[tor-relays] Verizon AS701 blocking Tor consensus server tor26 (86.59.21.38)

Shawn Webb shawn.webb at hardenedbsd.org
Wed May 16 01:17:34 UTC 2018 

On Tue, May 15, 2018 at 08:12:50PM -0400, Neel Chauhan wrote:
> Hi tor-relays mailing list,
> 
> I have noticed that the Tor consensus server tor26 (https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F904934E4EB85D)
> is blocked on Verizon's UUNET (AS701) backbone, and therefore, Verizon's
> retail services like FiOS and Wireless. I can confirm this on FiOS, but I
> don't use Verizon Wireless (my smartphone uses Sprint) so I can't test it
> there.
> 
> A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn apartment
> shows this is filtered on Verizon's backbone:
> 
> neel at xb2:~ % traceroute 86.59.21.38
> traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets
>  1  unknown (192.168.1.1)  1.128 ms  0.780 ms  0.613 ms
>  2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.001 ms  3.632
> ms  0.900 ms
>  3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  2.291 ms
>     B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  3.172 ms  4.046 ms
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> ^C
> neel at xb2:~ %
> 
> In a normal traceroute, you will see ALTER.NET at hop 5. Also, the subnet
> 86.59.21.0/24 is not filtered on UUNET. A traceroute to 86.59.21.1 works:
> 
> neel at xb2:~ % traceroute 86.59.21.1
> traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets
>  1  unknown (192.168.1.1)  0.863 ms  0.757 ms  0.579 ms
>  2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.010 ms  1.545
> ms  1.034 ms
>  3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  3.616 ms
>     B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  5.696 ms  10.062 ms
>  4  * * *
>  5  0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127)  3.492 ms  3.506 ms  2.996
> ms
>  6  204.255.168.118 (204.255.168.118)  8.462 ms  7.479 ms  7.252 ms
>  7  144.232.4.84 (144.232.4.84)  5.041 ms  4.688 ms
>     sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165)  71.865 ms
>  8  sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181)  72.214 ms  73.579
> ms  72.339 ms
>  9  213.206.129.142 (213.206.129.142)  81.390 ms
>     sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139)  85.854 ms  93.238
> ms
> 10  217.149.47.46 (217.149.47.46)  79.004 ms  85.669 ms  79.392 ms
> 11  ams5-core-1.bundle-ether1.tele2.net (130.244.82.54)  86.507 ms  78.374
> ms  77.740 ms
> 12  ams-core-2.bundle-ether9.tele2.net (130.244.82.57)  79.642 ms  77.926 ms
> 81.515 ms
> 13  wen3-core-2.bundle-ether15.tele2.net (130.244.71.47)  105.400 ms
> 105.089 ms  109.751 ms
> 14  tele2at-bundle2-vie3.net.uta.at (212.152.189.65)  122.716 ms  110.820 ms
> 114.354 ms
> 15  86.59.21.1 (86.59.21.1)  106.389 ms *  105.379 ms
> neel at xb2:~ %
> 
> I got in contact with Peter Palfrader and he says he couldn't help, and also
> with Verizon FiOS support and they said the filtering 'isn't on Verizon's
> network' (read: isn't on Verizon's internal FiOS network but still on
> Verizon's AS701 which I have to go to to get anywhere on the Internet here).
> 
> I know that this IP could have been blackholed, and you may think that if
> Verizon is blocking it, then isn't Level 3 or Cogent? Well, Cogent doesn't
> block tor26:
> 
> traceroute to 86.59.21.38 (86.59.21.38), 30 hops max, 60 byte packets
>  1  gi0-1-1-19.5.agr21.jfk02.atlas.cogentco.com (66.28.3.113)  0.727 ms
> 0.727 ms
>  2  be2605.ccr41.jfk02.atlas.cogentco.com (154.54.1.153)  2.177 ms
> be2606.ccr42.jfk02.atlas.cogentco.com (154.54.2.29)  0.734 ms
>  3  be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86)  68.557 ms
> be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186)  70.829 ms
>  4  be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42)  74.570 ms
> be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94)  76.767 ms
>  5  be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241)  74.515 ms  74.612
> ms
>  6  149.6.129.250 (149.6.129.250)  80.758 ms  74.625 ms
>  7  ams5-core-1.bundle-ether1.tele2.net (130.244.82.54)  75.421 ms  75.425
> ms
>  8  ams-core-2.bundle-ether9.tele2.net (130.244.82.57)  74.516 ms  74.558 ms
>  9  wen3-core-2.bundle-ether15.tele2.net (130.244.71.47)  97.605 ms  95.470
> ms
> 10  tele2at-bundle2-vie3.net.uta.at (212.152.189.65)  100.314 ms  97.947 ms
> 11  86.59.118.145 (86.59.118.145)  96.918 ms  98.620 ms
> 12  tor.noreply.org (86.59.21.38)  97.853 ms  98.110 ms
> 
> (Source: http://www.cogentco.com/en/network/looking-glass)
> 
> It could be possible that other Tier 1 networks formerly blocked tor26, and
> also unblocked, but Verizon was sloppy not to do so.
> 
> It's also possible that Verizon could be doing it because the FCC repealed
> Net Neturality, and wants to discourage use of Tor to mine FiOS/VZW
> customers' browsing habits. But despite a NN repeal I can still access Tor
> on FiOS, and also run a relay (I do both) because other consensus relays are
> still unblocked.
> 
> But if Verizon didn't unblock tor26, could it actually mean that Verizon
> wants to discourage Tor (and VPN/proxy) use to try to mine information of
> their customers (and sell ads/information) and direct users to VZ-owned AOL
> and Yahoo? Well, I hope they were just sloppy and don't mean to wage war on
> Tor.
> 
> While I'm not saying you should avoid using anything Verizon at all costs (I
> certainly wouldn't want to go to the local cable company), I just want to
> point out a blocked consensus server.

I'm seeing the same thing from the greater Baltimore, MD area:

traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets
 1  172.16.3.1 (172.16.3.1)  0.172 ms  0.162 ms  0.115 ms
 2  lo0-100.BLTMMD-VFTTP-323.verizon-gni.net (100.16.216.1)  23.228 ms  7.782 ms  2.901 ms
 3  B3323.BLTMMD-LCR-22.verizon-gni.net (100.41.222.240)  2.982 ms
    B3323.BLTMMD-LCR-21.verizon-gni.net (100.41.222.238)  1.702 ms
    B3323.BLTMMD-LCR-22.verizon-gni.net (100.41.222.240)  7.756 ms
 4  * * *

100.41.222.240 is AS19262.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera at is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20180515/8eeab120/attachment.sig>

More information about the tor-relays mailing list