Total Retard War: Pushing back against Cogent

[Null]

If you have noticed the Kiwi Farms does not reliably load over Clearnet, you are probably the victim of Cogent's blackholing. Blackholes are network blocks which route traffic to nowhere, in an opaque way that does not indicate this is being done. This is usually done for emergencies (like DDoS attacks), but Cogent is doing it because they do not like us.


To get around this:
A. Use a VPN and change locations a few times. Mullvad's Houston TX location does not use Cogent. However, NetActuate is their provider for most of their locations, which does.
B. Use Clearnet-over-Tor. Using a Tor connection and then putting in the Kiwi Farms domain will almost always found a route, even if we're blocked by most of the Internet.
C. Use native Tor, which circumvents even a total disconnect.


To fight back:
You are a paying customer of your ISP. You are paying for total and complete access to the Internet and the World Wide Web. You have a right as a customer to contact your provider to ask why you cannot access certain websites.

If you want to file a complaint, you need to learn how to diagnose where the problem is. For my instructions, I will assume you use Windows.


Step 1. Open the command prompt.
Open the Start menu and type "cmd" in the search box. Click on the Command Prompt app to open it.


Step 2. Lookup the IPs.
In the Command Prompt window, type "nslookup kiwifarms.hk" and press enter.


Step 3. Understand the response.
You will receive an output that looks like this. Each "Address" below is an IP your browser may connect to. If some work and others don't, that is why you have issues loading the site. We will diagnose each one.

Spoiler: nslookup output with a list of addresses

nslookup kiwifarms.hk
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   kiwifarms.hk
Address: 94.131.3.118
Name:   kiwifarms.hk
Address: 86.107.179.19
Name:   kiwifarms.hk
Address: 86.107.179.20
Name:   kiwifarms.hk
Address: 86.107.179.21
Name:   kiwifarms.hk
Address: 86.107.179.22
Name:   kiwifarms.hk
Address: 89.221.224.80
Name:   kiwifarms.hk
Address: 89.221.225.73
Name:   kiwifarms.hk
Address: 2a09:7c41:0:39::1

Step 4. Copy the IP.
Click-and-drag to highlight the first Address. Press enter. This will copy the highlight to your clipboard.


Step 5. Ping the IP.
Type in "ping " and paste in your Address with Ctrl+V. Press enter.

A healthy ping looks like below. The server responds to your request. You can go back to Step 4 and try with the next IP.

Spoiler: Healthy ping with responses

$ ping 86.107.179.19
PING 86.107.179.19 (86.107.179.19) 56(84) bytes of data.
64 bytes from 86.107.179.19: icmp_seq=1 ttl=56 time=392 ms
64 bytes from 86.107.179.19: icmp_seq=2 ttl=56 time=210 ms
64 bytes from 86.107.179.19: icmp_seq=3 ttl=56 time=233 ms
64 bytes from 86.107.179.19: icmp_seq=4 ttl=56 time=188 ms
64 bytes from 86.107.179.19: icmp_seq=5 ttl=56 time=279 ms

An unhealthy ping looks like below. The server does not respond.

Spoiler: Unhealthy ping that never responds

$ ping 94.131.3.118
PING 94.131.3.118 (94.131.3.118) 56(84) bytes of data.
^C
--- 94.131.3.118 ping statistics ---
166 packets transmitted, 0 received, 100% packet loss, time 167188ms

If the server pings, you can connect to the Kiwi Farms on it. Proceed to the next IP on the list.
If the server does not ping, you should verify the blackhole with a traceroute.


Step 6. Traceroute the IP.
Type in "traceroute " and paste in your Address with Ctrl+V. Press enter.


Step 7. Diagnose the blackhole.
Warning: Do not post your traceroutes on the forum. They will contain information about your ISP, which are usually very close to where your home is.

A healthy traceroute looks like below. Notice that the last IP on the route matches the IP you put in. There will sometimes be text that identifies the IP as being Kiwi Farms. This output means you can connect fine.

Spoiler: Healthy traceroute with complete trace

$ traceroute 94.131.3.118
traceroute to 94.131.3.118 (94.131.3.118), 30 hops max, 60 byte packets
 1  10.128.0.1 (10.128.0.1)  50.878 ms  55.937 ms  55.909 ms
 2  unn-37-19-221-189.datapacket.com (37.19.221.189)  55.973 ms unn-37-19-221-188.datapacket.com (37.19.221.188)  55.853 ms  55.827 ms
 3  vl202.hou-cyr1-core-1.cdn77.com (185.156.45.52)  55.803 ms  55.678 ms  55.597 ms
 4  hou-b3-link.ip.twelve99.net (62.115.33.193)  55.571 ms  55.546 ms  55.524 ms
 5  atl-b24-link.ip.twelve99.net (62.115.116.47)  72.771 ms  72.749 ms  72.727 ms
 6  atl-bb1-link.ip.twelve99.net (62.115.134.246)  72.769 ms  60.395 ms  62.497 ms
 7  rest-bb1-link.ip.twelve99.net (62.115.138.70)  76.838 ms  81.401 ms  81.374 ms
 8  prs-bb2-link.ip.twelve99.net (62.115.122.158)  159.660 ms  159.632 ms  159.651 ms
 9  ffm-bb2-link.ip.twelve99.net (62.115.122.139)  166.301 ms  166.222 ms  166.244 ms
10  zch-b1-link.ip.twelve99.net (62.115.138.47)  170.600 ms  170.601 ms  172.868 ms
11  bsesoftware-ic-326113.ip.twelve99-cust.net (213.248.86.27)  172.846 ms  172.875 ms  172.822 ms
12  82.220.32.39 (82.220.32.39)  169.981 ms  168.470 ms  177.064 ms
13  ch.pq.kiwifarms.net (94.131.3.118)  172.761 ms  171.763 ms  171.696 ms

This is also a healthy traceroute. There are some points which do not respond to pings and render stars instead. That's normal.

Spoiler: Healthy traceroute with some missing points

$ traceroute 89.221.224.80
traceroute to 89.221.224.80 (89.221.224.80), 30 hops max, 60 byte packets
 1  10.128.0.1 (10.128.0.1)  62.681 ms  62.610 ms  62.647 ms
 2  static-198-54-133-97.cust.tzulo.com (198.54.133.97)  68.904 ms  68.878 ms  68.852 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  port-channel8.core3.mci3.he.net (184.105.64.214)  94.934 ms * *
 8  * port-channel12.core2.mci3.he.net (184.104.198.33)  96.575 ms *
 9  * * *
10  * * *
11  100ge0-32.core2.dub1.he.net (184.105.65.246)  188.558 ms  192.753 ms  192.705 ms
12  ip.mila.network (185.6.36.115)  210.512 ms  209.623 ms  209.548 ms
13  * * *
14  * * *
15  is.pq.kiwifarms.net (89.221.224.80)  238.131 ms  238.107 ms  215.279 ms

This is also a healthy traceroute. This is more confusing because it starts to spam * * * entries, but zetservers is a good DDoS provider. if you're seeing zetservers, it's good.

Spoiler: Healthy traceroute that does not show end server

$ traceroute 86.107.179.19
traceroute to 86.107.179.19 (86.107.179.19), 30 hops max, 60 byte packets
 1  10.128.0.1 (10.128.0.1)  86.651 ms  86.580 ms  86.545 ms
 2  static-198-54-133-97.cust.tzulo.com (198.54.133.97)  86.626 ms  86.599 ms  86.575 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * port-channel9.core2.par3.he.net (184.104.188.214)  222.957 ms
10  * port-channel12.core2.par2.he.net (184.104.196.230)  222.935 ms *
11  * * *
12  * * 100ge0-74.core2.buh1.he.net (184.104.196.126)  227.204 ms
13  interkvm-host-srl.e0-2.core2.buh1.he.net (216.66.95.115)  227.331 ms  227.307 ms  223.917 ms
14  buc-vox-pr1.zet.net (103.246.249.1)  223.890 ms  315.120 ms  314.933 ms
15  ddos-filter-ai1.zetservers.com (89.41.180.132)  315.003 ms  314.980 ms  314.859 ms
16  * * *
17  * * *
18  * * *
19  * * *

This is an unhealthy traceroute. Notice that the route is very short before the stars and never connects to a hosting provider. This indicates that the route is obstructed.

Spoiler: Unhealthy traceroute

$ traceroute 94.131.3.118
traceroute to 94.131.3.118 (94.131.3.118), 30 hops max, 60 byte packets
 1  10.128.0.1 (10.128.0.1)  68.136 ms  68.120 ms  68.092 ms
 2  static-198-54-133-97.cust.tzulo.com (198.54.133.97)  70.142 ms  70.163 ms  70.141 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *

We can verify this by going to bgp.tools, pasting in the IP of the last server (198.54.133.97), and checking the Connectivity tab.

https://bgp.tools/prefix/198.54.133.0/24#connectivity

Uh oh! Stinky! We can see their ISP is NetActuate, which has a direct upstream with COGENT (stinky)! This is why they can't connect.


Step 8. Identify the NOC.
ICANN and ARIN mandate that all ISPs have human monitored contact emails. It's completely free and legal to email these addresses with your concerns. In this instance, I already contacted Truzo and NetActuate. Truzo confirmed they weren't blocking the IP, and NetActuate confirmed it was Cogent. I asked them to inquire as to why for me (because I don't know, Cogent has never told me).

From that connectivity page, click the ISP you want to complain to. Then click WHOIS.

https://bgp.tools/as/36236#whois

Click the OrgNOCHandle link. NOC is Network Operations Center. Those are your network boys.




Step 9. Be nice.
Remember, these guys did not block the site. They are simply the last point that you can reach before the block.

You are their customer, and you cannot use their service as desired. You want to be able to use the entire Internet. You are wondering why you cannot.


Ideally, the outcome of these complaints would be enough Cogent customers upset at Cogent that the suits start getting nervous about their reputation and standing with the people actually funding them.


Tip: If you're experiencing issues as a VPN customer, complain to your VPN. Most VPNs have a way to report issues which will automatically include relevant information, so just tell them which IPs you're not able to connect to.


Video how-to

 

[Null]

Before I feature this, please check my post. If you have trouble understanding any of my instructions let me know.

 

[GenociderSyo]

The only thing I found confusing was the connectivity checker since almost all have cogent in their someplace.

Since it splits into GTT and Cogent does that mean some peoples isps are using the GTT route and some the cogent one?

And in one like this since it dead ends does that mean that its less likely to be cogent involved?

 

[Null]

And in one like this since it dead ends does that mean that its less likely to be cogent involved?

Yes. For this IP announcement, Stark is is SINGLE-HOMED with BSE. BSE is a direct customer of Cogent. Cogent has actioned similar relationships before. Go for it.

For this other announcement with Stark, they are single-homed with MiRHosting. MiRHosting has GTT, Lumen, and Hurricane as upstreams. Cogent still shows up because all T1 ISPs (except Hurricane, long story) will upstream with Cogent. This means Cogent is not directly associated.

 

[skunt]

Before I feature this, please check my post. If you have trouble understanding any of my instructions let me know.

I'd suggest asking users not to post their traceroutes and stuff directly in this thread because it'll be a mess.
Also the post might be a little less imposing if you swap from quotes to spoilers - wall of texts and all.

Oh, maybe if there's someone good at powershell or whatever that could write a script to automate it? That should make everything a bunch more concise and straighforward.

 

[Chukipz]

I think you mean Clearnet over Tor

 

[Monopoly Supporter]

Does this mean that HE has stopped blocking or am I misunderstanding what HE did?

 

[Null]

Does this mean that HE has stopped blocking or am I misunderstanding what HE did?

Hurricane will not allow me to announce any subnets as a customer-of-a-customer-of-a-customer-of-a-customer.
Cogent is illegally hijacking healthy subnets to apply nullroutes on /32s.

 

[Monopoly Supporter]

EDIT: Ignore This
I use Lumen CenturyLink (AS209) (formerly Qwest (formerly US West)) and after running traceroute a bunch of times have found that the KiwiFarms IP 212.23.222.112 is the only one that will, for whatever reason, try to route through Cogent and then get dropped. All the other KiwiFarms IPs are routed through Lumen's Level3 and go through. Interestingly, the 212.23.222.112 traceroute makes it's way all the way from the United States, to Amsterdam, then to Warsaw, before getting dropped by 149.6.71.138 (Cogent). So if you use CenturyLink and randomly get disconnected from KF like I do, I found a possible solution to be modifying your hosts file to resolve kiwifarms.hk to one of the A records which is not 212.23.222.112.

The fact that MEVSPACE (212.23.222.112) gets to Lumen through Cogent may explain this:

I will see if I can complain to CenturyLink support about this (can they change routing for an IP so that it goes through TATA or Arelion?)

 

[Null]

212.23.222.112 is MevSpace which I just re-added. MevSpace has a direct uplink to Cogent and for some reason doesn't kick us off and also doesn't answer Cogent at all.

https://ping.pe/212.23.222.112

That IP 100% works though, can you confirm that entering the IP in directly doesn't render a page?

 

[SCRAM]

212.23.222.112 is MevSpace which I just re-added. MevSpace has a direct uplink to Cogent and for some reason doesn't kick us off and also doesn't answer Cogent at all.

https://ping.pe/212.23.222.112

That IP 100% works though, can you confirm that entering the IP in directly doesn't render a page?

OTG but this is what I get on my phone.

 

[Null]

OTG but this is what I get on my phone.

yep.... if it was a network block you'd get nothing.

 

[Kokton]

Video is pretty clear and informative, but the audio spikes randomly.

 

[Monopoly Supporter]

212.23.222.112 is MevSpace which I just re-added. MevSpace has a direct uplink to Cogent and for some reason doesn't kick us off and also doesn't answer Cogent at all.

https://ping.pe/212.23.222.112

That IP 100% works though, can you confirm that entering the IP in directly doesn't render a page?

Hmmm, it does connect. I just saw Cogent and the traceroute hop (?) number jump to 64 and assumed that must have been the IP that was causing me to get disconnected. I tested the rest of the IPs:

94.131.3.118 - connects to HTTP, but hangs with "TLSv1.3 (OUT), TLS handshake, Client hello (1):" when connecting to HTTPS. ERR_TIMED_OUT with Chrome
86.107.179.19 - cool and good
86.107.179.20 - cool and good
86.107.179.21 - cool and good
86.107.179.22 - cool and good
89.221.225.73 - cool and good
89.221.224.80 - connects to HTTP, "curl: (35) error:0A000126:SSL routines::unexpected eof while reading" when connecting to HTTPS. ERR_TIMED_OUT with Chrome
212.23.222.112 - cool and good

 

[Null]

If it connects then there's some other problem. It's not on my end because my blocks would not let you connect.

 

[Softdrinks]

My ISP isnt blocking all the IP's of KF however one IP isnt working. they seem to be a direct customer of cogent according to bgp activity, they do not have a NOC listed however they do have a "OrgRoutingHandle" and a "OrgTechHandle" should i be contacting the Routinghandle if i have trouble connecting?

 

[Null]

My ISP isnt blocking all the IP's of KF however one IP isnt working. they seem to be a direct customer of cogent according to bgp activity, they do not have a NOC listed however they do have a "OrgRoutingHandle" and a "OrgTechHandle" should i be contacting the Routinghandle if i have trouble connecting?

Which IP is not working?

 

[Softdrinks]

Which IP is not working?

94.131.3.118, however its fortunate that i can still get on just fine via other ips, never had issues connecting. just this IP not working

 

[Pentaborane]

https://dnschecker.org/

86.107.179.19
89.221.224.80
89.221.225.73
94.131.3.118

Go down this list and traceroute each. Figure out which ones aren't completing. Copy the last successful node to ping. Identify the company, find their NOC address. Complain to them that their network is unable to access whatever IP you tried tracerouting. Suggest it might be Cogent's fault.

Not quite. There are some other outages. I'm connecting from my current user's IP address that has 146 in the last nibble.

The worst part is that browsers on Windows don't work properly with round-robin addresses.

Spoiler: traceroute

                                My traceroute  [v0.95]
self -> 89.221.224.80 (89.221.2242023-12-26T23:37:27+0100
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                              Packets               Pings
 Host                                       Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. [...]
 5. hbg-bb2-link.ip.twelve99.net            66.7%     7   13.0  12.7  12.5  13.0   0.3
 7. adm-bb2-link.ip.twelve99.net             0.0%     7   18.6  18.8  18.2  19.4   0.4
 8. adm-b10-link.ip.twelve99.net             0.0%     7   19.0  18.4  18.2  19.0   0.3
 9. milaehf-ic-319567.ip.twelve99-cust.net   0.0%     7   18.6  18.9  18.5  20.5   0.7
10. 157-157-221-5.dsl.dynamic.simnet.is      0.0%     7   62.3  71.2  62.3  77.8   5.8
11. is.pq.kiwifarms.net                      0.0%     7   55.2  54.1  53.9  55.2   0.5

% ping 89.221.224.80
PING 89.221.224.80 (89.221.224.80): 56 data bytes
64 bytes from 89.221.224.80: icmp_seq=0 ttl=53 time=54.255 ms
64 bytes from 89.221.224.80: icmp_seq=1 ttl=53 time=53.991 ms
^C
--- 89.221.224.80 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 53.991/54.123/54.255/0.132 ms
% TZ=C date
Tue Dec 26 22:18:15 UTC 2023
% curl --resolve kiwifarms.hk:443:89.221.224.80 -v -I 'https://kiwifarms.hk/forums/forum-discussion.8/'
* Added kiwifarms.hk:443:89.221.224.80 to DNS cache
* Hostname kiwifarms.hk was found in DNS cache
*   Trying 89.221.224.80:443...
* Connected to kiwifarms.hk (89.221.224.80) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to kiwifarms.hk:443
* Closing connection
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to kiwifarms.hk:443
%

At the same time 89.221.225.73:443 works.

Spoiler: proof

% curl -v -I 'https://kiwifarms.hk/forums/forum-discussion.8/'
*   Trying 89.221.225.73:443...
* Connected to kiwifarms.hk (89.221.225.73) port 443
* ALPN: curl offers h2,http/1.1                                                                                                   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):                                                                       * TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=kiwifarms.net
*  start date: Dec 21 16:28:07 2023 GMT
*  expire date: Mar 20 16:28:06 2024 GMT
*  subjectAltName: host "kiwifarms.hk" matched cert's "kiwifarms.hk"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://kiwifarms.hk/forums/forum-discussion.8/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: kiwifarms.hk]
* [HTTP/2] [1] [:path: /forums/forum-discussion.8/]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> HEAD /forums/forum-discussion.8/ HTTP/2
> Host: kiwifarms.hk
> User-Agent: curl/8.4.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 203
HTTP/2 203
< server: openresty
server: openresty
< date: Tue, 26 Dec 2023 22:24:04 GMT
date: Tue, 26 Dec 2023 22:24:04 GMT
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< content-length: 4413
content-length: 4413
< set-cookie: sssg_clearance=; Domain=.; Max-Age=0; Expires=Mon, 26 Dec 2022 22:24:04 GMT
set-cookie: sssg_clearance=; Domain=.; Max-Age=0; Expires=Mon, 26 Dec 2022 22:24:04 GMT

<
* Connection #0 to host kiwifarms.hk left intact

 

[Tetragrammaton]

although i have not any issues connecting over clearnet so far this is actually a pretty useful guide for what to do when/if an issue does arise.