• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

endpoint update problems "-ERROR: IP is blocked. (dns attacks)"

Started by banjo67xxx, February 09, 2014, 09:57:54 AM

banjo67xxx

Hi,

I'm having problems updating my endpoint today, as I'm getting the following error when I try to update it both via the script, and manually on the website.

Quote: IP is blocked. (dns attacks)

My ISP is CHINA169-BACKBONE for China Unicom in the 山东 province and today they gave me the dynamic address 112.232.67.xxx

Yesterday everything was working perfectly with the dynamic address 27.211.155.xxx

Is there any way to get the block removed, as it's really not practical to reboot my router 1000+ times in the hope that my ISP will give me an address in the 27.192.0.0/11 net rather than the 112.232.0.0/11 net?

TIA

kasperd

Quote from: banjo67xxx on February 09, 2014, 09:57:54 AM
Is there any way to get the block removed

You can try to write to ipv6@he.net and explain the situation. Maybe they can tune the blocking criteria.

Quote from: banjo67xxx on February 09, 2014, 09:57:54 AM
as it's really not practical to reboot my router 1000+ times in the hope that my ISP will give me an address in the 27.192.0.0/11 net

There are ways you can influence the outcome, such that you won't have to try that many times.

One method is to place a switch on the outside of the router and another device, which communicates only with the router and not with the rest of the Internet. If the router performs an ARP request in order to double-check that the assigned IP is not in use, your other device can respond to ARP requests from your router every time it asks for one in the blocked range.

Another method is to forget about the switch on the outside of the router, and instead connect the router directly to a device on which you run only a DHCP server. Use that DHCP server to give your router an IP address which you believe is an unused IP address on the ISP's DHCP server. With a bit of luck, after assigning that IP address to your router, it can keep it once it is reconnected to the real Internet connection. For a better chance of success, adjust other parameters on your own DHCP server to match those of your ISP's.

Variations of the above two methods are possible without moving any network cables around, if instead you can run some alternative DHCP software on the router (you only need that temporarily).

It is a bit of work to pull something like that off, but it is easier than trying manually hundreds of times. Besides, simply retrying is unlikely to do much good, as both DHCP client and DHCP server remember your previous assignment, such that there is a high probability of getting the same IP address you were trying not to get.

kriteknetworks


banjo67xxx

Quote from: kasperd on February 09, 2014, 10:39:39 AM
One method is to place a switch on the outside of the router and another device, which communicates only with the router and not with the rest of the Internet. If the router performs an ARP request in order to double-check that the assigned IP is not in use, your other device can respond to ARP requests from your router every time it asks for one in the blocked range.

Another method is to forget about the switch on the outside of the router, and instead connect the router directly to a device on which you run only a DHCP server. Use that DHCP server to give your router an IP address which you believe is an unused IP address on the ISP's DHCP server. With a bit of luck, after assigning that IP address to your router, it can keep it once it is reconnected to the real Internet connection. For a better chance of success, adjust other parameters on your own DHCP server to match those of your ISP's.

Hmmm... Interesting concept. I think this might work if the ISP used a DHCP server, but I believe the PPP in PPPoE does the address assignment using a different mechanism. (I'm not sure on this, as this is the first time I've used an ISP that implements PPPoE.)

kasperd

Quote from: banjo67xxx on February 10, 2014, 09:22:09 PM
I believe the PPP in PPPoE does the address assignment using a different mechanism.

I think you are right. I don't know enough about PPP to say what influence you might have on IP assignment.

LSS740572

It happened to me as well, same ISP, PPPoE, same problem. The IP range in question for me was 112.225.x.x, similar to his 112.232.67.x.

Since I'm using OpenWrt on the router, I can set the tunnel as wan6 and leave the endpoint update to be done on the router's side. However, at times I found the tunnel not working, and whenever it happened my wan IP was in that range. For OpenWrt I just need to click Connect on both wan and wan6 on the Interface screen to reconnect (so as to reassign the IP), and it usually needs one or two reconnects to be able to get an IP address that is outside the blocked range.

Actually the ISP's IP assignment for PPPoE appears purely random. It just assigns a random IPv4 address from one of the dynamic ranges they have, and at times some of the ISP's IP ranges were blocked by the remote server (such as here) due to past issues like dns attacks or something, which also explains why sometimes when normally browsing the internet, some normally accessible websites could not be accessed and then become accessible again after a while or after a reconnect.

EDIT: Actually I got both 112.225.x.x and 112.255.x.x blocked. I presume more than just these two ranges among 112.x.x.x were blocked here. Actually there are around 3-4 IP ranges from my ISP, which means that whenever the IP changes, there is a roughly 1/4~1/3 chance that my IPv6 tunnel endpoint won't be updated. If needed, I may consider doing another topic concerning how many parts in the 112.x.x.x IP block were blocked.
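
Added example, not part of any post in this thread: the address reports above, reduced to the smallest single prefix that covers every blocked report, and checked against the address that worked. The masked octets are kept as /24 and /16 prefixes rather than filled in, and the result describes only what was reported here, not Hurricane Electric's actual block list.

```python
import ipaddress

# Observations reported in this thread. Masked octets ("x") are expressed
# as prefixes instead of being replaced with invented values.
BLOCKED = ["112.232.67.0/24", "112.225.0.0/16", "112.255.0.0/16"]
WORKING = ["27.211.155.0/24"]


def normalize(cidr):
    """Return the aligned network for a CIDR that may have host bits set."""
    return ipaddress.ip_network(cidr, strict=False)


def covering_prefix(cidrs):
    """Smallest single IPv4 prefix that contains every network in cidrs."""
    nets = [normalize(c) for c in cidrs]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Every bit position at or below the highest differing bit of lo and hi
    # varies across the reports, so it cannot belong to a shared prefix.
    prefixlen = 32 - (lo ^ hi).bit_length()
    return ipaddress.ip_network((lo, prefixlen), strict=False)


def conflicts(cover, working):
    """Working networks that overlap the inferred prefix (should be none)."""
    return [w for w in working if normalize(w).overlaps(cover)]


if __name__ == "__main__":
    cover = covering_prefix(BLOCKED)
    print("smallest prefix covering blocked reports:", cover)
    # "112.232.0.0/11" as written in the first post is not aligned on a /11
    # boundary; normalizing it gives the network it actually belongs to.
    print("112.232.0.0/11 normalizes to:", normalize("112.232.0.0/11"))
    print("working reports inside that prefix:", conflicts(cover, WORKING))
```

All three blocked reports, from two different posters, fall inside one /11, while the working address sits in the separate 27.192.0.0/11 range named in the first post.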