Comcast blocks Alpine CDN

Initial problem: curl http://dl-cdn.alpinelinux.org/ gets different
results inside our Comcast business-class network from anywhere else
(tried geographically near and far, on Comcast and other ISPs).

Everywhere else on the planet:

    $ dig +short dl-cdn.alpinelinux.org

Inside our network:

    $ dig +short dl-cdn.alpinelinux.org
    $ dig +short @ dl-cdn.alpinelinux.org # !!!
    $ dig +short @ dl-cdn.alpinelinux.org # !!!

DoH makes this a non-issue, so it's not a Cloudflare / DNS-based load
balancing thing:

    $ cloudflared proxy-dns --port 12345 &
    $ dig @ +short -p 12345 dl-cdn.alpinelinux.org

Seems likely to be "Comcast SecurityEdge," which we got around the same
time as the symptoms were noticed. Per [0], Akamai's "SPS Secure
Business" [1] is (at least part of) what's powering it. This is backed
up by the whois results for the hijacking IPs:

    $ whois | grep Organization
    Organization:   Akamai Technologies, Inc. (AKAMAI)

    $ whois | grep Organization
    Organization:   Akamai Technologies, Inc. (AKAMAI)

curling that IP from offsite also gets 403s with the same content, and
Shodan results [2, 3] show that they're not (really) running HTTPS,
which (assuming competent configuration, I suppose) reinforces the idea
that this is intended for MITM'd traffic. Also of note: the ISP Shodan
assigns to those IPs is SKYE, which appears to be an "Intelligent DNS"
product from Nominum [4], which Akamai acquired [5]. BGP records back
this up [6].

[0]: http://archive.today/fASxW
[1]: http://archive.today/2aLcy
[2]: http://archive.today/ZMH6O
[3]: http://archive.today/1R18c
[4]: http://archive.today/gi21b
[5]: http://archive.today/hlH1S
[6]: http://archive.today/9rCOj
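The comparison the message walks through (system resolver vs. the ISP's resolvers vs. a DoH proxy) can be scripted so it is repeatable and so CNAME lines in `dig +short` output do not confuse the diff. The code below is an added example, not part of the original post or of any Alpine or Comcast tooling. The `dig_short` wrapper, the resolver labels, and every address in the constructed sample answers (RFC 5737 documentation ranges standing in for the stripped IPs) are assumptions of this example; only the `dig +short`, `@server`, `-p port` and `cloudflared proxy-dns --port` invocations come from the message.

```python
"""Compare `dig +short` answers from several resolvers against a DoH reference.

Added example (not from the original post). Resolver labels and all IP
addresses in SAMPLE_ANSWERS are constructed stand-ins from the RFC 5737
documentation ranges, not the real answers that were stripped from the mail.
"""
import ipaddress
import subprocess
from typing import Dict, Optional, Set


def parse_dig_short(output: str) -> Set[str]:
    """Return the set of addresses in `dig +short` output.

    When the queried name is a CNAME, `dig +short` prints the CNAME target(s)
    first and the A/AAAA records last, so any line that does not parse as an
    IP address (CNAME targets, blank lines) is skipped.
    """
    addrs: Set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # CNAME target or other non-address line
    return addrs


def dig_short(name: str, server: Optional[str] = None, port: int = 53) -> Set[str]:
    """Hypothetical wrapper: run `dig +short NAME [@SERVER -p PORT]` and parse it.

    Pass the cloudflared proxy (server="127.0.0.1", port=12345 after
    `cloudflared proxy-dns --port 12345 &`) to get the DoH reference answer.
    Needs network access and `dig`; it is not exercised by the offline demo.
    """
    cmd = ["dig", "+short", name]
    if server:
        cmd += [f"@{server}", "-p", str(port)]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_dig_short(out)


def find_divergent(answers: Dict[str, Set[str]], reference: str) -> Dict[str, Set[str]]:
    """Report, per resolver, the addresses it returned that REFERENCE did not.

    ANSWERS maps a resolver label to the address set it returned; REFERENCE is
    the label of the resolver believed to be outside the ISP's interception
    path (here the DoH proxy). A resolver whose answers are a subset of the
    reference's (a CDN rotating through its pool) is not reported; only
    addresses the reference never returned are, since those are the
    candidates for a `whois` lookup.
    """
    ref = answers[reference]
    return {
        label: addrs - ref
        for label, addrs in answers.items()
        if label != reference and (addrs - ref)
    }


# Constructed sample: what `dig +short dl-cdn.alpinelinux.org` might print from
# each vantage point. Addresses are documentation-range placeholders.
SAMPLE_OUTPUT = {
    "doh-cloudflared": "dl-cdn.alpinelinux.org.cdn.example.\n203.0.113.5\n203.0.113.6\n",
    "system-resolver": "198.51.100.10\n198.51.100.11\n",
    "isp-resolver-1":  "198.51.100.10\n",
    "offsite-resolver": "203.0.113.5\n",
}
SAMPLE_ANSWERS = {label: parse_dig_short(out) for label, out in SAMPLE_OUTPUT.items()}


def demo() -> Dict[str, Set[str]]:
    """Run the comparison over the constructed sample and return the report."""
    return find_divergent(SAMPLE_ANSWERS, "doh-cloudflared")


if __name__ == "__main__":
    for label, addrs in sorted(demo().items()):
        print(f"{label}: not in DoH answer -> {', '.join(sorted(addrs))}")
```

On the constructed sample, the two resolvers reachable only from inside the network are flagged with the placeholder addresses, while the offsite resolver, which returned a subset of the DoH answer, is not; the flagged addresses are the ones to feed to `whois | grep Organization` as in the message.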