User security or ISP security (was RE: has anyone notice this ?)

2003-06-30 Thread Sean Donelan

On Sun, 29 Jun 2003, Jay Hennigan wrote:
> The rogue proxy servers are apparently a man-in-the-middle password sniffer
> of some type affecting at a minimum HTTP and SSH.
>
> http://ask.slashdot.org/article.pl?sid=03/06/19/2325235&mode=thread&tid=126

I'm not going to defend ISP security practices. However as the slashdot
thread showed, as bad as people think ISP security is, most of the time
the problem is not with the ISP.

It appears nothing was wrong with Charter's systems. The user's machine
was infected by a spybot hijacking the user's name queries.




Re: has anyone notice this ?

2003-06-30 Thread Scott Francis
On Sat, Jun 28, 2003 at 05:24:46PM -0700, [EMAIL PROTECTED] said:
[snip]
> It would be easier to troubleshoot if you used a browser that returned
> a meaningful error message.  "The page could not be found" could be just
> about anything.  DNS, routing, broken link, etc.
> ---
> vickyr i even tried the same thing under linux---mozilla and i get site
> name not found which i believe is less meaningful than ie :)

this strongly suggests a DNS problem to my mind, at least. Have you verified
that DNS is working properly? The one thing that I find myself saying nearly
constantly to folks at work is, A browser is not much of a diagnostic tool.
Use something that generates a meaningful error message. (use dig(1), `telnet
host 80`, traceroute, etc.) If you have already used these tools, my
apologies; your first post was a little short on details.
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




RE: has anyone notice this ?

2003-06-29 Thread Vicky Rode

Hi Todd,


sorry about the late response... yes, in fact i am using my own dns servers
w/o any problems (knock on wood)... time warner thinks it's their cable modem
box but i think it's a caching issue on their end.



regards,
/vicky

-Original Message-
From: Todd Mitchell - lists [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 28, 2003 7:19 PM
To: [EMAIL PROTECTED]
Cc: 'David A. Ulevitch'; [EMAIL PROTECTED]
Subject: RE: has anyone notice this ?


Have you tried using DNS servers other than the ones supplied by your
ISPs DHCP server?

Todd

--


| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
| Vicky Rode
| Sent: Saturday, June 28, 2003 9:57 PM
| To: David A. Ulevitch; [EMAIL PROTECTED]
| Subject: RE: has anyone notice this ?
|
|
| Hi David,
|
| i'm just couple feet away from my box. i'm currently using wireless
and
| even
| tried wired with same results. the fact others are experiencing
similar
| problems makes me believe the problem could be on time warner end,
| possible
| caching issue.
|
|
|
| regards,
| /vicky
|
|
|
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
| David A. Ulevitch
| Sent: Saturday, June 28, 2003 6:03 PM
| To: [EMAIL PROTECTED]
| Subject: RE: has anyone notice this ?
|
|
|
|
| quote who=Vicky Rode
|  vickyr  i'm a time warner end-user trying to access outside world
|  which could be anything.
|
| [SNIP]
|
|  vickyr yes i have and they think it could be the cable modem box
|  and have issued a replacement. i sure hope they have a good stock
|  because i know whole bunch of people who are having similar
problems.
|  maybe its time to buy some 3com stocks :)
|
| A twisted or crumpled up ethernet cable can sometimes impede the flow
of
| ones and zeros.  Often looping up extra slack in your cat-5 can prove
| catastrophic for the free flow of electrons down the pipe.
|
| Ahh...Saturday (PDT)...
|
| -davidu
|
| 
|David A. Ulevitch -- http://david.ulevitch.com
|   http://everydns.net -+- http://communitycolo.net
| Campus Box 6957 + Washington University in St. Louis
| 
|
|






RE: has anyone notice this ?

2003-06-29 Thread Vicky Rode

Hi Jay,


comments in-line:


-Original Message-
From: Jay Hennigan [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 28, 2003 10:22 PM
To: Vicky Rode
Cc: [EMAIL PROTECTED]
Subject: RE: has anyone notice this ?


On Sat, 28 Jun 2003, Vicky Rode wrote:

> It would be easier to troubleshoot if you used a browser that returned
> a meaningful error message.  "The page could not be found" could be just
> about anything.  DNS, routing, broken link, etc.
> ---
> vickyr i even tried the same thing under linux---mozilla and i get site
> name not found which i believe is less meaningful than ie :)

"No such domain" is the Mozilla response.  This points to a DNS issue,
which is more useful than "Page could not be displayed".  What does dig
give you for the domain?  How about dig with a different name server
specified?
--
vickyr you might be correct but like i said in my case linux---mozilla
states www.cnn.com could not be found. please check the name and try
again. i finally gave up playing ping pong with time warner and started
using my dns servers.



> Also, you don't indicate if you're a Time Warner customer trying to reach
> web sites elsewhere or a non-customer trying to reach sites on the Time
> Warner network.  Your IP address or ISP's network and the URL of the site
> you're trying to reach, for example.
> -
> vickyr  i'm a time warner end-user trying to access outside world which
> could be anything.

Nag their tech support.
---
vickyr i even tried talking to their level 2 support and they still think
its my cable modem box even after presenting them the facts unless for some
reason their box also runs a cache server.




> Have you queried the Time Warner support staff?
> ---
> vickyr yes i have and they think it could be the cable modem box and have
> issued a replacement. i sure hope they have a good stock because vickyr i
> know whole bunch of people who are having similar problems.

It's those Warner Brothers Acme brand modems.  Same outfit that makes all
of Wile E.'s stuff.  It's probably also an Acme nameserver.

Seriously, you should use some other tools such as name lookup to find
the IP address of the site in question.  If it fails with their default
resolvers, try a different resolver.  Then see if you can get to the site
(or a default site on the same server) by IP address, use traceroute,
etc.

> maybe its time to buy some 3com stocks :)

If a whole bunch of people are having the same issue and they're all on
Time Warner in your neck of the woods, it probably isn't the cable modem
hardware.
---
vickyr exactly my point.



regards,
/vicky


--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/




RE: has anyone notice this ?

2003-06-29 Thread Jay Hennigan

On Sun, 29 Jun 2003, Vicky Rode wrote:


> If a whole bunch of people are having the same issue and they're all on
> Time Warner in your neck of the woods, it probably isn't the cable modem
> hardware.
> ---
> vickyr exactly my point.

Is Time-Warner associated with Charter Communications?  There's a thread
on Slashdot about their name servers being hijacked to point all requests
to a set of rogue proxy servers.  Another thread suggests a nasty form of
spyware is responsible.

The rogue proxy servers are apparently a man-in-the-middle password sniffer
of some type affecting at a minimum HTTP and SSH.

http://ask.slashdot.org/article.pl?sid=03/06/19/2325235&mode=thread&tid=126

I got the above link by email from someone following this thread but not
set up to post to NANOG.  If true, it makes the thread more NANOG-relevant
than a simple case of poor service from a cable company.

-- 
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/


Re: has anyone notice this ?

2003-06-29 Thread Paul Vixie

[EMAIL PROTECTED] (Jay Hennigan) writes:

> Is Time-Warner associated with Charter Communications?  There's a thread
> on Slashdot about their name servers being hijacked to point all requests
> to a set of rogue proxy servers.

s/name/dhcp/.  specifically, the article states:

Of course, under Windows, the default is to accept the default dns
domain specified by a DHCP server for the PC's ethernet
connection. There are settings to disable this, but I hadn't
thought about it until now. It turns out, Charter Communications'
DHCP servers were infiltrated and were providing p5115.tdko.com as
the 'Connection-specific DNS suffix', causing all non-hardened
Windows (whatever that means in a Windows context) machines to get
lookups from a hijacked subdomain DNS server which simply responded
to every query with a set of 3 addresses (66.220.17.45,
66.220.17.46, 66.220.17.47). ...

i suspect that a dhcp client's willingness to install a dns search list
from the dhcp reply is universal (and not just limited to windows clients)
and i've always thought this was a terrible idea.  if i type ssh foo then
i want foo.vix.com, no matter who the local dhcp server was configured by.

but when i went about removing this sick behaviour from isc dhcp, it turned
out that many people depend on dhcp to get the only dns search list they
ever have.  the world seems very strange to me sometimes.
-- 
Paul Vixie
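
The search-list behaviour discussed in the message above, as an added example that is not part of the original thread: it models the order in which a stub resolver expands a short name such as "foo" and flags search domains that local policy did not supply. The resolv.conf text, the trusted list and the toy DNS model are constructed assumptions; only the suffix p5115.tdko.com comes from the quoted article.

```python
# Added illustration, not code from the thread. Sample data is constructed,
# except the suffix p5115.tdko.com, which is quoted in the message above.
TRUSTED_SEARCH = {"vix.com"}  # assumption: the search list the admin intends

RESOLV_CONF = """\
# constructed resolv.conf as a DHCP client might write it
nameserver 192.0.2.53
search p5115.tdko.com vix.com
options ndots:1
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots); the last search/domain line wins."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] in ("search", "domain"):
            search = [d.rstrip(".").lower() for d in fields[1:]]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidates(name, search, ndots=1):
    """FQDNs a stub resolver tries, in order, for the name the user typed."""
    if name.endswith("."):          # already absolute: search list not used
        return [name]
    expanded = [f"{name}.{s}." for s in search]
    if name.count(".") >= ndots:    # "enough dots": try the name as typed first
        return [name + "."] + expanded
    return expanded + [name + "."]

def first_answer(name, search, ndots, answers):
    """First candidate for which answers(fqdn) is true, or None."""
    return next((c for c in candidates(name, search, ndots) if answers(c)), None)

def untrusted_suffixes(search, trusted=TRUSTED_SEARCH):
    """Search domains that did not come from local policy."""
    return [s for s in search if s not in trusted]

def constructed_dns(fqdn):
    # Model: the injected zone answers every name under it; foo.vix.com exists.
    return fqdn.endswith(".p5115.tdko.com.") or fqdn == "foo.vix.com."

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    print("untrusted:", untrusted_suffixes(search))
    print("ssh foo ->", first_answer("foo", search, ndots, constructed_dns))
    print("policy  ->", first_answer("foo", ["vix.com"], ndots, constructed_dns))
```

With the injected suffix first in the list, the short name lands in the zone that answers everything; with only the locally configured list it lands on foo.vix.com.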


Re: has anyone notice this ?

2003-06-28 Thread Jay Hennigan

On Sat, 28 Jun 2003, Vicky Rode wrote:

> just wondering has anyone noticed http access issue (the page cannot be
> displayed) on time warner network ? i literally have to try 5 to 6 times to
> get to the page. i believe this problem just started a week or so back.

It would be easier to troubleshoot if you used a browser that returned
a meaningful error message.  "The page could not be found" could be just
about anything.  DNS, routing, broken link, etc.

Also, you don't indicate if you're a Time Warner customer trying to reach
web sites elsewhere or a non-customer trying to reach sites on the Time
Warner network.  Your IP address or ISP's network and the URL of the site
you're trying to reach, for example.

> i've even talked to few other people on socal.rr.com network and they are
> experiencing similar problems. is this socal.rr.com related or other regions
> are expediting same problems too. time warner's network status page shows
> everything is okay.

It really depends on the nature of the failure.  More information is needed.

Have you queried the Time Warner support staff?

-- 
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/


RE: has anyone notice this ?

2003-06-28 Thread Vicky Rode

Hi Jay,


see comments in-line:


-Original Message-
From: Jay Hennigan [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 28, 2003 4:09 PM
To: Vicky Rode
Cc: [EMAIL PROTECTED]
Subject: Re: has anyone notice this ?


On Sat, 28 Jun 2003, Vicky Rode wrote:

> just wondering has anyone noticed http access issue (the page cannot be
> displayed) on time warner network ? i literally have to try 5 to 6 times to
> get to the page. i believe this problem just started a week or so back.

It would be easier to troubleshoot if you used a browser that returned
a meaningful error message.  "The page could not be found" could be just
about anything.  DNS, routing, broken link, etc.
---
vickyr i even tried the same thing under linux---mozilla and i get site
name not found which i believe is less meaningful than ie :)




Also, you don't indicate if you're a Time Warner customer trying to reach
web sites elsewhere or a non-customer trying to reach sites on the Time
Warner network.  Your IP address or ISP's network and the URL of the site
you're trying to reach, for example.
-
vickyr  i'm a time warner end-user trying to access outside world which
could be anything.



> i've even talked to few other people on socal.rr.com network and they are
> experiencing similar problems. is this socal.rr.com related or other regions
> are expediting same problems too. time warner's network status page shows
> everything is okay.

It really depends on the nature of the failure.  More information is needed.

Have you queried the Time Warner support staff?
---
vickyr yes i have and they think it could be the cable modem box and have
issued a replacement. i sure hope they have a good stock because vickyr i
know whole bunch of people who are having similar problems. maybe its time
to buy some 3com stocks :)



regards,
/vicky


--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/




RE: has anyone notice this ?

2003-06-28 Thread David A. Ulevitch


<quote who="Vicky Rode">
> vickyr  i'm a time warner end-user trying to access outside world
> which could be anything.

[SNIP]

> vickyr yes i have and they think it could be the cable modem box
> and have issued a replacement. i sure hope they have a good stock
> because i know whole bunch of people who are having similar problems.
> maybe its time to buy some 3com stocks :)

A twisted or crumpled up ethernet cable can sometimes impede the flow of
ones and zeros.  Often looping up extra slack in your cat-5 can prove
catastrophic for the free flow of electrons down the pipe.

Ahh...Saturday (PDT)...

-davidu


   David A. Ulevitch -- http://david.ulevitch.com
  http://everydns.net -+- http://communitycolo.net
Campus Box 6957 + Washington University in St. Louis



RE: has anyone notice this ?

2003-06-28 Thread Vicky Rode

Hi David,

i'm just couple feet away from my box. i'm currently using wireless and even
tried wired with same results. the fact others are experiencing similar
problems makes me believe the problem could be on time warner end, possible
caching issue.



regards,
/vicky



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
David A. Ulevitch
Sent: Saturday, June 28, 2003 6:03 PM
To: [EMAIL PROTECTED]
Subject: RE: has anyone notice this ?




<quote who="Vicky Rode">
> vickyr  i'm a time warner end-user trying to access outside world
> which could be anything.

[SNIP]

> vickyr yes i have and they think it could be the cable modem box
> and have issued a replacement. i sure hope they have a good stock
> because i know whole bunch of people who are having similar problems.
> maybe its time to buy some 3com stocks :)

A twisted or crumpled up ethernet cable can sometimes impede the flow of
ones and zeros.  Often looping up extra slack in your cat-5 can prove
catastrophic for the free flow of electrons down the pipe.

Ahh...Saturday (PDT)...

-davidu


   David A. Ulevitch -- http://david.ulevitch.com
  http://everydns.net -+- http://communitycolo.net
Campus Box 6957 + Washington University in St. Louis





RE: has anyone notice this ?

2003-06-28 Thread Todd Mitchell - lists

Have you tried using DNS servers other than the ones supplied by your
ISPs DHCP server?

Todd

--


| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
| Vicky Rode
| Sent: Saturday, June 28, 2003 9:57 PM
| To: David A. Ulevitch; [EMAIL PROTECTED]
| Subject: RE: has anyone notice this ?
| 
| 
| Hi David,
| 
| i'm just couple feet away from my box. i'm currently using wireless
and
| even
| tried wired with same results. the fact others are experiencing
similar
| problems makes me believe the problem could be on time warner end,
| possible
| caching issue.
| 
| 
| 
| regards,
| /vicky
| 
| 
| 
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
| David A. Ulevitch
| Sent: Saturday, June 28, 2003 6:03 PM
| To: [EMAIL PROTECTED]
| Subject: RE: has anyone notice this ?
| 
| 
| 
| 
| quote who=Vicky Rode
|  vickyr  i'm a time warner end-user trying to access outside world
|  which could be anything.
| 
| [SNIP]
| 
|  vickyr yes i have and they think it could be the cable modem box
|  and have issued a replacement. i sure hope they have a good stock
|  because i know whole bunch of people who are having similar
problems.
|  maybe its time to buy some 3com stocks :)
| 
| A twisted or crumpled up ethernet cable can sometimes impede the flow
of
| ones and zeros.  Often looping up extra slack in your cat-5 can prove
| catastrophic for the free flow of electrons down the pipe.
| 
| Ahh...Saturday (PDT)...
| 
| -davidu
| 
| 
|David A. Ulevitch -- http://david.ulevitch.com
|   http://everydns.net -+- http://communitycolo.net
| Campus Box 6957 + Washington University in St. Louis
| 
| 
| 




RE: has anyone notice this ?

2003-06-28 Thread Jay Hennigan

On Sat, 28 Jun 2003, Vicky Rode wrote:

> It would be easier to troubleshoot if you used a browser that returned
> a meaningful error message.  "The page could not be found" could be just
> about anything.  DNS, routing, broken link, etc.
> ---
> vickyr i even tried the same thing under linux---mozilla and i get site
> name not found which i believe is less meaningful than ie :)

"No such domain" is the Mozilla response.  This points to a DNS issue,
which is more useful than "Page could not be displayed".  What does dig
give you for the domain?  How about dig with a different name server
specified?

> Also, you don't indicate if you're a Time Warner customer trying to reach
> web sites elsewhere or a non-customer trying to reach sites on the Time
> Warner network.  Your IP address or ISP's network and the URL of the site
> you're trying to reach, for example.
> -
> vickyr  i'm a time warner end-user trying to access outside world which
> could be anything.

Nag their tech support.

> Have you queried the Time Warner support staff?
> ---
> vickyr yes i have and they think it could be the cable modem box and have
> issued a replacement. i sure hope they have a good stock because vickyr i
> know whole bunch of people who are having similar problems.

It's those Warner Brothers Acme brand modems.  Same outfit that makes all
of Wile E.'s stuff.  It's probably also an Acme nameserver.

Seriously, you should use some other tools such as name lookup to find
the IP address of the site in question.  If it fails with their default
resolvers, try a different resolver.  Then see if you can get to the site
(or a default site on the same server) by IP address, use traceroute,
etc.

> maybe its time to buy some 3com stocks :)

If a whole bunch of people are having the same issue and they're all on
Time Warner in your neck of the woods, it probably isn't the cable modem
hardware.

-- 
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/