Peter Eckersley's homepage

Australian Networks Censor Community Education Website

By Danny O'Brien, Eva Galperin, and Peter Eckersley
Published on 2013-04-11, on the EFF blog.

UPDATE 2013-04-12: Apparently as a result of this blog post, social media attention, and questions from the Australian Greens to the Australian Federal Attorney General's Department, the block has been lifted. But there has not yet been any explanation of why these 1,200 sites were blocked in the first place.

EFF has long opposed Australia's Internet censorship schemes, warning that even the voluntary filtering that has been implemented by Australia's largest ISPs, Telstra and Optus, lacks transparency and accountability, and could lead to collateral damageaccidental censorship of websites that are not violating the law in any way. A dramatic example of such collateral damage appears to be occuring at the moment.

EFF was recently contacted by the organisers of a community group called the Melbourne Free University (MFU) because their site appears to have been blocked or censored by Australian network operators, possibly at the request of the Australian government. Users from some (but not all) Australian ISPs have been unable to reach the Melbourne Free University site since Thursday the 4th of April. An employee of one of the affected ISPs told MFU by email that the site was blocked as a result of an order from the Australian government, but was unable to say more. Research by EFF and MFU, and discussion amongst Australian network operators, confirms that the IP address has been black holed by a number of Australian ISPs, preventing access to more than 1,200 websites including the Melbourne Free University (multiple websites sharing a single IP address is common due to virtual hosting).

The causes for the block are currently unknown. Speculation by the Australian networking community has included criminal investigations, action by ASIC, or DDOS mitigation. Unusually, a representative of one of the blackholing ISPs, AAPT, would only state that "in regard to this issue, this IP address has been blocked". Under conditions where the cause was to protect the functioning of the Internet, such as to combat a denial-of-service attack, one would expect the ISP to clearly describe the reasons for the temporary filter to better assist other network operators. It would be surprising if the cause was Australia's nascent Internet censorship system as that is reported to operate with DNS rather than IP blocks.

Whatever the reason for the IP black hole, it is extremely unlikely that they justify the reckless censorship of 1,200 sites for Australian Internet users, and very disturbing that the true reasons have not been made public after many days of requests from the affected parties. Decisions that affect the global connectivity of the Internet should be made transparently, whether they are made in the offices of ISPs, or in the courts and corridors of government.

In the mean time, Australian Internet users who are affected by it can install Tor to access affected websites.

Some Technical Info on the Black Hole

A typical traceroute from an affected ISP looks like this:

> $ traceroute www.melbournefreeuniversity.org
> traceroute to melbournefreeuniversity.org (198.136.54.104), 64 hops max, 40
> byte packets
>  1  XXXXXXXXXXXXX (192.168.1.254)  1 ms  1 ms  1 ms
>  2  XXX.XXX.96.58.static.exetel.com.au (58.96.XXX.XXX)  18 ms  19 ms  18 ms
>  3  33.2.96.58.static.exetel.com.au (58.96.2.33)  19 ms  18 ms  19 ms
>  4  pe-5017370-mburninte01.gw.aapt.com.au (203.174.186.73)  24 ms  20 ms
> 20 ms
>  5  te3-3.mburndist01.aapt.net.au (203.131.61.30) [MPLS: Label 190 Exp 1]
> 35 ms  35 ms  31 ms
>  6  te0-3-4-0.mburncore01.aapt.net.au (202.10.12.15) [MPLS: Label 17412 Exp
> 1] More labels  31 ms More labels  31 ms More labels  30 ms
>  7  bu2.sclarcore01.aapt.net.au (202.10.10.74) [MPLS: Label 16702 Exp 1]
> More labels  49 ms More labels  32 ms More labels  31 ms
>  8  te2-2.sclardist01.aapt.net.au (202.10.12.2) [MPLS: Label 895 Exp 1]  31
> ms  32 ms  33 ms
>  9  * po6.sclarbrdr01.aapt.net.au (202.10.14.3)  30 ms *
> 10  * * *
> 11  * * *

Packets for the MFU website, which is hosted in the US, never make it out of Australian networks. For comparison, a traceroute from an Australian university where censorship is not present looks like this:

$ traceroute www.melbournefreeuniversity.org
traceroute to www.melbournefreeuniversity.org (198.136.54.104), 30 hops
max, 60 byte packets
 1  128.250.XXX.XXX (128.250.XXX.XXX)  0.731 ms  0.825 ms *
 2  172.18.XXX.XXX (172.18.XXX.XXX)  0.731 ms  0.713 ms  0.694 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  ge-7-1-0.bb1.a.syd.aarnet.net.au (202.158.194.242)  12.984 ms  13.037
ms  13.030 ms
 9  xe-0-0-0.bb1.b.sea.aarnet.net.au (202.158.194.121)  155.554 ms  155.514
ms  155.491 ms
10  * * *
11  * * *
12  ae-32-52.ebr2.Seattle1.Level3.net (4.69.147.182)  240.518 ms * *
13  * * *
14  * * *
15  ae-2-2.ebr2.Dallas1.Level3.net (4.69.132.106)  238.357 ms  238.176 ms
 238.409 ms
16  ae-92-92.csw4.Dallas1.Level3.net (4.69.151.165)  255.044 ms
ae-62-62.csw1.Dallas1.Level3.net (4.69.151.129)  242.661 ms
ae-82-82.csw3.Dallas1.Level3.net (4.69.151.153)  241.341 ms
17  ae-73-73.ebr3.Dallas1.Level3.net (4.69.151.146)  240.255 ms
ae-63-63.ebr3.Dallas1.Level3.net (4.69.151.134)  238.899 ms
ae-83-83.ebr3.Dallas1.Level3.net (4.69.151.158)  236.614 ms
18  ae-7-7.ebr3.Atlanta2.Level3.net (4.69.134.22)  240.434 ms  239.945 ms
 241.744 ms
19  ae-63-63.ebr1.Atlanta2.Level3.net (4.69.148.242)  241.140 ms  241.238
ms  241.278 ms
20  ae-1-8.bar1.Orlando1.Level3.net (4.69.137.149)  238.578 ms  238.914 ms
 238.484 ms
21  ten-7-4.edge1.level3.mco01.hostdime.com (67.30.140.198)  243.929 ms
 244.469 ms  243.938 ms
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

$ sudo traceroute -T -p 80 www.melbournefreeuniversity.org
traceroute to www.melbournefreeuniversity.org (198.136.54.104), 30 hops
max, 44 byte packets
1 128.250.XXX.XXX (128.250.XXX.XXX) 0.476 ms 0.585 ms 0.581 ms
2 172.18.XXX.XXX (172.18.XXX.XXX) 0.729 ms 0.734 ms *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 so-0-1-0.bb1.a.syd.aarnet.net.au (202.158.194.34) 14.958 ms 14.951 ms
14.998 ms
9 xe-0-0-0.bb1.b.sea.aarnet.net.au (202.158.194.121) 156.501 ms 156.522
ms 156.499 ms
10 * * *
11 * * *
12 * * *
13 ae-2-2.ebr2.Denver1.Level3.net (4.69.132.54) 240.604 ms * *
14 * * ae-1-100.ebr1.Denver1.Level3.net (4.69.151.181) 238.874 ms
15 * ae-2-2.ebr2.Dallas1.Level3.net (4.69.132.106) 239.695 ms 239.757 ms
16 ae-72-72.csw2.Dallas1.Level3.net (4.69.151.141) 238.391 ms
ae-62-62.csw1.Dallas1.Level3.net (4.69.151.129) 243.191 ms
ae-92-92.csw4.Dallas1.Level3.net (4.69.151.165) 240.982 ms
17 ae-83-83.ebr3.Dallas1.Level3.net (4.69.151.158) 239.423 ms
ae-63-63.ebr3.Dallas1.Level3.net (4.69.151.134) 240.658 ms
ae-93-93.ebr3.Dallas1.Level3.net (4.69.151.170) 242.555 ms
18 ae-7-7.ebr3.Atlanta2.Level3.net (4.69.134.22) 242.528 ms 242.706 ms
242.316 ms
19 ae-63-63.ebr1.Atlanta2.Level3.net (4.69.148.242) 243.530 ms 243.745
ms 237.970 ms
20 ae-1-8.bar1.Orlando1.Level3.net (4.69.137.149) 243.341 ms 245.715 ms
236.782 ms
21 ten-7-4.edge1.level3.mco01.hostdime.com (67.30.140.198) 239.822 ms
241.864 ms 238.934 ms
22 active.host-care.com (198.136.54.104) 240.094 ms 240.135 ms 240.132
ms

Other websites using the same IP address ( including karenleefield.com, moneysaveuk.com , fmachennai.org , smartandfrank.com, and kohchangpoolvillas.com) demonstrate similar behavior.

A BGP query to looking glass server at an affected Australian backbone ISP shows the black hole as an abnormal route to the destination IP:

 Router: Sydney
Command: show ip bgp 198.136.54.104 255.255.255.0 longer

BGP table version is 146982471, local router ID is 203.63.80.155
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 198.136.54.104/32
192.0.2.1 0 101 32768 ?

← Home