Received: from mail-40134.protonmail.ch (mail-40134.protonmail.ch [185.70.40.134])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 33AF8781901
	for <~alpine/infra@lists.alpinelinux.org>; Mon, 2 Mar 2020 23:11:41 +0000 (UTC)
Date: Mon, 02 Mar 2020 23:11:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=remexre.xyz; s=protonmail; t=1583190700;
	bh=aTrI70YgCJ7KtmejfR0tJ2huBRJkAHWebuZEyRfHjL8=;
	h=Date:To:From:Reply-To:Subject:Feedback-ID:From;
	b=rxXDYgw8mEXHe/6prt/3pEK3mz6wGmxHvhl7IYqYD7DCMgFexyvex/3V7Clmoub/d LA4vtM/WmZf3WVFT/s+EeobamJHCxXmIGDx2BEzyMGv7ehwDH5W/HWKjIv4fNa+BTI Ibwz76lrV81glFSKqWqZ93fKkh/oCvYON9kh0l9M=
To: "~alpine/infra@lists.alpinelinux.org" <~alpine/infra@lists.alpinelinux.org>
From: remexre
Reply-To: remexre
Subject: Comcast blocks Alpine CDN
Message-ID:
Feedback-ID: 79Rapa0j15PPAPbHAOm8huJBsHT7ICMZgVQdrckxjbOiloEW9eSZkPmtcuEAo94pqR47CmVSrydx2xr2ujXNtg==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=2.0 required=7.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FROM_SUSPICIOUS_NTLD,
	FROM_SUSPICIOUS_NTLD_FP,PDS_OTHER_BAD_TLD shortcircuit=no
	autolearn=disabled version=3.4.4
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mail.protonmail.ch

Initial problem: curl http://dl-cdn.alpinelinux.org/ gets different results inside our Comcast business-class network from anywhere else (tried geographically near and far, on Comcast and other ISPs).

Everywhere else on the planet:

$ dig +short dl-cdn.alpinelinux.org
dualstack.global.prod.fastly.net.
151.101.0.249
151.101.64.249
151.101.128.249
151.101.192.249

Inside our network:

$ dig +short dl-cdn.alpinelinux.org
74.121.125.9
74.121.125.8
$ dig +short @1.1.1.1 dl-cdn.alpinelinux.org # !!!
74.121.125.9
74.121.125.8
$ dig +short @8.8.8.8 dl-cdn.alpinelinux.org # !!!
74.121.125.9
74.121.125.8

DoH makes this a non-issue, so it's not a Cloudflare / DNS-based load balancing thing:

$ cloudflared proxy-dns --port 12345 &
$ dig @127.0.0.1 +short -p 12345 dl-cdn.alpinelinux.org
dualstack.global.prod.fastly.net.
151.101.0.249
151.101.64.249
151.101.128.249
151.101.192.249

Seems likely to be "Comcast SecurityEdge," which we got around the same time as the symptoms were noticed. Per [0], Akamai's "SPS Secure Business" [1] is (at least part of) what's powering it. This is backed up by the whois results for the hijacking IPs:

$ whois 74.121.125.8 | grep Organization
Organization:   Akamai Technologies, Inc. (AKAMAI)
$ whois 74.121.125.9 | grep Organization
Organization:   Akamai Technologies, Inc. (AKAMAI)

curling that IP from offsite also gets 403's with the same content, and Shodan results [2, 3] show that they're not (really) running HTTPS, which (assuming competent configuration, I suppose) reinforces the idea that this is intended for MITM'd traffic.

Also of note: the ISP Shodan assigns to those IPs is SKYE, which appears to be an "Intelligent DNS" product from Nominum [4], which Akamai acquired [5]. BGP records back this up [6].

[0]: http://archive.today/fASxW
[1]: http://archive.today/2aLcy
[2]: http://archive.today/ZMH6O
[3]: http://archive.today/1R18c
[4]: http://archive.today/gi21b
[5]: http://archive.today/hlH1S
[6]: http://archive.today/9rCOj
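The diagnosis above follows a reusable pattern: query the same name through the network's default resolver, through public resolvers addressed directly by IP, and through an encrypted channel (DoH), then compare. When every plain-UDP path agrees on one answer and the encrypted path returns another, the disagreement is on the network path, not in any single resolver. The following script is an added example, not part of the original post or of any Alpine or Comcast tooling; it turns that comparison into detection logic that runs over `dig +short`-style output. The sample outputs are constructed to match the shapes quoted in the message, and the resolver labels (`default`, `doh:127.0.0.1:12345`) are assumed names used only for illustration.

```python
"""Flag on-path DNS interception by comparing resolver answers.

Added example (not from the original post). Feeds `dig +short` output from
several resolvers into a comparison against one trusted answer obtained over
an encrypted channel, and reports which plain-DNS paths disagree with it.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample output in the shape of `dig +short <name>`; the
# addresses and CNAME are the ones quoted in the mailing-list message.
SAMPLE_ANSWERS: Dict[str, str] = {
    "default": "74.121.125.9\n74.121.125.8\n",
    "1.1.1.1": "74.121.125.9\n74.121.125.8\n",
    "8.8.8.8": "74.121.125.9\n74.121.125.8\n",
    "doh:127.0.0.1:12345": (
        "dualstack.global.prod.fastly.net.\n"
        "151.101.0.249\n151.101.64.249\n151.101.128.249\n151.101.192.249\n"
    ),
}


def parse_dig_short(output: str) -> Tuple[List[str], Set[ipaddress._BaseAddress]]:
    """Split `dig +short` output into (CNAME targets, address records)."""
    cnames: List[str] = []
    addrs: Set[ipaddress._BaseAddress] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            # Anything that is not an address is a CNAME target.
            cnames.append(line)
    return cnames, addrs


def analyse(answers: Dict[str, str], trusted: str) -> dict:
    """Compare each resolver's answer against the trusted (encrypted) one.

    A resolver is reported as intercepted when its address set differs from
    the trusted set. `cname_dropped` records the tell-tale where the CDN's
    CNAME chain is missing and a bare A record is returned in its place.
    """
    trusted_cnames, trusted_addrs = parse_dig_short(answers[trusted])
    findings: dict = {"trusted": trusted, "intercepted": [], "clean": []}
    for name, raw in answers.items():
        if name == trusted:
            continue
        cnames, addrs = parse_dig_short(raw)
        if addrs != trusted_addrs:
            findings["intercepted"].append({
                "resolver": name,
                "addrs": sorted(str(a) for a in addrs),
                "cname_dropped": bool(trusted_cnames) and not cnames,
            })
        else:
            findings["clean"].append(name)

    # If every plain-DNS path, including resolvers reached directly by IP,
    # returns the same wrong answer, the rewrite is happening on the network
    # path rather than inside one misbehaving resolver.
    wrong_sets = {tuple(f["addrs"]) for f in findings["intercepted"]}
    findings["path_level_interception"] = (
        bool(findings["intercepted"]) and not findings["clean"] and len(wrong_sets) == 1
    )
    # Addresses worth looking up with whois / BGP data, as the post did.
    findings["unexpected_addrs"] = sorted(wrong_sets.pop()) if len(wrong_sets) == 1 else []
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_ANSWERS, trusted="doh:127.0.0.1:12345")
    print("path-level interception:", result["path_level_interception"])
    for finding in result["intercepted"]:
        print(f"  {finding['resolver']}: {finding['addrs']} "
              f"(CNAME dropped: {finding['cname_dropped']})")
    print("addresses to look up:", result["unexpected_addrs"])
```

In practice the `answers` dict is filled from live `dig +short` runs against each resolver, with the trusted entry coming from a local DoH or DoT forwarder such as the `cloudflared proxy-dns` listener in the message. A single resolver disagreeing points at that resolver; all of them disagreeing while the encrypted path is clean, with the CNAME chain stripped, is the signature of an in-path rewrite.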