Initial problem: curl http://dl-cdn.alpinelinux.org/ gets different
results inside our Comcast business-class network than from anywhere else
(tried geographically near and far, on Comcast and other ISPs).

Everywhere else on the planet:
$ dig +short dl-cdn.alpinelinux.org
dualstack.global.prod.fastly.net.
151.101.0.249
151.101.64.249
151.101.128.249
151.101.192.249

Inside our network:
$ dig +short dl-cdn.alpinelinux.org
74.121.125.9
74.121.125.8
$ dig +short @1.1.1.1 dl-cdn.alpinelinux.org # !!!
74.121.125.9
74.121.125.8
$ dig +short @8.8.8.8 dl-cdn.alpinelinux.org # !!!
74.121.125.9
74.121.125.8

DoH makes this a non-issue, so it's not a Cloudflare / DNS-based load
balancing thing:
$ cloudflared proxy-dns --port 12345 &
$ dig @127.0.0.1 +short -p 12345 dl-cdn.alpinelinux.org
dualstack.global.prod.fastly.net.
151.101.0.249
151.101.64.249
151.101.128.249
151.101.192.249

Seems likely to be "Comcast SecurityEdge," which we got around the same
time as the symptoms were noticed. Per [0], Akamai's "SPS Secure
Business" [1] is (at least part of) what's powering it. This is backed
up by the whois results for the hijacking IPs:
$ whois 74.121.125.8 | grep Organization
Organization: Akamai Technologies, Inc. (AKAMAI)
$ whois 74.121.125.9 | grep Organization
Organization: Akamai Technologies, Inc. (AKAMAI)

curling that IP from offsite also gets 403s with the same content, and
Shodan results [2, 3] show that they're not (really) running HTTPS,
which (assuming competent configuration, I suppose) reinforces the idea
that this is intended for MITM'd traffic. Also of note: the ISP Shodan
assigns to those IPs is SKYE, which appears to be an "Intelligent DNS"
product from Nominum [4], which Akamai acquired [5]. BGP records back
this up [6].
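The UDP-versus-DoH comparison above, turned into a check that can be run from any host (an added example, not code from the original post): it sends the same wire-format A query over plain UDP/53 to a public resolver and over DNS-over-HTTPS, parses both answers, and flags the name when the two address sets are disjoint, as they are in the captures above. Assumed: the cloudflare-dns.com RFC 8484 endpoint; the helper names are mine.

```python
import socket
import struct
import urllib.request

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query for an A record: 12-byte header (RD set), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg: bytes, off: int) -> int:  # offset just past a (possibly compressed) name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += length + 1

def parse_a_records(msg: bytes) -> set:
    """IPv4 addresses in the answer section; CNAME and other record types are skipped."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def udp_lookup(name: str, server: str, timeout: float = 3.0) -> set:  # plain UDP/53 path
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(4096))

def doh_lookup(name: str, url: str = "https://cloudflare-dns.com/dns-query") -> set:
    """RFC 8484 POST over HTTPS; the endpoint URL is an assumption, any DoH resolver works."""
    hdrs = {"content-type": "application/dns-message", "accept": "application/dns-message"}
    req = urllib.request.Request(url, data=build_query(name), headers=hdrs)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

def intercepted(plain: set, doh: set) -> bool:  # non-empty and disjoint: plaintext answer replaced
    return bool(plain) and bool(doh) and plain.isdisjoint(doh)

if __name__ == "__main__":
    doh = doh_lookup("dl-cdn.alpinelinux.org")
    for server in ("1.1.1.1", "8.8.8.8"):
        plain = udp_lookup("dl-cdn.alpinelinux.org", server)
        print(server, sorted(plain), "DoH:", sorted(doh), "INTERCEPTED" if intercepted(plain, doh) else "ok")
```

Disjoint sets are a signal rather than proof, since a CDN can legitimately hand different resolvers different addresses; the whois and BGP checks above are what tie the substituted answer to a specific party.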

[0]: http://archive.today/fASxW
[1]: http://archive.today/2aLcy
[2]: http://archive.today/ZMH6O
[3]: http://archive.today/1R18c
[4]: http://archive.today/gi21b
[5]: http://archive.today/hlH1S
[6]: http://archive.today/9rCOj