HWF unreachable

Discussion in 'HWF Info & Issues' started by RHochstenbach, Mar 12, 2009.

  1. RHochstenbach

    RHochstenbach Administrator

    I've noticed that HWF is often unreachable during the last few days. Is this a known problem?
     
  2. Sniper

    Sniper Administrator Staff Member

    Not had any problems myself, anyone else? (Also had a look at Google stats, which don't show any deviation.)
     
  3. RHochstenbach

    RHochstenbach Administrator

    It's getting weird. Others can connect to HWF without problems at the times when I can't connect. I've also tried to connect to HWF by using its IP address, without success.

    I can only connect to HWF when using 3G on my iPhone.

    Pinging is not possible either. I'm using OpenDNS, and got an AirPort Extreme router. As usual, I've reset the router and the cable modem.

    I've also tried different computers in my network.

    The same problem happens when connecting to zone365. All other websites in the world appear to work fine.

    Tried it with Safari 3, Firefox 3 and IE.

    Traceroute gives this output:
    Code:
    traceroute to hardwareforums.com (207.58.155.243), 64 hops max, 40 byte packets
     1  192.168.2.1 (192.168.2.1)  1.909 ms  1.158 ms  1.121 ms
     2  195.190.242.7 (195.190.242.7)  20.330 ms 213.75.64.153 (213.75.64.153)  18.892 ms  25.106 ms
     3  213.75.64.153 (213.75.64.153)  19.454 ms  19.948 ms  19.139 ms
     4  213.75.64.166 (213.75.64.166)  21.094 ms  20.616 ms  20.610 ms
     5  TenGE13-2.br02.ams01.pccwbtn.net (195.69.145.37)  26.603 ms  22.169 ms  22.108 ms
     6  servint.ge5-7.br01.wdc02.pccwbtn.net (63.218.83.2)  107.688 ms  105.792 ms  105.851 ms
     7  sc-smv2911.servint.net (207.58.153.30)  105.988 ms  112.582 ms  144.345 ms
     8  * * *
     9  * *
    
    Now the weird thing is, when it does work (a few times a day), HWF loads very quickly...
     
  4. RHochstenbach

    RHochstenbach Administrator

    I just noticed that I CAN access HWF when using an online proxy server. Could it be possible that an IP range has been blocked that includes mine (84.25.10.75)? HWF isn't blocked by my ISP, because all my friends have the same ISP, and can connect without any issues...
     
  5. Sniper

    Sniper Administrator Staff Member

    hmm very strange, I'll ask Anti-Trend.
     
  6. Anti-Trend

    Anti-Trend Nonconformist Geek

    There's nothing blocked statically in the firewall tables; the block chain is dynamic. It blocks based on abusive behavior, meaning known attacks or DoS activity. Right now there are 5 IPs in the dynamic table, and all 5 are in Asia.

    BTW, OpenDNS tampers with your forward lookups, I'd use your local root DNS servers instead if I was you. :)
     
  7. RHochstenbach

    RHochstenbach Administrator

    I'll try that. The weird thing is that others that use OpenDNS don't have any issues with loading HWF.

    But don't you guys have some kind of plugin installed that causes issues with page loading for annoying users? Isn't it possible that an IP range has been added that includes my IP address?

    edit: I've just changed my DNS settings to use my ISP's DNS servers. HWF appears to be working....for now.
     
  8. Anti-Trend

    Anti-Trend Nonconformist Geek

    Nope, just looked over that too. There is a short list of abusive subnets, all in China or India. You're not in any, or you wouldn't even be able to connect.

    My first guess would be to look into things like local routing problems, stale cache, DNS, or packet loss. It could also be something like a 3rd-party targeted ad (dynamic content) that is aimed at your locale, which is failing. I've seen this once or twice myself in the last few years. That would explain the intermittent nature of the issue. In any case, if you experience it again, I'd try the following:

    1. Can you connect to zone365.com? It's hosted on the same server.
    2. Try connecting to the IP directly: 207.58.155.243
    3. Clear your browser cache.
    4. Try a different browser -- could be a misbehaving plugin.
    5. Try pinging the IP address. Any dropped packets?
    6. Try telnet'ing straight to port 80 and doing an HTTP GET.
    7. If all else fails, record the date, time, and your IP address at the time of the issue, and fire me an email. I can look into the server's logs and see if there's a local correlation.
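
Steps 1, 2 and 6 of the checklist above can be scripted so that each failure is attributed to a stage (DNS lookup, TCP handshake, HTTP). This is an added example, not part of the original post; the function name `probe` and its stage labels are illustrative choices.

```python
import socket
import sys

def probe(host, port=80, path="/", timeout=5.0, ip=None):
    """Run one HTTP check and report the stage at which it stopped.

    Returns (stage, detail); stage is one of
      "dns"     name lookup failed (skipped when ip is given)
      "timeout" no reply to the TCP handshake or the request (silent drop)
      "refused" the host answered, but nothing listens on the port
      "error"   any other socket error, or a close without a response
      "http"    a response arrived; detail is its status line
    """
    if ip is None:
        try:
            info = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
            ip = info[0][4][0]
        except socket.gaierror as exc:
            return "dns", str(exc)
    # HTTP/1.1 requires a Host header; the blank line ends the request.
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            data = b""
            while b"\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return "timeout", f"{ip}:{port} gave no reply within {timeout}s"
    except ConnectionRefusedError:
        return "refused", f"{ip}:{port} refused the connection"
    except OSError as exc:
        return "error", str(exc)
    if not data:
        return "error", "connection closed without a response"
    return "http", data.split(b"\r\n", 1)[0].decode("latin-1")

if __name__ == "__main__":
    # Usage: probe.py NAME [IP]; with no arguments it checks localhost.
    name = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("by name:", probe(name))
    if len(sys.argv) > 2:
        print("by IP:  ", probe(name, ip=sys.argv[2]))
```

A `timeout` for both the name and the direct IP, while other sites answer normally, is what a firewall that silently drops packets looks like from the client side.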
     
  9. RHochstenbach

    RHochstenbach Administrator

    It's still working, but I'll try to remember everything that I tried before:

    Tried that. Wasn't working either.

    Same problems.

    Tried that too.

    Tried it with Safari 3, Firefox 3 and IE7. The 1st two on Mac OS X and Windows XP.

    I only received time-outs, so 100% of the packets were lost.

    Do you know what command I need to use for that in either Windows or BSD?

    Sure, I'll do that when it happens again :)
     
  10. Anti-Trend

    Anti-Trend Nonconformist Geek

    Not enough data for a solid assessment, but sounds like it's not DNS, or a browser issue. I'm leaning towards routing, or an RFC-bending app/plugin/malware/other that has temporarily angered the self-hardening firewall script on the server by making Waayyyyyy too many simultaneous connections.

    Code:
    telnet hardwareforums.com 80
    GET /index.php HTTP/1.1
    Host: hardwareforums.com
    When done, Ctrl+] then type "quit" and hit enter.
     
  11. Anti-Trend

    Anti-Trend Nonconformist Geek

    Guess what? I got a moment and grepped the firewall logs for your IP. Found it... several hundred times. You've been blocked recently for activity that looks like syn flooding or spoofing. This can be caused by naughty client apps, malfunctioning router sending out-of-order packets, malware, or somebody (e.g. your ISP) tampering with your traffic.

    So, in short, my assessment from the hip is as follows:
    Something bad is happening to your traffic, between your person and our server, cause unknown. Could be something bad on your PC, could be something wrong with a network appliance, could be a naughty ISP. The firewall sees a bunch of invalid TCP traffic and drops it by default. After the script sees a pattern emerge of junk traffic from your IP, it bans you for a short while under the assumption that you must be an attacker.
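
What the log search and the temporary ban described in the post above amount to, as an added example that is not part of the original post and not the server's actual script. The log format, the `INVALID-TCP` prefix, the thresholds and all function names are assumptions, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed netfilter-style LOG line with a hypothetical "INVALID-TCP: " prefix.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                     r"INVALID-TCP: .*?\bSRC=(?P<src>\d+(?:\.\d+){3})\b")

def parse(lines, year=2009):
    """Yield (timestamp, source_ip) for each logged invalid-TCP drop."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so it is supplied by the caller
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"]

def hit_counts(lines):
    """Drops per source IP: the 'grep the logs for your IP' step."""
    return Counter(ip for _, ip in parse(lines))

def find_bans(lines, threshold=5, window=10, ban=300):
    """Return {ip: [(ban_start, ban_end), ...]}: an IP is banned for `ban`
    seconds once `threshold` drops fall inside `window` seconds."""
    recent, banned_until, bans = defaultdict(deque), {}, defaultdict(list)
    for ts, ip in sorted(parse(lines)):
        if ts < banned_until.get(ip, datetime.min):
            continue  # already banned: do not re-arm the counter
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            banned_until[ip] = ts + timedelta(seconds=ban)
            bans[ip].append((ts, banned_until[ip]))
            q.clear()
    return dict(bans)

def _line(hms, src):  # constructed sample data, documentation address ranges
    return (f"Mar 12 {hms} fw kernel: INVALID-TCP: IN=eth0 OUT= "
            f"SRC={src} DST=192.0.2.10 PROTO=TCP SPT=49307 DPT=80")

SAMPLE = [_line(f"14:03:0{i}", "203.0.113.7") for i in range(1, 7)] + [
    _line("14:05:00", "203.0.113.7"),      # arrives during the ban
    _line("14:03:02", "198.51.100.20"),    # two stray packets, far apart
    _line("14:09:30", "198.51.100.20"),
    "Mar 12 14:03:03 fw sshd[811]: unrelated line",
]

if __name__ == "__main__":
    print(hit_counts(SAMPLE), find_bans(SAMPLE))
```

The rule keys only on the source address, so a legitimate client whose packets are mangled on the way is banned exactly like an attacker.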
     
  12. RHochstenbach

    RHochstenbach Administrator

    It can't be malware, because I tried it on 2 Apple computers, an iPhone and an iPod Touch. And I don't have a firewall active on the OS, but only in my router (AirPort Extreme). But I can visit other websites and forums without any problems. So it can't be caused by a blocked port 80, HTTP or anything specific to vBulletin.

    But I've noticed that HWF hasn't been unreachable anymore since I used the DNS servers of my ISP instead of OpenDNS....
     
  13. Anti-Trend

    Anti-Trend Nonconformist Geek

    In that case, most likely candidates are your router or your ISP, or possibly something upstream of you. It will be hard to detect on your end during a full "outage", since you've most likely been put on the firewall's blacklist at that point, so any connections from your IP will fail. But you might try a different router if you have one, or bypass altogether, and see if the behavior changes. There's also this: Test Your ISP | Electronic Frontier Foundation
     
  14. RHochstenbach

    RHochstenbach Administrator

    That is weird. Could it be possible that someone 'stole' my IP? It can't be caused by the ISP, because my friends use the same ISP, and blocking websites to customers is illegal here.

    Btw can you view detailed information about each event like the domain name and host name? My domain is landg1.lb.home.nl, and my hostname is CP1340521-A. I've also contacted my ISP. They might give me a new IP address.

    As for the router, I have an AirPort Extreme. I think that the problems started after the latest firmware update, but I'm not sure.
     
  15. Anti-Trend

    Anti-Trend Nonconformist Geek

    If somebody stole your IP, they'd have to be on the same ISP in the same subnet as you, and the MAC table on the ISP's router upstream of you would have to be very liberally configured to let other account holders use your IP. Plus, the symptoms would be *very* heavy packet loss, around 50% of your traffic would hit the wrong host. Since you're not reporting that behavior, I really doubt that's the case. :)

    Now the firmware on the airport, that is a more likely cause. Is there any way you can temporarily remove that from the equation for troubleshooting?
     
  16. RHochstenbach

    RHochstenbach Administrator

    I can't connect the computer directly to the cable modem, because all wires here are fixed to the building. I did revert the router's firmware to an older version that always worked. I suddenly recall that I'm beta-testing the new EuroDocsis 3.0 technology with my ISP. But I've contacted them, and I'll see if they find the bottleneck.
     
  17. RHochstenbach

    RHochstenbach Administrator

    I've executed the netstat command while attempting to connect to HWF. It gave me this output:
    Code:
    tcp4 0 0 192.168.2.200.49307 snake.hardwarefo.http LAST_ACK
    tcp4 0 0 192.168.2.200.49305 snake.hardwarefo.http LAST_ACK
    
    I don't know if that shows anything useful...
     
  18. Anti-Trend

    Anti-Trend Nonconformist Geek

    Have you seen the issue since I made the FW exception for you?
     
  19. RHochstenbach

    RHochstenbach Administrator

    Nope, haven't seen any issues. It works smoothly :)
     
  20. Anti-Trend

    Anti-Trend Nonconformist Geek

    OK! Please remember that this is a workaround for the symptoms, not the problem. Whatever was mangling your traffic is probably still in play.
     
