Idiocy by proxy



  • Fine, I'll comment on the stupid wall of stupid text...


    TRWTF is this "Bob" fellow.  It is completely conceivable that the NAT router would use pooled external addresses.  I suppose the people he was contacting were a bit obtuse in their description, but there is no reason for him to think that they couldn't have each HTTP request come from a different IP.  So TRWTF is "Bob" and the retarded company that hired him.  Please educate yourself on how NAT works.  Thanks. 



  • @danixdefcon5 said:

    It isn't DHCP, of course, but my explanation would be simple: they've got one of those "round-robin" balanced gateways.

    Some ISPs have horribly broken DHCP servers; DHCP clients (at least MS ones) will attempt to renew the lease after half of the DHCP lease time has expired, which means that if the lease is too short then the lease will expire during a NAT session.
    @danixdefcon5 said:
    Their problem isn't that the six IPs switch every time they refresh, the problem is that every time they initiate a connection, the router sends it from a different IP at the external interface level, which wouldn't matter if everyone had a public routeable IP address.

    It would be impossible for them to do any type of connection that requires more than one packet if that were the case.
    @danixdefcon5 said:
    However, if they use NAT, and said NAT is implemented in the same "round-robin router", this means all requests are coming from different IPs.

    You disproved that theory when you said:
    @danixdefcon5 said:
    I once tried to implement something like this, and ended up with a worse situation ... the round-robin did its "balancing" at the packet level, without taking in mind TCP states. So I ended up with a lot of NAT errors in the gateway, and finally opted to throw away the "round-robin" solution.

    Seriously though, the problem is most likely a buggy DHCP server/config; DHCP clients will gladly change the IP in the middle of a connection, as there isn't a modern OS (including, from my understanding, hardware router OSes) that will prevent a new lease just because the interface has traffic coming through it.



  • @Lingerance said:

    Some ISPs have horribly broken DHCP servers; DHCP clients (at least MS ones) will attempt to renew the lease after half of the DHCP lease time has expired, which means that if the lease is too short then the lease will expire during a NAT session.

    Who said this has anything to do with DHCP?  I suppose it could, but the most likely scenario is that they are using pooled NAT.  Also, having a DHCP lease renew should not have that big of an impact. 


    @Lingerance said:

    @danixdefcon5 said:
    Their problem isn't that the six IPs switch every time they refresh, the problem is that every time they initiate a connection, the router sends it from a different IP at the external interface level, which wouldn't matter if everyone had a public routeable IP address.
    It would be impossible for them to do any type of connection that requires more than one packet if that were the case.

    Goddammit, Ling, I asked you in here so you could back me up, not make ridiculously incorrect statements like this.  They could quite easily have a setup that allows each connection to come from a different public IP.


    @Lingerance said:

    You disproved that theory when you said:
    @danixdefcon5 said:
    I once tried to implement something like this, and ended up with a worse situation ... the round-robin did its "balancing" at the packet level, without taking in mind TCP states. So I ended up with a lot of NAT errors in the gateway, and finally opted to throw away the "round-robin" solution.
    Seriously though, the problem is most likely a buggy DHCP server/config; DHCP clients will gladly change the IP in the middle of a connection, as there isn't a modern OS (including, from my understanding, hardware router OSes) that will prevent a new lease just because the interface has traffic coming through it.

    The "per packet" NAT switch is absolutely the most retarded thing I've ever heard in my life.  I have no idea what danix is talking about or why he would bother creating such a fucked-up piece of software to begin with.  Still, this has nothing to do with the 3rd party that was trying to access the OP's servers, as they most likely had a completely legitimate NAT setup.  It was the OP's "networking expert" who was talking out of his ass and insisting that they couldn't have such a setup.


    Another WTF:  The OP's company didn't want to open the firewall because it was a big security risk.  Are they using absolutely no authentication for their services?  I mean, seriously, they should be able to have a publicly-accessible FTP server that is locked down to particular accounts and just add the 3rd party in for a short period so they can do their work.  It sounds like the OP's company is fairly incompetent when it comes to simple networking. 
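An added illustration (not from the thread or from any of its posters) of the two NAT behaviours the posts above contrast: a pooled source NAT that fixes the external address once per connection, and the broken variant that picks a new address per packet. The pool, client and server addresses are constructed sample values, and the source port is deliberately left unchanged so the server-side view stays readable.

```python
from collections import namedtuple
from itertools import cycle

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]   # external NAT pool
CLIENT, SERVER, FTP = "192.168.1.10", "198.51.100.7", 21

# seq = segment number inside one TCP connection
Packet = namedtuple("Packet", "src sport dst dport seq")

class PooledSourceNat:
    """Source NAT handing out external addresses round-robin from a pool.
    per_packet=False: the first segment of a connection picks an address and the
    mapping sticks to that 5-tuple (what a sane pooled NAT does).
    per_packet=True: every segment picks the next address (the broken variant)."""

    def __init__(self, pool, per_packet=False):
        self._next = cycle(pool)
        self.per_packet = per_packet
        self.table = {}   # (inside src, sport, dst, dport) -> external address

    def translate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.per_packet or key not in self.table:
            self.table[key] = next(self._next)
        return pkt._replace(src=self.table[key])   # source port left unchanged for clarity

def server_view(packets):
    """Group what the server receives by apparent (source IP, source port)."""
    flows = {}
    for p in packets:
        flows.setdefault((p.src, p.sport), []).append(p.seq)
    return flows

def simulate(per_packet, conns=3, segs=3):
    """Push conns client connections of segs segments each through the NAT."""
    nat = PooledSourceNat(POOL, per_packet)
    out = [nat.translate(Packet(CLIENT, 40000 + c, SERVER, FTP, s))
           for c in range(conns) for s in range(segs)]
    return server_view(out)

def broken_flows(view, segs=3):
    """Flows whose segments did not all arrive from one address: TCP state is lost."""
    return {k: v for k, v in view.items() if len(v) != segs}

def uncovered_sources(view, allowlist):
    """Pool addresses a per-IP firewall allowlist would still reject."""
    return sorted({ip for ip, _ in view} - set(allowlist))
```

With per-connection pooling every connection survives intact but each one arrives from a different pool address, which is why a firewall allowlist has to contain the whole pool rather than whichever address showed up first; with per-packet selection every connection is torn apart.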



  • Back to trying to stay OT, in Cork here we have a small Internet cafe called "Wired To The World", where rather than have a dedicated line they purchased several lines on the same contention a few years back (here it can actually be cheaper to buy out an entire contention of 48 than to get the same as a dedicated line from some ISPs). Now any external traffic can be passed through any one of these lines at each web request, but at least it will be received back correctly; however, for any major client-server connection this caused massive breaks. You could never play any games (one of the popular reasons for people going to Internet cafes here). I haven't stepped foot in there since.

    From the OP's Post it sounds as if they have a similar setup.



  • @dlikhten said:

    OMFG, all of you suck, I can't believe you all use the standard html editor instead of typing in binary, piping the output to your favorite notepad.exe application, and then printing it to a file printer which will then use image scanning software to get text and paste it into your text-based web browser. What is wrong with you all?


    You missed the wooden table.  FAIL 



  • @Hitsuji said:

    Back to trying to stay OT..

    How have I not been on-topic for my last few posts?


    @Hitsuji said:

    From the OP's Post it sounds as if they have a similar setup.

    Possible, but the more likely scenario is NAT. 



  • @morbiuswilters said:

    Who said this has anything to do with DHCP?  I suppose it could, but the most likely scenario is that they are using pooled NAT.  Also, having a DHCP lease renew should not have that big of an impact. 

    His argument was that it couldn't be DHCP; mine was that it could.
    @morbiuswilters said:
    Goddammit, Ling, I asked you in here so you could back me up, not make ridiculously incorrect statements like this.  They could quite easily have a setup that allows each connection to come from a different public IP.

    That was my bad, I misread what he wrote.
    @morbiuswilters said:
    Another WTF:  The OP's company didn't want to open the firewall because it was a big security risk.

    Generally, if the firewall blocks the FTP ports except for trusted people, the number of possible brute-force attempts drops significantly. They did open up the firewall for a number of IPs; however, the SEO wasn't providing all the IPs. I'm speculating, but perhaps the brute-force attempts were causing a DDoS, such as when the server is configured to restrict the number of connections allowed?



  • @morbiuswilters said:

    The OP's company didn't want to open the firewall because it was a big security risk.  Are they using absolutely no authentication for their services?

    Too many places have eggshell security. "We're secure, we've got a firewall!" Who knows, maybe they were running a totally unpatched RTM XP version and didn't want to expose the UPnP holes to the world.

    If they're so anal as to not allow firewall exceptions, I wonder why they couldn't just stick a machine into a DMZ all by itself, open up FTP access to it and let the SEO people do whatever transfers they want. Afterwards you slam the door shut, copy off whatever files were uploaded, and then take the machine out back and hose it down with Lysol.

