Was PoA down?

ScottM

From about 1:30pm CDT to about 1:50pm (now) on the 31 May I could not get to PoA. What was up with that?

The error I kept getting was that the site could not be found. Neither through my home service nor my work service was I able to get to the site.
 
smigaldi said:
From about 1:30pm CDT to about 1:50pm (now) on the 31 May I could not get to PoA. What was up with that?

The error I kept getting was that the site could not be found. Neither through my home service nor my work service was I able to get to the site.

Nope... There were four posts made during that time frame, two of which were from me. No problems noted.

Sounds like some kind of a DNS issue - Are you using the same DNS servers for your home and work connections?
 
flyingcheesehead said:
Sounds like some kind of a DNS issue - Are you using the same DNS servers for your home and work connections?

Nope, two completely separate networks. One is SBC DSL (home), the other is a proprietary radio link (work). Different routers, DNS, etc. Nothing the same until the Internet cloud.
 
smigaldi said:
Nope, two completely separate networks. One is SBC DSL (home), the other is a proprietary radio link (work). Different routers, DNS, etc. Nothing the same until the Internet cloud.

Depends on what they hook up to for that "Internet cloud" connection, too. They could lease bandwidth from a bigger company or something could have caused a BGP reconvergence for routing (did that by accident one night with a large ISP when I was a network analyst :rolleyes: ).

There could be any number of reasons why you couldn't reach it.
 
Brian Austin said:
Depends on what they hook up to for that "Internet cloud" connection, too. They could lease bandwidth from a bigger company or something could have caused a BGP reconvergence for routing (did that by accident one night with a large ISP when I was a network analyst :rolleyes: ).

There could be any number of reasons why you couldn't reach it.

I am wondering if it was one of the bigger routers out of the Chicago area having a burp.
 
User Access Verification
Password:
CHI23-ATT> en
Password:
CHI23-ATT# conf t
Enter configuration commands, one line at a time. End with CNTL/Z.
CHI23-ATT(config)# access-list 14 deny smigaldi
CHI23-ATT(config)# interface FastEthernet0/21
CHI23-ATT(config-if)# ip access-group 14 in
CHI23-ATT(config-if)# ^Z
%SYS-5-CONFIG_I: Configured from console by vty3 (10.1.1.17)
CHI23-ATT# wr mem
Building configuration...
[OK]
CHI23-ATT# exit
Sorry Scott, I was told to.
 
flyingcheesehead said:
Nope... There were four posts made during that time frame, two of which were from me. No problems noted.

Sounds like some kind of a DNS issue - Are you using the same DNS servers for your home and work connections?

I think I may have had the same problem from work this afternoon but I was too busy to check into it then. AFAIK most of our traffic routes through Chicago, at least it did last time I checked (a couple years ago).
 
lancefisher said:
I think I may have had the same problem from work this afternoon but I was too busy to check into it then. AFAIK most of our traffic routes through Chicago, at least it did last time I checked (a couple years ago).

New slogan:

"Chicago. Causing traffic jams in any medium we can!" :rolleyes:
 
I had some trouble for a while yesterday. Looked like a routing problem rather than DNS.
 
I figured it out but I do not understand it completely.

What happened was that my security software detected an attack from PoA. This just happened again BTW, when it decides an attack is underway it blocks all traffic from that site for 30 minutes.

The logged attack was called an ICC Profile TagData Overflow.

This is a link describing the attack, http://securityresponse.symantec.com/avcenter/nis_ids/s21196.html

Why would I be getting this type of message from PoA? I have looked over the logs and these two occurrences are the only ones.

Chuck: What's up with this?
 
If embedded color profiles are a potential problem, we'd have to disable all attachments and images.
 
Possibly you had a recent update to your virus definitions?
 
smigaldi said:
Strange that this just started showing up this week. I never had the problem before.

I have had this happen here several times since last October.
 
The "intrusion problem" is that an image file was sent to you from us at your request (i.e., you read a thread or clicked on an attachment), and that image file contained in its internal data structure information about the color palettes used in that image.

It's possible that there is an image here with a problem with its color palette, but unless you can tell me what image did it, there's nothing I can do short of turning off ALL images, which isn't going to happen.

So did you have any recent updates to Norton, in general?
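
Added example, not part of the original thread and not Norton's signature logic: one way to find out which image carries an odd color profile is to check attachments directly. This Python code pulls the embedded ICC profile out of a JPEG's APP2 segments and verifies that every tag-table entry stays inside the profile. The function names and the sample file built by `build_sample_jpeg` are constructed for illustration.

```python
import struct

ICC_MARKER = b"ICC_PROFILE\x00"  # APP2 identifier; followed by chunk no. and chunk count

def extract_icc_from_jpeg(data):
    """Reassemble the ICC profile carried in a JPEG's APP2 segments, or None."""
    if data[:2] != b"\xff\xd8":
        return None
    chunks, pos = {}, 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xDA or seg_len < 2:  # start of scan, or malformed length
            break
        payload = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE2 and payload.startswith(ICC_MARKER) and len(payload) >= 14:
            chunks[payload[12]] = payload[14:]  # keyed by chunk sequence number
        pos += 2 + seg_len
    return b"".join(chunks[k] for k in sorted(chunks)) or None

def check_icc_tag_table(profile):
    """Return structural problems found in the tag table; [] means it is sane."""
    if len(profile) < 132:
        return ["profile shorter than header plus tag count"]
    problems = []
    (declared,) = struct.unpack(">I", profile[0:4])
    if declared != len(profile):
        problems.append(f"header size {declared} != actual {len(profile)}")
    if profile[36:40] != b"acsp":
        problems.append("missing 'acsp' signature")
    (count,) = struct.unpack(">I", profile[128:132])
    table_end = 132 + 12 * count  # 128-byte header, 4-byte count, 12 bytes per entry
    if table_end > len(profile):
        return problems + [f"tag count {count} overruns profile"]
    for i in range(count):
        sig, off, size = struct.unpack_from(">4sII", profile, 132 + 12 * i)
        if off < table_end or off + size > len(profile):
            problems.append(f"tag {sig.decode('latin-1')}: offset {off} + size {size} outside profile")
    return problems

def build_sample_jpeg(tag_size):
    """Constructed test input: minimal JPEG wrapping a 160-byte profile with one tag."""
    prof = bytearray(160)
    struct.pack_into(">I", prof, 0, 160)
    prof[36:40] = b"acsp"
    struct.pack_into(">I", prof, 128, 1)
    struct.pack_into(">4sII", prof, 132, b"desc", 144, tag_size)
    payload = ICC_MARKER + b"\x01\x01" + bytes(prof)
    return b"\xff\xd8\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

To check a real attachment, read the file as bytes, pass it to `extract_icc_from_jpeg`, and run `check_icc_tag_table` on the result when it is not `None`.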
 
Greebo said:
The "intrusion problem" is that an image file was sent to you from us at your request (i.e., you read a thread or clicked on an attachment), and that image file contained in its internal data structure information about the color palettes used in that image.

It's possible that there is an image here with a problem with its color palette, but unless you can tell me what image did it, there's nothing I can do short of turning off ALL images, which isn't going to happen.

So did you have any recent updates to Norton, in general?

But I hadn't requested an image, I had simply hit the 'New Posts' button. This is very strange and outside of my knowledge base. Any assistance you can offer is great. BTW I did update the security patch from M$ that is supposed to fix it but I got another hit. In the meantime I have elected to not block those messages from the Internet as a workaround.
 
Do you have logs from Norton indicating what tripped its flag? A specific URL, for example?

When I say "at your request" I mean at your browser's request. When you click a link, you think you're just clicking a link, but you're actually sending one request to the server, getting a response, and then sending back potentially dozens of other requests - for js files, css files, image files, etc. Everything the initial response says your browser needs to view the page.

You can't NOT visit a PoA page w/o requesting at least one image. It's on every single one...
 
Greebo said:
Do you have logs from Norton indicating what tripped its flag? A specific URL, for example?

When I say "at your request" I mean at your browser's request. When you click a link, you think you're just clicking a link, but you're actually sending one request to the server, getting a response, and then sending back potentially dozens of other requests - for js files, css files, image files, etc. Everything the initial response says your browser needs to view the page.

You can't NOT visit a PoA page w/o requesting at least one image. It's on every single one...

I don't have the logs handy but I'll get them later tonight and send them to you.
 
Greebo said:
Do you have logs from Norton indicating what tripped its flag? A specific URL, for example?

When I say "at your request" I mean at your browser's request. When you click a link, you think you're just clicking a link, but you're actually sending one request to the server, getting a response, and then sending back potentially dozens of other requests - for js files, css files, image files, etc. Everything the initial response says your browser needs to view the page.

You can't NOT visit a PoA page w/o requesting at least one image. It's on every single one...

Intrusion Detection is monitoring 566 signatures.
Intrusion detected and blocked. All communication with www.pilotsofamerica.com(216.69.169.202) will be blocked for 30 minutes.
Intrusion: ICC Profile TagData Overflow.
Intruder: www.pilotsofamerica.com(216.69.169.202)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 3149.
Intrusion detected and blocked. All communication with www.pilotsofamerica.com(216.69.169.202) will be blocked for 30 minutes.
Intrusion: ICC Profile TagData Overflow.
Intruder: www.pilotsofamerica.com(216.69.169.202)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 2578.
Intrusion Detection Signature File Version: 5/5/2006 Rev. 83. Intrusion Detection Engine Version: 2.0.0.50707.
Intrusion Detection has been enabled.
Intrusion Detection is monitoring 567 signatures.
Intrusion: ICC Profile TagData Overflow.
Intruder: www.pilotsofamerica.com(216.69.169.202)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 2716.
Intrusion detected and blocked. All communication with www.pilotsofamerica.com(216.69.169.202) will be blocked for 30 minutes.
Intrusion detected and blocked. All communication with www.pilotsofamerica.com(216.69.169.202) will be blocked for 30 minutes.
Intrusion: ICC Profile TagData Overflow.
Intruder: www.pilotsofamerica.com(216.69.169.202)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 2326.

These are the only cases, and it started on 1 June.
 
June 1. Symantec releases updates on Wednesdays, so it may well have been applied Wed. night or yesterday. Corporate is a different schedule, as often as daily.

I vote for Symantec as the problem.
 
wsuffa said:
June 1. Symantec releases updates on Wednesdays, so it may well have been applied Wed. night or yesterday. Corporate is a different schedule, as often as daily.

I vote for Symantec as the problem.

Wasted vote, as I have no Symantec product on my computer. This is Norton Internet Security.
 
smigaldi said:
Wasted vote, as I have no Symantec product on my computer. This is Norton Internet Security.

Norton = Symantec. Same company. Symantec bought Norton years ago, and still uses the brand.
 
??

What does this have to do with Norton/Symantec possibly giving false warnings?
 
OK, so today someone PM'd me that they got the Norton warning while viewing Anthony's "Picking up the tiger" thread.

Would someone who has the latest updates from Norton like to volunteer and see if they get that problem just looking at the thread, or if it's when they look at the images?

Mind you, if that thread is the problem, you won't be able to get back here for a bit. So please email me at chaeberle@pilotsofamerica.com or poasupport@pilotsofamerica.com if you can confirm this thread is the problem.
 
You can reveal that that PM was from me, Chuck. I also vote that it's the dang Norton thing, but what do I know, I'm a tech neanderthal. FWIW the first time I got the intrusion message I don't believe that there were any images on the "Picking Up the Tiger Today" post, just text. Anthony added the images later. Of course Anthony could be attempting to take over the world.
 
If you have avatars turned on, there are images. :)
 