routing - What can I do about my site being blocked by a particular server?

06
2014-04
  • Mark

    One of my websites is inaccessible via certain ISPs. I ran a trace route and I can see where it stops. Looks like it's owned by the ISP. Is there anything I can do about this? Can the hosting provider do anything? Do I have to call the ISP and ask if they can/will do anything about it?

    • Answers
  • davidgo

    There is, unfortunately no easy answer to the problem, and the answer is very much "it depends" - basically it depends on your ISP, the provider thats blocking the traffic and the reason for the block.

    A good first step is to communicate reasonable detailed information to both your ISP and your hosting provider - Your hosting provider is paying for a service (and you are paying them), so they have some leverage and probably SLA's and the like. Of-course, the more budget the host the less this helps you.

    You do want to try and do "traceroutes" in both directions to see whats going on and provide them to the provider - this is the minimum information they need. Using MTR is generally a better solution as it shows packet loss as well.

    That said, it may be easier just to migrate the site to a different ISP - or get another IP address from your current provider which is not blocked - beware of "bad neighbourhoods" though.

    Another "work-arround" (which may defeat the purpose) might be to put in a reverse proxy at another site and then pointing the DNS to it and proxying to the real provider. Its probably overkill though, but could be useful if you need to move the site, or to circumvent certain reachability issues.


    • Related Question

    networking - How to block/avoid a particular IP when connecting to websites?
  • Mark

    I'm having trouble connecting to a particular website. I can view it through a proxy, but not from home. So I ran a traceroute:

    Tracing route to fvringette.com [76.74.225.90]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  <snip>
  2     *        *        *     Request timed out.
  3     9 ms     7 ms    27 ms  rd2bb-ge2-0-0-22.vc.shawcable.net [64.59.146.226]
  4     8 ms     7 ms     7 ms  rc2bb-tge0-9-2-0.vc.shawcable.net [66.163.69.41]
  5    10 ms     9 ms     9 ms  rc2wh-tge0-0-1-0.vc.shawcable.net [66.163.69.65]
  6    27 ms    23 ms    22 ms  ge-gi0-2.pix.van.peer1.net [206.223.127.1]
  7    18 ms    18 ms    20 ms  10ge.xe-0-2-0.van-spenc-dis-1.peer1.net [216.187.89.206]
  8     9 ms    11 ms    10 ms  64.69.91.245
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
...

    Looks like this "64.69.91.245" is somehow blocking me. Can I tell my computer to avoid/bypass that IP when trying to connect?


    • Related Answers
  • squircle

    For one, I can load the site fine. See the route:

    0 04:35:23pm ~ $ mtr -4 --report fvringette.com
HOST: Defcon.local                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. woodcrest.local               0.0%    10    0.6   0.5   0.4   0.8   0.1
  2. bas1-oakville30_lo0_SYMP.net  0.0%    10   14.0  16.1  13.1  31.2   5.4
  3. core1-hamilton14_10-0-3_150.  0.0%    10   13.3  12.8  11.6  15.7   1.1
  4. newcore1-chicago23_so2-0-0.n  0.0%    10   23.6  31.4  23.6  66.3  16.0
  5. bx5-chicagodt_xe-0-0-3_0.net  0.0%    10   24.7  24.6  23.2  28.5   1.6
  6. ge-3-2-4.chi10.ip4.tinet.net  0.0%    10   26.7  26.9  26.3  28.0   0.5
  7. xe-2-0-0.sea11.ip4.tinet.net  0.0%    10  107.0 106.8 106.0 107.5   0.4
  8. peer1-gw.ip4.tinet.net        0.0%    10   83.9  83.9  83.6  84.6   0.3
  9. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
 10. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
 11. 64.69.91.245                  0.0%    10   88.6  87.9  87.1  88.6   0.6
 12. van-hc21e-cs1.wappyzappy.net 10.0%    10   88.7  88.0  87.4  88.7   0.5

    It would appear that (somehow) the two nodes, 9 & 10 in my route, are either blocking ICMP packets or have some other form of network voodoo implemented. It could be that when you were accessing the site through the proxy, you were accessing some cached version when the website was really down, who knows. The fact that there is 100% packet loss in nodes 9 & 10 is odd, but since I can (obviously) reach the site, it doesn't appear that 64.69.91.245 (Peer1 Internet Bandwidth & Server Co-Location Facilities, 2155-500 West Hastings St., Vancouver) is doing anything to block any traffic (in all likelihood, they are just ignoring ICMP packets).

    To more directly answer your question, it's pretty much impossible to define your own route to a site. Since (I would assume) all packets would pass through that address at one point or another to get to the actual host (as it's the external IP of the datacentre the servers are hosted in), there would be no route around it. Once your packet gets outside of your router, it's up to Shaw what route your packet takes; you have no control whatsoever. Hope that helps a bit!

  • raw_noob

    I think you can do this by forcing a particular IP routing using the route add command at the command prompt, but it will take a better man than I am to explain exactly how. You might do a search on 'add a static IP route' or 'force IP routing' to get some idea. I don't know if you can block a specific node, but I wouldn't be surprised if you can. Forcing a specific route that avoids the node would be the alternative.

  • Blackbeagle

    Are you going to a site that is somehow geographically restricted? There are sites that will only accept traffic from certain regions and if your IP address is not within their allowed list, the packets may be eaten. The reason I'm asking is that you said you can access through a proxy.