Guys:

On Tue, Nov 20, 2012 at 6:27 PM, Derek Trotter wrote:
> Since you mentioned the possibility of attack, that got me thinking. I did
> read yesterday about the anonymous retards attacking Israeli websites.
> Maybe they got the wrong idea about Deru. A couple of years ago some bunch
> of activists wanted to organize a boycott of Arizona because of SB 1070 and
> told people they shouldn't buy Arizona brand iced tea. The tea is made
> somewhere back east.
>
> On 11/20/2012 05:54 PM, Brian Cluff wrote:
>> I would also be interested in the details. All I know is what I can see,
>> or in this case, not see from the PLUG server, and not being able to get a
>> hold of support.
>> I don't know if it's financial or an attack, or if the entire staff is
>> just broken down in a bus somewhere, but I sure would like to know. I
>> suspect that it's something major, since this has been going on for about a
>> week, and this is generally something that would be bad for business.
>>
>> Brian Cluff
>>
>> On 11/20/2012 05:48 PM, Derek Trotter wrote:
>>> I've seen the discussions here over the last day or so about Deru having
>>> problems and being unavailable to much of the internet. I also read
>>> speculation about how they might be completely offline soon. Are they
>>> having financial troubles, did they lose some of their support staff,
>>> or is it something else?
>>>
>>> If you don't want to post an answer to the list, please send one to me
>>> off list.
>>>
>>> Thanks
>>>
>>> Derek

The following attack vectors would cause the behavior we saw:

a) BGP protocol exploit, first described in 1996 in 2600.com: http://www.ietf.org/rfc/rfc4272.txt

b) DNS cache poisoning. The server would have to be configured to allow queries and/or recursion, or run an exploitable version of BIND (older Debian, for instance).

The other exploits, like SYN flooding, network UPnP, or other DoS, would not cause intermittent outages from some carriers.
Clearly this is a failure to reach the authoritative server, either due to a routing issue, due to loss of or change to a provider feature or level of service (dual homed), or due to a change to the DNS that has not yet propagated to all hosts, since cache poisoning would affect all hosts alike.

The authoritative servers reported via whois for plug.phoenix.az.us are ns1.deru.net and ns2.deru.net. The full test indicates that recursion is not on, that one server does not answer, and that the SOA is set beyond the allowed time of the RFC:

http://www.intodns.com/deru.net

DNS therefore clearly works for the server in question. Traceroutes to and from the network, from various sites, show this clearly as a routing issue:

http://tracert.com/trace_exe.html

So, ruling out DNS, we have a routing issue, which could conceivably be caused by BGP exploits. Although, the fact that deru.net is not responding in any way to requests is telling? There is a good possibility that they did not pay their bills, so their bandwidth was either changed to single from HSRP, or throttled down to nothing and they were removed from the BGP tables. I hope this shines more light on the possibility of exploits?

All testing should be pointed at deru.net, not at plug.phoenix.az.us, which Brian has swiftly moved (having control over ns1.plug.phoenix.az.us). Once the authoritative NS servers as defined in the root server or registry quit answering for phoenix.az.us, that domain will also.

http://tracert.com/trace_exe.html

Choices would be to take over control of that domain; however, Deru possibly is not going to be functioning in the solution to sell off or redistribute their domains. Again, we know nothing of the reason for these outages.

A new thread about these problems with Deru appears here (17 hours ago):

http://www.webhostingtalk.com/showthread.php?p=8434377

Have we attempted to contact everyone there? Here's the full contact list from their site (probably stephen@deru.net, eric@deru.net, brian@deru.net, etc.):
Deru Internet is a division of Deru Communications, an Arizona based corporation with headquarters in Phoenix. We are a fast growing, privately owned ISP. Our founders are not new to providing high quality Internet services to Arizona businesses and residents. They have been involved with the design, deployment, operations, engineering and management of some of the largest ISPs to have their roots in Arizona, including Internet Direct, GetNet, NetZone, and GoodNet. The companies we started have gone on to compete not only on a national level, but an international level. We have grown up with the Internet and understand that it's an important part of your life and business. We understand that you are making a conscious effort to support local companies rather than seek service from larger nationwide companies. We want you to know that we will treat you with service that not only rivals our national competition but also surpasses it in many factors, from price, to support, to performance. We are privately owned and operated and have our roots in Arizona.

Darin Wayrynen, President, CEO and Co-founder
Eric Kearney, Vice President of Technology
Bryan Mertz, Senior Sales Executive
Stephen Shearin, Vice President of Business Development
Prasad Mohandas, Senior Network Administrator
Sijin George, Senior Network Administrator
Sachin Chandran, Senior Network Administrator
Ajin V Koshy, Senior Network Administrator
Majoosh Mathew, Senior Network Administrator
Abhijith Vijayan, Senior Network Administrator

--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
** it-clowns.com Chief Clown
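As an added example (not code from the thread or from Deru), here is the kind of check the analysis above walks through, in Python: feed it a `dig +norecurse @<ns> <zone> SOA` capture for each authoritative server and it reports whether the server answered authoritatively, whether it offers recursion, and whether the SOA refresh/expire timers sit inside the RFC 1912 ranges, then separates a zone-data fault from a reachability fault. The server names (ns1/ns2.example.net) and the dig output are constructed.

```python
import re

# Recommended SOA timer ranges in seconds, RFC 1912 sec. 2.2 (retry should also be < refresh)
RANGES = {"refresh": (1200, 43200), "expire": (1209600, 2419200)}
# Constructed dig captures standing in for the two authoritative servers.
NS1_SAMPLE = """; <<>> DiG 9.8.1 <<>> +norecurse @ns1.example.net example.net SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.net.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2012112001 10800 3600 604800 86400
"""
NS2_SAMPLE = ";; connection timed out; no servers could be reached\n"

def analyse_dig(output):
    """Findings for one `dig +norecurse @<ns> <zone> SOA` capture (empty list = healthy)."""
    if "status:" not in output:
        return ["no answer (host unreachable or daemon down)"]
    findings = []
    status = re.search(r"status: (\w+)", output).group(1)
    if status != "NOERROR":
        findings.append("rcode " + status)
    flags = re.search(r"flags: ([a-z ]*);", output).group(1).split()
    if "aa" not in flags:
        findings.append("answer not authoritative")
    if "ra" in flags:  # open recursion: the cache-poisoning exposure the thread mentions
        findings.append("recursion offered to the querier")
    m = re.search(r"\sIN\s+SOA\s+\S+\s+\S+\s+\d+\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+", output)
    if not m:
        return findings + ["no SOA record in answer"]
    refresh, retry, expire = map(int, m.groups())
    for name, value in (("refresh", refresh), ("expire", expire)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            findings.append("SOA %s %d outside %d-%d" % (name, value, lo, hi))
    if retry >= refresh:
        findings.append("SOA retry %d not shorter than refresh %d" % (retry, refresh))
    return findings

def summarize(per_ns):
    """per_ns maps server name -> findings; tell zone-data faults from reachability faults."""
    down = [ns for ns, f in per_ns.items() if f and f[0].startswith("no answer")]
    if len(down) == len(per_ns):
        return "no authoritative server reachable: routing or host outage, not zone data"
    if down:
        return "partial: %s unreachable, zone still served by the rest" % ", ".join(down)
    return "all authoritative servers answer: zone data is not the cause"

if __name__ == "__main__":  # stand-alone run over the constructed captures
    results = {"ns1": analyse_dig(NS1_SAMPLE), "ns2": analyse_dig(NS2_SAMPLE)}
    print(results, summarize(results))
```

For a live check, replace the constructed strings with the output of `dig +norecurse @ns1.deru.net deru.net SOA` and the same for ns2; a server that answers `aa` without `ra` and a second one that times out gives exactly the "partial" verdict the thread draws.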