Cloudflare misidentifies Hetzner IPs as being located in Iran

I&#x27;m frequently reminded how thankful I am to live in a country with a strong, positive international reputation. Even ignoring actual quality-of-life stuff associated with where I live - simply not being from a country with a &quot;dodgy&quot; reputation makes many things so much easier.<p>I don&#x27;t have to think about blocked websites. Companies accept my payments. Couriers ship to me. With my passport, I walk straight to the front of the fast lane, past the large queue of people who didn&#x27;t happen to be born somewhere rich, western and politically stable.<p>I don&#x27;t take it for granted, and it makes me sad that this distinction exists.

Hey OP. On behalf of Cloudflare, we take information accuracy very seriously.<p>I raised the linked issue internally with the team, and they have reason to suspect this has already been addressed.<p>That being said, if you (or anyone else here) are still seeing this issue occur, please raise a ticket with our support team (<a href="https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;support&#x2F;contacting-cloudflare-support&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;support&#x2F;contacting-cloudfl...</a>) so we can investigate further.<p>Thanks :)

This probably wasn’t cloudflare doing per se. It was probably Maxmind, which is the most widely used IP to Geolocation service out that.<p>And cloudflare uses it as well.<p><a href="https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;network&#x2F;ip-geolocation&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;network&#x2F;ip-geolocation&#x2F;</a>

This whole issue of blocking Iranian IPs and not allowing them to download Docker containers for ‘legal’ reasons is ridiculous. Additionally, trying to detect and ban VPNs used by Iranians, which will affect the next user of that IP, is equally absurd

This is not limited to Cloudflare. Google has the same issue and it turns out the IPs were being used by the Iranian hosting companies connected to internet surveillance but they keep moving around. So far we only observed this in Hetzner German DCs, which is consistent with the news about illicit activities by Iranian companies in Germany, two years ago during the last uprising against the Iranian government (the Woman, Life, Freedom movement)<p>We also wrote about this <a href="https:&#x2F;&#x2F;blog.cloud66.com&#x2F;hetzner-connectivity-issues-due-to-sanction-busting-activities" rel="nofollow">https:&#x2F;&#x2F;blog.cloud66.com&#x2F;hetzner-connectivity-issues-due-to-...</a>

it&#x27;s pretty absurd that cloudflare can just effectively cripple a cloud provider by tagging part of their IPv4 range as Iranian and not fixing their issues in over a year (and AFIK have no intention to fix them at all)<p>like I wonder if Hetzner has any way to legally force them to stop misclassifying their IP

I will describe what we do at IPinfo to avoid such a messup. First of all because we do active measurements and our data is usually less prone to errors like this and when it comes to IP location it is as good as it gets.<p>We have a support team active 247. Then is the issue of update rollout, when things goes wrong (rarely if ever) we can push data updates immediately. We work with our customers and users and try to push immediate fixes.<p>But the most important thing in my opinion we do is this comment itself. If things go wrong we will address it before you come to our support team.

Falsehoods lawyers believe about the Internet: You can identify a person (and their jurisdiction) from “their” IP address.

Might be pertinent to suffix this with (2023), though I see there are still recent replies

It should be illegal for providers to override the location information provided by the owner of the IP. Hopefully the FTC will look into this abuse. In the real world this would be the equivalent of me putting my shipping address on an order but the store deciding to ship it to some random place because they “believe” that’s my actual address.

Does this kind of thing affect Hetzner IPs in their US datacenters?

I was recently reviewing my Google account session history and saw an active session from some small town in western China. Obviously freaked out, rolled all passwords, spent hours scouring what they could’ve had access to, etc.<p>Only for the next day, when Google updates the exact same sessions location to my exact real location on another continent.<p>Google of course won’t show the IP address of sessions anymore, just the “location” so there was no way of confirming beforehand.

Would be an easy way to conduct an adhoc trade war...AWS doesn&#x27;t need competition from a pesky German host let&#x27;s just make things faintly awkward...

Yeah, google does it too. I could not use certain Hetzner IPs to download container image on my kubernetes nodes at all. Even the official registry.k8s.io registry is hosted on Google Cloud Services and basic stuff like the pause image cant be pulled.

Is Apple store working in Iran? For example, Apple store is working in Russia.<p>I genuinely do not understand how logic works between 1.sanctions 2... 3.let&#x27;s ban some IPs. What is the chain of reasoning happens on step 2? Why this is not applicable to Google&#x2F;Apple?<p>There are definitely sanctions against Russia, yet Apple&#x2F;Play stores work just fine.

I wonder if this is related to something I found when I moved my hosting from DO to Hetzner: <a href="https:&#x2F;&#x2F;on-no.net&#x2F;posts&#x2F;moving-providers-and-tainted-ips&#x2F;" rel="nofollow">https:&#x2F;&#x2F;on-no.net&#x2F;posts&#x2F;moving-providers-and-tainted-ips&#x2F;</a><p>TL;DR is that the IP that my new instance was assigned had previously been used as part of an advertising CDN based in Iran. It wouldn&#x27;t surprise me if this is some game of whack-a-mole between interested parties who are at turns applying and attempting to evade blocks.

That probably explains the issues I’m having sometimes when pulling images from Elastic registry on hetzner boxes. At least now I know the reason behind that

<a href="https:&#x2F;&#x2F;geolocatemuch.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;geolocatemuch.com&#x2F;</a> is the way.

This seems to be more than a year ago. Why is it suddenly trending now?

gg

I mean, so? Why should it matter where they are located?

My theory is lots of people who want to circumvent Iranian internet censorship rely on tunnels&#x2F;VPNs hosted on Hetzner, which correlates those IPs with `Accept-Language: fa` and GPS locations collected from Android or other similar behavior.

ok