Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi all,
Vanilla are planning an update to the site on April 24th (next Wednesday). It is a major PHP8 update which is expected to boost performance across the site. The site will be down from 7pm and it is expected to take about an hour to complete. We appreciate your patience during the update.
Thanks all.

Update falls down using Vodafone mobile

  • 11-05-2021 2:51pm
    #1
    carveone
    Registered Users Posts: 1,212 ✭✭✭


    Hi all,

    I have an older Windows 7 test machine which is running Microsoft Security Essentials and pretty much nothing else. Every so often MSE updates its signatures using Windows Update and the BITS services and this seems to work ok. Obviously there aren't any more Updates for W7 (aside from the Malicious Software Removal Tool).

    One day I decided to connected this machine to a WiFi hotspot on my phone - this is a p30 lite with a Vodafone sim. This seems fine until MSE tried to update. At which point the BITS service goes a bit nuts - it writes to C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat continuously until I do a "net stop bits".

    This is quite odd. I'm not sure if Windows 10 would have the same issue as I don't use it (I run Linux Mint most of the time). If it does, it would seem like a way to DOS a Windows 10 machine.

    Does anyone know if Vodafone filter weird ports or do odd things with their DNS? I remember Three used to filter imgur using a DNS filter but that was easily circumvented and I think they got bored doing that and went away :)

    Edit: That wasn't a particularly well thought out Subject line!


Comments

  • #2
    carveone
    Registered Users Posts: 1,212 ✭✭✭carveone


    After some network probing, I've found that "download.windowsupdate.com" is a different server (8.238.55.126) on the UPC broadband network compared to 93.184.221.240 on the Vodafone 4G network. They are different servers and elicit different header responses for the same file request.

    Using "curl -I" on one of the MSE update patches, the first server returns a perfectly reasonable reply. The second returns complete rubbish.

    > curl -I "http://download.windowsupdate.com/d/msdownload/update/software/defu/2021/05/am_delta_6a3649beb57cee48081bd31631c8774de6505d2f.exe"
    HTTP/1.1 200 OK
[...snip...]
Server: ECAcc (lha/8DA7)
Content-Length: 0
Connection: keep-alive

    Note the Content-Length is zero along with a keep-alive connection. Super. How is that supposed to work? From what I can see, BITS goes nuts and starts reissuing the job over and over.

    In my opinion this is an effective denial of service attack against a Windows 7 machine and I've seen the same problem reported against a Windows 2016 Server.

    I'll have to make a reproducible test case but I've no idea if Microsoft will care (they won't fix it for Windows 7 anyway).


  • #3
    Capt'n Midnight
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,657 Mod ✭✭✭✭Capt'n Midnight


    Let's blame DNS.

    Would it work with a generic third party DNS server ? I gave up relying on NTL/UPC/VM DNS servers a long time ago.


  • #4
    carveone
    Registered Users Posts: 1,212 ✭✭✭carveone


    Capt'n Midnight wrote: »
    Let's blame DNS.

    Would it work with a generic third party DNS server ? I gave up relying on NTL/UPC/VM DNS servers a long time ago.

    Thanks for replying! I tried using 8.8.8.8 to do the query but it returned the same IP address ranges resulting in the same problem. I think - I can't remember what I was trying so I'll go off and try it again! I definitely remember thinking of DNS too though :)

    To me it's a malconfigured Vodafone proxy server. I've tried the same curl command above on Tesco, Virgin, Three and Eir and get valid HEAD responses.

    I spent a day writing out and logging a vulnerability with MSRC but they just closed it with a rather curt need "valid proof of concept (POC) ideally with images or video". Gee, thanks. I'd have to write a broken web server to prove it and, although I can do this, I won't.

    I phoned Vodafone technical support. You can guess how that worked out. They started off by looking for my phone number and phone type and who I was sharing my internet connection with so I hung up on them :p


  • #5
    carveone
    Registered Users Posts: 1,212 ✭✭✭carveone


    Nope. Changing the DNS doesn't fix it.

    Which is interesting because it usually fixes all manner of stupid nonsense with DNS servers. Especially 3's - they used to filter out imgur because reasons. And all stackexchange images were on imgur so that was massively irritating. Change the DNS, problem goes away...


  • #6
    carveone
    Registered Users Posts: 1,212 ✭✭✭carveone


    I know this is an old post but it turns out that the issue is a bug in Windows update (https://github.com/conoror/wudos). If the Content-Length is zero for the HEAD response to a windows update file, then the update goes into an infinite loop. Reported to MS but they're not interested (they could reproduce it alright, they're just not going to fix it).

    I reported it to Vodafone but they didn't care. So I can't hotspot my Windows machines using Vodafone and I'm using Tesco now instead.

    One of those things I guess...



  • Advertisement
Advertisement