Wednesday, January 10, 2018

Supply, Demand and an Asshole



In this post I will name names, AFAIK because frankly I am bloody cross.  

The Initial Problem
It took Marcus and Agata over 18 months of intense searching to find what we regarded as an exceptional property located in Alcester England.

We bought it on the condition that within 6 months (and that's pretty generous) we would have an Internet Fibre line installed. Why? Because we need the speed and latency to send and receive vast data volumes.

We even agreed to pay well over the odds by UK pricing so that the deal was fair for both parties.

9 months later the developer (Paul Harvey) and now the Associate (Andy Moore) have let us down badly. No Fibre Internet.


The Further Problem
Being a professional, prior to moving to England Marcus set up, configured and pushed to a mirror website the >>300GB of data from his Primary. That is operational and was intended as a temporary backup measure whilst the original website, now relocated to the UK, would exist but at barely zero speed.


For continuity, updates, professionalism and some other technical reasons the original website needs to be up.

It has been up using a truly pathetic copper DSL line (4Mbits/second) until, well, according to my apache2 logs:

At 11.16 on Jan 5th 2018 everything died

The Rescue
Using some technical wizardry (my words) I've managed to temporarily set up the webserver via my extremely expensive, chargeable 4G connection.

My DNS record changes went live early on the morning of Tuesday January 9th 2018.

The Asshole
So the user from IP 47.189.134.210 started block downloading our entire website in the early hours of Jan 9, 2018. By entire website I mean the entity that took literally over a decade to compile, and which, as stated, is many hundreds of Gigabytes in size.

The Detection
So you might think: how do you identify who owns what IP address? The best way I know is to use the whois Linux command, not for example the whois webpage search.

[Extract from that Spectre immune server of mine]


# apt-get install whois
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  whois
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 68.4 kB of archives.
After this operation, 257 kB of additional disk space will be used.
Get:1 http://raspbian.mirror.uk.sargasso.net/raspbian stretch/main armhf whois armhf 5.2.17~deb9u1 [68.4 kB]
Fetched 68.4 kB in 0s (72.1 kB/s)
Selecting previously unselected package whois.
(Reading database ... 123631 files and directories currently installed.)
Preparing to unpack .../whois_5.2.17~deb9u1_armhf.deb ...
Unpacking whois (5.2.17~deb9u1) ...
Setting up whois (5.2.17~deb9u1) ...

Processing triggers for man-db (2.7.6.1-2) ...
---


# whois 47.189.134.210

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=47.189.134.210?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       47.182.0.0 - 47.190.255.255
CIDR:           47.184.0.0/14, 47.182.0.0/15, 47.190.0.0/16, 47.188.0.0/15
NetName:        FCC-211
NetHandle:      NET-47-182-0-0-1
Parent:         NET47 (NET-47-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Frontier Communications Corporation (FCC-211)
RegDate:        2015-08-28
Updated:        2015-08-28
Ref:            https://whois.arin.net/rest/net/NET-47-182-0-0-1



OrgName:        Frontier Communications Corporation
OrgId:          FCC-211
Address:        700 Hidden Ridge
City:           Irving
StateProv:      TX
PostalCode:     75038
Country:        US
RegDate:        2015-04-02
Updated:        2017-08-30
Comment:        Abuse complaints will only be responded to by the use of the abuse contact
Ref:            https://whois.arin.net/rest/org/FCC-211

ReferralServer:  rwhois://rwhois.frontiernet.net:4321

OrgAbuseHandle: ABUSE223-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-866-474-7662
OrgAbuseEmail:  abuse@frontiernet.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE223-ARIN

OrgTechHandle: ZF47-ARIN
OrgTechName:   Frontier Communications
OrgTechPhone:  +1-866-474-7662
OrgTechEmail:  abuse@frontiernet.net
OrgTechRef:    https://whois.arin.net/rest/poc/ZF47-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#



Found a referral to rwhois.frontiernet.net:4321.

%rwhois V-1.5:002090:00 whois.frontiernet.net (by Network Solutions, Inc. V-1.5.9.6)
network:Auth-Area:47.189.128.0/18
network:ID:NET-47-189-128-0-21
network:Network-Name:47-189-128-0-21
network:IP-Network:47.189.128.0/21
network:Org-Name;I:FTR3 FIOS-D Irving TX
network:Street-Address:3498 N Beltline Rd
network:City:Irving
network:State:TX
network:Postal-Code:75062
network:Country-Code:US
network:Tech-Contact;I:AR255-FRTR
network:Updated:20160714
network:Updated-By:ipeng@frontiernet.net
network:Class-Name:network

network:Auth-Area:47.189.128.0/18
network:ID:NET-47-189-128-0-18
network:Network-Name:47-189-128-0-18
network:IP-Network:47.189.128.0/18
network:Org-Name;I:Frontier Communications Solutions
network:Street-Address:180 South Clinton Ave
network:City:Rochester
network:State:NY
network:Postal-Code:14646
network:Country-Code:US
network:Tech-Contact;I:ABUSE-FRTR
network:Admin-Contact;I:IPADMIN-FRTR
network:Updated:20160713
network:Updated-By:ipeng@frontiernet.net
network:Class-Name:network


%ok


Action 1
I wrote an angry email to abuse@frontiernet.net

Action 2
I made a number of countermeasures. One I will share is to block replies from the apache2 webserver from any source IP address coming from this ISP. Here is how:

service apache2 stop  # stop webserver

cd /etc/apache2/
# ssl.conf is the configuration file for the https website that I am going to block
# remember that in apache2 the conf is split into a bzillion separate files and not the usual
# single httpd.conf like in the good old days

vi /etc/apache2/sites-enabled/ssl.conf

<VirtualHost _default_:443>
    <Directory "/">
        Options Indexes FollowSymLinks
        Require all granted
        # Order/Allow/Deny are the older 2.2-style directives (mod_access_compat on Apache 2.4)
        Order allow,deny
        Allow from all
        Deny from 47.190.0.0/16 47.182.0.0/15 47.184.0.0/14 47.188.0.0/15
    </Directory>
</VirtualHost>

service apache2 start    # start webserver with changed config
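
An added example, not part of the original post: it parses the NetRange and CIDR fields from the ARIN output above, checks that the four CIDR blocks used in the Deny line cover exactly that range and contain 47.189.134.210, and renders the same ranges in Apache 2.4's `Require not ip` form. The function names are illustrative, and the input is an excerpt of the whois output shown on this page.

```python
import ipaddress
import re

# Excerpt of the ARIN whois output shown above (fields copied from the page).
WHOIS_EXCERPT = """\
NetRange:       47.182.0.0 - 47.190.255.255
CIDR:           47.184.0.0/14, 47.182.0.0/15, 47.190.0.0/16, 47.188.0.0/15
NetName:        FCC-211
OrgAbuseEmail:  abuse@frontiernet.net
"""


def parse_whois(text):
    """Return (first_ip, last_ip, cidr_networks, abuse_email) from ARIN-style output."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.MULTILINE))
    first, last = (ipaddress.ip_address(p.strip())
                   for p in fields["NetRange"].split("-"))
    nets = [ipaddress.ip_network(c.strip()) for c in fields["CIDR"].split(",")]
    return first, last, nets, fields.get("OrgAbuseEmail")


def covers_exactly(first, last, nets):
    """True if the CIDR blocks are exactly the minimal cover of first..last."""
    expected = set(ipaddress.summarize_address_range(first, last))
    return set(ipaddress.collapse_addresses(nets)) == expected


def is_blocked(ip, nets):
    """True if ip falls inside any of the denied networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def apache24_deny(nets):
    """Render the ranges as Apache 2.4 mod_authz_host directives."""
    ranges = " ".join(str(net) for net in sorted(nets))
    return ("<RequireAll>\n"
            "    Require all granted\n"
            f"    Require not ip {ranges}\n"
            "</RequireAll>")


if __name__ == "__main__":
    first, last, nets, abuse = parse_whois(WHOIS_EXCERPT)
    print("abuse contact:", abuse)
    print("CIDR list matches NetRange:", covers_exactly(first, last, nets))
    print("47.189.134.210 blocked:", is_blocked("47.189.134.210", nets))
    print(apache24_deny(nets))
```
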


No Thanks Buddy
So I am most angry at the people named explicitly above who have caused us to spend a lot of money, and let us down by not providing the Fibre Internet connection we negotiated at high cost (UK pricing) in a very relaxed timeframe.

I am also angry at the twat user, IP address 47.189.134.210 who thought it would be a fine idea to en masse download our entire website.

I'm not opposed to fair use but you tried to download over 26,000 files from us.   This does not constitute fair use.

I'm angry with myself that I did not consider somebody would be so selfish, and that via my temporary Internet connection, which is metered, this has now cost me dearly.


Learning Points

a) Some people take unreasonable advantage of free stuff.   They are Assholes.

b) People that knowingly make promises they have no intention of keeping. They are Assholes too.