Who cut the cable?!
Over the past three years, I have noticed that something has been happening with the connectivity to my various sites, in terms of how readily surfers can surf to my sites, and download the files. The pattern is always the same, and has been repeated consistently on each of my sites, whether those sites are hosted by various web-hosting services, or on my own servers here at my physical location. I have tried Spry.com, Pair.com, Verio.com, and most recently I have used Bellsouth.net, all with the same result.
The pattern is as follows:
1 - Set up a site, and get a new IP
2 - Change DNS record(s) for new IP
3 - Surfers can download files for anywhere from two hours up to a few days.
4 - Connectivity goes to zero. No surfers can reach my site. (days go by)
Then, if I ask the hosting provider to change my IP, and I change my DNS records to reflect the new IP, the same pattern is repeated. Initially, a few surfers can get through, but after a few hours or days (depending on what, I don't know), it seems as if the cable has been cut. (But not really, because I can personally ssh to the box, in all cases)
I found myself playing a little game, where I set up the exact same site on two different hosting providers, each with different IPs. I pointed the DNS record to one site (Pair.com), and had "customers" for a few days. Then it "died" (log hits went to zero), so I switched the DNS record to the other server (Spry). I then had customers for a few hours (or days), until ... poof! ... no more hits were being recorded in the apache log. So I switched back to Pair.com, and had customers for a while .... you get the idea.
Most recently, I put some stuff up on freshmeat.net. Freshmeat records the URL clicks, so in the first two hours, there were 4 URL hits. I looked in my apache log, and sure enough, there were four entries. During the next six hours, 13 URL clicks were logged on freshmeat, and no entries were logged in my apache log.
What gives with this?!
- rleesBSD
Greg K posted this at 01:50 — 9th November 2005.
I use pair Networks myself, and have never had any problems such as this. Are you actually setting up the domain name to use pair's nameservers, or do you have your own and are setting your DNS servers to just use the IP # from pair?
Another consideration: what type of site is it? Anything the hosting providers would find objectionable? (Of course, at least with pair, they would tell you this up front.)
I'm not really knowledgeable in DNS settings, just giving what pops out to me as things to look for until someone who knows more might be able to answer you better.
-Greg
Mark Hensler posted this at 04:48 — 9th November 2005.
That's interesting about your bot problems, but.... you forgot to answer Greg's question.
Because you've jumped from host to host, it can't be a host issue. But I'm guessing you're using the same DNS provider? I see this as the only constant here. Plus, I find it interesting as to the timing of your traffic loss and typical DNS propagation time.
Mark Hensler
If there is no answer on Google, then there is no question.
bja888 (not verified) posted this at 03:29 — 9th November 2005.
You totally lost me somewhere in the first paragraph.
Idea - If the same thing keeps happening, consider the possibility it's a server problem and not a DNS problem.
rleesBSD posted this at 04:23 — 9th November 2005.
Well, I am not necessarily saying that the web host provider is the problem. I am saying that a short term fix seems to be available simply by changing the IP address at the registrar - which is pretty weird. Normally, as time goes on and DNS propagates, one would expect an increase in traffic, not a decrease!
The Freshmeat episode occurred while I was running a server here at my location, via a Bellsouth connection. I don't know what happened to those thirteen URL clicks, because the packets from those users never reached my machine. It wasn't a server problem because the packets never reached the machine that the server is running on!
I know that is true, because while the Freshmeat incident was going on, I was simultaneously running a tcpdump log on the machine's interface, and there were no log entries for those thirteen users' clicks.
Some other weird things are going on. There seems to be a bot-net pinging me with UDP port 1026 data every minute. If I set the firewall to cloak a response, then the bots just keep on pinging away. But, if I set the firewall to send a reject response to the UDP, then immediately there is a download of my index.html file to a destination which is specified by a spoofed source. It seems that after that index.html download from the spoofed source packet, things get very quiet. At that point I know the traffic will be pretty much killed off.
Yet I don't notice anything funny about the packet that requested the index page, other than the source has been spoofed (when I look at the packet with the ethereal packet analyzer). Since the index page gets downloaded, I presume that a different node in the botnet takes the download. I don't see how that has any relationship to the decrease in my traffic ....
No, there is nothing "objectionable" on any of my sites .... only very tame "programming and software" related items.
Just thoroughly confused, at the moment ...
- rleesBSD
rleesBSD posted this at 05:21 — 9th November 2005.
Oh yea - sorry
Currently, I'm running the local machine with a local nameserver, but with Pair I used Pair nameservers, and with Spry I used Spry's nameservers.
rleesBSD posted this at 14:38 — 9th November 2005.
Well, this morning I am treated to some new random weirdness. A number of surfers from different countries have surfed to my site and each of them has downloaded only 32768 bytes of an 88,052 byte file. When I download the file myself, I get the full 88,052 bytes.
Ok, admittedly I sometimes see partial downloads from web-agents that are checking only for the existence of a file. But, in such cases, I never see a request for 32768 bytes. This morning, I have seen requests from four different IP addresses for only 32768 bytes.
- rleesBSD
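The pattern described in the post above (several clients each logged at exactly 32768 bytes of an 88,052-byte file) can be pulled out of an Apache access log with a short script. This is an added example, not part of the original thread; the log lines, IP addresses and the path `/files/tool.tar.gz` are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Nov/2005:08:01:12 -0500] "GET /files/tool.tar.gz HTTP/1.1" 200 32768
198.51.100.7 - - [09/Nov/2005:08:14:40 -0500] "GET /files/tool.tar.gz HTTP/1.1" 200 32768
203.0.113.25 - - [09/Nov/2005:08:30:03 -0500] "GET /files/tool.tar.gz HTTP/1.0" 200 32768
192.0.2.99 - - [09/Nov/2005:08:41:55 -0500] "GET /files/tool.tar.gz HTTP/1.1" 200 32768
192.0.2.50 - - [09/Nov/2005:09:02:10 -0500] "GET /files/tool.tar.gz HTTP/1.1" 200 88052
198.51.100.80 - - [09/Nov/2005:09:05:31 -0500] "GET /files/tool.tar.gz HTTP/1.1" 206 1024
203.0.113.77 - - [09/Nov/2005:09:07:00 -0500] "HEAD /files/tool.tar.gz HTTP/1.1" 200 -
this line is malformed and is skipped
"""

def truncated_transfers(log_text, full_sizes, min_clients=2):
    """Return {(path, bytes_logged): sorted client IPs} for short 200 GET responses
    whose identical byte count repeats across at least min_clients distinct IPs."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line
        path = m["path"].split("?", 1)[0]
        # 206 is a client-requested range and HEAD carries no body;
        # neither counts as a cut-off full download.
        if m["method"] != "GET" or m["status"] != "200" or path not in full_sizes:
            continue
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        if sent < full_sizes[path]:
            groups[(path, sent)].add(m["ip"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_clients}

if __name__ == "__main__":
    sizes = {"/files/tool.tar.gz": 88052}  # known on-disk size of the file
    for (path, sent), ips in truncated_transfers(SAMPLE_LOG, sizes).items():
        note = " (exact power of two)" if sent and sent & (sent - 1) == 0 else ""
        print(f"{path}: {len(ips)} clients stopped at {sent} bytes{note}: {', '.join(ips)}")
```

The same byte count repeating across unrelated clients points at something common to the path or the server rather than at individual users aborting, which is why the grouping key is the logged size and not the client.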
Greg K posted this at 16:23 — 9th November 2005.
What answers did pair give you about the problem? They are usually pretty good at getting something like that tracked down.
-Greg