[BBLISA] Amazon EC2 Oddly Rejecting Very Specific IP Addresses

Steve Bower sbower at cisco.com
Tue Apr 13 13:32:44 EDT 2010


> Date: Tue, 13 Apr 2010 13:03:24 -0400
> From: "Richard 'Doc' Kinne" <rkinne at aavso.org>
> To: bblisa at bblisa.org
> Subject: [BBLISA] Amazon EC2 Oddly Rejecting Very Specific IP Addresses
> 
> Folks:
> 
> I'd like to see if anyone has heard of circumstances like this before.
> 
> I have a server on the Amazon EC2 cloud running a website service. This is
> largely working well.
> 
> However I have one customer that cannot get to it from a specific address.
> The IP address of my server is 75.101.149.255.

I'd suspect that the .255 on the end is causing your issue.  See below...

[...]

> When my customer tries to do a traceroute from his place to my server he
> doesn't even get out of his router:
> 
> tracert 75.101.149.255
> Tracing route to [75.101.149.255] over a maximum of 30 hops:
>   1     1 ms    <1 ms    <1 ms  www.routerlogin.com [10.1.1.1]
>   2     *        *        *     Request timed out.

There's probably a filter on that router that prevents communication to
remote "broadcast" addresses, and assumes that anything ending in .255
is a broadcast address.  There was a trivial DoS attack where you could
forge a packet's addresses to include a remote network's broadcast
address, and make other systems send lots of packets to overwhelm
routers, etc.

I had a similar problem years ago when my direct-on-the-internet PC got
a .255 address, and there were a few web sites I couldn't reach (most
notably NASA's APOD site).

If a traceroute to 75.101.149.254 gets past the router, that's likely
the problem.

It might be possible to disable a setting on the router to make it stop
that filtering, though I don't think I've encountered such a thing on
the (few) router/firewall units I've played with.

> I've never seen anything like that before. I can understand things timing
> out when you get to the Amazon area, but timing out before you even get into
> the Net proper? That doesn't make sense to me. Everything else seems to work
> properly from his location from what he's telling me.
> 
> There is a part of me that thinks there may be something wrong somehow with
> my customer's address. When I do a "whois" on the customer's address it
> comes back as being owned by IANA, which doesn't seem right at all. Also
> when I try a traceroute to his address *I* don't get past my router in two
> totally separate locations (work, that has one ISP, and home, which has a
> very different ISP).

Are you tracing to a 10.x.x.x address?  If so, that's a non-routable IP
range, see RFC 1918.

If you have the client connect to another web server that you control,
you could check that server's logs for his IP address, and trace to
that.

  Good luck!
    Steve.

> 
> I've never quite seen anything act like this before and I'm not quite sure
> how to puzzle it out.
> 
> Does anyone have any thoughts?
> --
> Doc Kinne, [KQR]
> (From the Gmail Web Interface)

-- 
Steve Bower - CDO/EHS Unix Administrator - sbower at cisco.com
The ideas presented herein aren't necessarily the ideas presented herein.
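The checks Steve suggests (does the address merely end in .255, is it actually the directed-broadcast address of its subnet, is the customer's address RFC 1918 space, and which neighbouring address to traceroute for comparison) can be scripted with the standard library. This is an added example and not code from the original thread; the addresses are the two that appear in the posts, and the function and variable names are the editor's own.

```python
import ipaddress

# Addresses taken from the thread: the EC2 host and the customer's first hop.
SERVER_IP = "75.101.149.255"
CUSTOMER_ROUTER_IP = "10.1.1.1"

# RFC 1918 private ranges, spelled out rather than relying on
# IPv4Address.is_private, which also matches other reserved blocks.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def naive_broadcast_filter(ip: str) -> bool:
    """Mimic the router heuristic suspected in the thread (assumption: the
    filter only looks at the last octet). True means the packet is dropped."""
    return int(ipaddress.IPv4Address(ip)) & 0xFF == 0xFF


def is_broadcast_in(ip: str, prefix_len: int) -> bool:
    """True only if ip is the directed-broadcast address of the /prefix_len
    network containing it. The same .255 host is a broadcast address in a
    /24 or /25 but an ordinary host address in a /22 or /16."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return ipaddress.IPv4Address(ip) == net.broadcast_address


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 private ranges (not routable
    on the public Internet, so a traceroute to it cannot leave your router)."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918_NETS)


def control_address(ip: str) -> str:
    """The adjacent lower address (x.y.z.254 for a .255 host) to traceroute
    as a control: if that one gets past the router, the .255 filter is the cause."""
    return str(ipaddress.IPv4Address(ip) - 1)


def diagnose(ip: str, prefix_len: int) -> str:
    """Summarise why a last-octet-255 host may be unreachable from behind a
    filtering router, given the real prefix length of its subnet."""
    if not naive_broadcast_filter(ip):
        return f"{ip} does not end in .255; look elsewhere."
    real = "is" if is_broadcast_in(ip, prefix_len) else "is NOT"
    return (f"{ip} trips a last-octet-255 filter; it {real} the broadcast "
            f"address of its /{prefix_len}. Compare a traceroute to "
            f"{control_address(ip)}.")


if __name__ == "__main__":
    # Prefix lengths here are assumed for illustration; the thread does not
    # state the actual subnet size of the EC2 host.
    for plen in (24, 22):
        print(diagnose(SERVER_IP, plen))
    print(f"{CUSTOMER_ROUTER_IP} is RFC 1918: {is_rfc1918(CUSTOMER_ROUTER_IP)}")
```

A router that drops every destination ending in .255 is guarding against the old "smurf"-style reflection that Steve describes, but it does so without knowing the remote subnet mask, which is why a legitimate host address such as the EC2 instance's gets caught.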