Weird networking problem on home net access to CMU

[Jim Leonard]

I've had problems where VPNs leave my routing and dns in a bad state that won't let me access anything in clusters of addresses without going through the (now non-existent) vpn tunnel.

On Sat, Jul 27, 2019 at 01:48:36PM -0400, Predrag Punosevac wrote:
> Robert MacLachlan <robmacl at cmu.edu> wrote:
> 
> > I have verizon FIOS and having this weird problem where I can access
> > anything in the entire world except the CMU and auton nets.  Is there
> > any technical way to diagnose where the problem is, i.e. am I some how
> > blocked off of the CMU net by CMU, or is there some choke point in the
> > Verizon net, or what?
> > 
> > Does CMU have an IP address blocklist?
> > 
> > I am connecting by tethering to my phone (T-moble) which has no
> > problem, but this is of course slow.  The problem started this week,
> > was there on monday, then stopped for a while and came back maybe
> > thursday.  At first I thought that the CMU net was actually down.
> > 
> >   Rob
> 
> Hi Rob,
> 
> I have seen and experienced this first hand myself few years ago with
> Armstrong cable as my ISP. I went to a great deal of network
> troubleshooting (lot of traceroute, dig, tcpdump, taking to CMU network
> guys including off site) without getting conclusive evidence pointing to
> any particular reason.
> 
> For starters you can try to traceroute www.cmu.edu from your machine as
> well as from one of content global delivery networks. 
> 
> https://tools.keycdn.com/traceroute
> 
> You will need to use dig and whois to convert all those IP addresses to
> domain names and legal entities.  I can see that at this very moment CMU
> network is not reachable from Miami and San Francisco servers.
> Unfortunately the breaking points are hidden. You might be surprise to
> find out that CMU uses mixture of ISP (Cogent, XO, and KINBER). These
> are not normal IPS.  More surprisingly is that a working traceroute will
> often show you that signal between your home and CMU goes through
> Virginia (NSA). Yap that is right. CMU also uses Managed DNS
> authoritative servers which they outsourced few years ago to a company
> (I forgot the name but it is one of those companies managing DNS for
> Pentagon and alike). At some point I remember finding one of their DNS
> servers located in New York misconfigured (of course they denied that).
> 
> Anyhow in my experience your problem will eventually magically disappear
> and they have nothing to do with FIOS.
> 
> Oh and yes CMU does have a black list of IP addresses that they are
> blocking. They actually block entire blocks of IP addresses. In your
> case the reason for loss of connection could have been simply the fact
> that you got a new IP address (dhcp lease) on Monday from your ISP. That
> IP address could have been from a block of IP addressed which is
> currently being blocked by CMU guys for whatever reason (used recently
> for example for DoS attack by an adversarial foreign nation state). The
> blocking is typically temporary as those addresses are assigned to U.S.
> consumers but might have been temporary high-jacked for an attack. No
> Russians or Serbs for that matter don't use their IP addresses for
> attach on US just like US agencies do not US addresses to attack Iran
> for example. The first step is always taking control of large number of
> personal computers from all over the world from incompetent Internet
> Service Providers and their even more incompetent users and then staging
> massive dynamical attack where machines who are attacking you appear
> from nowhere and everywhere. 
> 
> Sorry I could not be of more help but I hope you had fun reading this.
> 
> Predrag