SixXS::Sunset 2017-06-06

Ticket ID: SIXXS #9729786
Ticket Status: User

PoP: usbos01 - OCCAID Inc. (Boston, Massachusetts)

500 Hard Blocked from TIC
[us] Shadow Hawkins on Friday, 12 July 2013 06:26:44
Sorry to bother you guys. I had aiccu and radvd configured and working on my dd-wrt router for a while. Yesterday I had to reset the router several times and I was blocked from TIC server. This has happened before and I usually just have to wait for an hour and try to connect again but this time I was still blocked now. I tried to change to a wireless WAN and then I can connect to Sixxs again so I'm confident it was my public IP (66.250.143.159) that was blocked. Since I am behind NAT, there is no way I can change an IP. I googled around and it seems other people are having things like "500 Quick Blocked from TIC" or "500 Blocked from TIC". Does this "Hard block" mean my IP is permanently banned? Before yesterday's reset I had a steady connection to sixxs for months. I'm not sure if I was abusing the TIC server these two days or it was someone else with the same public IP that had caused the ban before I had the router reset. If you guys can provide me a history of this IP's attempt to connect sixxs it would be of great help to me to feature this problem out. Thanks
500 Hard Blocked from TIC
[ch] Jeroen Massar SixXS Staff on Friday, 12 July 2013 09:26:12
Yesterday I had to reset the router several times and I was blocked from TIC server.
How often did you reset it? Must have been quite a lot before that happens.
I googled around and it seems other people are having things like "500 Quick Blocked from TIC" or "500 Blocked from TIC".
Yes, there are lots of people who themselves or their vendors cannot read and apparently have tools that reconnect to our TIC servers a lot, in some cases every second and causing a DoS on our TIC server which is then not able to server other users anymore.
Does this "Hard block" mean my IP is permanently banned?
It means that you connected very often and very quickly and as you obviously did not heed the "Quick Blocked" message, you overstepped the thresholds and thus got Hard Blocked. This is not permanent, but you really should stop querying the system too often. Instead of restarting AICCU all the time, figure out what really is the problem and solve that instead.
500 Hard Blocked from TIC
[us] Shadow Hawkins on Friday, 12 July 2013 12:51:08
I only reset it three or four times and when I went to look for the log file I only see the "Hard" block (my router erases logs when restarts, so I might have missed the "Quick" block warning. But from my past experience I don't think 3~4 queries within a hours warrants a "Hard" block). And during the two days I tried to connect for about another four times. I really don't think it is my problem now because I do not have any loops in my script, which I used for quite some time without any issue and I've commented out the aiccu command now. I haven't tried for the whole night but I don't want to start trying now in case it prolongs my ban. Can you have a look at the server log and tell me if my IP stops querying within the last maybe five hours?
500 Hard Blocked from TIC
[ch] Jeroen Massar SixXS Staff on Friday, 12 July 2013 14:23:10
I only reset it three or four times
Then why do we have several hundred connections?
(my router erases logs when restarts
Which "router" is this? Model/software versions?
I don't think 3~4 queries within a hours warrants a "Hard" block
As one is only supposed to make 1 connection, and not the several hundred you caused, it is quite warranted. Obviously something is wrong and you are not aware what it is. As your user is not associated with the block, it seems that the configuration details are wrong too, or the client that is connecting to our TIC server is broken.
I really don't think it is my problem now because I do not have any loops in my script, which I used for quite some time without any issue and I've commented out the aiccu command now.
So you had a script that did reconnects. Why did that script exist and what was it supposed to achieve?
I haven't tried for the whole night but I don't want to start trying now in case it prolongs my ban.
Everytime you try again it prolongs the block till it averages out to a normal rate of connections.
500 Hard Blocked from TIC
[us] Shadow Hawkins on Friday, 12 July 2013 15:36:01
Like I said I was trying to feature out what the problem is. I have a DD-WRT router that uses aiccu to connect to sixxs broker and uses radvd to broadcast IPv6 connection to devices connected to the said router. I used a startup script that execute aiccu ONEC every restart. The first time I tried to set thing up a couple of months ago I had to do some tinkering and as you can imagine I was blocked due to frequent queries that was caused by restarting/resetting the router. Back then I just had to get all the configuration finally right and waited for about half an hour and execute aiccu, by which time I was already unblocked. Everything went fine from that point on and I had a steady connection for about 2~3 months in which time I only restarted about 2 times due to router firmware upgrade. Two days ago I had to reset my router again because I needed to setup a guest wifi network and messed up to the point that even wired connection the the router LAN cannot access the router. After reset I loaded the old working configuration but aiccu was not working. I was puzzled and restarted about two times and then realized that my router clock was not NTP synced so all aiccu attempt was rejected. I fixed that problem but then I got "500 Hard Block". I thought it was just like last time and waited for an hour and tried to connect to sixxs and failed again. So I went to sleep WITHOUT putting any aiccu comment in a looped script. The next morning I was still getting "500 Hard Block" so I realized this block was different from last time. I left for work, again without putting any aiccu in any loop. When I came back home I tried to connect and failed one more time. So I decided to figure out if it was my sixxs account or my IP that was blocked, and if my startup script was not configured right somehow (which is unlikely because it was exactly the same script that was severing me right for months). I used another WAN IP (a 4G hotspot shared from a laptop to the router's WAN port by ethernet connection) and this time I was able to connect to sixxs broker without any problem. This tells me that it was indeed the IP address that was blocked, and the router configuration/my sixxs account should be functioning correctly. In the entire process I NEVER put aiccu in any looped script that automatically reconnects. And my overall trial to connect (through startup script or manually running aiccu) was definitely fewer than ~20 times. If you are seeing hundreds of queries I cannot understand how it could possibly come from my configuration. I now have commented out the aiccu line in my script and disabled IPv6 in my router settings. I have radvd set up that uses the subnet associated with my tunnel, could it be the culprit that constantly queries the server without explicitly running aiccu? This radvd was also untouched and worked fine for months. In any case I now have radvd disabled as well and there is nothing on my router that should make any connection to sixxs server now. Thank you for bearing with me with my lengthy description so far. As you can see I now am trying my best to avoid any connection attempts to sixxs. But also you said that the block is not associated with my account, so I think it is possible that someone who shares WAN IP with me (everyone in the apartment building are behind NAT and uses a single IP) who abused the server and caused the block. This could have happened a long time ago and still is happening due to some faulty configuration. Since I had a continuous connection to sixxs for weeks prior to my recent router reset, I could not have known about this until a reconnect attempt was made by me (I'm assuming that if one establishes and maintains a connection to sixxs broker, one would not be kicked out of his current connection due to his IP being blocked until the aforementioned connection is dropped and a reconnection attempting is made.) I was not I'm not tying to find an excuse for myself but I really need to figure out whether is was caused by me and if so of course I'll dig more and find out what was wrong. If you can have a look at your record now and tell me when did the hundreds of queries start and if it is still ongoing I could at least have an idea if I was looking at the right direction. Thanks in advance.
500 Hard Blocked from TIC
[ch] Jeroen Massar SixXS Staff on Friday, 12 July 2013 16:22:45
which is unlikely because it was exactly the same script that was severing me right for months
Just a note there are many other people who have been running 'fine' with all kinds of scripts and other modifications that rarely cause issues, till the problem hits and our server gets hammered.
In the entire process I NEVER put aiccu in any looped script that automatically reconnects.
Then you really did a LOT of restarts to get into the Hard Blocked state.
And my overall trial to connect (through startup script or manually running aiccu) was definitely fewer than ~20 times.
Hard block kicks in at 50+ reconnects in a day.
If you are seeing hundreds of queries I cannot understand how it could possibly come from my configuration.
As it is not our machine that is causing it, we cannot tell that either.
I now have commented out the aiccu line in my script and disabled IPv6 in my router settings.
Which exact "script" is this, what does it do, when does it get called, are there other tools that might call it?
I have radvd set up that uses the subnet associated with my tunnel, could it be the culprit that constantly queries the server without explicitly running aiccu?
Which "culprit"?
In any case I now have radvd disabled as well and there is nothing on my router that should make any connection to sixxs server now.
What does radvd have to do with restarts of AICCU?
so I think it is possible that someone who shares WAN IP with me
You might want to reach out to the network administrator in that case.
(I'm assuming that if one establishes and maintains a connection to sixxs broker, one would not be
kicked out of his current connection due to his IP being blocked until the aforementioned connection is
dropped and a reconnection attempting is made.
The TIC connections is only made once (1) in the lifetime of AICCU as it is solely used to retrieve it's configuration parameters. The actual tunnel are disjunct from this. Hence, when one connects more than 4 times a day one is likely doing something wrong already... 50 times a day, is sillyness though. Your block started yesterday and is still in effect, it should expire in the next day or so though unless something starts hitting it again.
500 Hard Blocked from TIC
[us] Shadow Hawkins on Friday, 12 July 2013 16:39:54
Which exact "script" is this, what does it do, when does it get called, are there other tools that might call it?
Per http://www.dd-wrt.com/wiki/index.php/IPv6#SixXS_Tunnel_Broker My wan.wanup which executes when the WAN interface goes up has this: aiccu start /jffs/etc/aiccu.conf ip -6 addr add 2001:4830:1100:81b6::/64 dev br0 ip -6 route add 2001:4830:1100:81b6::/64 dev bra I have commented out all three lines now. There shouldn't be any other thing that calls it.
What does radvd have to do with restarts of AICCU?
I don't think it has anything to do, but it refers to the subnet prefix that sixxs assigned to me, so I guess it inquires sixxs server? I maybe wrong. It looks like this. interface br0 { AdvSendAdvert on; prefix 2001:4830:1100:81b6::/64 { }; };
Your block started yesterday and is still in effect, it should expire in the next day or so though unless something starts hitting it again.
Well as long as the TIC server is not being hit right now I'm OK to wait for another day. At least it means I manage to stop whatever is constantly connecting now.
500 Hard Blocked from TIC
[ch] Jeroen Massar SixXS Staff on Friday, 12 July 2013 16:51:48
Per http://www.dd-wrt.com/wiki/index.php/IPv6#SixXS_Tunnel_Broker
My wan.wanup which executes when the WAN interface goes up has this:
aiccu start /jffs/etc/aiccu.conf
You do realize that this causes AICCU to be run (restart) every single time that interface comes up? There you go, that is the cause of the problem. Note that the above URL does not contain a "wan.wanup" file or any instructions to do what you are doing.
500 Hard Blocked from TIC
[us] Shadow Hawkins on Friday, 12 July 2013 17:10:37
The description for wan.wanup is here: http://www.dd-wrt.com/wiki/index.php/Script_Execution Maybe I understand "interface goes up" incorrectly. I thought it means that whenever the WAN connection goes from dead (disconnected) to alive (connected). Therefore it only happens once when the router is rebooted. If that's the case it means that my internet is not stable and it dropped frequently and for my router its WAN interface comes up and down all the time. Or do you mean that "interface goes up" means any time there is traffic on that interface?
500 Hard Blocked from TIC
[ch] Jeroen Massar SixXS Staff on Friday, 12 July 2013 17:15:45
The description for wan.wanup is here:
http://www.dd-wrt.com/wiki/index.php/Script_Execution
I do not see AICCU or SixXS on that page.
Maybe I understand "interface goes up" incorrectly. I thought it means that whenever the WAN connection goes from dead (disconnected) to alive (connected).
That is correct. But note that this also happens when the interface goes down for a bit (eg you lose your connection) and then comes back up, and then you restart AICCU. Thus if you lose link for a bit, you keep on restarting AICCU.
Therefore it only happens once when the router is rebooted.
Nope. That is where you go wrong.
If that's the case it means that my internet is not stable and it dropped frequently and for my router its WAN interface comes up and down all the time.
Correct.
Or do you mean that "interface goes up" means any time there is traffic on that interface?
Nope, what would the point in that? But lets put an end to this discussion though: you obviously manually added something that automatically restarts AICCU. The hard block is thus correctly in place and the system has properly detected it. You'll have to sit it out till the system unblocks you.

Please note Posting is only allowed when you are logged in.

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker