Frustrated that I don't UNDERSTAND why my network times out

Discussion in 'Linux Networking' started by billy, Oct 8, 2013.

  1. billy

    billy Guest

    I will contact them at the email addresses already posted
    and ask them if they're periodically doing something nasty
    to my IP address for months at a time (like putting me on a
    blacklist or something).

    I'll report back if/when they respond.
    billy, Oct 10, 2013
    1. Advertisements

  2. billy

    billy Guest

    Everything you said is right on the money.
    It's frustratingly hard to figure out.

    The only two ideas "I" can come up with are:
    1. Someone is blocking me (but I can't imagine why)
    2. The path is too long for something (but I don't know what).

    In the first case, I'm not sure if the blocker would be the
    15th hop (which returns packets) not forwarding them on to
    the Centos server or if it's the 16th hop (the Centos server)
    not responding back. Is there a way to tell?

    In the second case, it would be useful to test a similarly
    long (at least 16 hops) path. Or, maybe there's a way to slow
    down my pings so that I can reproduce the problem in fewer hops?
    billy, Oct 10, 2013
    1. Advertisements

  3. billy

    billy Guest

    I understand and agree with your use of "claims", as you
    don't know what I've been told.

    I can google for the public thread where I asked them
    (and they responded in email privately also) and point
    you to that. It was about six months to a year ago.

    Gimme a minute to find it (Google will find it but I won't
    be able to open it up - but you should be able to).

    OK. Found it with Google on
    Title: What can I do to UNDERSTAND why fails for me
    Date: MaMar 1, 2013 - 12 posts - ‎4 authors

    Of course, I can't "go" to that URL (since it's on
    but it looks like it's mirrored here:

    Hey! Guess what? I can't get to "" either!
    Just like, it goes to asterisks on the 16th hop!

    I'm getting tired of redacting my IP address, so I'm letting it
    show here. I hope I don't regret that! :)

    # traceroute -M icmp
    traceroute to (, 30 hops max, 60 byte
    1 ( 2.851 ms 2.836 ms 2.839 ms
    2 ( 5.849 ms 5.849 ms
    5.846 ms
    3 ( 5.845 ms 19.117 ms 19.115 ms
    4 ( 19.111 ms 19.108 ms 26.045 ms
    5 ( 58.291 ms 60.735 ms 60.733 ms
    6 ( 70.816 ms 10.336 ms 15.323 ms
    7 ( 15.291 ms 77.227 ms 140.765 ms
    8 ( 148.204 ms 32.072 ms
    32.025 ms
    9 ( 35.854 ms 82.604 ms
    137.427 ms
    10 ( 137.395 ms 77.731 ms
    86.088 ms
    11 ( 92.609 ms 105.335 ms
    105.305 ms
    12 ( 105.262 ms 130.219 ms
    145.768 ms
    13 ( 145.746 ms 66.089 ms
    83.514 ms
    14 ( 83.485 ms ( 75.311 ms 75.275
    15 ( 75.241 ms
    68.198 ms 85.547 ms
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    27 * * *
    28 * * *
    29 * * *
    30 * * *
    billy, Oct 10, 2013
  4. billy

    billy Guest

    I can google just fine, so I found the original request way
    back in March on the Centos site (I subsequently got an email
    from the admins saying there's nothing wrong with my IP address).

    Here's what Google says the Centos article URL is:

    It's looking more and more like anything longer than about 15
    hops is dying for me. At least that's a preliminary guess.

    Notice I can get to this Centos mirror just fine:

    When I traceroute to it, I see a MUCH SHORTER route!

    # traceroute -M icmp
    traceroute to (, 30 hops max, 60 byte
    1 ( 2.849 ms 2.835 ms 2.831 ms
    2 ( 2.855 ms 5.644 ms
    5.642 ms
    3 ( 10.434 ms 10.432 ms 10.428 ms
    4 ( 11.707 ms 15.285 ms 15.284 ms
    5 ( 15.280 ms 19.197 ms 19.193 ms
    6 ( 66.277 ms 60.195 ms 113.259 ms
    7 ( 103.422 ms 213.710 ms 235.362 ms
    8 ( 235.334 ms 251.949 ms
    251.924 ms
    9 ( 255.382 ms 134.485 ms
    134.458 ms
    10 ( 149.430 ms *
    180.892 ms
    11 ( 180.882
    ms 226.325 ms 226.300 ms
    12 ( 240.823 ms
    156.853 ms *
    13 * (
    106.930 ms 106.903 ms
    14 ( 106.884
    ms 141.148 ms 190.401 ms
    15 ( 131.264 ms 74.009 ms 83.791 ms
    billy, Oct 10, 2013
  5. billy

    Mike Easter Guest

    When you are trying to access a webserver, you should aim at its name,
    not its IP address for general purposes. One webserver might serve many
    names. The bugs front page is at:

    login is at
    My browser pointed at that IP gives me a forbidden page instead of the
    bugs.centos front door..
    You don't have permission to access / on this server.
    Apache/2.2.3 (CentOS) Server at Port 80

    Some webservers which serve only one front page will give you that page,
    but some will not serve you the page when addressed the IP way.

    That 'rule' does not apply to such as mailservers and news servers who
    don't care about the name vs the IP, except that the name is 'better' in
    the sense that the name might have more than one IP. is at a different place than but they have
    the same nameservice.
    I don't think that is a useful theory.
    Mike Easter, Oct 10, 2013
  6. billy

    billy Guest

    IIRC, when I had asked my neighbors, they had fewer hops to
    the same destination - so - I'm beginning to wonder if it's
    the sheer number of hops (or the time involved); but that's
    just a guess.

    I'd be glad to post traceroute or ping results to ANY server
    you suggest, so we can compare with you.

    I'll also ask a neighbor to send me his traceroutes and
    post them when/if I get them.
    billy, Oct 10, 2013
  7. billy

    billy Guest

    I have sent all the email addresses on that list an email.
    I will write back if/when they respond.
    I don't have high hopes that they will - but - they might.

    I gave them the unedited traceroute results just like I gave you.
    billy, Oct 10, 2013
  8. billy

    billy Guest

    The ping is useless. Either that or I'm using it wrong.

    Here's the cut and paste for the pings on Knoppix:
    # ping -M icmp
    ping: wrong value for -M: do, dont, want are valid ones.

    # ping --help
    ping: invalid option -- '-'
    Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
    [-p pattern] [-s packetsize] [-t ttl] [-I interface]
    [-M pmtudisc-hint] [-m mark] [-S sndbuf]
    [-T tstamp-options] [-Q tos] [hop1 ...] destination

    # # ping
    PING ( 56(84) bytes of data.

    --- ping statistics ---
    286 packets transmitted, 0 received, 100% packet loss, time 285212ms

    (strangely it took minutes to time out on Knoppix so I killed it).
    billy, Oct 10, 2013
  9. billy

    Rick Jones Guest

    Now, if the telnet 80 does not succeed, that means
    I was, perhaps, being overly simplistic in my use of terms. I was
    lumping-in "classic" routing issues like loops and what not in with
    things like deliberate blacklisting.
    Anywhere between that 15th hop in the traceroute and I
    would think.

    That it comes and goes for months at a time has me wondering about the
    rate at which his ISP might be changing his assigned IP address (the
    one his gateway gets), and whether or not the "blackouts" correlated
    with that. That would require having kept a log of the noticed start
    and end of the blackouts and a log of the IP assigned by the ISP.

    rick jones
    Rick Jones, Oct 10, 2013
  10. billy

    Rick Jones Guest

    They may not be blocking "you" specifically, but the IP address you
    have from your ISP.
    Only by asking the 15th hop and getting a response. Basically, as
    frustrating as it is, in this matter you will be dependent on the
    kindness of strangers at the ISP(s) at/beyond that 15th hop.
    Hop count to reach a given server depends on topology of the Internet
    not the rate at which you are issuing either pings or traceroute
    packets. To make a possibly lame analogy, driving from NY to LA you
    will go trough the same intermediate cities along the highway no
    matter how fast you drive.

    rick jones
    Rick Jones, Oct 10, 2013
  11. billy

    billy Guest


    The last time this happened, last March, I searched
    all the blacklist servers I could find, an my IP
    address was NOT in any of them.
    billy, Oct 10, 2013
  12. billy

    Rick Jones Guest

    It does seem unlikely, but if there is something capping the TTL at 15
    or 0xF I suppose that could explain it. Though in that case I would
    expect it to be all the time not months-on/months-off. Unless there
    was something else causing his traffic to go through different kit
    somewhere along the way.

    Perhaps some servers in Europe or Asia would be > 15 hops.

    rick jones
    Rick Jones, Oct 10, 2013
  13. I've been following the thread. Given the traceroute output, my
    understanding is that your isp is giving your system an RFC1918
    address, within 10.*.*.*, which means the website will be seeing
    all connections from all customers of your isp as coming from the
    same ip address. It could well be that their automated software is
    blocking any ip address that is trying to make too many
    connections, in a given time frame, and keeping the address in the
    block list, for a specified amount of time. This may not be obvious
    to an admin of, without digging through the logs.

    Regards, Dave Hodgins
    David W. Hodgins, Oct 10, 2013
  14. billy

    unruh Guest

    No It depends maily on the endpoints, not the distance.
    unruh, Oct 10, 2013
  15. billy

    billy Guest

    I think I understand what you're saying, because, in effect, it's
    what our home broadband routers do. Right?

    For example, the home broadband router has an IP address where
    all the computers behind it look, to the outside, as the IP
    address of the router.

    Are you saying that the exit node of the WISP, which is
    in the traceroute below, is what they're blocking?

    traceroute -M icmp
    traceroute to (, 30 hops max, 60 byte packets
    1 ( 2.841 ms 2.826 ms 2.823 ms
    2 ( 6.188 ms 6.188 ms
    6.186 ms
    3 ( 6.186 ms 8.402 ms 12.673 ms
    4 ( 12.669 ms 12.666 ms 12.663 ms
    5 ( 20.944 ms 59.871 ms 59.875 ms
    6 ( 177.035 ms 77.696 ms 77.672 ms
    7 ( 77.655 ms 22.190 ms 82.922 ms
    8 ( 134.102 ms 64.071 ms
    125.261 ms
    9 ( 125.244 ms 52.387
    ms 52.368 ms
    10 ( 52.340 ms 79.126 ms 82.842 ms
    11 ( 82.825 ms 72.917 ms 72.886 ms
    12 ( 56.810 ms 17.257 ms
    22.447 ms
    billy, Oct 10, 2013
  16. billy

    unruh Guest

    No. It had better not be since that would not route in the
    outside world at all. It would not even get to the first hop, never mind
    15 since nothing would know where to send the packet (there are millions
    of systems with that address in the world). The exit node or something
    further up the chain had better have a routable address.
    o> 6 ( 177.035 ms 77.696 ms 77.672 ms

    So all of the above are non-routable addresses. (ie, they cannot be
    routed on the public internet, but can be on a private net).
    That is the address of that router as seen from inside, rather
    than the address it presents the world.
    It is really strange to get a public address and then get a bunch of
    private addresses.
    unruh, Oct 10, 2013
  17. billy

    ~BD~ Guest

    Good luck, Billy! :)

    I can just *feeeeeel* your frustration. Maddening, for sure!
    ~BD~, Oct 10, 2013
  18. Yeah, that'll get their back up. Just be polite and present the results
    of your tests. Wide area networking is an altogether different game. I
    wouldn't tell them their job, because you'll be wrong.

    p-0.0-h the cat

    Internet Terrorist, Mass sock puppeteer, Agent provocateur, Gutter rat,
    Devil incarnate, Linux user#666, BaStarD hacker, Resident evil, Monkey Boy,
    Certifiable criminal, Spineless cowardly scum, textbook Psychopath,
    the SCOURGE, l33t p00h d3 tr0ll, p00h == lam3r, p00h == tr0ll, troll infâme,
    the OVERCAT [The BEARPAIR are dead, and we are its murderers], lowlife troll,
    shyster [pending approval by STATE_TERROR], cripple, sociopath, kook,
    smug prick, smartarse, arsehole, moron, idiot, imbecile, snittish scumbag,
    liar, and shill.

    Honorary SHYSTER and FRAUD awarded for services to Haberdashery.
    By Appointment to God Frank-Lin.
    p-0''0-h the cat (ES), Oct 10, 2013
  19. billy

    Chris Davies Guest

    That's another good theory. Each time a packet goes through a router, its
    "TTL" (Time To Live) is decremented. When it reaches zero the packet is
    discarded. The reasoning behind this is that it handles looping routes
    safely. The downside is that if the target is further away from you than
    the initial TTL you can't reach it.

    You can check your default TTL with this command:

    cat /proc/sys/net/ipv4/ip_default_ttl

    On my system it returns 64. You can change the value (as root, of course)
    by using echo to write a different value to it:

    sudo -s # become root
    echo 128 > /proc/sys/net/ipv4/ip_default_ttl

    Chris Davies, Oct 10, 2013
  20. billy

    ein Guest

    IMHO not really. It is a ISPs way to save let's say commonly routable
    public IP addresses. I've seen this many times.

    Version: GnuPG v1.4.14 (GNU/Linux)
    Comment: Using GnuPG with Thunderbird -

    -----END PGP SIGNATURE-----
    ein, Oct 10, 2013
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.