Guys:<br><br><div class="gmail_quote">On Tue, Nov 20, 2012 at 6:27 PM, Derek Trotter <span dir="ltr"><<a href="mailto:expat.arizonan@gmail.com" target="_blank">expat.arizonan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font face="Comic Sans MS">Since you mentioned the possibility of
attack, that got me thinking. I did read yesterday about the
anonymous retards attacking Israeli websites. Maybe they got the
wrong idea about Deru. A couple of years ago some bunch of
activists wanted to organize a boycott of Arizona because of SB
1070 and told people they shouldn't buy Arizona brand iced tea.
The tea is made somewhere back east.<br>
<br>
</font><div><div class="h5">
<div>On 11/20/2012 05:54 PM, Brian Cluff
wrote:<br>
</div>
<blockquote type="cite">I
would also be interested in the details. All I know is what I can
see, or in this case, not see from the PLUG server and not being
able to get a hold of support.
<br>
I don't know if it's financial or an attack, or if the entire
staff is just broken down in a bus somewhere, but I sure would
like to know. I suspect that it's something major since this has
been going on for about a week, and this is generally something
that would be bad for business.
<br>
<br>
Brian Cluff
<br>
<br>
On 11/20/2012 05:48 PM, Derek Trotter wrote:
<br>
<blockquote type="cite">I've seen the discussions here over the
last day or so about Deru having
<br>
problems and being unavailable to much of the internet. I also
read
<br>
speculation about how they might be completely offline soon.
Are they
<br>
having financial troubles, did they lose some of their support
staff,
<br>
or is it something else?
<br>
<br>
If you don't want to post an answer to the list, please send one
to me
<br>
off list.
<br>
<br>
Thanks
<br>
<br>
Derek
<br></blockquote></blockquote></div></div></div></blockquote></div>The following attack vectors would cause the behavior we saw:<div><br></div><div>a) BGP protocol exploit, first described in 1996 in <a href="http://2600.com">2600.com</a>:</div>
<div><br></div><div><a href="http://www.ietf.org/rfc/rfc4272.txt">http://www.ietf.org/rfc/rfc4272.txt</a><br clear="all"><div><br></div><div>b) DNS cache poisoning.</div><div><br></div><div>The server would have to be configured to allow queries, and/or recursion or run an exploitable version of Bind (older Debian for instance).</div>
<div><br></div><div>The other exploits like SYN flooding, and network UPNP, or other dOs would not cause intermittent outages from some carriers. </div><div><br></div><div>Clearly this is failure to reach the authorative server, either due to a routing issue or due to loss of or change to a provider feature or level of service (dual honed), or a change to the DNS that has not yet propigated to all hosts, since </div>
<div>cache poisoning would effect all hosts alike. </div><div><br></div><div>The authorative server reported via whois for <a href="http://plug.phoenix.az.us">plug.phoenix.az.us</a> is <a href="http://ns1.deru.net">ns1.deru.net</a> and <a href="http://ns2.deru.net">ns2.deru.net</a>:</div>
<div><br></div><div>The full test indicates that recursion is not on, that one server does not answer, and that the SOA is set beyond the allowed time of RFC. </div><div><br></div><div><a href="http://www.intodns.com/deru.net">http://www.intodns.com/deru.net</a></div>
<div><br></div><div>DNS therefore clearly works for the server in question.</div><div><br></div><div>Traceroutes to and from the network, from various sites show this clearly as a routing issue:</div><div><br></div><div><a href="http://tracert.com/trace_exe.html">http://tracert.com/trace_exe.html</a></div>
<div><br></div><div>So, ruling out DNS, we have a routing issue, which could conceivably be caused by BGP exploits.</div><div><br></div><div>Although, the fact that <a href="http://deru.net">deru.net</a> is not responding in any way to requests is telling? There is a good possibility that they did not pay their bills, so their bandwidth was either changed to single from HSRP, or throttled down to nothing and they were removed from the BGP tables.</div>
<div><br></div><div>I hope this shines more light on the possibility of exploits?</div><div><br></div><div>All testing should be pointed as <a href="http://deru.net">deru.net</a>, not at <a href="http://plug.phoenix.az.us">plug.phoenix.az.us</a> which Brian has swiftly moved (having control over <a href="http://ns1.plug.phoenix.az.us">ns1.plug.phoenix.az.us</a>). Once the authorative NS servers as defined in the root server or registry quit answering for <a href="http://phoenix.az.us">phoenix.az.us</a> that domain will also.</div>
<div><br></div><div><a href="http://tracert.com/trace_exe.html">http://tracert.com/trace_exe.html</a></div><div><br></div><div>Choices would be to take over control of that domain, however Deru possibly is not going to be functioning in the solution to sell off or redistribute their domains. Again we know nothing of the reason for these outages.</div>
<div><br></div><div>A new thread about these problems with deru appears here (17 hours ago): <a href="http://www.webhostingtalk.com/showthread.php?p=8434377">http://www.webhostingtalk.com/showthread.php?p=8434377</a></div>
<div><br></div><div>Have we attempted to contact everyone there? Here's the full contact list from their site: (probably <a href="mailto:stephen@deru.net">stephen@deru.net</a>, <a href="mailto:eric@deru.net">eric@deru.net</a>, <a href="mailto:brian@deru.net">brian@deru.net</a>, etc..)</div>
<div><br></div><div><p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">Deru Internet is a division of Deru Communications, an Arizona based corporation with headquarters in Phoenix.</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1"><br>We are a fast growing, privately owned, ISP. Our founders are not new to providing high quality Internet Services to Arizona businesses and residents. They have been involved with the design, deployment, operations, engineering and management of some of the largest ISPs to have their roots in Arizona, including Internet Direct, GetNet, NetZone, and GoodNet. <br>
</font></p><p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">The companies we started have gone on to compete not only on a national level, but an international level. We have grown up with the Internet and understand that it's an important part of your life and business.</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">We understand that you are making a conscious effort to support local companies rather than seek service from larger nationwide companies. We want you to know that we will treat you with service that not only rivals our national competition but also surpasses it in many factors, from price, to support, to performance.</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">We are privately owned and operated and have our roots in Arizona.</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1"><a href="http://www.deru.net/darinbio.html">Darin Wayrynen</a>, President, CEO and Co-founder</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1"><a href="http://www.deru.net/ericbio.html">Eric Kearney</a>, Vice President of Technology</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1"><a href="http://www.deru.net/bryanbio.html">Bryan Mertz</a>, Senior Sales Executive</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1"><a href="http://www.deru.net/stephenbio.html">Stephen Shearin</a>, Vice President of Business Development</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">Prasad Mohandas , Senior Network Administrator</font></p><p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)">
<font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">Sijin George, Senior Network Administrator</font></p><p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">Sachin Chandran, Senior Network Administrator</font></p>
<p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">Ajin V Koshy, Senior Network Administrator</font></p><p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)">
<font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">Majoosh Mathew, Senior Network Administrator</font></p><p align="left" style="font-family:'Times New Roman';background-color:rgb(255,255,255)"><font face="Arial, Helvetica, sans-serif" color="#cc33cc" size="1">Abhijith Vijayan, Senior Network Administrator</font></p>
<p align="left" style="font-family:'Times New Roman';font-size:medium;background-color:rgb(255,255,255)"></p></div>-- <br><div><img src="http://www.it-clowns.com/motivatebytruth/chat.gif"><br></div><div><br></div>
(503) 754-4452 Android</div><div><br>(623) 239-3392 Skype<br>(623) 688-3392 Google Voice<br>**<br><a href="http://it-clowns.com" target="_blank">it-clowns.com</a> <br>Chief Clown<br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br>
</div>