ISPs in Spain are blocking CDN IP ranges to tackle soccer piracy
Hello, Nanog, This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages. A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers. The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place. The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT. These blockages are applied when the soccer matches are played and they are turned off hours later. Cloudflare has already taken legal action against this, but the issue is still ongoing. You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol). *Regards,* *Raúl Martínez*
LOL! I’m sure there’s a tariff for that :-) -mel
On Apr 14, 2025, at 8:20 AM, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote:
Hello, Nanog,
This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers.
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT.
These blockages are applied when the soccer matches are played and they are turned off hours later.
Cloudflare has already taken legal action against this, but the issue is still ongoing.
You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol).
*Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
Here's an idea, why don't we centralise the entire internet behind a single network to "solve" the issue of connectivity and availability? Oh, wait! Nevermind! /s C. On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote:
Hello, Nanog,
This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers.
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT.
These blockages are applied when the soccer matches are played and they are turned off hours later.
Cloudflare has already taken legal action against this, but the issue is still ongoing.
You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol).
*Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
While we're at it, who needs L3. A flat L2 should suffice. On 4/14/25 18:00, Constantine A. Murenin via NANOG wrote:
Here's an idea, why don't we centralise the entire internet behind a single network to "solve" the issue of connectivity and availability? Oh, wait! Nevermind! /s
C.
On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote:
Hello, Nanog,
This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers.
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT.
These blockages are applied when the soccer matches are played and they are turned off hours later.
Cloudflare has already taken legal action against this, but the issue is still ongoing.
You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol).
*Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TPJCY6RF...
In this case the centralization normally serves to avoid blocking. You don't turn off the entire Internet to block one site, but Spain has decided to go nuclear and has decided that actually it's okay to block the entire internet to block one site. When Italy did the same thing several months ago, they said it was by mistake and reversed it (and then to save face, said there had been no mistake and they had never blocked it at all). On 14/04/25 18:00, Constantine A. Murenin via NANOG wrote:
Here's an idea, why don't we centralise the entire internet behind a single network to "solve" the issue of connectivity and availability? Oh, wait! Nevermind! /s
C.
On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote:
Hello, Nanog,
This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers.
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT.
These blockages are applied when the soccer matches are played and they are turned off hours later.
Cloudflare has already taken legal action against this, but the issue is still ongoing.
You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol).
*Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TPJCY6RF...
I'm just not sure if this "too big to fail" is a realistic strategy beyond the "feels good" component. If you prohibit any way to identify and block specific resources within a network / website… Whether with the use of CDNs, and/or with Encrypted Client Hello or the earlier Encrypted SNI to hide the Server Name Indication, or with HTTPS for read-only content in general. How could you possibly then be surprised that they DO block the entire resource in question, when a legal requirement exists to censor some specific content within, which can no longer be identified properly because of CDN with HTTPS with ECH without the plain-text SNI? For anyone who's an investor in $NET, it might be interesting to know how exactly does Cloudflare justify using things like ECH and ESNI that prohibit providers from blocking just the specific sites, and thus causing the entire network to be blocked each incident. How is it NOT Cloudflare's fault that their entire network always gets blocked in these incidents?! I'd be interested to hear why the other customers accept these things, too. If they weren't doing ECH and weren't broadcasting football through HTTPS, there'd be no need to block their entire network in these actions. Yet they're pushing ECH and HTTPS everywhere. C. On Mon, 14 Apr 2025 at 15:31, nanog--- via NANOG <nanog@lists.nanog.org> wrote:
In this case the centralization normally serves to avoid blocking. You don't turn off the entire Internet to block one site, but Spain has decided to go nuclear and has decided that actually it's okay to block the entire internet to block one site.
When Italy did the same thing several months ago, they said it was by mistake and reversed it (and then to save face, said there had been no mistake and they had never blocked it at all).
On 14/04/25 18:00, Constantine A. Murenin via NANOG wrote:
Here's an idea, why don't we centralise the entire internet behind a single network to "solve" the issue of connectivity and availability? Oh, wait! Nevermind! /s
C.
On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote:
Hello, Nanog,
This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers.
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT.
These blockages are applied when the soccer matches are played and they are turned off hours later.
Cloudflare has already taken legal action against this, but the issue is still ongoing.
You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol).
*Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TPJCY6RF...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/5PYKDCH6...
These incidents shouldn’t be a thing to begin with, as “censorship” is not within the scope of an ISP’s responsibilities. Eyeball customers pay for access to the whole internet, not “the internet minus every CDN because ISP thinks it’s their responsibility to block websites they don’t want to allow”.
On Apr 14, 2025, at 16:16, Constantine A. Murenin via NANOG <nanog@lists.nanog.org> wrote:
How is it NOT Cloudflare's fault that their entire network always gets blocked in these incidents?
You cannot expect the entire world to have the same laws as the United States. If laws of foreign countries specify that some content that's legal in the US has to be blocked in said country, it's 100% Cloudflare's fault for wilfully and intentionally making such blocking impossible apart from blocking Cloudflare's entire network, affecting all the other customers, too. You can't have your cake and eat it, too. A simple Google Search for ESNI / Encrypted Client Hello (ECH) / DNS over HTTPS (DoH) is all Cloudflare on top. They didn't just make it impossible by accident, they made it impossible by design. They've literally wilfully and intentionally engineered their entire network for the all-or-nothing scenario. C. On Mon, 14 Apr 2025 at 18:10, Tim Burke <tim@mid.net> wrote:
These incidents shouldn’t be a thing to begin with, as “censorship” is not within the scope of an ISP’s responsibilities. Eyeball customers pay for access to the whole internet, not “the internet minus every CDN because ISP thinks it’s their responsibility to block websites they don’t want to allow”.
On Apr 14, 2025, at 16:16, Constantine A. Murenin via NANOG <nanog@lists.nanog.org> wrote:
How is it NOT Cloudflare's fault that their entire network always gets blocked in these incidents?
Which is good. They're doing the right thing in general. -----Original Message----- From: Constantine A. Murenin via NANOG <nanog@lists.nanog.org> Sent: Monday, April 14, 2025 9:22 PM To: Tim Burke <tim@mid.net> Cc: nanog@lists.nanog.org; Constantine A. Murenin <mureninc@gmail.com> Subject: [NANOG] Re: ISPs in Spain are blocking CDN IP ranges to tackle soccer piracy You cannot expect the entire world to have the same laws as the United States. If laws of foreign countries specify that some content that's legal in the US has to be blocked in said country, it's 100% Cloudflare's fault for wilfully and intentionally making such blocking impossible apart from blocking Cloudflare's entire network, affecting all the other customers, too. You can't have your cake and eat it, too. A simple Google Search for ESNI / Encrypted Client Hello (ECH) / DNS over HTTPS (DoH) is all Cloudflare on top. They didn't just make it impossible by accident, they made it impossible by design. They've literally wilfully and intentionally engineered their entire network for the all-or-nothing scenario. C. On Mon, 14 Apr 2025 at 18:10, Tim Burke <tim@mid.net> wrote:
These incidents shouldn’t be a thing to begin with, as “censorship” is not within the scope of an ISP’s responsibilities. Eyeball customers pay for access to the whole internet, not “the internet minus every CDN because ISP thinks it’s their responsibility to block websites they don’t want to allow”.
On Apr 14, 2025, at 16:16, Constantine A. Murenin via NANOG <nanog@lists.nanog.org> wrote:
How is it NOT Cloudflare's fault that their entire network always gets blocked in these incidents?
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/LHV6DVAB...
Why is it not also 100% that government's fault for wilfully and intentionally making impossible blocking orders? And why stop at ECH? Why not 100% blame Github's if China blocks Github, for using TLS? You're running defense for totalitarianism here - not a good look. Yes, to help prevent totalitarian censorship, networks have been designed to prevent anyone other than the endpoints of a communication from learning what is being communicated. It's been a gradual process, ongoing for 30 or more years now. Dictatorships still sometimes turn off the entire internet because they can't block specific content, which makes their population angry at the dictator, who turned off the internet, and not at the content providers, who prevented the dictator from doing gradual blocks. Know what those dictators do the rest of the time? Turn on the entire internet, including content they don't like, because they can't selectively block it and the guillotines will come out if the internet stays off for too long. On 15/04/25 03:22, Constantine A. Murenin via NANOG wrote:
You cannot expect the entire world to have the same laws as the United States.
If laws of foreign countries specify that some content that's legal in the US has to be blocked in said country, it's 100% Cloudflare's fault for wilfully and intentionally making such blocking impossible apart from blocking Cloudflare's entire network, affecting all the other customers, too.
You can't have your cake and eat it, too. A simple Google Search for ESNI / Encrypted Client Hello (ECH) / DNS over HTTPS (DoH) is all Cloudflare on top. They didn't just make it impossible by accident, they made it impossible by design. They've literally wilfully and intentionally engineered their entire network for the all-or-nothing scenario.
C.
On Mon, 14 Apr 2025 at 18:10, Tim Burke <tim@mid.net> wrote:
These incidents shouldn’t be a thing to begin with, as “censorship” is not within the scope of an ISP’s responsibilities. Eyeball customers pay for access to the whole internet, not “the internet minus every CDN because ISP thinks it’s their responsibility to block websites they don’t want to allow”.
On Apr 14, 2025, at 16:16, Constantine A. Murenin via NANOG <nanog@lists.nanog.org> wrote:
How is it NOT Cloudflare's fault that their entire network always gets blocked in these incidents?
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/LHV6DVAB...
It's quite common for dictatorships to shut down all internet access in the country whenever the people are angry about something bad the dictator did. Until now, the world thought that would never happen in a supposedly democratic country. People are surprised that courts and governments are willing to go as far as shutting down half the internet, in order to solve some sports piracy. When a sportsball league asks a court to shut down half the internet to block piracy, the court is expected to refuse, and the league is expected to seek a different remedy. Apparently the sportsball leagues in Spain and Italy have strong ties to the actual Mafia, so that might have something to do with it. The same principle that prevents Spain from selectively blocking a single Cloudflare site also prevents dictators from murdering anyone in the country who edits their Wikipedia page unfavourably, so keep that in mind. On 14/04/25 23:15, Constantine A. Murenin wrote:
I'm just not sure if this "too big to fail" is a realistic strategy beyond the "feels good" component.
If you prohibit any way to identify and block specific resources within a network / website…
Whether with the use of CDNs, and/or with Encrypted Client Hello or the earlier Encrypted SNI to hide the Server Name Indication, or with HTTPS for read-only content in general.
How could you possibly then be surprised that they DO block the entire resource in question, when a legal requirement exists to censor some specific content within, which can no longer be identified properly because of CDN with HTTPS with ECH without the plain-text SNI?
For anyone who's an investor in $NET, it might be interesting to know how exactly does Cloudflare justify using things like ECH and ESNI that prohibit providers from blocking just the specific sites, and thus causing the entire network to be blocked each incident.
How is it NOT Cloudflare's fault that their entire network always gets blocked in these incidents?!
I'd be interested to hear why the other customers accept these things, too. If they weren't doing ECH and weren't broadcasting football through HTTPS, there'd be no need to block their entire network in these actions. Yet they're pushing ECH and HTTPS everywhere.
C.
On Mon, 14 Apr 2025 at 15:31, nanog--- via NANOG <nanog@lists.nanog.org> wrote:
In this case the centralization normally serves to avoid blocking. You don't turn off the entire Internet to block one site, but Spain has decided to go nuclear and has decided that actually it's okay to block the entire internet to block one site.
When Italy did the same thing several months ago, they said it was by mistake and reversed it (and then to save face, said there had been no mistake and they had never blocked it at all).
On 14/04/25 18:00, Constantine A. Murenin via NANOG wrote:
Here's an idea, why don't we centralise the entire internet behind a single network to "solve" the issue of connectivity and availability? Oh, wait! Nevermind! /s
C.
On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote:
Hello, Nanog,
This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers.
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT.
These blockages are applied when the soccer matches are played and they are turned off hours later.
Cloudflare has already taken legal action against this, but the issue is still ongoing.
You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol).
*Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TPJCY6RF...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/5PYKDCH6...
Not quite, because the entire Wikipedia in all languages is then simply blocked, so, they're not even able to read any of the other articles from Wikipedia either, in any language. This violates primal protocol design principles of flexibility and resilience, business continuity and backwards compatibility. Also, the same principle that prevents Spain from selectively blocking a single Cloudflare site, also prevents me, as a network administrator, in the privacy of my own home, from blocking ads and other undesirable resources throughout the entirety of my home network, on all devices, in bulk. And after the ability to do this network-wide blocking has been removed, Cloudflare's partners are also slowly but surely removing the ability to block said content within your own endpoint devices, too, by removing all the ad-blockers from all the stores, and preventing relevant API access from within the browser, too; plus making it a ToS violation to alter website contents through a plug-in. Sorry, but Cloudflare is not a good guy in this story. On Mon, 14 Apr 2025 at 18:20, <nanog@immibis.com> wrote:
The same principle that prevents Spain from selectively blocking a single Cloudflare site also prevents dictators from murdering anyone in the country who edits their Wikipedia page unfavourably, so keep that in mind.
They're not the good guy in terms of being a centralized service, perhaps, but the technology they've introduced and are pushing is technology I happily and enthusiastically deploy myself on my own services, though since I'm not going through their CDN you can still easily block/restrict my services. That, I think, is an important part to remember - the only fault cloudflare has here is being used by many services, the technology, however, is needed and should be widely adopted by all services. -----Original Message----- From: Constantine A. Murenin via NANOG <nanog@lists.nanog.org> Sent: Monday, April 14, 2025 9:39 PM To: nanog@immibis.com Cc: North American Network Operators Group <nanog@lists.nanog.org>; Constantine A. Murenin <mureninc@gmail.com> Subject: [NANOG] Re: ISPs in Spain are blocking CDN IP ranges to tackle soccer piracy Not quite, because the entire Wikipedia in all languages is then simply blocked, so, they're not even able to read any of the other articles from Wikipedia either, in any language. This violates primal protocol design principles of flexibility and resilience, business continuity and backwards compatibility. Also, the same principle that prevents Spain from selectively blocking a single Cloudflare site, also prevents me, as a network administrator, in the privacy of my own home, from blocking ads and other undesirable resources throughout the entirety of my home network, on all devices, in bulk. And after the ability to do this network-wide blocking has been removed, Cloudflare's partners are also slowly but surely removing the ability to block said content within your own endpoint devices, too, by removing all the ad-blockers from all the stores, and preventing relevant API access from within the browser, too; plus making it a ToS violation to alter website contents through a plug-in. Sorry, but Cloudflare is not a good guy in this story. On Mon, 14 Apr 2025 at 18:20, <nanog@immibis.com> wrote:
The same principle that prevents Spain from selectively blocking a single Cloudflare site also prevents dictators from murdering anyone in the country who edits their Wikipedia page unfavourably, so keep that in mind.
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/IFL7UVWS...
On 15/04/25 03:38, Constantine A. Murenin wrote:
Also, the same principle that prevents Spain from selectively blocking a single Cloudflare site, also prevents me, as a network administrator, in the privacy of my own home, from blocking ads and other undesirable resources throughout the entirety of my home network, on all devices, in bulk.
You control the endpoints of the communication, so you may install uBlock Origin in your browser. Unless your browser happens to run on an iPhone, in which case - you had free choice to buy a phone that supported ad-blocking or one where you were prevented from ad-blocking, so you have nobody to blame for that choice but yourself. Unless you live in one of those weird social circles where the text bubbles have to be blue or you get ostracized.
And after the ability to do this network-wide blocking has been removed, Cloudflare's partners are also slowly but surely removing the ability to block said content within your own endpoint devices, too, by removing all the ad-blockers from all the stores, and preventing relevant API access from within the browser, too; plus making it a ToS violation to alter website contents through a plug-in. Sorry, but Cloudflare is not a good guy in this story.
Absolutely. Don't buy those products. Encourage everyone you know to not buy those products. They'll get the message eventually. The web may well split in two: a free one, and an enslaved one. It will be a real shame if the enslaved-net overlaps 100% with the hard-to-censor-net. It will probably overlap 100% with the do-not-want-to-censor-net, because most large content companies bend the knee immediately at the slightest threat of blocking. To some extent, this sort of thing already happened with Tor. A network serves one master, but an inter-network, being comprised of many networks, serves many masters. All that can be done in protocol design is to make it all-or-nothing, on purpose, which is why things have been going this way in the past 30 years of protocol design. By aligning incentives a certain way, the least bad tradeoff for each master is to maximize access to information. When you're a dictator who can suppress dissent for no cost, you do so. When you're a dictator who can only suppress dissent by destroying everything that you rule over, you resign because all outcomes are bad for you. Think of it like the second amendment of the internet, or mutually assured destruction. I don't like Cloudflare but they are in the right in this particular situation. We'll see whether Spain can politically tolerate shutting down half the internet during football matches. Remember, Italy made the same decision several months ago, but quickly reversed it and went so far as to pretend it never happened. If it wasn't like this with Cloudflare, they'd probably block a handful of small hosting provider ASNs permanently. Is that good? (this is a quote - formatting accidentally removed because Thunderbird is terrible) Not quite, because the entire Wikipedia in all languages is then simply blocked, so, they're not even able to read any of the other articles from Wikipedia either, in any language. This violates primal protocol design principles of flexibility and resilience, business continuity and backwards compatibility. (my answer) Flexibility for who? Resilience for who? A protocol which gives dictators the flexibility to resiliently block dissent isn't necessarily a good thing, unless you're the dictator. (Are you?) A protocol which gives political dissidents the flexibility to resiliently communicate with each other seems better, doesn't it? You can't have both. It's flexible and resilient for one or the other. (Or neither, in which case it sucks) Are you trying to make one single internet, which implies that local administrators cannot selectively block things, or are you trying to make a fragmented internet where you're only connected to part of it and which part depends on how you connect?
One day Akamai and Cloudflare and the other "CDNs" who have contributed to the protection of criminals and been the greatest asset EVER to online organized crime - one day - and I don't know when - but they will be held responsible. Marco On 4/14/2025 1:30 PM, nanog--- via NANOG wrote:
In this case the centralization normally serves to avoid blocking. You don't turn off the entire Internet to block one site, but Spain has decided to go nuclear and has decided that actually it's okay to block the entire internet to block one site.
When Italy did the same thing several months ago, they said it was by mistake and reversed it (and then to save face, said there had been no mistake and they had never blocked it at all).
On 14/04/25 18:00, Constantine A. Murenin via NANOG wrote:
Here's an idea, why don't we centralise the entire internet behind a single network to "solve" the issue of connectivity and availability? Oh, wait! Nevermind! /s
C.
On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote:
Hello, Nanog,
This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers.
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT.
These blockages are applied when the soccer matches are played and they are turned off hours later.
Cloudflare has already taken legal action against this, but the issue is still ongoing.
You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol).
*Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TPJCY6RF...
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/5PYKDCH6...
Hi Raúl, thanks for the info... how weird that Spain's doing the same that Italy has been doing for over a year now... but of course the Spanish way, much less organised and more improvised. This is the second *known* country to widely implement this kind of thing now, and also the second that does it because football (aka "soccer"). I've read the snarky comments from two others; folks, this is serious business. Especially when you look at the experiences made by Italian Internet users (like Google apps unavailable for days because someone did the wrong thing) you'll quickly stop joking. ...a concerned Internet citizen (who also happens to be connected in Spain). nanog@lists.nanog.org (Raúl Martínez via NANOG) wrote:
This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers.
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT.
These blockages are applied when the soccer matches are played and they are turned off hours later.
Cloudflare has already taken legal action against this, but the issue is still ongoing.
You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol).
Il giorno lun 14 apr 2025 alle ore 17:20 Raúl Martínez via NANOG <nanog@lists.nanog.org> ha scritto:
The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place.
At least this was court ordered. Here in Italy the Serie A league donated a software platform to AGCOM ( Telecommunication ministry) and congress passed a law obligating providers to block IPs and domains within 30 minutes of publication using the platform. The kicker is that the copyright holders themselves are the ones to insert the IPs and Domains to block. No control, no court order, just sign up and prove you are a copyright holder and you can block IPs and domains. If you google piracy shield there is all kinds of information on what has happened in the last 18 months regarding platform setup, blocking of all kinds of legitimate content etc and CCIA sent a letter to the European commission questioning the legality of the law and system. Italy is pushing ahead and expanding the system to include more copyright holders, ie not just for live events, and expanding the size of the database to include more IPs and domains. Brian
participants (10)
-
Brian Turnbow -
Bryan Holloway -
Constantine A. Murenin -
Elmar K. Bins -
Gary Sparkes -
Marco Belmonte -
Mel Beckman -
nanog@immibis.com -
Raúl Martínez -
Tim Burke