Saturday, December 11, 2010

Verizon purposely blocking “Operation Payback” IPs

If this makes you angry, SPREAD THE WORD. It's the only way they won't get away with it!

Update: 2:26pm EST: Less than 12 hours after I broke this story, Verizon has unblocked 91.121.72.103. This is only one of the IPs they blocked that I was able to identify and confirm, however it seems to be the most widely used and noticed. Come on Verizon, make it quick with the others. I have updated the tracert logs in this post to reflect another IP address so as not to confuse the masses.

Many of you may have heard of “Operation Payback is a Bitch” and “Anonymous” by now. Anonymous has been in the news many times recently for their denial of service attacks that took down the corporate websites of Mastercard, Paypal, Visa, and the RIAA to name a few. “Anonymous” is a loosely organized group of hackers who gather on the popular forum site 4chan.  
“Operation Payback” was established several months back in an effort to combat anti-piracy groups and their supporters by taking down their websites and email systems in a form of online protest. Anonymous coordinated this through a 10+ server IRC network and a modified version of a DDoS program called LOIC. Supporters simply open up LOIC and input a server name. Their computer then becomes part of a “voluntary botnet” attacking whatever the current target is until the website drops offline. Recently with the Wikileaks scandal, Anonymous has shifted Operation Payback’s efforts to attacking any corporation that actively harms/opposes Wikileaks or Julian Assange.
Earlier this week when Mastercard.com was down for over 7 hours followed shortly by Visa.com (both websites targeted due to their refusal to process donations to Wikileaks) many people woke up and realized just how powerful the masses could be. Twitter immediately banned the official Anon Operations account after a link to over 1000 supposedly valid MasterCard Credit card numbers was posted. This was soon followed by Facebook removing the Anonymous Operation Payback supporters group for service violations. Yes many websites and companies online were taking action to prevent Operation Payback from getting out of control. Most all of these were obvious and even quoted the specific section of their TOS they say Anonymous violated. The one company that took not so obvious action was Verizon Internet Services.
As most of you here in the USA know, Verizon offers among the fastest available residential internet connection. They also have a massive share in the business market. Verizon FiOS service now offers up to 35 Mbps upstream bandwidth. This is more than 10 times the average that cable modem users have.
Thursday evening Verizon pulled a dirty trick by silently blocking most all known IP addresses used by IRC, web and other servers operated for Operation Payback. This move was made without notice to Verizon’s customers and without the ability to opt out of the blocking. It is unclear as to Verizon’s motivation for this censorship of the internet. One can speculate that they don’t want their FiOS service making the news as the straw that broke the camel’s back for the next web server to be hit by Anonymous. I suppose if you asked an executive they would spit out some BS about protecting the internet. Protecting us from what?!
Truth is, going to a website that encourages you to perform illegal activities such as Denial of Service attacks is not in any way itself illegal. Nor is connecting to an IRC server where people are discussing such activities. As an individual you are only wrong once you start to participate, which is a choice you would have to make and act upon after visiting an Operation Payback website or connecting to an IRC server.
So I know you all want proof and trust me I have no shortage of it. I have been researching this issue the better part of 3 days. As an IT security worker, I like to stay current on the most recent internet attacks, scams, viruses, etc. It’s my job to stay sharp and it’s what my customers expect from me. I was frequenting the Operation Payback is a Bitch website and connecting to IRC on my FiOS connection when I suddenly got disconnected. Considering this is a loosely organized group with a lot of enemies I simply thought the servers crashed again. However after seeing the Twitter messages continue about people in the IRC room I started to think something might be up. I used remote access software to connect to a machine at my parents’ house about 80 miles away that has a Comcast connection. I loaded up my IRC client and logged right in. At this point I thought it had to be my PC so I tried another. I looked at my firewall/router and found no problems. After 99 unsuccessful connection attempts to the approximately 10 IRC servers I began to realize something was up.
Below is a list of servers you cannot access if you’re on Verizon FiOS in most areas. I have also found that this may affect some Verizon DSL customers.
83.169.21.109
91.121.72.103 - Now unblocked in most areas
91.121.92.84
88.198.224.117
178.63.172.193
67.23.234.51
Go ahead. Ping them. Try to connect to them using your favorite IRC client. Now call up your friend on any ISP besides Verizon in the USA and see if it works for them! You may also want to “try” and visit the newest Operation Payback website www.anonops.eu from your FiOS connection. Good luck! (as of 2:36pm EST Verizon has unblocked only 91.121.72.103, so this test will work now in most areas)

 
Now before we move forward I need to make myself clear. I am NOT encouraging you to join Operation Payback. I am simply encouraging you to see for yourself how Verizon is deciding what you can and cannot get to on the internet. Now I’m sure the reason here is obvious, however Verizon is an Internet transit provider, not a babysitter. You should be able to decide where you want to go online. What’s to stop them from blocking other sites they don’t like? Would you even know? “Page cannot be displayed” “hmmm guess they are down” most people think, never realizing Verizon is knowingly and actively denying you access.
Here are some more details on how I tested this to be sure I was right before making this public. A trace route or tracert allows you to initiate a trace of every router your internet traffic goes through to get to its destination. Just about any modern PC has this functionality built in. If your request doesn’t go through, running a tracert can help you see why and where the failure is happening. Take a look:
tracert 83.169.21.109
Tracing route to lvps83-169-21-109.dedicated.hosteurope.de [83.169.21.109]
over a maximum of 30 hops:
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
As you can see, the traffic goes nowhere and is stopped at whatever hop number 1 is. I changed the last digits of the IP address from 109 to 110 and initiated another trace. It went right through and listed a Verizon router as hop #1, meaning the traffic stops being passed once it hits Verizon-owned equipment. (Note: in the trace below I have masked some addresses to protect my location.)
To be sure my test was valid and this wasn’t a case of a transit problem, I used my Comcast connection to verify that all ending hops leading to 109 and 110 were the same routers. I had no problem doing a tracert on 83.169.21.110 or any other IPs listed above from Comcast!
C:\Users\test>tracert 83.169.21.110
Tracing route to www.pro-rauchfrei.de [83.169.21.110]
over a maximum of 30 hops:
  1     2 ms     2 ms    <1 ms  l100.nwrknj-vfttp-**.verizon-gni.net [****]
  2     1 ms     2 ms     3 ms  g4-0-1-792.nwrknj-lcr-07.verizon-gni.net [130.81.109.108]
  3     2 ms     2 ms     2 ms  so-5-0-0-0.nwrk-bb-rtr1.verizon-gni.net [130.81.29.8]
  4     2 ms     3 ms     2 ms  0.so-7-0-0.xl3.ewr6.alter.net [152.63.19.177]
  5     6 ms     6 ms     5 ms  0.xe-4-0-0.xl3.nyc4.alter.net [152.63.3.101]
  6     6 ms     5 ms     6 ms  gigabitethernet4-0-0.gw1.nyc4.alter.net [152.63.20.97]
  7     5 ms     4 ms     4 ms  teliasonera-test.customer.alter.net [157.130.255.206]
  8     5 ms     4 ms     4 ms  nyk-bb2-link.telia.net [80.91.250.147]
  9    84 ms    84 ms    86 ms  ldn-bb2-link.telia.net [80.91.253.117]
 10    92 ms    93 ms    92 ms  prs-bb2-link.telia.net [80.91.247.240]
 11   102 ms   102 ms   102 ms  ffm-bb2-link.telia.net [80.91.246.180]
 12   102 ms   101 ms   134 ms  ffm-b7-link.telia.net [80.91.254.253]
 13   103 ms   103 ms   143 ms  xe-0-2-0.cr-polaris.fra1.he-core.de [213.248.104.54]
 14   110 ms   112 ms   114 ms  xe-0-1-0-v2.cr-polaris.fra1.he-core.de [80.237.129.81]
 15   118 ms   118 ms   117 ms  xe-2-3-0.cr-nashira.cgn4.hosteurope.de [80.237.129.165]
 16     *        *        *     Request timed out.
 17   105 ms   105 ms   105 ms  www.pro-rauchfrei.de [83.169.21.110]
Trace complete.
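The comparison described above (a trace to the unreachable address against a trace to its neighbor), as an added Python example that is not part of the original post: it parses Windows tracert output and reports where the target trace goes silent relative to the control. The function names are illustrative, and the sample input is abridged from the two traces shown in the post.

```python
import re

# Windows tracert hop line: hop number, three probes ("*" or "<1 ms"), then host text.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:\*|<?\d+ ms)\s+){3})(.*)$")

def parse_tracert(text):
    """Return a list of (hop_number, answered, host_text) tuples."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line + " ")  # pad so a bare final probe still matches
        if m:
            answered = any(p != "*" for p in m.group(2).split())
            hops.append((int(m.group(1)), answered, m.group(3).strip()))
    return hops

def last_answering_hop(hops):
    """Highest hop that returned at least one reply, or None if every hop was silent."""
    answered = [h for h in hops if h[1]]
    return answered[-1] if answered else None

def compare(target_trace, control_trace):
    """Locate where the target trace goes silent relative to a neighbouring control address."""
    target, control = parse_tracert(target_trace), parse_tracert(control_trace)
    last = last_answering_hop(target)
    if last is None and control and control[0][1]:
        # Hop 1 answers for the control but not for the target: the drop is
        # destination-specific and sits at or before that first router.
        return "dropped at or before hop 1: " + control[0][2]
    if last is None:
        return "inconclusive: no hop answered in either trace"
    return "target trace last answered at hop %d: %s" % (last[0], last[2])

# Sample input: hops abridged from the two traces in the post.
BLOCKED = """Tracing route to lvps83-169-21-109.dedicated.hosteurope.de [83.169.21.109]
over a maximum of 30 hops:
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
"""
CONTROL = """Tracing route to www.pro-rauchfrei.de [83.169.21.110]
over a maximum of 30 hops:
  1     2 ms     2 ms    <1 ms  l100.nwrknj-vfttp-**.verizon-gni.net [****]
  2     1 ms     2 ms     3 ms  g4-0-1-792.nwrknj-lcr-07.verizon-gni.net [130.81.109.108]
 16     *        *        *     Request timed out.
 17   105 ms   105 ms   105 ms  www.pro-rauchfrei.de [83.169.21.110]
"""

if __name__ == "__main__":
    print(compare(BLOCKED, CONTROL))
```

Silent hops alone prove little, since many routers rate-limit or ignore traceroute probes (hop 16 in the working trace is one). The control trace to a neighboring address over the same path is what ties the difference to the destination.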
I then went on Facebook and called out everyone to test this issue for me. In all I had approximately 15 FiOS users from 3 states and 2-3 DSL users run the same test. Of the FiOS users, all of them were unable to get to any of the IP addresses listed above. The traffic died at the first hop and that first hop always ended with verizon-gni.net.
Among the Verizon DSL users, one reported the same issue while the other two were fine, leading me to believe this is still rolling out to DSL users.

So where does this leave us? Well it’s clear that Verizon is censoring the internet and this probably isn’t the first time they have done it either. I figured it was an effort in futility but I called FiOS support to ask them about this and got nowhere. Eventually I spoke to a “tier 2 network admin” who assured me “Verizon provides an unrestricted connection to the internet with the exception of port 25 outbound for non-business customers” Funny, when I tested I found that static IP business FiOS customers are censored as well.
SHAME ON YOU VERIZON. We pay you to provide a service, not dictate what we can and cannot view online. Operation Payback is a real problem, however you have no right to simply deny users from accessing any information related to it without their knowledge, and then deny that you are doing so! Your job is to provide a service. As a user of your service, (if I’d want to) I have the right to be an idiot, perform illegal activities online, and then you have the right to suspend my account. That’s how every other ISP does it. What you’re essentially doing is proactively treating us all like service violators and babies who can’t handle the “whole internet”.
I encourage everyone to make this as public as possible. Post this on Facebook and Twitter. Spread the word. Make this a PR nightmare for Verizon. This is a slippery slope. What’s to stop a Verizon network administrator from denying any of us access to another part of the internet? Think about it!


For media, questions or other inquiries please email: compuboy2010@gmail.com


UPDATE 12/12/10:
I have gotten more and more confirmation of DSL users now being blocked as well. It really depends on your area it seems. I also have my first report of a single FiOS user saying he is not being blocked. (I don't however have a geo location of this user or logs proving this).
I have been actively tracking this post and have seen bits on forums about launching an attack against Verizon. DON'T, people! That would be the worst move we could make at a time like this. All it will do is give whatever network admin group did this more justification. The right thing to do is to make this viral. Get Verizon customers to call and question why these IPs are blocked. Draw attention to the fact that this was done without customers' knowledge. It's the only way.
Send this story and the link into your favorite online media outlet. I can be reached for questions or comments at compuboy2010@gmail.com