No internet connectivity when phorm.com is blocked (split from monster phorm thread)

[Heed]

Discussion began here:

http://www.cableforum.co.uk/board/12...-page-264.html

EDIT: Discussion summary:

Quote:

Originally Posted by Heed

Hey all.

I've noticed something weird tonight. I'm having real problems connecting to most websites when I have phorm.com and associated IP's blocked via my firewall (Comodo). If I unblock them I get normal operation.

It looks like a DNS issue and that's what I thought it was (hangs on "looking up hostname"), but unblocking the phorm addresses solves it.

Anyone else seeing this?

I should add that if I unblock the addresses and visit a site which was unreachable with the addresses blocked, then after visiting I can visit again no problem with the addresses blocked.

I have the following blocked:

88.208.248.102 - 88.208.250.85
phorm.com

Hmm, I can't even get to my modem configuration page (192.168.100.1) with those blocks.

Not just http, but ftp as well.

Quote:

Originally Posted by Heed

I'm still seeing this behaviour today.

I've narrowed it down to the blocking of phorm.com.

Is no one else seeing this?

Does no one else have phorm.com blocked?

Seriously, no internet connectivity unless phorm.com is not blocked -- what else can that mean but all my internet activity is passing through, or relying upon a response from, phorm.com at some point?

Tracert to bbc.co.uk:

Without phorm.com blocked

Tracing route to bbc.co.uk [212.58.224.131]
over a maximum of 30 hops:

1 6 ms 5 ms 6 ms 10.157.4.1
2 8 ms 7 ms 5 ms midd-t2cam1-b-ge914.inet.ntl.com [213.106.239.20
9]
3 7 ms 6 ms 5 ms midd-t3core-1b-ge-010-0.inet.ntl.com [195.182.17
6.113]
4 16 ms 10 ms 11 ms ren-bb-b-so-300-0.inet.ntl.com [213.105.75.49]
5 11 ms 11 ms 11 ms man-bb-a-so-010-0.inet.ntl.com [62.253.185.170]

6 18 ms 17 ms 17 ms gfd-bb-b-so-200-0.inet.ntl.com [62.252.192.94]
7 18 ms 19 ms 20 ms redb-ic-1-as0-0.inet.ntl.com [62.253.185.78]
8 172 ms 223 ms 31 ms 212.58.238.189
9 20 ms 19 ms 17 ms 212.58.238.133
10 20 ms 20 ms 20 ms rdirwww-vip.thdo.bbc.co.uk [212.58.224.131]

Trace complete.

With phorm.com blocked

Tracing route to bbc.co.uk [212.58.224.131]
over a maximum of 30 hops:

1 5 ms 5 ms 6 ms 10.157.4.1
2 6 ms 5 ms 5 ms midd-t2cam1-b-ge914.inet.ntl.com [213.106.239.20
9]
3 * * * Request timed out.
4 12 ms 49 ms 11 ms ren-bb-b-so-300-0.inet.ntl.com [213.105.75.49]
5 13 ms 12 ms 11 ms man-bb-a-so-010-0.inet.ntl.com [62.253.185.170]

6 18 ms 17 ms 18 ms gfd-bb-b-so-200-0.inet.ntl.com [62.252.192.94]
7 20 ms 20 ms 20 ms redb-ic-1-as0-0.inet.ntl.com [62.253.185.78]
8 20 ms 19 ms 20 ms 212.58.238.189
9 18 ms 19 ms 17 ms 212.58.238.133
10 20 ms 20 ms 20 ms rdirwww-vip.thdo.bbc.co.uk [212.58.224.131]

Trace complete.

The third hop seems to be the culprit. Times out on:

midd-t3core-1b-ge-010-0.inet.ntl.com

Quote:

Originally Posted by Heed

I should add that I've had those blocks up for over a week with no problem until about 10 pm last night when I noticed some sites were unreachable. I shutdown the computer after poking around for a few minutes and when I booted up about an hour and a half later there was no connectivity. That's when I decided to unblock those addresses just to see -- to my surprise, all connectivity returned

[Bonglet]

i would start looking for traces of phorm cookies on your machine heed

also interseting to note that http://status-cable.virginmedia.com/...?ticket=140408 has you down as being in maintainance for this week (Phorm moving there kit in?)

[ilago]

You can check if your web page has been modified en route here

http://vancouver.cs.washington.edu/#results

The page also explains the mods.

More information about associated research here

http://arstechnica.com/news.ars/post...n-transit.html

[Heed]

Anyone know what the cookies are?

I've looked for phorm and webwise. I don't see anything for them.

---------- Post added at 12:09 ---------- Previous post was at 12:07 ----------

Quote:

Originally Posted by ilago

You can check if your web page has been modified en route here

http://vancouver.cs.washington.edu/#results

The page also explains the mods.

More information about associated research here

http://arstechnica.com/news.ars/post...n-transit.html

I saw that on slashdot earlier.

It shows me as being fine.

[kt88man]

Quote:

Originally Posted by Heed

Anyone know what the cookies are?

I've looked for phorm and webwise. I don't see anything for them.

---------- Post added at 12:09 ---------- Previous post was at 12:07 ----------



I saw that on slashdot earlier.

It shows me as being fine.

Pete has a very good description of the cookies here:

http://www.dephormation.org.uk/cookie_analysis.html

---------- Post added at 12:13 ---------- Previous post was at 12:11 ----------

Quote:

Originally Posted by ilago

You can check if your web page has been modified en route here

http://vancouver.cs.washington.edu/#results

The page also explains the mods.

More information about associated research here

http://arstechnica.com/news.ars/post...n-transit.html

That looks at modifications done to the actual page contents... phorm, as far as we know, does not do that.

[Heed]

Hmm, I don't see anything webwise related. A few from VM as well as one from adserver.virginmedia.com and allyours.virginmedia.com

EDIT: I just installed FF2 for the first time an hour ago, so clean install. Checked cookies and nothing there out of the ordinary.

[kt88man]

Quote:

Originally Posted by Heed

Hmm, I don't see anything webwise related. A few from VM as well as one from adserver.virginmedia.com and allyours.virginmedia.com

adserver.virginmedia.com ... personally, I'd have that domain in the hosts file.

[Bonglet]

Did the ff results from pete's site come back ok?
I would still take screenshots and make any notes of what your experiencing even if it is nothing it may always help you in the future just dont modify anything to change timestamps e.t.c

[GeoffW]

Heed, what is your location?

If there is a covert trial underway it would be localised.

[punky]

I don't have a webwise cookie

I can't really see how removing a cookie would lose you internet connectivity?

[Heed]

Yes, the FF2 results came back okay.

I'm connected through the middlesborough servers.

Gavin, it's not removing a cookie that loses me connectivity -- it's having phorm.com blocked.

---------- Post added at 14:20 ---------- Previous post was at 13:13 ----------

The odd thing is that if I block 88.208.250.66, 88.208.250.85 and 207.44.186.90 I can connect fine. But if I block the domain name phorm.com that's when everything dies. Those 3 IP's are supposed to be phorm.com IP's, so I don't understand why I don't see the same behaviour when I just have those 3 blocked.

Could there be more IP's associated with phorm.com that are not publically known?

[punky]

Ahh, sorry, my mistake.

How are you blocking it? Via your hosts file?

[ilago]

Quote:

Originally Posted by Heed

Anyone know what the cookies are?

I've looked for phorm and webwise. I don't see anything for them.

---------- Post added at 12:09 ---------- Previous post was at 12:07 ----------



I saw that on slashdot earlier.

It shows me as being fine.

That's actually a good sign. It means that there has been no interference at the level of your webpage yet. You should check regularly. It will pick up the Phorm redirects once they start.

I really would like to know how and why blocking phorm IPs and phorm sites should interfere with net access, seemingly at the 3rd hop.

I'm a visitor here, trying to find out as much as I can about Phorm and Nebuad before they start up in my country. I've been lurking here for weeks. I've a suspicion that success in the UK and the USA would make Australia and New Zealand prime targets. I'm not sure we have any protection from this sort of abuse either. I'm a malware remover and I've known a lot about 121 Media, ContextPlus, PeopleonPage and Apropos for a long time through removing their less than helpful products from victims machines. It's an issue I feel strongly about.

[Heed]

Quote:

Originally Posted by Gavin

Ahh, sorry, my mistake.

How are you blocking it? Via your hosts file?

No, through my firewall (Comodo).

The cookie discussion started as an aside just to make a check to see if anythng turned up -- nothing did, as far as I can see.

[The Jackal]

Can you post your complete network settings please - I'm interested in what DNS servers you are using.

windoze ipconfig /all

linux ifconfig -a && cat /etc/hosts

I'd like to test this out.

Cheers

---------- Post added at 14:41 ---------- Previous post was at 14:40 ----------

Quote:

Originally Posted by Heed

No, through my firewall (Comodo).

The cookie discussion started as an aside just to make a check to see if anythng turned up -- nothing did, as far as I can see.

What settings are you using ? tcp/udp drop incoming or outcoming packets from phrom.com ?