Hi, On Wed, Mar 26, 2003 at 08:43:03PM +0100, Christian Storch wrote: > I've tried to trace 64.106.198.16 and than 64.106.198.15, > 64.106.198.17, 64.106.198.18 etc. I can't believe that: Only .16 is > blocked some AS'es before 14492! All the others are stopping first > within DataPipe. Probably a local anti-DDOS measure, I see the same at XS4ALL for part of 217.26.192.0/23, especially around 217.26.193.15 (aljns1sa.nav-link.net) which is another nameserver for aljazeera.net. Currently, I get two nameservers for aljazeera.net, 217.26.193.15 and 213.30.180.218: $ dnsqr ns aljazeera.net 2 aljazeera.net: 81 bytes, 1+2+0+0 records, response, noerror query: 2 aljazeera.net answer: aljazeera.net 172800 NS aljns1sa.nav-link.net answer: aljazeera.net 172800 NS ns3.aljazeera.net $ dnsqr a aljns1sa.nav-link.net 1 aljns1sa.nav-link.net: 55 bytes, 1+1+0+0 records, response, noerror query: 1 aljns1sa.nav-link.net answer: aljns1sa.nav-link.net 172791 A 217.26.193.15 $ dnsqr a ns3.aljazeera.net 1 ns3.aljazeera.net: 51 bytes, 1+1+0+0 records, response, noerror query: 1 ns3.aljazeera.net answer: ns3.aljazeera.net 172785 A 213.30.180.218 The first one, 217.26.193.15 is part of a route 217.26.192.0/23 which originates from AS16046 (Navlink), the second one, 213.30.180.218 is part of 213.30.128.0/18 which originates from AS12670 (Completel). The Navlink AS is a stub AS which is connected only to Completel and AS3215 (France Telecom), both of which are of course well connected. Both IP addresses are unreachable: $ traceroute 217.26.193.15 traceroute to 217.26.193.15 (217.26.193.15), 30 hops max, 38 byte packets 1 195.190.242.242 (195.190.242.242) 10.850 ms 11.992 ms 12.689 ms 2 32.ge-0-0-0.xr2.pbw.xs4all.net (194.109.5.201) 17.024 ms 15.192 ms 13.152 ms 3 * * * 4 * * * As you can see, that one is blocked /very/ early by XS4ALL. Perhaps they've taken measures because of DDOS zombies they saw on their network. 216.26.192.1 which is part of the same route traces all the way to FT. $ traceroute 213.30.180.218 traceroute to 213.30.180.218 (213.30.180.218), 30 hops max, 38 byte packets 1 195.190.242.242 (195.190.242.242) 11.747 ms 11.567 ms 12.752 ms 2 32.ge-0-0-0.xr2.pbw.xs4all.net (194.109.5.201) 13.809 ms 15.718 ms 17.280 ms 3 0.ge-1-3-0.xr1.tc2.xs4all.net (194.109.5.6) 15.333 ms 13.463 ms 13.235 ms 4 adm-b1-geth3-1.telia.net (213.248.72.145) 13.023 ms 13.040 ms 12.755 ms 5 adm-bb1-pos1-0-0.telia.net (213.248.72.137) 15.937 ms 14.864 ms 16.329 ms 6 ldn-bb1-pos1-1-0.telia.net (213.248.64.114) 22.696 ms 23.418 ms 23.302 ms 7 prs-bb1-pos1-1-0.telia.net (213.248.64.158) 28.624 ms 28.315 ms 27.075 ms 8 prs-b3-pos5-0.telia.net (213.248.65.62) 29.297 ms 29.276 ms 33.421 ms 9 competel-01748-prs-b3.c.telia.net (213.248.71.130) 27.839 ms 28.264 ms 29.228 ms 10 213.30.128.94 (213.30.128.94) 130.076 ms 83.677 ms 272.106 ms 11 * * * The last hop's IP is already part of AS12670 (Completel), but as you can see, the ping time is suddenly not exactly stellar. I can reach other addresses originating from AS12670 fine though, such as 195.167.224.38 (Completel's website), which takes the same AS path and gives excellent ping times, The problem with the nameserver that's not blocked here seems local to Completel's network; AMS-IX's BGP looking glass shows no longer prefix for 213.30.180.218 than the 213.30.128.0/18 route, and more than enough paths for that. So, anyone from Completel subscribed who wants to comment? (Slim chance, but hey). Cheers, Emile. -- E-Advies - Emile van Bergen emile@e-advies.nl tel. +31 (0)70 3906153 http://www.e-advies.nl
Attachment:
pgpIn5ScXW_zb.pgp
Description: PGP signature