This is a route leak, plain and simple. Don't forget to apply Occam's Razor. All of those sites which are "coincidentally" misbehaving are located in the same /24.

This is what is actually happening. Virgin Media peers with Cogent. Virgin prefers routes from peers over transit. Cogent is turrible at provisioning and filtering, and is a large international transit provider.

Let's look at the route from Cogent's perspective:

  BGP routing table entry for 199.58.210.0/24, version 2031309347
  Paths: (1 available, best #1, table Default-IP-Routing-Table)
    54098 11557 4436 40015 54876
      38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
        Origin incomplete, metric 0, localpref 130, valid, internal, best
        Community: 174:3092 174:10031 174:20999 174:21001 174:22013

If Cogent was competent at filtering, they'd never learn a route transiting 4436 via a customer port in the first place, but most likely someone at Lionlink (54098) is leaking from one of their transit providers (Sidera, 11557) to another (Cogent, 174).

Also, traffic passing through Switzerland is a red herring -- the poster is using a geoip database to look up where a Cogent router is. GeoIP databases are typically populated by user activity, e.g., mobile devices phoning home to get wifi-based location, credit card txns, etc. None of this traffic comes from a ptp interface address on a core router. GeoIP databases tend to have a resolution of about a /24, whereas infrastructure netblocks tend to be chopped up into /30s or /31s for ptp links and /32s for loopbacks, so two adjacent /32s could physically be located in wildly different parts of the world. More than likely, that IP address was previously assigned to a customer. The more accurate source of information would be the router's hostname, which clearly indicates that it is in London. The handoff between Virgin and Cogent almost certainly happens at Telehouse in the Docklands.

If someone were, in fact, trying to intercept your traffic, they could almost certainly do so without you noticing (at least at layer 3.)

> If someone were, in fact, trying to intercept your traffic, they could almost certainly do so without you noticing (at least at layer 3.)

Then again, doing it like here would give them plausible deniability ("what? we? tracking? no, someone misconfigured a router."). Or maybe, given how those sites visibly disappear, it is an example of Zersetzung[0]?.

Welcome to post-Snowden world. We just cut ourselves with Ockham's razor and now are bleeding paranoid.

[0] - http://en.wikipedia.org/wiki/Stasi#Zersetzung

Would be interesting to know if you can get to https://conference.hitb.org/check-status/

Partly because it is HTTPS and partly because hack only appears in a url on the page.

This might answer if it is the result of the site, or the site content. Like for some reason LionLink is filtering based on the content on the page.

I'm on Virgin Media in the UK and it starts loading the page in Firefox (the title changes to the title of the page) but never actually completes, so I get a blank page.

No problems from UK with any of the four sites mentioned in OA or the https URL you posted; on Everything Everywhere/Orange ADSL over copper broadband.

Both websites hitb.org (199.58.210.36) and thc.org (199.58.210.16) have A records part of the Rokabear's CIDR 199.58.208.0/21 and some IPs in that block are responding as expected i.e. 199.58.208.36 and 199.58.215.36

However not a single IP in the range 199.58.210.0/24 responds to ICMP or TCP probes. My only guess is this is more likely a faulty or misconfig router.

    # Dirty TCP check
    nmap -v -Pn -p 80 199.58.210.0/24

    # Dirty ICMP check (1 means failure, 0 means success)
    for i in {1..254}; do echo -n "199.58.210.$i "; ping -c2 "199.58.210.$i" >/dev/null 2>/dev/null; echo " $?";  done

Cant access any of those sites either, they just time out. Virgin Media UK. Trace for THC: http://pastebin.com/raw.php?i=qmv3cYse

Quite a while ago now, there was a period where you couldn't get to Stackoverflow on Virgin media. There were some quite long threads in Virgins forums about it, and apparently not all virgin customers were affected! It did eventually resolve itself, but it was very frustrating!

http://community.virginmedia.com/t5/Up-to-120Mb-Setup-Equipm...

Interesting. Are any groups attempting to track odd routings like this? Seems like it would make for a good research project that would garner plenty of publicity.

When such a group crops up it will inevitably also have its website blocked

Thus we see the inevitable result of a culture which encourages internet filters: full on censorship of divergent, but legal, views.

This doesn't strike me as an effective demographic to "full on censor" in this way. Generally speaking, people interested in hacker conferences know how to proxy around a net nanny.

Could this be a botched poor-mans wiretap?: i.e. traffic sent to black-listed domain get's transparently routed to an adversarial middle host, who is intended to eventually forwarded it on to the original destination, but in this case someone misconfigured the wiretap, causing traffic to get lost. (/tinfoil hat)

I'd like to see the tracert for other hosts near the same destination.

Well that would be pretty serious.

He should run that 45 min internet scan through his home network and diff with his work network, get a list of all the sites that have this behavior. Alternatively he could write a script to ping his bookmarks or browser history, that would probably take less time.

We know that routing sometimes takes strange hops - it doesn't always mean malicious intent. He says he also can't acccess the site of the hosting provider - so my take is, that it might be just a fucked up route somewhere. Happens all the time.

The IP that you're trying to reach belongs to a US hosting company, so routing to the US should not be a surprise.