Access to Public Information

Access to Public Information
By Dr. Neal Krawetz

I am a huge fan of the Internet Archive ( They have a fundamental belief that information should be retained. Unfortunately, other organizations seem to be intentionally blocking access.

About Time

When I first spoke with the Internet Archive’s Brewster Kahle, he described their service as providing another dimension for the web: time. Google, Bing, Yahoo, and other search engines are great at showing you what is online right now. However, they don’t show you how a web site has changed over time. This is where the Internet Archive comes in: they record snapshots of web sites so you can see what it looked like on a specific date.

As an example, Facebook often changes their terms of service. It’s easy to see their current terms of service. But what did it look like last year or two years ago? This is where the Internet Archive’s Wayback Machine comes in. They occasionally mirror Facebooks terms of service, allowing you to see every version going back years.

Beyond their Wayback Machine, they also have “collections”. Unlike the web mirrors from the Wayback Machine, the Collections are groups of files uploaded by hundreds of people. For example, I had my own mirror of North Korea’s Flickr account — made shortly after Anonymous compromised the DPRK’s Flicker account and hours before DPRK deleted their account. If I keep these files to myself, then they’ll be safe but unavailable to anyone else. So instead, I created a Collection at the Internet Archive and uploaded them for public access. Now anyone in the world can see pictures from North Korea’s (now deleted) Flickr stream — both the official pictures and pictures uploaded by Anonymous.


I run a web service called RootAbout. This is a search-by-image service that has indexed the Collections at the Internet Archive. (It does not yet index the Wayback Machine; only the Collections.) Although it searches for pictures at the Internet Archive, it doesn’t mirror their content. RootAbout depends on connectivity to in order to retrieve metadata and thumbnail images.

Over the weekend, my RootAbout server began sending me alerts, informing me that connectivity to was down. I received one alert on 2016-12-24, a handful on 2016-12-25, and a complete lack of connectivity on 2016-12-26.

Fortunately for me, I’ve been working on a new traceroute system (same general purpose, very different method). This allowed me to rapidly identify the source of the blockage: Comcast. Specifically, ( Here’s one way I identified it:

  • Identify the target. This is a simple hostname look-up: has address “”. I repeated this from a couple of different locations on the Internet, just to make sure it wasn’t a DNS issue.
  • Traceroute. I performed a traceroute to from my RootAbout server:

    $ traceroute
    traceroute to (, 30 hops max, 60 byte packets
    1 ( 0.442 ms 0.410 ms 0.363 ms
    2 * * *
    3 * * *
    4 * * *
    5 * * *
    6 * * *
    7 *^C

    The “* * *” means it timed out. Using Wireshark, I see no reply at all. This means that there is no connectivity right outside of my hosting provider.

  • Varying addresses. Generally, when connectivity goes down, it goes down for an entire subnet. In contrast, filters are often applied to single network addresses. The Internet Archive has a very large network range ( –, but their “” web server is only located at one address in that range. I decided to test other addresses in that range. Since’s IP address ends with “.2”, I decided to test “.1” and “.3”.

    $ traceroute
    traceroute to (, 30 hops max, 60 byte packets
    1 ( 0.393 ms 0.352 ms 0.304 ms
    2 ( 2.726 ms 2.709 ms 2.756 ms
    3 ( 3.596 ms ( 4.133 ms ( 3.424 ms
    4 ( 29.929 ms 29.921 ms 29.884 ms
    5 ( 27.845 ms 27.838 ms 27.804 ms
    6 ( 29.863 ms 30.063 ms 30.032 ms
    7 ( 28.229 ms ( 29.098 ms 29.312 ms
    8 ( 38.349 ms 38.568 ms 38.576 ms
    9 ( 39.250 ms 39.527 ms 39.491 ms
    10 ( 38.693 ms 38.779 ms ( 38.739 ms
    11 ( 38.493 ms 38.505 ms 38.470 ms
    12 ( 38.767 ms 38.749 ms 38.714 ms


    $ traceroute
    traceroute to (, 30 hops max, 60 byte packets
    1 ( 0.379 ms 0.339 ms 0.295 ms
    2 ( 3.952 ms 4.004 ms 4.117 ms
    3 ( 4.278 ms ( 4.811 ms ( 4.777 ms
    4 ( 29.870 ms 29.849 ms 29.811 ms
    5 ( 27.909 ms 27.892 ms 27.919 ms
    6 ( 27.886 ms 27.935 ms 27.926 ms
    7 ( 29.397 ms ( 28.120 ms ( 28.097 ms
    8 ( 38.419 ms 38.407 ms 39.744 ms
    9 ( 39.616 ms 39.439 ms 39.397 ms
    10 ( 39.040 ms ( 39.703 ms ( 39.022 ms
    11 ( 38.631 ms 38.623 ms 38.589 ms
    12 ( 38.811 ms 38.809 ms 38.802 ms

    This is a clear indication that the filtering is specific to one IP address (, and not a generic network routing issue.

  • Decoding Hostnames. Many network provides embed informative strings in the hostname. In this case, is extremely informative:
    • “” identifies the provider as Comcast.
    • “ibone” identifies Comcast’s Internet backbone service. (This is different from cbone, which is for Comcast-to-Comcast routing.)
    • “” identifies the building. This router should be physically located at 910 Fifteenth Street, Denver, Colorado. According to Google Maps, that’s in the heart of downtown Denver. In that building are a couple of big colocation providers, including Level3, CoreSite Denver, and Massive Networks Denver.
    • “pe” typically denotes a peering service. Peering is one of those big net neutrality debate issues. Companies typically pay a premious for a high speed dedicated peering connection that bypasses most of the Internet.
  • Other Routes to I tested traceroute from sites that could connect to This includes my office, a coffee shop, and a friend’s home network. They could all reach (it doesn’t look down to them). However, traceroute showed that none of them went through the same Comcast router ( Instead, they all followed the same route starting at (Comcast in Seattle). This is consistent with the previous finding, that Comcast’s router in Denver ( is filtering the network traffic.
  • Other Routes through Comcast. I spot-checked connectivity from my server to other online services. Facebook, Google, Bing, Slack, and many others were working without issue. Then I got the idea to see who else uses Comcast’s router in Denver…

    $ traceroute
    traceroute to (, 30 hops max, 60 byte packets
    1 ( 0.478 ms 0.437 ms 0.368 ms
    2 ( 2.543 ms 2.593 ms 2.507 ms
    3 ( 4.450 ms ( 4.408 ms ( 4.350 ms
    4 ( 16.845 ms 16.794 ms 16.734 ms
    5 ( 16.304 ms 16.259 ms 16.581 ms
    6 ( 17.284 ms 16.171 ms 16.095 ms

    There it is, at hop #2. As far as I can tell, the connection path from my server to most .gov sites route though This would appear to be someone trying to filter access to or from for some gov sites, and my server happens to be seeing the filtering from the other side.

As a regular user on the Internet, you’re probably not taking this same route and will probably never see the filtering. However, if you have a hosting provider that uses Comcast, then you might be seeing this filtering.

I reported these observations to the Internet Archive. While they haven’t made any official statement yet, they did confirm that I’m not the only one seeing this.

Why Filter?

I’ve been scratching my head, trying to figure out why someone would want to filter one specific address at It isn’t like this address is used to attack the Internet. For example, the Internet Archive runs lots of bots, but they use different addresses than this service. As far as I can tell, the filtered address is only used for the web server at “”. They are blocking access to, and not from.

While I have nothing authoritative, I did come up with some plausible scenarios:

  1. Accident. Someone edited a configuration file and accidentally pasted in the wrong network address for filtering.
  2. Deliberate Content Filtering. A month ago, the Internet Archive made a big announcement: they are building a new backup facility in Canada. This is in direct response to the new President-elect, who has repeatedly mentioned filtering access to information on the web. This filtering could be a first attempt to restrict access to information on the Internet. (He’s not even President yet, and we’re seeing content filtering.)
  3. Deliberate but Wrong Filtering. A week ago, the Internet Archive announced a new priority: mirror content from government sites. Donald Trump believes many baseless conspiracies, including unjustified beliefs about Muslims, China, Russia, and climate change. There is a strong belief that Trump will impose a revisionist history — either removing or altering government documents that include proven facts but run contrary to his unproven beliefs. By mirroring these pre-revisionist documents, the Internet Archive ensures that publicly funded research will remain accessible and unaltered.

    With my traceroutes, I have demonstrated that this router at Comcast sits on a path from to government sites. Thus, this filtering could be an attempt to prevent the Internet Archive from mirroring these public documents. (If there are no public copies, then who can claim that it was revised?) If this is the reason for the filtering, then the filtering was implemented wrong; they banned access to a web server that doesn’t do the mirroring, and didn’t ban the IP addressed used by’s mirroring bots.

  4. DoS. Maybe someone else wants to deny access to All it would take is for someone to poison some critical routers and block network connectivity. But if this is the case, then they really screwed up. They blocked access for a minority of services on the Internet, and not for most users.

There may be some other reason, but these are the only ones I could think up that match the observed blockage.

If the filtering changes, spreads, or is removed, then I’ll update this blog entry. Meanwhile: “Hey Comcast! Why is your router at filtering access to the Internet Archive?”

December 27, 2016 at 06:12PM
via The Hacker Factor Blog