[HN Gopher] Cloudflare misidentifies Hetzner IPs as being locate...
       ___________________________________________________________________
        
       Cloudflare misidentifies Hetzner IPs as being located in Iran
        
       Author : doruk101
       Score  : 110 points
       Date   : 2024-09-18 20:46 UTC (2 hours ago)
        
 (HTM) web link (gitlab.com)
 (TXT) w3m dump (gitlab.com)
        
       | preisschild wrote:
       | Yeah, google does it too. I could not use certain Hetzner IPs to
       | download container image on my kubernetes nodes at all. Even the
| official registry.k8s.io registry is hosted on Google Cloud
| Services and basic stuff like the pause image can't be pulled.
        
         | kodama-lens wrote:
| I can confirm this. All Google container registries, including
| the official k8s repos, are inaccessible via some Hetzner IPv4
| domains.
| 
| There is a GitHub issue that also covers the problem and it
| states you should report those IPs to their support. I did, but
| support says they can't do anything until the IP region list is
| updated.
         | 
| IPv6 as a workaround is also difficult because some of the
| images I need are on GitHub and they are still not IPv6
| accessible.
        
         | Jach wrote:
| Google's IP-to-location mapping is so bad it has to be
| intentional. I was in Japan and using my home network as a VPN
| quite a bit; after a while Google decided my home Comcast IP
| had to be located in Japan. Even though others in the household
| were still there, they started getting default-Japanese pages
| on google/maps/youtube/... It didn't fix itself until a
| couple of weeks after I got home, even though I filled out
| https://support.google.com/websearch/contact/ip
        
           | ipaddr wrote:
| They fingerprint your browser. You need to VPN to your home
| and serve from your US browser, not tunnel traffic back to
| your Japan machine.
        
       | 38 wrote:
       | I mean, so? Why should it matter where they are located?
        
         | tyree731 wrote:
         | You may be surprised to discover that services will filter
         | traffic by location.
        
           | themoonisachees wrote:
| In my previous jobs we didn't have any business in China, and
| banning all its IP ranges was a cheap and easy strategy to remove
| 50% of unsuccessful login attempts.
        
         | reisse wrote:
         | A lot of US resources ban traffic outside the US. Or, at least,
         | from "suspicious" or "sanctioned" locations. Some ban EU due to
         | GDPR.
         | 
| You never know such things when you are in the US though...
        
           | dathinab wrote:
| But the traffic is _clearly coming from Germany_; the issue
| is that Cloudflare/Google have tagged certain IP addresses as
| Iranian no matter where the traffic actually originates from.
        
             | reisse wrote:
             | > but the traffic is _clearly coming from Germany_
             | 
             | How do you know that if the only thing you see on the
             | receiving side is an IP address, which is marked as
             | Iranian?
        
         | VWWHFSfQ wrote:
| My servers ban huge swaths of IPs from certain places that
| originate enormous amounts of spam, scanners, and other
| nefarious traffic. It's very effective.
        
           | FredPret wrote:
| Sturgeon's law [0] applies to all sorts of things, including
| web visitors.
           | 
           | [0] https://en.m.wikipedia.org/wiki/Sturgeon%27s_law
        
           | Fokamul wrote:
| So you ban the US and China, aka the two places where most spam,
| DDoS and malware is coming from. Right?
        
             | VWWHFSfQ wrote:
             | China yes
        
           | ajsnigrutin wrote:
           | So, all the cloud, vps, and hosting providers?
        
         | Dalewyn wrote:
         | US sanctions prohibit transfer of goods, technologies,
         | information, etc. to Iran.
         | 
         | As a company, this means BSTS (better safe than sorry) CYA
         | (cover your ass) measures for good or worse.
        
           | Narhem wrote:
           | Curiosity may get me on this one, but is sharing information
           | (such as this post/comment) an example of transfer of
           | information (to potentially all countries)?
        
             | rockemsockem wrote:
             | Yes. Which is why you can't post ITAR information online.
             | 
             | Edit: it also wouldn't surprise me if hacker news blocks
             | traffic from Iran.
        
         | greyface- wrote:
         | It's the interpretation of some cloud providers that exchanging
         | datagrams with entities in OFAC-sanctioned countries
         | constitutes a prohibited transaction.
        
           | londons_explore wrote:
           | Which is plainly stupid.
           | 
| They should interpret the law to mean "We will treat every
| request from Iran as a non-paying customer, and won't offer
| anything outside the free tier."
| 
| Even if that isn't the way it was _written_, it is plain that
| it falls within the _intent_ of the law, and is beneficial to
| US businesses.
        
             | cute_boi wrote:
| Do you think the people who make rules and legislation are
| that smart?
        
               | londons_explore wrote:
               | No, but I expect the judges who interpret the law to see
               | that.
               | 
| No judge will send a Google employee to prison because
| someone located in Iran managed to download a copy of the
| Docker image for Alpine Linux from the Google/Amazon
| container registry...
        
             | golergka wrote:
| Isn't the intent of sanctions to weaken the adversary?
| Providing services, even free-tier (or, maybe, especially
| so), to sanctioned countries is exactly the opposite of
| that.
        
               | londons_explore wrote:
| It makes US service providers, like Google and Amazon,
| very unattractive for businesses that require worldwide
| coverage, for example Wikipedia.
| 
| I would argue that for unpaid services (for example
| serving up web content), we should not be applying
| sanctions. Those specific sanctions are so easy for the
| Iranians to work around (VPN), and so damaging to our
| businesses (no worldwide service).
        
               | golergka wrote:
               | > It makes US service providers, like Google and Amazon,
               | very unattractive for businesses that require worldwide
               | coverage
               | 
               | You know what is much more unattractive to these
               | businesses? Getting on the wrong side of the US
               | government. And honestly, I don't see any business
               | (except for ones in Russia, China and Iran) changing
               | provider because they don't provide service to Iran.
               | 
               | > damaging to our businesses (no worldwide service)
               | 
| I'm confused: are you arguing here for allowing free-tier
| services under the sanction regime, or for getting rid of
| sanctions against Iran altogether? If it's the latter,
| then the argument is self-consistent. But if it's the
| former, then you're effectively saying that an American
| business which currently doesn't provide any services to
| Iranian customers would instead prefer to provide free-
| tier services for them without any way to get them to a
| paid tier, and that doesn't make any sense. If you know
| that users from a certain region would always be at 0%
| conversion, you would get nothing by providing them with
| a free tier.
        
               | londons_explore wrote:
| Imagine Wikipedia was looking for new hosting.
| 
| They consider Google Cloud, but then reject it because
| GCP cannot serve users in Iran, and Wikipedia's policy is
| to be globally available.
| 
| Google loses worldwide revenue from all of Wikipedia.
| 
| (I have met multiple companies who have dismissed GCP for
| this reason. Even companies with no current business in
| Iran might one day want to expand there, so they don't want to
| make infrastructure choices which lock them out.)
        
               | input_sh wrote:
               | The adversary is the government and businesses associated
               | with the government, not all of the 90 million people
               | living in Iran.
        
             | FredPret wrote:
             | How is it stupid?
             | 
             | You de-risk your enterprise significantly by cutting Iran
             | out completely, and you only lose the handful of dollars
             | this would've translated into down the road.
             | 
             | Some customers aren't worth having.
        
           | Animats wrote:
           | The actual sanctions are complicated.[1]
           | 
           | There's a big list of allowed Internet activity between the
           | US and Iran.[2] It is explicitly US policy to _not_ cut off
           | Iran from the Internet. The State Department wants people in
           | Iran to get info from the outside world. However, the US does
           | not allow US domain registrations or web hosting  "for or on
           | behalf of the Government of Iran".
           | 
           | The Office of Foreign Assets Control can be queried for case
           | by case info. That's appropriate here.
           | 
           | [1] https://www.ecfr.gov/current/title-31/subtitle-B/chapter-
           | V/p...
           | 
           | [2] https://www.ecfr.gov/current/title-31/subtitle-B/chapter-
           | V/p...
        
       | greyskull wrote:
       | Might be pertinent to suffix this with (2023), though I see there
       | are still recent replies
        
         | jkaplowitz wrote:
         | It's a still-unresolved issue as far as I know; the linked
         | ticket was only closed last year because Gitlab has no control
         | over it as long as they want to continue using Cloudflare. The
         | companies which do have control over it have not fixed it so
         | far.
        
       | tgma wrote:
       | My theory is lots of people who want to circumvent Iranian
       | internet censorship rely on tunnels/VPNs hosted on Hetzner, which
       | correlates those IPs with `Accept-Language: fa` and GPS locations
       | collected from Android or other similar behavior.
        
         | Alex-Programs wrote:
         | Yeah, I had the same theory when Google did this with a free-
         | tier VPN IP that was in Turkey. It claimed I was in Tehran -
         | and, when I looked at the map of servers, the Turkish server I
         | was connected to was the closest to Tehran.
        
         | lutoma wrote:
         | I think a more likely explanation is that Hetzner just acquired
         | some IPv4 address ranges that were previously used in Iran
        
           | rany_ wrote:
           | I think that might be less likely given the trade
           | restrictions. There's no way an Iranian ISP just gave Hetzner
           | those IPv4 addresses free of charge.
        
         | rany_ wrote:
         | That's almost certainly the case. I use Tor semi-regularly and
         | many Tor exit relay IPs are identified as being in Iran which
         | is just not possible.
        
       | scandox wrote:
| Would be an easy way to conduct an ad hoc trade war... AWS doesn't
| need competition from a pesky German host, let's just make things
| faintly awkward...
        
       | osiemens wrote:
       | I wonder if this is related to something I found when I moved my
       | hosting from DO to Hetzner: https://on-no.net/posts/moving-
       | providers-and-tainted-ips/
       | 
       | TL;DR is that the IP that my new instance was assigned had
       | previously been used as part of an advertising CDN based in Iran.
       | It wouldn't surprise me if this is some game of whack-a-mole
       | between interested parties who are at turns applying and
       | attempting to evade blocks.
        
       | paulv wrote:
       | Does this kind of thing affect Hetzner IPs in their US
       | datacenters?
        
         | jsheard wrote:
         | It looks like they use different ASNs for the US datacenters,
         | so probably not in this case. Nuremberg, Falkenstein and
         | Helsinki all share the problematic AS24940 block mentioned in
         | the OP, but Ashburn is on AS213230 and Hillsboro is on
         | AS212317.
        
       | dathinab wrote:
| It's pretty absurd that Cloudflare can just effectively cripple a
| cloud provider by tagging part of their IPv4 range as Iranian and
| not fixing their issues in over a year (and AFAIK have no
| intention to fix them at all).
| 
| Like, I wonder if Hetzner has any way to legally force them to
| stop misclassifying their IPs.
        
         | dools wrote:
         | Kinda seems like it might have legs as a defamation lawsuit...
        
         | amatecha wrote:
         | What's absurd to me is that Cloudflare gains more and more
         | control over the internet, by people voluntarily submitting to
         | its domination.
         | 
| My favorite is trying to go to someone's random blog with like 5
| posts (because they have a singular post about the technical
| topic I'm trying to figure something out about) and I can't
| access the site because Cloudflare has decided my locked-down
| Firefox ("resist fingerprinting" + strict privacy mode etc.)
| running on OpenBSD is somehow malicious. So much for the open
| web. (Never mind the audacity that "we can't spy on you
| sufficiently" is enough to serve a 403 Forbidden response
| header.)
        
       | TheTr1ckt3r wrote:
       | This whole issue of blocking Iranian IPs and not allowing them to
       | download Docker containers for 'legal' reasons is ridiculous.
| Additionally, trying to detect and ban VPNs used by Iranians,
| which will affect the next user of that IP, is equally absurd.
        
         | appendix-rock wrote:
         | What do you suggest, then? What's your legal opinion?
        
       | RadiozRadioz wrote:
       | I'm frequently reminded how thankful I am to live in a country
       | with a strong, positive international reputation. Even ignoring
       | actual quality-of-life stuff associated with where I live -
       | simply not being from a country with a "dodgy" reputation makes
       | many things so much easier.
       | 
       | I don't have to think about blocked websites. Companies accept my
       | payments. Couriers ship to me. With my passport, I walk straight
       | to the front of the fast lane, past the large queue of people who
       | didn't happen to be born somewhere rich, western and politically
       | stable.
       | 
       | I don't take it for granted, and it makes me sad that this
       | distinction exists.
        
         | Onavo wrote:
         | It's more that you are on the right side in a unipolar world.
         | When the world shifts to multipolarity in the next few years,
         | the problem will solve itself.
        
           | kiba wrote:
| Multipolarity is a more dangerous world, as we have seen
| Russia assert itself at the expense of Ukraine.
        
             | buran77 wrote:
             | Unless you happen to not be aligned with or really on the
             | wrong side of that fabled ideal power monopole. It can
             | quickly knock you from ignorance to reality. Imagine Russia
             | was that monopole of power. Or look no further than a
             | dictatorship. Great if your interests align or you're
             | willing to bend them until they do, hell if they don't.
             | 
             | The US is the closest thing we have to a monopole these
             | days and I'm sure it's sweet for some and very bitter for
             | others.
        
               | QuercusMax wrote:
               | "According to a 2024 analysis by The Washington Post, 60%
               | of low-income countries were under some form of U.S.
               | financial sanction. The analysis also concluded that the
               | U.S. imposes three times as many sanctions as any other
               | country or international body." - from
               | https://en.wikipedia.org/wiki/United_States_sanctions
               | 
               | Really quite ridiculous that there are sanctions on
               | something like 1/3 of the world.
        
             | aaomidi wrote:
             | As we have seen US/Israel assert itself at the expense of
             | Gaza and Palestine.
        
           | 01HNNWZ0MV43FF wrote:
| I'm a globalist and all, but when people say "multipolar",
| doesn't that usually mean "the USA shouldn't rule everyone, I
| want to also rule over some countries"?
        
           | rtsil wrote:
           | I doubt the "next few years", and if the world shifts to
           | multipolar, it won't solve the problem, it will just move
           | everyone to the "bad side" where frictions big and small
           | abound.
        
         | ajsnigrutin wrote:
         | I live in a small EU country.
         | 
| There are many, many American sites that just block the whole
| EU IP range because they don't want to deal with GDPR.
        
           | ttt3ts wrote:
           | I have done that exact configuration for several of my
           | clients who didn't realize any/much revenue in the EU. For
           | them it was the obvious best move but I wish there was a
           | better option.
        
       | alberth wrote:
| This probably wasn't Cloudflare's doing per se. It was probably
| MaxMind, which is the most widely used IP-to-geolocation service
| out there.
       | 
       | And cloudflare uses it as well.
       | 
       | https://developers.cloudflare.com/network/ip-geolocation/
        
       | ewpratten wrote:
       | Hey OP. On behalf of Cloudflare, we take information accuracy
       | very seriously.
       | 
       | I raised the linked issue internally with the team, and they have
       | reason to suspect this has already been addressed.
       | 
       | That being said, if you (or anyone else here) are still seeing
       | this issue occur, please raise a ticket with our support team
       | (https://developers.cloudflare.com/support/contacting-cloudfl...)
       | so we can investigate further.
       | 
       | Thanks :)
        
       | ggm wrote:
       | https://geolocatemuch.com/ is the way.
        
       ___________________________________________________________________
       (page generated 2024-09-18 23:00 UTC)