RE: [sysreq #14828] W3.org site not accessible; Whitelist Zscaler Ip address range

Hi team,

Appears the Zscaler IP range is still blocked; MTR is:

[support@zs2-akl1-1b ~]$ mtr -c 300 --no-dns 128.30.52.100
                                                    My traceroute  [v0.80]
zs2-akl1-1b (0.0.0.0)                                                                                 Mon Dec 14 21:20:56 2020
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                                      Packets               Pings
 Host                                                                               Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 124.248.141.3                                                                    0.0%    29    0.4   2.8   0.2  47.5  10.0
 2. 154.18.96.58                                                                     0.0%    29   25.9  29.8  25.9  77.2  10.9
 3. 154.18.96.57                                                                     0.0%    29  156.4 156.5 156.3 156.8   0.2
 4. 154.54.88.141                                                                    0.0%    29  200.4 200.4 200.3 200.7   0.1
 5. 154.54.88.138                                                                    0.0%    29  200.4 200.6 200.3 202.8   0.5
 6. 154.54.140.18                                                                    0.0%    29  265.0 265.3 264.9 268.3   0.8
 7. 195.89.111.210                                                                   0.0%    29  200.7 200.8 200.6 201.1   0.1
 8. 23.57.106.245                                                                    0.0%    28  200.5 200.5 200.5 200.7   0.1
 9. 72.52.1.155                                                                      0.0%    28  203.8 203.6 203.4 203.8   0.1
10. 72.52.1.244                                                                      0.0%    28  200.8 200.7 200.5 200.8   0.1
11. ???

Any help greatly appreciated.

Jacob Vaughan
Senior Cybersecurity Engineer | A/NZ Security Operations Centre

68-86 Jervois Quay, Wellington, 6011, New Zealand
Email: JacobV@datacom.co.nz | Mobile: +64 212070737
www.datacom.co.nz



-----Original Message-----
From: Jean-Guilhem Rouel via RT <sysreq@w3.org> 
Sent: Friday, 11 December 2020 4:25 AM
Cc: jacob.vaughan@mpi.govt.nz; Jacob Vaughan <JacobV@datacom.co.nz>; site-comments@w3.org
Subject: [sysreq #14828] W3.org site not accessible; Whitelist Zscaler Ip address range

On Thu Dec 10 09:33:29 2020, srawat@zscaler.com wrote:
> Hello Team,
> 
> Hope you are doing well.
> 
> I am writing this email in hopes of reaching someone in your 
> security/networking department.
> 
> One of our customers *Ministry for Primary Industries New Zealand* 
> raised concern that they were not able to reach the following URLs via 
> our company's service.
> *https://www.w3.org/*
> 
> Taking tcpdump we see Zscaler Auckland node is sending TCP SYN however 
> site is not responding. We see no SYN+ACK from destination.
> It seems you have not whitelisted the range from our Auckland Node.
> 
> 22:48:41.949990 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 74: 124.248.141.76.33661 > 128.30.52.100.80: Flags [S], seq 2737271665, win 65535, options [mss 1460,nop,wscale 5,sackOK,TS val 188199143 ecr 0], length 0
> 22:48:44.592392 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 74: 124.248.141.76.33661 > 128.30.52.100.80: Flags [S], seq 2737271665, win 65535, options [mss 1460,nop,wscale 5,sackOK,TS val 188199443 ecr 0], length 0
> 22:48:47.420014 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 74: 124.248.141.76.33661 > 128.30.52.100.80: Flags [S], seq 2737271665, win 65535, options [mss 1460,nop,wscale 5,sackOK,TS val 188199763 ecr 0], length 0
> 22:48:50.256015 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 62: 124.248.141.76.56447 > 128.30.52.100.80: Flags [S], seq 1205153653, win 65535, options [mss 1460,sackOK,eol], length 0
> 22:48:52.915216 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 62: 124.248.141.76.56447 > 128.30.52.100.80: Flags [S], seq 1205153653, win 65535, options [mss 1460,sackOK,eol], length 0
> ^C
> 
> As a company, Zscaler provides a hosted web filtering/security solution. 
> As part of the debugging process, we noticed that the outbound IP 
> address of our nodes is being blocked from your CDN.
> Would it be possible to open a dialogue to have this ban or throttle 
> policy lifted? If there is something we need to address I would be 
> more than happy to look at it.
> Note: It is possible that you are seeing a large volume of traffic 
> from our IP address. This is not uncommon as we may have up to 50k+ 
> users behind a single node.

Hi,

Would you be able to run a traceroute to see where packets get stopped? We've received a few similar complaints around the same time as yours, one of them being blocked on Akamai's routers to protect our Internet provider's network. This may be due to them mitigating an attack on this network, I'll try to get more information.

Best Regards,
Jean-Gui

> 
> Zscaler Case ID:  02654708
> Location: *Auckland*
> Range:
> *Auckland* *124.248.141.0/24*
> 
> Regards,
> Suman Rawat
> Zscaler Product Support Engineer

Received on Monday, 14 December 2020 09:26:08 UTC
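
The symptom described in the thread (repeated TCP SYNs with no SYN+ACK coming back) can be checked mechanically over `tcpdump` text output. The following is an added example, not part of the original messages or any Zscaler or W3C tooling; the function names, the regular expression and the last two capture lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The five SYN lines are the ones quoted in the thread (line wraps and emphasis
# markers removed); the last two lines are constructed to show an answered flow.
CAPTURE = """\
22:48:41.949990 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 74: 124.248.141.76.33661 > 128.30.52.100.80: Flags [S], seq 2737271665, win 65535, options [mss 1460,nop,wscale 5,sackOK,TS val 188199143 ecr 0], length 0
22:48:44.592392 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 74: 124.248.141.76.33661 > 128.30.52.100.80: Flags [S], seq 2737271665, win 65535, options [mss 1460,nop,wscale 5,sackOK,TS val 188199443 ecr 0], length 0
22:48:47.420014 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 74: 124.248.141.76.33661 > 128.30.52.100.80: Flags [S], seq 2737271665, win 65535, options [mss 1460,nop,wscale 5,sackOK,TS val 188199763 ecr 0], length 0
22:48:50.256015 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 62: 124.248.141.76.56447 > 128.30.52.100.80: Flags [S], seq 1205153653, win 65535, options [mss 1460,sackOK,eol], length 0
22:48:52.915216 0c:c4:7a:fa:10:a5 > 00:00:5e:00:01:0f, ethertype IPv4 (0x0800), length 62: 124.248.141.76.56447 > 128.30.52.100.80: Flags [S], seq 1205153653, win 65535, options [mss 1460,sackOK,eol], length 0
10:00:00.000100 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40000 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
10:00:00.030100 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 198.51.100.5.80 > 192.0.2.10.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
""".splitlines()

# Matches "<time> ... <src>.<sport> > <dst>.<dport>: Flags [<flags>]" (IPv4 only).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def unanswered_syns(lines):
    """Map (src, sport, dst, dport) -> SYN timestamps for flows that never saw a SYN+ACK."""
    syns, answered = defaultdict(list), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["flags"] == "S":            # client SYN (first attempt or retransmission)
            syns[flow].append(to_seconds(m["ts"]))
        elif m["flags"] == "S.":         # SYN+ACK travels in the reverse direction
            answered.add((flow[2], flow[3], flow[0], flow[1]))
    return {f: t for f, t in syns.items() if f not in answered}

def retry_gaps(times):
    """Seconds between successive SYN attempts of one flow."""
    return [round(b - a, 3) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for flow, times in unanswered_syns(CAPTURE).items():
        print(flow, f"{len(times)} SYNs, no SYN+ACK, retry gaps {retry_gaps(times)}s")
```

A flow that shows only SYN retries and no reply of any kind in a sender-side capture is consistent with packets being dropped silently somewhere on the path, which is why the reply asks for a traceroute.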