
Issue #9261 resolved

Can't Access Site From IRAN

Mohammad Sarrami
created an issue

Dear BitBucket team,

Recently I can't access my repository with an Iranian IP address.

Is there any new Policy to ban the service from Any Region?

Can you please let me know if I have to replace your service with some other free online services? My email would be: Farvashani@gmail.com

Many thanks

Comments (47)

  1. Erik van Zijst staff

    > Is there any new Policy to ban the service from Any Region?

    I'm afraid we should ask Ahmadinejad. Can you copy paste the output of:

    $ nslookup bitbucket.org
    $ traceroute bitbucket.org
    $ ping bitbucket.org
    

    Also, what do you see when you load Bitbucket up in a browser? Does it time out, or do you see a government message?

    If Iran's draconian censorship machine has indeed decided its citizens don't deserve online code hosting services, you might want to consider proxy servers or TOR.

  2. hamed gh

    I have the same problem. (I'm connecting from university, and the university's administrators said we didn't close any port!)

    I open BitBucket.org with a proxy (because of filtering), but it seems the proxy doesn't work for cmd!

    When I use git push origin master, it shows me:

    error: Connection time-out while accessing https://hamed256giga@bitbucket.org/hamed256giga/blog.git/info/refs?service=git-receive-pack
    fatal: HTTP request failed

    When I try $ nslookup bitbucket.org, it shows me:

    Server:  dc01.kashanu.local
    Address:  172.16.2.30

    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    bitbucket.org
    Addresses:  131.103.20.167
              131.103.20.168

    When I try ping bitbucket.org:

    Pinging bitbucket.org [131.103.20.168] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 131.103.20.168:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    So what should I do??

  3. hamed gh

    Yes, I think so (is there any other command to test?). I can load bitbucket.org only with a proxy or VPN. If I try "ping google.com" with the VPN, everything is OK:

    Pinging google.com [173.194.70.138] with 32 bytes of data:
    Reply from 173.194.70.138: bytes=32 time=129ms TTL=51
    Reply from 173.194.70.138: bytes=32 time=130ms TTL=51
    Reply from 173.194.70.138: bytes=32 time=130ms TTL=51
    Reply from 173.194.70.138: bytes=32 time=130ms TTL=51

    Ping statistics for 173.194.70.138:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 129ms, Maximum = 130ms, Average = 129ms

    I try "tracert google.com":

    Tracing route to google.com [173.194.113.103]
    over a maximum of 30 hops:

      1   132 ms   131 ms   131 ms  10.254.72.1
      2   139 ms   134 ms   132 ms  46.16.32.1
      3   132 ms   131 ms   133 ms  ffm-b2-link.telia.net [62.115.12.109]
      4   132 ms   132 ms   133 ms  ffm-bb1-link.telia.net [80.91.252.169]
      5   135 ms   133 ms   133 ms  ffm-b7-link.telia.net [80.91.249.105]
      6   134 ms   132 ms   132 ms  google-ic-127674-ffm-b7.c.telia.net [213.248.89.38]
      7     *      148 ms   146 ms  72.14.238.44
      8   189 ms   133 ms   132 ms  209.85.243.233
      9   134 ms   135 ms   134 ms  fra02s22-in-f7.1e100.net [173.194.113.103]

    Trace complete.

    Tell me, what should I do?? :(

  4. Erik van Zijst staff

    hamed gh So you can load and use the site ok (I guess you can, considering you were able to comment on this issue). If you are using a VPN then a clone should really also work. Can you paste the full shell output of the commands I mentioned above?

  5. hamed gh

    nslookup bitbucket.org

    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    Name:    bitbucket.org
    Addresses:  131.103.20.168
              131.103.20.167

  6. hamed gh

    traceroute bitbucket.org

    traceroute : The term 'traceroute' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + traceroute bitbucket.org
    + ~~
        + CategoryInfo          : ObjectNotFound: (traceroute:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    tracert bitbucket.org

    Tracing route to bitbucket.org [131.103.20.167]
    over a maximum of 30 hops:

      1   155 ms   156 ms   158 ms  10.254.104.1
      2   155 ms   155 ms   156 ms  46.16.32.1
      3   155 ms     *      175 ms  xe-1-2-2.cr2.fra1.de.nlayer.net [63.141.223.221]
      4   155 ms   155 ms   156 ms  as2914.xe-0-3-2.cr2.fra1.de.nlayer.net [69.22.139.31]
      5   158 ms     *      166 ms  xe-1-1-3.r20.frnkge04.de.bb.gin.ntt.net [129.250.5.221]
      6   249 ms   251 ms   256 ms  ae-1.r21.asbnva02.us.bb.gin.ntt.net [129.250.3.20]
      7   241 ms   253 ms   243 ms  ae-2.r00.asbnva02.us.bb.gin.ntt.net [129.250.3.114]
      8   277 ms   248 ms   264 ms  131.103.20.156
      9   266 ms   245 ms   251 ms  131.103.20.167

    Trace complete.

    ping bitbucket.org

    Pinging bitbucket.org [131.103.20.167] with 32 bytes of data:
    Reply from 131.103.20.167: bytes=32 time=256ms TTL=56
    Reply from 131.103.20.167: bytes=32 time=253ms TTL=56
    Reply from 131.103.20.167: bytes=32 time=245ms TTL=56
    Reply from 131.103.20.167: bytes=32 time=243ms TTL=56

    Ping statistics for 131.103.20.167:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 243ms, Maximum = 256ms, Average = 249ms

  7. Erik van Zijst staff

    That all looks normal. You say you are using a proxy server because of the network censorship. It's possible these proxy servers don't play well with Git's clone requests, which are streaming. This is something you'd have to investigate / ask the proxy administrator.

    If you are on a VPN you shouldn't need any app-level proxies, in which case you could give SSH a try.

  8. Mehran Ahadi

    I have the same issue. This problem seems not to be caused by Iran Government Censorship. I've queried the censorship database (http://rafefilter.internet.ir/) and it says bitbucket.org is not censored!

    The problem is neither with DNS lookup:

    Non-authoritative answer:
    Name:    bitbucket.org
    Addresses:  131.103.20.167
              131.103.20.168
    

    Nor with routing:

    Tracing route to bitbucket.org [131.103.20.168]
    over a maximum of 30 hops:
    
      1     1 ms     2 ms     1 ms  WiMaxCPE [192.168.1.1]
      2     *        *        *     Request timed out.
      3    71 ms   157 ms    72 ms  172.23.133.90
      4    69 ms    93 ms   358 ms  10.132.75.249
      5    89 ms   284 ms   127 ms  10.132.92.35
      6    70 ms    64 ms   103 ms  10.132.92.44
      7  1908 ms   228 ms   162 ms  10.21.252.82
      8     *        *        *     Request timed out.
      9    80 ms    72 ms    74 ms  10.21.22.97
     10   247 ms    73 ms   127 ms  10.21.21.65
     11    70 ms    83 ms   108 ms  10.21.21.69
     12   187 ms   259 ms   203 ms  so-10-0-0.franco71.fra.seabone.net [89.221.34.190]
     13   279 ms   188 ms   172 ms  195.22.214.77
     14   204 ms   259 ms   148 ms  195.22.214.63
     15   140 ms   158 ms   194 ms  ae-2.r20.frnkge04.de.bb.gin.ntt.net [129.250.5.217]
     16   246 ms   229 ms   242 ms  ae-1.r21.asbnva02.us.bb.gin.ntt.net [129.250.3.20]
     17   228 ms   239 ms   233 ms  ae-2.r00.asbnva02.us.bb.gin.ntt.net [129.250.3.114]
     18   248 ms   243 ms   246 ms  131.103.20.156
     19     *        *      271 ms  131.103.20.168
    
    ------------------------------------------------------
    
    Pinging bitbucket.org [131.103.20.168] with 32 bytes of data:
    Reply from 131.103.20.168: bytes=32 time=299ms TTL=45
    Reply from 131.103.20.168: bytes=32 time=256ms TTL=45
    Reply from 131.103.20.168: bytes=32 time=279ms TTL=45
    Reply from 131.103.20.168: bytes=32 time=226ms TTL=45
    
    Ping statistics for 131.103.20.168:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 226ms, Maximum = 299ms, Average = 265ms
    

    Even opening http://bitbucket.org/ successfully redirects to the SSL-enabled https://bitbucket.org/ address! It means that we have access to your servers but the server might not be responding to Iranian IPs.

    Opening https://bitbucket.org/ in a browser shows a connection timeout message. I'm not so expert in SSL-related stuff, but it would be likely caused by an SSL problem, if we assume there is no policy in your servers to ban Iranian users.

    As I tested, using any IP changing tools like VPNs and proxies will totally solve this problem, but it's not the right solution. It's obvious that not all Iranian users are able to change their IP, including amateur customers.

    And by the way, Ahmadinejad is gone :)

  9. Erik van Zijst staff

    > Opening https://bitbucket.org/ in a browser shows a connection timeout message. I'm not so expert in SSL-related stuff, but it would be likely caused by an SSL problem, if we assume there is no policy in your servers to ban Iranian users.

    We do not perform any firewalling whatsoever, but I cannot vouch for any intermediate network provider, Iranian or otherwise.

    > And by the way, Ahmadinejad is gone :)

    Yes, my mistake :)

  10. Mehran Ahadi

    Dear Hamed, It's not about being able to access the service using proxies or VPNs. It's about being able to use the service directly and freely without any kind of blocking, as it was before. You might want to take a look at my previous post.

    Unfortunately, the problem still persists and is not fixed: "bitbucket.org took too long to respond"

  11. Thanh LE

    Today we cannot access Bitbucket from Vietnam also. We can access the site but very slowly, and we cannot import projects to Eclipse (or from the console).

    Can anyone help, please?

  12. Jim Redmond staff

    Unfortunately, this appears to be the same problem as before: DNS is resolving the wrong address for bitbucket.org.

    If you update your hosts file (usually /etc/hosts) to include a line like this, then can you connect?

    131.103.20.167 bitbucket.org

  13. Erik van Zijst staff

    I'm afraid there's little we can do about governments that censor the Internet either by subverting DNS, or blocking routes.

    In countries where this is a constant issue, I'd consider looking into using a VPN service (assuming those are not all blocked as well). If worst comes to worst, you should be able to use TOR.

  14. danrah

    I added the line to the hosts file, but when I try to fetch, I get this error:

    fatal: unable to access 'https://username@bitbucket.org/reposityr.git/': error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

    and when I change my origin from myusername@bitbucket.org to myusername@131.103.20.167 I get the following error:

    fatal: unable to access 'https://myusername@131.103.20.167/repository.git/': SSL: certificate subject name 'bitbucket.org' does not match target host name '131.103.20.167'

    How do I add the certificate to exceptions? I'm using SourceTree on Windows.

  15. danrah

    The problem is not yet gone for me. Maybe for some ISPs the issue is resolved. I have the problem with both AsiaTek and Shatel ISPs. However, the above temporary fix will do the trick.

  16. Mehran Ahadi

    Guys, I just checked http://rafefilter.internet.ir/ and found out it seems to be blocked by the government! So I posted an unblock request just a few mins ago. I'll let you know whenever I get a response.

    Hamed Jafari It seems that it's not solved yet! For instance, I can access https://bitbucket.org by Internet Explorer on Windows on my laptop (and am currently posting this comment through it), but all other platforms/clients fail to initialize an HTTPS connection! It might be because of some kind of certificate caching or something like that. You're lucky! :)

  17. Mahdi Zareie

    I'm confirming the problem is still blocking access to Bitbucket. I believe a man in the middle is doing some kind of modification on SSL records.
    It's definitely not a problem related to censorship, because Bitbucket servers are accessible, but something more strange is happening. Perhaps they are trying to run a decryption algorithm on the cipher-text but the algorithm does a modification on SSL records... I guess :-/

  18. Jim Redmond staff

    danrah That may appear to work, but then you'd have no way to be sure that the system answering your requests really is Bitbucket. If you can verify that the certificate presented matches our fingerprint (46:de:34:e7:9b:18:cd:7f:ae:fd:8b:e3:bc:f4:1a:5e:38:d7:ac:24), though, then you may have a good temporary solution.

    You might also be able to reach our API host, api.bitbucket.org, without any man-in-the-middle interference.

    Mehran Ahadi I'd be curious to hear about any response you receive.

  19. Mohammad Shokri

    Jim Redmond It's some kind of DNS Spoofing attack on popular DNS resolvers in Iran. Google & Level3 DNS Servers are confirmed for these addresses: 8.8.8.8, 8.8.4.4 and 4.2.2.4.

    Sample output from dig command:

    $ dig +noall bitbucket.org a +answer @8.8.8.8
    bitbucket.org.      889 IN  A   10.10.34.36
    

    IP address 10.10.34.36 is a common DNS Sinkhole in Iran.

    A quick fix for this is to add BitBucket IP Address to /etc/hosts file:

    # /etc/hosts file
    131.103.20.167    bitbucket.org
    

    Some other lesser-known public DNS servers are not currently affected, and can also be used to work around this issue:

    • Cisco OpenDNS: 208.67.222.222
    • Norton ConnectSafe: 199.85.126.10

    Mahdi Zareie What's interesting is that there is also a MITM attack combined with Spoofing which forms a Malformed DNS Packet by adding 2 extra bytes at the beginning of the DNS response packet:

    Sample output from dig command:

    $ dig +noall bitbucket.org any +answer @8.8.8.8
    ;; Got bad packet: bad label type
    47 bytes
    e1 fb 81 80 00 01 00 01 00 00 00 00 09 62 69 74          .............bit
    62 75 63 6b 65 74 03 6f 72 67 00 00 0c 00 01 c0          bucket.org......
    0c 00 0c 00 01 00 00 03 79 00 03 41 41 41 00             ........y..AAA.
    

    First 2 bytes e1 fb are injected! They are Random Packet corruptions of DNS payload!

    What's also interesting is that only UDP DNS packets are affected; forcing DNS to use TCP is OK:

    $ dig +noall bitbucket.org any +answer +tcp @8.8.8.8
    bitbucket.org.      21599   IN  A   131.103.20.167
    bitbucket.org.      21599   IN  A   131.103.20.168
    bitbucket.org.      21599   IN  NS  ns-1305.awsdns-35.org.
    bitbucket.org.      21599   IN  NS  ns-1746.awsdns-26.co.uk.
    bitbucket.org.      21599   IN  NS  ns-445.awsdns-55.com.
    bitbucket.org.      21599   IN  NS  ns-584.awsdns-09.net.
    bitbucket.org.      899 IN  SOA ns-584.awsdns-09.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
    bitbucket.org.      21599   IN  MX  1 aspmx.l.google.com.
    bitbucket.org.      21599   IN  MX  10 aspmx2.googlemail.com.
    bitbucket.org.      21599   IN  MX  10 aspmx3.googlemail.com.
    bitbucket.org.      21599   IN  MX  5 alt1.aspmx.l.google.com.
    bitbucket.org.      21599   IN  MX  5 alt2.aspmx.l.google.com.
    bitbucket.org.      21599   IN  TXT "v=spf1 a:bitbucket09.managed.contegix.com a:bitbucket10.managed.contegix.com a:lb01-ash.bitbucket.org a:lb02-ash.bitbucket.org a:status-fe01.bitbucket.org a:status-fe02.bitbucket.org include:_spf.google.com include:support.zendesk.com ~all"
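
Added example (not part of the original thread and not Bitbucket's code): an offline decoder for the two DNS answers quoted in the comment above, listing what a resolver-side sanity check would flag in each. `BAD_PACKET` is the 47-byte dump copied from the page; `SINKHOLE` is a packet constructed here from the spoofed `A 10.10.34.36` answer line, and its transaction ID, the function names and the single-question assumption are choices made for this example.

```python
import ipaddress
import struct
# 47 bytes copied from the "Got bad packet" hex dump quoted in the thread.
BAD_PACKET = bytes.fromhex(
    "e1fb8180000100010000000009626974"
    "6275636b6574036f726700000c0001c0"
    "0c000c000100000379000341414100")
# Constructed sample: a response carrying the spoofed answer A 10.10.34.36, TTL 889.
SINKHOLE = (bytes.fromhex("123481800001000100000000")
            + b"\x09bitbucket\x03org\x00" + bytes.fromhex("00010001")
            + bytes.fromhex("c00c00010001000003790004") + bytes([10, 10, 34, 36]))
TYPE_A, TYPE_PTR, TYPE_ANY = 1, 12, 255

def read_name(msg, off, depth=0):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if depth > 8:
                raise ValueError("pointer loop")
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], depth + 1)
            return ".".join(labels + [tail]), off + 2
        if n & 0xC0:  # 01 and 10 prefixes are not ordinary labels
            raise ValueError("bad label type")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def audit_response(msg, asked_qtype):
    """Parse a one-question response and list what looks wrong with it."""
    txid, _flags, _qd, ancount = struct.unpack_from("!4H", msg, 0)
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    findings = []
    if qtype != asked_qtype:
        findings.append(f"question type {qtype}, but type {asked_qtype} was asked")
    for _ in range(ancount):
        _owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_A and rdlen == 4 and ipaddress.ip_address(rdata).is_private:
            findings.append(f"A record {ipaddress.ip_address(rdata)} is a private address")
        if rtype == TYPE_PTR:
            try:
                read_name(msg, off - rdlen)  # PTR rdata must itself be a name
            except (ValueError, IndexError) as exc:
                findings.append(f"PTR rdata {rdata!r} is not a domain name: {exc}")
    if off != len(msg):
        findings.append(f"{len(msg) - off} trailing byte(s) after the last record")
    return {"id": txid, "qname": qname, "findings": findings}
```

On the quoted dump, `audit_response(BAD_PACKET, TYPE_ANY)` reports a PTR-typed question, an answer whose rdata `AAA` fails name decoding (consistent with the `bad label type` message dig printed) and one trailing byte; on the constructed sinkhole packet it reports only the private address.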
    
  20. Mohammad Shokri

    Jim Redmond SSL Fingerprint verified:

    $ openssl s_client -connect bitbucket.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
    SHA1 Fingerprint=46:DE:34:E7:9B:18:CD:7F:AE:FD:8B:E3:BC:F4:1A:5E:38:D7:AC:24
    

    But still can't access through web:

    $ curl -I https://bitbucket.org/
    curl: (35) Unknown SSL protocol error in connection to bitbucket.org:-9847
    
  21. halaei

    This is the error that I see in Firefox:

    An error occurred during a connection to bitbucket.org. SSL received a record that 
    exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
    
  22. Mohammad Shokri

    Erik van Zijst Thank you Erik, I hope this could help shed some light on the permanent solution for this, because we really are dependent on Bitbucket cloud Git services and their integration with other services. Currently both VPN and/or Tor would work, but both of them are slow and require special customization of servers, especially in order to maintain integration between services like Phabricator and Bitbucket.

  23. Ali Tivay

    I am still experiencing this problem. The situation is particularly hairy for me because I'm trying to connect from a VPS inside Iran, and I can't activate a proxy like "openconnect" since it breaks my SSH connection to the VPS.

    bitbucket.org is still inaccessible from the VPS.

  24. halaei

    According to this link, it seems that bitbucket is not filtered by Iran, but bitbucket itself embargoed Iran. If it is true, then I can say it is a shame. I think bitbucket should officially confirm or reject it.

  25. Vladlena Shumilo

    This is NOT resolved and after testing a lot this seems like a bitbucket thing. As per the comment above I am trying to connect from Cuba and getting timeouts via ssh AND https. Happens that Cuba is in the embargoed list too. Coincidence?
