Moving Providers and Tainted IPs

Sat, 08 Jul 2023 13:28:02 +0200

I recently switched hosting providers for the host you’re reading this on (more on the hows and whys in a later post, perhaps). Most of the “work” involved in moving stuff involved changing the main IP address as it obviously changed. Being in a shared hosting environment, one is assigned an IPv4 address at random which is likely to have been used in the past. My old instance had been running for about a decade on the same IP so had a decent reputation of not sending bad traffic around the world, but it quickly became clear I was not so lucky with the new host.

Some searching revealed it had also been on blacklists in the past for sending out spam. Not great!

(One may not really care about IP reputation in general - for me, as I’m using the host as the main nameserver for all my domains, it’s relatively important that it is available unimpeded globally so I can receive email and such.)

My standard server monitoring setup showed some pretty obvious changes in TCP connections, from a clean old server:

to a new “dirty” server:

Note the “wave” of TCP connections established and in FIN_WAIT state, a sure sign of a bunch of hosts trying (and failing) to get retrieve some data. Nothing major, but combined with the earlier blacklisting and this being the sole public IP used for all my domains it’s not ideal.

Solving this was pretty easy - just create a new instance and move everything to the new IP once again. My new provider made this a 10 minute process: make a snapshot of the current instance, fire up a new instance based on said snapshot, update the bind config and boom, new IP. While waiting the requisite 24 hours for the new DNS setting to propagate I got curious though - what was that bad traffic anyway? Turns out it was pretty easy to find out.

First I ran a quick tcpdump to see what kind of traffic I should be looking for. tcpdump -n port not ssh confirmed it was random traffic on port 443 (SSL), meaning this IP was used in the past to host a website. Fair enough. What website though? The nginx logs didn’t reveal anything interesting - presumably traffic wasn’t actually getting past SSL negotiation. Digging into that involved a slightly more involved tcpdump:

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)' -nXSs0 -tt

This filters out the SNI field for the initial SSL handshake.

And sure enough, there it was:

Turns out it was used as part of an ad server CDN from Iran at some point.

The good news is that the newly assigned IP is clean as a whistle and the TCP graph looks pretty much like the first one here. DNS propagation will be complete in a few hours’ time and then I’ll shut down the old instance and will probably have the current clean IP for years to come. All’s well that ends well.

Hello World

Tue, 04 Jul 2023 20:14:54 +0200

It’s high time to update this here sleepy site, is it not? I decided to wipe out my lovingly hand-crafted photo blog when I realized keeping things manually updated was not something I enjoyed. The plan was to switch to a long-supported static site builder and well… I just never got around to it. I’m not sure what’s prompted me to suddenly try it again now but here we are.

This page circa 2005

This was originally a “photo blog” where I posted pictures almost daily. Courtesy of the Internet Archive here’s what it (roughly) looked like:

The underlying system was based on Wordpress with some custom gallery stuff. It eventually led me to being featured in a Canon commercial, so that was nice. I got increasingly frustrated with wanting to make changes in the PHP-based source so I eventually switched to a custom Rails blog in the (ultimately vain) hope I’d get good at Ruby.

The 2010 redesign

I’m still pretty happy with the design here. I scanned an A4 paper, ramped up the contrast and carefully sliced and diced the images and CSS (manually!) so that it would fit as a background without a noticeable overlap. The image galleries also looked great - the only downside being that I had to manually crop the previews so that they’d fit together nicely in a block with different-sized thumbnails.

There were some other problems that led to a plan for a grand redesign:

Custom blog code sounds great, but it turns out you need to keep up to date with Rails development if you want things to keep working
It wasn’t a good experience on mobile

It’s the latter that caused my main issue with ever getting an update out: the whole frontend world was changing rapidly and I had no idea what to do with CSS pre-processors and the like. I figured it’d shake out pretty soon so I put up a quick “be back soon” page which then stayed in place for about a decade. Whoops.

“Redesign”, 2021 2023 edition

So, here we are. This is now running on Hugo with an off-the-shelf theme that should allow me to once again focus on getting some content up as opposed to fidgeting with the backend. Let’s see how this one shakes out, eh?

Posts on on-no.net

Moving Providers and Tainted IPs

Hello World

This page circa 2005

The 2010 redesign

“Redesign”, 2021 2023 edition