Weird networking problem on home net access to CMU

Sat Jul 27 15:48:27 EDT 2019

Jim Leonard <jim at xuth.net> wrote:

> I've had problems where VPNs leave my routing and dns in a bad state
> that won't let me access anything in clusters of addresses without
> going through the (now non-existent) vpn tunnel. 

You are going to see a lot of that stuff once you start playing with
that mil.gov Kerberos authentication. Right Kyle :-)

Predrag

> On Sat, Jul 27, 2019 at 01:48:36PM -0400, Predrag Punosevac wrote:
> > Robert MacLachlan <robmacl at cmu.edu> wrote:
> > 
> > > I have verizon FIOS and having this weird problem where I can access
> > > anything in the entire world except the CMU and auton nets.  Is there
> > > any technical way to diagnose where the problem is, i.e. am I some how
> > > blocked off of the CMU net by CMU, or is there some choke point in the
> > > Verizon net, or what?
> > > 
> > > Does CMU have an IP address blocklist?
> > > 
> > > I am connecting by tethering to my phone (T-moble) which has no
> > > problem, but this is of course slow.  The problem started this week,
> > > was there on monday, then stopped for a while and came back maybe
> > > thursday.  At first I thought that the CMU net was actually down.
> > > 
> > >   Rob
> > 
> > Hi Rob,
> > 
> > I have seen and experienced this first hand myself few years ago with
> > Armstrong cable as my ISP. I went to a great deal of network
> > troubleshooting (lot of traceroute, dig, tcpdump, taking to CMU network
> > guys including off site) without getting conclusive evidence pointing to
> > any particular reason.
> > 
> > For starters you can try to traceroute www.cmu.edu from your machine as
> > well as from one of content global delivery networks. 
> > 
> > https://tools.keycdn.com/traceroute
> > 
> > You will need to use dig and whois to convert all those IP addresses to
> > domain names and legal entities.  I can see that at this very moment CMU
> > network is not reachable from Miami and San Francisco servers.
> > Unfortunately the breaking points are hidden. You might be surprise to
> > find out that CMU uses mixture of ISP (Cogent, XO, and KINBER). These
> > are not normal IPS.  More surprisingly is that a working traceroute will
> > often show you that signal between your home and CMU goes through
> > Virginia (NSA). Yap that is right. CMU also uses Managed DNS
> > authoritative servers which they outsourced few years ago to a company
> > (I forgot the name but it is one of those companies managing DNS for
> > Pentagon and alike). At some point I remember finding one of their DNS
> > servers located in New York misconfigured (of course they denied that).
> > 
> > Anyhow in my experience your problem will eventually magically disappear
> > and they have nothing to do with FIOS.
> > 
> > Oh and yes CMU does have a black list of IP addresses that they are
> > blocking. They actually block entire blocks of IP addresses. In your
> > case the reason for loss of connection could have been simply the fact
> > that you got a new IP address (dhcp lease) on Monday from your ISP. That
> > IP address could have been from a block of IP addressed which is
> > currently being blocked by CMU guys for whatever reason (used recently
> > for example for DoS attack by an adversarial foreign nation state). The
> > blocking is typically temporary as those addresses are assigned to U.S.
> > consumers but might have been temporary high-jacked for an attack. No
> > Russians or Serbs for that matter don't use their IP addresses for
> > attach on US just like US agencies do not US addresses to attack Iran
> > for example. The first step is always taking control of large number of
> > personal computers from all over the world from incompetent Internet
> > Service Providers and their even more incompetent users and then staging
> > massive dynamical attack where machines who are attacking you appear
> > from nowhere and everywhere. 
> > 
> > Sorry I could not be of more help but I hope you had fun reading this.
> > 
> > Predrag