Deru

Lisa Kachold lisakachold at obnosis.com
Tue Nov 20 19:02:26 MST 2012


Guys:

On Tue, Nov 20, 2012 at 6:27 PM, Derek Trotter <expat.arizonan at gmail.com> wrote:

>  Since you mentioned the possibility of attack, that got me thinking.  I
> did read yesterday about the anonymous retards attacking Israeli websites.
> Maybe they got the wrong idea about Deru.  A couple of years ago some bunch
> of activists wanted to organize a boycott of Arizona because of SB 1070 and
> told people they shouldn't buy Arizona brand iced tea.  The tea is made
> somewhere back east.
>
>  On 11/20/2012 05:54 PM, Brian Cluff wrote:
>
> I would also be interested in the details.  All I know is what I can see,
> or in this case, not see from the PLUG server and not being able to get a
> hold of support.
> I don't know if it's financial or an attack, or if the entire staff is
> just broken down in a bus somewhere, but I sure would like to know.  I
> suspect that it's something major since this has been going on for about a
> week, and this is generally something that would be bad for business.
>
> Brian Cluff
>
> On 11/20/2012 05:48 PM, Derek Trotter wrote:
>
> I've seen the discussions here over the last day or so about Deru having
> problems and being unavailable to much of the internet. I also read
> speculation about how they might be completely offline soon. Are they
> having financial troubles, did they lose some of their support staff,
> or is it something else?
>
> If you don't want to post an answer to the list, please send one to me
> off list.
>
> Thanks
>
> Derek
>
The following attack vectors would cause the behavior we saw:

a) BGP protocol exploit, first described in 1996 in 2600.com:

http://www.ietf.org/rfc/rfc4272.txt

b) DNS cache poisoning.

The server would have to be configured to allow queries, and/or recursion,
or run an exploitable version of BIND (older Debian, for instance).

The other exploits, like SYN flooding, network UPnP, or other DoS, would
not cause intermittent outages from some carriers.

Clearly this is failure to reach the authoritative server, either due to a
routing issue or due to loss of or change to a provider feature or level of
service (dual homed), or a change to the DNS that has not yet propagated to
all hosts, since cache poisoning would affect all hosts alike.

The authoritative servers reported via whois for plug.phoenix.az.us are
ns1.deru.net and ns2.deru.net:

The full test indicates that recursion is not on, that one server does not
answer, and that the SOA is set beyond the allowed time of RFC.

http://www.intodns.com/deru.net

DNS therefore clearly works for the server in question.

Traceroutes to and from the network, from various sites show this clearly
as a routing issue:

http://tracert.com/trace_exe.html

So, ruling out DNS, we have a routing issue, which could conceivably be
caused by BGP exploits.

Although, the fact that deru.net is not responding in any way to requests
is telling?  There is a good possibility that they did not pay their bills,
so their bandwidth was either changed to single from HSRP, or throttled
down to nothing and they were removed from the BGP tables.

I hope this shines more light on the possibility of exploits?

All testing should be pointed at deru.net, not at plug.phoenix.az.us, which
Brian has swiftly moved (having control over ns1.plug.phoenix.az.us). Once
the authoritative NS servers as defined in the root server or registry quit
answering for phoenix.az.us, that domain will also.

http://tracert.com/trace_exe.html

One choice would be to take over control of that domain; however, Deru possibly
is not going to be functioning in the solution to sell off or redistribute
their domains. Again, we know nothing of the reason for these outages.

A new thread about these problems with deru appears here (17 hours ago):
http://www.webhostingtalk.com/showthread.php?p=8434377

Have we attempted to contact everyone there?  Here's the full contact list
from their site: (probably stephen at deru.net, eric at deru.net, brian at deru.net,
etc..)

Deru Internet is a division of Deru Communications, an Arizona based
corporation with headquarters in Phoenix.


We are a fast growing, privately owned, ISP. Our founders are not new to
providing high quality Internet Services to Arizona businesses and
residents. They have been involved with the design, deployment, operations,
engineering and management of some of the largest ISPs to have their roots
in Arizona, including Internet Direct, GetNet, NetZone, and GoodNet.

The companies we started have gone on to compete not only on a national
level, but an international level. We have grown up with the Internet and
understand that it's an important part of your life and business.

We understand that you are making a conscious effort to support local
companies rather than seek service from larger nationwide companies. We
want you to know that we will treat you with service that not only rivals
our national competition but also surpasses it in many factors, from price,
to support, to performance.

We are privately owned and operated and have our roots in Arizona.

Darin Wayrynen <http://www.deru.net/darinbio.html>, President, CEO and
Co-founder

Eric Kearney <http://www.deru.net/ericbio.html>, Vice President of
Technology

Bryan Mertz <http://www.deru.net/bryanbio.html>, Senior Sales Executive

Stephen Shearin <http://www.deru.net/stephenbio.html>, Vice President of
Business Development

Prasad Mohandas, Senior Network Administrator

Sijin George, Senior Network Administrator

Sachin Chandran, Senior Network Administrator

Ajin V Koshy, Senior Network Administrator

Majoosh Mathew, Senior Network Administrator

Abhijith Vijayan, Senior Network Administrator

-- 


(503) 754-4452 Android

(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com
Chief Clown
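Editor's note on the checks described above (recursion off, one server not answering, SOA timers out of range): the script below is an added example for this thread, not Lisa's or Deru's code. It builds a raw DNS SOA query with the RD bit clear, sends it straight to a nameserver, and reads back the AA and RA flags and the SOA timers, so the same test can be repeated against ns1.deru.net and ns2.deru.net without a recursive resolver in the way. The function names, the constructed sample reply, and the SOA timer ranges (chosen after RFC 1912 section 2.2, but the exact bounds are this editor's assumptions) are not from the original post.

```python
"""Direct-to-authoritative SOA probe (added example, not from the original post).

Sends a non-recursive SOA query to one nameserver, parses the reply by hand
(RFC 1035 wire format, including compression pointers), and reports:
  - whether the answer was authoritative (AA flag),
  - whether the server advertises recursion (RA flag),
  - whether the SOA timers fall inside assumed sanity ranges.
A server that never answers is reported as None, which is the
"one server does not answer" case from the thread.
"""
import socket
import struct

SOA_TYPE = 6

# Assumed sanity ranges in seconds, loosely after RFC 1912 section 2.2.
# These bounds are the editor's choice, not values taken from the thread.
SOA_RANGES = {
    "refresh": (1200, 43200),        # 20 min .. 12 h
    "retry": (180, 7200),            # 3 min .. 2 h
    "expire": (1209600, 2419200),    # 2 .. 4 weeks
    "minimum": (3600, 432000),       # 1 h .. 5 days (lenient)
}


def build_query(zone, qtype=SOA_TYPE, txn_id=0x1234, rd=False):
    """Build a DNS query; RD is left clear so an authoritative server
    answers from its own zone data instead of recursing for us."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def read_name(pkt, off):
    """Read a possibly-compressed name; return (dotted name, offset after it).
    Bounded pointer hops so a malicious reply cannot loop us forever."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2            # resume after the first pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_soa_response(pkt):
    """Extract header flags and the first SOA record from a raw reply."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"id": txn_id, "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "soa": None}
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        _, off = read_name(pkt, off)
        off += 4
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == SOA_TYPE and info["soa"] is None:
            mname, p = read_name(pkt, off)
            rname, p = read_name(pkt, p)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", pkt[p:p + 20])
            info["soa"] = {"mname": mname, "rname": rname, "serial": serial,
                           "refresh": refresh, "retry": retry,
                           "expire": expire, "minimum": minimum}
        off += rdlen
    return info


def assess(info):
    """Return a list of findings; empty list means the server looks healthy."""
    problems = []
    if info["rcode"] != 0:
        problems.append("rcode=%d" % info["rcode"])
    if not info["aa"]:
        problems.append("answer not authoritative (AA clear)")
    if info["ra"]:
        problems.append("server advertises recursion (RA set)")
    soa = info["soa"]
    if soa is None:
        problems.append("no SOA in answer")
        return problems
    for field, (lo, hi) in SOA_RANGES.items():
        if not lo <= soa[field] <= hi:
            problems.append("%s=%d outside %d-%d" % (field, soa[field], lo, hi))
    if soa["expire"] <= max(soa["refresh"], soa["retry"]):
        problems.append("expire does not exceed refresh/retry")
    return problems


def probe(server, zone, timeout=3.0):
    """Query one nameserver directly over UDP; None means it did not answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(zone), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_soa_response(data)


def sample_response():
    """Constructed (not captured) reply from a hypothetical authoritative
    server for deru.net: AA set, RA clear, refresh far above the assumed range."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)  # QR+AA, no RA
    question = b"\x04deru\x03net\x00" + struct.pack("!HH", SOA_TYPE, 1)  # bytes 12-25
    mname = b"\x03ns1" + b"\xc0\x0c"            # "ns1" + pointer to "deru.net" at offset 12
    rname = b"\x0ahostmaster" + b"\xc0\x0c"
    timers = struct.pack("!IIIII", 2012112001, 604800, 3600, 2419200, 86400)
    rdata = mname + rname + timers
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA_TYPE, 1, 3600, len(rdata)) + rdata
    return hdr + question + answer


if __name__ == "__main__":
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "deru.net"
    for server in sys.argv[2:] or []:
        info = probe(server, zone)
        print(server, "no answer" if info is None else (assess(info) or "ok"))
```

Run it as `python3 soaprobe.py deru.net <ns1 address> <ns2 address>` (hypothetical file name) from several vantage points; a server that times out from one network but answers from another is the routing symptom, while an RA flag or out-of-range timers point at the zone's own configuration.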