net (100.16.216.1) 23.228 ms 7.782 ms 2.901 ms 3 B3323.BLTMMD-LCR-22.verizon-gni.net (100.41.222.240) 2.982 ms B3323.BLTMMD-LCR-21.verizon-gni.net (100.41.222.238) 1.702 ms B3323.BLTMMD-LCR-22.verizon-gni.net (100.41.222.240) 7.756 ms 4 * * *
100.41.222.240 is AS19262.
Thanks,
-- Shawn Webb Cofounder and Security Engineer HardenedBSD
Tor-ified Signal: +1 443-546-8752 <(443)%20546-8752> Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-- Matthew Glennon matthew@glennon.online PGP Signing Available Upon Request https://keybase.io/crazysane
The Verizon Wireless network seems to be the same. https://imgur.com/a/fw6X9ZY On Wed, May 16, 2018 at 8:17 AM Matthew Glennon <matthew@glennon.online> wrote:
My relay exhibits the same results on AS701, MCI Communications Services, Inc. d/b/a Verizon Business
https://metrics.torproject.org/rs.html#details/924B24AFA7F075D059E8EEB284CC4...
matthew@freedom:~$ traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets 1 lo0-100.RCMDVA-VFTTP-307.verizon-gni.net (96.253.78.1) 4.340 ms 4.297 ms 4.273 ms 2 B3307.RCMDVA-LCR-22.verizon-gni.net (130.81.24.74) 3.854 ms 4.156 ms 8.609 ms 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * *
On Tue, May 15, 2018 at 9:18 PM Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
On Tue, May 15, 2018 at 08:12:50PM -0400, Neel Chauhan wrote:
Hi tor-relays mailing list,
I have noticed that the Tor consensus server tor26 ( https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90... ) is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless. I can confirm this on FiOS, but I don't use Verizon Wireless (my smartphone uses Sprint) so I can't test it there.
A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn apartment shows this is filtered on Verizon's backbone:
neel@xb2:~ % traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 1.128 ms 0.780 ms 0.613 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.001 ms 3.632 ms 0.900 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 2.291 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 3.172 ms 4.046 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * ^C neel@xb2:~ %
In a normal traceroute, you will see ALTER.NET at hop 5. Also, the subnet 86.59.21.0/24 is not filtered on UUNET. A traceroute to 86.59.21.1 works:
neel@xb2:~ % traceroute 86.59.21.1 traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 0.863 ms 0.757 ms 0.579 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.010 ms 1.545 ms 1.034 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 3.616 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 5.696 ms 10.062 ms 4 * * * 5 0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127) 3.492 ms 3.506 ms 2.996 ms 6 204.255.168.118 (204.255.168.118) 8.462 ms 7.479 ms 7.252 ms 7 144.232.4.84 (144.232.4.84) 5.041 ms 4.688 ms sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165) 71.865 ms 8 sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181) 72.214 ms 73.579 ms 72.339 ms 9 213.206.129.142 (213.206.129.142) 81.390 ms sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139) 85.854 ms 93.238 ms 10 217.149.47.46 (217.149.47.46) 79.004 ms 85.669 ms 79.392 ms 11 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 86.507 ms 78.374 ms 77.740 ms 12 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 79.642 ms 77.926 ms 81.515 ms 13 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 105.400 ms 105.089 ms 109.751 ms 14 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 122.716 ms 110.820 ms 114.354 ms 15 86.59.21.1 (86.59.21.1) 106.389 ms * 105.379 ms neel@xb2:~ %
I got in contact with Peter Palfrader and he says he couldn't help, and also with Verizon FiOS support and they said the filtering 'isn't on Verizon's network' (read: isn't on Verizon's internal FiOS network but still on Verizon's AS701 which I have to go to to get anywhere on the Internet here).
I know that this IP could have been blackholed, and you may think that if Verizon is blocking it, then isn't Level 3 or Cogent? Well, Cogent doesn't block tor26:
traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets 1 gi0-1-1-19.5.agr21.jfk02.atlas.cogentco.com (66.28.3.113) 0.727 ms 0.727 ms 2 be2605.ccr41.jfk02.atlas.cogentco.com (154.54.1.153) 2.177 ms be2606.ccr42.jfk02.atlas.cogentco.com (154.54.2.29) 0.734 ms 3 be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 68.557 ms be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186) 70.829 ms 4 be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 74.570 ms be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94) 76.767 ms 5 be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241) 74.515 ms 74.612 ms 6 149.6.129.250 (149.6.129.250) 80.758 ms 74.625 ms 7 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 75.421 ms 75.425 ms 8 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 74.516 ms 74.558 ms 9 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 97.605 ms 95.470 ms 10 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 100.314 ms 97.947 ms 11 86.59.118.145 (86.59.118.145) 96.918 ms 98.620 ms 12 tor.noreply.org (86.59.21.38) 97.853 ms 98.110 ms
(Source: http://www.cogentco.com/en/network/looking-glass)
It could be possible that other Tier 1 networks formerly blocked tor26, and also unblocked, but Verizon was sloppy not to do so.
It's also possible that Verizon could be doing it because the FCC repealed Net Neturality, and wants to discourage use of Tor to mine FiOS/VZW customers' browsing habits. But despite a NN repeal I can still access Tor on FiOS, and also run a relay (I do both) because other consensus relays are still unblocked.
But if Verizon didn't unblock tor26, could it actually mean that Verizon wants to discourage Tor (and VPN/proxy) use to try to mine information of their customers (and sell ads/information) and direct users to VZ-owned AOL and Yahoo? Well, I hope they were just sloppy and don't mean to wage war on Tor.
While I'm not saying you should avoid using anything Verizon at all costs (I certainly wouldn't want to go to the local cable company), I just want to point out a blocked consensus server.
I'm seeing the same thing from the greater Baltimore, MD area:
traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 172.16.3.1 (172.16.3.1) 0.172 ms 0.162 ms 0.115 ms 2 lo0-100.BLTMMD-VFTTP-323.verizon-gni.net (100.16.216.1) 23.228 ms 7.782 ms 2.901 ms 3 B3323.BLTMMD-LCR-22.verizon-gni.net (100.41.222.240) 2.982 ms B3323.BLTMMD-LCR-21.verizon-gni.net (100.41.222.238) 1.702 ms B3323.BLTMMD-LCR-22.verizon-gni.net (100.41.222.240) 7.756 ms 4 * * *
100.41.222.240 is AS19262.
Thanks,
-- Shawn Webb Cofounder and Security Engineer HardenedBSD
Tor-ified Signal: +1 443-546-8752 <(443)%20546-8752> Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-- Matthew Glennon matthew@glennon.online PGP Signing Available Upon Request https://keybase.io/crazysane
-- Matthew Glennon matthew@glennon.online PGP Signing Available Upon Request https://keybase.io/crazysane
On Tue, May 15, 2018 at 08:12:50PM -0400, Neel Chauhan wrote:
Hi tor-relays mailing list,
I have noticed that the Tor consensus server tor26 (https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90...) is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless.
I've been assuming the reason is something like wannacry: the wannacry malware shipped with a Tor client, which means if you watch its behavior, one of its early steps is to bootstrap into the Tor network. So my bet is that some Verizon analysis person watched it bootstrap, and saw the connection to tor26, and decided to blacklist tor26 network-wide in order to protect their customers from wannacry... and then of course they moved on to something else and they never realized (still don't realize) that their block rule had anything to do with Tor. This reminds me of the Australian dentist website story, where the dentist website ended up on the nationwide censorship list, presumably because the website was compromised and serving malware at the time they made the list -- but then once they'd cleaned up the website, it turned out there was no mechanism for being removed from the blocklist, because nobody had ever thought of that side of the issue. The fix (if my theory is right) would be to reach whatever engineer made this leap, and teach them about Tor. But it will be extra challenging because they don't even know that there's something they need to learn. --Roger
Quoting Roger Dingledine (2018-05-16 15:05:29)
The fix (if my theory is right) would be to reach whatever engineer made this leap, and teach them about Tor. But it will be extra challenging because they don't even know that there's something they need to learn.
like the fact that malware can have more than one C&C server? :/
If Verizon is suddenly worried about malware, why not block at the DNS level with something like Quad9 where it’s managed by more competent professionals? (Of course still allowing alternate DNS Servers) Does Tor bootstrap by IP Address directly? Sent from my iPhone
On May 16, 2018, at 11:32 AM, Alex Xu <alex_y_xu@yahoo.ca> wrote:
Quoting Roger Dingledine (2018-05-16 15:05:29)
The fix (if my theory is right) would be to reach whatever engineer made this leap, and teach them about Tor. But it will be extra challenging because they don't even know that there's something they need to learn.
like the fact that malware can have more than one C&C server? :/ _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Wed, May 16, 2018 at 11:36:58AM -0400, Nathaniel Suchy (Lunorian) wrote:
If Verizon is suddenly worried about malware, why not block at the DNS level with something like Quad9 where it’s managed by more competent professionals? (Of course still allowing alternate DNS Servers)
They probably do this, too.
Does Tor bootstrap by IP Address directly?
Yes
Sent from my iPhone
On May 16, 2018, at 11:32 AM, Alex Xu <alex_y_xu@yahoo.ca> wrote:
Quoting Roger Dingledine (2018-05-16 15:05:29)
The fix (if my theory is right) would be to reach whatever engineer made this leap, and teach them about Tor. But it will be extra challenging because they don't even know that there's something they need to learn.
like the fact that malware can have more than one C&C server? :/ _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
So just letting Quad9 wouldn’t solve things if Verizon needs to block a specific IP Address. It’s good to hear blocking that one server doesn’t cripple the Tor network. I hope this gets resolved. Sent from my iPhone
On May 16, 2018, at 11:45 AM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
On Wed, May 16, 2018 at 11:36:58AM -0400, Nathaniel Suchy (Lunorian) wrote: If Verizon is suddenly worried about malware, why not block at the DNS level with something like Quad9 where it’s managed by more competent professionals? (Of course still allowing alternate DNS Servers)
They probably do this, too.
Does Tor bootstrap by IP Address directly?
Yes
Sent from my iPhone
On May 16, 2018, at 11:32 AM, Alex Xu <alex_y_xu@yahoo.ca> wrote:
Quoting Roger Dingledine (2018-05-16 15:05:29)
The fix (if my theory is right) would be to reach whatever engineer made this leap, and teach them about Tor. But it will be extra challenging because they don't even know that there's something they need to learn.
like the fact that malware can have more than one C&C server? :/ _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Can you still use Tor on Verizon with bridges? Sent from my iPhone
On May 16, 2018, at 11:05 AM, Roger Dingledine <arma@mit.edu> wrote:
On Tue, May 15, 2018 at 08:12:50PM -0400, Neel Chauhan wrote: Hi tor-relays mailing list,
I have noticed that the Tor consensus server tor26 (https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90...) is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless.
I've been assuming the reason is something like wannacry: the wannacry malware shipped with a Tor client, which means if you watch its behavior, one of its early steps is to bootstrap into the Tor network. So my bet is that some Verizon analysis person watched it bootstrap, and saw the connection to tor26, and decided to blacklist tor26 network-wide in order to protect their customers from wannacry... and then of course they moved on to something else and they never realized (still don't realize) that their block rule had anything to do with Tor.
This reminds me of the Australian dentist website story, where the dentist website ended up on the nationwide censorship list, presumably because the website was compromised and serving malware at the time they made the list -- but then once they'd cleaned up the website, it turned out there was no mechanism for being removed from the blocklist, because nobody had ever thought of that side of the issue.
The fix (if my theory is right) would be to reach whatever engineer made this leap, and teach them about Tor. But it will be extra challenging because they don't even know that there's something they need to learn.
--Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi tor-relays mailing list, Good news! Verizon unblocked tor26 (86.59.21.38). I posted something similar on NANOG (with modifications for network people) here: https://mailman.nanog.org/pipermail/nanog/2018-May/095386.html Someone nice at Verizon must have read NANOG (VZ NOC people probably do read NANOG) and unblocked tor26. Here is a (successful) traceroute: neel@flex:~ % traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 0.886 ms 0.567 ms 0.460 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 2.437 ms 2.129 ms 1.127 ms 3 B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 3.957 ms 5.827 ms B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 5.022 ms 4 * * * 5 0.et-11-1-5.BR3.NYC4.ALTER.NET (140.222.2.131) 3.527 ms 0.et-5-0-2.BR3.NYC4.ALTER.NET (140.222.239.37) 4.578 ms 0.et-11-1-5.BR3.NYC4.ALTER.NET (140.222.2.131) 18.629 ms 6 204.255.168.118 (204.255.168.118) 4.764 ms 8.144 ms 7.132 ms 7 sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165) 70.718 ms sl-crs1-lon-0-6-2-0.sprintlink.net (144.232.13.44) 79.200 ms 144.232.13.112 (144.232.13.112) 78.583 ms 8 144.232.13.108 (144.232.13.108) 83.652 ms 213.206.129.100 (213.206.129.100) 86.477 ms 83.988 ms 9 217.149.32.65 (217.149.32.65) 100.367 ms 95.808 ms sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139) 85.614 ms 10 217.149.47.46 (217.149.47.46) 84.036 ms 84.193 ms 83.651 ms 11 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 79.584 ms 79.037 ms 78.659 ms 12 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 91.635 ms 94.684 ms 93.261 ms 13 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 105.583 ms 105.421 ms 105.308 ms 14 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 112.490 ms 105.685 ms 111.003 ms 15 86.59.118.145 (86.59.118.145) 130.001 ms 138.869 ms 106.799 ms 16 tor.noreply.org (86.59.21.38) 106.681 ms 105.468 ms 105.891 ms neel@flex:~ % (it's on a different laptop, my 'xb2' refuses to charge now, still same connection however). Now no consensus relays are blocked on FiOS! Although **most** Verizon NOC people probably don't read tor-relays (unlike NANOG's mailing lists), but to the person who read my NANOG post and unblocked tor26 (86.59.21.38), thank you so much! Thank You, Neel Chauhan === https://www.neelc.org/ On 2018-05-15 20:12, Neel Chauhan wrote:
Hi tor-relays mailing list,
I have noticed that the Tor consensus server tor26 (https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F90...) is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's retail services like FiOS and Wireless. I can confirm this on FiOS, but I don't use Verizon Wireless (my smartphone uses Sprint) so I can't test it there.
A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn apartment shows this is filtered on Verizon's backbone:
neel@xb2:~ % traceroute 86.59.21.38 traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 1.128 ms 0.780 ms 0.613 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.001 ms 3.632 ms 0.900 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 2.291 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 3.172 ms 4.046 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * ^C neel@xb2:~ %
In a normal traceroute, you will see ALTER.NET at hop 5. Also, the subnet 86.59.21.0/24 is not filtered on UUNET. A traceroute to 86.59.21.1 works:
neel@xb2:~ % traceroute 86.59.21.1 traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets 1 unknown (192.168.1.1) 0.863 ms 0.757 ms 0.579 ms 2 lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1) 1.010 ms 1.545 ms 1.034 ms 3 B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96) 3.616 ms B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94) 5.696 ms 10.062 ms 4 * * * 5 0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127) 3.492 ms 3.506 ms 2.996 ms 6 204.255.168.118 (204.255.168.118) 8.462 ms 7.479 ms 7.252 ms 7 144.232.4.84 (144.232.4.84) 5.041 ms 4.688 ms sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165) 71.865 ms 8 sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181) 72.214 ms 73.579 ms 72.339 ms 9 213.206.129.142 (213.206.129.142) 81.390 ms sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139) 85.854 ms 93.238 ms 10 217.149.47.46 (217.149.47.46) 79.004 ms 85.669 ms 79.392 ms 11 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 86.507 ms 78.374 ms 77.740 ms 12 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 79.642 ms 77.926 ms 81.515 ms 13 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 105.400 ms 105.089 ms 109.751 ms 14 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 122.716 ms 110.820 ms 114.354 ms 15 86.59.21.1 (86.59.21.1) 106.389 ms * 105.379 ms neel@xb2:~ %
I got in contact with Peter Palfrader and he says he couldn't help, and also with Verizon FiOS support and they said the filtering 'isn't on Verizon's network' (read: isn't on Verizon's internal FiOS network but still on Verizon's AS701 which I have to go to to get anywhere on the Internet here).
I know that this IP could have been blackholed, and you may think that if Verizon is blocking it, then isn't Level 3 or Cogent? Well, Cogent doesn't block tor26:
traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets 1 gi0-1-1-19.5.agr21.jfk02.atlas.cogentco.com (66.28.3.113) 0.727 ms 0.727 ms 2 be2605.ccr41.jfk02.atlas.cogentco.com (154.54.1.153) 2.177 ms be2606.ccr42.jfk02.atlas.cogentco.com (154.54.2.29) 0.734 ms 3 be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 68.557 ms be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186) 70.829 ms 4 be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 74.570 ms be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94) 76.767 ms 5 be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241) 74.515 ms 74.612 ms 6 149.6.129.250 (149.6.129.250) 80.758 ms 74.625 ms 7 ams5-core-1.bundle-ether1.tele2.net (130.244.82.54) 75.421 ms 75.425 ms 8 ams-core-2.bundle-ether9.tele2.net (130.244.82.57) 74.516 ms 74.558 ms 9 wen3-core-2.bundle-ether15.tele2.net (130.244.71.47) 97.605 ms 95.470 ms 10 tele2at-bundle2-vie3.net.uta.at (212.152.189.65) 100.314 ms 97.947 ms 11 86.59.118.145 (86.59.118.145) 96.918 ms 98.620 ms 12 tor.noreply.org (86.59.21.38) 97.853 ms 98.110 ms
(Source: http://www.cogentco.com/en/network/looking-glass)
It could be possible that other Tier 1 networks formerly blocked tor26, and also unblocked, but Verizon was sloppy not to do so.
It's also possible that Verizon could be doing it because the FCC repealed Net Neturality, and wants to discourage use of Tor to mine FiOS/VZW customers' browsing habits. But despite a NN repeal I can still access Tor on FiOS, and also run a relay (I do both) because other consensus relays are still unblocked.
But if Verizon didn't unblock tor26, could it actually mean that Verizon wants to discourage Tor (and VPN/proxy) use to try to mine information of their customers (and sell ads/information) and direct users to VZ-owned AOL and Yahoo? Well, I hope they were just sloppy and don't mean to wage war on Tor.
While I'm not saying you should avoid using anything Verizon at all costs (I certainly wouldn't want to go to the local cable company), I just want to point out a blocked consensus server.
Thank You,
Neel Chauhan
===
https://www.neelc.org/ _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
participants (8)
-
Alex Xu -
Matthew Finkel -
Matthew Glennon -
Nathaniel Suchy (Lunorian) -
Neel Chauhan -
Roger Dingledine -
Shawn Webb -
Sina Rabbani