This patch is included in the kernel as of 2.2.13pre15. It's also in Red Hat 6.1.
Not sure if I should tell MediaOne about this, since they don't seem to want people to use Linux.
My problems started when my IP address was changed by the ISP's DHCP server to 22.214.171.124. Note that it ends in .255. Many system administrators block access from addresses that end in .255, to guard against a security problem called smurfing. (This is a simple and effective defense against smurfing, but it isn't the officially recommended one, as it hurts innocent people.)
About two weeks after I reported the problem, my computer received a new IP address that did not end in .255, and the problem went away.
I don't know how many ISPs still hand out .255 addresses to other people. If you get a .255 address, and have trouble accessing a few sites on the web, complain, and demand a non-.255 address; it can't hurt, and it might solve your problem.
The other people at my ISP who have tested this do not have the same problem. The support staff at mediaone.net can't reproduce this problem and have not provided any useful support (beyond sympathy).
Note that even someone on my same subnet but with a non-.255 address does not have the same problem!
Here are logs from traceroute exploring the problem. Note especially that I cannot reach either 126.96.36.199 or 188.8.131.52, two routers which are only four or so hops away from me.
The most likely explanation is given at the bottom of this page: I may have fallen victim to a rough defense against smurf attacks. If this is the case, MediaOne (and any other domain with networks bigger than class C) should probably reserve .255 and .0 addresses and not hand them out to customers, as routers which use this defense will ignore them! Alternatively, they should work with router admins who use this defense to set up less drastic defenses.
Given two computers, one with a normal-looking address and one with an address ending in .255, one could easily implement a scanner that pinged known routers from both computers. Routers that respond to the normal probe but don't respond to the probe from the .255 address probably suffer from this problem. It would be in MediaOne's interest to implement such a scan.
From: "MediaOne Express Technical Support" (email@example.com)
Date: 04.02.99 14:29
Subject: RE: hotmail?
To: "Dan Kegel"
We have received and logged your E-mail message. Our team of Technical Support Specialists is working to respond to your information request within 24 hours.
From: "MediaOne Express Technical Support"
Date: 13.02.99 11:14
Subject: RE: routing problem at mae-la-CCIBRT.mediaone.net?
To: "Dan Kegel" (firstname.lastname@example.org)

We have received and logged your E-mail message. Our team of Technical Support Specialists is working to respond to your information request within 24 hours.
There basically isn't anything an origin site or intermediate router can do to prevent smurfs. What it would have to do is filter directed broadcasts, but it needs to know the destination subnet mask to do this; in general, there is no way to know this.
So the lap.ln.net router should not have been filtering .255 source addresses if it was trying to block smurfing. What it is doing is simply denying service to all systems using such an address.
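The point above is that a filter keyed on the last octet is not the same thing as a directed-broadcast filter: whether an address is a broadcast address depends on the subnet mask, which an intermediate router does not know. The following is an added example, not from the original page, that contrasts a naive "ends in .0 or .255" rule with a mask-aware check on constructed private addresses (the 10.20.x.x values are made up for illustration).

```python
import ipaddress

# Constructed sample: the same address classified by a naive "ends in .255"
# filter and by a mask-aware check. The addresses are made up for this example.

def naive_last_octet_filter(addr: str) -> bool:
    """Drop rule of the kind the page describes: block any address whose
    last octet is 0 or 255, regardless of the real subnet mask."""
    last = int(addr.rsplit(".", 1)[1])
    return last in (0, 255)

def is_directed_broadcast(addr: str, prefixlen: int) -> bool:
    """Correct check: an address is a (directed) broadcast address only if
    it equals the broadcast address of the subnet it actually lives in,
    which requires knowing that subnet's mask."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return ipaddress.ip_address(addr) == net.broadcast_address

def classify(addr: str, prefixlen: int) -> dict:
    """Compare the two filters for one address/mask pair."""
    naive = naive_last_octet_filter(addr)
    real = is_directed_broadcast(addr, prefixlen)
    return {
        "address": addr,
        "prefixlen": prefixlen,
        "naive_blocks": naive,
        "is_broadcast": real,
        "collateral_damage": naive and not real,  # legitimate host dropped
        "missed_broadcast": real and not naive,   # broadcast that slips through
    }

# Constructed cases (private 10/8 space, not the page's real addresses)
SAMPLES = [
    ("10.20.13.255", 22),  # ordinary host inside 10.20.12.0/22
    ("10.20.13.255", 24),  # true broadcast of 10.20.13.0/24
    ("10.20.15.255", 22),  # true broadcast of 10.20.12.0/22
    ("10.20.13.127", 25),  # broadcast of 10.20.13.0/25, ends in .127
]

def run_samples():
    return [classify(a, p) for a, p in SAMPLES]

if __name__ == "__main__":
    for r in run_samples():
        print(r)
```

The first sample is exactly the situation on this page: a .255 host address on a supernetted block that a last-octet rule drops, while the last sample shows a real broadcast address the same rule lets through.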
From: "MediaOne Express Technical Support" (email@example.com)
Date: 16.02.99 08:53
Subject: RE: routing problem at mae-la-CCIBRT.mediaone.net?
To: "'Dan Kegel'" (firstname.lastname@example.org)

Thanks for writing. I will pass along your information to the appropriate parties. Thank you for the information.
From: WE-BDSFeedback (WE-BDSFeedback@MediaOne.com)
Date: 17.02.99 08:44
Subject: RE: hotmail?
To: "'Dan Kegel'" (email@example.com)

Thank you, I will forward this information to our Network Admin for follow-up. I am sorry our IP assignment is causing you problems such as this.
From: WE-BDSFeedback (WE-BDSFeedback@MediaOne.com)
Date: 18.02.99 08:10
Subject: RE: hotmail?
To: "'Dan Kegel'" (firstname.lastname@example.org)

The problem has been resolved. You will need to recycle your modem to receive an IP update. There are several ways to achieve this:
1. Log out of MediaOne.
2. Turn off your computer.
3. Power cycle the modem.
Thank you, MediaOne Express
Hi Dan - this is Mike Newton in yet another existence.... Just saw your page: http://www.kegel.com/mediaone.html due to a random walk. I can shed some light on it....:

I do lots of network security consulting. One of the common problems is DOS (denial of service) attacks. Smurfs are particularly a problem at some sites. Also, very few sites actually run with class A or B subnets internally. For example, the non-existent class B of 128.0/16 (184.108.40.206) would usually be subnetted internally to 128.0.0/24 or some such. So, because of smurfs (forged icmp echos to broadcast addresses - a luser on a dialup line can fill a T-3 easily) most places block broadcast addresses both in and out (so they don't get in trouble from rambunctious internal people). Depending upon the place/equipment (router/firewall/version) a common way of doing this is to prevent all '.0' and '.255' addresses from going into/out of an org. Some places even do it at the ISP or not-quite-backbone level.

I'd get a different IP address. You are always going to have problems as it is impossible to tell how people are going to subnet and so many places will play it safe and block as above. For large sites the necessary rules to block it in a cisco are so large as to slow the router down (depending upon model, path, ...).

Still lost in space and time... - mike

ps: you're welcome to use any of the above. Don't put an e-mail (or other) pointer to me on the web though -- you can leave my name off or on as you feel if you do use it.