
Mac Forum / Country Specific / UK Mac Group / May 2008




That problem I had with broken links in the iTunes store.

PGG - 29 May 2008 16:31 GMT
About 3 months ago I made a post here about a problem with the iTunes
store showing broken links when first accessed. To get around the
problem I had to refresh the page 3 or 4 times. That was with the
then current version of iTunes and Mac OS X 10.5.3.

I noticed that I was also getting similar problems in Safari and
Firefox when trying to view web pages with many small embedded images;
a good number of the images would simply not load. Viewing the same
pages from a PC running Windows XP over the same broadband connection
seemed fine.

I've resolved the problem now. It was my D-Link router that was at
fault. I discovered that firewall settings specific to blocking DoS
attacks and portscans, both pertaining to blocking excessive SYNs,
were generating false positives which caused multiple image requests
to fail. Disabling these options fixed the problem.

Obviously D-Link only tested this feature of their firmware when using
a PC. I presume there's something in the behaviour of the Mac OS X IP
stack that's slightly different to the XP one. Sequence numbers,
perhaps?
Richard Tobin - 29 May 2008 16:52 GMT
>I've resolved the problem now. It was my D-Link router that was at
>fault. I discovered that firewall settings specific to blocking DoS
>attacks and portscans, both pertaining to blocking excessive SYNs,
>were generating false positives which caused multiple image requests
>to fail. Disabling these options fixed the problem.

This is surprising.  I would expect a browser to keep the connection
open for multiple fetches from the same site, so there wouldn't be
lots of SYNs being sent.  And in any case, SYN is sent by the
initiator, so you should be sending not receiving them.

-- Richard

In the selection of the two characters immediately succeeding the numeral 9,
consideration shall be given to their replacement by the graphics 10 and 11 to
facilitate the adoption of the code in the sterling monetary area. (X3.4-1963)

PGG - 30 May 2008 10:25 GMT
> This is surprising.  I would expect a browser to keep the connection
> open for multiple fetches from the same site, so there wouldn't be
> lots of SYNs being sent.  And in any case, SYN is sent by the
> initiator, so you should be sending not receiving them.

It only manifests itself on sites with links to many images across
multiple servers.
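
The false positive described in the posts above, as an added example that is not part of any post in this thread and is not D-Link's firmware logic (which the thread does not show). It assumes a rule that only counts SYNs per source, and compares it with one that counts only SYNs whose handshake never completed; the thresholds, addresses and traffic are constructed.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (time_s, src, dst, dst_port, handshake_completed).
# Addresses are documentation/private ranges; all thresholds are assumed values.
def page_load(src="192.168.1.10"):
    """One LAN client fetching 24 images from 6 servers within about 0.5 s."""
    return [(i * 0.02, src, f"203.0.113.{1 + i % 6}", 80, True) for i in range(24)]

def port_sweep(src="198.51.100.7", dst="192.168.1.10"):
    """One source probing 40 ports on one host; no handshake completes."""
    return [(i * 0.01, src, dst, 1000 + i, False) for i in range(40)]

def syn_rate_only(events, max_syns=15, window=1.0):
    """Naive rule: flag any source that exceeds max_syns SYNs per sliding window."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, _dst, _port, _ok in sorted(events):
        q = recent[src]
        q.append(ts)
        # Drop SYNs that have aged out of the window (q always keeps the newest).
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_syns:
            flagged.add(src)
    return flagged

def half_open_aware(events, max_half_open=15, window=1.0):
    """Same sliding window, but only SYNs with no completed handshake count."""
    return syn_rate_only([e for e in events if not e[4]], max_half_open, window)

if __name__ == "__main__":
    traffic = page_load() + port_sweep()
    print("SYN rate only  :", sorted(syn_rate_only(traffic)))
    print("half-open aware:", sorted(half_open_aware(traffic)))
```

The rate-only rule flags the browsing client as well as the sweep, because a burst of legitimate connections to several servers looks the same to it as a scan.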
Peter Ceresole - 29 May 2008 17:39 GMT
> I've resolved the problem now. It was my D-Link router that was at
> fault. I discovered that firewall settings specific to blocking DoS
> attacks and portscans, both pertaining to blocking excessive SYNs,
> were generating false positives which caused multiple image requests
> to fail. Disabling these options fixed the problem.

What model are you using? I once had (still have on a shelf) a DSL 504
that did this. The only way round was to pass certain ports through
directly. Daniele did this for me, and it worked.

The paranoid behaviour of some DSL firmware when dealing with imagined
port scans was detailed on <http://shadow.sentry.org/~trev/dsl50x.html>

I don't know if any of it is still relevant, but your account sounds
horribly familiar.

The *real* solution was to get a DG834N.

Peter

Chris Ridd - 29 May 2008 19:06 GMT
> The paranoid behaviour of some DSL firmware when dealing with imagined
> port scans was detailed on <http://shadow.sentry.org/~trev/dsl50x.html>

The only problem I've encountered with our Zyxel modem at work was
related to its overzealous (aka wrong) DoS detector. IIRC it thought
some DNS results were a DoS attack!

> I don't know if any of it is still relevant, but your account sounds
> horribly familiar.
>
> The *real* solution was to get a DG834N.

Or at the very least turn off that functionality in the router.

Cheers,

Chris
PGG - 30 May 2008 10:24 GMT
> What model are you using? I once had (still have on a shelf) a DSL 504
> that did this. The only way round was to pass certain ports through
> directly. Daniele did this for me, and it worked.

It's a DSL-G604T. It's running the Australian version of the firmware,
however, as that was the only version released that could work with
the wireless of a Nintendo DS, due to some bizarre timing issues. The
Australian firmware did also fix a problem with the DNS relay crashing
which was never fixed in the UK firmware; however since the
introduction of Leopard there's another problem with DNS relaying
which makes it unusable with any software that uses one of two Leopard
DNS API calls.

One other problem I had with the UK firmware was when I enabled port
forwarding for port 80, allowing access to a Linux box externally.
This appeared to work fine until we had a power cut. When the power
was restored, on first attempting to connect inwards I got presented
with the router's own login screen and not the expected Linux box. Of
course I had changed the password from the default, but it was still
frightening.

I've had several other problems with the older UK firmware; a common
one was the occasional slowdown of all web traffic after running some
applications; it was really noticeable after I'd grabbed a Debian ISO
via BitTorrent. Rebooting seemed to be the only guaranteed way to fix
it.
Chris Ridd - 30 May 2008 10:40 GMT
>> What model are you using? I once had (still have on a shelf) a DSL 504
>> that did this. The only way round was to pass certain ports through
[quoted text clipped - 8 lines]
> which makes it unusable with any software that uses one of two Leopard
> DNS API calls.

Have you got details on that?

> I've had several other problems with the older UK firmware; a common
> one was the occasional slowdown of all web traffic after running some
> applications; it was really noticeable after I'd grabbed a Debian ISO
> via BitTorrent. Rebooting seemed to be the only guaranteed way to fix
> it.

That's a pretty common problem with cheap routers. P2P software tends
to require more active connections than these cheap routers can
properly manage, and consequently they fall over or have problems. The
solutions are to get better firmware from the manufacturer, or third
party (a number of Linksys routers have free third party firmware), or
you dial down the number of connections in your P2P client.

Cheers,

Chris
PGG - 30 May 2008 11:14 GMT
> > It's a DSL-G604T. It's running the Australian version of the firmware,
> > however, as that was the only version released that could work with
[quoted text clipped - 6 lines]
>
> Have you got details on that?

Yes. In OS X there are two DNS resolver APIs, gethostbyname() and
getaddrinfo(). The majority of software uses the former of the two,
but the latter one does have several advantages, such as IPv6 support.
Under Leopard getaddrinfo() first sends an SRV request to the DNS
server. Unfortunately some DNS relays (such as the one in my router)
simply ignore this request, causing getaddrinfo() to time out for 30
seconds. SRV allows DNS to make IP addresses dependent upon the port
being used, but is hardly used at the moment. The correct response for
a DNS server that doesn't support the request is to send back an
NXDOMAIN response.

EDIT: Having run tcpdump in terminal it seems that as of 10.5.3
getaddrinfo() no longer sends out the SRV request.
Chris Ridd - 31 May 2008 16:58 GMT
>>> It's a DSL-G604T. It's running the Australian version of the firmware,
>>> however, as that was the only version released that could work with
[quoted text clipped - 17 lines]
> a DNS server that doesn't support the request is to send back an
> NXDOMAIN response.

Ah, I'd noticed some NXDOMAIN responses being returned, so this might
explain at least some of them.

> EDIT: Having run tcpdump in terminal it seems that as of 10.5.3
> getaddrinfo() no longer sends out the SRV request.

Cheers,

Chris
James Dore - 30 May 2008 12:50 GMT
> > What model are you using? I once had (still have on a shelf) a DSL 504
> > that did this. The only way round was to pass certain ports through
> > directly. Daniele did this for me, and it worked.
>
> It's a DSL-G604T.

IRT as DSL-GOAT

I thought Jim had gone into the ISP trade...

ttfn!

james dore
IT Officer,
New College, Oxford
http://www.new.ox.ac.uk/ it-support@new....
