Specific URL being redirected someplace weird on my home network?
November 26, 2017 11:56 AM   Subscribe

For the past couple of weeks, I have been unable to access one specific domain (iu.instructure.com) from any device in my home. This is the domain that Canvas uses, so I'm always accessing securely (https). But my browsers are all complaining that the certificate is invalid. Any ideas what could be going on?

Earlier in the week, the certificate was from reportantu.info and now it says it is from tpbid.com.

I have encountered the same problem on my Windows 10 desktop, my Windows 7 laptop, and my Android phone, using both Chrome and Firefox. Forcing my computer to use Google's DNS (8.8.8.8) did not change anything, and neither did rebooting the router. When I connect to any other network (e.g. wireless data on my phone), I can access the website just fine.

If I just connect to http://iu.instructure.com/ on my home network (not https), it serves up a message like this:

---
403 Forbidden

You don't have permission to access the URL on this server. Sorry for the inconvenience.
Please report this message and include the following information to us.
Thank you very much!

URL: http://iu.instructure.com/
Server: ip-10-0-4-117
Date: 2017/11/26 19:45:22
Powered by Tengine/2.1.2
---

If I access http://iu.instructure.com/ on any other network, it correctly redirects me to the login screen at https://canvas.iu.edu/lms-prd/app/.

I'm frankly baffled by the problem, and I'm not even sure how to describe it well enough to find information on my own. Like maybe my router has a virus? Does that seem plausible? Should I try a factory reset on it?
posted by ErWenn to Computers & Internet (13 answers total) 1 user marked this as a favorite
 
What kind of router do you have? It's definitely possible for a router to be compromised, and it appears that your router is intercepting traffic and (attempting to) direct it to a local webserver.

I'd reset the router, and be sure to change the default administrative password.
posted by sriracha at 12:51 PM on November 26, 2017 [1 favorite]


The fact that it's an internal IP is a little spooky and makes me think it's not some DNS propagation artifact. Factory reset your router, and then go online and check for any firmware updates for the model and apply them if they exist.
posted by floam at 1:17 PM on November 26, 2017 [1 favorite]


Router is a Netgear N600 WNDR3400v3.

I just did a factory reset on it, changed the admin password, set up the WiFi network again, and upgraded the firmware. I was convinced that would do it. No dice.

Maybe the cable modem (Netgear CM400)? I'll try a factory reset on that one now.
posted by ErWenn at 1:28 PM on November 26, 2017


That didn't work either. I am completely and utterly confused now. I've never even heard of a problem like this.
posted by ErWenn at 1:32 PM on November 26, 2017


Huh. Strange! Of course, it's possible that's not really an internal IP on your network, but an external server who happens to show the error with its own internal 10.0.4.117-related hostname in the report instead of a FQDN.
posted by floam at 1:39 PM on November 26, 2017


Hmm, I looked it up, and iu.instructure.com resolves to a public Amazon IP address that should be accessible from anywhere.

On your Windows 10 computer, try this:
  • Press the Windows key.
  • Type Notepad in the search field.
    In the search results, right-click Notepad and select Run as administrator.
    From Notepad, open the following file: c:\Windows\System32\Drivers\etc\hosts

    Do you see "iu.instructure.com" in that file? If you do, delete it, reboot, and then try again.
    posted by erst at 3:43 PM on November 26, 2017


    [1000]<0>(~)> nslookup iu.instructure.com
    Server: 8.8.8.8
    Address: 8.8.8.8#53

    Non-authoritative answer:
    iu.instructure.com canonical name = cluster29.instructure.com.
    cluster29.instructure.com canonical name = canvas-iad-prod-c29-1731329711.us-east-1.elb.amazonaws.com.
    Name: canvas-iad-prod-c29-1731329711.us-east-1.elb.amazonaws.com
    Address: 34.229.8.15
    Name: canvas-iad-prod-c29-1731329711.us-east-1.elb.amazonaws.com
    Address: 52.4.195.221
    Name: canvas-iad-prod-c29-1731329711.us-east-1.elb.amazonaws.com
    Address: 54.84.52.226

    When I try and access any of the 3 ip addresses, I get a message:

    Your connection is not secure

    The owner of 54.84.52.226 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    54.84.52.226 uses an invalid security certificate. The certificate is only valid for the following names: *.canvaslms.com, canvaslms.com, *.instructure.com, instructure.com

    So maybe your router is not sending the name correctly with the ip address.
    posted by Obscure Reference at 4:38 PM on November 26, 2017


    erst:
    Nothing's been added to the "hosts" file; it's just comments. (Also, this problem occurs on every device in the house, including phones.)

    Obscure Reference:
    When I try connect from here, the certificate that's being used is only valid for "*.tpbid.com, tpbid.com", so I'm definitely not getting the same certificate as you.

    Note that the problem is only with the domain name "iu.instructure.com". The certificate provided by canvas.iu.edu (where login info is entered) seems to be just fine, as does the certificate for just "instructure.com". So this is an oddly specific kind of problem.

    Given that the problem is the same on multiple different devices, using different browsers, different operating systems, and different DNS servers, and that I've been able to successfully access the site on some of those devices, when they are connected to a different network, I can only imagine a few places where the problem could be.

    The most obvious would be the router or the cable modem. I did a factory reset on both and updated the firmware and the problem persisted.

    It seems unlikely that the issue is with my ISP (Comcast), given that everybody else in town uses Comcast, and it'd be all over the internet if no one in Bloomington (a town that's like half IU students) could access Canvas (the course management system that every single class uses). Also, I tried it at a friend's house and had no problems.

    So now I'm stuck coming up with increasingly absurd hypotheses, like:

    - There's some kind of virus on the cable modem or router that can't be wiped by a factory reset. (Is that even theoretically possible?)

    - Some kind of virus has attacked multiple devices in my house (like my desktop and my router or the router and the cable modem), and when I fix the problem on one device, the other device immediately reinfects it. (I said that some of these were absurd.)

    - The problem is at the ISP level or on instructure.com's servers, but is somehow not targeting every user, only a few of them. (I said "increasingly" absurd.)

    - There's a physical hack of some sort somewhere in my house. (I'm just making crap up now.)


    At this level of ridiculous hypothesis, the answer is usually that there is a more probable scenario that I have incorrectly ruled out. This sort of thing is almost impossible to find on my own, so if anyone has other suggestions, I would greatly appreciate it.

    As long as this is an issue, I'm going to have a very hard time doing my job (I teach at IU).
    posted by ErWenn at 8:02 PM on November 26, 2017


    I had some similar issues a few months ago connecting to a specific https website from home i.e., could previously connect with no problem, could still connect fine from work, weird error messages that seemed to point in the direction of a problem with https or the certificate being used. I think it ended up being something odd with my wireless router; it was several years old at that point so I finally bought a new one and haven't experienced any problems since then. You can troubleshoot this by bypassing your router and connecting directly to your cable modem or by buying a new router (which you can return afterward if it's not the culprit).
    posted by ElKevbo at 8:29 PM on November 26, 2017


    I’m on my phone so i can’t run any tests or anything, but your second to last point about targeting ‘specific users’ isn’t as absurd as you think it might be. It’s not targeting, just unluckiness. If this site, for example, has multiple servers (or cdn hosts) and one is misconfigured somehow, then issues can present themselves randomly. Because of caching, etc it’s quite possible for different devices in the same house even to be accessing different hosts. Or they are all accessing the same fubared one, but down the street the host they are hitting is fine. I’m not saying this is the case, but i’ve definitely been on the other end of debugging issues like this where only one person (or geographic region, or whatever) gets random behavior, or only 1/x requests is fubared, etc. Don’t dismiss the idea that this might be on this website’s side. I’d say that’s a lot more likely than some mystery virus in your cable modem.
    posted by cgg at 9:06 PM on November 26, 2017 [1 favorite]


    I'm leaning towards it being on the website's end and some unlucky caching or something. It may just clear up after some more hours or days.

    In the meantime, given that you work at a university, perhaps you can VPN in and it will work that way so you can get work done? Or use some cheap VPN service.
    posted by floam at 10:33 AM on November 27, 2017


    This exact same thing happened to me, couldn't figure it out, after about two weeks I could see the site again, hasn't returned.

    I have an old Netgear router, use Windows 10 on a desktop and 2 Surface Pros. Tested on IE, Firefox and Chrome.
    posted by cda at 12:19 PM on November 27, 2017


    Turns out it was in fact a Comcast thing. No idea what actually happened, but they've now fixed the problem. Thanks for everyone's help!
    posted by ErWenn at 6:36 PM on November 30, 2017


    « Older Menstrual cycle and mood   |   How does an HSA work? Newer »
    This thread is closed to new comments.