Raam Dev’s Weblog


Yahoo DNS Issues Cause Problems in the United States

Yahoo! appears to be inaccessible to people in the US. Visiting yahoo.com redirects to www.yahoo.com and fails to load. I confirmed it was at least somewhat limited to the US by trying the connection from a shell account on a server in Europe.

Using dig (a Unix DNS lookup utility), we can see from within the United States that there is a problem with DNS. There is no A record with an IP address listed in the ANSWERS section:

;; QUESTION SECTION:
;www.yahoo.com. IN A

;; ANSWER SECTION:
www.yahoo.com. 129 IN CNAME www.wa1.b.yahoo.com.

And from the server in Europe:

;; QUESTION SECTION:
;www.yahoo.com. IN A

;; ANSWER SECTION:
www.yahoo.com. 272 IN CNAME www.wa1.b.yahoo.com.
www.wa1.b.yahoo.com. 33 IN CNAME www-real.wa1.b.yahoo.com.
www-real.wa1.b.yahoo.com. 33 IN A 209.191.93.52

;; AUTHORITY SECTION:
wa1.b.yahoo.com. 273 IN NS yf2.yahoo.com.
wa1.b.yahoo.com. 273 IN NS yf1.yahoo.com.

If you try connecting directly to the missing IP address, you should at least be able to get the main Yahoo page: http://209.191.93.52. You might also try temporarily adding an entry to your /etc/hosts or C:\Windows\system32\drivers\etc\hosts if you want to continue being able to use the FQDN.
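A small parser for the two dig outputs above, added here as an example (it is not from the original post): it walks the CNAME chain in the ANSWER section and reports whether the chain ends in an A record, which is exactly the difference between the US and European responses. The two constants reproduce the answers quoted above.

```python
"""Walk the CNAME chain in a dig ANSWER section and report whether it
terminates in an A record. Added example; the two outputs are copied from
the post."""
import re

# One resource record as dig prints it: <owner> <ttl> IN <type> <rdata>
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

US_DIG = """\
;; QUESTION SECTION:
;www.yahoo.com. IN A

;; ANSWER SECTION:
www.yahoo.com. 129 IN CNAME www.wa1.b.yahoo.com.
"""

EU_DIG = """\
;; QUESTION SECTION:
;www.yahoo.com. IN A

;; ANSWER SECTION:
www.yahoo.com. 272 IN CNAME www.wa1.b.yahoo.com.
www.wa1.b.yahoo.com. 33 IN CNAME www-real.wa1.b.yahoo.com.
www-real.wa1.b.yahoo.com. 33 IN A 209.191.93.52

;; AUTHORITY SECTION:
wa1.b.yahoo.com. 273 IN NS yf2.yahoo.com.
wa1.b.yahoo.com. 273 IN NS yf1.yahoo.com.
"""

def parse_answer_section(dig_output):
    """Return (owner, ttl, rtype, rdata) tuples from the ANSWER section only."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";; "):            # section header, e.g. ";; ANSWER SECTION:"
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = _RR.match(line) if in_answer else None
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner, int(ttl), rtype, rdata))
    return records

def follow_chain(records, qname, max_hops=8):
    """Follow CNAMEs from qname. Returns (names_visited, address); address is
    None when the chain dangles, i.e. the last CNAME target has no A record
    in the answer (the US response), or when max_hops is exceeded."""
    name = qname if qname.endswith(".") else qname + "."
    chain = [name]
    for _ in range(max_hops):
        addrs = [r[3] for r in records if r[0] == name and r[2] == "A"]
        if addrs:
            return chain, addrs[0]
        targets = [r[3] for r in records if r[0] == name and r[2] == "CNAME"]
        if not targets:
            return chain, None
        name = targets[0]
        chain.append(name)
    return chain, None

def diagnose(dig_output, qname="www.yahoo.com"):
    """Resolve qname against one captured dig output."""
    return follow_chain(parse_answer_section(dig_output), qname)

if __name__ == "__main__":
    for label, out in (("US", US_DIG), ("Europe", EU_DIG)):
        chain, addr = diagnose(out)
        print(label, ":", " -> ".join(chain), "=", addr or "no A record (dangling chain)")
```

Run against a live capture with `diagnose(subprocess.check_output(["dig", "www.yahoo.com"], text=True))`; a chain that stops at a CNAME with no address is the resolver-side symptom the post describes, and it points at the zone serving the CNAME target rather than at the client.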

UPDATE: As of 15:50 EST, Yahoo appears to be working again. The outage appeared to start around 15:11 EST, so that’s a good 40 minutes of downtime.

Creating a Bootable OS X Backup on Linux: Impossible?

I’ve had plans for a while now to set up a backup system using a Debian Linux server and rsync to back up my MacBook Pro laptop. At first glance, it seemed like it would be pretty straightforward. I’ve been able to make a bootable copy of my entire MBP using nothing but rsync (thanks to some very helpful directions by Mike Bombich, the creator of the popular, and free, Carbon Copy Cloner software). And by bootable copy I mean I could literally plug in the USB drive and boot my MBP from the drive (hold down the Alt/Option key while booting). Restoring a backup is as simple as running the rsync command again, but in the reverse direction. I know this solution works because I used it when I upgraded to a 320GB hard drive.

To start, I needed to create a big enough partition on the external USB drive using Disk Utility (formatted with Mac OS Extended (Journaled)). I then made a bootable copy of my MBP with one rsync command:

sudo rsync -aNHAXx --protect-args --fileflags --force-change \
--rsync-path="/usr/local/bin/rsync" / /Volumes/OSXBackup

But my dream backup system was more unattended. I wanted something that would periodically (a couple times a day) run that rsync command over SSH (in the background) and magically keep an up-to-date bootable copy of my MBP on a remote server.

I love Linux and I jump at any opportunity to use it for something new, especially in a heterogeneous network environment. So when I decided to set up a backup server, I naturally wanted to make use of my existing Debian Linux machine (which just so happens to be running on an older G4 Mac Mini).

So, after making a bootable copy of my MBP using the local method mentioned above, I plugged the drive into my Linux machine, created a mount point (/osx-backup), and added an entry to /etc/fstab to make sure it was mounted on boot (note the filesystem type is hfsplus):

/dev/sda /osx-backup hfsplus rw,user,auto 0 0

All that’s left to do now is to run the same rsync command as earlier but this time specifying the remote path in the destination (root@myserver.example.com:/osx-backup/). This causes rsync to tunnel through SSH and run the sync. Unfortunately, this is where things started to fall apart.

OS X uses certain file metadata which must be copied for the backup to be complete (again, we’re talking about a true bootable copy that looks no different than the original). Several of the flags used in the rsync command above are required to maintain this metadata and unfortunately Linux doesn’t support all the necessary system calls to set this data. In particular, here are the necessary flags that don’t work when rsyncing an OS X partition to Linux:

-X (rsync: rsync_xal_set: lsetxattr() failed: Operation not supported (95))
-A (recv_acl_access: value out of range: 8000)
--fileflags (on remote machine: --fileflags: unknown option)
--force-change (on remote machine: --force-change: unknown option)
-N (on remote machine: -svlHogDtNpXrxe.iL: unknown option)

According to the man page for rsync on my MBP, the -N flag is used to preserve create times (crtimes) and the --fileflags option requires the chflags system call. When I compiled the newer rsync 3.0.3 on my MBP, I had to apply two patches to the source that were relevant to preserving Mac OS X metadata:

patch -p1 <patches/fileflags.diff
patch -p1 <patches/crtimes.diff

I thought that maybe if I downloaded the source to my Linux server, applied those same patches, and then recompiled rsync, that it would be able to use those options. Unfortunately, those patches require system-level function calls (such as chflags) that simply don’t exist in Linux (the patched source wouldn’t even compile).

So I tried removing all unsupported flags even though I knew lots of OS X metadata would be lost. After the sync finished, I tried booting from the backup drive to see if everything worked. It booted into OS X, but when I logged into my account lots of configuration was gone and several things didn’t work. My Dock and Desktop were both reset and accessing my Documents directory gave me a “permission denied” error. Obviously that metadata is necessary for a viable bootable backup.
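One way to see exactly what a flag-stripped sync threw away is to compare metadata between the source and the copy instead of booting the copy and hoping. The following script is an added example, not part of the post or of rsync: it walks both trees and reports every entry whose permission bits, ownership, BSD file flags (st_flags, the data chflags sets, which only exists on OS X and other BSD-derived systems) or extended attributes differ, or that is missing from the copy. The demo trees it builds are constructed sample data.

```python
"""Compare file metadata between a source tree and its backup copy and list
what the copy lost. Added example; the demo trees are constructed data."""
import os
import stat
import tempfile

def _xattrs(path):
    """{name: value} of extended attributes, or {} where the platform or the
    filesystem does not support them."""
    if not hasattr(os, "listxattr"):
        return {}
    try:
        return {n: os.getxattr(path, n, follow_symlinks=False)
                for n in os.listxattr(path, follow_symlinks=False)}
    except OSError:
        return {}

def describe(path):
    """Metadata snapshot for one entry. st_flags (what chflags sets) exists only
    on BSD-derived systems such as OS X; elsewhere it is reported as 0."""
    st = os.lstat(path)
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "flags": getattr(st, "st_flags", 0),
        "xattrs": _xattrs(path),
    }

def compare_trees(src_root, dst_root):
    """Walk src_root; return (relative_path, field, src_value, dst_value) for
    every differing field, or (relative_path, "missing", None, None) when the
    entry has no counterpart in dst_root."""
    diffs = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        for name in dirnames + filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            if not os.path.lexists(dst):
                diffs.append((rel, "missing", None, None))
                continue
            a, b = describe(src), describe(dst)
            diffs.extend((rel, f, a[f], b[f]) for f in a if a[f] != b[f])
    return diffs

def build_demo_trees():
    """Construct a tiny source tree and a 'backup' of it that lost metadata,
    in the spirit of the post's Documents folder coming back unusable."""
    base = tempfile.mkdtemp(prefix="osxbackup-demo-")
    src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
    for root in (src, dst):
        os.makedirs(os.path.join(root, "Documents"))
        with open(os.path.join(root, "Documents", "todo.txt"), "w") as fh:
            fh.write("back me up\n")
    os.chmod(os.path.join(src, "Documents"), 0o700)   # private on the source
    os.chmod(os.path.join(dst, "Documents"), 0o755)   # the copy came back world-readable
    with open(os.path.join(src, "notes.txt"), "w") as fh:
        fh.write("never made it into the backup\n")   # dropped by the sync
    return src, dst

def demo():
    """Run the comparison over the constructed trees and return the differences."""
    return compare_trees(*build_demo_trees())

if __name__ == "__main__":
    for rel, field, src_val, dst_val in demo():
        print(f"{rel}: {field} source={src_val!r} backup={dst_val!r}")
```

Pointed at the real volumes (`compare_trees("/", "/Volumes/OSXBackup")`, run with enough privilege to read everything) it gives a concrete list of what a given destination cannot hold, which is a better basis for deciding whether a Linux target is acceptable than a boot test alone.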

So, where to from here? Well, I obviously cannot use Linux to create a bootable backup of my OS X machine using rsync. I read of other possibilities (like mounting my Linux drive as an NFS share on the Mac and then using rsync on the Mac to sync to the NFS share) but they seemed like a lot more work than I was looking for. I liked the rsync solution because it could easily be tunneled over SSH (secure) and it was simple (one command). I can still use the rsync solution, but the backup server will need to be OS X. I’ll be setting that up soon, so look for another post with those details.

WHM Whitelist to Exclude from Exim Sender Verify Callbacks

Sender verification is an important feature used by email servers to help prevent spam. When sender verification is enabled, the receiving email server checks to make sure the sender exists. Various email servers have different ways of handling this feature. Exim, for example, uses a mechanism called ‘sender callouts’ or ‘callbacks’. (When the sending server does not accept a verification request, it does not comply with RFC 2821.)

However, in the event that the network route from the receiving email server to the originating email server is broken (or a firewall blocks the connection), the result can be a bit confusing. The receiving email server treats any verification that does not succeed as a failure, regardless of whether it could even connect to the originating server. This means the email never reaches the recipient. After all, as far as the email server knows, it’s spam.

One of my hosting clients was experiencing this “lost email” problem and a quick grep at /var/log/exim_mainlog confirmed the problem (hosts and IPs changed for obvious reasons):


2008-11-17 15:02:27 [30121] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36752 I=[69.161.211.25]:25 sender verify defer for : could not connect to customer.example.com [163.112.75.15]: Connection timed out
2008-11-17 15:02:27 [30121] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36752 I=[69.161.211.25]:25 F=<administrator@customer.example.com> temporarily rejected RCPT <raam@mydomain.com>: Could not complete sender verify callout
2008-11-17 15:02:27 [30120] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36751 I=[69.161.211.25]:25 incomplete transaction (RSET) from <administrator@customer.example.com>

As you can see, the email server was unable to connect to customer.example.com to verify the existence of the sender (administrator@customer.example.com). This doesn’t mean the sending server doesn’t verify callbacks, but rather that the network connection from my server to the sending server could not be established.

Most of the stuff I found online related to solving this problem on a server running WHM (here and here) explain how to modify exim.conf to add special whitelist rules. Luckily, my server is running WHM 11.23.2 and has a whitelist option that makes it really easy to exclude a particular IP address from sender verification without any manual changes to exim.conf:

1. Click Service Configuration -> Exim Configuration Editor
2. Under Access Lists, find “Whitelist: Bypass all SMTP time recipient/sender/spam/relay checks” and click [EDIT]
3. Add the IP address for the sending server for which you wish to skip sender verification (as the note at the bottom explains, hosts cannot be used in this list)
4. Click Save
5. Click Save again near the bottom of the Exim Configuration Editor page

That’s it! Now any emails from that IP that were failing to come through because of a sender verification failure will come through without a problem (again, you can watch /var/log/exim_mainlog to confirm).
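Before adding an IP to that whitelist, it helps to know which connecting hosts are actually hitting the callout failure and which remote host they were trying to verify. The script below is an added example (not from the post or from cPanel/Exim): it parses exim_mainlog lines of the form shown above and summarises callout defers per connecting relay. The sample log is a constructed copy of the three lines above, with the same anonymised hosts and addresses.

```python
"""Summarise Exim sender-verify callout failures per connecting relay.
Added example; SAMPLE_LOG is a constructed copy of the post's excerpt."""
import re

SAMPLE_LOG = """\
2008-11-17 15:02:27 [30121] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36752 I=[69.161.211.25]:25 sender verify defer for : could not connect to customer.example.com [163.112.75.15]: Connection timed out
2008-11-17 15:02:27 [30121] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36752 I=[69.161.211.25]:25 F=<administrator@customer.example.com> temporarily rejected RCPT <raam@mydomain.com>: Could not complete sender verify callout
2008-11-17 15:02:27 [30120] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36751 I=[69.161.211.25]:25 incomplete transaction (RSET) from <administrator@customer.example.com>
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# H=<name> (<optional second name>) [<ip>]:<port>  -- the connecting relay
HOST_RE = re.compile(r"H=(\S+) (?:\(\S+\) )?\[" + IPV4 + r"\]")
# The callout could not even reach the sender domain's mail host
DEFER_RE = re.compile(r"sender verify defer for (\S*): could not connect to (\S+) \[" + IPV4 + r"\]: (.+)$")
# The message that was deferred as a consequence
REJECT_RE = re.compile(r"F=<([^>]+)> temporarily rejected RCPT <([^>]+)>: Could not complete sender verify callout")

def summarise_callout_failures(log_text):
    """Return {relay_ip: {"relay_host", "defers", "unreachable", "rejected"}},
    keeping only relays that hit a callout defer or a resulting rejection."""
    summary = {}
    for line in log_text.splitlines():
        host = HOST_RE.search(line)
        if not host:
            continue
        relay_host, relay_ip = host.groups()
        entry = summary.setdefault(relay_ip, {
            "relay_host": relay_host, "defers": 0, "unreachable": set(), "rejected": []})
        defer = DEFER_RE.search(line)
        if defer:
            _sender, target_host, target_ip, reason = defer.groups()
            entry["defers"] += 1
            entry["unreachable"].add((target_host, target_ip, reason))
            continue
        reject = REJECT_RE.search(line)
        if reject:
            entry["rejected"].append(reject.groups())
    return {ip: e for ip, e in summary.items() if e["defers"] or e["rejected"]}

def whitelist_candidates(summary):
    """Relay IPs that experienced at least one callout defer, sorted. These are
    the addresses a WHM whitelist entry would name, never the unreachable
    target's address."""
    return sorted(ip for ip, e in summary.items() if e["defers"])

if __name__ == "__main__":
    s = summarise_callout_failures(SAMPLE_LOG)
    for ip, e in s.items():
        print(ip, e["relay_host"], "defers:", e["defers"], "unreachable:", sorted(e["unreachable"]))
    print("whitelist candidates:", whitelist_candidates(s))
```

Feed it the real file with `summarise_callout_failures(open("/var/log/exim_mainlog").read())`. Note what the whitelist in step 2 does: it bypasses all SMTP-time recipient, sender, spam and relay checks for that address, so only list the specific relay shown after H= (here 67.26.151.59), confirm it belongs to the sending organisation, and keep the list short.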

My failed attempt to hack the AT&T free iPhone WiFi

You may remember that AT&T began offering free wifi for iPhone users earlier this year. Shortly thereafter they pulled the service. Why? Because someone discovered the security applied to the system was extremely weak: simply changing the User Agent of your browser to make it look like you were using an iPhone browser allowed you to gain free WiFi access on your laptop. This could easily be done using the Firefox User Agent Switcher extension, or by simply firing up Safari, enabling Developer mode (Safari->Preferences->Advanced->Show Develop menu), and selecting the iPhone User Agent (Develop->User Agent->Mobile Safari 1.1.3 - iPhone).

With the new service, you connect your iPhone to the wireless network, launch the browser, and get redirected to a page that displays a single field requesting you to enter your iPhone phone number. After submitting your phone number, you receive a (free) text message containing a URL. Loading this URL from your iPhone grants you free wifi access to the Internet.

When I tried the User Agent hack mentioned above from my laptop, I expected to at least get the box prompting me for my iPhone phone number. But to my surprise, all I got was a mobile-formatted page with options to purchase service.

So I suspected they were checking the MAC address of the computer connected to the router and checking if it looked like an iPhone MAC address. Luckily, spoofing the MAC address of my wifi card is easy on OS X:

sudo ifconfig en1 lladdr 00:21:E9:52:6A:E3

BAM! Now as far as the AT&T router can tell, my requests are coming from my iPhone. This time when I connected, I got the form asking me for my iPhone phone number. I submitted the number and a few seconds later received an SMS with a link.

I hoped that simply typing this URL in my laptop browser and visiting it would grant me free wifi access, but unfortunately it did not. Instead, it gave me an error saying that page doesn’t exist.

A commenter on the original LifeHacker post describing the User Agent hack left this comment about the new security features applied by AT&T:

AT&T has locked out non iPhones by using an encrypted log on tied to each iphone number. The key is transmitted to the iPhone over the AT&T cell network a minute before login.

By using the AT&T network to transmit the key, they have definitely made it more difficult to gain free access from your laptop. I’m sure it’s still possible (perhaps by sniffing the wifi traffic between the iPhone and the router after a successful connection), but I’m not sure it’s worth the time and effort.

I heard that an official AT&T tethering option for the iPhone will be coming soon, so that might make this a moot point (assuming they make it a free option). Still, it seems only fair that existing iPhone users should be able to access the free wifi via their laptops. Transmitting a password via SMS seems like a safe way to guarantee the person connecting to the wifi actually has an iPhone.

I just finished installing DD-WRT on a Linksys WRT54GL router for the office and all I can say is wow. I remember when replacing the firmware on a Linksys router was like doing surgery in the dark with a butcher knife and a wrench. Now I just download the DD-WRT firmware, use the Upgrade Firmware section of the Linksys configuration page on my router, and BAM! I have DD-WRT installed. The extra features provided by DD-WRT are invaluable and make the router’s usefulness increase exponentially. I’ve got to install this on a router at home.

My Notes from The Last HOPE

Here are my notes from The Last HOPE. I started taking notes late, so unfortunately I don’t have notes from all the talks I attended.

Ghetto IDS and Honeypots
* An Evening with Berferd
* Low interaction honeypots: Nepenthes, honeyd, Honeytrap
* Monitor both Honeyd and Nepenthes with Prelude IDS

Monitoring Snort
* SGUIL
* BASE
* SnortSnarf

Remember, tcpdump (a common packet sniffer) writes data in pcap format which ngrep, Wireshark, or Snort can process.

Kevin Mitnick - Featured Speaker
* Flowroute + Asterisk can be used to unmask Caller ID (I tested Mitnick’s setup by calling his phone… my blocked number showed up!)

PenTest Labs Using LiveCDs by Thomas Wilhelm
* de-ice.net
* BackTrack, Slax

PenTesting from Firefox URLs:
* isecom.org/osstmm/
* owasp.org/index.php/Main_Page/
* csrc.nist.gov/publications/PubsSPs.html
* vulnerabilityassessment.co.uk/Penetration Test.html
* centralops.net
* nmap-online.com
* hackerwhacker.com (similar to GRC)

Remember, use Tor when doing active tests!

More useful URLs:
* gdataonline.com/seekhash.php
* passcracking.com
* hash.insidepro.com
* md5this.com
* gdataonline.com
* us.md5.crysm.net
* md5.rednoize.com
* milw0rm.com
* freerainbowtables.com
* netcraft.com

Pen Testing the Web with Firefox

Firefox Extensions:
* FireCat
* ExploitMe (XSS-Me, SQL Inject-Me, Access-Me)
* Tamper Data
* Passive Recon
* Add N Edit Cookies
* Firebug
* HackBar
* Web Developer
* xssed.com

Using Firefox as a Front-End: Proxies
* Tor Button
* Paros Proxy
* SPIKE Proxy
* Burp Proxy

Web Frontends
* Metasploit
* FastTrack
* Inprotect (web interface for Nessus and Nmap)
* BASE (web front-end for Snort)

Use Firefox profile manager to install different selections of extensions to help with memory concerns.

FEBE (Firefox Environment Backup Extension)
CLEO (Compact Library Extension Organizer)
OPIE (Import/Export extension preferences)

Places/Things to hack “safely”
* OWASP WebGoat Project
* PwnOS (VMware image, requires forum login)
* Your own VMware lab

Identification Card Security: Past, Present, Future

The Complete Amateur - ID Making Operating Guide by Doug Farre

* Epson Stylus R800 photo printer
* Laminator
* Die cutter
* Magnetic stripe encoder
* Custom rubber stamp (simonstamp.com)
* Black light
* Scanner
* Signature pad
* Photoshop
* brainstormidsupply.com

Minimal needed materials:
* Laser Teslin
* Laminates
* Pearl-Ex pigment powders
* Ultraviolet pigment powder
* Transparent base

(Get these from practicingperfection.7p.com. That site is down as of right now, so you need the guy’s email address to contact him.)

Documentation on ID security can be found at idsysgroup.com.

Books to Read
* 1491: New Revelations of the Americas Before Columbus
* Hackers: Heroes of the Computer Revolution
* The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Random URLs:
* foodhacking.com
* hackerspaces.org
* telephreak.org

Unable to connect using Sprint U727 on Leopard - FIXED

After so many hours trying to fix the damn U727 USB Sprint card, I finally have it working again. It was working fine up until about a week ago when it mysteriously stopped working. I was getting all kinds of messages, including “Unable to connect” and several seemingly useless messages in /var/log/ppp.log: “Connect script failed”, “LCP: timeout sending Config-Requests”, “CCLExit: -6021 (No carrier.)”, and “CCLExit: -6019 (Modem error, modem not responding.)”.

I finally came across this post that included a list of steps which billio discovered fixed the problem for him. I am re-posting his steps here (I hope he doesn’t mind):

1. Remove the Novatel USB device.

2. Download the latest driver package for Mac OS X from Sprint. It says it is for Tiger (10.4) but it seems to work.

3. Delete (sudo rm -rf) all the Novatel files from /System/Library/Extensions. Reboot.

4. Run the mpkg installer for the Sprint drivers.

5. Reboot.

6. Open Network Preferences; plug in the Novatel device; click “+” and add “Novatel CDMA” device.

7. Click “Advanced” button. Change vendor to Novatel and Model to CDMA.

8. Click “Connect” and it works.

And I couldn’t believe it, but that actually worked! (I’m writing this post using the Sprint card right now.) You can find the Sprint drivers here (select MAC OS from the drop down and download the Sprint SmartView software).

DoS Attack Causing Problems on AT&T Network

There seems to be a DoS attack causing problems for connections routing through AT&T’s network. Here is a notice from the datacenter that hosts my web hosting server:

A large inbound Denial of Service attack is saturating connections to one of our providers. As a result some inbound traffic (that which gets routed over that provider) is experiencing high latency and timeouts. All other providers are fully functional. The routing is handled by the source network; as such, the issue will appear inconsistently across client connections. We are working with the affected provider to block the attacks and hope to have it resolved as soon as possible.

If you’re interested, here are the traceroute results.

I think this explains why I was having so many problems with my Verizon FiOS connection at home this morning. I was cursing Verizon left and right wondering why I couldn’t connect to half the Internet!

Quick Wireless Security using SSH Tunneling

I’m a little paranoid when it comes to wireless security. Even if I’m on an encrypted wireless network, I won’t access any of my bank accounts or login to any website that requires a password without securing my traffic with an additional layer of security using SSH tunneling.

SSH tunneling can also be used to circumvent network-based restrictions in the workplace or on a free public wifi hotspot, giving you the freedom to browse whatever websites you want. If implemented at the OS networking level, you can even use the tunnel for your email and other applications. However, the focus of this post is on using SSH tunneling to secure your web traffic.

Here is a quick list of what you’ll need:

  • Firefox or Internet Explorer (this technique also works with Opera and Safari, although I don’t cover those here)
  • Putty (Windows); The terminal (Linux or OS X)
  • SwitchProxy Tool (nice-to-have Firefox Plugin)
  • Access to an *nix-based computer. This will probably be the most difficult to obtain and if you’re not familiar with Linux or OS X I recommend you ask a friend if they wouldn’t mind giving you an account on their Linux computer. You can try to find a free shell that allows port forwarding, but they are rare.

Setting up the SSH Tunnel

Windows

Since Windows doesn’t have an SSH client built in, you will need to use the wonderful SSH client application called Putty. After you’ve downloaded and launched Putty, you should be presented with the main screen. Fill in the Host Name (or IP address) field with that of your Linux computer and be sure to select SSH from the Connection type.

On the left column of options, select Connection -> SSH -> Tunnels. Enter 9000 in the Source port field, select Dynamic from the option at the bottom, and then click Add. Your screen should now look something like this:

Note: If you don’t see the Dynamic option in Putty, make sure you have the latest version.

Now go ahead and click the Open button to connect to and login to your Linux computer. Once you have successfully logged in, the tunnel will be open and you can proceed to configure your web browser to use the tunnel.

Linux/OS X

Since you’re using a *nix based system, your computer already has everything it needs to set up an SSH tunnel. Simply access the terminal (Applications -> Utilities -> Terminal.app on OS X) and connect to the remote Linux computer as follows, substituting your username and the hostname (or IP address) of the Linux computer:

ssh -l <username> -D 9000 <linux-computer>

After logging into the remote computer, the dynamic SSH tunnel will be open and we can continue on to configuring the web browser.

Configuring the Web Browser to use the SSH Tunnel

Firefox with SwitchProxy Tool plugin (the method I use)

Download and install the SwitchProxy Tool plugin. After installing the plugin, open its configuration window (Tools -> Add-ons -> SwitchProxy Tool -> Preferences on OS X). This will open the basic configuration window for the plugin. Click Manage Proxies and then Add. Choose Standard for the proxy configuration type and click Next. Fill in the fields as shown below.

After saving the connection, you should be able to use the plugin to easily switch between browsing through the SSH tunnel and browsing without it. I have it configured to show in the Firefox Status Bar, as I find that to be the easiest method of toggling between the two:

Firefox without SwitchProxy Tool

Although I use SwitchProxy Tool to easily switch my proxy settings, I will also explain how to configure the browser without the plugin.

Open the Firefox Preferences (Firefox -> Preferences on OS X) and click the Advanced icon at the top. In the connection section, click the Settings... button. Choose Manual proxy configuration and fill in the SOCKS Host and Port fields (localhost and 9000, matching the tunnel opened above).

Internet Explorer

From the Internet Explorer menu, choose Tools -> Internet Options. Select the Connections tab and then click the LAN Settings button. Enable the Use proxy server for your LAN option and click Advanced.

In the Servers section, make sure all the fields are empty except for the Socks field. Type localhost in the Socks Proxy address field and 9000 in the Port field. Your screen should look something like this:

Click the OK button all the way back to your browser. You should now be browsing the Internet securely through the SSH tunnel! An easy way to confirm this is to disconnect from the Linux computer by closing Putty and checking if you can still browse the web. Since the browser has been configured to use the tunnel, you won’t be able to browse the web if that tunnel is closed.

If you wish to revert back to browsing the web normally, simply uncheck the Use proxy server for your LAN option in LAN Settings.
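A quicker way to confirm the tunnel is really up before trusting it, instead of closing Putty and watching the browser fail: speak a few bytes of SOCKS5 to the local port. The script below is an added example (not from the post); it assumes only the port number 9000 used above, and the fake listener in it exists purely so the check can be exercised without a real SSH session.

```python
"""Check that the local port opened by `ssh -D 9000` answers as a SOCKS5
proxy. Added example; the fake listener exists only for offline testing."""
import socket
import threading

def socks5_greeting_ok(host="127.0.0.1", port=9000, timeout=3.0):
    """Send the SOCKS5 client greeting offering 'no authentication'
    (RFC 1928: VER=5, NMETHODS=1, METHOD=0x00) and return True only when the
    service replies VER=5, METHOD=0x00. A refused connection (tunnel closed)
    or anything that is not a SOCKS5 server returns False."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")
            reply = s.recv(2)
    except OSError:
        return False
    return reply == b"\x05\x00"

def start_fake_socks5(reply=b"\x05\x00"):
    """Test scaffold, not a real proxy: listen on an ephemeral loopback port,
    answer one greeting with `reply`, then close. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.recv(3)          # the client's greeting
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port

def unused_port():
    """A loopback port nothing listens on, to show the 'tunnel is down' result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    print("SOCKS5 on 127.0.0.1:9000:", "up" if socks5_greeting_ok() else "not answering")
```

Run it after the ssh or Putty session is open; a False with the session up means the dynamic forward was not configured (the Dynamic option in Putty, or -D on the command line). One related caveat for the Firefox setup: the proxy type must be SOCKS v5, and unless network.proxy.socks_remote_dns is set to true in about:config, Firefox still resolves hostnames through the local network's DNS, so the names of the sites you visit are visible on the wireless network even though the page traffic is not.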

Verizon Fiber Optic Cross Box

I ordered Verizon FiOS last week and this morning a Verizon technician came by and opened a gray box hanging from the pole outside my apartment. He was probably doing something in preparation for my FiOS install scheduled for next week. I was a bit surprised when he opened the box without a key, but maybe he had some type of RFID transmitter on him that unlocked the box some other way.

I’ve never seen fiber inside those boxes before so I grabbed my DSLR, put on the telephoto lens, and took some pictures from my window. The closest I could come to finding a name for these boxes is a “cross box”. If anyone has more information on them, please leave a comment!

Getting Around the Netgear Setup Wizard

This information applies to the Netgear model WGR614 v6. It may also apply to other models, but I have only tested these steps with the WGR614 v6. If you discover this information applies to other Netgear models, I would appreciate it if you leave a comment about that model.

Update: Visitors have notified me that this solution also works with the following models:
WGR614 v7
DG834G v4

When you plug in and turn on the Netgear router for the first time, it is configured with an IP address of 192.168.1.1 and, as usual, DHCP is enabled. This allows you to plug in a computer and get an IP address from the router so you can connect to the web-based configuration interface.

When you open a web browser and visit http://192.168.1.1/ you are redirected to http://www.routerlogin.net/welcome.htm. A setup wizard is started. This wizard looks for an Internet Connection and if it doesn’t find one, it will put you in an endless loop, bringing you back to the start of the wizard until you have an internet connection available. This is, to say the least, very annoying and very bad design.

To skip the setup wizard and go straight to the configuration interface, change the URL in your browser to http://192.168.1.1/basicsetting.htm. Now you will see the familiar setup page. There is however a catch. If you go ahead and make all your changes and close the browser, you’ll be stuck! The changes you made wouldn’t have taken effect and if you try to visit http://192.168.1.1/ to configure the router again, you will automatically be redirected to http://www.routerlogin.net/, which will fail to open. So how do you fix this?

Well, if you’re already stuck in this endless loop, press the reset button to reset the router configuration to the defaults. Then follow the steps to get around the setup wizard and then follow these steps before anything else:

  1. Click Setup Wizard
  2. Choose “No, I want to configure the router myself.”
  3. Click Next
  4. CLICK APPLY AT THE BOTTOM!

If you don’t follow those steps, the router assumes it has never been configured. Even if you took the time to configure and enable your wireless settings, the wireless won’t be enabled and you might go crazy trying to figure out why (like I did).

SSH Logout Hanging Problem: Fixed!

For several years now I have experienced the same problem when disconnecting SSH connections to my home or office Linux servers. I noticed the problem only occurred when I was using port forwarding. If I was using Putty to open the connection, then typing logout or exit to disconnect would leave an empty Putty window open, waiting for SSH to complete the disconnection process. So I would have to manually close the window each time. No big deal.

However, this was also happening when I connected from a terminal window on another Linux machine, or more recently, on my MacBook. Here it was becoming more of an annoyance, since I would usually want to continue using that terminal window after disconnecting the SSH connection.

Earlier this week, I discovered I could ask my ISP to modify the reverse DNS zone information so that my home static IP address resolved to the same hostname that I had configured it to point to (i.e., dev82.org -> 66.92.66.105). Whenever I open an SSH connection to my home server, I always use the hostname instead of typing the IP address. The SSH connection would work, but when I disconnected it would hang. As soon as the ISP had updated the reverse DNS zone information, disconnects started working properly and the hanging stopped!

So apparently, whenever you connect via SSH to a hostname while utilizing port forwarding, the IP address must have reverse DNS setup properly (to resolve to the hostname), otherwise SSH might fail to successfully disconnect the session.

If you’re having similar SSH disconnect issues, I will show you how you can check your hostname. I will use dev82.org and 66.92.66.105 as examples. The nslookup command should work on Linux, OS X, or Windows systems.

First, check what IP address your hostname resolves to:

raam@eris:~$ nslookup dev82.org

Non-authoritative answer:
Name: dev82.org
Address: 66.92.66.105

Now do the reverse to make sure Name and Address match:

raam@eris:~$ nslookup 66.92.66.105

Non-authoritative answer:
105.66.92.66.in-addr.arpa name = dev82.org.

If running nslookup on your IP address doesn’t return the same name you’re connecting to, then that might be the cause for your SSH disconnection problems. If your broadband connection comes with a static IP address, you should be able to call your ISP and ask them to change the hostname that your IP address resolves to.

Reverse DNS: That’s not me!

I have Speakeasy DSL at home with a static IP address (I’m boycotting Comcast). I run a Linux server on a Mac Mini and I use it for all my messaging (using naim IRC/AIM and Jabber via Bitlbee, but that’s for another post).

Since I SSH into my Linux box several times a day, it would be nice to avoid typing the full IP address each time. So I decided to setup an A Record on one of the domains I own (we’ll use dev82.org as an example) so that dev82.org points to the IP address of my home DSL connection (66.92.25.92 in this example).

After transferring the Speakeasy DSL to my new apartment in Cambridge, I had a new IP address. No problem — I simply updated the A Record and dev82.org worked again. However, this time I noticed something funky. Take a look at what hostname my IP address resolved to when I pinged dev82.org:

raam@wfc-main2:~$ ping dev82.org
PING dev82.org (66.92.25.92) 56(84) bytes of data.
64 bytes from host103-spk.online-buddies.com (66.92.25.92): icmp_seq=1 ttl=53 time=38.3 ms

That’s weird. What the hell is host103-spk.online-buddies.com? A little Googling tells me:

“Online Buddies, Inc., developer of MANHUNT.net is one of largest developers of web-oriented services serving the gay community.”

Uh, I’m not gay. Besides, why the hell is my home DSL IP address responding to a domain I’ve never heard of? I ran a few more tests, including tests from different ISPs to rule out a local DNS issue. Each time, my home IP address resolved the same:

raam@wfc-main2:~$ nslookup 66.92.25.92
Non-authoritative answer:
92.25.92.66.in-addr.arpa name = host92-spk.online-buddies.com.

So I decided to pick up the phone and call Speakeasy. They have always been helpful and I figured worst-case scenario is that I’ll have to request a new IP address and re-point dev82.org. At least that way my IP address won’t resolve to some gay site.

I called Speakeasy at 3:30am and had a tech on the phone within 3 minutes (Speakeasy rocks). I explained to the tech my situation and he quickly had an explanation: Whoever was assigned my IP address before I was must have had it set up to resolve to that hostname.

I told the tech I had setup an A Record to point the IP address to dev82.org. After confirming that was true with a ping test, the tech said he would update the Reverse DNS record so that 66.92.25.92 resolves to dev82.org.

This is awesome. I had no idea I could request an update to the Reverse DNS record for my static DSL connection! I wonder how easy that process is with a Comcast connection, or if it’s even possible. :?
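The nslookup check from the SSH logout post and the mismatch described here are the two halves of the same test, forward-confirmed reverse DNS: does the hostname resolve to the address, and does the address's PTR record name that same host? The function below is an added example (not from either post). It uses the standard socket resolver by default; the lookup functions are injectable, and the constructed tables reproduce this post's before-and-after situation for dev82.org and 66.92.25.92 so the logic can run offline.

```python
"""Forward-confirmed reverse DNS check. Added example; the tables at the
bottom are constructed stand-ins for DNS, not live lookups."""
import socket

def check_fcrdns(hostname, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Resolve hostname -> ip, then ip -> PTR name, and report whether the
    PTR name matches the hostname. `forward` and `reverse` have the shapes
    of socket.gethostbyname and socket.gethostbyaddr so they can be swapped
    for test doubles. A missing record is reported under "error"."""
    result = {"hostname": hostname, "ip": None, "ptr": None,
              "consistent": False, "error": None}
    try:
        ip = forward(hostname)
        result["ip"] = ip
        ptr_name = reverse(ip)[0]
        result["ptr"] = ptr_name
    except OSError as exc:              # gaierror / herror are OSError subclasses
        result["error"] = str(exc)
        return result
    result["consistent"] = ptr_name.rstrip(".").lower() == hostname.rstrip(".").lower()
    return result

def make_resolvers(a_table, ptr_table):
    """Build forward/reverse lookup functions from plain dicts (constructed data)."""
    def forward(name):
        try:
            return a_table[name]
        except KeyError:
            raise socket.gaierror(f"no A record for {name}")

    def reverse(ip):
        try:
            return (ptr_table[ip], [], [ip])
        except KeyError:
            raise socket.herror(f"no PTR record for {ip}")

    return forward, reverse

# Constructed tables mirroring the post: the A record the author set up, the
# stale PTR left by the address's previous holder, and the PTR after the ISP fixed it.
A_RECORDS = {"dev82.org": "66.92.25.92"}
PTR_BEFORE = {"66.92.25.92": "host92-spk.online-buddies.com"}
PTR_AFTER = {"66.92.25.92": "dev82.org"}

def demo():
    """Return the check result before and after the reverse zone was updated."""
    before = check_fcrdns("dev82.org", *make_resolvers(A_RECORDS, PTR_BEFORE))
    after = check_fcrdns("dev82.org", *make_resolvers(A_RECORDS, PTR_AFTER))
    return before, after

if __name__ == "__main__":
    for label, r in zip(("before", "after"), demo()):
        print(label, r)
    print("live:", check_fcrdns("dev82.org"))   # uses the real resolver
```

Calling `check_fcrdns("yourhost.example")` with the defaults performs the live lookups; "consistent": False with a populated "ptr" is the situation in this post (someone else's name on your address), while a populated "error" means the PTR is missing altogether, which is the case to raise with the ISP for the SSH disconnect symptom.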

Comcast is forging your data!

So apparently, not only is Comcast throttling BitTorrent traffic (as I proved with a little experiment a few weeks back), but they are forging your traffic to do it! They actually modify your individual TCP packets as they travel between your computer and their intended destination. This is the same technique China uses for the Great Firewall of China to prevent citizens from accessing certain material on the Internet deemed “sensitive”.

As Slashdot seems to always have the most informative and well educated commenters, I will post what HiThere wrote with regards to the legal implications this may have for Comcast:

If the ISPs filter based on torrent source, then they cease to be common carriers, and lose common carrier protection. Then they immediately become liable for every case of copyright infringement that they are accessory to.

I don’t think they’d like that choice.

If they are common carriers, then they are supposed to be indifferent to WHAT they are carrying, like the mail or the phones. If an extortion threat is transmitted by mail, you can’t sue the post office. Not just because it’s acting as an agent of the govt, but because it’s a common carrier. (UPS is just as protected.) They aren’t supposed to know or care what they’re carrying. If they did, and demonstrated the capability of filtering it by filtering some of it, then they would lose their common carrier status, and become liable as accessories to extortion, e.g.

OTOH, I don’t want them pretending to be me. Not at all. That should be grounds for a suit. It should also be grounds for criminal prosecution not only of those who implemented it, but of all of their supervisors, managers, etc. also. Including the boards of directors. It shouldn’t have a particularly onerous penalty…say 10 days for each separate offense. Cumulative. I’ll be generous, and say 1 day per instance. I.e., 1 day per false packet.

Seriously, if you have a choice, please consider switching to another ISP!

Update: Since I’m going to continue following news related to this topic, I will post relevant news articles I come across below.

Comcast is also Jamming Gnutella (and Lotus Notes?)

Forged reset packets are normally the kind of thing that would only be present if a hacker was attacking your computer, but in this case, it’s the ISP you pay money to each month that is sending them.

Comcast filtering Lotus Notes (Update)

I finally have an end-to-end trace to share which shows that Comcast is filtering the port 1352 traffic. The images below show that Comcast is impersonating and using man-in-the-middle tactics to filter the traffic as stated in the CNet post.

Not only is Comcast filtering P2P traffic, it’s also toying with other traffic! What a surprise!

Comcast Cheating On Bandwidth Testing?

Upon further investigation, it appears that Comcast is delivering this bandwidth only for a few seconds after any new request and it is immediately throttled down. Doing a download and upload test using a significantly large file (100+ MB) yields results more in line with everyday usage experience, usually about 1.2 Mbps down and about 250 Kbps up (but it varies).

The comments on this Slashdot article are really great. Lots of people offer explanations as to what Comcast is doing.

Comcast gets US FCC notice on Web traffic blocking

Comcast, the largest U.S. cable television operator and the second largest high speed Internet provider with more than 11 million subscribers, has repeatedly refuted allegations it blocks certain Internet traffic or applications.

The company said it used bandwidth technology on its network that can slow the delivery of files, but it would not block them outright.

BitTorrent Plugin Detects ISPs Raping Your Torrents

A plugin for Azureus allows you to voluntarily submit reports of possible sabotage by your ISP.

Comcast Makes Nice with BitTorrent

BitTorrent, Inc. maybe. The BitTorrent protocol? I doubt it.

Visual proof Comcast throttles my cable connection!

I saw an article on Digg today about how Comcast is denying rumors that they are throttling BitTorrent traffic. I have my own proof that they are! In the following experiment I used Speakeasy’s Speed Test for the speed results.

I’ve measured my connection speed several times over the past few weeks, so I have a pretty good idea what kind of speeds I should be getting when my connection is idle. Usually I get around 18000 kbps down and 1600 kbps up. For the sake of this experiment, I’ll run the test once before I try downloading a torrent:

Speakeasy Speed Test 3

Speakeasy Speed Test 4

OK, the results look normal (fast for $55 a month!). I then browsed to my favorite torrent site, mininova.org, and downloaded a totally legal 50 MB torrent using the open-source BitTorrent client Azureus (v2.5.0.4). The download took about 4 minutes.

Downloading a Torrent

After the download finished, I exited Azureus to make sure nothing was seeding, waited 5 minutes, and then ran Speakeasy’s Speed Test again:

Speakeasy Speed Test 1

Speakeasy Speed Test 2

Wow, why so slow?! My first thought was that maybe there were a lot of people in my neighborhood downloading stuff through their Comcast connection, but then I remembered that was 2001. Comcast has upgraded their network since then, so I should be getting blazing speeds! Besides, it was only 10 minutes ago that I was getting 4x the download speed and over 25x the upload speed!

I waited another 20 minutes and tried the speed test again. This time the results came back normal (same speed as the first test). To confirm this wasn’t just a coincidence, I repeated this experiment half a dozen times. Every single time, my connection speed slowed down considerably after about 4 - 5 minutes of downloading a torrent and returned to normal within 20 - 25 minutes of no BitTorrent traffic.

If Comcast thinks they can get away with throttling BitTorrent traffic, then it won’t be long before they start throttling other traffic and even charging extra for it. How many YouTube videos have you watched? Oh, that’s an additional $6 on your bill this month.
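Both the bandwidth-testing item above (full speed for a few seconds, then throttled) and the before/after speed tests in this experiment come down to measuring sustained rather than instantaneous throughput: a short test that samples only the first seconds of a transfer reports the burst, not what you get over a 100 MB download. The helper below is an added example, not code from the original post or from Speakeasy's test; it takes a constructed series of (seconds, cumulative bytes) samples, with made-up numbers chosen to mirror the speeds quoted on this page, and separates the initial burst from the steady state.

```python
"""Separate a transfer's initial burst from its sustained rate.

Added example (not code from the original post). Input is a list of
(seconds, cumulative_bytes) samples such as you would log every couple of
seconds while downloading a large file; demo_samples() is constructed data.
"""
from statistics import fmean, median


def interval_rates_kbps(samples):
    """Per-interval throughput in kbps computed from cumulative byte counts."""
    rates = []
    for (t0, b0), (t1, b1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must have strictly increasing timestamps")
        rates.append((t1, (b1 - b0) * 8 / 1000 / (t1 - t0)))
    return rates


def average_kbps(samples, until=None):
    """What a short speed test reports: mean rate from the start up to `until` seconds."""
    t0, b0 = samples[0]
    t_end, b_end = samples[-1] if until is None else max(s for s in samples if s[0] <= until)
    return (b_end - b0) * 8 / 1000 / (t_end - t0)


def burst_vs_sustained(samples, burst_factor=1.5):
    """Split the transfer at the end of the leading run of intervals that run faster
    than burst_factor times the median rate of the second half of the transfer."""
    rates = interval_rates_kbps(samples)
    steady_ref = median(r for _, r in rates[len(rates) // 2:])
    burst_end = samples[0][0]
    for t, r in rates:
        if r > burst_factor * steady_ref:
            burst_end = t
        else:
            break
    burst = [r for t, r in rates if t <= burst_end]
    sustained = [r for t, r in rates if t > burst_end]
    return {
        "burst_seconds": burst_end - samples[0][0],
        "burst_kbps": fmean(burst) if burst else 0.0,
        "sustained_kbps": fmean(sustained) if sustained else 0.0,
    }


def demo_samples():
    """Constructed 60 s download: about 18 Mbit/s for 8 s, then about 1.2 Mbit/s."""
    samples, total = [(0, 0)], 0
    for t in range(2, 62, 2):
        total += 4_500_000 if t <= 8 else 300_000  # bytes moved in the last 2 s
        samples.append((t, total))
    return samples


if __name__ == "__main__":
    s = demo_samples()
    print("10 s test reports:", average_kbps(s, until=10), "kbps")
    print("whole transfer   :", average_kbps(s), "kbps")
    print(burst_vs_sustained(s))
```

On the constructed data a test that stops after 10 seconds reports about 14.6 Mbit/s while the sustained rate is 1.2 Mbit/s, so when repeating the before/after comparison it is worth logging the cumulative byte count of a long download and comparing the steady-state portion, not just the headline figure. The split itself says nothing about the cause; that still takes a packet capture.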