nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

U Vlad bro? Docker accidentally cuts off Ukraine

Did you know that US sanctions extend to the digital world too?

By Kieren McCarthy, 13 Jul 2017

DevOps darling Docker accidentally cut off the entire country of Ukraine earlier this week following an overzealous effort to enforce US sanctions against Russia.

On Tuesday, the open platform's users based in the Eastern European country started posting to Docker's support forums complaining that they were hitting a block to Docker's AWS-powered download service. "The Amazon CloudFront distribution is configured to block access from your country," read a pop-up on one person's screen.

Others quickly figured out it was a geo-location ban targeting Ukrainian IP addresses and got around the block by using proxies reporting from outside the country. But the question remained as to why Docker had blocked its service in Ukraine.

And the answer, it emerged a few hours later, was renewed sanctions placed against Russia for its annexation of Crimea in 2014.

Late last month, the US Congress voted to expand existing sanctions and it appears as though those started being applied following the meeting between US president Trump and Russian president Putin at the recent G20 summit.

Trump has previously suggested he would lift the sanctions, but following the meeting it was clear that no agreement had been reached and Russian foreign minister Sergei Lavrov threatened that Russia would take its own actions against the US.

Reach

When it comes to sanctions, most people imagine it is only the refusal to sell weapons or fuel to a specific country, or freezing the accounts of individuals. But in reality they often extend much farther than that, and in the internet era often oblige companies under US legal control – ie, most internet services companies – to withdraw their services as well.

The only effective way of doing that is through geo-blocking, typically by identifying local ISPs and blacklisting their IP addresses. And so it was in this case, except that in trying to cut off Crimea, Docker's over-zealous tech team also managed to cut off the entire rest of the country – probably by relying too heavily on Amazon's blocking technology.

To its credit, Docker realized the error within a few hours of receiving the complaints, lifted the block and posted to its tech forum with an apology.

"Hey everyone, sorry for the trouble. The IP restrictions put in place per US embargo rules were too extensive. We've unblocked Ukraine now and I'm glad to see it's working properly again. Thanks for raising the issue!," wrote one employee. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing