Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Australian Networks Block Community University Website

timothy posted about a year and a half ago | from the you-cannot-read-this-error-message dept.

Censorship 97

Peter Eckersley writes "At the EFF we were recently contacted by the organisers of the Melbourne Free University (MFU), an Australian community education group, whose website had been unreachable from a number of Australian ISPs since the 4th of April. It turns out that the IP address of MFU's virtual host has been black-holed by several Australian networks; there is suggestive but not conclusive evidence that this is a result of some sort of government request or order. It is possible that MFU and 1200 other sites that use that IP address are the victims of a block that was put in place for some other reason. Further technical analysis and commentary is in our blog post."

Sorry! There are no comments related to the filter you selected.

Pedo terrorists (0, Troll)

Anonymous Coward | about a year and a half ago | (#43425801)

Probably a bunch of pedo terrorists. Fuck 'em!

Seems legit (0)

Anonymous Coward | about a year and a half ago | (#43425835)

If there are 1200 other sites using that IP, and they are blocking by IP, it would make sense that one of them got whatever your DMCA takedowns are called.

Re:Seems legit (4, Insightful)

DeathToBill (601486) | about a year and a half ago | (#43426127)

I love the assumption that the whole world has a DMCA just because you do...

Re:Seems legit (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43426217)

I love the assumption that the whole world has a DMCA just because you do...

With the US exporting these laws and forcing trade partners to adopt them it's getting there.

This was exported to Australia years ago. America has been doing this for some time, and with lots of other countries, essentially over-riding the citizens in favor of their interests.

Do you even pay attention to the stories around here?

Re:Seems legit (2)

jimmetry (1801872) | about a year and a half ago | (#43426949)

Australian checking in. Yes, they raid our universities to find kids breaching copyright, so we have US DMCA influence. What better way to deal with crime than to make studying even more difficult to afford...

Maybe (1)

turkeyfish (950384) | about a year and a half ago | (#43429063)

this has more to do with politicians finding out that they have the following kind of lectures online and simply want to shut this kind of thing down before students actually get educated:

"Aurélien Mondon, Do people really want what politicians are offering?, The National Times, 8 July 2010,[6]"

Re:Seems legit (1)

ItsJustAPseudonym (1259172) | about a year and a half ago | (#43429629)

U.S. fan of Australia, here. WTF happened to you guys? You've got the OUTBACK for gosh sakes! You've got VB and Castlemain 4X! Noooo!

Rats!

Re:Seems legit (1)

jimmetry (1801872) | about a year and a half ago | (#43439547)

Bogans. Lots and lots of bogans.

Re:Seems legit (4, Insightful)

SteveFoerster (136027) | about a year and a half ago | (#43428465)

With the US exporting these laws

Well, something had to replace manufacturing!

Re:Seems legit (0)

Anonymous Coward | about a year and a half ago | (#43430215)

Yep, Australia adopted the US DMCA as official legislation as part of the deal to get our Free Trade Agreement with the USA. Ironic, isn't it?

Re:Seems legit (1)

hughbar (579555) | about a year and a half ago | (#43431049)

Yes agree, we seem have US influenced laws in the UK too, either as part of our highly asymmetric 'special relationship', some the recent deportations and deportation attempts, for example, or via the WTO [wealthy terrorist organisation]. We need to wake up to this and see what we can do to push back via boycott etc.

Re:Seems legit (3, Informative)

SuricouRaven (1897204) | about a year and a half ago | (#43427041)

Actually, it more-or-less does, at least in where Title 1 is concerned. The DMCA itsself is just the US's implementation of requirements agreed to internationally in a 1996 WIPO treaty, in which signatories agreed to pass laws criminalising circumvention of copyright protection technology. Similar laws exist in Europe (Via national implementations of the European Union Copyright Directive), Canada, Australia, and much of the rest of the world. WIPO is a big organisation.

The notice-and-takedown provisions (Title 2) were not, AFAIK, required by any WIPO agreement and as such are not so universal outside of the US.

Re:Seems legit (4, Informative)

GumphMaster (772693) | about a year and a half ago | (#43427807)

They are present in the US-Australia Free Trade Agreement, Article 17.11 [dfat.gov.au] . Curious how much of that document is about restrictions and not freedom.

Re:Seems legit (1)

wisty (1335733) | about a year and a half ago | (#43429907)

This is how IP laws keep growing.

Every time 2 countries decide to "rationalize" their IP laws, they add their restrictions together, instead of compromising. You tend to end up with the longest term, the lowest bar, and the heaviest penalties.

Re:Seems legit (1)

TWiTfan (2887093) | about a year and a half ago | (#43431221)

I love the assumption that the whole world has a DMCA just because you do...

The DMCA was just the U.S. enactment of the WIPO Copyright Treaty [wikipedia.org] , which was also enacted in Australia in 2007. So, yes, the world DOES, in fact, have a DMCA (or at least a good portion [wipo.int] of the world).

Butts and cocks (-1)

Anonymous Coward | about a year and a half ago | (#43425871)

Eat my asshole, Slashtard faggots!

Re:Butts and cocks (1)

DeathToBill (601486) | about a year and a half ago | (#43426139)

Julia? Is that you?

ham radios! they're back (-1)

Anonymous Coward | about a year and a half ago | (#43425873)

and not the little two meter repeaters

Did anyone believe this law would not be abused? (2)

kawabago (551139) | about a year and a half ago | (#43425875)

Next will be political web sites. What government wouldn't exercise the power to remove a critical opposition web site from the internet just before an election?

Re:Did anyone believe this law would not be abused (-1)

Anonymous Coward | about a year and a half ago | (#43425915)

Do you love gagging down dog cocks or do you just do it for pay?

Re:Did anyone believe this law would not be abused (0)

Anonymous Coward | about a year and a half ago | (#43426077)

Ok, yes, he was talking about politics, so gagging down dog cocks is kind of on topic, but its a far reach.

Also, its great when you can make a job out of your hobby.

Re:Did anyone believe this law would not be abused (5, Insightful)

gstoddart (321705) | about a year and a half ago | (#43426047)

Sadly, it doesn't even need to be maliciously abused ... just incompetently written and ineptly applied.

Like all laws applying to technology, the people writing them are usually incapable of understanding all of the side effects. So they get passed, and applied as written, which has the unfortunate effect of breaking lots of legitimate things.

If there's 1200 sites sharing that IP address, but they block all of them based on a single complaint, these fall into the category of collateral damage.

Sadly, I'm betting someone made an effort to point this potential out to them and got ignored.

Re:Did anyone believe this law would not be abused (4, Insightful)

kasperd (592156) | about a year and a half ago | (#43426279)

If there's 1200 sites sharing that IP address, but they block all of them based on a single complaint, these fall into the category of collateral damage.

I guess a major part of the problem might be, that there is no penalty for blocking too much. If there is a penalty for blocking too little but none for blocking too much, then there is little incentive to do accurate filtering. A discussion about whether blocking would have been appropriate in this case, had it been more accurately targeted, seems pointless, since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.

Some do see it as a benefit though. How often have some country blocked the worlds largest sites on the excuse that one page on each site is offending their religion. The more coarse grained your filtering is, the easier it is to conceal what you were really aiming to censor and the easier it is to find a plausible excuse for applying the filter in the first place. A civilized country shouldn't accept censorship, and especially not when it comes with such collateral damage. I don't believe there exist a problem in this world, for which censorship is the best solution.

Re:Did anyone believe this law would not be abused (1)

Obfuscant (592200) | about a year and a half ago | (#43427413)

I guess a major part of the problem might be, that there is no penalty for blocking too much.

Did you miss that this block is on one IP address? That there are 1215 virtual hosts running at this one address? How can you block less than one IP address at a router? You'd have to do deep enough packet inspection to look at the virtual hostname header in any HTTP request, and the RCPT TO in any SMTP transaction. Should there be packet filtering at that level?

since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.

That's right, we don't know which of the 1215 domain names hosted the content that justified the block. But we can know that the fact that YOU personally don't know what the content was isn't really the largest problem with blocking things.

Re:Did anyone believe this law would not be abused (1)

Dragonslicer (991472) | about a year and a half ago | (#43427541)

Is it just me, or does this sound like the perfect motivation for governments to encourage IPv6 adoption?

Re:Did anyone believe this law would not be abused (1)

HiThere (15173) | about a year and a half ago | (#43428517)

I don't know if it's just you, but to me it sounds like a reason for governments to discourage IPv6. The way it is now they don't need to reveal which of those sites they really wanted to block, which means any fabricated story will work.

Re:Did anyone believe this law would not be abused (1)

Dragonslicer (991472) | about a year and a half ago | (#43428725)

Good point. I was thinking that they could block sites without nearly as much backlash if there weren't many other sites blocked as collateral damage.

Re:Did anyone believe this law would not be abused (1)

kasperd (592156) | about a year and a half ago | (#43430751)

does this sound like the perfect motivation for governments to encourage IPv6 adoption?

I for one never liked name based vhosts. I have started moving my own domains to IP based vhosts on IPv6. I still have one IPv4 address with name based vhosts for those users who don't have IPv6 yet. Configuring a vhost such that it was name based when accessed over IPv4 and IP based when accessed over IPv6 was slightly tricky. But I got it working.

I do like the idea of using this as an argument for deploying IPv6. Even though there are plenty of arguments for IPv6 already that doesn't stop some people from denying there is any need at all. So to me every argument I can find for deploying IPv6 is seen as a good thing. The more arguments we have, the harder it gets to deny the need for IPv6.

So the way it would have worked would be as follows. Hosting provider has one IPv4 address shared between many vhosts, but each vhost has their own IPv6 address. If one vhost is to be blocked for hosting illegal content, one IPv4 address and one IPv6 address can be blocked. If a user tries IPv4 first and gets a connection reset, their browser would switch to IPv6.

Then we can turn the story around and say MFU should have hosted on dual stack, then they wouldn't have been blocked. The opponents of IPv6 deployment will have many arguments to pull up, but I have an answer ready for each of them. They say: "But the users don't have IPv6, so they won't be able to reach the site anyway", and I say: "If those users had choosen an ISP with IPv6 support, they would have been able to reach the site". They say: "But there isn't any ISP with IPv6 support in that area", and I say: "If the ISP hasn't deployed IPv6, then they cannot justify IP based blocking, and they must instead route traffic to that IP through a router capable of doing DPI to only block the forbidden host-name".

Of course none of this is truly great arguments, because it is sort of accepting censorship. Even if you can target only a single domain, it is still censorship. And in case a domain contains both legal and illegal pages, and the domain uses https, then blocking without collateral damage is not technically possible.

Re:Did anyone believe this law would not be abused (0)

tibit (1762298) | about a year and a half ago | (#43427831)

Should there be packet filtering at that level?

Hell yes. It's not that hard.

Re:Did anyone believe this law would not be abused (1)

kasperd (592156) | about a year and a half ago | (#43430709)

Did you miss that this block is on one IP address?

No.

Should there be packet filtering at that level?

No.

If you can implement blocking which only blocks content found to be illegal by a court of law, then that is fine. But accepting any collateral damage and accepting any blocking without the content being found illegal by a court of law is just wrong. What I am saying is, stop doing filtering, and go for the root of the problem.

But we can know that the fact that YOU personally don't know what the content was isn't really the largest problem with blocking things.

What makes you think I am special? There are billions of people who don't know either. If all of them just assume it must have been bad enough to justify this amount of collateral damage, then that is a free pass for those who want to apply censorship.

I don't believe that there could exist content so bad, that simply seeing it could be worse than living in a society of censorship.

Re:Did anyone believe this law would not be abused (1)

bruce_the_loon (856617) | about a year and a half ago | (#43431173)

As a firewall administrator, unless I am being attacked from a specific IP, I will block hostname in preference to IP precisely because of this sort of problem.

Re:Did anyone believe this law would not be abused (1)

kasperd (592156) | about a year and a half ago | (#43508575)

As a firewall administrator, unless I am being attacked from a specific IP, I will block hostname in preference to IP precisely because of this sort of problem.

That statement makes no sense to me. The only sort of attack mentioned in the story is the DoS attack performed by another network blocking legitimate packets. There is no additional blocking that the server administrator could perform to solve that. And even if the server was under some other kind of attack (such as flooding), the only hostnames potentially involved are those assigned to the server itself. Blocking those hostnames, just means you are DoSing your own server. The attacker doesn't have a hostname, you can block them on.

Re:Did anyone believe this law would not be abused (1)

tqk (413719) | about a year and a half ago | (#43431809)

That's right, we don't know which of the 1215 domain names hosted the content that justified the block.

Which, really, is irrelevant. I see 1214 domains ripe for a class action lawsuit, possibly with slander/libel/restraint of trade/... mixed in. If each (or just a lot) of them ponied up $100 down payment (plus kickstarter?), that'd keep a lawyer going for a while.

Re:Did anyone believe this law would not be abused (3, Interesting)

plover (150551) | about a year and a half ago | (#43427959)

Completely off-topic question regarding your sig:

Do you care about the security of your wireless mouse?

Did you ever solve your mousey dilemma? If not, Bluetooth v2.1 solves it by default (if you're careful about avoiding interception during the pairing process.) The bigger question is how you determine which version of Bluetooth stack a vendor's mouse supports?

Re:Did anyone believe this law would not be abused (1)

kasperd (592156) | about a year and a half ago | (#43430773)

Did you ever solve your mousey dilemma?

On my desktop computer I got a keyboard with a USB hub. A cable between keyboard and mouse is slightly less annoying than a cable from the mouse to the computer. On my laptop I am just using a trackpad. With training I have gotten more used to trackpads, and when I am travelling with my laptop, I often use it without access to a flat surface where I can put the mouse.

I'd still like a wireless mouse with strong cryptography and key exchange while it is charging. I think it would be feasible to use a one-time pad along with a provably secure message authentication code.

Re:Did anyone believe this law would not be abused (1)

plover (150551) | about a year and a half ago | (#43482773)

Bluetooth v2.1 security is likely more than adequate for your requirements.

The risk of key interception occurs only once, during pairing, and you can mitigate that by pairing the devices in a Faraday cage or in a remote field, and never pairing them again without taking similar precautions. The E0 algorithm used as the stream cipher to carry the data has a couple of published weaknesses, all of which require substantially more data than is allowed in a single Bluetooth session, so decryption is still not possible.

And all of this desire for security is based on your suspicion that an eavesdropper could glean information that would harm you from just your mouse movements, with no other context like what screens or windows you might be clicking on. Part of building a secure system is to look at the whole threat picture rationally. Who would perform such surveillance? What could they gain? What could you lose?

In this case, the most likely information an attacker would be able to gather is traffic analysis - your mouse is communicating, therefore you must be physically present and using your computer. And they would get that info from any wireless mouse, regardless of how strong the cryptography is. So the rational question is Boolean: should you own a wireless device that transmits when you are physically using your computer? Leave crypto out of that decision. If the answer is yes then Bluetooth meets your other requirements.

Re:Did anyone believe this law would not be abused (1)

kasperd (592156) | about a year and a half ago | (#43496219)

And all of this desire for security is based on your suspicion that an eavesdropper could glean information that would harm you from just your mouse movements

You are assuming cryptography is all about protecting the confidentiality of data. That is a common mistake to make. But in this particular case I did point out in my initial post, that authenticity is also important. In fact in most cases authenticity and integrity of the data is more important than confidentiality.

Instead of asking what you can learn from observing mouse movements, consider what you can do if you control mouse movements. Most UIs have buttons located in predictable positions. Click on some of those to take control over the computer. All you need to be able to do is to navigate a browser to a malicious website and click yes on a few confirmations that you want to download some executable and run it. Sounds like a quite feasible task to achieve using a mouse.

Next ask if the receiving end of the wireless connection actually cares if it is a mouse or a keyboard. If it accepts keyboard input as well, then the attack is much easier to carry out, even if I didn't use any wireless keyboard myself.

As for the confidentiality, mouse movements used to be the primary source of randomness for use in cryptographic protocols. That certainly adds to the risk from somebody being able to observe all mouse movements.

Re:Did anyone believe this law would not be abused (1)

whoever57 (658626) | about a year and a half ago | (#43426391)

Sadly, it doesn't even need to be maliciously abused ... just incompetently written and ineptly applied.

And this kind of application is just what is needed to bring the issue to the attention of the public at large.

Re:Did anyone believe this law would not be abused (0)

Anonymous Coward | about a year and a half ago | (#43429643)

so the question is..

what's the really good site that was the target here?

Re:Did anyone believe this law would not be abused (0)

Anonymous Coward | about a year and a half ago | (#43426339)

What law? There is no legal mechanism for the government to block websites in Australia...

Re:Did anyone believe this law would not be abused (2, Informative)

cas2000 (148703) | about a year and a half ago | (#43428147)

yes, there is. the ACMA maintains a (secret) black-list of domain names and IP addresses which contains "prohibited content" which is used in filtering software. Some ISPs voluntarily use that list to block access.

The ACMA's secret blacklist has leaked on at least one occasion in the past.

In Nov last year, the Australian Federal Police started sending mandatory block notices to ISPs.

more info here:

http://www.acma.gov.au/scripts/nc.dll?WEB/STANDARD/1001/pc=PC_90102 [acma.gov.au]

http://en.wikipedia.org/wiki/Internet_censorship_in_Australia [wikipedia.org]

Re:Did anyone believe this law would not be abused (0)

Anonymous Coward | about a year and a half ago | (#43429071)

In this case it can't be a mandatory government block, because the site is still accessable from iiNet (an Australian ISP), for example. It's only blocked by "some" Australian ISPs.

Re:Did anyone believe this law would not be abused (1)

samson13 (1311981) | about a year and a half ago | (#43428183)

I don't think the internet filter laws got passed. I thought the ISPs jumped in and said they would voluntarily use the Interpol Worst of list [interpol.int] . I think the compromise seems reasonable. If the list is abused then it can be voluntarily not used. To be on the list you need to host porn of kids that are under 13 and this needs to be verified by multiple member countries.

I'm guessing that this has been implemented as a BGP blackhole list from TFA. An easy way for the ISP to go. They will already be running black lists for things like bogons and performance impact will be low.

The obvious fault with this is that when some kiddie porn domain gets blacklisted the domain becomes useless so the domain admin points their A record at some popular hosting company and takes them off line as well. If your going down take somebody with you.

Being on a black list sucks if there is no way to get off. Many years ago the company I worked for was on a net block that was on an outdated bogon list used by the US military. The military is really bad at keeping things maintained, something gets installed, the person who did it gets posted elsewhere every few years so all knowledge about what, how and why it was done is lost. The military don't update their contact information so even if your email server wasn't black holed you couldn't contact them anyway. Frustrating when there were treaties requiring this communication.

Re (-1)

Anonymous Coward | about a year and a half ago | (#43426007)

Alexandra. I can see what your saying... Glenn`s comment is something, last tuesday I got a new Ariel Atom since I been earnin $4511 this past 5 weeks and-more than, ten-grand this past month. with-out any doubt it's the best-work I've ever done. I started this 7-months ago and almost immediately brought home over $84, per-hr. I use the details on this website,, BIC5.COM

Synopsis: Arms Waving In The Air (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43426013)

A site is blocked by various ISPs. Nobody knows for sure why. Some would like to pose the situation as a government conspiracy, or at least an example of why new regulations requiring ISPs to block certain sites is bad.

No one really knows what's going on, least of all the author. There's lots of hand waving and half hearted finger pointing.

Rabble unite?

Re:Synopsis: Arms Waving In The Air (1)

DeathToBill (601486) | about a year and a half ago | (#43426157)

Oh, stop being boring.

Re:Synopsis: Arms Waving In The Air (1)

jimmetry (1801872) | about a year and a half ago | (#43426973)

My DNS had been shit too lately. Bloody feds. *shakes fist*

Re:Synopsis: Arms Waving In The Air (1)

crutchy (1949900) | about a year and a half ago | (#43427689)

primary: 8.8.8.8
secondary: 8.8.4.4

Re:Synopsis: Arms Waving In The Air (1)

crutchy (1949900) | about a year and a half ago | (#43427739)

google also has dns servers in australia as of early 2012, so the problem of stuffing up akamai download efficiency is now mostly moot in australia

Re:Synopsis: Arms Waving In The Air (0)

Anonymous Coward | about a year and a half ago | (#43429043)

it can however mess up quota-free content if you use non-isp provided dns entries

Re:Synopsis: Arms Waving In The Air (0)

Anonymous Coward | about a year and a half ago | (#43431129)

the problem of stuffing up akamai download efficiency is now mostly moot in australia

Not if you're on Exetel. If you use Google public DNS on an Exetel connection then for some reason your Akamai traffic comes from NTT (Tokyo, Japan) complete with high latency and high packet loss. Change your DNS settings to Exetel's own and lo-and-behold there is an Akamai mirror inside Exetel's network.

Re:Synopsis: Arms Waving In The Air (1)

crutchy (1949900) | about a year and a half ago | (#43439129)

well, mostly moot

Re:Synopsis: Arms Waving In The Air (2)

SuricouRaven (1897204) | about a year and a half ago | (#43427075)

If it's blocked by one ISP, you can blame a mistake. If it's blocked by many ISPs, then the directive must have come from somewhere. I can only see three classes of organisation that could have the power to issue a block order:
1. Government.
2. Whatever organisation supplies Australian ISPs with the list of child porn sites to block. Wouldn't be the first time - remember when all major ISPs in the UK filtered Wikipedia, because our national blocklist provider decided an album cover was child porn?
3. A copyright enforcement contractor that mass-mails block requests to all ISPs.

Three seems unlikely, because this isn't common practice in Australia - some ISP should have kicked up a fuss. Which means either 1 or 2 are possibilities.

Re:Synopsis: Arms Waving In The Air (1)

Zaelath (2588189) | about a year and a half ago | (#43427181)

If it's blocked by one ISP, you can blame a mistake. If it's blocked by many ISPs, then the directive must have come from somewhere

Yeah, like BGP maybe?

No issue getting to the site from my Australian ISP..

Re:Synopsis: Arms Waving In The Air (1)

Tacticus.v1 (1102137) | about a year and a half ago | (#43428359)

You're on internode or iinet i take it?

They really don't want a filter and refused to implement one.

Re:Synopsis: Arms Waving In The Air (1)

Zaelath (2588189) | about a year and a half ago | (#43428425)

Oh yeah, I'd forgotten Telstra and Optus had opted to voluntarily take a list of child abuse websites and block them.

If that's what it's about, then IP is the only way to be sure. You can't expect paedos to be stopped by DNS/name filtering.

Re:Synopsis: Arms Waving In The Air (1)

TranquilVoid (2444228) | about a year and a half ago | (#43429085)

My work is through Optus, can access the MFU site fine at this time.

Re:Synopsis: Arms Waving In The Air (0)

Anonymous Coward | about a year and a half ago | (#43429089)

So they most likely the have an objection to one of the 1200 sites on that address, but the site is presumably legal under US laws so they can't just ask the US government to shut it down.

Re:Synopsis: Arms Waving In The Air (1)

PuZZleDucK (2478702) | about a year and a half ago | (#43430001)

You're on internode or iinet i take it?

They really don't want a filter and refused to implement one.

That's why I switched :D (that and sending my browsing history to a US company)... burn in hell Telstra!

Re:Synopsis: Arms Waving In The Air (1)

Tacticus.v1 (1102137) | about a year and a half ago | (#43430033)

burn in hell Telstra!

I don't think they would make it through customs.
Some things are just too much for hell

Re:Synopsis: Arms Waving In The Air (0)

Anonymous Coward | about a year and a half ago | (#43431089)

I'm on Telstra and it works for me. This is a non-story, just a BGP glitch.

Re:Synopsis: Arms Waving In The Air (0)

Anonymous Coward | about a year and a half ago | (#43428409)

Which is...... You know it would help if you said WHAT FUCKING ISP YOUR USING!

I can't access the site - Via Optus (Au).

Hmmm... which one is more likely? (5, Interesting)

sirwired (27582) | about a year and a half ago | (#43426079)

Hmmm... which is more likely? An utterly inoffensive group providing free education materials on the internet is the victim of a shadowy government conspiracy, or that one of the 1,200 other sites on the same IP did something sufficiently stupid as to attract govt. attention.

I know that the summary and the article both mention that the latter is a possibility, but the headline, summary, and article, are all written as if the most likely possibility was that MFU was targeted directly.

I suspect that the ISP got a request from somebody about one of the hosted sites doing something very naughty, and the person who's job it was to pay attention to such requests didn't get them or ignored them, so an IP block was the next step.

Re:Hmmm... which one is more likely? (4, Informative)

Bacon Bits (926911) | about a year and a half ago | (#43426171)

That's what I was thinking, too.

1,200 websites on one IP address? Looking at the list, I see things that are obviously gambling websites. The IP is held by a US-based hosting company (DimeNOC). I understand that yes, this is suspicious, but with 1,199 other potential causes for black holing an IP address, I'm not convinced that MFU caused government to impost a black hole request on an arbitrary (and, if summary is to be believed, incomplete) set of ISPs.

Re:Hmmm... which one is more likely? (4, Informative)

Zocalo (252965) | about a year and a half ago | (#43426437)

The IP is held by a US-based hosting company (DimeNOC).

Well, there you go then; they didn't do their homework or were so desperate to save a buck or two they didn't care about their ISP's reputation. If you chose a cheap hosting deal on an ISP with a reputation for hosting spam, botnet controllers and other such sites while exercising an exceeding lax attitude to abuse reports, you can expect to have the odd issue like this. You get what you pay for applies to ISPs too - big surprise!

FWIW, DimeNOC is null routed here too, has been for sometime, and is unlikely to be unblocked anytime soon. No conspiracy required; the only traffic we ever saw coming from their IP space was spam, malicious or both, so dropping it at the border was a no brainer.

www.ahlualhaq.net also hosted on same IP (0)

Anonymous Coward | about a year and a half ago | (#43426303)

What's the betting some paranoid national security types reckon that's a "jihadi forum"?

Re:www.ahlualhaq.net also hosted on same IP (1)

crutchy (1949900) | about a year and a half ago | (#43427769)

jihadi

What's the bet that both of our IP addresses have now been added to a US national security blacklist and our posts recorded in the Utah data center.

Re:Hmmm... which one is more likely? (1)

Bill_the_Engineer (772575) | about a year and a half ago | (#43427145)

Hmmm... which is more likely? An utterly inoffensive group providing free education materials on the internet is the victim of a shadowy government conspiracy, or that one of the 1,200 other sites on the same IP did something sufficiently stupid as to attract govt. attention.

Dont forget that if it's like most community colleges the IP address was probably blacklisted due to DDOS attacks originating from infected campus computers.

I know I had to deal with DDOS attacks from computer labs at my university. My university ultimately fixed the problem by overwriting all the lab computers hard drives with a fresh image every other night at 3 am. Labs are open 24/7 and the students liked to test downloads out on lab computers before installing it on their own machine. I wouldn't be surprised that a small community college experienced the same problems but lacked the IT staff of a much larger institution.

Re:Hmmm... which one is more likely? (1)

Pav (4298) | about a year and a half ago | (#43429133)

NOTE: This list is in no way purposed to protect Australia from DDOS's etc... It's a censorship blacklist.

Yay Australia (0, Troll)

DeathToBill (601486) | about a year and a half ago | (#43426105)

Aren't I glad I left you.

Re:Yay Australia (1)

Anonymous Coward | about a year and a half ago | (#43426297)

Don't come back you cock-gobbling twat.

-Australia

Re:Yay Australia (1)

DeathToBill (601486) | about a year and a half ago | (#43426611)

Julia? Is that you?

What, slashdot? This exact comment has already been posted? Kind of the point...

Re:Yay Australia (0)

Anonymous Coward | about a year and a half ago | (#43426841)

No, I'm not your transexual girlfriend.

Re:Yay Australia (1)

crutchy (1949900) | about a year and a half ago | (#43427781)

so you're not tony abbott then

Re:Yay Australia (1)

aiht (1017790) | about a year and a half ago | (#43429235)

What, you think Tony Abbott has learned how to bang together two fingers and a keyboard?

Re:Yay Australia (1)

crutchy (1949900) | about a year and a half ago | (#43430487)

you are no doubt correct, but i'm sure he could use his taxpayer funded secretary to do it for him

Re:Yay Australia (0)

Anonymous Coward | about a year and a half ago | (#43428613)

Me too. The place is run by criminals.

Thank me (2, Informative)

Anonymous Coward | about a year and a half ago | (#43426413)

Hi. Stephen Conroy here. Labor party member. You morons need to know that when we, the government, block sites, its for your own good. Sure, we don't tell you about it, and we've probably blocked things like a dentists website, but really, what about the children?

IP Blocking is like... (0)

Anonymous Coward | about a year and a half ago | (#43426569)

One person from your town committed a crime so let's throw the whole town in jail

Never attribute to malice what can be explained (0)

Anonymous Coward | about a year and a half ago | (#43427053)

by incompetence.

Censorship Unlocked (0)

Anonymous Coward | about a year and a half ago | (#43427285)

How sweet it is for governments around the world that can't legally censor opposing views that with the consequences of virtual hosting all they have to do is find some alleged infringing site somewhere in the stack of sites hosted at the same IP as some news or political site they want to shut down. Hell, they could set up the site themselves and then order that IP blocked. Legal censorship unlocked and all they have to do is say, "whoops, we didn't mean to do that."

No worries (0)

tumutbound (549414) | about a year and a half ago | (#43427425)

Site is working OK for me

IPv6? (1)

Kaenneth (82978) | about a year and a half ago | (#43427449)

I'm guessing IPv6 eliminates any need to share IP addresses? or is there remaining technical reasons to do so? (I'm guessing a server class physical machine host 1200 unrelated IPv6 addresses)

Re:IPv6? (0)

Anonymous Coward | about a year and a half ago | (#43428621)

It looks like HTTP 2.0 will require a unique IP address for each domain name.

This will make IPv6 necessary to adopt HTTP 2.0. There aren't enough IPv4 addresses to have unique addresses.

Re:IPv6? (1)

kasperd (592156) | about a year and a half ago | (#43508671)

It looks like HTTP 2.0 will require a unique IP address for each domain name.

I hope this will be true. I dislike all the workarounds applied to stretch the supply of IPv4 addresses, and I dislike name based vhosts. I'd like to see HTTP 2.0 make both of those go away, and replace it with proper IPv6 setups.

Re:IPv6? (1)

kasperd (592156) | about a year and a half ago | (#43508663)

I'm guessing IPv6 eliminates any need to share IP addresses? or is there remaining technical reasons to do so?

There are technical reasons why you might want to share an IPv6 address between multiple websites. But those technical reasons can be addressed.

If we assume a webserver is hosting 1200 domains, what would happen if it was assigned a different IPv6 address for each of those domains? The answer depend on which technical solution you choose in order to do that.

The typical approach is that all of those IPv6 addresses are assigned out of the prefix on the link between the webserver and the router. Being on link, that means the router needs to perform neighbor discovery separately for each of those IPv6 addresses. The extra neighbor discovery traffic caused by this is not really a big deal, neither is the 0.1ms of extra latency when establishing a connection. But the router needs to store those entries in the neighbor table. If that table is implemented using CAM hardware for faster forwarding, it may have limited capacity.

So consuming CAM resources on the router is one possible technical reason why you might want to avoid having so many addresses.

There is a simple solution to that problem. Just use a routed prefix instead of the link prefix. If you route a prefix to the webserver, then the router just needs one routing table entry for that server instead of 1200 neighbor entries. Though a routing table entry may be more costly than one neighbor table entry, it is still cheaper than 100s of neighbor table entries.

I know of VPS providers, which don't want to assign routed prefixes to their customers. They might not yet have realized, that assigning routed prefixes can help saving resources for the provider.

Would assigning a separate routed /64 to every VPS be wasting too many IPv6 addresses? Not really, there is no way we are going to run out of /64s to assign from, as long as we are constrained to one solar system. If you really wanted to, you could make the link prefix /124 and only use a /64 for the routed prefix.

With the routed prefix in place for the webserver, the only place there could still be reasons for wanting to share an IPv6 address among multiple domains, would be in the software running on the server itself.

First of all, you'd typically need to tell the IPv6 stack in your kernel about each and every IPv6 address you want to use as a local IPv6 address of the server itself. If you wanted to use separate IPv6 addresses for each domain, you'd much rather be able to tell the kernel that you want it to treat an entire prefix like a /116 as local addresses for the server, and then allow the webserver to tell the kernel it want to bind a socket to say a /117 prefix rather than individual IPv6 addresses. I have no doubt those are features we will see in the future, if they haven't already been implemented by some kernels.

The lack of those features don't prevent you from actually assigning multiple addresses to your webserver. But the algorithms used by the kernel might not be tuned for this sort of usage. I wouldn't be surprised to hear about kernels, where CPU consumption is linear in the number of IPv6 addresses you have assigned. That could mean that the time it takes for the kernel to find out if a packet is meant for this machine goes up by a factor of 1200, potentially slowing your system to a crawl. And just configuring those addresses in the first place could take a while, as by each address you assign the CPU time needed to verify if it is new, goes up.

But a proper configuration with a routed prefix is possible today and will allow this to be done without wasting router resources, and after that it is just a minor tweak of the kernel on the server to support it efficiently. With those two in place, there are benefits to be had from assigning separate IPv6 addresses to each domain.

Australian network blocked, but... (0)

Anonymous Coward | about a year and a half ago | (#43427651)

Yair, my ISP runs through Telstra and it doesn't load. It's no problem, though - I just switched my proxy on and viewed it through Tor. I don't know why they bother.

The blocking by IP address can cause real problems (0)

Anonymous Coward | about a year and a half ago | (#43428339)

For example a couple of local restaraunts have there web sites at a site that McAfee chooses to block, because apparently it things the address is a dangerous one. The web sites in question just display menus and hours and the like.

Anti-DoS measure (0)

Anonymous Coward | about a year and a half ago | (#43428347)

It's nothing to do with censorship, it's the usual anti-DoS behaviour implemented by some US backbones and pretty much all Australian ISPs.

Dark clouds on the horizon (1)

dbIII (701233) | about a year and a half ago | (#43428985)

If you don't even get your own IP address it's not much of a surprise that somebody else's actions can turn your little bit of the cloud dark.
Bring on IPv6.

Re:Dark clouds on the horizon (1)

Anonymous Coward | about a year and a half ago | (#43429573)

^this. We made the decision this week to simply blanket block most cloud providers IP address ranges from accessing any of our hosted sites due to the constant scans, attacks and crawling of our sites from services people run up in their clouds.We are positive this will block some legimate traffic and sites, but really we think that is the lesser of two evils at this stage. These cloud providers are turning into festering rats nests of scammers, phishing sites, sites hosting malware and botnets etc etc. If they don't start cleaning the dogshit off their lawn more and more of the hosting providers are going to find they start losing access to critical services.

Other sites on that IP (1)

hugheseyau (2222722) | about a year and a half ago | (#43429117)

You can see all the sites on the IP address on one page here - http://viewdns.info/reverseip/?host=198.136.54.104&t=1 [viewdns.info] Easier than sameid.net.

Re:Other sites on that IP (1)

Wild Wizard (309461) | about a year and a half ago | (#43430621)

Well that is handy the number of .au sites is quite surprising surely other site owners would have noticed this block as well.

Optus looks fine, AAPT probably not (1)

Boltronics (180064) | about a year and a half ago | (#43429523)

I'm using Exetel which is a small ISP that relies on some of the much larger ISPs for infrastructure. My particular plan routes data via Optus, whereas the Exetel example given by the EEF blog post is by someone using a plan routed via AAPT. I can access the website without issue. iiNet at work is also fine.

I suspect this is not a request by the government to ISPs to block a particular site, mainly because I've read that Optus was happy to voluntarily block content - and they're not doing it. Not yet, at least.

Cool. (0)

Anonymous Coward | about a year and a half ago | (#43437857)

Cool Cool Cool ...mate.

Internet freedom (0)

Anonymous Coward | about a year and a half ago | (#43438285)

gosgog: That's me!
I was given to understand, the origin of the internet, was for various universities, colleges, etc., to freely communicate & exchange ideas and that this eventually (fairly rapidly) became open to the public world!
Now, it seems that as life progresses, Gov'ts have decided that they should have rules about it. This is theoretically being disputed, but in practical terms, various countries, the U.S., included, have put into effect some rules and have others being discussed and pending. NOW, GOV'TS ARE RUN BY POLITICIANS....THE VAST MAJORITY OF WHOM THE WORLD WOULD BE BETTER OFF NOT HAVING, AND WHO FOR THE MOST PART MAKE RULES WE COULD WELL LIVE WITHOUT.

annoucement (0)

Anonymous Coward | about a year and a half ago | (#43439013)

hi i am salma mir.
i have a blog today i updated it. visit my blog maybe you like it :0
if you like my work for appreciation like my posts. if any one want to know about my blog and any query you can contact me through my blog :)
http://kmasoftware.blogspot.com/

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?