Skip to content

Hey Dreamhost, you’re okay by me!

07-Mar-09

Something verging on two months ago, I noticed that I wasn’t able to reach certain websites that I frequent (usually by way of RSS feeds) from my home Internet connection (a business DSL dry loop through Verizon). Some examples: Foobooz, riotclitshave (it’s a pun on right-click, save; shut up), Jeffrey Morgenthaler’s blog. What these sites have in common is that they are hosted by Dreamhost. The sites weren’t down (using my VPS as a proxy confirmed that without even needing to bother with things like Down for everyone or just me?), they were just failing to send packets back to me, semi-specifically.

I did a bit of research and found that not only did it appear that I was pretty obviously being explicitly blocked, other customers of my ISP were not. This irritated me more than a little bit, since I do like to believe that I have a reasonable idea of what I’m doing, I do take care of the security of my systems and networks at home (although I’ve been known to get a bit lax given that I do this shit all day at work), and I strive to be a very responsible network neighbor.

So I went looking for contact information for Dreamhost on their website… and found things sorely lacking. Web forms yes, one that applied to my situation, not so much. Phone numbers, no. Actual email addresses, no. This didn’t look good, but I went ahead and filled out a web form and emailed, by way of GMail (since any outgoing SMTP connection from my mail server would, of course, be ignored) what I expected to be the Usual Suspects:

Date: Sat, 21 Feb 2009 15:29:05 -0500
Subject: Could you explain why you’re blackholing my source IP address?
From: gabriel rosenkoetter
To: abuse@dreamhost.com, postmaster@dreamhost.com, webmaster@dreamhost.com

For the past several weeks, I have been unable to reach several of your
customer’s websites (for example, foobooz.com and jeffreymorgenthaler.com)
from a source IP address of 71.242.125.164. I also can not reach port 25 on
your MXes (which is why this email is being sent through GMail), and ICMP
traffic (traceroute or ping) to any netblock you own is dropped by your
pnap.net border router (usually newdream-8.border21.lax.pnap.net,
216.52.220.146) marked “administratively prohibited”.

So far as I know, I have done nothing to attack you. My network is not open,
my mail server is secure with valid reverse DNS entries, and I’m not running
any webscraping. Could you please explain why you have blocked my access to
your customers’ web sites and provided me with difficult at best recourse to
contact you?

Dubious that anyone would see either of those (identical) missives, I reached out to some of my contacts in the Industry. By which I mean I asked whether anybody in the IRC channel where some of us sysadmin types hang out (no, that’s no longer EFNet #root for me any more; long story, politics, drama, and baggage) knew anyone at Dreamhost. One responded promptly in the affirmative and was very helpful in passing my query along. Here’s the thing about the lazyweb: you get better results with a self-selectedly intelligent audience, which, curiously, you rarely find on the world wide web proper.

And then I went out for the evening and straight to bed afterwards, only to rise to actual Results the next day! (Well, okay, fine I saw the reply on my iPhone while I was out, but I was in neither mood nor position to deal with it properly then.)

It appears (but I’m not certain: I put the same text in the web form and the email) that it was actually the web form (which I guess involved Sales, since nothing else seemed appropriate and they seemed like the folks who might care that someone couldn’t get to their customers’ web sites)—but maybe it was imajes’s influence? The world may never know!—that yielded the only unautomated response:

From: DreamHost Sales Team
Subject: Re: [REDACTED@gmail.com [REDACTED]] Could you explain why you’re blackholing my source IP address?
Date: Sat, 21 Feb 2009 18:09:29 -0800 (PST)
To: gabriel rosenkoetter

Hello,

Sorry to hear that you’re having trouble accessing our network. Oddly
enough, I checked the server and don’t see that you’re being blocked.
Both in deny host and iptables.

Please run a traceroute and send us the results. It may help us in
identifying where exactly the connecting is being dropped. You can reach
me directly at [REDACTED]@dreamhost.com or [REDACTED]@gmail.com.

Thanks,
Phiya C

To which I, of course, promptly responded:

From: gabriel rosenkoetter < [REDACTED]@gmail.com>
Subject: Re: [[REDACTED]@gmail.com [REDACTED]] Could you explain why you’re blackholing my source IP address?
Date: Sun, 22 Feb 2009 12:39:01 -0500
To: [REDACTED]@dreamhost.com, [REDACTED]@gmail.com
Cc: DreamHost Sales Team

Thanks for the quick response!

Here’s a traceroute from 71.242.125.164 (which NATs for systems within my
house) to www.foobooz.com, one of your customers whose website I used to
visit regularly:

traceroute to www.foobooz.com (67.205.11.75), 64 hops max, 40 byte packets
1 L239.DSL-RTR1.PHIL.verizon-gni.net (71.242.125.1) 22.640 ms 22.283 ms 21.962 ms
2 at-1-0-0-1710.CORE-RTR1.PHIL.verizon-gni.net (130.81.7.58) 21.871 ms 22.833 ms 22.739 ms
3 so-7-1-0-0.BB-RTR1.PHIL.verizon-gni.net (130.81.20.136) 22.535 ms 22.244 ms 22.004 ms
4 0.so-6-0-0.XL1.PHL6.ALTER.NET (152.63.3.77) 22.556 ms 22.845 ms 22.642 ms
5 0.so-7-0-0.XL3.LAX15.ALTER.NET (152.63.112.53) 98.813 ms 99.694 ms 99.297 ms
6 POS6-0-0.GW3.LAX15.ALTER.NET (152.63.112.105) 99.064 ms 99.075 ms 99.264 ms
7 internapGIGE-gw.customer.alter.net (157.130.236.110) 211.681 ms 188.354 ms 200.618 ms
8 border21.po2-20g-bbnet2.lax.pnap.net (216.52.255.102) 100.799 ms 100.404 ms 101.081 ms
9 newdream-8.border21.lax.pnap.net (216.52.220.146) 98.858 ms !X * *
10 * * *

In many traceroute implementations, including FreeBSD’s (which this is), !X
means “communication administratively prohibited”, so I’m pretty sure that
there is an ACL on that pnap.net border gateway that’s dropping packets.
(The same thing happens with TCP packets.)

It took another 36 hours or so (which I am certainly in a position to understand; who knows, maybe an electrician decided to take one of their production DCs completely offline like one did to mine), but that then yielded this:

From: DreamHost Sales Team
Subject: Re: [[REDACTED]@gmail.com [REDACTED]] Could you explain why you’re blackholing my source IP addr
Date: Tue, 24 Feb 2009 16:28:52 -0800 (PST)
To: [REDACTED]@gmail.com

Hello,

It does appear that your IP is being blocked at the router level. We blocked several IPs when a DOS Attack was launched on our panel. Please understand in such case we cannot indiscriminately block IPs. We simply block IPs that are attempting to gain access during the attack. At any event, the block has been removed. We sincerely apologize for the inconvenience this has caused and appreciate your continued patience. If you have any additional questions, please let us know.

Thanks,
Brian S

I am just now, as in after this is posted, getting around to responding to ask whether they’ve got any change management documentation from when that block was put in place to document what I appeared to be doing because, as previously mentioned, I like to think I run an acceptably sound ship, and I’d like to know if I’m screwing up in some way so that I can fix it.

Overall, however, I am very, and unexpectedly, impressed with how well Dreamhost responded. Bravo!

Update: (2009-03-07 15:30 UTC-0500) Well, nothing’s perfect. They definitely didn’t understand what I meant when I asked for logs of any attack, mostly that I’m not one of their customers, but I do understand their privacy concerns:

From: DreamHost Sales Team
Subject: Re: [[REDACTED]@gmail.com [REDACTED]] Could you explain why you’re blackholing my source IP add
Date: Sat, 7 Mar 2009 06:10:12 -0800 (PST)

Hello Gabriel,
sorry again for blocking your IP, unfortunately there is no logging data that we can share with you on this matter due to security issues. Your IP could have been selected if you had multiple connection attempts to our panel which may have been a result of failed login attempts, unfortunately it seems to just have been a cyber case of being in the wrong place at the wrong time.

Thanks,
Javier R

Oh well.

Filed in Uncategorized | Tagged , , , | Comments (0) »

Dear recruiters: reading comprehension counts.

24-Feb-09

As my resume does exist in several places online, I am frequently contacted by recruiters. I’m generally unsurprised when they ignore my preference (noted rather explicitly on, for example, LinkedIn) that they contact me via email rather than the telephone, nor when they call both my home (which, until recently forwarded to…) and my mobile number, sometimes leaving a voicemail at both (despite a greeting that suggests that callers send me an email or text message rather than leaving a voicemail). Those are par for the course. In fact: I make a point of staying in touch with recruiters who actually do manage to follow these directions because they seem like the sort of person I would like to have representing me when I am looking for a job (no, I’m not right now).

But this guy (whose contact information I’m eliding) really kicked things up to the next level, and ensured that I will never, ever want to work with him (yes, I do keep track):

From: Kevin [REDACTED]
Subject: RE: Join my network on LinkedIn
Date: Tue, 24 Feb 2009 12:44:02 -0500
To: ‘gabriel rosenkoetter’

Gabriel, Thanks for accepting my invitation.

Kevin [REDACTED]
Sr Recruiter - EMC Technologies
[REDACTED]

—–Original Message—–
From: gabriel rosenkoetter
Sent: Tuesday, February 24, 2009 12:43 PM
To: Kevin [REDACTED]
Subject: Re: Join my network on LinkedIn

At 2009-02-24 07:22 -0800, Kevin [REDACTED] (LinkedIn Invitations) wrote:
> I am a Sr Recruiter who constantly works ONLY on EMC Technologies
> for my clients. I proactively recruit and market Top Talent in the
> EMC Technology area. I wanted to connect with you for mutual
> beneficial relationship

Kevin, thanks for getting in touch. Generally, I keep LinkedIn
contacts to people I’ve actually met personally, but do please feel
free to stay in touch via email.

Cheers…


gabriel rosenkoetter
[REDACTED]

Filed in Uncategorized | Tagged , | Comments (0) »

Here’s how NOT to perform PDU maintenance on the production DC floor:

18-Feb-09
  1. Schedule maintenance on a PDU in the middle of a day, on a week dayWednesday.
  2. When questioned over this obvious risk in the change management meeting by the Director over Windows systems, assure everyone that nothing could go wrong because the circuit is redundant.
  3. Permit your electrical contractor to blow a fuse when performing this work at 11:30 US Eastern.
  4. Take down all of the production HP-UX Oracle systems, most of the prod SQL Servers, all of the ESX servers in that site, several network core switches, one blade chassis, the OpenView server you assured us you were migrating off a year ago, so we took it off hardware support (which subsequently fails to boot because one of its PSUs has failed), and assorted other prod systems.
  5. Rather than acting in your capacity over Operations, establishing a bridge call, and following the documentation your direct reports have created around order of startup after a site failure, permit chaos to run wild for three hours until cooler heads insist on at least a touch of Order.

Why, yes, I did have fuN at work today!

Filed in Uncategorized | Tagged , , | Comments (0) »

Ah, lazyweb. Guess what: I haven’t missed you one damn bit!

12-Feb-09

Riding on this, perhaps now evident, wild hair I’ve gotten to go back to writing things online, I decided that I would go ahead and install locally an online photo album. (I’m uninterested in using sites like Flickr or SmugMug because it means giving my content to someone else, at least for them to take care of if not for me to yield ownership of. That’s the same reason that this replaces my prior use of Livejournal.) The de facto standard for this sort of thing is Gallery, which comes with some warts, but overall does what I want with an acceptable level of idiocy (see also: Wordpress), and it does actually have a module to provide RSS feeds, which is important to me for /var/log/gr. (That RSS thing is what pushed me back to Gallery from Mr. Fitzpatrick et al’s PicPix, along with the largely unmaintained state of the latter.)

Because I really can’t be bothered to manually maintain software packages any more (doing this shit for a living has beaten that impulse right the fuck out of me), especially not one that depends on so many things as Gallery2 does (think ImageMagick; it just snowballs from there), I opted to use the version in FreeBSD’s ports collection, where there are certainly some missed version level dependencies, but after periodic attention over a couple of days I managed to get the thing to build and install. Then, as I have with Wordpress, I picked up the pristine installed files and dropped them in a separate directory to actually present them (so that later updates through ports don’t bitch about modified files and I can just roll the package updates and then update the live site carefully)… and the thing went boom.

This brings us to the Gallery forums, specifically this post by yours truly. You’ll note that I took the time to research the common causes for the problem that I was having, determine that none of them applied to my situation, and provide all of the relevant information that they recommend for people requesting help on their forums.

What did I receive in response? A true open source classic: “Your production application’s functionality is our playground.” Not quite in those words and with a touch of s, our, their,, but still. I quote here from the passing response I gave this horse shit attitude there:

The stance you describe[, "I doubt there are many people who have a lot of experience debugging the install, and most of those are the core developers who have now moved wholesale to G3 development,"] is pretty distressing, considering that 2.3 is still the shipping version of the software and this forum does exist with the explicit assertion that it is [the] canonical location to look for assistance installing and configuring Gallery2.

What the fuck is wrong with these people? It’s likely that some of them are smarter than I am, and they’re certainly better at doing what they do than I am, but I assert that, if they aren’t interested or don’t have the time to provide assistance with the software they’ve produced, then they shouldn’t tell me that I should go to this specific place to ask questions about it!

Yes, I figured the problem out for myself. Yes, I explained how to fix it in the same forum, which most posters there apparently don’t realize might be useful. To channel Dave Lowery, I hate my generation.

Filed in Uncategorized | | Comments (0) »

Taking “web log” too literally.

09-Feb-09

I didn’t really make much noise when I sucked this content out from Livejournal and put it up here (although maybe I’ll go over there and note that this exists, now that I’m comfortable with its stability), but now I’ve also finally gotten around to something I’ve meant to do for some time: /var/log/gr, wherein you will find links to various RSS feeds that I produce (including one from here).

Filed in Uncategorized | | Comments (0) »

“Wrong window.”

15-Jan-09

From the work IRC server (gr is me):

[15:01] jon: dove55
[15:01] gr: That’s a pretty lame password, jon.
[15:01] _travis_lappy486_: O.o
[15:01] _travis_lappy486_: LoL.
[15:01] _travis_lappy486_: Quick!
[15:01] jon: doh
[15:02] gr: travis, tempting, but technically that would be a firing offense.
[15:02] gr: Internal security is an HR issue, not a technical issue.
[15:03] _travis_lappy486_: LoL.
[15:03] jon: to late anyway
[15:03] _travis_lappy486_: Definitely.
[15:03] _travis_lappy486_: I dont’ know how many times I’ve almost sent it…
[15:04] _travis_lappy486_: Each time I get the O.o face.
[15:06] gr: jon, changing it to dove56 doesn’t count.

Filed in Uncategorized | Tagged , | Comments (0) »

Verizon Business DSL reverse DNS entry request procedure

08-Jan-09

First off, the reason to do this is that lots of places (notably, anything Brad Fitzpatrick touches…) now weight PTR records matching things like /(dsl|static)-[0-9]+-[0-9]+-[0-9]+-[0-9]+/ as indicating spam. Which, you know, I understand, but it’s a pain for people who maintain their own mail servers and have one of the less-than-ideal ISPs. When I moved into Philly, I was forced to switch from Speakeasy (who I liked very much, and do PTR records without any muss or fuss quickly) to Verizon Business DSL (you don’t get static IPs from Verizon without the business service), and I presumed that getting reverse DNS was going to be a hassle, so I put off doing the research.

After I got around to doing the research, I read various accounts describing pain and irritation, but found several that were successful of which Dean Gibson’s post to the postfix mailing list is the most complete I bothered to record in delicious:

http://archives.neohapsis.com/archives/postfix/2003-07/2967.html

That made made me think it wasn’t going to be a big deal, but I put it off some more (”about a year”, I think) because I was lazy and wasn’t seeing all that much lost mail. I’m still both of those things, but I was going through doing some setup for email at moonbar.net for some of the Apothecary folks (configuring SPF for the domain to forward allowability on through to _spf.google.com, so that they can just spoof the source address in GMail and not deal with my requirements around IMAPS and SMTP with SSL authentication), so I figured I’d clean this up too. It turns out it’s even easier now! Here’s what you do:

  1. Email mmvbts@verizon.com the IP address domain mapping that you want.
  2. Call 800-483-5325, choose option 3 for “Verizon enhanced products”, choose option 3 for “domain name services”.
  3. Explain what you want and that you’ve sent the email (the account isn’t monitored, so you do have to call to tell them to look at it), verify your account information.
  4. Wait 24 to 72 hours.

I’m currently in step 4, so I’ll update after I see how that goes…

Update: All set!

> server ns2.bellatlantic.net
Default server: ns2.bellatlantic.net
Address: 71.252.0.72#53
> 71.242.125.164
Server:         ns2.bellatlantic.net
Address:        71.252.0.72#53

164.125.242.71.in-addr.arpa     name = stow.eclipsed.net.

(Yes, they really do still have their primary external DNS in the bellatlantic.net domain.)

Filed in Uncategorized | | Comments (0) »

Well, there goes the neighborhood.

28-Nov-07

Snooth just hit techcrunch.

I think I hear the hounds being unleashed…

Filed in Uncategorized | | Comments (0) »

Here's what open source documentation SHOULD look like.

14-Nov-07

eAccelerator.

No, it's not perfect English (Oxford, American, whatever… Standard {Written,White} English), but it makes its point clearly and concisely. Like a blog, it's still conversational (in a way technical documentation “shouldn't” be), but that isn't getting in the way of my understanding the content.

Yes, eAccelerator is easier to describe than the sprawling blob of PHP, but the fact that you're documenting a sprawling blob is no excuse to start writing like you stopped paying attention in English class during fourth grade.

(I note that this maybe sounds like I'm saying, “Speak English!” I don't mean to be. I'd have a harder time processing properly-written Italian or German, and I wouldn't have a prayer in French, Russian, Japanese, and so forth, but I would be completely lost if I were reading Italian or German as poorly written as the English PHP documentation. I have a feeling that someone for whom English was not a first language would be totally stymied by the English PHP documentation. That's simply unacceptable by any sane consumer of the product.)

Filed in Uncategorized | | Comments (0) »

But, really, RPM can still service my balls.

14-Nov-07

Is this even English?

The first thing you'll probably want to to is get the source to build cleanly without using RPM. To do this, unpack the sources, and change the directory name to $NAME.orig. Then unpack the source again. Use this source to build from.

Wait, what? I mean, I'm even letting the complete Fail at 5th grade grammar go, but I'm supposed to unpack the sources, then change to a directory dependent on a shell variable I haven't set, and then… unpack the sources that are off somewhere else? Again? (So why'd I do it the first time?) I guess, targeting my current working directory?

Really, I'm not asking for proper technical documentation here: I know that you're working from your step-mother's basement, but you could at least try to be clear. This isn't your fucking blog. This is, ostensibly, Official Documentation.

Jesus mother Christ fucking a pogo stick.

Filed in Uncategorized | | Comments (0) »