
View Full Version : No internet connectivity when phorm.com is blocked (split from monster phorm thread)


Heed
18-04-2008, 11:50
Discussion began here:

http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-264.html

EDIT: Discussion summary:


Hey all.

I've noticed something weird tonight. I'm having real problems connecting to most websites when I have phorm.com and associated IP's blocked via my firewall (Comodo). If I unblock them I get normal operation.

It looks like a DNS issue and that's what I thought it was (hangs on "looking up hostname"), but unblocking the phorm addresses solves it.

Anyone else seeing this?

I should add that if I unblock the addresses and visit a site which was unreachable with the addresses blocked, then after visiting I can visit again no problem with the addresses blocked.

I have the following blocked:

88.208.248.102 - 88.208.250.85
phorm.com

Hmm, I can't even get to my modem configuration page (192.168.100.1) with those blocks.

Not just http, but ftp as well.


I'm still seeing this behaviour today.

I've narrowed it down to the blocking of phorm.com.

Is no one else seeing this?

Does no one else have phorm.com blocked?

Seriously, no internet connectivity unless phorm.com is not blocked -- what else can that mean but all my internet activity is passing through, or relying upon a response from, phorm.com at some point?

Tracert to bbc.co.uk:

Without phorm.com blocked

Tracing route to bbc.co.uk [212.58.224.131]
over a maximum of 30 hops:

1 6 ms 5 ms 6 ms 10.157.4.1
2 8 ms 7 ms 5 ms midd-t2cam1-b-ge914.inet.ntl.com [213.106.239.209]
3 7 ms 6 ms 5 ms midd-t3core-1b-ge-010-0.inet.ntl.com [195.182.176.113]
4 16 ms 10 ms 11 ms ren-bb-b-so-300-0.inet.ntl.com [213.105.75.49]
5 11 ms 11 ms 11 ms man-bb-a-so-010-0.inet.ntl.com [62.253.185.170]

6 18 ms 17 ms 17 ms gfd-bb-b-so-200-0.inet.ntl.com [62.252.192.94]
7 18 ms 19 ms 20 ms redb-ic-1-as0-0.inet.ntl.com [62.253.185.78]
8 172 ms 223 ms 31 ms 212.58.238.189
9 20 ms 19 ms 17 ms 212.58.238.133
10 20 ms 20 ms 20 ms rdirwww-vip.thdo.bbc.co.uk [212.58.224.131]

Trace complete.

With phorm.com blocked

Tracing route to bbc.co.uk [212.58.224.131]
over a maximum of 30 hops:

1 5 ms 5 ms 6 ms 10.157.4.1
2 6 ms 5 ms 5 ms midd-t2cam1-b-ge914.inet.ntl.com [213.106.239.209]
3 * * * Request timed out.
4 12 ms 49 ms 11 ms ren-bb-b-so-300-0.inet.ntl.com [213.105.75.49]
5 13 ms 12 ms 11 ms man-bb-a-so-010-0.inet.ntl.com [62.253.185.170]

6 18 ms 17 ms 18 ms gfd-bb-b-so-200-0.inet.ntl.com [62.252.192.94]
7 20 ms 20 ms 20 ms redb-ic-1-as0-0.inet.ntl.com [62.253.185.78]
8 20 ms 19 ms 20 ms 212.58.238.189
9 18 ms 19 ms 17 ms 212.58.238.133
10 20 ms 20 ms 20 ms rdirwww-vip.thdo.bbc.co.uk [212.58.224.131]

Trace complete.

The third hop seems to be the culprit. Times out on:

midd-t3core-1b-ge-010-0.inet.ntl.com



I should add that I've had those blocks up for over a week with no problem until about 10 pm last night when I noticed some sites were unreachable. I shut down the computer after poking around for a few minutes and when I booted up about an hour and a half later there was no connectivity. That's when I decided to unblock those addresses just to see -- to my surprise, all connectivity returned.
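The comparison made above between the two traces (which hop changed once phorm.com was blocked) can be done mechanically. The Python below is an added example, not code from this thread: it parses Windows tracert output, marks hops where all three probes timed out, and reports the hops whose state differs between two traces of the same destination. The two traces embedded are the ones quoted in the post, with the hostnames the forum wrapped across lines rejoined; the function names are my own.

```python
import re

# Both traces are copied from the post above; the two hostnames that the forum
# software wrapped across lines ("[213.106.239.20" / "9]") are joined back together.
TRACE_UNBLOCKED = """\
Tracing route to bbc.co.uk [212.58.224.131]
over a maximum of 30 hops:

1 6 ms 5 ms 6 ms 10.157.4.1
2 8 ms 7 ms 5 ms midd-t2cam1-b-ge914.inet.ntl.com [213.106.239.209]
3 7 ms 6 ms 5 ms midd-t3core-1b-ge-010-0.inet.ntl.com [195.182.176.113]
4 16 ms 10 ms 11 ms ren-bb-b-so-300-0.inet.ntl.com [213.105.75.49]
5 11 ms 11 ms 11 ms man-bb-a-so-010-0.inet.ntl.com [62.253.185.170]
6 18 ms 17 ms 17 ms gfd-bb-b-so-200-0.inet.ntl.com [62.252.192.94]
7 18 ms 19 ms 20 ms redb-ic-1-as0-0.inet.ntl.com [62.253.185.78]
8 172 ms 223 ms 31 ms 212.58.238.189
9 20 ms 19 ms 17 ms 212.58.238.133
10 20 ms 20 ms 20 ms rdirwww-vip.thdo.bbc.co.uk [212.58.224.131]

Trace complete.
"""

TRACE_BLOCKED = """\
Tracing route to bbc.co.uk [212.58.224.131]
over a maximum of 30 hops:

1 5 ms 5 ms 6 ms 10.157.4.1
2 6 ms 5 ms 5 ms midd-t2cam1-b-ge914.inet.ntl.com [213.106.239.209]
3 * * * Request timed out.
4 12 ms 49 ms 11 ms ren-bb-b-so-300-0.inet.ntl.com [213.105.75.49]
5 13 ms 12 ms 11 ms man-bb-a-so-010-0.inet.ntl.com [62.253.185.170]
6 18 ms 17 ms 18 ms gfd-bb-b-so-200-0.inet.ntl.com [62.252.192.94]
7 20 ms 20 ms 20 ms redb-ic-1-as0-0.inet.ntl.com [62.253.185.78]
8 20 ms 19 ms 20 ms 212.58.238.189
9 18 ms 19 ms 17 ms 212.58.238.133
10 20 ms 20 ms 20 ms rdirwww-vip.thdo.bbc.co.uk [212.58.224.131]

Trace complete.
"""

# One hop line: hop number, three probe results ("6 ms", "<1 ms" or "*"), then the target.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.*?)\s*$")
PROBE_RE = re.compile(r"<?\d+\s*ms|\*")
# Target is either "hostname [a.b.c.d]" or a bare "a.b.c.d"; "Request timed out." matches neither.
TARGET_RE = re.compile(r"^(?:(\S+)\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


def parse_tracert(text):
    """Return one dict per hop: number, RTTs in ms (None for '*'), host, ip, timed_out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank and "Trace complete." lines carry no hop data
        rtts = []
        for probe in PROBE_RE.findall(m.group(2)):
            if probe == "*":
                rtts.append(None)
            else:
                rtts.append(int(probe.rstrip("ms").strip().lstrip("<")))
        host = ip = None
        target = TARGET_RE.match(m.group(3))
        if target:
            host, ip = target.group(1), target.group(2)
        hops.append({"hop": int(m.group(1)), "rtts": rtts, "host": host, "ip": ip,
                     "timed_out": all(r is None for r in rtts)})
    return hops


def timed_out_hops(hops):
    """Hop numbers where every probe was answered with '*'."""
    return [h["hop"] for h in hops if h["timed_out"]]


def diff_traces(before, after):
    """(hop, target before, target after) for hops whose timeout state differs."""
    by_hop = {h["hop"]: h for h in after}
    changed = []
    for b in before:
        a = by_hop.get(b["hop"])
        if a is None or a["timed_out"] != b["timed_out"]:
            changed.append((b["hop"], b["host"] or b["ip"],
                            None if a is None else (a["host"] or a["ip"])))
    return changed


if __name__ == "__main__":
    print(diff_traces(parse_tracert(TRACE_UNBLOCKED), parse_tracert(TRACE_BLOCKED)))
```

One caveat on reading the result: a single hop that times out while every later hop, and the destination itself, still answers is normally a router that does not reply to expired-TTL probes (or rate-limits those replies), not a point where traffic is being dropped. Both traces reach bbc.co.uk at hop 10, so the forwarding path is intact; the difference between the two runs is the name lookup in front of it, which is where the later posts concentrate.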

Bonglet
18-04-2008, 11:56
I would start looking for traces of Phorm cookies on your machine, Heed.

also interesting to note that http://status-cable.virginmedia.com/vmstatus/maintenanceissue.do?ticket=140408 has you down as being in maintenance for this week (Phorm moving their kit in?)

ilago
18-04-2008, 12:05
You can check if your web page has been modified en route here

http://vancouver.cs.washington.edu/#results

The page also explains the mods.

More information about associated research here

http://arstechnica.com/news.ars/post/20080416-research-1-3-percent-of-web-pages-altered-in-transit.html

Heed
18-04-2008, 12:09
Anyone know what the cookies are?

I've looked for phorm and webwise. I don't see anything for them.

---------- Post added at 12:09 ---------- Previous post was at 12:07 ----------

You can check if your web page has been modified en route here

http://vancouver.cs.washington.edu/#results

The page also explains the mods.

More information about associated research here

http://arstechnica.com/news.ars/post/20080416-research-1-3-percent-of-web-pages-altered-in-transit.html

I saw that on slashdot earlier.

It shows me as being fine.

kt88man
18-04-2008, 12:13
Anyone know what the cookies are?

I've looked for phorm and webwise. I don't see anything for them.

---------- Post added at 12:09 ---------- Previous post was at 12:07 ----------



I saw that on slashdot earlier.

It shows me as being fine.


Pete has a very good description of the cookies here:

http://www.dephormation.org.uk/cookie_analysis.html

---------- Post added at 12:13 ---------- Previous post was at 12:11 ----------

You can check if your web page has been modified en route here

http://vancouver.cs.washington.edu/#results

The page also explains the mods.

More information about associated research here

http://arstechnica.com/news.ars/post/20080416-research-1-3-percent-of-web-pages-altered-in-transit.html


That looks at modifications done to the actual page contents... phorm, as far as we know, does not do that.

Heed
18-04-2008, 12:17
Hmm, I don't see anything webwise related. A few from VM as well as one from adserver.virginmedia.com and allyours.virginmedia.com

EDIT: I just installed FF2 for the first time an hour ago, so clean install. Checked cookies and nothing there out of the ordinary.

kt88man
18-04-2008, 12:22
Hmm, I don't see anything webwise related. A few from VM as well as one from adserver.virginmedia.com and allyours.virginmedia.com

adserver.virginmedia.com ... personally, I'd have that domain in the hosts file. ;)

Bonglet
18-04-2008, 12:26
Did the ff results from pete's site come back ok?
I would still take screenshots and make notes of what you're experiencing; even if it is nothing, it may help you in the future. Just don't modify anything to change timestamps etc.

GeoffW
18-04-2008, 12:33
Heed, what is your location?

If there is a covert trial underway it would be localised.

punky
18-04-2008, 12:38
I don't have a webwise cookie :shrug:

I can't really see how removing a cookie would lose you internet connectivity?

Heed
18-04-2008, 14:20
Yes, the FF2 results came back okay.

I'm connected through the middlesborough servers.

Gavin, it's not removing a cookie that loses me connectivity -- it's having phorm.com blocked.

---------- Post added at 14:20 ---------- Previous post was at 13:13 ----------

The odd thing is that if I block 88.208.250.66, 88.208.250.85 and 207.44.186.90 I can connect fine. But if I block the domain name phorm.com that's when everything dies. Those 3 IP's are supposed to be phorm.com IP's, so I don't understand why I don't see the same behaviour when I just have those 3 blocked.

Could there be more IP's associated with phorm.com that are not publicly known?

punky
18-04-2008, 14:37
Ahh, sorry, my mistake.

How are you blocking it? Via your hosts file?

ilago
18-04-2008, 14:38
Anyone know what the cookies are?

I've looked for phorm and webwise. I don't see anything for them.

---------- Post added at 12:09 ---------- Previous post was at 12:07 ----------



I saw that on slashdot earlier.

It shows me as being fine.

That's actually a good sign. It means that there has been no interference at the level of your webpage yet. You should check regularly. It will pick up the Phorm redirects once they start.

I really would like to know how and why blocking phorm IPs and phorm sites should interfere with net access, seemingly at the 3rd hop.

I'm a visitor here, trying to find out as much as I can about Phorm and Nebuad before they start up in my country. I've been lurking here for weeks. I've a suspicion that success in the UK and the USA would make Australia and New Zealand prime targets. I'm not sure we have any protection from this sort of abuse either. I'm a malware remover and I've known a lot about 121 Media, ContextPlus, PeopleonPage and Apropos for a long time through removing their less than helpful products from victims machines. It's an issue I feel strongly about.

Heed
18-04-2008, 14:39
Ahh, sorry, my mistake.

How are you blocking it? Via your hosts file?

No, through my firewall (Comodo).

The cookie discussion started as an aside just to make a check to see if anything turned up -- nothing did, as far as I can see.

The Jackal
18-04-2008, 14:41
Can you post your complete network settings please - I'm interested in what DNS servers you are using.

windoze ipconfig /all

linux ifconfig -a && cat /etc/hosts

I'd like to test this out.

Cheers

---------- Post added at 14:41 ---------- Previous post was at 14:40 ----------

No, through my firewall (Comodo).

The cookie discussion started as an aside just to make a check to see if anything turned up -- nothing did, as far as I can see.

What settings are you using? tcp/udp drop incoming or outgoing packets from phorm.com?

punky
18-04-2008, 14:43
Tracing those 3 IPs, I can't see a link to Phorm.

88.208.250.66 > live-servers.net > Fasthosts
88.208.250.85 > live-servers.net > Fasthosts
207.44.186.90 > ThePlanet

So I'm guessing sites not hosted or routed through those companies should still work?

Heed
18-04-2008, 14:47
Can you post your complete network settings please - I'm interested in what DNS servers you are using.

windoze ipconfig /all

linux ifconfig -a && cat /etc/hosts

I'd like to test this out.

Cheers

---------- Post added at 14:41 ---------- Previous post was at 14:40 ----------



What settings are you using? tcp/udp drop incoming or outgoing packets from phorm.com?

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Heed>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : xxxxxxxxx
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : xxxxxxxxxxxxxxx
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : xxxxxxxxx Mod edit (Gavin): IP address removed for your security.
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 82.11.28.1
DHCP Server . . . . . . . . . . . : 62.254.64.20
DNS Servers . . . . . . . . . . . : 194.168.4.100
194.168.8.100
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : 18 April 2008 09:33:37
Lease Expires . . . . . . . . . . : 23 April 2008 11:24:13

C:\Documents and Settings\Heed>

As for settings, I'm not sure. Comodo just allows you specify an address, a range or a domain name. I believe it's simply blocking all communication with the domain/I.P. that's listed.

punky
18-04-2008, 14:48
which hosts did you get those IPs from? webwise.com or something?

Heed
18-04-2008, 14:48
Tracing those 3 IPs, I can't see a link to Phorm.

88.208.250.66 > live-servers.net > Fasthosts
88.208.250.85 > live-servers.net > Fasthosts
207.44.186.90 > ThePlanet

So I'm guessing sites not hosted or routed through those companies should still work?

Those I.P's came from here:

http://www.all-nettools.com/toolbox

NsLookup

punky
18-04-2008, 14:57
Yeah, but what hostnames did you lookup to get those IPs?

webwise.com does resolve to 88.208.250.66, but I think that's for the webhosting rather than anything else. There are probably other hosts that resolve there (that Fasthosts are hosting).

The Jackal
18-04-2008, 14:58
Have you tried using a non ntl DNS server instead ?

If you're looking at anonymity/getting away from phorm then why the heck are you using ntl name servers ?

Use someone elses and retest - let us know how you get on

Heed
18-04-2008, 15:08
Yeah, but what hostnames did you lookup to get those IPs?

webwise.com does resolve to 88.208.250.66, but I think that's for the webhosting rather than anything else. There are probably other hosts that resolve there (that Fasthosts are hosting).

Oh, phorm.com.

Those are IP's that have been passed around in the big phorm thread.

But really, the relevant point is that blocking the phorm.com domain leads me to have no connectivity.

---------- Post added at 15:02 ---------- Previous post was at 14:59 ----------

Have you tried using a non ntl DNS server instead ?

If you're looking at anonymity/getting away from phorm then why the heck are you using ntl name servers ?

Use someone elses and retest - let us know how you get on

No, I haven't.

You have any handy?

As for why, well I didn't think I would need to switch DNS servers in order to avoid phorm.

---------- Post added at 15:08 ---------- Previous post was at 15:02 ----------

Okay, I switched to OpenDNS servers and have functionality with phorm.com blocked.

What does this tell us?
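The retest just described (the same name looked up against the ISP's resolvers and then against OpenDNS) can be made repeatable and explicit. The Python below is an added example, not code from this thread: it builds a raw DNS A query, sends it to a chosen resolver on UDP/53 and parses the reply, so one name can be checked against several resolvers side by side and a timeout, a SERVFAIL and a real answer are told apart. The NTL/VM resolver addresses are those in the ipconfig output posted in the thread; the OpenDNS addresses are OpenDNS's public resolvers and are an assumption here, as the thread names OpenDNS without its IPs; the sample reply is constructed so the parser can be exercised offline.

```python
import os
import socket
import struct

# Resolver addresses: the NTL/VM defaults are from the ipconfig output in this thread;
# the OpenDNS addresses are OpenDNS's public resolvers, assumed here (not quoted in the thread).
ISP_RESOLVERS = ["194.168.4.100", "194.168.8.100"]
OPENDNS_RESOLVERS = ["208.67.222.222", "208.67.220.220"]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid):
    """Minimal RFC 1035 query: 12-byte header with RD set, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(data, offset):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Parse the header, skip the question section, collect A and CNAME answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ".".join(str(b) for b in data[offset:offset + 4])))
        elif rtype == 5:
            answers.append((name, "CNAME", _read_name(data, offset)[0]))
        offset += rdlen
    rcode = flags & 0x000F
    return {"id": txid, "rcode": rcode, "status": RCODES.get(rcode, str(rcode)),
            "truncated": bool(flags & 0x0200), "answers": answers}


def resolve_via(server, name, timeout=2.0):
    """Send one A query to `server` on UDP/53; return the parsed reply, or None on timeout."""
    txid = int.from_bytes(os.urandom(2), "big")   # unpredictable ID, as a resolver should use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    reply = parse_response(data)
    return reply if reply["id"] == txid else None   # discard replies that are not ours


def compare_resolvers(name, servers):
    """The thread's retest made repeatable: the same name against each resolver in turn."""
    return {server: resolve_via(server, name) for server in servers}


def sample_response(rcode=0):
    """Constructed reply for bbc.co.uk (address taken from the tracert in the thread); no network."""
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)
    question = build_query("bbc.co.uk", 0x1234)[12:]
    answer = b""
    if rcode == 0:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([212, 58, 224, 131])
    return header + question + answer


if __name__ == "__main__":
    for server, reply in compare_resolvers("bbc.co.uk", ISP_RESOLVERS + OPENDNS_RESOLVERS).items():
        print(server, "timeout" if reply is None else (reply["status"], reply["answers"]))
```

Run with the block in place and the firewall rule under test toggled, and compare the per-resolver line: a timeout (None) or SERVFAIL from one set of resolvers while another set returns NOERROR with an A record places the fault on the path to that resolver rather than on the destination site, which is the distinction the rest of the thread is trying to make.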

The Jackal
18-04-2008, 15:08
No, I haven't.

You have any handy?

As for why, well I didn't think I would need to switch DNS servers in order to avoid phorm.

thut thut

If I were in charge I would make all your DNS requests run through Virgin's poisoned DNS servers and borg the lot of you. Phorm is good for you :)

For that matter re-route every tcp/udp request on port 53.

The only people I can't handle are people like myself who route all traffic through an ssh tunnel bounced through either new york or london.

Some DNS servers for you do a whois.net and pick one of the billions of open DNS servers....

nslookup
> server NS1.UK2.NET
Default server: NS1.UK2.NET
Address: 83.170.64.2#53
> news.bbc.co.uk
Server: NS1.UK2.NET
Address: 83.170.64.2#53

Non-authoritative answer:
news.bbc.co.uk canonical name = newswww.bbc.net.uk.
Name: newswww.bbc.net.uk
Address: 212.58.226.29
>

punky
18-04-2008, 15:10
I think blocking those IPs blocks all/large numbers of servers run by Fasthosts and ThePlanet. Loads of hostnames will resolve to those IPs.

Can you block by hostname instead?

The Jackal
18-04-2008, 15:11
ps Can you give the firewall rules that you are using to block

#88.208.248.102 - 88.208.250.85

That's virtually 3 class C's that you are trying to block maybe you have your netmask screwed.

Heed
18-04-2008, 15:20
Please forget about IP's for a second -- I've had those blocked for over a week with no problems and now only have phorm.com blocked.

As I said above, switching to OpenDNS servers gives me connectivity back when phorm.com is blocked.

---------- Post added at 15:16 ---------- Previous post was at 15:14 ----------


Can you block by hostname instead?

Yes, that's when I encounter problems and that's the only block in place right now -- "phorm.com".

---------- Post added at 15:20 ---------- Previous post was at 15:16 ----------

NTL's/VM's DNS servers never have been a lot of cop.

I would say on the basis of your post alone that VM's DNS servers are cross-referencing with Phorm. However, I'd say it needs more investigation to be conclusive.


Yes, that seems most likely. I originally thought it was a DNS problem (described in my first post) because it looks just like one.

But what can we make out of every DNS lookup being bounced to somewhere in phorm.com? Is that part of the tech spec. on this equipment?

EDIT: And wait a minute. Phorm kit is not even supposed to be on VM's network, right? I'm sure I've seen VM responses that they are "still evaluating" and have no kit in place yet. Someone correct me if I'm wrong and VM haven't denied the kit is in-place/has been trialed/will be trialed.

Bonglet
18-04-2008, 15:26
I would say so, as when it's in place (as has been mentioned in other people's posts) you can't escape Phorm's kit, as everything goes through it. There might be a perfectly simple explanation, but as I keep stating, keep as much info as you can (for all you know you could be in a secret trial or otherwise) and have no protection for liabel damages at a future date, however secretive Phorm's kit is.

The Jackal
18-04-2008, 15:28
Well I gave this a try

#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.248.0/24 -p all -j DROP -v
#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.249.0/24 -p all -j DROP -v
#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.250.0/24 -p all -j DROP -v

And all seems to work so I'm still with the dodgy DNS servers theory. Block phorm should not block internet access completely.

Bonglet
18-04-2008, 15:29
would be interesting to know if other people in your area are having this same issue also.

Heed
18-04-2008, 15:31
Well I gave this a try

#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.248.0/24 -p all -j DROP -v
#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.249.0/24 -p all -j DROP -v
#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.250.0/24 -p all -j DROP -v

And all seems to work so I'm still with the dodgy DNS servers theory. Block phorm should not block internet access completely.

I would be more than happy to put it down to something innocent like poor NTL DNS servers, but I can't escape the fact that several dozen times I have switched from blocking/unblocking phorm.com and each time it resulted in no connectivity (block) and connectivity (unblocked) when using the default NTL DNS servers. That can't be a coincidence, can it?

Graham M
18-04-2008, 15:38
I'm confused, who is The Jackal?! :notopic:

The Jackal
18-04-2008, 15:41
I would be more than happy to put it down to something innocent like poor NTL DNS servers, but I can't escape the fact that several dozen times I have switched from blocking/unblocking phorm.com and each time it resulted in no connectivity (block) and connectivity (unblocked) when using the default NTL DNS servers. That can't be a coincidence, can it?

Well, it seems like your connection is failing to do a name resolution; this is hardly blocked internet access.

If you can when you say your internet is blocked can you do a

netstat -n so that we can see exactly where your machine is trying to connect to.

Repeat when connected.

Heed
18-04-2008, 15:46
Well, it seems like your connection is failing to do a name resolution; this is hardly blocked internet access.

If you can when you say your internet is blocked can you do a

netstat -n so that we can see exactly where your machine is trying to connect to.

Repeat when connected.

Well, when you can't resolve a domain name that's a lot of the internet unavailable. But let's not quibble about that.


C:\Documents and Settings\Heed>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 82.11.31.190:4503 208.69.34.230:80 ESTABLISHED

C:\Documents and Settings\Heed>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 82.11.31.190:4503 208.69.34.230:80 ESTABLISHED



No difference with phorm.com blocked or unblocked.

I'm back on the default DNS servers for testing purposes.

And as soon as phorm.com is blocked I can't resolve domain names and as soon as it's unblocked I can.

The Jackal
18-04-2008, 15:51
And as soon as phorm.com is blocked I can't resolve domain names and as soon as it's unblocked I can.

Try to trace what is happening to your DNS resolutions. (tcp/udp ports 53)

I don't know much about windows so maybe someone else can help get the tools that you need to monitor tcp connections.

I used to use a tcp/ip monitor but for the love of life can't remember what it was called.

Good luck - Let us know where it fails as I'd love to play with this further.

Thankyou

Cobbydaler
18-04-2008, 15:55
Try to trace what is happening to your DNS resolutions. (tcp/udp ports 53)

I don't know much about windows so maybe someone else can help get the tools that you need to monitor tcp connections.

I used to use a tcp/ip monitor but for the love of life can't remember what it was called.

Good luck - Let us know where it fails as I'd love to play with this further.

Thankyou

tcpmon (http://www.kochini.com/dcomp/tcpmon/)?

Heed
18-04-2008, 15:57
Try to trace what is happening to your DNS resolutions. (tcp/udp ports 53)

I don't know much about windows so maybe someone else can help get the tools that you need to monitor tcp connections.

I used to use a tcp/ip monitor but for the love of life can't remember what it was called.

Good luck - Let us know where it fails as I'd love to play with this further.

Thankyou

Yeah, we've reached the extent of my networking and networking tools knowledge.

I've done another tracert and I'm still showing a fail (time out) on my third hop to midd-t3core-1b-ge-010-0.inet.ntl.com when phorm.com is blocked.

The Jackal
18-04-2008, 15:57
tcpmon (http://www.kochini.com/dcomp/tcpmon/)?

I love this guy. Spot on every time.

Yeh that's the one I used.

Heed
18-04-2008, 16:02
Okay, running tcpmon now. With phorm.com blocked it shows nothing when I try to hit a site -- no connections nothing in the log.

The Jackal
18-04-2008, 16:29
And what do you see in the logs when you ping the bbc as follows

ping 212.58.226.20

---------- Post added at 16:29 ---------- Previous post was at 16:27 ----------

oops tcpmon doesn't monitor pings.

instead try

telnet 212.58.226.20 80

You should see the ack sent and possibly an established state

Heed
18-04-2008, 16:44
With phorm.com unblocked:

16:41:11 | 82. 11. 31.190: 4750 | 212. 58.226. 20:HTTP | established

With phorm.com blocked:

16:43:25 | 82. 11. 31.190: 4751 | 212. 58.226. 20:HTTP | established

The Jackal
18-04-2008, 16:50
With phorm.com unblocked:

16:41:11 | localip: 4750 | 212. 58.226. 20:HTTP | established

With phorm.com blocked:

16:43:25 | localip: 4751 | 212. 58.226. 20:HTTP | established

So you're connected but you can't see it in a browser. What about Opera, IE, Firefox, erm, lynx for Windows even :)

Within the terminal

telnet 212.58.226.20 80

hit ctrl-c several times

hit the return key and you should see the HTML from the bbc site.

And when you're blocked you can't do nslookups ?

---------- Post added at 16:50 ---------- Previous post was at 16:48 ----------

ps what happens when you put this in your browser ?

http://212.58.226.20/

Heed
18-04-2008, 16:51
If I hit ctrl+c or enter I just get "Bad request" and "connection to host lost".

The Jackal
18-04-2008, 16:53
If I hit ctrl+c or enter I just get "Bad request" and "connection to host lost".

That's excellent, and in the browser (Opera/IE/Firefox)?

http://212.58.226.20/

Rchivist
18-04-2008, 16:56
Tracing those 3 IPs, I can't see a link to Phorm.

88.208.250.66 > live-servers.net > Fasthosts
88.208.250.85 > live-servers.net > Fasthosts
207.44.186.90 > ThePlanet

So I'm guessing sites not hosted or routed through those companies should still work?

Fasthosts is where the BT Webwise pages are hosted
www.webwise.bt.com
- they used to be on Phorm related IP's looked after in Houston Texas by GODADDY, but now they are with the cheap budget hosting site Fasthosts. When Fasthosts went down earlier this week BT Webwise pages went down too.

Heed
18-04-2008, 17:04
That's excellent, and in the browser (Opera/IE/Firefox)?

http://212.58.226.20/

Yes, I can reach that when I have phorm.com blocked.

Actually, I can reach it in Opera but not IE or FF2. I'm going to do a machine reboot and double check.

Hmm, after a machine reboot I can still get there in Opera, but not IE and FF2. This might be somehow related to the behaviour I noted earlier where if I visited a site successfully I could then get back most of the time after phorm.com was blocked.

EDIT: Finally loaded in FF2 without any images except the banner title (showing a lookup pending for newsimg.bbc.co.uk). Have got the banner title but no more to show up in IE.

The Jackal
18-04-2008, 17:15
Yes, I can reach that when I have phorm.com blocked.

Which goes back to what I've been saying before - your DNS is barfed. I would seriously like to know how you are blocking phorm.

Can I add a final note ?

I don't know how you're blocking those IP ranges but it's not going to help. If I were to design the phorm infrastructure I would have to build my application servers and message queuing system within Virgin's infrastructure.

Pushing each request out, especially if they are managed by some small outfit like Fasthosts, is going to overload their network and imply latency to the end user. Hmmm, come to think of it, Virgin doesn't give a toss about the end user experience so they might adopt this model anyway ;)

But ideally message pooling within Virgin's network is going to be the best way to implement phorm and if that's the case there's going to be no escaping phorm :)

Heed
18-04-2008, 17:26
Which goes back to what I've been saying before - your DNS is barfed. I would seriously like to know how you are blocking phorm.

Can I add a final note ?

I don't know how you're blocking those IP ranges but it's not going to help. If I were to design the phorm infrastructure I would have to build my application servers and message queuing system within Virgin's infrastructure.

Pushing each request out, especially if they are managed by some small outfit like Fasthosts, is going to overload their network and imply latency to the end user. Hmmm, come to think of it, Virgin doesn't give a toss about the end user experience so they might adopt this model anyway ;)

But ideally message pooling within Virgin's network is going to be the best way to implement phorm and if that's the case there's going to be no escaping phorm :)


I'm simply blocking phorm.com via my firewall -- Comodo. Yes, DNS seems to be the culprit, but the question is why does it fail only when I have phorm.com blocked? It's unlikely to be the firewall itself as I've tried blocking other domains like bbc.co.uk or google.com and things function fine except when trying to reach the blocked domain -- as it should be. But switch google.com to phorm.com and DNS gets borked.

Also, please forget about the IP ranges. Since this morning the only thing I have blocked is the domain name phorm.com -- that's where I'm seeing the problem.

As for helping to keep phorm at bay or not, I don't know -- but it just seems like a prudent thing to do -- certainly not something that should have a negative impact unless trying to visit phorm.com.

http://homepage.ntlworld.com/kbyiers/phormblock.jpg

Deko
18-04-2008, 17:38
Guys maybe a trace using wireshark might show us something.


Do a trace zip it and PM it to me , Do 2 tests with blocking and without blocking phorm.com


Make sure you shut down other internet apps to reduce the amount of data captured.

http://www.wireshark.org/

Heed
18-04-2008, 17:58
Guys maybe a trace using wireshark might show us something.


Do a trace zip it and PM it to me , Do 2 tests with blocking and without blocking phorm.com


Make sure you shut down other internet apps to reduce the amount of data captured.

http://www.wireshark.org/

Can you attach files to a PM? I couldn't see a way, so here's a link to the file:

http://homepage.ntlworld.com/kbyiers/PhormCapture.rar

Rchivist
18-04-2008, 18:03
Yes, I can reach that when I have phorm.com blocked.

Actually, I can reach it in Opera but not IE or FF2. I'm going to do a machine reboot and double check.

Hmm, after a machine reboot I can still get there in Opera, but not IE and FF2. This might be somehow related to the behaviour I noted earlier where if I visited a site successfully I could then get back most of the time after phorm.com was blocked.

EDIT: Finally loaded in FF2 without any images except the banner title (showing a lookup pending for newsimg.bbc.co.uk). Have got the banner title but no more to show up in IE.

I did have a single episode of the BBC news site loading without ANY images a couple of days ago - at that time I think I had a variety of BTwebwise sites blocked, and if I recall correctly that was the day the BTWebwise site was down. Hasn't happened since and I have NO blocks in place at present - deliberately.

tony
18-04-2008, 18:31
I tried blocking www.phorm.com via Comodo and no connection was possible, including email etc.; it just shut the connection completely. Removed the block on phorm and all returned to normal.
Then blocked other sites via Comodo and no connection problems at all.
Weird.

Heed
18-04-2008, 19:30
I tried blocking www.phorm.com via Comodo and no connection was possible, including email etc.; it just shut the connection completely. Removed the block on phorm and all returned to normal.
Then blocked other sites via Comodo and no connection problems at all.
Weird.


Thank you!

I was beginning to feel like I was fighting a one-man uphill battle to show that this isn't some run-of-the-mill connection issue.

A confirmation of the issue just as described is exactly what I needed. :)

And yes, weird, indeed.

tony
18-04-2008, 19:45
I have phorm.com and webwise.net in hosts file but this doesn't cause any problems, someone posted that they have phorm.com blocked in router and have no problems, is it possible that comodo is the problem, although it only has a problem with phorm.com.

Bonglet
18-04-2008, 19:50
It could be Comodo, but why would Comodo deny access to everything just when you put phorm.com in and not when you put anything else in?

I'm installing it and going to test it out for myself now :).

Heed
18-04-2008, 19:53
I have phorm.com and webwise.net in hosts file but this doesn't cause any problems, someone posted that they have phorm.com blocked in router and have no problems, is it possible that comodo is the problem, although it only has a problem with phorm.com.

Yeah, it's a possibility. It seems odd it would only display this buggy behaviour with one domain, but bugs can be tricky. It's also not clear if it's just certain geographical areas that are affected or not.

I know some people have said they have phorm.com blocked and have no problems, but it might be area dependent. Also, it only seems to happen if you're using the default NTL DNS servers. The issue disappears with phorm.com blocked via Comodo if I switch to another DNS server. So, if some of those not seeing a problem are using non NTL DNS servers that would make sense.

JohnHorb
18-04-2008, 19:56
I don't know if it is relevant to the discussion here, but a response from BT management quoted on the BT forum states that if a user adds www.webwise.net (http://www.webwise.net) to their hosts file with a resolved address of 127.0.0.1, whilst opted in to Phorm during the forthcoming BT trials, they will lose all internet access. Would adding to the hosts file have the same effect as blocking? If so, this does begin to smell like a secret trial, perhaps on a small number of ubrs?

http://www.beta.bt.com/bta/forums/thread.jspa?threadID=3152&tstart=0&start=135

tony
18-04-2008, 20:00
I've posted on the Comodo forums about this; will see if any answers are forthcoming. A bit sceptical re Comodo forums due to the excessive fanboy attacks from previous questions placed.

---------- Post added at 20:00 ---------- Previous post was at 19:58 ----------

Yeah, it's a possibility. It seems odd it would only display this buggy behaviour with one domain, but bugs can be tricky. It's also not clear if it's just certain areas that are affected or not.

I know some people have said they have phorm.com blocked and have no problems, but it might be area dependent. Also, it only seems to happen if you're using the default NTL DNS servers. The issue disappears with phorm.com blocked via Comodo if I switch to another DNS server. So, if some of those not seeing a problem are using non NTL DNS servers that would make sense.

I have opendns setup in router, so don't use ntl dns.

Heed
18-04-2008, 20:03
I just read that from your post in the monster phorm thread, John.

The thing is, he only mentions traffic on port 80. So far, if it happens all ports seem to be affected, so that doesn't seem to be the same thing unless he's mistaken.

Tony, good idea. I've never been to their forums, so I hope you get an intelligent response.

tony
18-04-2008, 20:05
I don't know if it is relevant to the discussion here, but a response from BT management quoted on the BT forum states that if a user adds www.webwise.net (http://www.webwise.net) to their hosts file with a resolved address of 127.0.0.1, whilst opted in to Phorm during the forthcoming BT trials, they will lose all internet access. Would adding to the hosts file have the same effect as blocking? If so, this does begin to smell like a secret trial, perhaps on a small number of ubrs?

http://www.beta.bt.com/bta/forums/thread.jspa?threadID=3152&tstart=0&start=135

I have webwise in my hosts file but this causes no problems; I also have phorm.com in there with no problems. I can put webwise.net into the blocked addresses in Comodo and have no problems, but once I put phorm.com in, all connection goes.

kt88man
18-04-2008, 20:06
When I tested this earlier today it was using NTL's DNS servers (194.168.4.100 194.168.8.100) and I was unable to duplicate the problem when blocking phorm.com in hosts, or at router.

Does the same thing happen if you block webwise.net?

Heed
18-04-2008, 20:07
I've posted on the Comodo forums about this, will see if any answers are forthcoming; a bit sceptical re the Comodo forums due to the excessive fanboy attacks from previous questions placed.

I have OpenDNS set up in my router, so I don't use NTL DNS.

And even using OpenDNS you lost connectivity when you blocked Phorm in Comodo?

That's interesting. Switching to OpenDNS fixed the issue for me. I don't use a router, though. Just modem into LAN port.

---------- Post added at 20:07 ---------- Previous post was at 20:06 ----------

When I tested this earlier today it was using NTL's DNS servers (194.168.4.100 194.168.8.100) and I was unable to duplicate the problem when blocking phorm.com in hosts, or at router.

Does the same thing happen if you block webwise.net?

Nope, just phorm.com.

tony
18-04-2008, 20:14
And even using OpenDNS you lost connectivity when you blocked Phorm in Comodo?

That's interesting. Switching to OpenDNS fixed the issue for me. I don't use a router, though. Just modem into LAN port.

It seems that even though OpenDNS is set up in the router, when checking on the OpenDNS website it says I am not using OpenDNS.
Will have to check out the router to ensure that all is set up OK.

Fobic
18-04-2008, 20:16
I'm getting the same behaviour with Comodo.

I _think_ it's to do with the phorm.com hostname resolving to multiple IPs :-
88.208.250.66
88.208.250.85 and
207.44.186.90

I suspect Comodo isn't blocking the individual IPs; it's blocking the whole range from 88.208.250.66 to 207.44.186.90, which encompasses the VM DNS servers (were your alternate DNS servers outside this range?) and also the modem config page (192.168.100.1).

I tested this by blocking news.ntli.net (resolves to 62.253.170.163 and 80.5.182.99) and that stops me accessing www.google.co.uk (http://www.google.co.uk) (uses IPs 64.233.167.##) and www.namesdatabase.com (http://www.namesdatabase.com) (IP = 67.129.97.31) but DNS still works as does the modem config page and most other web pages.

Not an exhaustive test, but I think that's the problem.

BTW, adding the 3 individual IPs that phorm.com resolves to (not as a range!!) does block phorm.com without the adverse effects. ;)
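
As an added illustration of the explanation above (this is not code from the thread, from Comodo or from any project it mentions), the script below models the suspected behaviour: a hostname that resolves to several addresses being treated as one contiguous range from the lowest address to the highest, versus being treated as three individual hosts. The address values are taken from the posts in this thread; the "must stay reachable" labels and the function names are my own, and it uses only Python's standard ipaddress module. It also reruns the news.ntli.net check from the same post.

```python
import ipaddress

# Addresses phorm.com resolved to at the time, as reported in the thread (constructed input).
PHORM_IPS = ["88.208.250.66", "88.208.250.85", "207.44.186.90"]

# Hosts a phorm.com block must NOT catch (values quoted in the thread; labels are mine).
MUST_STAY_REACHABLE = {
    "VM/NTL DNS 1": "194.168.4.100",
    "VM/NTL DNS 2": "194.168.8.100",
    "modem config page": "192.168.100.1",
}


def as_individual_hosts(ips):
    """Intended behaviour: one /32 per resolved address."""
    return [ipaddress.ip_network(ip) for ip in ips]


def as_first_to_last_range(ips):
    """Suspected buggy behaviour: lowest..highest resolved address as one contiguous block.
    Returns the CIDR networks that cover that span."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    return list(ipaddress.summarize_address_range(addrs[0], addrs[-1]))


def blocked_by(nets, ip):
    """True if any network in nets contains ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def collateral(nets, must_stay):
    """Names of hosts that the rule set would wrongly block, sorted for stable comparison."""
    return sorted(name for name, ip in must_stay.items() if blocked_by(nets, ip))


def audit(ips, must_stay=MUST_STAY_REACHABLE):
    """Compare the collateral damage of the two interpretations of a hostname block."""
    individual = as_individual_hosts(ips)
    as_range = as_first_to_last_range(ips)
    return {
        "individual": collateral(individual, must_stay),
        "range": collateral(as_range, must_stay),
        "range_size": sum(net.num_addresses for net in as_range),
    }


if __name__ == "__main__":
    result = audit(PHORM_IPS)
    print("blocked as 3 hosts, collateral:", result["individual"])
    print("blocked as one range, collateral:", result["range"])
    print("addresses covered by the range interpretation:", result["range_size"])
```

Running it shows that the three-host rule touches none of the listed infrastructure, while the range interpretation covers well over a billion addresses and swallows both NTL resolvers and the modem page, which matches the symptoms reported earlier in the thread (DNS lookups hang, no FTP, no modem page). The same function reproduces the news.ntli.net experiment: as a range, 62.253.170.163..80.5.182.99 catches 64.233.167.x and 67.129.97.31 but leaves the resolvers and the modem page alone.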

Paul
18-04-2008, 20:19
Well I gave this a try

#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.248.0/24 -p all -j DROP -v
#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.249.0/24 -p all -j DROP -v
#$iptables -I POSTROUTING -t nat -s 0/0 -d 88.208.250.0/24 -p all -j DROP -v

And all seems to work, so I'm still with the dodgy DNS servers theory. Blocking Phorm should not block internet access completely.

That is blocking way more than Phorm's 3 IP addresses; not a very good idea.

Just block 88.208.250.85, 207.44.186.90 and 88.208.250.66.

kt88man
18-04-2008, 20:20
I'm getting the same behaviour with Comodo.

I _think_ it's to do with the phorm.com hostname resolving to multiple IPs :-
88.208.250.66
88.208.250.85 and
207.44.186.90

I suspect Comodo isn't blocking the individual IPs; it's blocking the whole range from 88.208.250.66 to 207.44.186.90, which encompasses the VM DNS servers (were your alternate DNS servers outside this range?) and also the modem config page (192.168.100.1).

I tested this by blocking news.ntli.net (resolves to 62.253.170.163 and 80.5.182.99) and that stops me accessing www.google.co.uk (http://www.google.co.uk) (uses IPs 64.233.167.##) and www.namesdatabase.com (http://www.namesdatabase.com) (IP = 67.129.97.31) but DNS still works as does the modem config page and most other web pages.

Not an exhaustive test, but I think that's the problem.

BTW, adding the 3 individual IPs that phorm.com resolves to (not as a range!!) does block phorm.com without the adverse effects. ;)

Well done that man... That looks a very plausible reason...

tony
18-04-2008, 20:34
Just tried again after resetting the router (seems the config was corrupted somehow) and now I am using OpenDNS; with phorm.com set as a blocked address in Comodo, no problems.
So this only occurs when Phorm is blocked in Comodo and NTL DNS is used.

JohnHorb
18-04-2008, 20:39
Just tried again after resetting the router (seems the config was corrupted somehow) and now I am using OpenDNS; with phorm.com set as a blocked address in Comodo, no problems.
So this only occurs when Phorm is blocked in Comodo and NTL DNS is used.

Fobic (above) has the answer: the OpenDNS servers are on 208...., above the range bounded by the phorm.com addresses.

tony
18-04-2008, 20:43
Fobic (above) has the answer: the OpenDNS servers are on 208...., above the range bounded by the phorm.com addresses.

Yep, just read that, after I posted. Doh.

The Jackal
18-04-2008, 20:53
I'm getting the same behaviour with Comodo.

I _think_ it's to do with the phorm.com hostname resolving to multiple IPs :-
88.208.250.66
88.208.250.85 and
207.44.186.90

I suspect Comodo isn't blocking the individual IPs; it's blocking the whole range from 88.208.250.66 to 207.44.186.90, which encompasses the VM DNS servers (were your alternate DNS servers outside this range?) and also the modem config page (192.168.100.1).


Well spotted :clap: - Guess this forum is not full of dunces after all.

Can the OP try just blocking the IPs instead of the FQDN?

---------- Post added at 20:53 ---------- Previous post was at 20:51 ----------

That is blocking way more than Phorm's 3 IP addresses; not a very good idea.

Just block 88.208.250.85, 207.44.186.90 and 88.208.250.66.

The OP said he was trying to block a whole range, so I replicated it as a test.

Heed
18-04-2008, 21:02
I'm getting the same behaviour with Comodo.

I _think_ it's to do with the phorm.com hostname resolving to multiple IPs :-
88.208.250.66
88.208.250.85 and
207.44.186.90

I suspect Comodo isn't blocking the individual IPs; it's blocking the whole range from 88.208.250.66 to 207.44.186.90, which encompasses the VM DNS servers (were your alternate DNS servers outside this range?) and also the modem config page (192.168.100.1).

I tested this by blocking news.ntli.net (resolves to 62.253.170.163 and 80.5.182.99) and that stops me accessing www.google.co.uk (http://www.google.co.uk) (uses IPs 64.233.167.##) and www.namesdatabase.com (http://www.namesdatabase.com) (IP = 67.129.97.31) but DNS still works as does the modem config page and most other web pages.

Not an exhaustive test, but I think that's the problem.

BTW, adding the 3 individual IPs that phorm.com resolves to (not as a range!!) does block phorm.com without the adverse effects. ;)

Nicely done!

Yes, that does seem to be the issue.

I tried your test of blocking news.ntli.net and those sites you listed are unreachable.

Just blocking the 3 phorm IP's doesn't cause any problems.

I'm glad that seems to solve the mystery.

The odd thing is this just began happening last night, so I'm guessing Comodo did an auto update last night that introduced the bug. I've had phorm.com blocked for over a week now.

Thanks to all for their input.

Deko
18-04-2008, 21:05
You might want to delete the cap files now.

As it does seem it's a SW fault of that firewall.

monkey2468
18-04-2008, 21:28
Fobic, nicely spotted!! :clap::clap:

NTLVictim
19-04-2008, 13:30
:hyper: If there was a category for "Most fascinating thread if you're a Techie", then this one would win! :D

atsa2
22-04-2008, 17:29
Read this thread with a great amount of interest; I've just finished setting up my laptop after a complete nuke and re-install. Symptoms were the same-ish: could connect to the network (wired or wireless), get an IP address, then nothing. Couldn't even log into the router. Phorm.com had been blocked for several weeks. After shutting down all programs like Comodo, Spybot and AVG the problem still remained.
As the other machine on the network (not running Comodo) worked fine :doh:, I assumed it was a TCP/IP error. After an attempted repair using a borrowed disc failed, I bit the bullet and used the recovery partition, and all is now fine. I eliminated the firewall as the problem remained after I had shut down the firewall... Is it possible that Comodo was still having an effect after being shut down, or started in safe mode? Just interested as it all adds to my knowledge...

Fobic
22-04-2008, 21:09
I eliminated the firewall as the problem remained after I had shut down the firewall... Is it possible that Comodo was still having an effect after being shut down, or started in safe mode? Just interested as it all adds to my knowledge...

It's very likely Comodo was still having an effect even though you had shut it down.

Most firewalls leave processes running when you close the user interface down (by clicking on the "quit" or "exit" menu items from the tool tray icon). In the case of Comodo, it leaves a process named cmdagent.exe running, and this seems to keep on blocking whatever the firewall was blocking before you quit it.

I've not tried starting in Safe Mode so I have no clue how Comodo behaves in that instance.

One thing that surprised me: there is an option in Comodo Settings to "automatically start the application with Windows (Recommended)". Unticking this, I expected the firewall not to start up on a reboot and thus not block anything. However, cmdagent.exe still gets started and continues to do its blocking; it's just the user interface that isn't started. Weird.

Looks like the only way to test if unexpected behaviour is down to Comodo is to uninstall it :rolleyes: (unless anyone knows how to kill protected processes in XP?)

Morden
22-04-2008, 21:48
Check services and see if there are any there called Comodo or similar and disable them.

R/C My Computer / Manage / Services and Applications / Services and you will get a list of all services that start with Windows. R/C and change the start-up settings.

You could also try Process Explorer to identify what Comodo runs:

http://www.microsoft.com/technet/sysinternals/Security/ProcessExplorer.mspx

atsa2
22-04-2008, 22:52
I remember that I did try starting in safe mode, with exactly the same result: could get on the network and get an IP address, but unable to get out with IE or Firefox. When I shut Comodo down I did it from the systray icon. The same thing happened on several networks, but I am unable to check anything as it is all gone... I have re-installed, so might try later to repeat and investigate further.
Thanks for the replies so far.

Chrysalis
23-04-2008, 13:28
Is Comodo designed to use hostnames in blocking rules? Typically, when configuring firewalls you should always use IP addresses and not DNS names.

SMHarman
23-04-2008, 14:53
All this other testing of telnet etc does not use port 80. Only port 80 traffic is intercepted by the L7 switch.

tdadyslexia
24-04-2008, 06:42
That is blocking way more than Phorm's 3 IP addresses; not a very good idea.

Just block 88.208.250.85, 207.44.186.90 and 88.208.250.66.

88.208.250.85 resolves to RIPE Network Coordination Centre, so why would you want to block them? :confused: