LET and CF are up to something

wych

@jbiloh said:
What about now?

Just been out cold since my last update, even via a RDP and proxy; 552 errors again.

What the hell is going on? Its been like this for ages!

jbiloh

We have Cloudflare on the lowest setting, so don't really know what to do at this point.

AnthonySmith

@jbiloh - it is not cloudflare or it would be consistent and given how fast they reply to support ticket they would have told you want the issue was by now if it was at their side.

Have you put some sort of ACL in place to mitigate the attacks that have been happening? just saying it is a hell of a coincidence that this only started happening after the attacks.

PremiumN

lol now on random occasions im getting 522 errors via web proxies as well.

jbiloh

Well there are also constant attacks.

jbiloh

We're continuing to try and pin down what is causing the problem.

rm_

For me looks like it's trying to edit a post, or edit it more than once, is what kills everything.

jbiloh

We do have numerous thresholds in place right now, we'll tweak that some. But that's only part of the problem, and doesn't explain users who cannot get to LET/LEB at all.

rm_

My guess would be... make sure you're not rate-limiting access from CloudFlare IPs on the web server.

jbiloh

Fairly certain that is already done but we will re-check.

The real IPs of let/leb are leaking somewhere, can you help us via PM to find where that is coming from?

alessio

AnthonySmith said: I don't try to explain the fact it randomly works as that is not my experience for me it never works.

But it does so for others, including me.

AnthonySmith said: Its not a random accusation, it is a theory based on direct experience.

As I said, you might want to elaborate.

@jbiloh said:
We have Cloudflare on the lowest setting, so don't really know what to do at this point.

Was just inaccessible again. Latest Cloudflare ID was 17de8a038a040893

@rm_ said:
My guess would be... make sure you're not rate-limiting access from CloudFlare IPs on the web server.

But then it wouldnt work for anybody, which it doesnt. I guess only Cloudflare could say more based on the posted error traces.

Corey

jbiloh said: Fairly certain that is already done but we will re-check.

The real IPs of let/leb are leaking somewhere, can you help us via PM to find where that is coming from?

Oh so that's how the attackers are getting you. You move the server to a different ip range and they find out what the ips are somehow. Once you figure it out and patch it can you let us know how they were able to do it?

alessio

jbiloh said: The real IPs of let/leb are leaking somewhere, can you help us via PM to find where that is coming from?

Sent emails maybe?

PremiumN

@alessio said:
Sent emails maybe?

I believe they use mandrill

wych

@alessio said:
Sent emails maybe?

Last time I checked they were routed through Mandrill due to historic delivery issues.

Corey

host mail1b.lowendbox.com
mail1b.lowendbox.com has address 23.94.24.51

dig -x 23.94.24.51

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -x 23.94.24.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30803
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;51.24.94.23.in-addr.arpa. IN PTR

;; ANSWER SECTION:
51.24.94.23.in-addr.arpa. 3599 IN PTR host.colocrossing.com.

;; Query time: 38 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 23 09:47:33 2014
;; MSG SIZE rcvd: 77

alessio

@PremiumN said:
I believe they use mandrill

@wych said:
Last time I checked they were routed through Mandrill due to historic delivery issues.

As long as the IP is dropped there ....

Any obscure area of the forum maybe where the URL includes the IP address?

jbiloh

Can you guys let us know how it's working for you now?

rm_

jbiloh said: The real IPs of let/leb are leaking somewhere

Couldn't you limit access to the real IP to only the CloudFlare ranges, and blackhole all other traffic at the border router?

PremiumN

@jbiloh said:
Can you guys let us know how it's working for you now?

Still no luck!

alessio

@rm_ said:
Couldn't you limit access to the real IP to only the CloudFlare ranges, and blackhole all other traffic at the border router?

This would be the most ideal solution anyhow.

solarman

Still no luck have to use a proxy

Cloudflare says "Error 522 Ray ID: 17df02d0aec71353 Connection timed out"

jbiloh

alessio said: This would be the most ideal solution anyhow.

That's what we've done.

@solarman can you PM me your personal IP please that is getting rejected?

@premumN can you PM me your personal IP too please that is getting rejected?

alessio

jbiloh said: can you PM me your personal IP please that is getting rejected?

The error would indicate that Cloudflare couldnt establish a connection in the first place, so it shouldnt even get to the point where the end-user IP is transmitted. My guess would be still that either Cloudflare has intermittent problems or you "occasionally" block certain Cloudflare servers (temporarily at least).

jbiloh

We're continuing to work on it.

PremiumN

@jbiloh said:
premumN can you PM me your personal IP too please that is getting rejected?

Its not allowing me to PM for some reason. Check my IP logs. I always had a static ip so you can find out which one.

solarman

@jbiloh said:
premumN can you PM me your personal IP too please that is getting rejected?

Its random our isp issues a different one each time we login.
So I cant use your site from my phone

zafouhar

@jbiloh was the REAL IP Address of LET and LEB changed AFTER you moved to using CloudFlare?

rm_

jbiloh said: That's what we've done.

Then maybe you've forgot to allow some of the Cloudflare ranges, and this can explain why it works for some people (at some locations) and doesn't work for others.

Does CF even have an official list of "we'll access your website from these, and only from these source IPs" anywhere?

zafouhar

@rm_ quite easy to get a list of all IP Address CloudFlare uses http://bgp.he.net/AS13335#_asinfo